Finding Basic Auth Tokens in JavaScript Files by Full Automation
Hi, everyone
My name is Santosh Kumar Sha, and I'm a security researcher from India (Assam). In this article I describe how I was able to find production and staging access tokens leaked by an Android application and take over the whole infrastructure.
I am now offering 1:1 sessions to share my knowledge and expertise.
Tip for hunting Android bugs:
Tools required:
- gf (tomnomnom) — https://github.com/tomnomnom/gf
- grep
- wget
- gau(Corben) — https://github.com/lc/gau
- waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls
- subjs(Corben) — https://github.com/lc/subjs
Step 1: Collecting all the JS files from the Wayback Machine
Suppose the target domain is example.com, and every subdomain and wildcard is in scope.
Scope of the target: *.example.com
gau -subs example.com | grep "\.js$" >> jsfile.txt
subfinder -d example.com -silent | waybackurls | grep "\.js$" >> jsfile.txt
subfinder -d example.com -silent | httpx -silent | subjs >> jsfile.txt
Note: also spider the host in Burp and copy every JS file link from Burp into jsfile.txt, so that you don't miss any JS file.
After collecting all JS URLs from the Wayback Machine and from Burp, we deduplicate the list and check which URLs still resolve, so that dead links are dropped from the file. One simple pipeline does both:
cat jsfile.txt | sort -u | anew | httpx -silent >> jsfile_totest.txt
Step 2: Now comes the automation part.
Case 1: Automating with curl and grep.
I don't reach for complex tools or scripts for automation. Simple tools like curl and grep are enough to automate this.
cat jsfile_totest.txt | xargs -I % -P 10 curl -sk "%" | grep -E -i -w -n "BASIC[-_A-Z0-9]*('|\")?(:|=)('|\")?[-_A-Z0-9]{10}" --color
Case 2: Automating with wget and grep.
You might be wondering why I use wget here. With wget I download every JS file to the local machine, so you can then do your white-box testing on the local copies.
mkdir localpathjs; cd localpathjs
cat ../jsfile_totest.txt | xargs -I % -P 10 wget -r "%"
Now change into the directory where you downloaded the JS files (mine is localpathjs), open a terminal, and run the same grep command as before, this time recursively over the local files:
cd localpathjs
grep -E -i -w -n -r -H "BASIC[-_A-Z0-9]*('|\")?(:|=)('|\")?[-_A-Z0-9]{10}" --color .
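As an added example that is not part of the original post, here is the same local search written as a small Python scanner. It adapts the article's grep pattern (assumptions: whitespace and quotes may surround the ":" or "=", and the value is at least 10 characters rather than exactly 10), walks a downloaded directory the way grep -r does, and redacts each matched value so a finding can go into a report without copying the secret around. The sample JS files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Adapted from the article's grep pattern. Assumptions: the key starts with
# "basic" (case-insensitive), whitespace and quotes may surround ":" or "=",
# and the value is at least 10 characters (the article's grep uses exactly 10).
TOKEN_RE = re.compile(
    r"\b(BASIC[-_A-Z0-9]*)\s*['\"]?\s*[:=]\s*['\"]?([-_A-Z0-9]{10,})",
    re.IGNORECASE,
)

# Constructed sample files standing in for a downloaded localpathjs tree.
SAMPLE_JS = {
    "app.min.js": (
        'var cfg={api:"https://example.com",BASIC_AUTH:"QWxhZGRpbjpvcGVuc2VzYW1l"};\n'
        "const BASIC_TOKEN_STAGING = 'stg_0123456789abcdef';\n"
        "var basic = true; // short value, must not match\n"
    ),
    "vendor/vendor.js": "function basicSetup(){return 1} // basic usage: see docs\n",
}

def redact(value, keep=4):
    """Keep a short prefix so a hit can be triaged without copying the secret around."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_text(text, name):
    """Return (file, line_no, key, redacted_value) for each hit in one file's text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            hits.append((name, line_no, m.group(1), redact(m.group(2))))
    return hits

def scan_dir(root):
    """Recursively scan every *.js file below root (like grep -r on localpathjs)."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits.extend(scan_text(text, path.relative_to(root).as_posix()))
    return hits

def demo():
    """Write the constructed files into a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_JS.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(body, encoding="utf-8")
        return scan_dir(tmp)
```

Call demo() to see the two constructed hits, or point scan_dir() at your own localpathjs directory; the third sample line (a short boolean) shows why the minimum length matters for cutting false positives.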
Takeaway
I'm sure many security researchers have already seen this process, but this is how I approach finding secrets in JS files, and I have reported many findings on HackerOne using it. I hope it helps you find more leaked credentials in JS files. I don't claim it is the only correct way, but it is my automation process: reading every JS file of more than 1000 lines by hand is impossible.
I hope this helps my fellow bug bounty hunters. If it helps a single person, that's a win for me. That is one of the reasons I wanted to share my experience, and also to highlight the automation process.
Support me if you like my work! Buy me a coffee and follow me on Twitter.
Thanks for reading :)
Stay Safe.