How to expand your attack surface and avoid duplicates
assalamu alaikum wa rahmatullahi wa barakatuh, i hope you’re doing good insha’allah
This write-up will be about how do i approach JS files in a way that is kinda Cool “not slow”, i hope so :D
Avoiding duplicates usually get achieved by doing what other bug hunters procrastinate to do, which is digging in JS files, most of them as i’ve noticed in twitter “X” use tools that automate the process of finding endpoints and secrets, this is kinda 50% effective as i have noticed, because not all developers are the same, some may write the code of sending request like
await go.x1.patch(`endpoint/api/v3/${o}/jobs/${n}/messages/${t}`, {
text: i,
attachments: r}most of tools will not be able to catch the url in the past code, even JSluice that the legend tomnomnom has created
other example
const l = (0, n(1).Nh)(a.W, (e => {
let {
bookingID: t
} = e;
return `/bookings/${t}`
})),
d = {
getJobBookingDetails(e) {
let {
bookingID: t,
apiContext: n
} = e;
return l({
apiContext: n,
method: "get",
pathParams: {
bookingUuid: t
}
}).then((e => {
let {
data: t
} = e;
return {
data: (0, r.h)(t.toJS())
}
}))
}
}now you might say in your head “no way to automate it”, well, you won’t automate it, you will extract them but not with any tools, bc as you’ve noticed not all developers are the same :D
Let’s get to the action part, shall we ? :D
i guess you may need to use ChatGPT if you cant write regexs “It’s hard till you practice it”
Collecting process “recon”
Lil Tip: make sure that you have added the host that serves the JS files to scope in your burp project, bc not every web app serves his JS files in it’s own host, it maybe using a CDN, so make sure that the CDN hostname in the scope e.g.
target.cloudfront.com
- enable proxyifiing traffic to burp, and go browse every functionality in your target, try every button, submit every form, and so on
- save all the JS files from you burp project to a file, how is that? let’s figure out, burp suite -> proxy -> http history -> search -> mark only in scope items and show only JS files
3. now select all of them -> right click -> save items “make sure you unselect save them in B64 format”
4. remember when i told you browse every functionality ? now you have dozens of endpoints in your burp suite, grab some, i’d prefect to get at least 10 endpoints, specially ones with variable in it “like IDs or something”, remember “only the endpoints” not the hostname with the endpoint
5. open the xml file we have saved in your favorite code editor, personally I prefer sublime text, now try noting how the endpoints has been written, and create regexs to match it, if you dont know how to write one, ask ChatGPT, but at what part are we gonna match? in the previous example of JS code, it might be
return `/bookings/${t}`if you have found that this is a pattern of writing endpoints there try writing a regex that would be smth like
return `[^`]+`
this regex will start matching from that return string, then a space and anything between these two backticks symbols, you may add a condition of matching to have at least one backslash in the string in between, consider it as a homework too :D, repeat this process for all endpoints you have if it does have a unique pattern of typing like this one, wont be time consuming as reviewing every single line trust me, and every code editor has that feature to search with regexs so, you dont have to code
regarding that ChatGPT, you can ask to questions Like
Create me a regex that matches anything between 2 backticks and must have at least one backslah in it
ChatGPT is your friend after google
6. you may use tools too like jsluice, endext, xnLinkFinder
7. this one is not regarding JS files, but this one depends on your ability of noticing patterns of typing endpoints by developers, after passing by most of them in burp suite you may get to know a pattern of typing
e.g., there was that target that has some data that cant be modified after verification process till you contact support and tell them you wanna edit it, the endpoint was something like /get-business-info I’ve found multiple endpoints prefixed with the get string and it gets modified by replacing it with update string believe it or not, it worked, but after reporting it i found that this endpoint was in JS files:D, still a point for me, ryt?
Analyzing process
After you’ve collected a decent amount of endpoints by now, you should be able to notice what is important and critical, prioritize endpoints that’s catchy for you it maybe something regarding paying, payout? searching for staging, admin? this process is up to you not me unfortunately, so be creative, search for secrets using regex DB you’ve created or posted in github repo or something
Lil trick
try extracting all string between double quotes “” and use them for fuzzing endpoints, parameter values “create a regex”
use them to fuzz for JS files, it works trust me, and for finding swagger endpoints too :D
by saying endpoints i mean you should fuzz every path segment with the wordlist you’ve created by doing that, don’t just try it in the last path segment, be creative yk?
This process is not enough for analyzing JS files, you should investigate them further if you’re not in a rush, and it’s good for beginners “Like me” :)
i hope you’ve learned something, its my first “long” blog, DM me on Twitter “X” on @mux0x for any comments you have
