Part 13 – JavaScript and Frontend Recon (Endpoints, Secrets, Logic)

Introduction

So far, you’ve found:

  • Subdomains
  • Live hosts
  • URLs
  • Services
  • Visual targets

Now we go deeper.

Because modern web apps hide a lot inside JavaScript.

Not visible in HTML.
Not visible in URLs.
But sitting quietly inside JS files.

This is where many real bugs start.


Why JavaScript recon matters

  • Frontend code contains hidden endpoints
  • APIs are often exposed in JS
  • Sensitive keys sometimes leak
  • Business logic can be reverse engineered

If you are not reading JavaScript, you are missing half the attack surface.


What you are trying to find

  • Hidden API endpoints
  • Internal routes
  • Hardcoded tokens or keys
  • Parameter names
  • Logic flows

This becomes your deep attack surface.


Tools you will use

  • httpx – collect JS files
  • katana – extract JS URLs
  • LinkFinder – extract endpoints
  • grep / regex – manual extraction
  • JSParser / custom scripts – deeper analysis
  • curl – fetch JS content

Keep it simple. Most power comes from basic extraction.


Step-by-step JavaScript recon workflow


1. Collect JavaScript files

From your URL list:

cat final_urls.txt | grep "\.js$" | sort -u > js_files.txt

Or use httpx:

httpx -l live_hosts.txt -path / -mc 200 -silent | grep "\.js" > js_files.txt

Now you have all JS sources.


2. Download JS files locally

mkdir -p js
# quote the URL, and drop any ?query so the saved filename stays sane
while read -r url; do
curl -s "$url" -o "js/$(basename "${url%%\?*}")"
done < js_files.txt

This helps in offline analysis.


3. Extract endpoints using grep

Quick method:

grep -ohE "https?://[^\"']+" js/* | sort -u > endpoints.txt

Also extract relative paths:

grep -ohE "/[a-zA-Z0-9_/.-]+" js/* | sort -u > paths.txt

4. Use LinkFinder (better extraction)

python3 linkfinder.py -i js_files.txt -o cli

This gives:

  • Clean endpoints
  • API paths
  • Structured output

Much more accurate than raw grep.


Finding sensitive data in JavaScript

Look for:

  • API keys
  • Tokens
  • Secrets
  • URLs with parameters

Example search:

grep -iE "api|key|token|secret|auth" js/*

Common sensitive patterns

Look for:

  • api_key = "..."
  • Authorization: Bearer
  • access_token
  • client_secret
  • firebaseConfig
  • aws_key

Not all are exploitable.
But all are valuable signals.
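As an added example (not code from this post), a small Python scanner for the patterns listed above, run over a constructed JS snippet: it reports the pattern label and line number and redacts the matched value, so a finding can be written up without copying the secret itself. The pattern names, regexes and sample values are my assumptions.

```python
import re

# Constructed sample JS (not from any real target) seeded with the patterns above.
# The AKIA value is the placeholder key id used in AWS documentation, not a live key.
SAMPLE_JS = """\
var api_key = "AKIAIOSFODNN7EXAMPLE";
headers: { "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc" },
const firebaseConfig = { apiKey: "AIzaExampleKey", projectId: "demo-app" };
localStorage.setItem("access_token", resp.token);
client_secret: "s3cr3t-value-here"
"""

# Label -> regex. Group 1 captures the value (or the keyword itself when there is no value).
PATTERNS = {
    "api_key assignment": re.compile(r'\bapi_?key\b\s*[:=]\s*["\']([^"\']+)["\']', re.I),
    "bearer token": re.compile(r'Bearer\s+([A-Za-z0-9._~+/=-]{8,})'),
    "access_token reference": re.compile(r'\b(access_token)\b'),
    "client_secret": re.compile(r'\bclient_secret\b\s*[:=]\s*["\']([^"\']+)["\']', re.I),
    "firebaseConfig object": re.compile(r'\b(firebaseConfig)\b'),
    "aws access key id": re.compile(r'\b(AKIA[0-9A-Z]{16})\b'),
}

def redact(value):
    """Keep only the first and last 3 characters so the report does not carry the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:3] + "*" * (len(value) - 6) + value[-3:]

def find_secrets(js_text):
    """Return (label, line_number, redacted_value) for every pattern hit, in file order."""
    hits = []
    for lineno, line in enumerate(js_text.splitlines(), start=1):
        for label, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((label, lineno, redact(m.group(1))))
    return hits

if __name__ == "__main__":
    for label, lineno, value in find_secrets(SAMPLE_JS):
        print(f"line {lineno}: {label}: {value}")
```

Every hit is a signal to confirm by hand, as the post says; the redacted output is what goes into notes or a report.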


Understanding frontend logic

JavaScript tells you:

  • How API calls are made
  • What parameters are required
  • What validation happens on client side

Example:

fetch('/api/user?id=' + userId)

Now you know:

  • Endpoint: /api/user
  • Parameter: id

This directly feeds into:

  • IDOR testing
  • Parameter fuzzing

Extracting parameters from JS

grep -ohE "[a-zA-Z0-9_]+=" js/* | sort -u > params.txt

This gives:

  • Parameter names
  • Internal variables

These are useful for fuzzing.
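A custom-script version of the grep steps above, added here and not part of the original post: it pulls quoted endpoints out of a constructed JS sample, pairs each one with the query parameter names used against it (so '/api/user?id=' + userId yields /api/user with the parameter id), and buckets the result the way the prioritisation strategy further down describes. The sample JS, function names and bucket rules are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample JS (not from any real target) showing the patterns discussed above
SAMPLE_JS = """\
const API = "https://api.example.com/v1";
fetch('/api/user?id=' + userId).then(r => r.json());
fetch(API + "/orders?status=open&page=1", { headers: { "Content-Type": "application/json" } });
axios.post("/api/admin/users", { role: "admin" });
const ws = "wss://example.com/socket";
"""

# A quoted string that is either an absolute URL or a path starting with "/"
# (so MIME types like "application/json" and plain words are not picked up)
QUOTED = re.compile(r"""["']((?:https?|wss?)://[^"'\s]+|/[^"'\s]*)["']""")

def endpoint_map(js_text):
    """Map every quoted endpoint to the set of query parameter names used with it.

    Absolute URLs keep scheme and host; relative strings keep just the path.
    A trailing '?id=' (value appended at runtime) still yields the name 'id'.
    """
    found = {}
    for m in QUOTED.finditer(js_text):
        parts = urlsplit(m.group(1))
        key = parts.path or "/"
        if parts.scheme:
            key = f"{parts.scheme}://{parts.netloc}{key}"
        names = set(parse_qs(parts.query, keep_blank_values=True))
        found.setdefault(key, set()).update(names)
    return found

def param_names(js_text):
    """Union of all query parameter names seen in the JS, for a fuzzing wordlist."""
    names = set()
    for params in endpoint_map(js_text).values():
        names |= params
    return names

def priority(endpoint, params):
    """Bucket an endpoint: API, auth, admin or parameter-heavy is high; parameterised is medium."""
    path = urlsplit(endpoint).path.lower()
    if "/api/" in path or "admin" in path or "auth" in path or len(params) >= 2:
        return "high"
    if params:
        return "medium"
    return "low"

if __name__ == "__main__":
    for ep, params in sorted(endpoint_map(SAMPLE_JS).items()):
        print(priority(ep, params), ep, sorted(params))
```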


Mapping API endpoints

Combine JS data:

/api/user
/api/admin
/api/v1/data
/graphql

Now you know:

  • Backend structure
  • Versioning
  • API design

This is powerful for:

  • Access control testing
  • API abuse

Finding hidden features

Sometimes JS contains:

  • Disabled features
  • Beta endpoints
  • Internal routes

Example:

"/admin/debug"
"/internal/stats"

These may not be linked anywhere.


Validating endpoints

Always verify:

httpx -l endpoints.txt -status-code -silent -o live_endpoints.txt

Only test what is alive.


Prioritisation strategy

High priority:

  • API endpoints
  • Auth-related paths
  • Admin routes
  • Parameter-heavy URLs

Medium priority:

  • Static endpoints
  • Public APIs

Low priority:

  • Duplicates
  • Unreachable endpoints

Real-world use-cases

  • Finding hidden /api/admin endpoint
  • Extracting /graphql endpoint
  • Discovering unused parameters
  • Identifying internal services
  • Finding leaked Firebase configs

These are common real bugs.


Mini lab exercise (30–40 minutes)

  1. Collect JS files:
     grep "\.js$" urls.txt > js.txt
  2. Download:
     while read -r url; do curl -s "$url"; done < js.txt > all.js
  3. Extract endpoints:
     grep -oE "https?://[^\"']+" all.js | sort -u
  4. Extract params:
     grep -oE "[a-zA-Z0-9_]+=" all.js | sort -u
  5. Pick 3 endpoints and test manually.

Common mistakes and fixes

Mistake: Ignoring JS files
Fix: Always analyse JS

Mistake: Only using automated tools
Fix: Combine manual + tools

Mistake: Not validating endpoints
Fix: Use httpx

Mistake: Missing relative paths
Fix: Extract both full URLs and paths


Quick command summary

Collect JS:

grep "\.js$" urls.txt

Extract endpoints:

grep -oE "https?://[^\"']+"

Extract params:

grep "="

Validate:

httpx -l endpoints.txt

What to do after this Part

  • Use endpoints for parameter fuzzing
  • Test APIs for auth issues
  • Check for IDOR, XSS, SSRF
  • Analyse business logic

Now recon becomes real vulnerability hunting.


Next post preview

Part 14 – Parameter Discovery and Hidden Parameter Hunting

We will cover:

  • Finding hidden parameters
  • Parameter fuzzing
  • Wordlists for parameters
  • Tools and automation

This is where exploitation starts becoming real.


Closing thought

Frontend code is not just UI.
It is a blueprint.

If you read it properly,
you already know where to attack.


Disclaimer

This content is for educational purposes only. Use it ethically and only against targets you own or have explicit permission to test. Do not use any techniques described here in ways that break laws, platform rules, or third-party rights. If in doubt, stop and get permission.
