JavaScript and hacking
Muhammad Muhktar Musa
Posted on November 7, 2021
Introduction
JavaScript is best known as the scripting language for web pages. It lets developers talk to servers, make things dance around the page, and change elements when they are clicked. It is used for form validation and for handling all kinds of things, such as single-page applications.
Why we should look at JavaScript
We want to look at JavaScript so that we have an idea of how we can leverage it to find vulnerabilities: which tools we can use, how to find them, how to start them, how to understand what is going on, and how to exploit what is going on.
A place to start is to take a look at a website.
One of the most useful, and probably most underrated, hacker tools there is is the browser devtools. With a page open in your browser, use the following shortcuts to open devtools:
/*
Mac
Open whatever panel was used last: Command + Option + I
Open console panel: Command + Option + I
Open element panel: Command + Shift + C
Windows
Open whatever panel was used last: Control + Shift + I
Open console panel: Control + Shift + J
Open element panel: Control + Shift + C
*/
The browser devtools is not really meant for developers but it is super useful to hackers. For example, if we go to the network tab, click on it and reload the tab, we can see all the requests being loaded on the page, and they can be filtered to just the JavaScript files, all with one click.
We can right-click on any of these files and open it in the source folder.
We see a single long line of code that doesn't make a whole lot of sense, but we can prettify this code so that it makes sense to us by using the curly-braces button in the source folder.
Do that and you get a much nicer format of the JavaScript. There are a number of reasons why we want to read this script: we may want to know what is going on on the page, or search for information that may be hanging around, like API keys or keywords. Also in the network tab, and related to the JavaScript, is xhr. xhr is XML HTTP request, a name that came to be known as AJAX, or fetching remote files with JavaScript. These are requests that were made by JavaScript.
We can check the initiator of a request by using the initiator tab and prettifying the code.
The highlighted line of code is the one that initiated the call. When this is done you can see that there are API calls being made. You can use this knowledge to check for more API calls.
Headers can also be checked. From the headers tab we can see that an API call is being made to a URL.
The devtools also provide search functionality. We can search for the API calls there and we get a pretty quick response.
Click on a result and it takes you to the source folder. Prettify the code and you can read around the JavaScript and work out what is being done where. One way the devtools can be really useful is for performing static analysis and checking for vulnerabilities in the JavaScript itself.
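The manual search described above (API keys left hanging around, and the URLs behind fetch and xhr calls) can be scripted to review what your own bundle exposes before it ships. The following is an added example, not code from the original post; the function names, the patterns and the sample bundle are constructed for illustration.

```javascript
// Added example, not from the original post. Sample bundle, names and patterns are constructed.
const SAMPLE_BUNDLE = [
  'const apiKey = "EXAMPLE-KEY-0000-not-a-real-key";',
  "function load(id) {",
  '  return fetch("/api/v1/users/" + id).then((r) => r.json());',
  "}",
  "var xhr = new XMLHttpRequest();",
  'xhr.open("POST", "https://api.example.test/v2/orders");',
  'const title = "Welcome back";',
].join("\n");

// String literals (8+ chars) assigned to names that usually hold credentials.
const SECRET_NAME =
  /\b([\w$]*(?:api[_-]?key|secret|token|passw(?:or)?d)[\w$]*)["']?\s*[:=]\s*(["'`])([^"'`\n]{8,})\2/gi;
// First string argument of fetch(...).
const FETCH_CALL = /\bfetch\(\s*(["'`])([^"'`\n]+)\1/g;
// Method and URL arguments of someXhr.open("METHOD", "url").
const XHR_OPEN = /\.open\(\s*["'`](\w+)["'`]\s*,\s*(["'`])([^"'`\n]+)\2/g;

// 1-based line number of a match offset, so findings map back to the prettified source.
function lineOf(source, index) {
  return source.slice(0, index).split("\n").length;
}

function auditBundle(source) {
  const secrets = [];
  const endpoints = [];
  for (const m of source.matchAll(SECRET_NAME)) {
    // Record name and length only, so the report does not repeat the value.
    secrets.push({ line: lineOf(source, m.index), name: m[1], length: m[3].length });
  }
  for (const m of source.matchAll(FETCH_CALL)) {
    endpoints.push({ line: lineOf(source, m.index), via: "fetch", url: m[2] });
  }
  for (const m of source.matchAll(XHR_OPEN)) {
    endpoints.push({ line: lineOf(source, m.index), via: "xhr " + m[1].toUpperCase(), url: m[3] });
  }
  endpoints.sort((a, b) => a.line - b.line);
  return { secrets, endpoints };
}

console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE), null, 2));
```

The patterns are simple text matches, so they miss URLs and keys that are built up at runtime; treat an empty report as a starting point, not a clean bill of health.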