javaScript and hacking

mcube25

Muhammad Muhktar Musa

Posted on November 7, 2021

javaScript and hacking

introduction

javaScript is most well-known as the scripting language for Web pages, and it allows developers do things. It allows the developer to talk to servers, make things dance arround the page, change when clicked on. It is used for form validation and handling of all kinds of things like single page applications.

why we should look at javascript.

We want to look at javascript so that we can have an idea of what can we do to leverage javascript to find vulnerabilities, tools we can use, how to find the tools, how do we start these tools, how to understand what's going on and how to expliot what's going on.
A place to start is to take a look at a website.

Image description

One of the most useful and probably most underrated hacker tools that there is at all is the browser devtools. To open devtools while your browser is on the viewport use the following command

/*
Mac
open whatever panel used last:  Command + Option + I
open console panel: Comand + Option + I
Open element panel: Command + Shift + C

Windows
open whatever panel used last:  Control + Shift + I
open console panel: Control + Shift + j
Open element panel: Control + Shift + C
*/
Enter fullscreen mode Exit fullscreen mode

The browser devtools is not really meant for developers but it is super useful to hackers. For example if we go to the network tab, click on it and reload the tab. We can see all the request that is being loaded on the page and they can be filtered to just the javascript files. All by just one click.

Image description

We can right click on any of these files and open it up in a source folder

Image description

we can see a single long line of code that doesn't make a whole lot of sense. But we can prettify this code to make sense to us by using the curly buttons in the source folder

Image description

Do that and you get a much nicer format of the javascript. There is a of reasons why we want to read this script. Some of the reasons are like we want to know what is going on on the page or search for some information that may be hanging around like API keys or keywords. On the network files, also related to the javascript is the xhr . xhr is xml http request. It a name that came to be known as AJAX or fetching remote files with javascript. These request are request that where made by javascript.
we can check the initiator of the request by using the initiator tab and pretifying the code

Image description

The line of code is the one that initiated this call. When this is done you can see that there are API calls being made. You can use this knowledge to check for more API calls.

Image description

Headers can also be checked for. From the header tap we see there is a API call being made to a URL.

Image description

The dev tools also give a search functionality. We can search for the API calls there and we get a pretty quick response.

Image description

click on the result and it is going to take you to the source folder. prettify your code and you can read around the javascript and say ok well we are doing this or that here. One way the devtools can be really useful is performing static analysis and checking for vulnerabilities with the javascript itself.

💖 💪 🙅 🚩
mcube25
Muhammad Muhktar Musa

Posted on November 7, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

What was your win this week?
weeklyretro What was your win this week?

November 29, 2024

Where GitOps Meets ClickOps
devops Where GitOps Meets ClickOps

November 29, 2024

How to Use KitOps with MLflow
beginners How to Use KitOps with MLflow

November 29, 2024

Modern C++ for LeetCode 🧑‍💻🚀
leetcode Modern C++ for LeetCode 🧑‍💻🚀

November 29, 2024