Security is hard. It’s often very easy to overlook things, and one small mistake can have a very big impact.
Here’s what I’ve learned.
While this is not a direct security problem, it can tell a great deal about your internals.
It could be a secret pricing function, a list of states that reveal an upcoming feature, or an array of translation strings that uncover some internal tools.
You wouldn’t want your secret algorithms exposed to the face of the world, would you?
This makes the work of security searchers very easy as they have access to all endpoints at once. Some endpoints are maybe deprecated but are still showing in the list: this is more attack surface for a security searcher.
This one is really bad, but is really not that uncommon.
Those are often found in the admin / internal JS files. Developers may think these files won’t be served to regular users so it’s fine to put sensitive information inside, but more often that not, it’s easy to get access to those files.
The interesting files are often the ones not intended for regular users: it can be an admin part, some internal tools, etc.
Every website has a different JS architecture. Some will load all the JS in every page, some more modern will have different entry points depending on the page you are visiting.
Let’s consider the following:
It’s very trivial, but in this case, one could try to load
Let’s consider another example:
Now this is a bit more complicated, the file has a hash in its name so it’s impossible to do some basic enumeration.
What if we try to access this url:
Ooops! In this case this website is using webpack, a famous assets bundler. It is often used with a plugin that generates a
manifest.json file containing the link to all assets, which is often served by the web server.
If you manage to find which tools a website is using, it’s easier to find this kind of vulnerabilities.
Here are a few tips to avoid being vulnerable to this kind of attacks:
Security issues can come from a lot of unexpected spots. When writing any kind of code, when pasting sensible data, it’s always good to ask yourself who will have access to this code, to avoid leaking all your secrets!