How to retrieve sensitive information from js files in penetration testing

Analyze the target's JavaScript files to check whether they contain sensitive information. Developers sometimes leave API endpoints, URLs, parameters, access keys and similar data in JS files, so reading those files is a reliable way to find them.

The main goal is to find interface (API) URLs and sensitive parameters. Vulnerability scanners rarely discover these automatically, because the endpoints are assembled inside the code and are often never linked from the rendered pages.

1. Browser Inspection#

1.1 Source Code#

Open the target website in a browser and right-click to "Inspect".

image

Open the "Sources" tab (or view the page source).

image

Under this tab, you can find the website's static resources, such as CSS and JS files, as shown in the above image.

Use option + command + F (Mac) or Ctrl + Shift + F (Windows/Linux) to search across all loaded files.

image

Search for interface URLs and other sensitive strings across all loaded scripts.

1.2 SourceDetector#

SourceDetector is a browser extension that automatically detects .map (source map) files referenced by a site's scripts. A source map maps minified code back to the original source files and usually embeds their full text in sourcesContent, so an exposed .map file hands over the unminified code, comments and internal paths.

image

1.3 findsomething#

This tool quickly extracts interesting information from a page's HTML source or JS code, including requested resources, interface URLs, IP addresses and domain names, leaked ID numbers, phone numbers, email addresses and similar data.

https://github.com/ResidualLaugh/FindSomething/tree/master

image

image

2. Burp Suite#

2.1 Combining JS Scripts with Burp#

Open the browser console, paste the following script and press Enter (the javascript: prefix also lets you save it as a bookmarklet). It fetches every external script on the page, extracts quoted strings that look like paths from those scripts and from the page HTML, and writes the unique results after a three-second delay. Recent Chrome versions ask you to type allow pasting the first time you paste code into the console.

javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

After about three seconds the page is replaced by the extracted paths, one per line, as in the following image. Because the script uses document.write on a fixed timer, scripts whose fetch takes longer than three seconds are missed.

image

Copy the list into Burp Intruder as a payload set and let Intruder request each path, then review which ones exist and what they return.

image

Or use Yakit for traversal.

image

2.2 HaE#

HaE (Highlighter and Extractor) is a Burp extension that highlights and extracts sensitive data such as endpoints, keys and tokens from proxied responses according to configurable regex rules.

image

2.3 BurpJSLinkFinder#

BurpJSLinkFinder is a Burp extension that passively scans the JS files passing through the proxy for endpoint links, using the LinkFinder regex.

image

2.4 findUriInjs#

A Burp plugin that can actively and passively extract links.

3. File Spider + Nuclei#

3.1 rad#

rad --target https://www.wjbet777.com/ | grep ".js" > wjbet777.txt

Note that grep ".js" is a substring match: it also keeps .json, .jsp and similar URLs, so tighten the filter before feeding the list to the next tool.

image

3.2 argo#

An automated general-purpose crawler based on go-rod (headless Chrome) that collects the URLs of a website.

argo -t https://xxx.com/

image

3.3 URLFinder#

A tool for quickly extracting and checking JS files and URLs from web pages. -s all shows results with every HTTP status code and -m 3 selects the deep crawling mode that filters out dangerous routes.

urlFinder -u https://xxx.com/ -s all -m 3

image

4. jsleak#

Secrets (-s):

echo https://www.xxx.com/ | jsleak -s

image

Links (-l):

echo https://www.xxx.com/ | jsleak -l

image

Complete URLs (-e resolves extracted links against the target):

echo https://www.sishunwl.cn/ | jsleak -e

Status check (-k requests each link; -c sets the concurrency):

echo https://www.sishunwl.cn/ | jsleak -c 20 -k

Input from a file:

cat urls.txt | jsleak -l -s -c 30

cat ff.alive.txt | jsleak -l -s -c 30 -e -k

JS Sensitive Information Leakage Helper#

JS Sensitive Information Leakage Helper - WIH Introduction
