3rd Party Recon with Javascript - Part1

These are the voyages of a security enthusiast. Its continuing mission: to explore strange new knowledge. To seek out new ideas and new techniques. To boldly go where no one has gone before!


Last updated 2 years ago


In a security test engagement, there are many ways to find third-party libraries, such as browser and Burp extensions, so I'm using them in my tests. But I noticed that I couldn't see all the libraries in these extensions, only the vulnerable ones. So I'm checking with JavaScript for complete visibility, especially during JS library recon. You can see all the JS files, including those custom coded for the project. If you are lucky or in a vulnerable environment, you can find sensitive data, logic problems, etc., in these JS files. The developer console is a blessing!

Let's see my little notes. The script below gets all the JS files that are called on the page. querySelectorAll is the key in this tiny script. As you guessed, it selects all the <script> tags to check their src attribute.

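const getScripts = function() {
    // Select every <script> element on the page
    const scripts = document.querySelectorAll('script');
    scripts.forEach((script) => {
        // Inline scripts have no src, so only external files are printed
        if (script.src) {
            console.log(`i: ${script.src}`);
        }
    });
};
getScripts();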

You can easily modify this script to target another tag and read its attribute values. The real question is: what do you want from the DOM?
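One way to turn that list into an inventory, as an added example that is not part of the original notes: it goes a step beyond the script above by grouping each file as first-party, third-party (per host) or inline, and by reading the `integrity` attribute of third-party scripts. The function name `inventoryScripts`, its output shape and the sample hosts are assumptions made for this sketch.

```javascript
// Added example: inventory <script> sources, grouped by first/third party.
// `inventoryScripts` and its output shape are hypothetical names for this sketch.
function inventoryScripts(scripts, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const result = { firstParty: [], thirdParty: {}, inline: 0 };

  for (const script of scripts) {
    if (!script.src) {          // no src attribute: inline script body
      result.inline += 1;
      continue;
    }
    let url;
    try {
      url = new URL(script.src, pageUrl); // resolves relative and //host URLs
    } catch (e) {
      continue;                 // skip values that are not parseable URLs
    }
    if (url.origin === pageOrigin) {
      result.firstParty.push(url.href);
    } else {
      // Group third-party files by host; record whether an integrity value is set.
      const list = result.thirdParty[url.host] || (result.thirdParty[url.host] = []);
      list.push({ url: url.href, hasIntegrity: Boolean(script.integrity) });
    }
  }
  return result;
}

// Constructed sample input so the block also runs outside a browser.
const sampleScripts = [
  { src: '/static/app.js', integrity: '' },
  { src: 'https://cdn.example.net/lib/framework.min.js', integrity: 'sha384-CONSTRUCTED' },
  { src: '//cdn.example.net/lib/plugin.js', integrity: '' },
  { src: '', integrity: '' },
];
const sampleReport = inventoryScripts(sampleScripts, 'https://app.example.com/login');
console.log(JSON.stringify(sampleReport, null, 2));

// In the developer console, run it against the live page instead:
// console.log(inventoryScripts(document.querySelectorAll('script'), location.href));
```

Third-party entries with `hasIntegrity: false` are the ones worth noting in a report, since the page loads them without a Subresource Integrity hash.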

Tiny things:

// Ember JS version check in Dev Console
console.log(Ember.VERSION);

// Let's see the Angular version!
const elements = getAllAngularRootElements();
const ngVersion = elements[0].attributes['ng-version'];
console.log(ngVersion);

// Show me the React version
const reactVersion = React.version;
console.log(reactVersion);

BONUS: CSS is as important as JS files. Let's check it then!

const getStyles = function() {
    // Select every <link> element; only stylesheets are printed
    const links = document.querySelectorAll('link');
    links.forEach((link) => {
        if (link.rel === 'stylesheet') {
            console.log(`i: ${link.getAttribute('href')}`);
        }
    });
};

getStyles();

-EOF