Analyzing JavaScript files (Part 2)

NorthStar
2 min read · Jan 27, 2023

Before reading the second part, go and read part 1 https://medium.com/@indhumathi19973/analyzing-javascript-files-part-1-9b07eb8cfb8e

Attack Strategy:

Using waybackurls

Install waybackurls. With this tool we can also grep for JS files that might not be linked anymore but are still online.

go install github.com/tomnomnom/waybackurls@latest
waybackurls google.com | grep -E '\.js(\?|$)' | sort -u

(On current Go releases `go get` no longer installs binaries, hence `go install ...@latest`. The stricter grep pattern avoids also matching .json and .jsp paths, and `sort -u` deduplicates properly, whereas `uniq` only collapses adjacent duplicates.)

Defense mechanisms

Developers use a range of defense mechanisms to hold us off, but that’s okay. We can get around those by being diligent and making sure that we take our time.

1. JS Obfuscation

2. JS Chunking

  • This is where the developers chop up the JS into little pieces that all reference each other. Very annoying to get around, and it’s just hard work puzzling the code back together.

If we are trying to defeat these mechanisms, it might help to set up a replica of your target’s environment and analyse the code statically there.

Analysing JS files

So now that we have a ton of JS files, we can analyse them manually or we can run some tools on them. The cool thing is that these tools don’t always need to have the JS files downloaded: it is possible for tools like linkfinder to crawl a domain for JS files. We have a few tools in our toolbelt, but today I want to focus on linkfinder and secretfinder.

1. Linkfinder

Installing linkfinder is super simple

git clone https://github.com/GerbenJavado/LinkFinder.git
cd LinkFinder
python setup.py install

We then need to install the dependencies

$ pip3 install -r requirements.txt

We can then use linkfinder in a range of different modes.

python linkfinder.py -i https://example.com/1.js -o results.html
python linkfinder.py -i https://example.com -d

The results will consist of a TON of new links that we can investigate, either digging deeper into them manually or scanning them automatically if the target allows it.

2. Secretfinder

Secretfinder builds on linkfinder but focuses on analyzing the JS for things like API keys.

Installation is just as simple as with linkfinder

git clone https://github.com/m4ll0k/SecretFinder.git secretfinder
cd secretfinder
python -m pip install -r requirements.txt
python3 SecretFinder.py

(pip install -r requirements.txt works as well for the dependency step.)

Then we can start using it in the same way as linkfinder

python3 SecretFinder.py -i https://example.com/1.js -o results.html
python3 SecretFinder.py -i https://example.com -d

The results will consist of a list of sensitive data. The nature of this sensitive data can vary from API keys to literal passwords. How we can use these is highly situational, and sometimes they don’t have a use at all or are supposed to be public, so judge carefully.
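As an added example that is not part of the original post and not the code of linkfinder or secretfinder, the script below does in miniature what both tools do: it pulls endpoint-like strings out of a constructed JS fragment and matches a few secret shapes, attaching a triage note so that a key that is meant to be embedded (a Stripe publishable key) is not reported like a leaked secret key. The regexes, the sample bundle and the key values are assumptions made up for illustration, not the tools’ own pattern lists.

```python
import re

# Constructed sample: the kind of fragment you would find in a built JS bundle.
SAMPLE_JS = r'''
const API = "https://api.example.com/v1";
fetch(API + "/users/me", {headers: {"X-Api-Key": "sk_live_ExAmPlE0123456789AbCdEfG"}});
const cfg = {awsAccessKeyId: "AKIAIOSFODNN7EXAMPLE", debugPath: "/internal/debug"};
const stripe = Stripe("pk_live_ExAmPlE0123456789AbCdEfG");
import("./chunk.42.js").then(m => m.default("/static/app.css"));
'''

# Endpoint-like quoted strings: absolute URLs or root-relative paths (linkfinder's job).
ENDPOINT_RE = re.compile(r'''["'`]((?:https?://|/)[A-Za-z0-9_./?=&%-]+)["'`]''')
STATIC_SUFFIXES = (".js", ".css", ".png", ".svg", ".woff")

# Illustrative secret shapes with a triage note (secretfinder's job); assumed patterns.
SECRET_PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "secret: rotate"),
    "stripe_secret_key": (re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"), "secret: rotate"),
    "stripe_publishable_key": (re.compile(r"\bpk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
                               "public by design: check key restrictions"),
}

def find_endpoints(js: str) -> list:
    """Unique endpoint-like strings, skipping static assets and chunk files."""
    found = []
    for m in ENDPOINT_RE.finditer(js):
        url = m.group(1)
        if not url.endswith(STATIC_SUFFIXES) and url not in found:
            found.append(url)
    return found

def find_secrets(js: str) -> list:
    """(kind, value, note) triples; the note is the 'judge carefully' step."""
    hits = []
    for kind, (rx, note) in SECRET_PATTERNS.items():
        for m in rx.finditer(js):
            hits.append((kind, m.group(0), note))
    return hits

if __name__ == "__main__":
    for url in find_endpoints(SAMPLE_JS):
        print("endpoint", url)
    for kind, value, note in find_secrets(SAMPLE_JS):
        print(f"{kind:24} {value}  [{note}]")
```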
