Find Hidden GET Parameters in JavaScript Files


Discovering hidden GET parameters in JavaScript files is a crucial skill for penetration testers and bug bounty hunters. These parameters can often reveal undocumented API endpoints or potential injection points. Below is a refined and practical approach to uncovering them.

Command to Extract Hidden GET Parameters

assetfinder example.com | gau | egrep -v '\.(css|png|jpeg|jpg|svg|gif|woff)' | while read -r url; do vars=$(curl -s "$url" | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '\.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done

You Should Know:

1. `assetfinder` – Discovers subdomains of a target.
  • Install: `go install github.com/tomnomnom/assetfinder@latest`
2. `gau` (Get All URLs) – Fetches historical URLs from multiple sources.
  • Install: `go install github.com/lc/gau/v2/cmd/gau@latest`
3. `egrep` – Filters out static files (images, CSS, etc.).
4. `curl` – Fetches JavaScript files silently (-s flag).
5. `sed` – Manipulates text to construct potential vulnerable parameters.

Step-by-Step Execution:

1. Find Subdomains:

assetfinder example.com > domains.txt 

2. Gather URLs:

cat domains.txt | gau > urls.txt 

3. Filter & Extract JS Vars:

cat urls.txt | egrep -v '\.(css|png|jpeg|svg)' | while read -r url; do curl -s "$url" | grep -Eo "var [a-zA-Z0-9_]+"; done

4. Test Parameters for XSS:

Append `=xss` to each parameter and check for reflection.
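
The extraction in step 3, as an added example that is not part of the original post: it runs offline on a constructed JavaScript sample, also picks up `let` and `const` declarations (a generalization of the `var`-only pattern above), and keeps names containing `_` or `$` whole, which `var [a-zA-Z0-9]+` would truncate. The function names and the sample script are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: extraction and formatting stages only, no network access.

# extract_js_names: read JavaScript on stdin, print unique declared identifiers.
# The leading (^|[^...]) guard stops matches inside longer words such as "covariance".
extract_js_names() {
  grep -Eo '(^|[^A-Za-z0-9_$])(var|let|const)[[:space:]]+[A-Za-z_$][A-Za-z0-9_$]*' \
    | sed -E 's/.*(var|let|const)[[:space:]]+//' \
    | LC_ALL=C sort -u
}

# build_candidates BASE MARKER: turn names on stdin into BASE?name=MARKER lines,
# the same shape as the one-liner's output (marker "xss" is the page's placeholder).
build_candidates() {
  base=$1
  marker=$2
  while IFS= read -r name; do
    printf '%s?%s=%s\n' "$base" "$name" "$marker"
  done
}

# sample_js: constructed input standing in for a fetched script.
sample_js() {
  cat <<'EOF'
var debug = false;
let redirect_url = getParam("next");
const apiKey="x"; var debug = true;
function f(){ var $el = document.body; }
// covariance is not a declaration: avar x
EOF
}

# Stand-alone run: four unique names, one candidate URL per name.
sample_js | extract_js_names | build_candidates 'http://example.com/' 'xss'
```

The duplicate `debug` declaration collapses to one line, so the candidate list stays short enough to validate by hand.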

Advanced Techniques:

– `waybackurls` (Alternative to gau):

waybackurls example.com | grep "\.js" | httpx -status-code -content-type

– `ffuf` for Parameter Fuzzing:

ffuf -w params.txt -u "http://example.com?FUZZ=test" -mc 200 


What Undercode Say:

Hidden GET parameters are a goldmine for security researchers. Automate your workflow with tools like gau, assetfinder, and ffuf. Always validate manually to avoid false positives. For Linux/Windows pros, remember:
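– Linux: `grep -r "var " /var/www/html` (Search JS files locally).
– Windows (PowerShell):

(Invoke-WebRequest http://example.com/script.js).Content | Select-String -Pattern "var \w+" -AllMatches | ForEach-Object { $_.Matches.Value }

– Minified or obfuscated JS? Reformat it with js-beautify so the declarations are readable: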

npm install js-beautify -g 
js-beautify obfuscated.js 

Expected Output:

A list of URLs with extracted JavaScript variables formatted as potential GET parameters (e.g., `http://example.com?param=xss`). Test these in Burp Suite or a browser for vulnerabilities.

Note: Always obtain permission before testing. Unauthorized scanning is illegal.

References:

Reported By: Zlatanh Find – Hackers Feeds