👑 Find JS Files and Secrets

My OneLiner for JS Recon & Secrets

Configure Domain Name


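# JS recon in one chain: crawl the target, merge in archived URLs, scan every
# live .js file for secrets, then extract endpoints and parameters.
# Each stage after the first runs only if the previous one succeeded (&&).
target='https://press.zara.com'   # set to the in-scope host for this engagement

# '\.js$' escapes the dot; the original '.js$' also matched names such as
# "/abcjs". sort -u replaces uniq, which only drops *adjacent* duplicates.
katana -u "$target" -jc -d 2 \
  | grep '\.js$' \
  | sort -u \
  | httpx -mc 200 \
  | sort > js_files.txt \
&& grep '\.js$' all.txt \
  | sort -u \
  | httpx -mc 200 \
  | anew js_files.txt \
&& while IFS= read -r url; do
     # read -r keeps backslashes literal; quoting "$url" stops '?' and '*'
     # in a URL from being glob-expanded against the working directory.
     secretfinder -i "$url" -o cli >> secrets.txt
   done < js_files.txt \
&& xnLinkFinder -i js_files.txt -sf "$target" -o js_hidden_endpoint.txt \
&& mv parameters.txt js_hidden_parameters.txt
# NOTE(review): the mv assumes xnLinkFinder leaves parameters.txt in the
# current directory — confirm for the installed version.
# secrets.txt can end up holding live credentials; keep it out of shared
# folders and version control.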

My OneLiner for Gf-Patterns Recon

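# Run every gf pattern over all_endpoints.txt and save each result set to
# gf-<pattern>.txt.
# Replaces the original single chain, which had three problems: it was wrapped
# in the middle of two commands (so it could not be pasted as-is), one stage
# read 'odecat' instead of 'cat' (not a command, so paypal-token_secrets got
# no input), and every stage used "| tee > file", which is only a slower way
# of writing "> file".
for pattern in \
  ip debug_logic jwt secrets sec interestingparams interestingEXT fw \
  debug-pages ccode api-keys auth \
  aws-keys aws-keys_secrets aws-mws-key aws-s3_secrets aws-secret-key \
  base64 \
  facebook-access-token facebook-oauth facebook-token_secrets \
  firebase firebase_secrets \
  github github_secrets \
  google-keys_secrets google-oauth_secrets \
  google-service-account_secrets google-token_secrets \
  heroku-keys_secrets http-auth img-traversal js-sinks json-sec jsvar \
  mailchimp-keys_secrets mailgun-keys_secrets paypal-token_secrets \
  php-callbacks php-codeexec php-commandexec php-curl php-errors \
  php-informationdisclosure php-open-filesystem-handler \
  php-read-filesystem php-serialized php-sinks php-sources \
  php-write-filesystem \
  picatic-keys_secrets s3-buckets serial servers \
  slack-token slack-token_secrets slack-webhook slack-webhook_secrets \
  square-keys_secrets square-secret strings stripe-keys_secrets \
  swearwords takeovers truffle \
  twilio-key twilio-keys_secrets \
  twitter-oauth twitter-oauth_secrets twitter-secret twitter-token_secrets \
  typos upload-fields
do
  # One output file per pattern; the file is created even when nothing matches.
  gf "$pattern" < all_endpoints.txt > "gf-${pattern}.txt"
done
# The gf-*_secrets.txt / *-keys.txt outputs may contain real credentials;
# store them accordingly.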

------------------------------------------------------------

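# Shorter variant: run only the general-purpose gf patterns and save each
# result set to gf-<pattern>.txt.
# "| tee > file" in the original was equivalent to "> file", and the repeated
# "cat all_endpoints.txt |" is replaced by a plain input redirect.
for pattern in \
  ip debug_logic jwt secrets sec interestingparams interestingEXT fw \
  debug-pages ccode api-keys auth
do
  gf "$pattern" < all_endpoints.txt > "gf-${pattern}.txt"
done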

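# Run the provider-specific and language-specific gf patterns over
# all_endpoints.txt and print the matches to stdout (nothing is saved).
# The original chain was wrapped between "gf" and its pattern name, so it
# could not be pasted as-is. It also joined the stages with &&, so the run
# stopped at the first gf that returned non-zero — presumably whenever a
# pattern matched nothing (confirm against your gf build). The loop always
# tries every pattern.
for pattern in \
  aws-keys aws-keys_secrets aws-mws-key aws-s3_secrets aws-secret-key \
  base64 \
  facebook-access-token facebook-oauth facebook-token_secrets \
  firebase firebase_secrets \
  github github_secrets \
  google-keys_secrets google-oauth_secrets \
  google-service-account_secrets google-token_secrets \
  heroku-keys_secrets http-auth img-traversal js-sinks json-sec jsvar \
  mailchimp-keys_secrets mailgun-keys_secrets paypal-token_secrets \
  php-callbacks php-codeexec php-commandexec php-curl php-errors \
  php-informationdisclosure php-open-filesystem-handler \
  php-read-filesystem php-serialized php-sinks php-sources \
  php-write-filesystem \
  picatic-keys_secrets s3-buckets serial servers \
  slack-token slack-token_secrets slack-webhook slack-webhook_secrets \
  square-keys_secrets square-secret strings stripe-keys_secrets \
  swearwords takeovers truffle \
  twilio-key twilio-keys_secrets \
  twitter-oauth twitter-oauth_secrets twitter-secret twitter-token_secrets \
  typos upload-fields
do
  gf "$pattern" < all_endpoints.txt
done
# Matches go to the terminal, so any credentials found also land in
# scrollback and in terminal logging if it is enabled.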

------------------------------------------------------------

Find Js_Files Using Active_Recon

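# Crawl the site, keep URLs ending in .js, and store the ones that answer
# 200 in js_files.txt (sorted).
# '\.js$' escapes the dot so only a literal ".js" suffix matches; sort -u
# removes all duplicates, where uniq alone only removes adjacent ones.
katana -u https://website.com -jc -d 2 \
  | grep '\.js$' \
  | sort -u \
  | httpx -mc 200 \
  | sort > js_files.txt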

------------------------------------------------------------

Find Js_Files Using Archive URLS

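# From the archived URL list (all.txt), keep URLs ending in .js that still
# answer 200, then de-clutter the list with uro into js.txt.
# '\.js$' escapes the dot so only a literal ".js" suffix matches; sort -u
# removes all duplicates, where uniq alone only removes adjacent ones.
grep '\.js$' all.txt \
  | sort -u \
  | httpx -mc 200 \
  | sort > js_files.txt
uro < js_files.txt > js.txt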
Send Data to Burp_Suite:
# Replay every URL in js.txt through the local intercepting proxy, ten
# requests at a time, discarding the response bodies (the proxy keeps its
# own copy in its history).
# -k turns off certificate verification for these requests; it is here
# because the proxy re-signs TLS with its own CA. Keep it confined to this
# proxied replay rather than a shell alias or curl config.
parallel -j 10 'curl --proxy http://127.0.0.1:8080 -sk {}' < js.txt >> /dev/null

-------------------------------------------------------------

Find information disclosures in Js_Files

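# Scan every URL in js.txt with secretfinder and append the CLI-format
# findings to secrets.txt.
# read -r keeps backslashes literal, and quoting "$url" stops '?' and '*'
# in a URL from being glob-expanded against the working directory.
while IFS= read -r url; do
  secretfinder -i "$url" -o cli >> secrets.txt
done < js.txt
# secrets.txt is append-only across runs and may hold live credentials;
# keep it out of shared folders and version control.

# Second pass with aranea against a single URL (-U) in its "analysis" mode (-M).
python3 aranea.py -U https://techdocs.broadcom.com -M analysis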

If you find an API key, use this:

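# Download the LEAKEY installer, run it, then start the tool.
# -f makes curl exit non-zero on an HTTP error instead of saving the error
# page, so a "404: Not Found" body is never handed to bash. -sS hides the
# progress meter but still prints errors; -L follows redirects.
# 'master' is a moving ref: read leaky_install.sh before the bash step, and
# for repeatable installs replace 'master' with a commit SHA you have reviewed.
# The script is run through bash explicitly, so it does not need the
# executable bit the original set with chmod +x.
curl -fsSL https://raw.githubusercontent.com/rohsec/LEAKEY/master/install.sh -o leaky_install.sh \
  && bash leaky_install.sh
leaky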
Not found

-------------------------------------------------------------

Find hidden endpoints in js_files.txt

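# Extract endpoints and parameter names from the collected JS files, limited
# to the scope filter given with -sf.
# NOTE(review): the mv assumes xnLinkFinder leaves parameters.txt in the
# current directory — confirm for the installed version.
xnLinkFinder -i js_files.txt -sf https://press.zara.com -o js_hidden_endpoint.txt \
  && mv parameters.txt js_hidden_parameters.txt

# Keep only the extracted endpoints that answer 200.
# -mc is written with one dash to match the other httpx calls on this page.
httpx -l js_hidden_endpoint.txt -mc 200

# Request each candidate path against the target and save ffuf's results.
# NOTE(review): js_final.txt is not produced by any command shown here;
# presumably it is a cleaned-up copy of js_hidden_endpoint.txt — confirm.
# The original output name ended in ".txtls"; the trailing "ls" looked like a
# stray keystroke and is dropped.
ffuf -u https://target.com/FUZZ -w js_final.txt -o xnLinkFinder_endpoint.txt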

-------------------------------------------------------------

Find critical backup files

# Feed one base URL to fuzzuli on stdin; it derives candidate backup-file
# names from the host name and requests them.
# NOTE(review): "-mt all" presumably enables every name-generation method the
# tool offers — confirm against its usage text.
printf '%s\n' 'https://fuzzuli.musana.net' | fuzzuli -mt all
