```
# Collect JS files
katana -list targets.txt -jc | grep "\.js$" | sort -u | tee JS.txt
# or use the gau tool
cat targets.txt | gau | grep "\.js$" | sort -u | tee JS2.txt
# Analyze JS files (each list gets its own output file so the second run does not overwrite the first)
nuclei -l JS.txt -t ~/nuclei-templates/exposures/ -o js_exposures_results.txt
nuclei -l JS2.txt -t ~/nuclei-templates/exposures/ -o js2_exposures_results.txt
cat JS.txt JS2.txt | sort -u | Mantra
# Download all JS files (both lists, deduplicated)
cat JS.txt JS2.txt | sort -u | while IFS= read -r link
do
    wget "$link"
done
# Use this regex to search the downloaded files for sensitive info (dots escaped so ".env" and ".git" match literally)
grep -r -E "aws_access_key|aws_secret_key|api key|passwd|pwd|heroku|slack|firebase|swagger|aws key|password|ftp password|jdbc|db|sql|secret jet|config|admin|json|gcp|htaccess|\.env|ssh key|\.git|access key|secret token|oauth_token|oauth_token_secret|smtp|GTM-" *.js
```
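The bare-word grep above flags every occurrence of "config", "db" or "admin", which buries real leaks in noise. A small scanner that matches credential-shaped patterns and drops low-entropy placeholders is what a defender would run over their own deployed bundles before release. This is an added example, not code from the original notes; the pattern set, the 3.0 bits/char threshold and the sample JS are constructed for illustration.

```python
# Scan JavaScript for credential-shaped secrets with an entropy filter, instead of
# bare words like "config" or "admin" that flood grep output. SAMPLE_JS is constructed.
import math
import re
import sys
from pathlib import Path

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    # api_key / apiKey / secret / token / password assigned a quoted literal of 12+ chars
    "credential_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\b\W{0,3}[:=]"
        r"\W{0,3}['\"](?P<val>[^'\"]{12,})['\"]"),
}
MIN_ENTROPY = 3.0  # bits per character; placeholders such as "xxxxxxxx" fall below this

SAMPLE_JS = """\
const config = { env: "production", admin: false };   // noise words, no secret
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";                // AWS documentation example key ID
const apiKey = "A1b2C3d4E5f6G7h8I9j0";                 // constructed high-entropy literal
const password = "xxxxxxxxxxxxxxxx";                   // placeholder, dropped by entropy
// TODO remove: bot token "xoxb-1234567890-abcdefghij" // constructed Slack-shaped token
"""

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character (0.0 for an empty string)."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in map(value.count, set(value))) if n else 0.0

def scan_text(text: str):
    """Return (pattern_name, line_number, value) for each plausible secret, deduplicated."""
    findings, seen = [], set()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group("val") if "val" in m.groupdict() else m.group(0)
            if value in seen or shannon_entropy(value) < MIN_ENTROPY:
                continue  # duplicate, or a low-entropy placeholder such as "xxxx..."
            seen.add(value)
            findings.append((name, text.count("\n", 0, m.start()) + 1, value))
    return findings

if __name__ == "__main__":  # usage: python scan_js.py *.js   (no arguments: scan SAMPLE_JS)
    files = sys.argv[1:] or ["<sample>"]
    for path in files:
        text = SAMPLE_JS if path == "<sample>" else Path(path).read_text(errors="replace")
        for name, line, value in scan_text(text):
            print(f"{path}:{line}: {name} -> {value}")
```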
Bypass WAF and Find Origin IPs
Using hakoriginfinder
References:
1. Make a note of the target's IP range.
2. Assuming you have a WAF-protected domain called example[.]com, use this command with the IP range identified in step 1 and pass your target host to the -h parameter:
3. If you receive a "MATCH" output, there is a strong likelihood that you have identified the origin IP. You can now send requests with the same Host header to bypass the WAF.
Using Netlas/Shodan
Make filters like http.title:"My_target_title"
Sometimes origin IPs are exposed there.
Fuzzing Tips
Use some hashing and encoding algorithms (MD5, SHA-1, SHA-256, base32, base64, etc.)
on the most common content-discovery wordlists, combined with common extensions, e.g.:
https://example*com/<HashValue>.php
https://example*com/Fuzz/<Encoding>.php
https://example*com/Fuzz/<HashValue>.asp , . . .
--
Use random bytes encoded with base64 to fuzz for sensitive files, with or without an extension, e.g.:
https://example*com/path/<RandomBytes-Base64>.php
https://example*com/path/<RandomBytes-Base64>
--
- Wordlist generation examples
```
cat common.txt | while IFS= read -r word; do echo -n "$word" | base64 | tee -a base64-wordlist.txt; done
cat wordlist.txt | while IFS= read -r word; do echo -n "$word" | md5sum | cut -d ' ' -f1 | tee -a MD5-Hashs.txt; done
```
uploads => 5128f35c9b4be13788ba41bdb6d1fc1f
cmd => dfff0a7fa1a55c8c1a4966c19f6da452
index => aW5keAo=
. . .
https://examples*com/path/5128f35c9b4be13788ba41bdb6d1fc1f
https://examples*com/path/dfff0a7fa1a55c8c1a4966c19f6da452.php
https://examples*com/path/aW5keAo=.bak
. . .
- With ffuf (the keyword after the colon must be exactly the token used in the URL, so W1 rather than /W1, otherwise the slash before it is replaced too)
```
ffuf -w MD5-Hashs.txt:W1 -w extensions.txt:W2 -u "https://example*com/path/W1.W2" -mc 200
ffuf -w base64-wordlist.txt:W1 -w extensions.txt:W2 -u "https://example*com/path/W1.W2" -mc 200
```
--
Once a file with an extension returns a 200 status code, discover its parameters with tools such as arjun or ParamSpider:
https://examples*com/path/dfff0a7fa1a55c8c1a4966c19f6da452.php?cmd=
etc . . .
--
Port Scanning
>> discover exposed hosts on the internet. It is built with automation in mind, so you can query it and utilize the results with your current pipeline tools.
Use This Extension to analyse JS Files
Discover your target's ASN and check
Go to , , SecurityTrails or other similar platforms