My Javascript Recon Process - BugBounty


This is a simple guide to performing JavaScript recon in bug bounty hunting.


  • The first step is to collect as many JavaScript files as possible (more files = more paths and parameters -> more vulns).

    How many JS files you get depends a lot on the target (I focus mainly on large targets) and also a lot on the tools you use. I use a lot of my personal tools for this:


    gau
    linkfinder
    getSrc
    SecretFinder
    antiburl
    ffuf
    (private tool)
    (private tool)
    BurpSuite
    (private tool)
    (private tool)


    gau - This tool is great; I usually use it to search for as many JavaScript files as possible. Many companies host their files on third parties, which is very important for a bug hunter because it lets you enumerate a lot more JS files!

    $ gau |grep -iE '\.js'|grep -ivE '\.json'|sort -u  >> paypalJS.txt
    Don't worry if the place where the files are hosted is out of scope; our intent is to enumerate JS files to get more

    linkfinder - This tool is great; I usually use it to search for paths and links. Combined with other tools it is awesome!

    $ cat paypalJS.txt|xargs -I@ bash -c "echo -e '\n[URL]: @\n'; python3 -i @ -o cli" >> paypalJSPathsWithUrl.txt
    $ cat paypalJSPathsWithUrl.txt|grep -ivF '[URL]:'|sort -u > paypalJSPathsNoUrl.txt
    $ cat paypalJSPathsNoUrl.txt | python3 output

    getSrc - Tool to extract script links; the nice thing about this tool is that it makes absolute URLs!

     $ python3


    SecretFinder - Tool to discover sensitive data like API keys, access tokens, authorization headers, JWTs, etc. in JS files.

    $ cat paypalJS.txt|xargs -I @ bash -c 'echo -e "\n[URL] @\n";python3 -i @ -o cli' >> paypalJsSecrets.txt

    antiburl - Takes URLs on stdin and prints them to stdout if they return a 200 OK. The second tool (used below) is an advanced version of it.

    $ cat paypalJS.txt|antiburl > paypalJSAlive.txt
    $ cat paypalJS.txt | python3 -A -X 404 -H 'header:value' 'header2:value2' -N -C "mycookies=10" -T 50 

    ffuf - Tool for fuzzing; I also use it for fuzzing JS files.

    $ ffuf -u -w jsWordlist.txt -t 200 
    Note: top wordlists -
    - It makes a request to the URLs passed to it, retrieves all the JS files and saves them for me in a JSON file.

    $ cat myPaypalUrls.txt | python3 output.json
    $ cat output.json
    {
      "url_1": {
        "root": "",
        "path": "/us/home",
        "url": "",
        "count_js": "4",
        "results": {
          "script_1": "",
          "content": "function()/**/"
        }
      },
      "url_2": {}
    }

    - Finds new links on GitHub, in this case only JavaScript links.

     $ python3|grep -iE '\.js'
    - This tool checks whether a domain is available for purchase. Combined with linkfinder and collector it is really powerful: many times developers mistype a domain by distraction, and maybe that domain is importing an external JavaScript file, etc.

    $ cat paypalJS.txt|xargs -I @ bash -c 'python3 -i @ -o cli' | python3 output
    $ cat output/urls.txt | python3

    BurpSuite - Extract the content between the script tags; I usually use


    After this, save the content and use linkfinder:

    $ python3 -i burpscriptscontent.txt -o cli

    - JavaScript beautifier

    $ python3 jsbeautify paypal/manualAnalyzis.js
    - Splits linkfinder stdout into JS files, URLs, params, etc.

    $ python3 -i -o cli | python3 output
    $ ls output
    files.txt	js.txt		params.txt	paths.txt	urls.txt
    - Notifies if there are any interesting keywords, such as postMessage, onmessage, innerHTML, etc.

    $ cat myjslist.txt | python3
    [URL] https://..../test.js
    line:16 - innerHTML
    [URL] https://.../test1.js
    line:3223 - onmessage
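As an added example (not the gist author's tool, whose name was lost here), a small Python keyword scanner that prints the same `[URL]` / `line:N - keyword` shape. The sinks beyond the three the gist names, the wildcard-origin postMessage note and the sample JS are my additions and constructed for illustration.

```python
import re

# Keywords to look for. The first three are the ones the gist names; the
# others are common DOM-XSS sinks added here as an assumption of what "etc" covers.
KEYWORDS = ["postMessage", "onmessage", "innerHTML", "outerHTML",
            "document.write", "eval", "location.hash"]

# Match whole identifiers only, so "innerHTMLCache" is not reported as innerHTML.
_KW = re.compile(r"(?<![A-Za-z0-9_$])(" + "|".join(map(re.escape, KEYWORDS))
                 + r")(?![A-Za-z0-9_$])")
# postMessage whose targetOrigin is "*": any window may receive the data.
_WILDCARD_PM = re.compile(r"postMessage\s*\([^;]*,\s*['\"]\*['\"]\s*\)")


def scan_js(source):
    """Return one (line_no, keyword, note) tuple per hit, in file order."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in _KW.finditer(line):
            kw = m.group(1)
            note = ""
            if kw == "postMessage" and _WILDCARD_PM.search(line):
                note = "targetOrigin is '*'"
            hits.append((line_no, kw, note))
    return hits


def report(url, source):
    """Render hits in the same shape the gist's tool prints them."""
    out = ["[URL] " + url]
    for line_no, kw, note in scan_js(source):
        out.append("line:%d - %s%s" % (line_no, kw, " (%s)" % note if note else ""))
    return "\n".join(out)


# Constructed sample JS; not taken from any real target.
SAMPLE_JS = """// constructed sample
var cache = {innerHTMLCache: 1};
window.addEventListener('message', function (e) {
  document.getElementById('out').innerHTML = e.data;
});
parent.postMessage({ready: true}, '*');
"""

if __name__ == "__main__":
    print(report("https://example.invalid/test.js", SAMPLE_JS))
```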
    - Get the content between script tags

    $ cat ""|python3 
    - Get all the words in a JavaScript file, excluding JavaScript keywords

    $ python3

    As you see above, we have to make many requests every time. I solve this problem with allJsToJson, which keeps a copy of all JS files and their content. The tool is deliberately made to process only 5 URLs at a time because of the size of the file; every time it processes 5 URLs it saves the output: output1.json, output2.json, ...

Other Resources:



@B4RD4k B4RD4k commented May 25, 2021

Under SecretFinder, change:
cat paypalJS.txt|xargs -n2 -I @ bash -c 'echo -e "\n[URL] @\n";python3 -i @ -o cli' >> paypalJsSecrets.txt
cat paypalJS.txt|xargs -n2 -I @ bash -c 'echo -e "\n[URL] @\n";python3 -i @ -o cli' >> paypalJsSecrets.txt

