JS File Reconnaissance In Web Hacking

Introduction

SysSecureLabs is a cutting-edge cybersecurity firm focused on delivering expert penetration testing and in-depth security assessments to protect modern digital infrastructures. Our mission is to empower businesses with robust defense strategies through innovation, precision, and expert-driven insights.

In today’s blog post, we’re diving into an essential topic for web security professionals: JavaScript File Reconnaissance in Web Hacking — exploring how JS files can reveal critical information that attackers often exploit.

Agenda

In this post, we’ll be covering three powerful techniques for extracting valuable information from JavaScript files during reconnaissance:

  1. Two Regular Expressions for Endpoint Discovery – These help identify hidden or undocumented API endpoints that can be targeted during further testing.
  2. One Regular Expression for Secret Detection – This focuses on uncovering hardcoded secrets like API keys or tokens that may be unintentionally exposed in JavaScript files.
  3. Bonus

Adding Bookmarks in the Browser

Step 1: Add Bookmark – Extract Endpoints Type 1

  1. Open your browser’s Bookmarks Manager.
  2. Create a new bookmark named: Extract Endpoints Type 1
  3. Paste the following code into the URL field of the bookmark:
javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\%27|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\%60))/g;const%20results=new%20Set;for(var%20i=0;i<scripts.length;i++){var%20t=scripts[i].src;""!=t&&fetch(t).then(function(t){return%20t.text()}).then(function(t){var%20e=t.matchAll(regex);for(let%20r%20of%20e)results.add(r[0])}).catch(function(t){console.log("An%20error%20occurred:%20",t)})}var%20pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const%20match%20of%20matches)results.add(match[0]);function%20writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})()

  4. Save the bookmark.

Step 2: Add Bookmark – Extract Endpoints Type 2

  1. Open your browser’s Bookmarks Manager.
  2. Create a new bookmark named: Extract Endpoints Type 2
  3. Paste the following code into the URL field of the bookmark:
javascript:(function(){  const regex = /(?<=(["%27`]))(https?:\/\/|\/)[^"%27`<>\\\s]+(?=(["%27`]))/g;  const jsFiles = new Set();  const apiPaths = new Set();  const s3Buckets = new Set();  const otherPaths = new Set();  const scripts = document.getElementsByTagName("script");  for (let i = 0; i < scripts.length; i++) {    const src = scripts[i].src;    if (!src) continue;    categorize(src);    fetch(src)      .then(res => res.text())      .then(text => {        const matches = text.matchAll(regex);        for (const match of matches) {          categorize(match[0]);        }      })      .catch(err => console.warn("Fetch error:", err));  }  const htmlMatches = document.documentElement.outerHTML.matchAll(regex);  for (const match of htmlMatches) {    categorize(match[0]);  }  function categorize(url) {    const lower = url.toLowerCase();    if (lower.startsWith("http://") || lower.startsWith("https://")) {      if (lower.endsWith(".js")) jsFiles.add(url);      else if (lower.includes("/api")) apiPaths.add(url);      else if (lower.includes("s3.amazonaws.com") || lower.includes(".s3.") || lower.includes(".s3-")) s3Buckets.add(url);      else otherPaths.add(url);    } else {      otherPaths.add(url);    }  }  function writeSection(win, title, dataSet, emptyMessage) {    win.document.write(`<h2 style="font-family:monospace;">${title}</h2><pre>`);    if (dataSet.size > 0) {      Array.from(dataSet).sort().forEach(url => win.document.write(url + '\n'));    } else {      win.document.write(`❌ ${emptyMessage}\n`);    }    win.document.write('</pre>');  }  function showResults() {    const win = window.open('', '_blank');    writeSection(win, '📦 JavaScript Files (.js)', jsFiles, 'No JavaScript files found');    writeSection(win, '🧪 API Endpoints (/api)', apiPaths, 'No API URLs found');    writeSection(win, '🔣 S3 Bucket URLs', s3Buckets, 'No S3 Bucket URLs found');    writeSection(win, '🌐 Other URLs / Paths', otherPaths, 'No other URLs found');  }  setTimeout(showResults, 4000);})()

  4. Save the bookmark.

Step 3: Add Bookmark – Find Secret in JS Files

  1. Add a third bookmark named: Find Secret In Js Files
  2. Paste the following code into the URL field:
javascript:(function() {  const jsRegex = /^https?:\/\/.*\.js$/i;  const sensitiveRegex = /(-password|basic-payment-profiles|_password|aws_|aws-|-secret|_secret|-key|_key|-token|_token|bearer|authorization).{0,160}/gi;  const scripts = Array.from(document.getElementsByTagName("script"))    .map(s => s.src)    .filter(src => jsRegex.test(src));  if (scripts.length === 0) {    alert("❌ No external JS files found starting with http/https.");    return;  }  const win = window.open('', '_blank');  win.document.write(`    <html>      <head>        <title>Sensitive Data in JS</title>        <style>          body { font-family: Consolas, monospace; background: #1e1e1e; color: #d4d4d4; padding: 10px; }          .url { color: #ffd700; font-weight: bold; }          .match { color: #00ff7f; margin-left: 20px; }          .error { color: #ff4c4c; }        </style>      </head>      <body>        <h2>🔍 Scanning External JS Files for Sensitive Info</h2>        <pre id="results"></pre>      </body>    </html>`);  const resultContainer = () => win.document.getElementById("results");  scripts.forEach(js_url => {    fetch(js_url)      .then(res => res.text())      .then(content => {        const matches = content.match(sensitiveRegex);        if (matches && matches.length > 0) {          resultContainer().innerHTML += `<div class="url">📄 ${js_url}</div>`;          matches.forEach(m => {            const sanitized = m.trim().replace(/</g, "&lt;").replace(/>/g, "&gt;");            resultContainer().innerHTML += `<div class="match">${sanitized}</div>`;          });          resultContainer().innerHTML += `<br>`;        }      })      .catch(err => {        resultContainer().innerHTML += `<div class="error">❌ Error loading ${js_url}: ${err}</div><br>`;      });  });})()

  3. Save the bookmark.
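As an added example (not part of the original post or its bookmarklets), the Type 2 endpoint regex and the secret regex above run offline under Node.js over a constructed bundle, so a development team can check what its shipped JavaScript reveals before release and get a report that does not copy the secret itself. The sample bundle, its hosts, paths and key values are all made up for the demo.

```javascript
// Added example, not from the original post: the Type 2 endpoint regex and the secret
// regex from the bookmarklets above, run offline (Node.js) as a pre-release bundle check.

// Type 2 endpoint regex with the URL-encoded %27 decoded back to a single quote.
const ENDPOINT_RE = /(?<=(["'`]))(https?:\/\/|\/)[^"'`<>\\\s]+(?=(["'`]))/g;
// Secret-hint regex from the "Find Secret In Js Files" bookmarklet.
const SECRET_RE = /(-password|basic-payment-profiles|_password|aws_|aws-|-secret|_secret|-key|_key|-token|_token|bearer|authorization).{0,160}/gi;

// Same four buckets the bookmarklet prints; relative paths are kept under otherPaths.
function inventoryEndpoints(source) {
  const out = { jsFiles: new Set(), apiPaths: new Set(), s3Buckets: new Set(), otherPaths: new Set() };
  for (const m of source.matchAll(ENDPOINT_RE)) {
    const url = m[0], lower = url.toLowerCase();
    if (!lower.startsWith("http")) out.otherPaths.add(url);
    else if (lower.endsWith(".js")) out.jsFiles.add(url);
    else if (lower.includes("/api")) out.apiPaths.add(url);
    else if (lower.includes("s3.amazonaws.com") || lower.includes(".s3.") || lower.includes(".s3-")) out.s3Buckets.add(url);
    else out.otherPaths.add(url);
  }
  return Object.fromEntries(Object.entries(out).map(([k, v]) => [k, [...v].sort()]));
}

// One finding per secret-looking fragment: line number, which keyword fired, and the
// fragment with every quoted string of 8+ characters redacted, so the report itself
// does not copy the secret into logs or tickets.
function findSecretHints(source) {
  const findings = [];
  for (const m of source.matchAll(SECRET_RE)) {
    const line = source.slice(0, m.index).split("\n").length;
    const snippet = m[0].trim().replace(/(["'`])[^"'`]{8,}\1/g, (_, q) => `${q}[REDACTED]${q}`);
    findings.push({ line, hint: m[1].toLowerCase(), snippet });
  }
  return findings;
}

// Constructed sample bundle: every host, path and value below is made up for the demo.
const SAMPLE_BUNDLE = [
  'const base = "https://example.test/api/v2/users";',
  'const chunk = "https://cdn.example.test/static/app.chunk.js";',
  'const assets = "https://my-assets.s3.amazonaws.com/img/";',
  'fetch("/internal/admin/export?format=csv");',
  'const aws_key = "AKIAEXAMPLEEXAMPLE12"; // constructed placeholder',
  'headers["Authorization"] = "Bearer eyJhbGciOiJIUzI1NiJ9.placeholder";',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(inventoryEndpoints(SAMPLE_BUNDLE));
  console.log(findSecretHints(SAMPLE_BUNDLE));
}
```

Because the keyword list is only a hint (for example `-key` also fires on harmless names), each finding still needs a human look; the redaction keeps that review safe to paste around.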

Test All Three Bookmarks

Testing the First Bookmark

Visit any website (we use PayPal as our target here) and simply click the first bookmark.

See the endpoints obtained from the first bookmark:

Testing the Second Bookmark

We get this endpoint:

Testing the Third Bookmark

If the website or your target has leaked some credentials or API keys, you just need to visit the site and click this bookmark; within seconds it retrieves the data.

See the output; this is just an example.

For motivation purposes only: our researcher earned a bounty from a program for just 5 minutes of work. Below is the breakdown.

Our researcher picked a target, intercepted its requests and noticed some APIs behind every request, visited the website, ran the secret-finding bookmark and got one token in the output as shown above, verified that the token was valid and reported it to the program. The program rotated that token and awarded a generous 750 Euros bounty for this work.

Today's Bonus

Today's bonus: we also want to tell you about an extension that extracts endpoints only; it is also very good. Below is the link to that extension.

Link to the extension

That is all for today. If you face any issue setting this up, we are here to assist you! Have a nice day!
