# 3rd Party Recon with Javascript - Part1

In a security test engagement, there are many ways to find 3rd Party Libraries like browser and burp extensions. So, I'm using them in my tests. But I noticed that I couldn't see all the libraries except the vulnerable ones in these extensions. So, I'm checking with JavaScipt for complete visibility, especially while JS lib recon. You can see all the JS files, such as custom coded for the project. If you are lucky or in a vulnerable environment, you can find sensitive data, logic problems, etc., in these JS files. Easily developer console is a blessing!\
\
Let's see my little notes. \
\
It's getting all the JS files that are called on the page. querySelectorAll is the key in this tiny script. As you guessed, it's selecting all the \<script> tags to check their source attribute.

```javascript
const getScripts = function() {

    const scripts = document.querySelectorAll('script');
        scripts.forEach((script) => { if (script.src) {
            console.log(`i: ${script.src}`);
        }
    }); 
};
getScripts();
```

<figure><img src="/files/WeOBwjJSK2gnRlZ4gS1g" alt=""><figcaption></figcaption></figure>

You can easily modify this script if you have another target tag to see its attribute values. The secret thing is, what do you want from the DOM?

Tiny things:

```javascript
console.log(Ember.VERSION); // Ember JS version check in Dev Console
```

<figure><img src="/files/hJxeY5SDehqTg5qFcxqF" alt=""><figcaption></figcaption></figure>

```javascript
const elements = getAllAngularRootElements();
const version = elements[0].attributes['ng-version'];
console.log(version); // Let's see the Angular version!
```

<figure><img src="/files/oZvWFrnXnNosAoXRSnEK" alt=""><figcaption></figcaption></figure>

```javascript
const version = React.version;
console.log(version); //Show me the React version
```

<figure><img src="/files/JM3XRkP7h1NWdZOqkwql" alt=""><figcaption></figcaption></figure>

**BONUS:**\
\
CSS is as important as JS files. Let's check it then!

{% code lineNumbers="true" %}

```javascript
const getStyles = function() {
   const scripts = document.querySelectorAll('link');
       scripts.forEach((link) => {
           if (link.rel === 'stylesheet') {
               console.log(`i: ${link.getAttribute('href')}`);
           }
       }); 
};

getStyles();
```

{% endcode %}

-EOF


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://lookbook.cyberjungles.com/appsecnotes/3rd-party-recon-with-javascript-part1.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.