Hello everyone,
I am Nitin Yadav (KD), back again with another write-up on how you can find secrets in any website for your pentest or bug bounty.
You will need the following tools:
SecretFinder
Hakrawler
Burp Suite
SecretFinder: SecretFinder is a Python script based on LinkFinder, written to discover sensitive data such as API keys, access tokens, authorizations, JWTs, etc. in JavaScript files. It does so by using jsbeautifier for Python combined with a relatively large regular expression.
Hakrawler: Fast Go web crawler for gathering URLs and JavaScript file locations.
Burp Suite: Burp or Burp Suite is a set of tools used for penetration testing of web applications. It was developed by the company named PortSwigger, which is also the alias of its founder Dafydd Stuttard. Burp Suite aims to be an all-in-one set of tools, and its capabilities can be enhanced by installing add-ons called BApps. It is used by many penetration testers and bug bounty hunters, and provides good reporting capabilities.
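To show what the regular-expression pass described for SecretFinder amounts to, here is an added example (not SecretFinder's code or its pattern list, and not from the original write-up) that you can run against your own JavaScript bundles before release. The patterns, the entropy threshold, the function names and the sample input are assumptions made for illustration, and every value in the sample is fake.

```python
import math
import re
from collections import Counter

# Illustrative patterns only (assumed for this example; not SecretFinder's list).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}"),
    "jwt": re.compile(r"\beyJ[\w-]{5,}\.[\w-]{5,}\.[\w-]{5,}"),
    # Generic: a secret-sounding name assigned a quoted string of 12+ characters.
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\b\s*[:=]\s*[\"']([^\"']{12,})[\"']"),
}

SAMPLE_JS = (  # constructed, minified-style input; all values are fake
    'var awsKey="AKIAIOSFODNN7EXAMPLE";var mapsKey="' + "AIza" + "x" * 35 + '";\n'
    'fetch("/api",{headers:{Authorization:"Bearer '
    'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"}});\n'
    'const cfg={token:"q7Zp2LmX9vKc4RtB8nWd",secret:"xxxxxxxxxxxxxxxxxxxx"};\n'
)

def entropy(s):
    """Shannon entropy in bits per character; placeholders score low."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value):
    """Keep only enough of the match to locate it, so reports do not leak it."""
    return value[:4] + "..." + value[-2:]

def scan(js, min_entropy=3.5):
    """Return sorted (line, pattern_name, redacted_value) tuples for one JS text."""
    findings, seen = [], set()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(js):
            value = m.group(m.lastindex or 0)  # captured value, else whole match
            if value in seen:
                continue  # already reported by a more specific pattern
            if name == "generic_assignment" and entropy(value) < min_entropy:
                continue  # looks like a placeholder, not a real secret
            seen.add(value)
            line = js.count("\n", 0, m.start()) + 1
            findings.append((line, name, redact(value)))
    return sorted(findings)

if __name__ == "__main__":
    for line, name, value in scan(SAMPLE_JS):
        print(f"line {line}: {name}: {value}")
```

The entropy filter applies only to the generic pattern, which is the one most prone to false positives on placeholder strings; the prefix-based patterns are reported regardless.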
Let's start some magic:
Use Hakrawler, a fast web crawler written in Go, to gather URLs and JavaScript endpoints, and combine it with SecretFinder to detect secrets.
To simplify the process of gathering basic JavaScript links use
Here the result will be the links that we got from Hakrawler.
Now we will use SecretFinder to discover sensitive data in those JS links.
So let's take any of the links from the JS files which we discovered and pass them through SecretFinder.
You can add this to Burp Suite Pro edition to reduce the workload.
I hope you enjoy this one and I see you next time ;)
Take care and happy hacking!