How to JS for Bug Bounties : Edition 2023
I am Aditya Shende (Kong) from India. A Bounty Hunter , Biker and Researcher.
This is my 14th article , If you found any spell error. Let it be….. Lets start
Locating .js files:
The process of finding .js files is relatively straightforward. One approach is to right-click on the web page and select “view source” (or visit view-source:https://www.website.com/). Then, you can search for occurrences of “.js” within the HTML code. This method is suitable for manual hackers, as it allows you to identify .js files that exclusively contain code relevant to the specific endpoint you are exploring. In that case, you may come across a file named “config.js,” which is specifically associated with this endpoint. This file might unveil new API endpoints that were previously unknown to you.
When employing Burp Suite’s spidering functionality, you will encounter numerous .js files, which should be subjected to further investigation. Additionally, as mentioned earlier, if the target website utilizes ReactJS, you are likely to encounter main.js and app.js files.
The items you should be searching for include:
grep -r -E "aws_access_key|aws_secret_key|api key|passwd|pwd|heroku|slack|firebase|swagger|aws_secret_key|aws key|password|ftp password|jdbc|db|sql|secret jet|config|admin|pwd|json|gcp|htaccess|.env|ssh key|.git|access key|secret token|oauth_token|oauth_token_secret" /path/to/directory/*.js
Make sure to replace
/path/to/directory with the actual path to the directory where your .js files are located. The command will recursively search for the specified keywords in all .js files within that directory.
Please note that it's important to exercise caution and follow ethical guidelines when performing searches like this, ensuring you have proper authorization to access and analyze the files.
subfinder -d domain.com: This command utilizes the tool called Subfinder to discover subdomains of the specified domain (
domain.com). Subfinder is a subdomain discovery tool that uses various sources to find subdomains associated with a domain.
| httpx -mc 200: The pipe (
|) symbol is used to pass the output of the previous command as input to the next command. In this case, the output of the
subfindercommand is passed to
httpxcommand is used to send HTTP requests and filter the responses with a status code of 200 (successful response).
| tee subdomains.txt: Again, the pipe (
|) symbol is used to pass the output of the previous command, which contains the discovered subdomains with a 200 status code, to the
teeis a command-line utility that allows you to both display the output on the screen and save it to a file. In this case, it saves the subdomains to a file named
cat subdomains.txt | waybackurls: The
catcommand is used to read the contents of the
subdomains.txtfile. The output is then passed as input to the
waybackurlsis a tool that retrieves historical URLs from the Wayback Machine, which is an archive of web pages. This command helps in finding URLs that were previously available but may not be currently accessible.
| httpx -mc 200: Similar to the previous usages, the pipe (
|) symbol passes the output from
httpx, which filters URLs with a status code of 200.
| grep .js | tee js.txt: The
tee, which saves them to a file named
teecommand allows displaying the output on the screen while simultaneously saving it to the file.
In summary, this command sequence combines various tools (
The complete command is as follows:
subfinder -d domain.com | httpx -mc 200 | tee subdomains.txt && cat subdomains.txt | waybackurls | httpx -mc 200 | grep .js | tee js.txt
Please ensure that you replace
domain.com with the actual domain you want to search.
Now you can grep for this : cat js.txt | grep -r -E “aws_access_key|aws_secret_key|api key|passwd|pwd|heroku|slack|firebase|swagger|aws_secret_key|aws key|password|ftp password|jdbc|db|sql|secret jet|config|admin|pwd|json|gcp|htaccess|.env|ssh key|.git|access key|secret token|oauth_token|oauth_token_secret”
Once you get the JS URLs you can use nuclei exposures tag on it get more sensitive information .
To run a Nuclei command on the
js.txt file with the
exposures tag, you can use the following command:
nuclei -l js.txt -t ~/nuclei-templates/exposures/ -o js_exposures_results.txt
Here’s an explanation of each part of the command:
nuclei: This is the command to run Nuclei, a fast and customizable vulnerability scanner.
-l js.txt: The
-lflag specifies the file (
js.txt) containing the list of URLs to scan with Nuclei.
-t ~/nuclei-templates/exposures/: The
-tflag specifies the path to the Nuclei templates directory for the
exposurestag. Adjust the path
~/nuclei-templates/exposures/to match the actual path where your Nuclei templates are stored.
-o js_exposures_results.txt: The
-oflag is used to specify the output file (
js_exposures_results.txt) where the scan results will be saved. You can replace
js_exposures_results.txtwith the desired output file name.
Make sure you have Nuclei and the relevant templates (in this case, templates related to exposures) installed and configured properly before running the command. Adjust the paths and filenames according to your specific setup.