Exposed API Keys & Config Files in js file! || Bug Bounty
While hunting on a target, I found sensitive API keys and system configuration exposed in JavaScript files. How did I find them?
Let's call the target target.com.
First I collected all subdomains using sublist3r, subfinder, assetfinder and amass, then used httpx to keep only the live ones and put them in a file called alive.txt (Note: the scope might be a single domain, which is no problem).
Then I used the waybackurls tool to fetch all the URLs the Wayback Machine knows about for each domain, and the gau tool to fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine and Common Crawl.
cat alive.txt | waybackurls > waybackurls.txt
cat alive.txt | gau > gau.txt
After collecting URLs, I used this command to collect all js files (the dot must be escaped, otherwise `.js$` also matches names such as `data.ajs` or `vendors-js`):
cat * | grep '\.js$' | sort -u | tee js.txt
or
cat waybackurls.txt | grep '\.js$' | sort -u | tee js.txt
or
cat gau.txt | grep '\.js$' | sort -u | tee js.txt
After collecting the js files, I used two tools to retrieve sensitive information such as API keys, tokens, etc., which are:
1. Mantra (https://github.com/brosck/mantra)
2. Jsecret (https://github.com/raoufmaklouf/jsecret)
After that, check the outputs carefully, as they sometimes contain false positives.
If you reached this point, thanks so much for reading.
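The procedure above boils down to three steps: pick the .js URLs out of the collected lists, pattern-match their contents for key formats, and then separate real findings from placeholders. The script below is an added example written for this post; it is not code from the author or from the Mantra or Jsecret projects. It is the same check a security team would run over its own build output before deploying a bundle: the URL list and the JavaScript sample are constructed (the AWS key is the publicly documented `AKIAIOSFODNN7EXAMPLE` placeholder, the other values are made up), the regexes cover only two well-known key formats plus a generic `key = "..."` assignment, and the 3.0-bit entropy cut-off is an assumed threshold rather than anything the post states.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of URL lists in the form waybackurls/gau emit them (not a real target).
SAMPLE_URLS = """\
https://app.example.com/static/main.js
https://app.example.com/static/main.js?v=20240101
https://app.example.com/static/main.js
https://app.example.com/api/users.json
https://cdn.example.com/vendor/react.min.js
https://app.example.com/index.html
https://app.example.com/assets/js
"""

# Constructed JavaScript bundle; every value below is made up or a documented placeholder.
SAMPLE_JS = r'''
var config = {
  apiKey: "YOUR_API_KEY_HERE",
  token: "aaaaaaaaaaaaaaaaaaaa",
  secret: "q7Fz9kLm2Xp4Rt8vW1nB6sY3",
};
var awsId = "AKIAIOSFODNN7EXAMPLE";  // AWS's documented example access key id
'''

# Two well-known key formats plus a generic "keyword = 'value'" assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{8,})["']"""
    ),
}

# Substrings that mark a value as a placeholder rather than a live credential (assumed list).
PLACEHOLDER_WORDS = ("example", "placeholder", "changeme", "your_", "xxxx", "dummy")
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off, tune to your code base


def js_urls(url_text):
    """Return sorted, de-duplicated URLs whose path ends in .js.

    Unlike `grep .js$` this escapes the dot, ignores query strings and fragments,
    and keeps one URL per scheme://host/path so the same bundle is fetched once.
    """
    seen = {}
    for line in url_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if parts.path.lower().endswith(".js"):
            key = f"{parts.scheme}://{parts.netloc}{parts.path}"
            seen.setdefault(key, line)  # keep the first URL seen for this path
    return sorted(seen.values())


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score high, 'aaaa...' scores 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def triage(value):
    """Label a matched value so reviewers can skip obvious placeholders first."""
    low = value.lower()
    if any(word in low for word in PLACEHOLDER_WORDS):
        return "likely-false-positive"
    if shannon_entropy(value) < ENTROPY_THRESHOLD:
        return "likely-false-positive"
    return "needs-review"


def scan_js(source):
    """Return (pattern_name, matched_value, verdict) for every hit in a JS source string."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(source):
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            findings.append((name, value, triage(value)))
    return findings


if __name__ == "__main__":
    for url in js_urls(SAMPLE_URLS):
        print("js:", url)
    for name, value, verdict in scan_js(SAMPLE_JS):
        print(f"{verdict:22} {name:20} {value}")
```

In practice the URL list comes from js.txt and the source from fetching each URL; the verdicts only order the manual review that the post calls for, they do not replace it, since a genuine key with low entropy or a placeholder with high entropy will be misjudged.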
My Linkedin account: https://www.linkedin.com/in/kerolos-ayman-19a569255
My channels on Telegram:
https://t.me/CyberSecurityforall24