While scrolling Twitter recently I saw Intigriti link to a JavaScript bookmarklet for discovering API endpoints. When doing reconnaissance, tools like ffuf are sometimes not fine-grained enough for enumerating API endpoints. Interacting with an app in the browser, however, is much more hands-on and can often reveal API endpoints that other tools miss. We can use the browser developer console and JavaScript to our advantage here:
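(function () {
  // Collect "/path"-shaped string literals from the current page's HTML and
  // from the bodies of its external <script src> files, then show the unique
  // set once every fetch has settled.
  const scripts = document.getElementsByTagName("script");
  // A quoted literal that starts with "/" and contains only URL-path
  // characters; the lookbehind/lookahead keep the surrounding quote out of
  // the match. Because '<', '>' and quotes are excluded, a match can never
  // carry markup, but the output below still avoids HTML sinks entirely.
  const regex = /(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;
  const results = new Set();

  // Add every match found in `text` to the result set.
  const collect = (text) => {
    for (const match of text.matchAll(regex)) {
      results.add(match[0]);
    }
  };

  const pending = [];
  for (const script of scripts) {
    const src = script.src;
    // Inline scripts have no src; their body is already part of outerHTML.
    if (src === "") continue;
    pending.push(
      fetch(src)
        .then((response) => response.text())
        .then(collect)
        .catch((error) => {
          // Cross-origin scripts served without CORS headers land here and
          // are skipped; the failure is logged rather than swallowed.
          console.log("An error occurred: ", error);
        })
    );
  }

  collect(document.documentElement.outerHTML);

  // Wait for all fetches to settle instead of a fixed 3 s timer, so results
  // from slow script downloads are not silently dropped.
  Promise.allSettled(pending).then(() => {
    // Render via textContent: document.write() after load replaces the whole
    // document, and the original call also had an unterminated string literal.
    const output = document.createElement("pre");
    output.textContent = [...results].join("\n");
    document.body.replaceChildren(output);
  });
})();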