JavaScript: Hunting And Analyzing.
Welcome Guys..!! It’s Me, Hacktivist Attacker, Awake Again with an Awesome Topic, which is JavaScript: Hunting And Analyzing in Web Application Penetration Testing..
Let’s Boost Ourselves And Get Up, We can start from scratch..,
Who is JavaScript😄?
Mr JavaScript Is a “Programming Language” Used for Building Web Applications. Overall 99% of websites use JavaScript on their client side for Webpage Behavior. The combination of JS (JavaScript), HTML (HyperText Markup Language) and CSS (Cascading Style Sheets) is what makes the Web Application Unbelievable..
Why We Focus on The JavaScript🧐:
JavaScript can be used to communicate with other Components (the Application’s Backend, API Services, etc.). For example, JavaScript might interact with the Application’s Backend.
By analyzing the JavaScript code, we can learn how the application is structured and how it works. Not only the Application’s Logic: JavaScript can also contain Sensitive Information (API keys, config files, sensitive Endpoints, etc.).
We Can divide this blog into three parts..,
1. JavaScript Files Hunting → Collecting all the JS files from the Application’s Source.
2. JavaScript Files Analyzing (Automated) → Analyzing all the JS files for Sensitive information.
3. JavaScript Files Analyzing (Manual) → Manually Analyzing all the JS files to Explore Vulnerabilities.
We can see them all briefly, One by one..,
1. JavaScript Files Hunting:
The JavaScript files carry the “.js” Extension. Every application stores all its JS files on its server, and these JS files are referenced in the Source code of the Application.
Using Crawlers we can get all the JS files of the application. Basically the crawlers would crawl all the Contents of the Application’s Source (dirs, files and links); then we would need to grep the JS file links from the discovered contents.
NOTE🫠: If you remember, in the previous blog Content Discovery: Directories, Files And Links Enumeration, we were able to enumerate all the contents in the web application (dirs, files and links) by using crawlers. But now we will focus specially on the Links to JS files and on Analyzing them.
Basically the crawlers would output all the contents of the web application. We need to grep the JS links from those contents. We can use the command below to grep the JS files from the contents of the file.
cat target-urls.txt | grep -iE "\.js(\?|$)" | sort -u > target-all-jslinks.txt
#Explanation:
cat target-urls.txt --> read all the contents of the file.
grep -iE "\.js(\?|$)" --> Grep the links that end with ".js" (optionally followed by a query string); a bare "\.js" would also match .json/.jsx
sort -u --> Sort and remove the duplicates (uniq alone only removes adjacent duplicates)
Saving JS files Locally:
We also need to download all the JS files to our computer. It will help us to manually analyze them in the upcoming Section.
Script:
#!/bin/bash
# Read one URL per line from the links file
while IFS= read -r url; do
# Build a local filename: replace URL characters (/ : . ? -) with "_" and drop the scheme
modified_url=$(echo "$url" | sed -e 's|/|_|g' -e 's|:|_|g' -e 's|\.|_|g' -e 's|?|_|g' -e 's|https___||g' -e 's|-|_|g')
# Download the JS file under that name into the current directory
wget -O "$modified_url" "$url"
done < js_links_files.txt
Usage:
1)Save the script as a shell (.sh) file (js_down.sh)
2)Replace "js_links_files.txt" with your JS links file name
3)Give executable permission
chmod +x js_down.sh
4)Run The Script
./js_down.sh
The Script would download all the JS files into your current working directory.
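As an added example (not from the original post), here is a small bash helper that does the grep and download-naming steps above more carefully: it keeps only URLs whose path really ends in .js (so .json and .jsx are skipped), deduplicates them, and maps each URL to a filename with no slashes, so a crawled URL can never write outside the current directory. The sample crawler output and the example.com hostnames are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): filter crawler output down to
# real JavaScript URLs and derive a safe local filename for each one.

# Keep only URLs whose path ends in ".js" (optionally followed by a query
# string); a bare ".js" match would also pull in .json/.jsp/.jsx files.
extract_js_links() {
    grep -iE '^https?://[^ ?#]+\.js(\?[^ #]*)?$' | sort -u
}

# Turn a URL into a filename with no "/" or other path characters, so a
# crawled URL containing "../" cannot escape the download directory.
url_to_filename() {
    printf '%s\n' "$1" \
        | sed -E -e 's#^https?://##' -e 's#[^A-Za-z0-9._-]+#_#g' -e 's#^_+##'
}

# Constructed sample of what a crawler might emit, including noise to drop.
sample_urls() {
    cat <<'EOF'
https://www.example.com/static/app.js
https://www.example.com/static/app.js
https://www.example.com/api/config.json
https://www.example.com/static/vendor.min.js?v=1.2.3
http://www.example.com/assets/jsx/Widget.jsx
https://www.example.com/README.md
https://cdn.example.com/lib/jquery.js
EOF
}

count_js_links() { sample_urls | extract_js_links | wc -l | tr -d ' '; }

main() {
    sample_urls | extract_js_links | while IFS= read -r url; do
        printf '%s -> %s\n' "$url" "$(url_to_filename "$url")"
    done
}
main
```

Replace sample_urls with `cat target-urls.txt` and feed each name into `wget -O` to reproduce the download step with the safer filenames.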
2. JavaScript Files Analyzing(Automating):
Now, We can Analyze the JS files for Sensitive data by passing them to Automation tools. The tools work with regex patterns and find interesting information in the JS files.
Tools:
1.SecretFinder —> A Python script to find sensitive data (API keys, etc.) and search for anything in JavaScript files
Install:
git clone https://github.com/m4ll0k/SecretFinder.git secretfinder
cd secretfinder
python -m pip install -r requirements.txt or pip install -r requirements.txt
python3 SecretFinder.py
Usage:
#!/bin/bash
# Change the filename to yours....
# Read one URL per line (safer than `for x in $(cat file)`, which splits on whitespace)
while IFS= read -r jsurl; do
python3 SecretFinder.py -i "$jsurl" -o cli | tee -a target-all-sensitive-js.txt
echo ''
sleep 0.5
done < target-all-jslinks.txt
The script above just passes all the links in the file to the tool SecretFinder. Then the tool analyzes each JavaScript file and outputs the sensitive information it found.
We can also directly pass the location of all the downloaded JS files to SecretFinder for Analysis.
Usage:
python3 SecretFinder.py -i your/jsfiles/location/ -o cli | tee -a target-all-sensitive-js.txt
2.Nuclei → Fast and customizable vulnerability scanner based on simple YAML based DSL.
Install:
#Check that Go is already installed and that "$HOME/go/bin" is in your PATH env variable
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
Usage:
nuclei -l target-all-jslinks.txt -t ~/nuclei-templates/http/exposures -o target-js-secrets.txt
#Explanation:
-l --> File that holds the list of JS links.
-t --> Templates to load and execute
-o --> Save the output to the file
Like SecretFinder, Nuclei is able to extract sensitive information from the JS files. There are lots of templates available in the location “nuclei-templates/http/exposures”. Nuclei reports all the findings at runtime and concurrently saves all the outputs to the file.
3. JavaScript Files Analyzing(Manually):
What we saw in the previous technique is only a small part of analyzing JavaScript in Bug bounty. Really, We need to know the JavaScript language to analyze it in Real world applications🙂.
Personally, I am not 100% perfect in the JavaScript language. I don’t even conduct manual JavaScript analysis on every JS file. But, I should Manually read and perform analysis on some JS files at Sensitive Endpoints like “api, login, reset password, etc.”. That doesn’t matter, I can try to give the best Of Me🤠. It would help you to Identify vulnerabilities in the JavaScript code.
Methodology For Manually Analyzing JS Files:
1)Gathering All JavaScript Files:
We already Collected All the JS files of our target. You can refer to this blog for gathering the JS files from your target. Okay dudes, Let’s move on to the next section..
2)Understanding The Code:
If we look at the Application’s JS files in the browser, they look complex. We can use the developer tools to beautify the code. We can also use other tools that are able to beautify our locally downloaded JS files.
i)JavaScript Beautify:
We can use the js-beautify tool to convert unstructured JS code into structured, readable code.
Tools:
js-beautify → Beautifier for JavaScript that will reconstruct plain or complex (minified) JS code into a readable view.
Install And Usage:
#Install with npm (you need to have npm installed already)
npm install -g js-beautify
#usage:
js-beautify example.com-ugly.js > example.com-beautified.js
ii)Obfuscation:
Another important thing about the Code: we have to make sure that the JavaScript files are in a readable format. Sometimes, as a defense mechanism, an Obfuscation technique is applied that makes the code complex to Understand. It is not 100% possible to recover Obfuscated code. However, We can try our Best 👊.
Tools:
JSDetox → A JavaScript malware analysis tool.
Install:
sudo apt-get install git ruby ruby-dev bundler build-essential
git clone https://github.com/svent/jsdetox.git
cd jsdetox
sudo bundle install
Usage:
Just execute the main file and point your browser to http://localhost:3000/. In the browser interface you can paste your obfuscated JS code. The tool would return the original form of the obfuscated JS code.
3)Analyzing The Code:
After we have converted our code to a readable version, we start to analyze the JS code to find some interesting stuff. Because the code is complex, and to keep it beginner friendly, I divided the analyzing topic into several parts. It can be very helpful for beginners to analyze JavaScript👍.
i)Identify Frameworks and Libraries:
Every programming language has predefined libraries and frameworks. They are just groups of code designed to perform some functions in that programming language.
Popular frameworks like jQuery or React can contain potential vulnerabilities. By reading the source of the application, We can find out🔎 which Framework is used in the application’s JavaScript. There are also programs available to analyze the source code and find out the vulnerable libraries and Frameworks.
Tools:
Retire-JS → Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also give the reference and PoC of the vulnerable libraries it finds.
Install:
#Please ensure you already installed the "npm" on your system
npm install -g retire
Usage:
retire --path /path/to/your/jsfiles/ --deep --outputpath outfile.txt
#Explanation:
--path -> Path to your JS files
--deep -> Perform a deep scan
--outputpath -> File to write the output to
#For more usage:
retire --help
Retire-js would give the best results for you. But it’s always better to also look at the JS code and perform manual analysis.
ii)Analyzing JavaScript Functions(Sinks❗):
Like libraries and frameworks, a Function is also a group of code, which can be created by the programmers As they wish. A Function has a unique identifier; by using this Identifier, programmers 🧑🏻💻 can use the same function anywhere in the program.
JavaScript can make many background requests (without reloading the Page), which are also called Ajax requests. We can’t see those requests until we use Proxy tools (Eg. ZAP, Burp Suite) or Manually Analyze the source code. Some dangerous predefined functions (Also called Sinks) allow a string to be executed as JavaScript code in the application (Eg. eval()).
Looking for these Sinks in the application’s JavaScript can give you a chance to find an XSS⚔️ (Cross-Site Scripting).
iii)Looking At The Comments:
Comments are Magical🪄 words used by the developers to add notes about their code. The Highlight about Comments: the Interpreter does not See or Run Those lines in the program. Developers can add a timestamp, version or something about the code.
Eg:
//This line is used to execute the string as the JS codes.
eval("alert('Hii…,')");
Comments might help you to understand the code when you’re performing manual analysis of JavaScript files.
4)Identifying The Potential Vulnerabilities:
Here are the common vulnerabilities that you can find by Analyzing JS files😶🌫️..!!!
Unsecured Data Storage: Identify instances where sensitive data (e.g., API keys, encryption keys) is stored in plain text or insecurely.
Insecure Direct Object Reference (IDOR): Look for direct object references that can be manipulated to access unauthorized data.
Unvalidated User Input: Identify instances where user input is not properly validated, potentially leading to injection vulnerabilities.
Is This The End 🫠?..
Not Sure.. As I already said previously, You need to know at least an intermediate level of JavaScript to perform Source Code Analysis.
If you already know JavaScript, that’s cool. If Not, Then Where can you look for Resources to Learn JavaScript? No Problem, Lots of JavaScript Courses are Available for free on the internet. I can give some JavaScript tutorials that might help you🫠..
Video Courses:
1. Learn JavaScript — Full Course for Beginners
The course Learn JavaScript — Full Course for Beginners would teach you the basics of JavaScript you Should Know. This video was published and is owned by freeCodeCamp.org — YouTube.
Course Info📜:
Video Duration: 3 Hours
Language: English
Contents: Basics of JavaScript
2.JavaScript Tutorial Full Course — Beginner to Pro (2024).
If you want to move further and learn more, you could look at JavaScript Tutorial Full Course — Beginner to Pro (2024). This course was published and is owned by SuperSimpleDev (YouTube).
Course Info📜:
Video Duration: 22 Hours
Language: English
Contents: Most Related contents to Web Apps
This JavaScript Tutorial Full Course — Beginner to Pro (2024) course would cover most web-related content in JavaScript.
The one problem with video courses: They would not cover every part of JavaScript (Not only languages, Commonly All Education..). But Books would definitely help you to avoid this problem. I give some books in PDF version, which were freely available on the internet.
Books📓:
1. The Joy of JavaScript— By Luis Atencio
Click to Download The Joy of JavaScript
2.Eloquent JavaScript: A Modern Introduction to Programming - By Marijn Haverbeke
Click to Download Eloquent JavaScript: A Modern Introduction to Programming.
3.JavaScript For Impatient Programmers — By Dr. Axel Rauschmayer
Click to Download JavaScript For Impatient Programmers.
4.Simplifying JavaScript: Writing Modern JavaScript with ES5, ES6, and Beyond — By Joe Morgan
Click to Download Simplifying JavaScript: Writing Modern JavaScript with ES5, ES6, and Beyond.
NOTE: All the recommended resources are based on Ratings and Reviews🙃. I Don’t personally suggest anyone learn JavaScript from those materials Only. If you have any other resources to learn from, surely you can use them, and If they were Good, Don’t forget to Mention them in the Comments😉...
At Last:
I think we have covered overall JavaScript Code Analysis for Bug Bounty. Most vulnerabilities in code would be hunted with Dynamic Analysis. If we are able to analyze the code manually, Then it would help us a lot.
I know, I published this blog 2 Months after I published my last blog😞. Sorry for My late performance. I Wasted My Precious Time on Some Worthless🫤 Distractions. (But surely I will Not again🔥).
That’s all I want to Say… Okay guys..!! We will meet in our next blog.. Be Ready for it.. Stay Tuned and Stay Hacked…
Quote For The Day:
“Don’t Be Afraid To Give Up The Good To Go For The Great.” — John D. Rockefeller