Detecting API endpoints and source code with JS Miner


DANA EPP’S BLOG

Security (de)engineering for fun and profit

Let’s be honest. Most APIs are naked without some sort of web app frontend calling them.

These days, those apps are usually written in some sort of JavaScript-based framework. With a bit of work, we can do deeper recon against our API targets if we interrogate the JavaScript files embedded within the web application.

Let me show you one way to do it using a free Burp Suite extension called JS Miner.

What is JS Miner?

JS Miner is a free Burp Suite Professional extension that finds interesting stuff inside static files like JavaScript and JSON.

You need the Professional edition because it taps directly into the Burp web vulnerability scanner.

If you open up Burp Suite and head over to the BApp Store, you can search for JS Miner and get the full breakdown of what it does. However, there are several features I want to point out specifically:

  1. It automatically scans for hardcoded secrets and credentials.
  2. It passively scans for subdomains the web app calls and pulls code and data from.
  3. It can actively try to construct source code from JavaScript Source Map Files (if found).
  4. It passively tries to detect API endpoints that use GET/POST/PUT/DELETE/PATCH.

The results are displayed as Issues in the dashboard and Site Map. It can look something like this:

Now let me show you an easy way to add it to your API hacking workflow.
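To make points 1, 3 and 4 in the list above concrete, here is an added example (my own illustration, not code from this post or from the JS Miner project) that runs simplified versions of those passive checks over a constructed JavaScript bundle: it flags credential-looking string assignments (masking the value in the report), `sourceMappingURL` comments left in a production build, and quoted URL paths together with the HTTP verb used in the same statement. The regexes and the sample bundle are assumptions of mine; JS Miner's own patterns are considerably more thorough.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample bundle (hypothetical, not from any real app); it
# deliberately contains each of the three finding types checked below.
SAMPLE_JS = r"""
const API_KEY = "EXAMPLE_KEY_0123456789abcdef";
axios.get("/api/v1/users");
fetch("/api/v1/orders", { method: "POST" });
$.ajax({ type: "DELETE", url: "/api/v1/orders/42" });
//# sourceMappingURL=app.bundle.js.map
"""

HTTP_METHODS = "GET|POST|PUT|DELETE|PATCH"

# (1) identifier that looks like a credential assigned a string literal
SECRET_RE = re.compile(
    r"\b(\w*(?:key|secret|token|password)\w*)\s*[=:]\s*[\"']([^\"']{8,})[\"']", re.I)
# (3) source-map pointer left in a shipped bundle
SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)")
# (4) a quoted URL path, and the HTTP verb used with it in the same statement
PATH_RE = re.compile(r"[\"']((?:/[\w.\-{}]+)+/?)[\"']")
VERB_CALL_RE = re.compile(r"\.(get|post|put|delete|patch)\s*\(", re.I)
VERB_OPT_RE = re.compile(rf"(?:method|type)\s*:\s*[\"']({HTTP_METHODS})[\"']", re.I)


def scan_js(src: str) -> Dict[str, List]:
    """Return simplified findings of the kind JS Miner raises as Burp issues."""
    secrets: List[Tuple[str, str]] = [
        (name, value[:4] + "...")           # mask the secret in the report
        for name, value in SECRET_RE.findall(src)
    ]
    source_maps = SOURCEMAP_RE.findall(src)
    endpoints: List[Tuple[str, str]] = []
    for stmt in src.split(";"):             # crude statement split is enough here
        verb = VERB_CALL_RE.search(stmt) or VERB_OPT_RE.search(stmt)
        method = verb.group(1).upper() if verb else "UNSPECIFIED"
        for path in PATH_RE.findall(stmt):
            endpoints.append((method, path))
    return {"secrets": secrets, "source_maps": source_maps, "endpoints": endpoints}


if __name__ == "__main__":
    for kind, items in scan_js(SAMPLE_JS).items():
        print(kind, items)
```

Pointing the same checks at your own build output is a quick way to confirm that no source map or credential shipped to the browser before an extension like JS Miner finds it for someone else.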