JustForFun

3rd Party Recon with Javascript - Part1

These are the voyages of a security enthusiast. Its continuing mission: to explore strange new knowledge. To seek out new ideas and new techniques. To boldly go where no one has gone before!

In a security test engagement, there are many ways to find 3rd-party libraries, such as browser and Burp extensions. So, I'm using them in my tests. But I noticed that I couldn't see all the libraries except the vulnerable ones in these extensions. So, I'm checking with JavaScript for complete visibility, especially during JS lib recon. You can see all the JS files, including those custom-coded for the project. If you are lucky or in a vulnerable environment, you can find sensitive data, logic problems, etc., in these JS files. The developer console is a blessing!

Let's see my little notes. The script below gets all the JS files that are called on the page. querySelectorAll is the key in this tiny script. As you guessed, it selects all the <script> tags to check their source attribute.
const getScripts = function() {
  const scripts = document.querySelectorAll('script');
  scripts.forEach((script) => {
    if (script.src) {
      console.log(`i: ${script.src}`);
    }
  });
};
getScripts();
You can easily modify this script if you have another target tag to see its attribute values. The secret thing is, what do you want from the DOM?
Tiny things:

// Ember JS version check in Dev Console
console.log(Ember.VERSION);

// Let's see the Angular version!
const elements = getAllAngularRootElements();
const ngVersion = elements[0].getAttribute('ng-version');
console.log(ngVersion);

// Show me the React version (only works when React is exposed as a global)
const reactVersion = React.version;
console.log(reactVersion);
BONUS: CSS is as important as JS files. Let's check it then!
const getStyles = function() {
  const links = document.querySelectorAll('link');
  links.forEach((link) => {
    if (link.rel === 'stylesheet') {
      console.log(`i: ${link.getAttribute('href')}`);
    }
  });
};

getStyles();
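Both snippets above can be folded into one inventory that resolves relative values (getAttribute('href') returns the raw attribute, while script.src is already absolute) and groups the results by origin, so 3rd-party hosts stand out. This is an added example, not code from the original post; TARGETS, SAMPLE, classifyResources and collectFromDom are made-up names, and the sample URLs are constructed.

```javascript
// Added example; TARGETS, SAMPLE, classifyResources and collectFromDom are made-up names.
const TARGETS = [
  { selector: 'script[src]', attr: 'src', kind: 'script' },
  { selector: 'link[rel~="stylesheet"][href]', attr: 'href', kind: 'style' },
];

// Resolve each raw attribute value against the page URL, then group by origin.
function classifyResources(entries, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const byOrigin = new Map();
  for (const { kind, value } of entries) {
    let url;
    try {
      url = new URL(value, pageUrl); // handles relative and protocol-relative values
    } catch {
      continue; // not a parseable URL
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue; // skip data:, blob:
    if (!byOrigin.has(url.origin)) {
      byOrigin.set(url.origin, {
        origin: url.origin, thirdParty: url.origin !== pageOrigin, scripts: [], styles: [],
      });
    }
    const group = byOrigin.get(url.origin);
    const list = kind === 'script' ? group.scripts : group.styles;
    if (!list.includes(url.href)) list.push(url.href); // de-duplicate
  }
  return [...byOrigin.values()];
}

// Read the raw attribute values from a live DOM (browser only).
function collectFromDom(doc) {
  return TARGETS.flatMap(({ selector, attr, kind }) =>
    [...doc.querySelectorAll(selector)].map((el) => ({ kind, value: el.getAttribute(attr) })));
}

// Constructed sample, used when no DOM is available (for example under Node).
const SAMPLE = [
  { kind: 'script', value: '/static/app.js' },
  { kind: 'script', value: '//cdn.example.net/lib/framework.min.js' },
  { kind: 'script', value: 'https://cdn.example.net/lib/framework.min.js' },
  { kind: 'style', value: 'css/site.css' },
  { kind: 'style', value: 'https://fonts.example.org/css?family=Sample' },
  { kind: 'script', value: 'data:text/javascript,void 0' },
];
const inventory = typeof document !== 'undefined'
  ? classifyResources(collectFromDom(document), document.baseURI)
  : classifyResources(SAMPLE, 'https://app.example.test/dashboard/index.html');
console.log(JSON.stringify(inventory, null, 2));
```

Pasted into the developer console it reads the live DOM; add another entry to TARGETS to cover a different tag and attribute.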
-EOF