Information Gathering - JS Architecture, Framework Identification, Leakage Extraction, API Interface Enumeration, FUZZ Crawlers & Plugin Projects

Overview

What is JS penetration testing?

JavaScript also has variables and functions. When a variable or a function call can be controlled by the user, parameter vulnerabilities arise.

The difference between web applications written in JS and those written in PHP, Java, .NET, etc. is that for the latter there is no source code to read, whereas for a JS application the real code can be read by viewing the page source in the browser. From it you can obtain URLs, sensitive information in JS, code parameters and so on, so testing a JS-developed web application is effectively white-box testing (the source is available by default). Typically you look in the JS for additional URL addresses and for code logic (encryption algorithms, API key configuration, verification logic, etc.) to use in later security testing.

Premise: web applications can be developed with back-end or front-end languages.
- Back-end languages: PHP, Java, Python, .NET. The browser side cannot see the real source code.
- Front-end languages: JavaScript (JS) and JS frameworks. The browser side can see the real source code.

Example

zblog: the core functionality uses PHP to send and receive data
vue.js: the core functionality uses framework syntax (JS) to send and receive data

JS security issues

Source code leakage
Unauthorized access = analyze the additional URLs found in JS to determine interface paths
Sensitive key leakage = interface credentials (cloud services, SMS, email, database, etc.) may be configured in JS files
API interface security = encrypted submission parameters are passed in the code, plus additional URL paths

What are the popular Js frameworks?

Vue, NodeJS, jQuery, Angular, etc.

How to determine whether an application is developed in JS?

- Wappalyzer plugin (installed from the Chrome web store)
- The page source is short.
- The business logic is handled in JS: on the front end you can directly see multiple JS files being included.
- There are usually JS files at paths like /static/js/app.js.
- There is usually a connect.sid cookie.

How to get more JS files?

Manual - browser search
Semi-automatic - Burp Suite plugins
Tooling - various extraction & FUZZ projects

Front-End Architecture - Manual Search Analysis

Browser global search analysis
Keywords to search for in front-end JS code:

src=
path=
method:"get"
http.get("
method:"post"
http.post("
$.ajax
http://service.httppost
http://service.httpget
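As an added example (not code from the original post or from any of the tools listed), a small Python script that turns the keyword list above into regular expressions, in the same spirit as the regex extraction that JSFinder and HaE perform, and runs them over a constructed JS bundle: it pulls out absolute URLs, relative paths, HTTP methods and calls, and hard-coded keys, then separates API-looking paths from static assets so a defender can review what a bundle exposes. The sample bundle, the category names and the key value are all constructed.

```python
import re

# Constructed sample of a front-end bundle (not from any real site); it mixes an
# absolute API base, relative paths, jQuery/http calls and a hard-coded key.
SAMPLE_JS = r'''
import axios from "axios";
const API_BASE = "https://api.example.test/v1";
export function loadUser(id) { return $.ajax({url: API_BASE + "/users/" + id, method:"get"}); }
export function saveUser(u) { return http.post("/api/users/save", u); }
const SMS_KEY = "AKIAEXAMPLEKEY0000000000";  // hard-coded credential (constructed value)
const logo = "/static/img/logo.png";
'''

# Regexes modelled on the page's manual search keywords (src=, path=, method:"get",
# http.get(", $.ajax, ...) plus a credential pattern; group(1) is the value kept.
PATTERNS = {
    "absolute_url":  re.compile(r'''["'](https?://[^"'\s]+)["']'''),
    "relative_path": re.compile(r'''["'](/[A-Za-z0-9_./-]+)["']'''),
    "http_method":   re.compile(r'''method\s*:\s*["'](get|post|put|delete)["']''', re.I),
    "http_call":     re.compile(r'''(?:http|axios|\$)\.(get|post|ajax)\s*\('''),
    "credential":    re.compile(
        r'''(?:api[_-]?key|secret|token|sms[_-]?key)\s*[:=]\s*["']([A-Za-z0-9_-]{16,})["']''', re.I),
}

STATIC_EXT = (".png", ".jpg", ".gif", ".svg", ".ico", ".css", ".js", ".woff", ".woff2")

def extract_findings(js_source: str) -> dict:
    """Return {category: sorted unique matches} for every pattern."""
    return {name: sorted({m.group(1) for m in pat.finditer(js_source)})
            for name, pat in PATTERNS.items()}

def api_endpoints(findings: dict) -> list:
    """Relative paths worth an authorization review: drop obvious static assets."""
    return [p for p in findings["relative_path"] if not p.lower().endswith(STATIC_EXT)]

if __name__ == "__main__":
    found = extract_findings(SAMPLE_JS)
    for category, values in found.items():
        print(f"{category}: {values}")
    print("endpoints to review:", api_endpoints(found))
```

On a real bundle, feed the script the downloaded JS files (e.g. the /static/js/app.js mentioned above); a hit in the credential category is a leak to rotate, and every endpoint it lists should have its server-side authorization checked.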

Front-end architecture - semi-automatic Burp analysis

Built-in function

Target->sitemap->Engagement tools->Find scripts

Official plugins

JS Link Finder & JS Miner

Third-party plugins

HaE & Unexpected_information
Plugin loader (for Python-based plugins): jython-standalone-2.7.2

Unexpected_information: https://github.com/ScriptKid-Beta/Unexpected_information
Marks sensitive information, JS interfaces and some special fields in request packets, so that packets are not missed through negligence; using it may yield unexpected information.

HaE: https://github.com/gh0stkey/HaE

HaE is an auxiliary framework plugin for request highlighting and information extraction, built on the Burp Suite Java plugin API. It matches request or response packets against custom regular expressions and decides whether matching requests should be highlighted and have information extracted.
Modern web applications use a front-end/back-end separated architecture, which produces a large volume of traffic during day-to-day testing. Testing a web application as thoroughly as possible therefore wastes a lot of effort on uninteresting packets. HaE exists to address exactly this scenario: it reduces testing time, lets you focus on valuable packets, and improves the efficiency of vulnerability hunting.

HaE configuration: https://raw.githubusercontent.com/gh0stkey/HaE/gh-pages/Config.yml

Front-End Architecture - Automated Project Analysis

JSFinder - extract URLs or sensitive data from the JS in a page

https://github.com/Threezh1/JSFinder
A tool for quickly extracting URLs and subdomains from the JS files of a website.

URLFinder - extract URLs or sensitive data from the JS in a page (a plugin of the same name is also available in the Burp store)

https://github.com/pingc0y/URLFinder
A tool for quickly extracting and checking JS files and URLs in pages.
Its function is similar to JSFinder, but JSFinder has not been updated for a long time.

JSINFO-SCAN - extract URLs or sensitive data from the JS in a page

https://github.com/p1g3/JSINFO-SCAN
A tool that recursively crawls domain names (netloc/domain) and recursively extracts information from JS.

FindSomething - extract URLs or sensitive data from the JS in a page

https://github.com/momosecurity/FindSomething
A browser plugin for quickly extracting interesting information from the HTML source or JS code of a web page,
including requested resources, interface URLs, requested IPs and domain names, leaked ID numbers, mobile phone numbers, email addresses and other information.

ffuf - FUZZ brute-forcing to find more JS files and extract more information

https://github.com/ffuf/ffuf
https://wordlists.assetnote.io
A powerful fuzzing tool; use it with a wordlist to fuzz for JS file paths.

Packer-Fuzzer - detection for JS frameworks built with the Webpack packager

https://github.com/rtcatc/Packer-Fuzzer
A scanning tool for fast and efficient security checks of websites built with front-end packaging tools such as Webpack.


Origin blog.csdn.net/weixin_53009585/article/details/129804795