Unleash the Power of JS Link Finder: Hunt Hidden Endpoints Like a Pro
介绍如何使用Burp Suite的JS Link Finder扩展查找JavaScript中的隐藏URL和端点,帮助发现安全漏洞。该工具通过被动扫描自动分析JavaScript文件,提取潜在的敏感API或易受攻击的路径。 2025-9-2 10:19:24 Author: infosecwriteups.com(查看原文) 阅读量:9 收藏

Finding JavaScript URLs and Secret Endpoints with Burp Suite’s JS Link Finder Extension

Monika sharma

Press enter or click to view image in full size

Bug bounty hunting is like being a digital detective, searching for security flaws in websites to keep them safe and earn rewards. One of the most powerful tools in a bug hunter’s toolkit is Burp Suite, and its extensions can supercharge your efforts. Among these, the JS Link Finder extension stands out as a game-changer. It scans JavaScript files for URLs and hidden endpoints that could lead to vulnerabilities like exposed APIs, open redirects, or even account takeovers. Whether you’re a beginner or a seasoned hunter, this extension can help you uncover “fishy” endpoints that developers might have overlooked. In this article, we’ll walk you through the full process: from setting up a target in Burp Suite to using JS Link Finder to extract JavaScript URLs and hidden endpoints, and finally checking those endpoints for bugs. Let’s dive into this powerful tool and start hunting like a pro!

Why JS Link Finder Is a Must-Have for Bug Hunters

Modern websites rely heavily on JavaScript for features like dynamic content, API calls, and user interactions. These JavaScript files often contain URLs or endpoints that aren’t visible on the website’s front end. For example, a file like service-worker.js might include API paths or redirect URLs that, if misconfigured, could lead to serious vulnerabilities. Manually searching through these files is time-consuming and easy to miss. That’s where JS Link Finder, a Burp Suite extension, shines. It automatically scans JavaScript files for links, endpoints, and parameters, saving you hours of work and helping you find hidden gems like /api/users or /admin endpoints that could be exploitable.

Here’s why JS Link Finder is so powerful:

  • Passive Scanning: It analyzes JavaScript files as you browse, without sending extra requests, keeping your testing stealthy.
  • Endpoint Discovery: Finds URLs and paths (e.g., /api/v1/config) that might expose sensitive data or logic.
  • Bug Bounty Friendly: Helps uncover vulnerabilities like open redirects, broken authentication, or information disclosure, which can lead to big rewards.
  • Beginner-Friendly: Easy to set up and use, even if you’re new to Burp Suite.

In this guide, we’ll show you how to use JS Link Finder to find these hidden endpoints, step by step, with practical examples inspired by real-world bug bounty reports.

Prerequisites: What You Need to Get Started

Before we begin, make sure you have the following:

  • Burp Suite Community or Professional Edition: The free Community Edition works for manual testing, but Professional is better for passive scanning with extensions. Download it from portswigger.net.
  • JPython Environment: JS Link Finder requires JPython to run. Download the JPython JAR file from jython.org and set it up in Burp Suite.
  • A Target Website: Choose a website with a bug bounty program (e.g., on HackerOne or Bugcrowd) and check its scope to ensure subdomains and JavaScript files are included.
  • A Browser: Configure your browser (e.g., Chrome or Firefox) to use Burp Suite as a proxy.
  • Basic Tools: A text editor to review findings and a notebook to track your progress.

If you’re new, practice on safe environments like PortSwigger’s Web Security Academy to avoid legal issues.

Step-by-Step Process: Using JS Link Finder in Burp Suite

Let’s break down the process into clear steps, from setting up your target to finding and testing hidden endpoints with JS Link Finder.

Step 1: Set Up Your Target in Burp Suite

To use JS Link Finder, you first need to configure Burp Suite to capture traffic from your target website. Here’s how:

  1. Open Burp Suite: Launch Burp Suite (Community or Professional).
  2. Configure Your Browser:
  • Set your browser to use Burp as a proxy. In Chrome, go to Settings > System > Open your computer’s proxy settings, and set the proxy to 127.0.0.1:8080.
  • Install the Burp Suite CA certificate in your browser to avoid SSL errors. In Burp, go to Proxy > Options > Import/Export CA Certificate and follow the instructions.

3. Add the Target to Scope:

  • Go to the Target > Scope tab in Burp Suite.
  • Click Add under the Target Scope section.
  • Enter the target’s domain (e.g., example.com) or specific subdomains (e.g., dev.example.com, api.example.com). Include https:// or http:// as needed.
  • For bug bounties, check the program’s scope on HackerOne or Bugcrowd to include only allowed domains.

4. Turn on Proxy: In the Proxy > Proxy Settings tab, ensure the proxy is running on 127.0.0.1:8080. Enable Intercept is on to capture requests (you can turn it off later for passive scanning).

5. Browse the Target: Visit the target website in your browser and interact with it (e.g., log in, click links, submit forms). This populates the Target > Site map with URLs and JavaScript files.

Step 2: Install JS Link Finder Extension

JS Link Finder is available in Burp Suite’s BApp Store. Here’s how to install it:

  1. Open the BApp Store:
  • In Burp Suite, go to the Extender > BApp Store tab.

2. Search for JS Link Finder:

  • Type “JS Link Finder” in the search bar. You’ll see the extension by PortSwigger or a forked version (e.g., by InitRoot or phlmox).
  • Note: If you use a forked version like BurpJSLinkFinderv2, check its GitHub page for specific setup instructions.

3. Install the Extension:

  • Click on “JS Link Finder” and hit the Install button. It will download and load into Burp Suite.

4. Set Up JPython:

  • Go to Extender > Options.
  • Under Python Environment, click Select file and choose the JPython JAR file you downloaded.
  • If you don’t have JPython, download it from jython.org and set the path.

5. Verify Installation:

  • In the Extender > Extensions tab, ensure JS Link Finder is listed and checked (enabled). If there’s an error, double-check the JPython setup.

Step 3: Configure JS Link Finder

JS Link Finder is a passive scanner, meaning it analyzes JavaScript files as you browse without sending extra requests. To make it effective:

  1. Set Exclusion List:
  • JS Link Finder skips common JavaScript libraries like jquery or google-analytics to avoid noise. You can customize this list.
  • Open the extension’s source code (available on GitHub, e.g., PortSwigger/js-link-finder) and modify the JSExclusionList (e.g., ['jquery', 'google-analytics', 'gpt.js']) on line 33 or similar, depending on the version.
  • Save and reload the extension if you make changes (requires manual editing for Community Edition).

2. Enable Passive Scanning:

  • In Burp Suite, go to Scanner > Options and ensure passive scanning is enabled (default in Professional Edition).
  • JS Link Finder will automatically analyze JavaScript files in the scope as you browse.

3. Optional Settings:

  • In some versions (e.g., BurpJSLinkFinderv2), you can enable “Only scope” to limit scanning to in-scope domains or add a blacklist for file extensions (e.g., .jpg, .css) to reduce false positives.

Step 4: Browse the Target to Collect JavaScript Files

JS Link Finder works by analyzing JavaScript files captured in Burp’s proxy. To collect these files:

  1. Browse Actively: Visit the target website (e.g., https://example.com) and interact with all features—log in, click buttons, submit forms, and navigate subdomains (e.g., dev.example.com).
  2. Check Site Map: In Burp’s Target > Site map, filter for JavaScript files (e.g., .js extensions). You’ll see files like /scripts/main.js or /service-worker.js.
  3. Manual Collection: If you know specific JavaScript files (e.g., from robots.txt or sitemap.xml), visit them directly (e.g., https://dev.example.com/service-worker.js) to ensure they’re captured.

Step 5: Run JS Link Finder to Extract URLs and Endpoints

Once JavaScript files are in Burp’s Site map, JS Link Finder will passively scan them. Here’s how it works:

  1. Automatic Scanning:
  • As you browse, JS Link Finder analyzes JavaScript files in the scope and extracts URLs, endpoints, and parameters.
  • Results appear in the Issues tab (Professional Edition) or the extension’s output window (check Extender > Extensions > JS Link Finder > Output).

2. Example Output:

  • For a file like service-worker.js, JS Link Finder might extract:
Endpoint: /api/v1/users
Parameter: redirectUrl
URL: https://api.example.com/config
  • These could point to sensitive APIs or redirect logic worth testing.

3. Export Results:

  • In the extension’s interface (or output window), you can export results to a text file for review. Look for a button or option like “Export endpoints” in newer versions (e.g., BurpJSLinkFinderv2).

Step 6: Check Extracted URLs for Hidden Endpoints

JS Link Finder will give you a list of URLs and endpoints. Now, it’s time to investigate them for vulnerabilities:

  1. Review the List:
  • Open the exported results or check the Issues tab. You might see endpoints like:
  • /api/v1/users (possible data leak)
  • /redirect?redirectUrl= (potential open redirect)
  • /admin/config (possible admin panel access)

2. Test with Burp Suite:

  • Send promising endpoints to Burp’s Repeater:
  • Right-click the endpoint in the Site map or Issues tab and select Send to Repeater
  • Test GET/POST requests to check for unauthenticated access. For example: If it returns user data without authentication, it’s a bug.
GET /api/v1/users HTTP/1.1
Host: api.example.com
  • For redirect endpoints (e.g., /redirect?redirectUrl=), test for open redirects by injecting https://evil.com and checking if the site redirects without validation.

3. Use Browser Developer Tools:

  • Open Chrome or Firefox, press F12, and go to the Network tab.
  • Visit the extracted URLs (e.g., https://api.example.com/api/v1/config) and check for sensitive data in responses (e.g., API keys, user info).

4. Manual Inspection:

  • For JavaScript files like service-worker.js, open them in a text editor or browser to look for hardcoded endpoints, tokens, or parameters. For example, the redirectUrl in your service-worker.js could be vulnerable if it’s not sanitized.

Step 7: Test for Vulnerabilities

Here are common vulnerabilities to check in the extracted endpoints:

  • Information Disclosure: If /api/v1/config returns sensitive data (e.g., API keys), it’s reportable.
  • Broken Authentication: Test if /admin or /api/users allows access without login.
  • Open Redirects: For endpoints like /redirect, try injecting redirectUrl=https://evil.com to see if it redirects without validation.
  • XSS or Injections: If endpoints accept user input (e.g., ?query=test), test for XSS by injecting <script>alert(1)</script>.

Use Burp’s Repeater or Intruder to automate testing (Intruder is Professional Edition only).

Step 8: Report Your Findings

If you find a vulnerability, report it responsibly:

  1. Write a Clear Report:
  • Include:
  • Steps to Reproduce: E.g., “Visited /api/v1/users without auth and got user data.”
  • Proof-of-Concept (PoC): Screenshots or a video of the exploit.
  • Impact: Explain the risk (e.g., “Leaked user data can lead to account takeovers”).
  • Submit via the bug bounty platform (e.g., HackerOne).

2. Example Report:

  • Title: Unauthenticated Access to /api/v1/users
  • Description: JS Link Finder found /api/v1/users in main.js. Sending a GET request returns user emails without authentication.
  • PoC: curl <https://api.example.com/api/v1/users>
  • Impact: Exposes sensitive user data, risking privacy breaches.

3. Follow Program Rules: Ensure the endpoint is in scope and avoid disclosing findings publicly until resolved.

Real-World Example: Finding a Hidden API Endpoint

Let’s look at a simplified real-world scenario inspired by bug bounty reports (like the GitLab OAuth bypass):

  • Target: A website with a bug bounty program.
  • Process:
  • You add example.com and subdomains (e.g., api.example.com) to Burp’s scope.
  • While browsing, JS Link Finder scans scripts.js and finds /api/v1/keys.
  • You send a GET request to https://api.example.com/api/v1/keys using Burp’s Repeater.
  • The response contains an API key: {"key": "abc123"}.
  • Result: The exposed key could access internal APIs, earning a $500 reward after reporting.
  • Why It Worked: JS Link Finder spotted a hidden endpoint missed by manual inspection, showing its power in bug hunting.

Tips for Maximizing JS Link Finder

  • Combine with Other Tools: Use waybackurls to find archived JavaScript files: Visit these files to ensure they’re scanned by JS Link Finder.
waybackurls https://example.com | grep "\.js$" > js-files.txt
  • Check Subdomains: Add subdomains like dev.example.com to the scope, as they often host sensitive endpoints.
  • Test Parameters: For endpoints with parameters (e.g., redirectUrl), test for open redirects or XSS.
  • Stay Ethical: Only test within the bug bounty program’s scope to avoid legal issues.
  • Learn from Reports: Read public bug reports on HackerOne to see how others used JavaScript analysis for big finds.

Common Mistakes to Avoid

  • Not Setting Scope: Always define the target scope to avoid scanning out-of-scope domains.
  • Ignoring False Positives: JS Link Finder may flag common libraries. Use the exclusion list to filter them.
  • Skipping Manual Testing: Don’t rely solely on the extension — manually test endpoints for real vulnerabilities.
  • Poor Reporting: Include clear steps and impact in your reports to increase reward chances.

Why JS Link Finder Is a Game-Changer

JS Link Finder is a must-have for bug hunters because it automates the tedious task of analyzing JavaScript files. It finds hidden endpoints that could lead to critical bugs, like the GitLab OAuth bypass, where a simple parameter tweak led to account takeovers. By integrating seamlessly with Burp Suite, it fits into your workflow, whether you’re a beginner using the Community Edition or a pro with the Professional version. Its passive scanning keeps your testing low-profile, and its ability to export results makes it easy to prioritize high-value endpoints.

Conclusion: Start Hunting with JS Link Finder Today

The JS Link Finder extension is a powerful ally in your bug bounty journey, helping you uncover hidden endpoints and vulnerabilities with ease. By following this guide — setting up your target, installing the extension, scanning JavaScript files, and testing endpoints — you can find bugs like exposed APIs or open redirects that earn real rewards. Download Burp Suite, install JS Link Finder, and pick a beginner-friendly program on HackerOne or Bugcrowd. Practice on safe labs like PortSwigger’s Web Security Academy, and soon, you’ll be hunting like a pro. Your next big bug is out there — happy hunting!


文章来源: https://infosecwriteups.com/unleash-the-power-of-js-link-finder-hunt-hidden-endpoints-like-a-pro-deb77530155f?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh