Easy Bounties: JavaScript (JS) File Analysis

Aditya Narayan
3 min read · Dec 26, 2024

Hey everyone! Previously in my other blogs I explained how I’m taking baby steps into learning different vulnerabilities and their exploits to essentially dive into hunting actual bugs.

Earlier we saw how we can take over an entire subdomain of our target. You can check that blog out here:

From the list of low-hanging fruit, today I decided to dive into exploring and analyzing JavaScript (JS) files for sensitive information disclosure. This blog is all about what I’ve learned, step by step, and the tools I’ve used. If you’re also starting out, I hope this helps you!

Why should you perform JS File Analysis

Basically analyzing JS files can lead to discovering P1/P2 category vulnerabilities.

I forgot to mention it happens →SOMETIMES← and not always, but it’s true! These files often contain:

  • Sensitive information like API keys or secrets.
  • Endpoints that could reveal hidden functionalities.
  • Configurations that developers unintentionally expose.

In short, JS files can sometimes become a goldmine of sensitive data, and because of their sensitive nature, the rewards are good too. Plus, they’re surprisingly easy to find if you know where to look.

My Game Plan for JS File Analysis

Below are the steps I follow to get some juicy info out of those JS files.

Gather JS File Links from the Target

First, I make sure I have a complete list of all the JS files associated with the target. This requires subdomain enumeration to ensure I’m covering all bases.

Filter Out JS Files for Analysis

After gathering the files, I focus on filtering them for analysis. Not all JS files are worth your time; some might just be libraries. Look for:

  • JS files with custom names.
  • Files hosted directly on the target’s domain.

Analyze for Endpoints

Many JS files contain endpoints that aren’t directly visible on the website. Finding these can reveal hidden APIs or functionalities to explore further.

Look for Secrets

This is where the fun begins! I use a custom wordlist of keywords to search for things like:

  • aws_access_key
  • api_key
  • .env
  • password
  • ssh

Download JS Files Locally

Having JS files on your local machine makes it easier to analyze them manually, especially when automated tools might miss something subtle.

Tools I’ve Been Using

While manual analysis is crucial, these tools have been game-changers for me:

To Find JS Files:

  • Subjs: Quick and efficient for locating JS files.
  • Katana: A great alternative for finding both JS files and their associated endpoints.

To Extract JS Files:

  • getJS: Makes downloading JS files from sources a breeze.

To Analyze JS Files:

  • SecretFinder: Scans JS files for potential secrets and sensitive information.
  • APIScout: A helpful tool for identifying API endpoints within JS files.

To Automate Vulnerability Detection:

  • Nuclei: Perfect for running vulnerability scans on collected endpoints.

My Wordlist for Sensitive Keywords

When analyzing JS files, I look for the following keywords. There is more to it than just these few words, but this list is still in the making, and as I progress it’s going to grow too…

aws_access_key
eyj
key
passwd
pwd
heroku
slack
firebase
swagger
aws_secret_key
api_key
config
admin
json
gcp
htaccess
.env
ssh
oauth_token
oauth_token_secret
aws
password
ftp
jdbc
db
sql
secret
.git
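Here is an added example (not from the original post or from any of the tools listed above) of a small Python triage pass for the "Analyze for Endpoints" and "Look for Secrets" steps, using part of this wordlist. It only reports a keyword when a quoted literal is assigned to it, skips obvious placeholders, and redacts values; the function names, regexes and sample are constructed for illustration.

```python
import re

# Subset of the post's wordlist; short, noisy terms (key, db, json) are left out.
KEYWORDS = ["aws_access_key", "aws_secret_key", "api_key", "oauth_token",
            "password", "passwd", "pwd", "secret"]

# A keyword-bearing name assigned a quoted literal of 8+ characters.
ASSIGN_RE = re.compile(
    r"""(?P<name>(?:%s)[\w$-]*)["']?\s*[:=]\s*(?P<q>["'`])(?P<value>[^"'`\s]{8,})(?P=q)"""
    % "|".join(map(re.escape, KEYWORDS)), re.IGNORECASE)
# "eyj" in the wordlist targets JWTs: three base64url segments starting with eyJ.
JWT_RE = re.compile(r"eyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}")
# Obvious documentation placeholders that are not worth a report.
PLACEHOLDER_RE = re.compile(r"^(?:your[_-]|change[_-]?me|x{6,}|\$\{|<)", re.IGNORECASE)
# Quoted absolute URLs or multi-segment paths.
ENDPOINT_RE = re.compile(
    r"""["'`]((?:https?://[^"'`\s]+)|(?:/[\w.-]+(?:/[\w.{}:-]+)+))["'`]""")

def redact(value):
    """Keep a 4-character prefix so a finding can be located without copying the secret."""
    return f"{value[:4]}...[{len(value)} chars]"

def scan_js(source):
    """Return (findings, endpoints); findings are (line, name, redacted value)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            if not PLACEHOLDER_RE.search(m.group("value")):
                findings.append((lineno, m.group("name"), redact(m.group("value"))))
        for m in JWT_RE.finditer(line):
            findings.append((lineno, "jwt", redact(m.group(0))))
    return findings, sorted(set(ENDPOINT_RE.findall(source)))

# Constructed sample, not taken from any real site.
SAMPLE = '''\
const cfg = { api_key: "c0nstructed-sample-key-123", region: "eu" };
const demo_password = "YOUR_PASSWORD_HERE";
let passwordField = document.getElementById("pw");
const t = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl";
fetch("/api/v2/internal/users", { headers: h });
axios.get(`https://api.example.test/v1/export`);
'''

if __name__ == "__main__":
    findings, endpoints = scan_js(SAMPLE)
    for finding in findings:
        print("possible secret:", finding)
    for endpoint in endpoints:
        print("endpoint:", endpoint)
```

Lines 2 and 3 of the sample produce no finding: one is a placeholder, the other only mentions the keyword without assigning a literal to it.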

Resources I learned from:

These are not be-all and end-all resources, but I’ve found them really easy to understand and get started with as a noob.

Articles:

Guides:

Videos:

Summary

Learning JS file analysis has been an eye-opening experience. The process of finding and analyzing these files has taught me so much about how data can unintentionally leak and how attackers think.

If you’re new to bug bounty hunting, I highly recommend starting here. It’s not only rewarding but also a great way to sharpen your skills.

NOTE:
Not every API key we find will be sensitive; some might even be placed there intentionally to be outward/internet/public facing. For each one, we need to understand the risk it poses and the impact it might have.
https://www.youtube.com/watch?v=4enjKo2hQMY

I’ll keep documenting my journey, so stay tuned for more posts like this. And if you’ve got tips, tools, or experiences to share, I’d love to hear them!
