Finding Basic Auth Tokens in JavaScript Files by Full Automation

Hi, everyone

My name is Santosh Kumar Sha, and I'm a security researcher from India (Assam). In this article, I will describe how I was able to find production and staging access tokens leaked by an Android application and take over the whole infrastructure.

Tip for hunting Android bugs:

Tools required:

  1. gf (tomnomnom): https://github.com/tomnomnom/gf
  2. grep
  3. wget
  4. curl
  5. gau (Corben): https://github.com/lc/gau
  6. waybackurls (tomnomnom): https://github.com/tomnomnom/waybackurls
  7. subjs (Corben): https://github.com/lc/subjs
  8. subfinder and httpx (projectdiscovery), used in the pipelines below

Step 1: Collecting all the JS files from the Wayback Machine

Suppose the target domain is example.com and all of its subdomains (the wildcard) are in scope.

Scope of the target: *.example.com

gau -subs example.com | grep "\.js$" >> jsfile.txt

subfinder -d example.com -silent | waybackurls | grep "\.js$" >> jsfile.txt

subfinder -d example.com -silent | httpx -silent | subjs >> jsfile.txt

Note: also spider the host in Burp and copy every JS file link from there into jsfile.txt, so that you don't miss any JS file.

Now that we have collected all JS file URLs from the Wayback Machine and from Burp, we sort them, remove duplicates and check whether each one still resolves, so dead links are dropped from the file. This simple pipeline does the sorting and dead-link removal:

cat jsfile.txt | sort -u | httpx -silent >> jsfile_totest.txt

Step 2: Now comes the automation part.

Case 1: Automating with curl and grep.

I don't reach for complex tools or scripts for automation. Simple tools like curl and grep are enough to automate this.

cat jsfile_totest.txt | xargs -I % -P 10 curl -sk "%" | grep -E -i -w -n --color "BASIC[A-Z0-9_-]*['\"]?[:=]['\"]?[A-Z0-9_-]{10,}"

Case 2: Automation using wget and grep.

You might be wondering why I use wget here. With wget I download all the JS files to the local machine, so you can also perform white-box testing on them.

mkdir localpathjs; cd localpathjs

cat jsfile_totest.txt | xargs -I % -P 10 wget -r "%"

Now change to the directory where you downloaded the JS files (mine is localpathjs), open a terminal and run the same grep command we used above:

cd localpathjs

root@kali:~/localpathjs# grep -E -i -w -n -r -H --color "BASIC[A-Z0-9_-]*['\"]?[:=]['\"]?[A-Z0-9_-]{10,}" .
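The same check can run on the defending side before a bundle ever ships. As an added example (not the author's script), here is a Python pre-release scanner that applies a tightened version of the BASIC pattern to built JS files and decodes each candidate to confirm it is really a base64 user:password pair, which cuts the false positives the raw grep produces. The sample JS and the function names are constructed for illustration.

```python
import base64
import itertools
import re
from typing import List, Optional, Tuple

# Constructed sample of a bundled JS file: two hardcoded Basic credentials
# (one as an Authorization header, one as a config key) and one benign string.
SAMPLE_JS = """\
const api = axios.create({ baseURL: "https://staging.example.com" });
api.defaults.headers.common["Authorization"] = "Basic c3RhZ2luZzpzM2NyM3Q=";
var cfg = { BASIC_AUTH_TOKEN: 'cHJvZHVzZXI6cHJvZHBhc3M=' };
const label = "basic-settings-panel";   // not a credential
"""

# Header-style value: the literal word Basic followed by a base64 blob.
HEADER_RE = re.compile(r"\bBasic\s+([A-Za-z0-9+/]{8,}={0,2})")
# Config-style value, in the spirit of the article's grep: BASIC (any case,
# optionally suffixed like BASIC_AUTH_TOKEN), then ':' or '=', then a quoted or
# bare run of at least 10 base64-looking characters.
BASIC_RE = re.compile(
    r"""\bbasic[A-Za-z0-9_-]*\s*["']?\s*[:=]\s*["']?([A-Za-z0-9+/=_-]{10,})""",
    re.IGNORECASE,
)

def decode_basic(token: str) -> Optional[str]:
    """Return 'user:pass' if token is base64 of a user:password pair, else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return raw if ":" in raw else None

def find_basic_tokens(js_source: str) -> List[Tuple[int, str, str]]:
    """Scan JS text line by line and return (line_no, token, decoded) for every
    line whose candidate decodes to a user:password pair (one hit per line)."""
    hits = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        for m in itertools.chain(HEADER_RE.finditer(line), BASIC_RE.finditer(line)):
            decoded = decode_basic(m.group(1))
            if decoded:
                hits.append((lineno, m.group(1), decoded))
                break
    return hits

if __name__ == "__main__":
    for lineno, token, decoded in find_basic_tokens(SAMPLE_JS):
        user = decoded.split(":", 1)[0]
        print(f"line {lineno}: hardcoded Basic credential for user '{user}' ({token})")
```

Point it at your build output directory in CI and fail the pipeline on any hit; the password never needs to be printed.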

Takeaway

I'm sure a lot of security researchers have already seen this process, but this is how I approach finding secrets in JS files, and I have reported many findings on HackerOne using it. I hope it helps you find more leaked credentials in JS files. I don't claim it is the only correct way, but it is my automation process, because reading every JS file of more than 1000 lines by hand is impossible.

I hope this helps my fellow bug bounty hunters. If it helps a single person, it's a win for me. That's one of the reasons I wanted to share my experience, and also to highlight the automation process.

Support me if you like my work! Buy me a coffee and Follow me on Twitter.

Thanks for reading :)
Stay Safe.

https://twitter.com/killmongar1996
