JS File Analysis for Bug Bounty: Endpoints, Secrets, DOM Sinks
Cybersecurity
Modern apps leak their API surface in JavaScript. Here is how to mine bundles for endpoints, secrets, and DOM sinks that turn into real bug reports.
By Arjun Raghavan, Security & Systems Lead, BIPI · January 15, 2023 · 10 min read
The frontend tells you everything
Every SPA ships its API surface to the browser. Endpoints, parameter names, role flags, sometimes even keys. Reading the JS bundle is the cheapest reconnaissance you can do, and most hunters still skip it.
Collect every JS file
- katana -d 2 -jc to crawl and pull JS references
- gospider for a second pass with different defaults
- subjs and getJS to extract script src URLs from a host list
- Mirror to disk so you can grep across the whole bundle
Pull every chunk, including the lazy-loaded ones. Sourcemaps, if they exist, are pure gold: a .map file gives you the original source, variable names, and routes the bundler tried to hide.
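A small inventory step for the collection phase, added here as an example (it is not code from the original post or from katana, gospider, subjs or getJS): it parses a constructed HTML page with the standard library, resolves every script reference against the page URL, and reads sourceMappingURL comments and lazy import() chunk references out of a constructed bundle fragment, so the lazy chunks and the .map file end up on the mirror list too. All hostnames, paths and hashes below are made up.

```python
"""Inventory the script files a page references before mirroring them to disk.

Added example, not code from the original post. Parses constructed HTML with the
standard library, resolves script references against the page URL, and pulls
sourceMappingURL comments and lazy import() chunk references out of a constructed
bundle fragment. Hostnames, paths and hashes are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin
import re

# Constructed sample page (placeholder host and file names).
SAMPLE_HTML = """
<html><head>
<script src="/static/js/main.3f2a.js"></script>
<script src="https://cdn.example.test/vendor.js" defer></script>
<link rel="modulepreload" href="/static/js/chunk-settings.9b1c.js">
</head><body>
<script type="module" src="./app.mjs"></script>
<script>window.__CONFIG__ = {api: "/api/v1"};</script>
</body></html>
"""

# Constructed bundle fragment with a sourcemap pointer and one lazy chunk import.
SAMPLE_BUNDLE = """
e.exports=function(){return import("./chunk-admin.77aa.js")};
//# sourceMappingURL=main.3f2a.js.map
"""


class ScriptCollector(HTMLParser):
    """Collects <script src> and <link rel=modulepreload href>; inline scripts are skipped."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(a["src"])
        elif tag == "link" and a.get("rel") == "modulepreload" and a.get("href"):
            self.refs.append(a["href"])


def script_urls(html, page_url):
    """Absolute script URLs referenced by html, in document order, deduplicated."""
    p = ScriptCollector()
    p.feed(html)
    seen, out = set(), []
    for ref in p.refs:
        url = urljoin(page_url, ref)   # relative and root-relative refs resolve against the page
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)")
# Lazy chunks show up as string literals inside import(...) calls.
LAZY_CHUNK_RE = re.compile(r"""import\(\s*["']([^"']+\.m?js)["']\s*\)""")


def bundle_references(js_text, bundle_url):
    """(sourcemap_urls, lazy_chunk_urls) found in one bundle, resolved against the bundle's URL."""
    maps = [urljoin(bundle_url, m) for m in SOURCEMAP_RE.findall(js_text)]
    chunks = [urljoin(bundle_url, c) for c in LAZY_CHUNK_RE.findall(js_text)]
    return maps, chunks


if __name__ == "__main__":
    for u in script_urls(SAMPLE_HTML, "https://app.example.test/login"):
        print("script", u)
    maps, chunks = bundle_references(SAMPLE_BUNDLE, "https://app.example.test/static/js/main.3f2a.js")
    print("maps  ", maps)
    print("chunks", chunks)
```

Feed each discovered bundle back through bundle_references until no new chunk URLs appear; that is the loop the crawlers above run for you, and it is the part most hand-rolled collectors forget.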
Hunt endpoints
- Grep for fetch, axios, XMLHttpRequest, and api strings
- Run linkfinder or jsluice across each file
- Extract routes from React Router and Vue Router blocks
- Look for hardcoded /api/v1, /internal, /admin patterns
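The four checks above as one extractor, added here as an example and not code from the original post or from linkfinder or jsluice: it runs over a constructed bundle fragment, picks up fetch/axios calls, XMLHttpRequest open() calls, router path entries and bare /api, /internal, /admin literals, resolves simple path constants used inside template literals, marks concatenated variables as {param}, and turns the result into wordlist terms. Every path and identifier in the sample is made up; the GET default for fetch() without a parsed options object is a heuristic.

```python
"""Endpoint extraction from a JS bundle. Added example, not code from the original post
or from linkfinder/jsluice. The sample bundle and every path in it are constructed."""
import re

SAMPLE_BUNDLE = r'''
const BASE = "/api/v1";
const HELP_DOC = "/api/v1/docs/openapi.json";
export async function loadUser(id) {
  return fetch(`${BASE}/users/${id}`, { method: "GET", credentials: "include" });
}
axios.post("/api/v1/orders", body);
axios.get('/internal/feature-flags');
const xhr = new XMLHttpRequest();
xhr.open("DELETE", "/admin/users/" + uid);
const routes = [
  { path: "/settings", component: Settings },
  { path: "/admin/audit", component: Audit, meta: { role: "admin" } },
];
fetch("https://cdn.example.test/logo.png");
'''

# One quoted or template string; named groups so the backreference survives concatenation.
STR = r'''(?P<q>["'`])(?P<path>[^"'`]*)(?P=q)'''
CALL_RE = re.compile(r'''\b(?:fetch|axios(?:\.(?P<method>get|post|put|patch|delete))?)\s*\(\s*''' + STR)
XHR_RE = re.compile(r'''\.open\s*\(\s*["'](?P<method>[A-Z]+)["']\s*,\s*''' + STR)
ROUTE_RE = re.compile(r'''\bpath\s*:\s*''' + STR)
BARE_RE = re.compile(r'''["'`](/(?:api|internal|admin|v\d+)/[^"'`\s]*)["'`]''')
CONST_RE = re.compile(r'''\b(?:const|let|var)\s+(?P<name>\w+)\s*=\s*["'](?P<val>/[^"']*)["']''')


def normalize(raw, consts):
    """Turn ${name} placeholders into {name}, substituting simple path constants when known."""
    return re.sub(r"\$\{\s*(\w+)\s*\}",
                  lambda m: consts.get(m.group(1), "{" + m.group(1) + "}"), raw)


def extract_endpoints(js):
    """Sorted (method, path, how_found) tuples for same-origin paths in one bundle."""
    consts = {m.group("name"): m.group("val") for m in CONST_RE.finditer(js)}
    found = {}  # (method, path) -> how it was found

    def add(method, path, how):
        if path.startswith("/"):          # keep same-origin paths, drop third-party absolute URLs
            found.setdefault((method, path), how)

    def with_concat(m, path):
        # A string literal followed by "+" is being joined with a variable: mark it as a parameter.
        return path + "{param}" if re.match(r"\s*\+", js[m.end():]) else path

    for m in CALL_RE.finditer(js):
        method = (m.group("method") or "GET").upper()   # heuristic: options objects are not parsed
        add(method, with_concat(m, normalize(m.group("path"), consts)), "call")
    for m in XHR_RE.finditer(js):
        add(m.group("method"), with_concat(m, normalize(m.group("path"), consts)), "xhr")
    for m in ROUTE_RE.finditer(js):
        add("ROUTE", normalize(m.group("path"), consts), "router")
    for m in BARE_RE.finditer(js):
        lit = m.group(1)
        if not any(p.startswith(lit) for _, p in found):   # skip prefixes of paths already known
            add("?", lit, "literal")
    return sorted((meth, path, how) for (meth, path), how in found.items())


def wordlist_terms(endpoints):
    """Path segments worth merging into the per-host fuzzing wordlist (placeholders dropped)."""
    terms = set()
    for _, path, _ in endpoints:
        terms.update(seg for seg in path.split("/") if seg and not seg.startswith("{"))
    return sorted(terms)


if __name__ == "__main__":
    eps = extract_endpoints(SAMPLE_BUNDLE)
    for method, path, how in eps:
        print(f"{method:7} {path:32} ({how})")
    print("wordlist:", " ".join(wordlist_terms(eps)))
```

The method column is the useful part for triage: a DELETE against /admin/users/{param} sitting in a bundle served to every visitor is worth a closer look at the authorization check behind it before anything else on the list.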
Hunt secrets
trufflehog and gitleaks run on local copies of JS files find AWS keys, Stripe tokens, Algolia admin keys, Mapbox tokens, and Firebase configs. Many of those are intended to be public. Many are not. Test each one for scope and impact before reporting.
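The scope-and-impact triage the paragraph asks for, as an added example that is not code from the original post and not trufflehog or gitleaks: a small rule table whose entries carry the classification a reviewer needs (public-by-design, sensitive, or verify), run over a constructed bundle, with a generic keyword-plus-entropy rule for anything the named patterns miss. The key formats used are the documented prefixes (AKIA/ASIA for AWS access key IDs, sk_/pk_ for Stripe, sk./pk. for Mapbox, AIza for Google API keys); Algolia keys cannot be told apart by shape, so they land in "verify". Every value in the sample is constructed and matches no real account.

```python
"""Secret triage over a JS bundle. Added example, not code from the original post or from
trufflehog/gitleaks. Sample values are constructed and deliberately invalid."""
import math
import re
from collections import Counter

SAMPLE_JS = r'''
var firebaseConfig = { apiKey: "AIzaSyD-EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXA", authDomain: "demo.firebaseapp.com" };
const stripePublishable = "pk_test_EXAMPLEEXAMPLEEXAMPLEEXAM";
const stripeSecret = "sk_live_EXAMPLEEXAMPLEEXAMPLEEXAM";
window.MAPBOX_TOKEN = "pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJleGFtcGxlMTIzNDU2Nzg5MCJ9.EXAMPLESIGNATUREEXAMPLE";
const algoliaSearchKey = "0123456789abcdef0123456789abcdef";
const AWS_KEY = "AKIAEXAMPLEEXAMPLE12";
const sessionSecret = "hunter2";
'''

# (rule name, pattern, classification). The classification is what drives the report:
#   sensitive        -> should never be in a client bundle
#   public-by-design -> expected in the browser; impact depends on restrictions on the key
#   verify           -> shape alone does not tell you; check which permissions the key has
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "sensitive"),
    ("stripe-secret-key", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"), "sensitive"),
    ("stripe-publishable-key", re.compile(r"\bpk_(?:live|test)_[0-9A-Za-z]{24,}\b"), "public-by-design"),
    ("mapbox-secret-token", re.compile(r"\bsk\.[A-Za-z0-9._-]{40,}"), "sensitive"),
    ("mapbox-public-token", re.compile(r"\bpk\.[A-Za-z0-9._-]{40,}"), "public-by-design"),
    ("google-api-key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "public-by-design"),
    # Algolia search-only and admin keys look identical (32 hex chars); only a permission check decides.
    ("algolia-key", re.compile(r"algolia\w*\s*[:=]\s*[\"']([0-9a-f]{32})[\"']", re.I), "verify"),
]
# Catch-all: a credential-looking identifier assigned a string literal.
GENERIC_RE = re.compile(r"(?:secret|password|passwd|token|api_?key)\w*\s*[:=]\s*[\"']([^\"']{6,})[\"']", re.I)


def shannon_entropy(s):
    """Bits per character; random keys sit well above English words and placeholders."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan(js_text):
    """(line, rule, classification, value) for every candidate, specific rules before the generic one."""
    findings = []
    for lineno, line in enumerate(js_text.splitlines(), 1):
        seen = set()
        for name, rx, cls in RULES:
            for m in rx.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                seen.add(value)
                findings.append((lineno, name, cls, value))
        for m in GENERIC_RE.finditer(line):
            value = m.group(1)
            if value in seen:          # already reported by a specific rule
                continue
            # Low entropy usually means a placeholder or a weak literal; either way it needs a human look.
            cls = "sensitive" if shannon_entropy(value) >= 3.5 else "verify"
            findings.append((lineno, "generic-credential", cls, value))
    return findings


if __name__ == "__main__":
    for lineno, name, cls, value in scan(SAMPLE_JS):
        print(f"line {lineno:3} {cls:17} {name:24} {value[:12]}...")
```

The point of the third column is that "public-by-design" findings are not reportable on their own; what turns a Firebase or Mapbox key into a finding is a missing referrer or scope restriction, and that is checked against the provider's console, not the bundle.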
DOM sinks worth checking
- innerHTML and outerHTML assignments, plus legacy document.write calls
- eval, Function constructor, setTimeout with string args
- location.href and location.hash reads that flow into the DOM
- postMessage handlers that trust event.origin loosely
Trace from the source, usually a URL parameter or hash, to the sink. If user input reaches innerHTML without sanitization, you have a candidate DOM XSS. Confirm in a controlled browser tab, never on a shared session.
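The source-to-sink trace from the paragraph above, as a static pass over a constructed page script; this is an added example and not code from the original post. It marks variables assigned from location.search, location.hash, location.href, document.referrer, window.name or event.data as tainted, follows them through later assignments, and reports sink lines (innerHTML, outerHTML, insertAdjacentHTML, document.write, eval, Function, string-argument setTimeout) that mention a tainted name or a source directly. Lines that write the same data to textContent are deliberately not reported, which is the fix you expect to see in the patched build. A second pass finds "message" listeners and records whether the handler body ever reads .origin. Element ids, hostnames and function names in the sample are made up, and the analysis is line-based and regex-driven, so it is a review aid, not a proof.

```python
"""Line-based source-to-sink tracer for DOM XSS candidates. Added example, not code from the
original post. Heuristic: tracks identifiers, not data flow through calls or objects."""
import re

SAMPLE_JS = r'''
const params = new URLSearchParams(location.search);
const name = params.get("name");
const frag = decodeURIComponent(location.hash.slice(1));
document.getElementById("greeting").innerHTML = "Hi " + name;
document.getElementById("section").textContent = frag;
setTimeout("render('" + frag + "')", 10);
window.addEventListener("message", (event) => {
  document.getElementById("out").innerHTML = event.data.html;
});
window.addEventListener("message", (event) => {
  if (event.origin !== "https://trusted.example.test") return;
  document.getElementById("out2").textContent = event.data.text;
});
'''

SOURCE_RE = re.compile(
    r"\b(?:location\.(?:hash|search|href|pathname)|document\.(?:URL|referrer)|window\.name|event\.data)\b")
ASSIGN_RE = re.compile(r"\b(?:const|let|var)\s+(\w+)\s*=\s*(.+)$")
SINKS = [
    ("innerHTML", re.compile(r"\.innerHTML\s*=")),
    ("outerHTML", re.compile(r"\.outerHTML\s*=")),
    ("insertAdjacentHTML", re.compile(r"\.insertAdjacentHTML\s*\(")),
    ("document.write", re.compile(r"\bdocument\.write(?:ln)?\s*\(")),
    ("eval", re.compile(r"\beval\s*\(")),
    ("Function", re.compile(r"\bnew\s+Function\s*\(")),
    ("setTimeout(string)", re.compile(r"\bset(?:Timeout|Interval)\s*\(\s*[\"'`]")),
]
MESSAGE_LISTENER_RE = re.compile(r"addEventListener\s*\(\s*[\"']message[\"']")


def mentions_taint(expr, tainted):
    """'source' if expr reads a source directly, else the first tainted identifier it uses, else None."""
    if SOURCE_RE.search(expr):
        return "source"
    for ident in sorted(tainted):
        if re.search(r"\b%s\b" % re.escape(ident), expr):
            return ident
    return None


def trace(js):
    """(sorted tainted identifiers, [(line, sink, via)]) for one script."""
    tainted, findings = set(), []
    for lineno, line in enumerate(js.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if m and mentions_taint(m.group(2), tainted):
            tainted.add(m.group(1))           # propagate: a value derived from a source is a source
        for sink, rx in SINKS:
            if rx.search(line):
                via = mentions_taint(line, tainted)
                if via:
                    findings.append((lineno, sink, via))
    return sorted(tainted), findings


def message_handlers(js):
    """[(start_line, checks_origin)] per 'message' listener; body found by brace counting
    (braces inside string literals are not handled)."""
    results, lines, i = [], js.splitlines(), 0
    while i < len(lines):
        if not MESSAGE_LISTENER_RE.search(lines[i]):
            i += 1
            continue
        depth, body = 0, []
        for j in range(i, len(lines)):
            body.append(lines[j])
            depth += lines[j].count("{") - lines[j].count("}")
            if depth <= 0:
                break
        results.append((i + 1, bool(re.search(r"\.origin\b", "\n".join(body)))))
        i = j + 1
    return results


if __name__ == "__main__":
    tainted, findings = trace(SAMPLE_JS)
    print("tainted:", tainted)
    for lineno, sink, via in findings:
        print(f"line {lineno}: {sink} <- {via}")
    for start, checks in message_handlers(SAMPLE_JS):
        print(f"message listener at line {start}: origin checked = {checks}")
```

Each reported line is a candidate, not a bug: the next step is the controlled-tab confirmation the paragraph describes, and a line the tracer stays silent on (textContent, a handler that compares event.origin against an allow list) is what the fix should look like.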
What the JS often gives you
Diff across releases
Save bundles per date. When the app ships an update, diff old against new. New endpoints often launch without security review. Hunters who diff are first to file on freshly shipped admin routes.
The frontend is documentation written for browsers, not for security review. Read it like a manual and the bugs read back.
Wire it into your pipeline
- Crawl, dedupe, and store JS per host on every recon run
- Run secret scanners on every new file
- Extract endpoints and merge into your fuzzing wordlist for the host
- Diff weekly and alert on new endpoint constants
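The store-diff-alert loop from the list above, added here as an example and not code from the original post: an in-memory stand-in for the per-host snapshot directory a recon run writes, a diff between the two newest snapshots, a first-seen index for "how long has this been exposed", and the alert filter that pages on new /admin and /internal routes. The hosts, dates and endpoint strings are constructed, and the high-priority prefixes are an assumption about what a team wants alerted on.

```python
"""Per-host endpoint snapshots, weekly diff and alert filter. Added example, not code from
the original post. The store is in memory; a real pipeline writes one file per host and date."""

HIGH_PRIORITY_PREFIXES = ("/admin", "/internal")   # assumption: prefixes that warrant immediate review


class EndpointStore:
    def __init__(self):
        self.snapshots = {}   # host -> {iso_date: set of "METHOD /path" strings}

    def record(self, host, date, endpoints):
        self.snapshots.setdefault(host, {})[date] = set(endpoints)

    def dates(self, host):
        return sorted(self.snapshots.get(host, {}))   # ISO dates sort chronologically as strings

    def diff_latest(self, host):
        """(added, removed) between the two most recent snapshots for host."""
        d = self.dates(host)
        if len(d) < 2:
            return [], []
        old, new = self.snapshots[host][d[-2]], self.snapshots[host][d[-1]]
        return sorted(new - old), sorted(old - new)

    def first_seen(self, host):
        """endpoint -> date it first appeared in any snapshot for host."""
        seen = {}
        for date in self.dates(host):
            for ep in sorted(self.snapshots[host][date]):
                seen.setdefault(ep, date)
        return seen


def alerts(added, prefixes=HIGH_PRIORITY_PREFIXES):
    """Newly added endpoints whose path sits under a high-priority prefix."""
    out = []
    for ep in added:
        _method, _, path = ep.partition(" ")
        if path.startswith(prefixes):
            out.append(ep)
    return out


def build_sample_store():
    """Three constructed weekly snapshots for one host (placeholder hostname and paths)."""
    store = EndpointStore()
    store.record("app.example.test", "2023-01-01", [
        "GET /api/v1/users/{id}", "POST /api/v1/orders", "GET /api/v1/legacy/export"])
    store.record("app.example.test", "2023-01-08", [
        "GET /api/v1/users/{id}", "POST /api/v1/orders", "GET /api/v1/legacy/export", "ROUTE /settings"])
    store.record("app.example.test", "2023-01-15", [
        "GET /api/v1/users/{id}", "POST /api/v1/orders", "ROUTE /settings",
        "ROUTE /admin/audit", "DELETE /admin/users/{param}", "GET /internal/feature-flags"])
    return store


if __name__ == "__main__":
    store = build_sample_store()
    added, removed = store.diff_latest("app.example.test")
    print("added:  ", added)
    print("removed:", removed)
    print("alert:  ", alerts(added))
    print("first seen:", store.first_seen("app.example.test"))
```

Removed endpoints deserve a line in the report too: a route that disappears from the bundle is often still served by the backend for a release or two, and the first-seen index tells you which ones to re-check.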
Closing the loop
JS recon is the bridge between asset discovery and active testing. Done right, it hands you a curated list of endpoints, role names, and sinks to probe. Done wrong, it is just a bunch of saved files nobody reads. Build the loop, then trust it.