Hello Everyone (Ram Ram Ji),

In this article, I will share one of my recent finding which is basically related to JS files. In which, i will tell you that how these JS files will help you to find a High Severity bugs.

If you are too lazy then I suggest you please use this tool i.e LinkFinder. It’s a tool to discover JS endpoints which is written by GerbenJavado. You can find it here, LinkFinder.

But, I personally prefer doing this stuff as manually. Because sometimes Automated tools don’t come out useful & they skipped out some important things. So, Let’s get Started.

Phase 1: Extracting JS Files & Beautify them :

Extraction(){

waybackurl $1| grep -iE “\.js$” | uniq | sort

}

3. For Beautifying the JS Code I used js-beautify for pretty print js code (Quite Easy).

js-beautify <file.js> | tee -a <beautify.js>

You can install it from the given link below:

Phase 2: Searching for Patterns & Endpoints in JS files:

{api_key, api-key, apikey , api , access , AccessToken , gmap , gmaps , algolia_api_key , credentials, etc..}

2. Mapping of Endpoints that you found while reading the JS file. (Important one)

3. Most of the bug hunter’s skip the second point just because they can’t map out the correct endpoints which leads to high severity security bugs & loses their chances to getting High severity bugs.

NOTE: Read every path and try to mapping that endpoints until you succeed. Because JS file contains all the solutions related to mapping of endpoints.

Phase 3. Searching for Respective Documentation:

Now, lets take a look at my disclosed report where i found a HelpShift-Rest-Api-Key using that i can modified the content of accounts & also i can delete the accounts of redacted.com

Steps to Reproduce (Acc. to Report):

Finding API Key:

HelpShift Rest API Key

Full Exploitation:

Note: You can also use curl command :

curl -X PUT — header ‘Content-Type: application/x-www-form-urlencoded’ — header ‘Accept: application/json’ — header ‘Authorization: Basic <base64_API_Key>’ -d ‘username=<username>’ ‘https://api-a.helpshift.com/v1/<domain_name>/users/<profile_id>'

you can get all profile id’s from getUser query.

Timeline:

Bounty Rewarded

Sept 26, 2020 — Reported to private program
Sept 26, 2020 — Report Triaged
Sept 29, 2020 — Vulnerability Fixed
Oct 08, 2020 — Bounty of $5000 USD awarded

Special thanks to nullr3x for this (Big Bad Brother 🤑)

"CS-Engineer" | "Bughunter • Hackerone • Bugcrowd (Top 150)" | "Synack Red Teamer" • @sechunt3r