Listen to this Post

Introduction:
Modern web applications are complex ecosystems where critical infrastructure often hides in plain sight within client-side code. Security researchers and bug bounty hunters know that JavaScript files are a goldmine of undisclosed subdomains, internal hosts, and API endpoints that developers inadvertently expose. By leveraging a simple yet powerful command-line technique, you can automate the discovery of these hidden assets, significantly expanding your attack surface and uncovering potential entry points that traditional subdomain enumeration might miss.
Learning Objectives:
- Master a one-liner command to extract hidden subdomains and internal hosts from JavaScript files
- Understand how to automate the discovery of API endpoints and staging environments
- Learn to integrate this reconnaissance technique into a comprehensive bug bounty workflow
You Should Know:
- The Anatomy of the JavaScript Subdomain Extraction Command
This technique, popularized by bug bounty hunter Deepak Saini, revolves around a concise command that processes a list of JavaScript URLs and extracts any subdomains belonging to a target domain. The core command is:
cat js.txt | xargs -I{} curl -s {} | grep -Eo "[a-zA-Z0-9.-]+.targetdomain.com"
Let’s break down what each component does:
cat js.txt: Reads a file containing one JavaScript file URL per line.xargs -I{}: Takes each line from the input and substitutes it into the command that follows, allowing us to process multiple URLs sequentially.curl -s {}: Performs a silent HTTP request to the URL, retrieving the JavaScript file’s content without progress meter or error messages.grep -Eo: Uses extended regular expressions to search the content and output only the matching parts (the `-o` flag)."[a-zA-Z0-9.-]+\.targetdomain\.com": The regex pattern that matches any string containing alphanumeric characters, dots, or hyphens, followed by the literal target domain.
To use this effectively, first gather a list of JavaScript URLs. You can obtain these from a source like a crawled website or a tool such as `gau` (GetAllUrls). For example:
Collect all URLs from a domain and filter for JavaScript files
echo "https://example.com" | gau | grep -E ".js$" > js.txt
Now run the extraction command
cat js.txt | xargs -I{} curl -s {} | grep -Eo "[a-zA-Z0-9.-]+.example.com" | sort -u
This will output a unique, sorted list of subdomains discovered within the JavaScript files. Common findings include dev.example.com, staging.example.com, api.internal.example.com, and even cloud storage buckets like assets-cdn.example.com.
2. Advanced Automation and Parallel Processing
While the basic command works well for small lists, dealing with hundreds or thousands of JavaScript files requires efficiency. The `xargs` command can be enhanced to run multiple `curl` processes in parallel, drastically reducing runtime. Use the `-P` flag to specify the number of parallel processes:
cat js.txt | xargs -P 10 -I{} curl -s -k {} | grep -Eo "[a-zA-Z0-9.-]+.targetdomain.com" | sort -u
The `-k` flag in `curl` ignores SSL certificate errors, which is useful when testing internal or self-signed certificates often found on staging hosts. For even more robust extraction, combine this with tools like `httpx` to verify which discovered subdomains are actually live:
First extract subdomains
cat js.txt | xargs -P 10 -I{} curl -s -k {} | grep -Eo "[a-zA-Z0-9.-]+.targetdomain.com" | sort -u > potential.txt
Check which ones are alive
cat potential.txt | httpx -silent -status-code -title -tech-detect
This two-step process filters out non-responsive hosts and provides valuable metadata about the live ones, such as HTTP status codes and detected technologies.
- Expanding the Hunt: API Endpoints and Sensitive Data
The same principle can be applied to discover more than just subdomains. JavaScript files often contain hardcoded API endpoints, paths, and even secret keys. Modify the regex to uncover API routes:
Extract API endpoints with paths
cat js.txt | xargs -P 10 -I{} curl -s -k {} | grep -Eo "(api|graphql|v[0-9]).targetdomain.com/[a-zA-Z0-9/_-]+"
For finding potential API keys or tokens, you can look for common patterns:
Search for AWS keys or other secrets
cat js.txt | xargs -P 10 -I{} curl -s -k {} | grep -Eo "AKIA[0-9A-Z]{16}" AWS Access Key ID pattern
When you discover an API endpoint, always check for exposure to common vulnerabilities such as:
– Information disclosure: Unauthenticated endpoints returning sensitive user data
– IDOR (Insecure Direct Object References): Manipulating IDs in API calls to access unauthorized resources
– CORS misconfigurations: Allowing unauthorized origins to read sensitive data
4. Integrating into a Bug Bounty Workflow
To make this discovery process systematic, create a simple bash script that combines multiple reconnaissance tools. Here’s an example workflow script:
!/bin/bash
recon.sh - Automated subdomain discovery from JS files
TARGET=$1
OUTPUT_DIR="recon_$TARGET"
mkdir -p $OUTPUT_DIR
echo "[+] Gathering URLs for $TARGET"
Using gau (getallurls) and waybackurls
echo "$TARGET" | gau --subs --providers wayback,otx,urlscan > $OUTPUT_DIR/all_urls.txt
cat $OUTPUT_DIR/all_urls.txt | grep -E ".js$" | sort -u > $OUTPUT_DIR/js_files.txt
echo "[+] Extracting subdomains from JS files"
cat $OUTPUT_DIR/js_files.txt | xargs -P 10 -I{} curl -s -k -m 5 {} | grep -Eo "([a-zA-Z0-9.-]+.)+$TARGET" | sort -u > $OUTPUT_DIR/subdomains_from_js.txt
echo "[+] Checking live hosts"
cat $OUTPUT_DIR/subdomains_from_js.txt | httpx -silent -status-code -o $OUTPUT_DIR/live_hosts.txt
echo "[+] Discovering API endpoints"
cat $OUTPUT_DIR/all_urls.txt | grep -E "(api|graphql|v[0-9])" | grep "$TARGET" > $OUTPUT_DIR/api_endpoints.txt
echo "[+] Done. Results saved in $OUTPUT_DIR"
Run it with: `./recon.sh targetdomain.com`
5. Defensive Countermeasures: What Developers Should Do
From a defensive perspective, if you’re a developer or security professional hardening your applications, the presence of subdomains in JavaScript represents a significant information leakage risk. To mitigate this:
– Avoid hardcoding internal hostnames: Use environment variables or configuration files that are not exposed client-side.
– Implement strict CSP (Content Security Policy): Use the `connect-src` directive to limit which domains your JavaScript can communicate with, reducing the impact if an attacker discovers an endpoint.
– Regularly audit your JS files: Use tools like `jsbeautifier` to deobfuscate and scan your own JavaScript for exposed endpoints before deployment.
– Use subdomain enumeration as part of your threat modeling: Assume attackers will find these hosts and ensure they are properly secured with authentication, rate limiting, and monitoring.
For security teams, consider setting up automated scans that mimic this attacker technique to identify exposed subdomains and API endpoints before they can be exploited.
What Undercode Say:
- Passive reconnaissance is a force multiplier: The ability to uncover hidden subdomains without actively probing the infrastructure allows for stealthy and effective attack surface mapping.
- Automation is key to scalability: Combining simple Unix tools like
cat,xargs, and `grep` with modern utilities like `gau` and `httpx` creates a powerful, customizable pipeline for continuous asset discovery.
The simplicity of this technique belies its effectiveness. In an era where organizations struggle to maintain visibility over sprawling digital estates, the subdomains and internal hosts leaked in JavaScript represent a persistent blind spot. For bug bounty hunters, this is low-hanging fruit that often leads to critical vulnerabilities—from exposed administrative panels to misconfigured cloud services. For defenders, it’s a stark reminder that client-side code must be treated as a public asset, demanding the same security scrutiny as any other outward-facing component. As web applications continue to grow in complexity, the line between frontend and backend blurs, making these recon techniques not just optional, but essential. The most successful hunters will be those who automate relentlessly, think like developers, and always question what secrets might be hiding in plain sight within the next JavaScript file.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Deepak Saini – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


