=========================================================================================
Webpack Source Code Retrieval
//# sourceMappingURL=client.bundle.js.map in JS file
- Send GET request to that location + .map to retrieve Webpack URLs
- https://medium.com/@rarecoil/spa-source-code-recovery-by-un-webpacking-source-maps-ef830fc2351d
- https://github.com/denandz/sourcemapper
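Added example (not from these notes or from sourcemapper): an offline audit of a bundle you are about to deploy, checking whether it references a source map and, if that map is available, whether it would hand out the original files via sourcesContent. It assumes a caller-supplied fetch_map(url) that returns the map text or None, and also handles inline data: maps, which the notes do not mention.

```python
import base64
import json
import re

# The trailing comment webpack (and other bundlers) append to a bundle.
SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)")

def find_sourcemap_url(bundle_text):
    """Return the last sourceMappingURL value in the bundle, or None."""
    found = SOURCEMAP_RE.findall(bundle_text)
    return found[-1] if found else None

def audit_map(map_text):
    """Summarise what a source map reveals if it is publicly served."""
    sm = json.loads(map_text)
    sources = sm.get("sources", [])
    contents = sm.get("sourcesContent") or []
    # sourcesContent embeds the original files; 'sources' alone still leaks paths.
    with_content = [s for s, c in zip(sources, contents) if c]
    return {
        "source_paths": sources,
        "files_with_original_code": with_content,
        "exposes_original_code": bool(with_content),
    }

def audit_bundle(bundle_text, fetch_map):
    """fetch_map(url) returns the map text for a referenced URL, or None
    when it is not retrievable (e.g. the .map was never published)."""
    url = find_sourcemap_url(bundle_text)
    if url is None:
        return {"map_referenced": False, "map_published": False}
    if url.startswith("data:"):
        # Inline map (webpack devtool 'inline-source-map'): lives in the bundle itself.
        map_text = base64.b64decode(url.split(",", 1)[1]).decode("utf-8")
    else:
        map_text = fetch_map(url)
    result = {"map_referenced": True, "map_url": url, "map_published": map_text is not None}
    if map_text is not None:
        result.update(audit_map(map_text))
    return result

# Constructed sample: a minified bundle plus the map webpack emits with devtool 'source-map'.
SAMPLE_BUNDLE = '!function(){console.log("hi")}();\n//# sourceMappingURL=client.bundle.js.map\n'
SAMPLE_MAP = json.dumps({
    "version": 3,
    "sources": ["webpack:///src/api/client.js"],
    "sourcesContent": ["export function buildPath(p) { return '/api/' + p; }\n"],
    "mappings": "AAAA",
})

if __name__ == "__main__":
    print(json.dumps(audit_bundle(SAMPLE_BUNDLE, {"client.bundle.js.map": SAMPLE_MAP}.get), indent=2))
```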
=========================================================================================
Hidden files in client-side JavaScript folders
- Navigate to pages that do not exist to potentially create a more holistic sitemap.
https://stackoverflow.com/questions/23730882/what-is-the-role-of-src-and-dist-folders
- src/ stands for source, and is the raw code before minification or concatenation or some other compilation - used to read/edit the code.
- dist/ stands for distribution, and is the minified/concatenated version - actually used on production sites.
- The existence of a dist directory suggests that the application developer included the entire directory instead of just the .js library file.
- Any unnecessary files in this directory could expand our attack surface.
- This technique should generally be tried after all other options are exhausted.
Could other directories be present on the server as well?
- Investigate each npm package (inc. GitHub) to determine files that may be on the application.
NPM Package Wordlists
- Enumerate packages: https://github.com/nice-registry/all-the-package-names/
wget https://github.com/nice-registry/all-the-package-names/raw/master/names.json
jq '.[0:10000]' names.json | grep "," | cut -d '"' -f 2 > npm-10000.txt
- Use Gobuster to enumerate directories
gobuster dir -w ./npm-10000.txt -u https://openitcockpit/js/vendor/ -k
- Run Gobuster against multiple targets listed in package.txt
while read l; do echo "===$l==="; gobuster dir -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -k -q -u "$l"; done < package.txt
Note that JavaScript-heavy applications are trending towards using a bundler like webpack and a package manager like Node Package Manager (npm) instead of manual distribution methods. This type of workflow streamlines development and may ensure that only the proper files are distributed.
=========================================================================================
DOM-based Cross-site Scripting (XSS) in Client-side JavaScript files
*Continuation from above*
- Any HTML files discovered in client-side JavaScript libraries are not dynamically generated by a server, therefore traditional reflected XSS and stored XSS won’t work since user-supplied data cannot be appended to the HTML files.
- However, these files might contain additional JavaScript that allows user input to manipulate the DOM, which could lead to DOM-based XSS.
- Example HTML snippet (note that only DOM-based XSS would be applicable, as no server-side rendering will take place as in the case of traditional XSS):
```html
<!DOCTYPE html>
```
- Download libraries and grep for 'document.write' in HTML files only (quote the glob so the shell does not expand it before grep sees it)
grep -r "document.write" --include="*.html" ./
- Searching functions
grep -r "buildPath[[:space:]]*=" ./
