For those who don't know me I am Gerben Janssen van Doorn (online known as: "gerben_javado"). I'm a 21-year-old bug bounty hunter mainly working on HackerOne and a business student. I felt it was time to give back to the community, because up until now I have been fairly silent. Thus, to change this I set up this blog to share information about some of my findings. Let's get to it!

It is no secret that JavaScript files can contain endpoints and/or information that is not disclosed elsewhere in the application. The problem with these JavaScript files is that they are often very large (>1 MB) and minified, which makes reading them manually very time-consuming. To battle this problem I have created LinkFinder, a Python script which uses jsbeautifier in combination with a fairly large regular expression. The goal is to (hopefully) find all endpoints in a JavaScript file, while also delivering the context around each endpoint. To give a short description of the regex: it consists of four small regexes. These are responsible for finding:

  • Full URLs (https://example.com/*)
  • Absolute URLs or dotted URLs (/* or ../*)
  • Relative URLs with at least one slash (text/test.php)
  • Relative URLs without a slash (test.php)

Further details plus the source code can be found on https://github.com/GerbenJavado/LinkFinder, for the rest of this blog post I would like to focus on one of the results it has brought me.
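To make the four categories above concrete, here is a small, self-contained Python example added to this post. It is not LinkFinder's own code or regex: it first pulls quoted string literals out of a (beautified) JavaScript fragment, then classifies each one as a full URL, an absolute or dotted URL, a relative URL with a slash, or a bare file name, and returns the surrounding source as context. The sample JavaScript and the file-extension list are constructed for this example.

```python
import re

# Constructed sample: the kind of fragment a beautified bundle might contain.
SAMPLE_JS = r"""
var api = "https://example.com/api/v1/users";
ajax.request('/company/api/original-owner', {id: 42});
fetch("../assets/config.json");
load("text/test.php?x=1");
include("test.php");
var notAUrl = "hello world";
"""

# Step 1: string literals delimited by ", ' or ` that contain no whitespace.
# Working on delimited literals avoids a full URL also matching the shorter
# patterns (e.g. "/api/v1/users" inside "https://example.com/api/v1/users").
QUOTED = re.compile(r"""(["'`])([^"'`\s]+?)\1""")

# Step 2: one simplified pattern per category, checked in this order so that
# a candidate is assigned to the most specific class that fits.
PATH_CHARS = r"[A-Za-z0-9_./?=&%#:@\-]"
CATEGORIES = [
    ("full_url",               re.compile(r"^https?://\S+$")),
    ("absolute_or_dotted",     re.compile(r"^(?:\.\./|/)" + PATH_CHARS + r"+$")),
    ("relative_with_slash",    re.compile(r"^[A-Za-z0-9_.\-]+(?:/[A-Za-z0-9_.\-]+)+(?:\?\S*)?$")),
    # Bare file names are only accepted with an extension that is plausibly
    # a server-side resource; the list is an assumption for this example.
    ("relative_without_slash", re.compile(r"^[A-Za-z0-9_\-]+\.(?:php|asp|aspx|jsp|do|action|json|html)(?:\?\S*)?$")),
]


def classify(candidate: str):
    """Return the category name for a string literal, or None if it is not endpoint-like."""
    for name, pattern in CATEGORIES:
        if pattern.match(candidate):
            return name
    return None


def find_endpoints(js: str, context: int = 30):
    """Scan JavaScript source and return endpoint candidates with surrounding context."""
    results = []
    for m in QUOTED.finditer(js):
        literal = m.group(2)
        category = classify(literal)
        if category is None:
            continue
        start = max(0, m.start() - context)
        end = min(len(js), m.end() + context)
        snippet = js[start:end].replace("\n", " ").strip()
        results.append({"category": category, "endpoint": literal, "context": snippet})
    return results


if __name__ == "__main__":
    for hit in find_endpoints(SAMPLE_JS):
        print(f"[{hit['category']}] {hit['endpoint']}\n    ...{hit['context']}...")
```

As in the real tool, the interesting part is the context: the line that calls the endpoint rarely carries the parameters it needs, so the returned snippet is a starting point for reading the surrounding code, not a finished result.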

[Image: Output of LinkFinder]

Practical example

Running LinkFinder on the JavaScript files of one of my private (not public 😕) programs*, like:

$ linkfinder.py -i https://www.company.com/static/js/file.js -o 1.html

Got me among other stuff the following code snippet:

ajax.request('/company/api/original-owner', {

After manually going to the JavaScript file and searching for the string above I found out that the endpoint simply required an id GET parameter, specifying which resource should be requested. Supplying the endpoint with an ID linked to staff users of this program revealed the hashed password, email, user agent & verification key of that member among other sensitive information in JSON format. A simple IDOR, but only found at a later stage of the program because it was hidden in a large JavaScript file. Upon triage this issue was classed P1 by the program.
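The root cause of the finding above is a lookup endpoint that trusts the id parameter and serialises the whole record. The following Python example is added here to show the defensive side; it is not the affected program's code, and the in-memory user table, the role names and the function names are assumptions for illustration. The insecure handler keeps the shape the post describes (any caller, any id, full record including hash and verification key); the hardened one checks that the requester may see the target record and, independently of that check, never includes secret fields in the response.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    password_hash: str      # secret: must never leave the server
    verification_key: str   # secret: must never leave the server
    user_agent: str
    role: str               # assumed values: "staff" or "admin"


# Constructed in-memory "database" standing in for the real user store.
USERS = {
    1: User(1, "alice@example.test", "$argon2id$...alice", "vk-alice", "Mozilla/5.0", "staff"),
    2: User(2, "bob@example.test",   "$argon2id$...bob",   "vk-bob",   "curl/8.0",    "staff"),
    3: User(3, "root@example.test",  "$argon2id$...root",  "vk-root",  "Mozilla/5.0", "admin"),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def original_owner_insecure(requester_id: int, target_id: int) -> dict:
    """IDOR pattern: the caller is authenticated, but the id is never checked
    against the caller, and the full record is returned as JSON."""
    USERS[requester_id]  # authenticated, but that is all that is verified
    target = USERS.get(target_id)
    if target is None:
        raise NotFound
    return vars(target)


PUBLIC_FIELDS = ("id", "email")


def original_owner_secure(requester_id: int, target_id: int) -> dict:
    """Hardened version: object-level authorization plus an explicit allow-list
    of fields, so even an authorized response cannot leak secrets."""
    requester = USERS.get(requester_id)
    if requester is None:
        raise Forbidden
    target = USERS.get(target_id)
    if target is None:
        # Same error for "missing" and "not yours" would also be acceptable;
        # here NotFound is only raised after the caller passed authorization.
        raise NotFound if requester.role == "admin" else Forbidden
    if requester.role != "admin" and requester.id != target.id:
        raise Forbidden
    return {field: getattr(target, field) for field in PUBLIC_FIELDS}


if __name__ == "__main__":
    print("insecure:", original_owner_insecure(2, 1))   # leaks alice's hash and key
    print("secure  :", original_owner_secure(1, 1))     # own record, public fields only
```

The allow-list is the part most often skipped: an authorization check alone still returns the password hash to an admin or to the owner, and a serialization change elsewhere can silently widen what the endpoint exposes.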

This example also points out that while LinkFinder automates a big part of the process, it is still up to the user to go through the results and inspect them carefully. A lot of the time parameters are not on the same line as the endpoint and should be looked for in the original file. Finally, I hope the tool will be a nice addition to your arsenal and will help you in discovering a larger part of an application. Good luck!

Further reading

SSRF using hidden endpoints in JS files & IDOR leaking Airbnb messages in JS files, by NahamSec & Ziot

*Endpoints have been modified to keep the company private, while keeping the data as close to the original as possible.