Exposed API Keys & Config Files in js file! || Bug Bounty

Kerolos Ayman
2 min read · Feb 10, 2025


While hunting on a target, I found sensitive API keys and system configuration exposed in its JavaScript files.
How did I find them?

Let's call it target.com.

After collecting all subdomains with sublist3r, subfinder, assetfinder and amass, I ran them through httpx to find the live ones and saved those in a file called alive.txt. (Note: the scope might be a single domain; that is no problem, the same steps apply.)

Then I used the waybackurls tool to fetch every URL the Wayback Machine knows about for each domain, and the gau tool to fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine and Common Crawl.

cat alive.txt | waybackurls > waybackurls.txt
cat alive.txt | gau > gau.txt

After collecting the URLs, I used this command to pull out all the JavaScript files (note that anchoring on .js$ skips URLs that carry a query string, such as app.js?v=3; widen the pattern if you want those too):

cat waybackurls.txt gau.txt | grep '\.js$' | sort -u | tee js.txt

or

cat waybackurls.txt | grep '\.js$' | sort -u | tee js.txt

or

cat gau.txt | grep '\.js$' | sort -u | tee js.txt

After collecting the JavaScript files, I used two tools to pull out sensitive information such as API keys, tokens and similar secrets:
1. Mantra (https://github.com/brosck/mantra)
2. Jsecret (https://github.com/raoufmaklouf/jsecret)

After that, check the outputs by hand, as they sometimes contain false positives.
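Added example, not part of the original post and not the code of Mantra or Jsecret: a small Python scanner that applies the same idea to a JavaScript file and triages each hit, so the manual false-positive check recommended above has less to wade through. The regexes, the placeholder word list and the 3 bits/char entropy threshold are my own assumptions, and the sample bundle is constructed.

```python
import math
import re

# (rule name, regex, capture group with the candidate); format-specific rules
# come first so the loose generic rule does not report the same value twice.
RULES = [
    ("google_api_key", re.compile(r"AIza[0-9A-Za-z_-]{35}"), 0),
    ("aws_access_key_id", re.compile(r"AKIA[0-9A-Z]{16}"), 0),
    ("generic_assignment", re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*["']([^"']{8,})["']"""), 2),
]
# Strings scanners often report that are demonstrably not live credentials.
PLACEHOLDER = re.compile(r"(?i)(your_|example|changeme|placeholder|dummy|xxxx)")

def shannon_entropy(s: str) -> float:
    """Bits per character: random secrets score high, repeated text scores low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def triage(value: str, rule: str) -> tuple:
    """Classify one candidate so a hunter only spends time on plausible hits."""
    if PLACEHOLDER.search(value):
        return "false_positive", "placeholder text"
    # Only the loose generic rule needs the entropy gate; a real 32-char token
    # scores well above 3 bits/char, 'abcdefabcdef...' does not.
    if rule == "generic_assignment" and shannon_entropy(value) < 3.0:
        return "false_positive", "low entropy"
    return "review", "plausible credential, verify manually"

def scan_js(text: str) -> list:
    """Return de-duplicated findings, each with a triage verdict and reason."""
    findings, seen = [], set()
    for name, pattern, group in RULES:
        for m in pattern.finditer(text):
            value = m.group(group)
            if value not in seen:
                seen.add(value)
                verdict, reason = triage(value, name)
                findings.append({"rule": name, "value": value, "verdict": verdict, "reason": reason})
    return findings

# Constructed sample bundle, not from any real site. AKIAIOSFODNN7EXAMPLE is the
# example key from AWS documentation; the other values are made up.
SAMPLE_JS = """const cfg = {
  apiKey: "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q",
  awsKey: "AKIAIOSFODNN7EXAMPLE",
  token: "abcdefabcdefabcdefabcdefabcdef12",
  secret: "YOUR_SECRET_HERE",
};"""
```

Run `scan_js(open("bundle.js").read())` on a file from js.txt; only hits with verdict "review" need a manual look, and the generic rule is deliberately loose, so expect to tune the threshold and word list per target.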

If you made it this far, thanks so much for reading.

My LinkedIn account: https://www.linkedin.com/in/kerolos-ayman-19a569255

My channels on Telegram:
https://t.me/CyberSecurityforall24

https://t.me/cybersecurityforall77


Written by Kerolos Ayman

Bug Hunter || Junior Penetration Tester || CTF Player
