As a pentester in the Discovery phase, we often encounter websites with limited information, challenging to fuzz, or loaded with frontend functionality. When faced with such scenarios, an intriguing technique to explore is delving into the client's JavaScript code. This blog demonstrates how to perform this task directly in the browser.

Web applications based on JavaScript typically employ JavaScript libraries or frameworks (such as Angular, React, among others) to facilitate development and scalability. When using these frameworks, a substantial amount of code is sent to the client.

Developers, focused on implementation and daily tasks, often overlook the fact that all this code, once packaged, resides in the client's browser. In other words, all the code is accessible and readable by anyone.

This exposed code may contain information about internal configurations, secrets, and, most importantly, "hidden" endpoints or URLs that can be used to access supposedly protected sections of the application. This is particularly relevant in scenarios relying on obscurity as a security method.

Keeping all this in mind, we can access the browser's developer tools and begin analyzing the source code.

Some applications may have premium features accessible only with a valid account, but the control is only at the frontend level, or there may be legacy endpoints with vulnerable or hidden functionalities. To exploit these cases, we first need to find the corresponding endpoints.

Through the browser, we'll go to the developer tools and examine the source code in the "Sources" or "Debugger" section (depending on the browser used).

On this screen, we can investigate the source code to find values that are supposed to be hidden. With this information, we can try to exploit other types of vulnerabilities. If we find API endpoints, this information can be used to advance security testing on the API.

For example, we can search for all endpoints to the API used for the admin functionality. Fuzzing attempts are unsuccessful due to slow server speed and a unique format. To find this information, we'll exploit the fact that applications typically use a particular format for making HTTP calls. Using Ctrl+F, we can search for words like POST, PUT, GET, etc. In this example, we find that the URLs use the format 'hred:'

Once we identify the format used by the application, we can search for all occurrences of that format in the code. By investigating the source code, we may uncover admin functionalities that a regular user should not have access to. After attempting to access that hidden URL, we discover an authorization error in the API, allowing us to query the API for user information, such as emails and nicknames, to which a regular user should not have access.

To prevent this, it's crucial to understand that obscurity is not a recommended method for protecting functionalities. When developing, always consider that the source code may be exposed. This is fundamental to prevent leaving sensitive information (such as secrets) in the code that could be misused.

‍