This is a simple guide to performing JavaScript recon in bug bounty.
The first step is to collect as many JavaScript files as possible (more files = more paths, parameters -> more vulns). How you get more JS files depends a lot on the target (I focus mostly on large targets) and also on the tools you use; I use a lot of my personal tools for this:
Tools:
gau - https://github.com/lc/gau
linkfinder - https://github.com/GerbenJavado/LinkFinder
getSrc - https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/getsrc.py
SecretFinder - https://github.com/m4ll0k/SecretFinder
antiburl - https://github.com/tomnomnom/hacks/tree/master/anti-burl
antiburl.py - https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/antiburl.py
ffuf - https://github.com/ffuf/ffuf
allJsToJson.py (private tool)
getJswords.py - https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/getjswords.py
gitHubLinks.py (private tool)
availableForPurchase.py (private tool)
BurpSuite - http://portswigger.net/
jsbeautify.py - https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/jsbeautify.py
collector.py - https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/collector.py
getScriptTagContent.py (private tool)
jsAlert.py (private tool)
Description:
gau - This tool is great. I usually use it to find as many JavaScript files as possible. Many companies host their files on third-party domains, which is very important for a bug hunter because it lets you enumerate a lot more JS files!
Example: paypal.com hosts its files on paypalobjects.com
$ gau paypalobjects.com | grep -iE '\.js' | grep -ivE '\.json' | sort -u >> paypalJS.txt
$ gau paypal.com | grep -iE '\.js' | grep -ivE '\.json' | sort -u >> paypalJS.txt
Don't worry if the domain where the files are hosted is out of scope; our intent is to enumerate JS files to get more parameters, paths, tokens, API keys, ...
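linkfinder - This tool is great. I usually use it to search for paths and links; combined with availableForPurchase.py and collector.py it is awesome!
Example:
$ cat paypalJS.txt | xargs -I@ bash -c 'printf "\n[URL]: %s\n\n" "$1"; python3 linkfinder.py -i "$1" -o cli' _ @ >> paypalJSPathsWithUrl.txt
$ cat paypalJSPathsWithUrl.txt | grep -ivF '[URL]:' | sort -u > paypalJSPathsNoUrl.txt
$ cat paypalJSPathsNoUrl.txt | python3 collector.py output
Note: the URL is handed to bash as a positional argument ($1) instead of being substituted into the command string, so a collected URL that contains shell metacharacters is not executed on your machine. grep uses -F so that '[URL]:' is matched literally and not as a character class.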
getSrc - Tool to extract script links; the nice thing about this tool is that it makes the URLs absolute!
Example:
$ python3 getSrc.py https://www.paypal.com/
https://www.paypalobjects.com/digitalassets/c/website/js/react-16_6_3-bundle.js
https://www.paypalobjects.com/tagmgmt/bs-chunk.js
SecretFinder - Tool to discover sensitive data such as API keys, access tokens, authorizations, JWTs, etc. in JS files
Example:
$ cat paypalJS.txt | xargs -I@ bash -c 'printf "\n[URL] %s\n\n" "$1"; python3 SecretFinder.py -i "$1" -o cli' _ @ >> paypalJsSecrets.txt
antiburl/antiburl.py - Takes URLs on stdin and prints them to stdout if they return a 200 OK. antiburl.py is an advanced version.
Example:
$ cat paypalJS.txt | antiburl > paypalJSAlive.txt
$ cat paypalJS.txt | python3 antiburl.py -A -X 404 -H 'header:value' 'header2:value2' -N -C "mycookies=10" -T 50
ffuf - A tool for fuzzing; I also use it to fuzz for JS files
Example:
$ ffuf -u https://www.paypalobjects.com/js/FUZZ -w jsWordlist.txt -t 200
Note: top wordlists - https://wordlists.assetnote.io/
allJsToJson.py - It makes a request to each URL passed to it, retrieves all the JS files, and saves them for me in a JSON file.
$ cat myPaypalUrls.txt | python3 allJsToJson.py output.json
$ cat output.json
{
  "url_1": {
    "root": "www.paypal.com",
    "path": "/us/home",
    "url": "https://www.paypal.com/us/home",
    "count_js": "4",
    "results": {
      "script_1": "https://www.paypalobjects.com/web/res/dc9/99e63da7c23f04e84d0e82bce06b5/js/config.js",
      "content": "function()/**/"
    }
  },
  "url_2": {}
}
gitHubLinks.py - find new links on GitHub, in this case only javascript links
Example:
$ python3 gitHubLinks.py www.paypalobjects.com | grep -iE '\.js'
availableForPurchase.py - This tool checks whether a domain is available for purchase; combined with linkfinder and collector it is really powerful. Developers often mistype a domain by accident, and that domain may be the one an external JavaScript file is imported from, etc.
Example:
$ cat paypalJS.txt | xargs -I @ python3 linkfinder.py -i @ -o cli | python3 collector.py output
$ cat output/urls.txt | python3 availableForPurchase.py
[NO] www.googleapis.com
[YES] www.gooogleapis.com
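An added example (not the author's private availableForPurchase.py): a release-time check a site owner can run over their own bundles to catch the misspelled-domain case shown above. It swaps the registrar lookup for an offline edit-distance comparison against an allow-list; EXPECTED_HOSTS, the function names and the sample bundle are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the site is expected to load from (constructed allow-list).
EXPECTED_HOSTS = {"www.googleapis.com", "www.paypalobjects.com"}
URL_RE = re.compile(r"""https?://[^\s"'<>)\\]+""", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def hosts_in(js_source):
    """Lower-cased hostnames of every absolute URL found in the source."""
    hosts = set()
    for url in URL_RE.findall(js_source):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
            continue
        if host:
            hosts.add(host.lower())
    return hosts

def lookalike_hosts(js_source, expected=EXPECTED_HOSTS, max_dist=2):
    """Map each unexpected host to the expected host it is a near-miss of."""
    findings = {}
    for host in sorted(hosts_in(js_source) - set(expected)):
        for good in sorted(expected):
            if edit_distance(host, good) <= max_dist:
                findings[host] = good
                break
    return findings

# Constructed sample bundle: one correct host, one misspelled, one unrelated.
SAMPLE_JS = """
loadScript("https://www.googleapis.com/js/api.js");
loadScript("https://www.gooogleapis.com/js/plus.js");
fetch("https://cdn.example.org/data.json");
"""

if __name__ == "__main__":
    for host, good in lookalike_hosts(SAMPLE_JS).items():
        print(f"[CHECK] {host} looks like a misspelling of {good}")
```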
BurpSuite - Extract the content between the script tags (I usually use getScriptTagContent.py), then save the content and run linkfinder on it:
$ python3 linkfinder.py -i burpscriptscontent.txt -o cli
jsbeautify.py - JavaScript beautifier
Example:
$ python3 jsbeautify.py https://www.paypalobject.com/test.js paypal/manualAnalyzis.js
collector.py - Splits linkfinder's stdout into JS files, URLs, params, etc.
$ python3 linkfinder.py -i https://www.test.com/a.js -o cli | python3 collector.py output
$ ls output
files.txt js.txt params.txt paths.txt urls.txt
jsAlert.py - Notifies you if there are any interesting keywords, such as postMessage, onmessage, innerHTML, etc.
Example:
$ cat myjslist.txt | python3 jsAlert.py
[URL] https://..../test.js line:16 - innerHTML
[URL] https://.../test1.js line:3223 - onmessage
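An added example (not the author's private jsAlert.py) of the same keyword scan written as a code-review check over a bundle you already have on disk. Beyond the keywords listed above it notes, heuristically, message handlers whose body never references `.origin` and postMessage calls with a wildcard target; the pattern set, function names and sample source are assumptions constructed for illustration.

```python
import re

# Keywords named in the guide; "onmessage" also covers the addEventListener form.
PATTERNS = {
    "innerHTML": re.compile(r"\.innerHTML\s*\+?=(?!=)"),
    "postMessage": re.compile(r"\.postMessage\s*\("),
    "onmessage": re.compile(r"""\.onmessage\s*=(?!=)|addEventListener\s*\(\s*["']message["']"""),
}

def handler_body(lines, start, limit=40):
    """Text from lines[start] until braces balance (heuristic: ignores strings)."""
    depth, body = 0, []
    for line in lines[start:start + limit]:
        body.append(line)
        depth += line.count("{") - line.count("}")
        if depth <= 0 and ("{" in "".join(body) or line.rstrip().endswith(";")):
            break
    return "\n".join(body)

def scan(source):
    """Return (line_no, keyword, note) per hit; note is '' when nothing to add."""
    lines = source.splitlines()
    findings = []
    for no, line in enumerate(lines, 1):
        for name, pattern in PATTERNS.items():
            if not pattern.search(line):
                continue
            note = ""
            if name == "onmessage" and ".origin" not in handler_body(lines, no - 1):
                note = "no .origin check in handler"
            if name == "postMessage" and re.search(r""",\s*["']\*["']\s*\)""", line):
                note = "wildcard targetOrigin"
            findings.append((no, name, note))
    return findings

# Constructed sample: two message handlers, one without an origin check.
SAMPLE_JS = """\
window.addEventListener("message", function (e) {
  document.getElementById("out").innerHTML = e.data;
});
window.addEventListener("message", function (e) {
  if (e.origin === "https://www.example.com") render(e.data);
});
parent.postMessage({ready: true}, "*");
"""

if __name__ == "__main__":
    for no, name, note in scan(SAMPLE_JS):
        print(f"line:{no} - {name}" + (f" ({note})" if note else ""))
```

Minified bundles put everything on one line, so run a beautifier first or the line numbers and the brace heuristic lose their value.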
getScriptTagContent.py - Gets the content between script tags
Example:
$ cat "https://www.google.com/"|python3 getScriptTagContent.py
function()/**/...
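An added example (not the code of getSrc.py or of the private getScriptTagContent.py) showing what the two tools described above do to a page: resolve every script src to an absolute URL, honouring `<base href>`, and collect the inline script bodies. It also lists the third-party hosts the page pulls scripts from; the class and function names and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptInventory(HTMLParser):
    """Collect absolute script URLs and inline script bodies from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced if the page declares <base href>
        self.external = []     # absolute URLs from <script src=...>
        self.inline = []       # text between <script> and </script>
        self._buf = None       # list of text chunks while inside an inline script

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
        elif tag == "script":
            if attrs.get("src"):
                self.external.append(urljoin(self.base, attrs["src"].strip()))
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def inventory(html, page_url):
    """Return (external_urls, inline_bodies, third_party_hosts) for one page."""
    parser = ScriptInventory(page_url)
    parser.feed(html)
    parser.close()
    own = urlsplit(page_url).hostname
    hosts = {urlsplit(u).hostname for u in parser.external}
    return parser.external, [b for b in parser.inline if b], sorted(hosts - {own, None})

# Constructed sample page, using the PayPal hosts from the guide's examples.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//www.paypalobjects.com/tagmgmt/bs-chunk.js"></script>
<script>window.cfg = {api: "/v1"};</script>
</head></html>"""

if __name__ == "__main__":
    print(inventory(SAMPLE_HTML, "https://www.paypal.com/us/home"))
```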
getJSWords.py - Gets all the words in a JavaScript file, excluding JavaScript keywords
Example:
$ python3 getjswords.py https://www.google.com/test.js
word word1 ...
As you can see above, we need to make many requests every time. I solve this problem with allJsToJson, which keeps the content of all the JS files for me. The tool is deliberately made to process only 5 URLs at a time because of the size of the file; every time it processes 5 URLs it saves the output: output1.json, output2.json, ...
Other Resources: