JS Analyzing

[Sh4d0wHunt3rX]

Probably the thing I'm going to write here, is not related to bbot at all and be out of scope of it, but I'm writing it anyway, maybe someone came up with better idea or a module.

Right now I am downloading JS files by filedownload module. Then I'm going to use this script to find dangerous sinks and sources inside them:
https://github.com/ariary/DomXssFinder

(You can see info about these sources and sinks here: https://github.com/Sivnerof/Sources-And-Sinks-Cheatsheet )

I was thinking maybe can automate this and add this to bbot that shows which sources and sinks exist in which files.

Also, bbot is not downloading inline js. Not sure if that is even technically possible to implement in bbot, but right now I'm using this to download them if needed:
https://github.com/ariary/JSextractor/

[TheTechromancer]

These are both good ideas. It would be cool to have a family of modules for downloading and analyzing javascript.

The use case is different enough I think it would justify having a separate module to download them. jsdownload could download all .js files, extract inline js, and raise them as JAVASCRIPT events to be consumed by other modules for secrets extraction, link finding, static analysis, etc.

@liquidsec what are your thoughts

[Sh4d0wHunt3rX]

Maybe also add headless ability of downloading dynamically loaded js in DOM

[TheTechromancer]

This is a good idea. We eventually plan to implement this with Playwright (#698). Most likely we'll have a webscreenshot module that raises the fully-rendered DOM and each of the individual network requests as HTTP_RESPONSE, then our jsdownload module will consume those and extract inline javascript.

[Sh4d0wHunt3rX]

Maybe possible to address this here as well: (Add functionality to extract JS strings as links in a javascript blob) #1121

[Sh4d0wHunt3rX]

One method explained here by one of the guys I follow in Oasis discord channel, originally can be seen here:
https://discord.com/channels/1051004171559649361/1051004172008435774/1221529201560129718

[TheTechromancer]

This is a neat concept. I think we could automate it with a headless browser module, i.e. playwright.

[Sh4d0wHunt3rX]

And also:

[Sh4d0wHunt3rX]

Maybe not a bad idea for jsdownload module, to able to download also source maps and also use it for subdomain enumeration or content discovery, more info here:

https://www.redsentry.com/blog/javascript-source-maps
https://github.com/danielmiessler/Source2URL/blob/master/Source2URL
https://bitthebyte.medium.com/javascript-for-bug-bounty-hunters-part-2-f82164917e7

This may be helpful too https://www.jswzl.io/ and see what can achieve in bbot.

Sample of the source map

[Sh4d0wHunt3rX]

May be useful, made by the person above for JS analyzing:

https://github.com/aristosMiliaressis/js-analysis-tools