
Hacking JavaScript files to get sensitive data

3 min read · Apr 7, 2025

Hello everyone, I hope everyone is doing well. Today I will be sharing my methodology for getting sensitive data from JS files.

JavaScript files often contain sensitive data such as PII, secret keys, auth tokens and API keys. They also often contain references to API endpoints, app routes and input parameters. Developers frequently put sensitive data into JS files during development and then forget to remove it before release, which is how it ends up exposed to anyone who reads the file.

When doing bug bounty hunting, first make sure you have enumerated all the subdomains using both active and passive scanning. Once you have them, you can use katana to gather all the URLs and save them to a file. Burp extensions or other tools can also be used to gather the URLs.

Once you have gathered all the URLs, grep for the JS files and save those to a text file. Now comes the interesting part: use secretfinder to find the sensitive data present in them. You can also write your own script, or use nuclei, to find sensitive data; I usually prefer secretfinder. You can add your own regexes to the tool and customise it further for your own use. You can also check whether a key you have found is actually valid using keyhacks. Apart from keys, JS files can also reveal API endpoints, staging URLs, internal IPs, sensitive parameters, internal data, etc., which could be chained with other bugs, so make sure to always test the JS files.

Note: It is advisable to also check the JS files manually for any sensitive data. Do not rely on the tools alone.
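The scanning step described above, as an added example that is not part of the original post and not secretfinder's code: a small Python scanner, written from a defender's point of view, that you can run over your own built JS bundles before release (or over a saved corpus of JS files during a review) to flag the kinds of strings the post lists: AWS access key IDs, JWT-shaped tokens, private IP addresses, absolute URLs and relative API paths, and credential-looking assignments ranked by the Shannon entropy of their value. The sample bundle and every value in it are constructed for this example (the AWS values are AWS's documented placeholder credentials); `scan_js`, `scan_files`, `PATTERNS` and `SENSITIVE_ASSIGN` are this example's own names.

```python
"""Flag credential-looking strings, endpoints and internal hosts in JS bundles.

Added example for this post, not code from the post or from secretfinder.
Run it over your own built bundles before release, or over a saved corpus of
JS files during a review, and then look at every hit by hand.
"""
import math
import re
import sys
from collections import Counter

# Constructed sample bundle; no real application is behind it. The AWS values
# are AWS's documented placeholder credentials, everything else is invented.
SAMPLE_JS = r"""
const API_BASE = "https://api.staging.example.com/v2";
const ADMIN_PANEL = "http://10.0.12.7:8080/internal/admin";
fetch(API_BASE + "/users/export?format=csv&includePii=true");
const cfg = {
  awsAccessKeyId: "AKIAIOSFODNN7EXAMPLE",
  awsSecretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  cognitoClientId: "1h57kf5cpq17m0eml12EXAMPLE",
  sessionToken: "placeholder",
  buildLabel: "release-2025-04",
};
const authHeader = "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U";
"""

# Fixed-shape patterns. Add your own entries here, the way the post suggests
# adding custom regexes to the tool. A pattern with a capture group reports
# the group; the others report the whole match.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "private_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
    ),
    "url": re.compile(r"https?://[^\s\"'`)]+"),
    "relative_path": re.compile(r"""["'](/[A-Za-z0-9_./?=&%-]+)["']"""),
}

# name: "value" or name = "value" where the name smells like a credential.
SENSITIVE_ASSIGN = re.compile(
    r"\b(\w*(?:secret|token|password|passwd|api[_-]?key|client[_-]?id|access[_-]?key)\w*)"
    r"""\s*[:=]\s*["']([^"']{8,})["']""",
    re.IGNORECASE,
)


def shannon_entropy(text):
    """Bits per character; random-looking secrets score high, words score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def scan_js(source, entropy_threshold=3.5):
    """Return one dict per hit: kind, value, line (1-based) and, for
    credential-looking assignments, the value's entropy and a confidence."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if rx.groups else m.group(0)
                findings.append({"kind": kind, "value": value, "line": lineno})
        for m in SENSITIVE_ASSIGN.finditer(line):
            name, value = m.group(1), m.group(2)
            ent = shannon_entropy(value)
            findings.append({
                "kind": "sensitive_assignment",
                "value": f"{name}={value}",
                "line": lineno,
                "entropy": round(ent, 2),
                # Low entropy usually means a label or placeholder rather than
                # a live secret, but it still deserves a manual look.
                "confidence": "high" if ent >= entropy_threshold else "low",
            })
    return findings


def scan_files(paths):
    """Scan each file path; returns {path: findings}. Unreadable files are skipped."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = scan_js(fh.read())
        except OSError as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)
    return results


if __name__ == "__main__":
    # With file arguments, scan those; without, scan the constructed sample.
    targets = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else {"<sample>": scan_js(SAMPLE_JS)}
    for path, hits in targets.items():
        for hit in hits:
            extra = f" ({hit['confidence']}, H={hit['entropy']})" if "entropy" in hit else ""
            print(f"{path}:{hit['line']}: {hit['kind']}: {hit['value']}{extra}")
```

Run it as `python scan_js.py bundle1.js bundle2.js` against the files you grepped out of the URL list, or with no arguments to see what it reports on the constructed sample. The entropy threshold is the part to tune: a credential-looking name with a low-entropy value (`sessionToken: "placeholder"`) is reported at low confidence rather than dropped, which is the tool-side version of the note above that regex hits are a starting point for manual review, not the end of it.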

I have found many interesting things with this method, such as AWS access keys and secrets, Cognito client IDs, PII such as usernames, emails and phone numbers, Algolia API keys, authentication tokens, unclaimed S3 buckets, etc. Some I got directly from the tool; for others, I had to check manually to find them. There are other tools that could be used as well, such as jsmon.

Sometimes checking the JS files manually can be tiresome, so I would suggest using gowitness to take screenshots of the JS files; it will give you an idea of which files might contain sensitive data, and then you can check those files manually. Just be patient and keep hacking, and you will surely get some highs or criticals :)

There are many other methods for this, but this is what I prefer and have been using for some time now, and it has given me some really good bugs. I am also working on improving my methodology. Once that is done, I will share it as well. I hope this is helpful for you. If you have any doubts or queries, feel free to reach out on Twitter.

Other useful articles you can refer to:

https://blog.stackademic.com/hunting-javascript-file-for-bug-hunters-e8b278a1306a
https://osintteam.blog/how-to-identify-sensitive-data-in-javascript-files-jsrecon-306b8a2e6462


Written by Anishka Shukla

Security Consultant | Bug Bounty Hunter | Trainer | Pentester
