JavaScript Code Review Guide for Bug Bounty Hunters
Javascript is one of the most crucial parts in web app nowadays. When you click inspect in browser, you will find Javascript code everywhere. Some written in main html files. Some served as separate files with web app. If you are a bug bounty hunter, you should spend some times to find treasures out of it. You may find high severity bugs if you are lucky.
Some of you might get frustrated when it comes to code review. Don’t worry! You don’t need to read it line by line. You just need to focus in a few areas. Here’s some example of what you should look at in JS code:-
1. Credential data
Sometimes, developers left juicy information like password, API key hard coded in client side JS codes. Finding these information from JS code doesn’t need years of JS coding experience.
My favorite way to look for these information is download JS files and use regex to filter useful information out. For example, AWS key regex might look something like this:
(?i)aws(.{0,20})?(?-i)[‘\”][0–9a-zA-Z\/+]{40}[‘\”]
You can refer to below github repo for some other regex examples:
