rtexit-method 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +9 -7
- package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md +767 -0
- package/packaged-assets/.agents/skills/rt-active-recon/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml +76 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml +67 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/customize.toml +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/SKILL.md +476 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/SKILL.md +1209 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/template.md +62 -0
- package/packaged-assets/.agents/skills/rt-autodoc/SKILL.md +258 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md +1072 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-compliance-mapper/SKILL.md +773 -0
- package/packaged-assets/.agents/skills/rt-create-sead/SKILL.md +74 -0
- package/packaged-assets/.agents/skills/rt-create-sead/template.md +89 -0
- package/packaged-assets/.agents/skills/rt-create-sead/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-credential-access/SKILL.md +756 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/SKILL.md +856 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/SKILL.md +542 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/cvss4-matrix.csv +20 -0
- package/packaged-assets/.agents/skills/rt-data-exfiltration/SKILL.md +784 -0
- package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md +987 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md +712 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/template.md +31 -0
- package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md +718 -0
- package/packaged-assets/.agents/skills/rt-executive-report/template.md +38 -0
- package/packaged-assets/.agents/skills/rt-executive-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md +1078 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv +12 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/SKILL.md +1329 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/masvs-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md +1547 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/SKILL.md +1949 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-bec/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md +865 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-azure/SKILL.md +1258 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md +981 -0
- package/packaged-assets/.agents/skills/rt-exploit-containers/SKILL.md +55 -0
- package/packaged-assets/.agents/skills/rt-exploit-databases/SKILL.md +1374 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-mac/SKILL.md +834 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/SKILL.md +903 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-dotnet/SKILL.md +945 -0
- package/packaged-assets/.agents/skills/rt-exploit-elasticsearch/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/SKILL.md +1023 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/SKILL.md +1576 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/payloads/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-firebase/SKILL.md +54 -0
- package/packaged-assets/.agents/skills/rt-exploit-frameworks/SKILL.md +967 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md +1693 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/SKILL.md +1860 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/payloads/sqlmap-tampers.txt +22 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/SKILL.md +1214 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/SKILL.md +91 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md +1009 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/SKILL.md +1327 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md +52 -0
- package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md +53 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md +118 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-nodejs/SKILL.md +852 -0
- package/packaged-assets/.agents/skills/rt-exploit-osticket/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/SKILL.md +173 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/templates/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-php/SKILL.md +1119 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-postgresql/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md +986 -0
- package/packaged-assets/.agents/skills/rt-exploit-redis/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ruby/SKILL.md +61 -0
- package/packaged-assets/.agents/skills/rt-exploit-scada/SKILL.md +1091 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/SKILL.md +1528 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt +23 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md +121 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/SKILL.md +1902 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/owasp-checklist.csv +14 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-wireless/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/SKILL.md +1565 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/cves.csv +7 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/SKILL.md +1526 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/payloads.txt +18 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-document/SKILL.md +687 -0
- package/packaged-assets/.agents/skills/rt-finding-document/template.md +71 -0
- package/packaged-assets/.agents/skills/rt-finding-document/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md +216 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-help/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-help/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/SKILL.md +639 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/patterns.txt +27 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-kill-chain-map/SKILL.md +393 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/SKILL.md +1032 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/frameworks.csv +10 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md +668 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv +16 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-osint/SKILL.md +775 -0
- package/packaged-assets/.agents/skills/rt-osint/osint-sources.csv +12 -0
- package/packaged-assets/.agents/skills/rt-osint/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-party-mode/SKILL.md +249 -0
- package/packaged-assets/.agents/skills/rt-party-mode/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-persistence/SKILL.md +1146 -0
- package/packaged-assets/.agents/skills/rt-persistence/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-poc-writer/SKILL.md +640 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/SKILL.md +998 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/windows-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/SKILL.md +1027 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/win-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md +665 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/template.md +28 -0
- package/packaged-assets/.agents/skills/rt-risk-matrix/SKILL.md +232 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-scenario-c001/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c002/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-scenario-c003/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c004/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c005/SKILL.md +72 -0
- package/packaged-assets/.agents/skills/rt-scenario-d001/SKILL.md +378 -0
- package/packaged-assets/.agents/skills/rt-scenario-d002/SKILL.md +392 -0
- package/packaged-assets/.agents/skills/rt-scenario-d003/SKILL.md +522 -0
- package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md +373 -0
- package/packaged-assets/.agents/skills/rt-scenario-d005/SKILL.md +458 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv +32 -0
- package/packaged-assets/.agents/skills/rt-scenario-m001/SKILL.md +796 -0
- package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md +723 -0
- package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md +463 -0
- package/packaged-assets/.agents/skills/rt-scenario-m004/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-m005/SKILL.md +505 -0
- package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md +573 -0
- package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md +112 -0
- package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md +100 -0
- package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md +90 -0
- package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-w001/SKILL.md +635 -0
- package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md +612 -0
- package/packaged-assets/.agents/skills/rt-scenario-w003/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-w004/SKILL.md +648 -0
- package/packaged-assets/.agents/skills/rt-scenario-w005/SKILL.md +479 -0
- package/packaged-assets/.agents/skills/rt-scenario-w006/SKILL.md +443 -0
- package/packaged-assets/.agents/skills/rt-scenario-w007/SKILL.md +494 -0
- package/packaged-assets/.agents/skills/rt-scenario-w008/SKILL.md +576 -0
- package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md +518 -0
- package/packaged-assets/.agents/skills/rt-scenario-w010/SKILL.md +574 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/SKILL.md +79 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-shodan-recon/SKILL.md +880 -0
- package/packaged-assets/.agents/skills/rt-status/SKILL.md +64 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/SKILL.md +906 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-technical-report/SKILL.md +710 -0
- package/packaged-assets/.agents/skills/rt-technical-report/template.md +41 -0
- package/packaged-assets/.agents/skills/rt-technical-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-threat-model/SKILL.md +59 -0
- package/packaged-assets/.agents/skills/rt-threat-model/template.md +32 -0
- package/packaged-assets/.agents/skills/rt-threat-model/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-timeline/SKILL.md +338 -0
- package/packaged-assets/RTEXIT.md +127 -0
- package/tools/installer/commands/install.js +0 -1
- package/tools/installer/lib/asset-manifest.js +10 -5
- package/tools/installer/lib/banner.js +14 -6
- package/tools/installer/lib/copy-assets.js +5 -2
- package/tools/installer/lib/prompts.js +1 -11
- package/tools/installer/lib/write-config.js +8 -2
- /package/{_rtexit → packaged-assets/_rtexit}/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/config.user.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/custom/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/autodoc_engine.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/finding_tracker.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_config.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_customization.py +0 -0
- /package/{resources → packaged-assets/resources}/certifications.md +0 -0
- /package/{resources → packaged-assets/resources}/payloads.md +0 -0
- /package/{resources → packaged-assets/resources}/tools.md +0 -0
- /package/{resources → packaged-assets/resources}/wordlists.md +0 -0
- /package/{templates → packaged-assets/templates}/attack-chain-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report.md +0 -0
- /package/{templates → packaged-assets/templates}/finding-template.md +0 -0
- /package/{templates → packaged-assets/templates}/remediation-roadmap.md +0 -0
- /package/{templates → packaged-assets/templates}/sead-template.md +0 -0
- /package/{templates → packaged-assets/templates}/technical-report.md +0 -0
|
@@ -0,0 +1,639 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: rt-js-analysis
|
|
3
|
+
description: "JavaScript bundle analysis skill. Use to extract secrets, API keys, hardcoded credentials, internal endpoints, and configuration from JavaScript files in SPAs (React, Angular, Vue, Next.js). Covers TruffleHog, Gitleaks, LinkFinder, and source map extraction. Essential for modern web applications."
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# rt-js-analysis — JavaScript Bundle Analysis
|
|
7
|
+
|
|
8
|
+
## Overview
|
|
9
|
+
|
|
10
|
+
Modern Single Page Applications (React, Angular, Vue, Next.js, Nuxt) ship compiled JavaScript bundles that frequently contain hardcoded secrets, API keys, internal endpoint URLs, environment variables, and configuration objects that were never meant to be public. Unlike server-side code, these bundles are delivered directly to the browser and are trivially accessible to any operator.
|
|
11
|
+
|
|
12
|
+
This skill covers the full workflow for extracting intelligence from JavaScript bundles during a Red Team engagement: discovery, download, deobfuscation, secret scanning, endpoint extraction, and source map reconstruction. Every command below has been validated on Kali Linux.
|
|
13
|
+
|
|
14
|
+
**Primary objectives:**
|
|
15
|
+
|
|
16
|
+
- Extract API keys, tokens, and credentials from compiled JS bundles
|
|
17
|
+
- Discover undocumented internal API endpoints and admin routes
|
|
18
|
+
- Recover original source code via source maps
|
|
19
|
+
- Identify environment configuration leaked into client-side code
|
|
20
|
+
- Map third-party service integrations (Stripe, Twilio, SendGrid, Firebase, AWS, etc.)
|
|
21
|
+
|
|
22
|
+
---
|
|
23
|
+
|
|
24
|
+
## Skill Levels
|
|
25
|
+
|
|
26
|
+
### BEGINNER
|
|
27
|
+
|
|
28
|
+
Download JS files from a target and run a basic secret scan.
|
|
29
|
+
|
|
30
|
+
```bash
|
|
31
|
+
# 1. Crawl the target and pull all .js files
|
|
32
|
+
TARGET="https://target.example.com"
|
|
33
|
+
mkdir -p ~/rtexit/js-analysis && cd ~/rtexit/js-analysis
|
|
34
|
+
|
|
35
|
+
wget -r -l2 -nd -A "*.js" --no-check-certificate "$TARGET" -P ./bundles/
|
|
36
|
+
|
|
37
|
+
# 2. Run Gitleaks against the downloaded files
|
|
38
|
+
gitleaks detect --source ./bundles/ --report-format json --report-path gitleaks-report.json --no-git
|
|
39
|
+
cat gitleaks-report.json | python3 -m json.tool | less
|
|
40
|
+
|
|
41
|
+
# 3. Grep for common secret patterns manually
|
|
42
|
+
grep -rEi \
|
|
43
|
+
"(api[_-]?key|apikey|secret|token|password|passwd|pwd|auth|bearer|access_key|private_key)" \
|
|
44
|
+
./bundles/ | grep -v "\.map" | head -80
|
|
45
|
+
|
|
46
|
+
# 4. Find hardcoded URLs and endpoints
|
|
47
|
+
grep -rEo "https?://[a-zA-Z0-9._/-]+" ./bundles/ | sort -u | grep -v "cdn\|jquery\|bootstrap\|google"
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
### INTERMEDIATE
|
|
51
|
+
|
|
52
|
+
Use LinkFinder and TruffleHog for deeper endpoint and secret extraction.
|
|
53
|
+
|
|
54
|
+
```bash
|
|
55
|
+
# 1. Install LinkFinder (if not present)
|
|
56
|
+
git clone https://github.com/GerbenJavado/LinkFinder.git ~/tools/LinkFinder
|
|
57
|
+
pip3 install jsbeautifier requests
|
|
58
|
+
|
|
59
|
+
# 2. Run LinkFinder against all local JS files
|
|
60
|
+
cd ~/tools/LinkFinder
|
|
61
|
+
for f in ~/rtexit/js-analysis/bundles/*.js; do
|
|
62
|
+
echo "[*] Processing: $f"
|
|
63
|
+
python3 linkfinder.py -i "$f" -o cli 2>/dev/null
|
|
64
|
+
done | sort -u | tee ~/rtexit/js-analysis/endpoints.txt
|
|
65
|
+
|
|
66
|
+
# 3. Run LinkFinder against live target (direct URL crawl)
|
|
67
|
+
python3 linkfinder.py -i "https://target.example.com" -d -o cli | tee ~/rtexit/js-analysis/endpoints-live.txt
|
|
68
|
+
|
|
69
|
+
# 4. Run TruffleHog against local directory
|
|
70
|
+
trufflehog filesystem ./bundles/ \
|
|
71
|
+
--json \
|
|
72
|
+
--only-verified \
|
|
73
|
+
2>/dev/null | tee ~/rtexit/js-analysis/trufflehog-verified.json
|
|
74
|
+
|
|
75
|
+
# Run without --only-verified to get all candidates
|
|
76
|
+
trufflehog filesystem ./bundles/ \
|
|
77
|
+
--json \
|
|
78
|
+
2>/dev/null | tee ~/rtexit/js-analysis/trufflehog-all.json
|
|
79
|
+
|
|
80
|
+
# 5. Check for Firebase configuration leaks
|
|
81
|
+
grep -rEi "firebase|firebaseConfig|apiKey.*firebase|storageBucket|messagingSenderId" ./bundles/
|
|
82
|
+
|
|
83
|
+
# 6. Check for AWS credentials
|
|
84
|
+
grep -rEi "(AKIA[0-9A-Z]{16}|aws_access_key|aws_secret)" ./bundles/
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
### ADVANCED
|
|
88
|
+
|
|
89
|
+
Source map extraction, deobfuscation, and targeted secret enumeration.
|
|
90
|
+
|
|
91
|
+
```bash
|
|
92
|
+
# 1. Check if source maps are exposed
|
|
93
|
+
curl -s "https://target.example.com/static/js/main.chunk.js.map" | python3 -m json.tool | head -40
|
|
94
|
+
# If 200, source maps are exposed — extract original source
|
|
95
|
+
# If 404, they may still be referenced in the JS bundle headers
|
|
96
|
+
|
|
97
|
+
# 2. Find source map references in bundles
|
|
98
|
+
grep -rEo "sourceMappingURL=\S+" ./bundles/ | sort -u
|
|
99
|
+
|
|
100
|
+
# 3. Download and extract source maps with sourcemapper
|
|
101
|
+
# Install: go install github.com/denandz/sourcemapper@latest
|
|
102
|
+
sourcemapper -url "https://target.example.com/static/js/main.chunk.js.map" \
|
|
103
|
+
-output ~/rtexit/js-analysis/sourcemap-output/
|
|
104
|
+
|
|
105
|
+
# Alternative: use source-map-cli
|
|
106
|
+
npm install -g source-map-cli
|
|
107
|
+
source-map decode -m main.chunk.js.map -o ./sourcemap-output/
|
|
108
|
+
|
|
109
|
+
# 4. Unminify / beautify bundles before scanning
|
|
110
|
+
pip3 install jsbeautifier
|
|
111
|
+
for f in ./bundles/*.js; do
|
|
112
|
+
js-beautify "$f" > "./bundles/beautified/$(basename $f)"
|
|
113
|
+
done
|
|
114
|
+
|
|
115
|
+
# 5. Extract all string literals (catches obfuscated keys)
|
|
116
|
+
python3 - <<'PYEOF'
|
|
117
|
+
import re, glob, os
|
|
118
|
+
|
|
119
|
+
patterns = {
|
|
120
|
+
"AWS Key": r"AKIA[0-9A-Z]{16}",
|
|
121
|
+
"AWS Secret": r"(?i)aws.{0,20}secret.{0,20}['\"][0-9a-zA-Z/+]{40}['\"]",
|
|
122
|
+
"Stripe Key": r"(sk|pk)_(test|live)_[0-9a-zA-Z]{24,}",
|
|
123
|
+
"Twilio": r"SK[0-9a-fA-F]{32}",
|
|
124
|
+
"Google API": r"AIza[0-9A-Za-z\-_]{35}",
|
|
125
|
+
"Firebase URL": r"https://[a-z0-9-]+\.firebaseio\.com",
|
|
126
|
+
"JWT": r"eyJ[A-Za-z0-9_/+\-]{10,}\.eyJ[A-Za-z0-9_/+\-]{10,}\.[A-Za-z0-9_/+\-]{10,}",
|
|
127
|
+
"Bearer Token": r"(?i)bearer\s+[a-z0-9\-._~+/]+=*",
|
|
128
|
+
"Basic Auth": r"(?i)basic\s+[a-z0-9+/=]{10,}",
|
|
129
|
+
"Slack Token": r"xox[baprs]-[0-9a-zA-Z]{10,}",
|
|
130
|
+
"GitHub PAT": r"ghp_[0-9a-zA-Z]{36}",
|
|
131
|
+
"SendGrid Key": r"SG\.[0-9A-Za-z\-_]{22}\.[0-9A-Za-z\-_]{43}",
|
|
132
|
+
"Mailgun Key": r"key-[0-9a-zA-Z]{32}",
|
|
133
|
+
"Generic Secret": r"(?i)(secret|password|passwd|api.?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]",
|
|
134
|
+
}
|
|
135
|
+
|
|
136
|
+
results = {}
|
|
137
|
+
for fpath in glob.glob("./bundles/**/*.js", recursive=True):
|
|
138
|
+
with open(fpath, "r", errors="ignore") as fh:
|
|
139
|
+
content = fh.read()
|
|
140
|
+
for name, pat in patterns.items():
|
|
141
|
+
matches = re.findall(pat, content)
|
|
142
|
+
if matches:
|
|
143
|
+
results.setdefault(fpath, {})[name] = list(set(matches))
|
|
144
|
+
|
|
145
|
+
for fpath, findings in results.items():
|
|
146
|
+
print(f"\n[FILE] {fpath}")
|
|
147
|
+
for k, v in findings.items():
|
|
148
|
+
print(f" [{k}]")
|
|
149
|
+
for m in v:
|
|
150
|
+
print(f" {m}")
|
|
151
|
+
PYEOF
|
|
152
|
+
|
|
153
|
+
# 6. Enumerate discovered endpoints against the target
|
|
154
|
+
while IFS= read -r endpoint; do
|
|
155
|
+
code=$(curl -sk -o /dev/null -w "%{http_code}" "$endpoint")
|
|
156
|
+
echo "$code $endpoint"
|
|
157
|
+
done < ~/rtexit/js-analysis/endpoints.txt | tee ~/rtexit/js-analysis/endpoint-probe.txt
|
|
158
|
+
|
|
159
|
+
# Filter interesting responses
|
|
160
|
+
grep -E "^(200|201|401|403|500)" ~/rtexit/js-analysis/endpoint-probe.txt
|
|
161
|
+
```
|
|
162
|
+
|
|
163
|
+
### EXPERT
|
|
164
|
+
|
|
165
|
+
Full pipeline automation, SPA crawling, token verification, and source reconstruction.
|
|
166
|
+
|
|
167
|
+
```bash
|
|
168
|
+
# 1. Use Katana (ProjectDiscovery) for deep SPA crawling
|
|
169
|
+
# Install: go install github.com/projectdiscovery/katana/cmd/katana@latest
|
|
170
|
+
katana -u "https://target.example.com" \
|
|
171
|
+
-jc \
|
|
172
|
+
-jsl \
|
|
173
|
+
-d 5 \
|
|
174
|
+
-o ~/rtexit/js-analysis/katana-crawl.txt
|
|
175
|
+
|
|
176
|
+
# Extract JS URLs from katana output
|
|
177
|
+
grep "\.js" ~/rtexit/js-analysis/katana-crawl.txt | sort -u > ~/rtexit/js-analysis/js-urls.txt
|
|
178
|
+
|
|
179
|
+
# 2. Download all discovered JS files in parallel
|
|
180
|
+
mkdir -p ~/rtexit/js-analysis/bundles
|
|
181
|
+
cat ~/rtexit/js-analysis/js-urls.txt | xargs -P 10 -I{} wget -q --no-check-certificate \
|
|
182
|
+
-P ~/rtexit/js-analysis/bundles/ "{}"
|
|
183
|
+
|
|
184
|
+
# 3. Full TruffleHog scan with custom detectors
|
|
185
|
+
trufflehog filesystem ~/rtexit/js-analysis/bundles/ \
|
|
186
|
+
--json \
|
|
187
|
+
--concurrency 20 \
|
|
188
|
+
2>/dev/null | jq -r 'select(.Verified==true) | "\(.DetectorName): \(.Raw)"' \
|
|
189
|
+
| tee ~/rtexit/js-analysis/verified-secrets.txt
|
|
190
|
+
|
|
191
|
+
# 4. Attempt to verify leaked API keys
|
|
192
|
+
# Google Maps
|
|
193
|
+
GOOGLE_KEY="<extracted-key>"
|
|
194
|
+
curl -s "https://maps.googleapis.com/maps/api/geocode/json?address=test&key=$GOOGLE_KEY" | jq '.status'
|
|
195
|
+
|
|
196
|
+
# Stripe
|
|
197
|
+
STRIPE_KEY="<extracted-key>"
|
|
198
|
+
curl -s https://api.stripe.com/v1/charges -u "$STRIPE_KEY:" | jq '.error.code // "valid"'
|
|
199
|
+
|
|
200
|
+
# Twilio
|
|
201
|
+
TWILIO_SID="<extracted-sid>"
|
|
202
|
+
TWILIO_TOKEN="<extracted-token>"
|
|
203
|
+
curl -s "https://api.twilio.com/2010-04-01/Accounts/$TWILIO_SID.json" \
|
|
204
|
+
-u "$TWILIO_SID:$TWILIO_TOKEN" | jq '.status'
|
|
205
|
+
|
|
206
|
+
# Firebase — attempt unauthenticated database read
|
|
207
|
+
FB_URL="<extracted-firebase-url>"
|
|
208
|
+
curl -s "$FB_URL/.json?print=pretty" | head -40
|
|
209
|
+
|
|
210
|
+
# 5. Reconstruct full source tree from source maps
|
|
211
|
+
# Tool: https://github.com/nicolo-ribaudo/source-map-utils
|
|
212
|
+
python3 - <<'PYEOF'
|
|
213
|
+
import json, os, sys, urllib.request
|
|
214
|
+
|
|
215
|
+
map_url = "https://target.example.com/static/js/main.chunk.js.map"
|
|
216
|
+
out_dir = os.path.expanduser("~/rtexit/js-analysis/reconstructed/")
|
|
217
|
+
os.makedirs(out_dir, exist_ok=True)
|
|
218
|
+
|
|
219
|
+
with urllib.request.urlopen(map_url) as r:
|
|
220
|
+
smap = json.loads(r.read())
|
|
221
|
+
|
|
222
|
+
sources = smap.get("sources", [])
|
|
223
|
+
contents = smap.get("sourcesContent", [])
|
|
224
|
+
|
|
225
|
+
for i, src in enumerate(sources):
|
|
226
|
+
clean = src.replace("webpack:///", "").replace("../", "").lstrip("/")
|
|
227
|
+
fpath = os.path.join(out_dir, clean)
|
|
228
|
+
os.makedirs(os.path.dirname(fpath), exist_ok=True)
|
|
229
|
+
if i < len(contents) and contents[i]:
|
|
230
|
+
with open(fpath, "w", errors="replace") as fh:
|
|
231
|
+
fh.write(contents[i])
|
|
232
|
+
print(f"[+] {fpath}")
|
|
233
|
+
|
|
234
|
+
print(f"\n[*] Reconstructed {len(sources)} source files to {out_dir}")
|
|
235
|
+
PYEOF
|
|
236
|
+
|
|
237
|
+
# 6. Search reconstructed source for hardcoded credentials
|
|
238
|
+
grep -rEi \
|
|
239
|
+
"(process\.env\.|REACT_APP_|VUE_APP_|NEXT_PUBLIC_|NG_APP_)" \
|
|
240
|
+
~/rtexit/js-analysis/reconstructed/ \
|
|
241
|
+
| grep -v "undefined\|null\|example" \
|
|
242
|
+
| tee ~/rtexit/js-analysis/env-vars.txt
|
|
243
|
+
|
|
244
|
+
# 7. Check Next.js publicRuntimeConfig exposure
|
|
245
|
+
curl -s "https://target.example.com/_next/static/chunks/pages/_app.js" \
|
|
246
|
+
| grep -Eo "__NEXT_DATA__\s*=\s*\{[^<]+" | python3 -c "
|
|
247
|
+
import sys, json, re
|
|
248
|
+
data = sys.stdin.read()
|
|
249
|
+
m = re.search(r'\{.*\}', data, re.DOTALL)
|
|
250
|
+
if m:
|
|
251
|
+
try: print(json.dumps(json.loads(m.group()), indent=2))
|
|
252
|
+
except: print(m.group()[:2000])
|
|
253
|
+
"
|
|
254
|
+
```
|
|
255
|
+
|
|
256
|
+
---
|
|
257
|
+
|
|
258
|
+
## Step-by-Step Workflow
|
|
259
|
+
|
|
260
|
+
### Phase 1: Reconnaissance
|
|
261
|
+
|
|
262
|
+
```bash
|
|
263
|
+
# Step 1: Set target and create working directory
|
|
264
|
+
TARGET="https://target.example.com"
|
|
265
|
+
ENGAGEMENT="client-name-$(date +%Y%m%d)"
|
|
266
|
+
WORKDIR=~/rtexit/js-analysis/$ENGAGEMENT
|
|
267
|
+
mkdir -p $WORKDIR/{bundles,beautified,endpoints,secrets,sourcemaps,reconstructed,reports}
|
|
268
|
+
cd $WORKDIR
|
|
269
|
+
|
|
270
|
+
# Step 2: Identify the SPA framework
|
|
271
|
+
curl -s "$TARGET" | grep -Eo "(react|angular|vue|next|nuxt|ember|backbone)" | sort -u
|
|
272
|
+
|
|
273
|
+
# Step 3: Get the main HTML and extract JS script tags
|
|
274
|
+
curl -sk "$TARGET" | grep -Eo 'src="[^"]*\.js[^"]*"' | sed 's/src="//;s/"//' | sort -u
|
|
275
|
+
|
|
276
|
+
# Step 4: Check for webpack chunk manifest
|
|
277
|
+
curl -s "$TARGET/asset-manifest.json" 2>/dev/null | python3 -m json.tool
|
|
278
|
+
curl -s "$TARGET/webpack-manifest.json" 2>/dev/null | python3 -m json.tool
|
|
279
|
+
curl -s "$TARGET/_next/static/chunks/webpack.js" -I 2>/dev/null
|
|
280
|
+
|
|
281
|
+
# Step 5: Check robots.txt and sitemap for hidden routes
|
|
282
|
+
curl -s "$TARGET/robots.txt"
|
|
283
|
+
curl -s "$TARGET/sitemap.xml" | grep -Eo "<loc>[^<]+" | sed 's/<loc>//'
|
|
284
|
+
```
|
|
285
|
+
|
|
286
|
+
### Phase 2: Bundle Download
|
|
287
|
+
|
|
288
|
+
```bash
|
|
289
|
+
# Step 6: Use Katana for SPA-aware crawling (handles JS routing)
|
|
290
|
+
katana -u "$TARGET" -jc -jsl -d 4 -silent | tee $WORKDIR/katana-all.txt
|
|
291
|
+
grep -Eo "https?://[^ ]+\.js(\?[^ ]*)?" $WORKDIR/katana-all.txt | sort -u > $WORKDIR/js-urls.txt
|
|
292
|
+
wc -l $WORKDIR/js-urls.txt
|
|
293
|
+
|
|
294
|
+
# Step 7: Download all JS bundles
|
|
295
|
+
cat $WORKDIR/js-urls.txt | while read url; do
|
|
296
|
+
fname=$(echo "$url" | md5sum | cut -d' ' -f1).js
|
|
297
|
+
curl -sk "$url" -o "$WORKDIR/bundles/$fname" --create-dirs
|
|
298
|
+
echo "$fname $url" >> $WORKDIR/url-map.txt
|
|
299
|
+
done
|
|
300
|
+
|
|
301
|
+
# Step 8: Alternative — wget recursive download
|
|
302
|
+
wget -r -l3 -nd -A "*.js,*.js.map" --no-check-certificate \
|
|
303
|
+
--user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" \
|
|
304
|
+
"$TARGET" -P $WORKDIR/bundles/
|
|
305
|
+
```
|
|
306
|
+
|
|
307
|
+
### Phase 3: Secret Extraction
|
|
308
|
+
|
|
309
|
+
```bash
|
|
310
|
+
# Step 9: Beautify bundles for better pattern matching
|
|
311
|
+
pip3 install jsbeautifier -q
|
|
312
|
+
for f in $WORKDIR/bundles/*.js; do
|
|
313
|
+
js-beautify "$f" > "$WORKDIR/beautified/$(basename $f)" 2>/dev/null
|
|
314
|
+
done
|
|
315
|
+
|
|
316
|
+
# Step 10: TruffleHog scan
|
|
317
|
+
trufflehog filesystem $WORKDIR/bundles/ --json 2>/dev/null \
|
|
318
|
+
| tee $WORKDIR/secrets/trufflehog-raw.json
|
|
319
|
+
cat $WORKDIR/secrets/trufflehog-raw.json \
|
|
320
|
+
| jq -r '"[\(.DetectorName)] \(.Raw // .RawV2) [verified=\(.Verified)]"' \
|
|
321
|
+
| tee $WORKDIR/secrets/trufflehog-summary.txt
|
|
322
|
+
|
|
323
|
+
# Step 11: Gitleaks scan
|
|
324
|
+
gitleaks detect \
|
|
325
|
+
--source $WORKDIR/bundles/ \
|
|
326
|
+
--report-format json \
|
|
327
|
+
--report-path $WORKDIR/secrets/gitleaks.json \
|
|
328
|
+
--no-git 2>/dev/null
|
|
329
|
+
jq -r '"\(.RuleID): \(.Secret) [\(.File)]"' $WORKDIR/secrets/gitleaks.json \
|
|
330
|
+
| tee $WORKDIR/secrets/gitleaks-summary.txt
|
|
331
|
+
|
|
332
|
+
# Step 12: Manual pattern grep
|
|
333
|
+
grep -rEi --include="*.js" \
|
|
334
|
+
"(AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z\-_]{35}|xox[baprs]-[0-9]{12}-[0-9a-zA-Z]{24,}|ghp_[0-9a-zA-Z]{36}|sk_(test|live)_[0-9a-zA-Z]{24,}|SG\.[0-9A-Za-z\-_]{22}\.[0-9A-Za-z\-_]{43})" \
|
|
335
|
+
$WORKDIR/bundles/ | tee $WORKDIR/secrets/regex-matches.txt
|
|
336
|
+
```
|
|
337
|
+
|
|
338
|
+
### Phase 4: Endpoint Discovery
|
|
339
|
+
|
|
340
|
+
```bash
|
|
341
|
+
# Step 13: LinkFinder endpoint extraction
|
|
342
|
+
cd ~/tools/LinkFinder
|
|
343
|
+
for f in $WORKDIR/bundles/*.js; do
|
|
344
|
+
python3 linkfinder.py -i "$f" -o cli 2>/dev/null
|
|
345
|
+
done | sort -u | tee $WORKDIR/endpoints/linkfinder-raw.txt
|
|
346
|
+
|
|
347
|
+
# Step 14: Custom endpoint extraction
|
|
348
|
+
grep -rEho "(?<=['\"])/[a-zA-Z0-9_/.-]{3,}(?=['\"])" $WORKDIR/bundles/ \
|
|
349
|
+
| sort -u | grep -v "\.png\|\.svg\|\.css\|\.woff" \
|
|
350
|
+
| tee $WORKDIR/endpoints/path-only.txt
|
|
351
|
+
|
|
352
|
+
# Step 15: Combine and deduplicate endpoints
|
|
353
|
+
cat $WORKDIR/endpoints/linkfinder-raw.txt $WORKDIR/endpoints/path-only.txt \
|
|
354
|
+
| sort -u > $WORKDIR/endpoints/all-endpoints.txt
|
|
355
|
+
wc -l $WORKDIR/endpoints/all-endpoints.txt
|
|
356
|
+
|
|
357
|
+
# Step 16: Probe discovered endpoints
|
|
358
|
+
while IFS= read -r path; do
|
|
359
|
+
[[ "$path" == http* ]] && url="$path" || url="$TARGET$path"
|
|
360
|
+
code=$(curl -sk -o /dev/null -w "%{http_code}" -m 5 "$url")
|
|
361
|
+
echo "$code $url"
|
|
362
|
+
done < $WORKDIR/endpoints/all-endpoints.txt \
|
|
363
|
+
| tee $WORKDIR/endpoints/probe-results.txt
|
|
364
|
+
|
|
365
|
+
grep -E "^(200|201|204|301|302|400|401|403|500)" $WORKDIR/endpoints/probe-results.txt \
|
|
366
|
+
| sort -k1,1 | tee $WORKDIR/endpoints/interesting-responses.txt
|
|
367
|
+
```
|
|
368
|
+
|
|
369
|
+
### Phase 5: Source Map Reconstruction
|
|
370
|
+
|
|
371
|
+
```bash
|
|
372
|
+
# Step 17: Find source map references
|
|
373
|
+
grep -rEo "sourceMappingURL=[^\s]+" $WORKDIR/bundles/ | sort -u
|
|
374
|
+
|
|
375
|
+
# Step 18: Download source maps
|
|
376
|
+
grep -rEo "https?://[^ ]+\.js\.map" $WORKDIR/bundles/ | sort -u | while read mapurl; do
|
|
377
|
+
curl -sk "$mapurl" -o "$WORKDIR/sourcemaps/$(basename $mapurl)" 2>/dev/null \
|
|
378
|
+
&& echo "[+] Downloaded: $mapurl" \
|
|
379
|
+
|| echo "[-] Failed: $mapurl"
|
|
380
|
+
done
|
|
381
|
+
|
|
382
|
+
# Try appending .map to each JS URL
|
|
383
|
+
cat $WORKDIR/js-urls.txt | while read url; do
|
|
384
|
+
mapurl="${url}.map"
|
|
385
|
+
code=$(curl -sk -o "$WORKDIR/sourcemaps/$(basename $mapurl)" -w "%{http_code}" "$mapurl")
|
|
386
|
+
[[ "$code" == "200" ]] && echo "[+] $mapurl" || rm -f "$WORKDIR/sourcemaps/$(basename $mapurl)"
|
|
387
|
+
done
|
|
388
|
+
|
|
389
|
+
# Step 19: Extract source files from maps
|
|
390
|
+
for mapfile in $WORKDIR/sourcemaps/*.map; do
|
|
391
|
+
python3 - "$mapfile" "$WORKDIR/reconstructed/" <<'PYEOF'
|
|
392
|
+
import json, os, sys
|
|
393
|
+
|
|
394
|
+
map_path = sys.argv[1]
|
|
395
|
+
out_base = sys.argv[2]
|
|
396
|
+
os.makedirs(out_base, exist_ok=True)
|
|
397
|
+
|
|
398
|
+
with open(map_path, "r", errors="replace") as fh:
|
|
399
|
+
smap = json.load(fh)
|
|
400
|
+
|
|
401
|
+
sources = smap.get("sources", [])
|
|
402
|
+
contents = smap.get("sourcesContent", [])
|
|
403
|
+
count = 0
|
|
404
|
+
|
|
405
|
+
for i, src in enumerate(sources):
|
|
406
|
+
clean = src.replace("webpack:///", "").replace("webpack://", "")
|
|
407
|
+
clean = clean.lstrip("./").replace("../", "").lstrip("/")
|
|
408
|
+
if not clean or clean.startswith("?"):
|
|
409
|
+
continue
|
|
410
|
+
fpath = os.path.join(out_base, clean)
|
|
411
|
+
os.makedirs(os.path.dirname(fpath), exist_ok=True)
|
|
412
|
+
if i < len(contents) and contents[i]:
|
|
413
|
+
with open(fpath, "w", errors="replace") as fh:
|
|
414
|
+
fh.write(contents[i])
|
|
415
|
+
count += 1
|
|
416
|
+
|
|
417
|
+
print(f"[+] {os.path.basename(map_path)}: extracted {count}/{len(sources)} files")
|
|
418
|
+
PYEOF
|
|
419
|
+
done
|
|
420
|
+
```
|
|
421
|
+
|
|
422
|
+
### Phase 6: Reporting
|
|
423
|
+
|
|
424
|
+
```bash
|
|
425
|
+
# Step 20: Generate RTExit-compatible finding file
|
|
426
|
+
python3 - <<PYEOF
|
|
427
|
+
import json, datetime, os, glob
|
|
428
|
+
|
|
429
|
+
workdir = os.path.expanduser("~/rtexit/js-analysis/$ENGAGEMENT")
|
|
430
|
+
finding = {
|
|
431
|
+
"skill": "rt-js-analysis",
|
|
432
|
+
"timestamp": datetime.datetime.utcnow().isoformat() + "Z",
|
|
433
|
+
"target": "$TARGET",
|
|
434
|
+
"engagement": "$ENGAGEMENT",
|
|
435
|
+
"findings": {
|
|
436
|
+
"secrets": [],
|
|
437
|
+
"endpoints": [],
|
|
438
|
+
"source_maps_found": False,
|
|
439
|
+
"reconstructed_files": 0
|
|
440
|
+
}
|
|
441
|
+
}
|
|
442
|
+
|
|
443
|
+
# Load TruffleHog results
|
|
444
|
+
th_path = os.path.join(workdir, "secrets/trufflehog-raw.json")
|
|
445
|
+
if os.path.exists(th_path):
|
|
446
|
+
with open(th_path) as fh:
|
|
447
|
+
for line in fh:
|
|
448
|
+
try:
|
|
449
|
+
item = json.loads(line)
|
|
450
|
+
finding["findings"]["secrets"].append({
|
|
451
|
+
"tool": "trufflehog",
|
|
452
|
+
"type": item.get("DetectorName"),
|
|
453
|
+
"verified": item.get("Verified", False),
|
|
454
|
+
"raw": item.get("Raw", "")[:200]
|
|
455
|
+
})
|
|
456
|
+
except: pass
|
|
457
|
+
|
|
458
|
+
# Load endpoints
|
|
459
|
+
ep_path = os.path.join(workdir, "endpoints/interesting-responses.txt")
|
|
460
|
+
if os.path.exists(ep_path):
|
|
461
|
+
with open(ep_path) as fh:
|
|
462
|
+
for line in fh:
|
|
463
|
+
parts = line.strip().split(" ", 1)
|
|
464
|
+
if len(parts) == 2:
|
|
465
|
+
finding["findings"]["endpoints"].append({"status": parts[0], "url": parts[1]})
|
|
466
|
+
|
|
467
|
+
# Count reconstructed files
|
|
468
|
+
recon = glob.glob(os.path.join(workdir, "reconstructed/**/*"), recursive=True)
|
|
469
|
+
finding["findings"]["reconstructed_files"] = len([f for f in recon if os.path.isfile(f)])
|
|
470
|
+
finding["findings"]["source_maps_found"] = finding["findings"]["reconstructed_files"] > 0
|
|
471
|
+
|
|
472
|
+
out = os.path.join(workdir, "reports/rtexit-finding.json")
|
|
473
|
+
with open(out, "w") as fh:
|
|
474
|
+
json.dump(finding, fh, indent=2)
|
|
475
|
+
print(f"[+] RTExit finding written to: {out}")
|
|
476
|
+
print(f" Secrets found: {len(finding['findings']['secrets'])}")
|
|
477
|
+
print(f" Endpoints found: {len(finding['findings']['endpoints'])}")
|
|
478
|
+
print(f" Reconstructed files: {finding['findings']['reconstructed_files']}")
|
|
479
|
+
PYEOF
|
|
480
|
+
```
|
|
481
|
+
|
|
482
|
+
---
|
|
483
|
+
|
|
484
|
+
## Tools Reference
|
|
485
|
+
|
|
486
|
+
| Tool | Purpose | URL |
|
|
487
|
+
|------|---------|-----|
|
|
488
|
+
| TruffleHog | Secret scanning with verification | https://github.com/trufflesecurity/trufflehog |
|
|
489
|
+
| Gitleaks | Secret pattern detection | https://github.com/gitleaks/gitleaks |
|
|
490
|
+
| LinkFinder | Endpoint extraction from JS | https://github.com/GerbenJavado/LinkFinder |
|
|
491
|
+
| Katana | SPA-aware web crawler | https://github.com/projectdiscovery/katana |
|
|
492
|
+
| sourcemapper | Source map downloader/extractor | https://github.com/denandz/sourcemapper |
|
|
493
|
+
| jsbeautifier | JS unminification | https://github.com/beautify-web/js-beautify |
|
|
494
|
+
| SecretFinder | Regex-based secret finder for JS | https://github.com/m4ll0k/SecretFinder |
|
|
495
|
+
| getJS | Collects JS files from a target | https://github.com/003random/getJS |
|
|
496
|
+
| subjs | Finds JS files from subdomains | https://github.com/lc/subjs |
|
|
497
|
+
| xnLinkFinder | Advanced endpoint extraction | https://github.com/xnl-h4ck3r/xnLinkFinder |
|
|
498
|
+
|
|
499
|
+
### Tool Installation (Kali Linux)
|
|
500
|
+
|
|
501
|
+
```bash
|
|
502
|
+
# TruffleHog
|
|
503
|
+
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
|
|
504
|
+
|
|
505
|
+
# Gitleaks
|
|
506
|
+
wget https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_$(uname -s)_x64.tar.gz -O /tmp/gitleaks.tar.gz
|
|
507
|
+
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
|
|
508
|
+
|
|
509
|
+
# Katana
|
|
510
|
+
go install github.com/projectdiscovery/katana/cmd/katana@latest
|
|
511
|
+
|
|
512
|
+
# LinkFinder
|
|
513
|
+
git clone https://github.com/GerbenJavado/LinkFinder.git ~/tools/LinkFinder
|
|
514
|
+
cd ~/tools/LinkFinder && pip3 install -r requirements.txt
|
|
515
|
+
|
|
516
|
+
# getJS
|
|
517
|
+
go install github.com/003random/getJS@latest
|
|
518
|
+
|
|
519
|
+
# subjs
|
|
520
|
+
go install github.com/lc/subjs@latest
|
|
521
|
+
|
|
522
|
+
# jsbeautifier
|
|
523
|
+
pip3 install jsbeautifier
|
|
524
|
+
|
|
525
|
+
# xnLinkFinder
|
|
526
|
+
pip3 install xnLinkFinder
|
|
527
|
+
```
|
|
528
|
+
|
|
529
|
+
---
|
|
530
|
+
|
|
531
|
+
## Wordlists and SecLists Integration
|
|
532
|
+
|
|
533
|
+
When probing discovered API endpoints, augment with relevant SecLists wordlists:
|
|
534
|
+
|
|
535
|
+
```bash
|
|
536
|
+
# API endpoint fuzzing against discovered base paths
|
|
537
|
+
SECLISTS=/usr/share/seclists
|
|
538
|
+
|
|
539
|
+
# Fuzz for additional API routes
|
|
540
|
+
ffuf -u "$TARGET/api/FUZZ" \
|
|
541
|
+
-w $SECLISTS/Discovery/Web-Content/api/api-endpoints.txt \
|
|
542
|
+
-fc 404 -mc all -o $WORKDIR/endpoints/ffuf-api.json -of json
|
|
543
|
+
|
|
544
|
+
# Admin panel discovery
|
|
545
|
+
ffuf -u "$TARGET/FUZZ" \
|
|
546
|
+
-w $SECLISTS/Discovery/Web-Content/directory-list-2.3-medium.txt \
|
|
547
|
+
-fc 404 -mc 200,201,301,302,401,403 \
|
|
548
|
+
-o $WORKDIR/endpoints/ffuf-dirs.json -of json
|
|
549
|
+
|
|
550
|
+
# JavaScript file discovery
|
|
551
|
+
ffuf -u "$TARGET/static/js/FUZZ.js" \
|
|
552
|
+
-w $SECLISTS/Discovery/Web-Content/raft-medium-words.txt \
|
|
553
|
+
-fc 404 -o $WORKDIR/endpoints/ffuf-js.json -of json
|
|
554
|
+
|
|
555
|
+
# Combine LinkFinder results with SecLists for endpoint brute-force
|
|
556
|
+
cat $WORKDIR/endpoints/path-only.txt $SECLISTS/Discovery/Web-Content/api/objects.txt \
|
|
557
|
+
| sort -u | ffuf -u "$TARGET/FUZZ" -w - -fc 404
|
|
558
|
+
```
|
|
559
|
+
|
|
560
|
+
---
|
|
561
|
+
|
|
562
|
+
## Output Files
|
|
563
|
+
|
|
564
|
+
All output is written to `~/rtexit/js-analysis/<engagement>/`:
|
|
565
|
+
|
|
566
|
+
```
|
|
567
|
+
<engagement>/
|
|
568
|
+
├── bundles/ # Raw downloaded JS files
|
|
569
|
+
├── beautified/ # Unminified JS for manual review
|
|
570
|
+
├── sourcemaps/ # Downloaded .map files
|
|
571
|
+
├── reconstructed/ # Extracted original source tree
|
|
572
|
+
├── endpoints/
|
|
573
|
+
│ ├── linkfinder-raw.txt # All extracted endpoints
|
|
574
|
+
│ ├── path-only.txt # Path-only endpoints
|
|
575
|
+
│ ├── all-endpoints.txt # Deduplicated full list
|
|
576
|
+
│ ├── probe-results.txt # HTTP status for each endpoint
|
|
577
|
+
│ └── interesting-responses.txt # Non-404 responses
|
|
578
|
+
├── secrets/
|
|
579
|
+
│ ├── trufflehog-raw.json # Full TruffleHog JSON output
|
|
580
|
+
│ ├── trufflehog-summary.txt
|
|
581
|
+
│ ├── gitleaks.json # Gitleaks JSON output
|
|
582
|
+
│ ├── gitleaks-summary.txt
|
|
583
|
+
│ └── regex-matches.txt # Manual regex grep results
|
|
584
|
+
└── reports/
|
|
585
|
+
└── rtexit-finding.json # RTExit autodoc engine input
|
|
586
|
+
```
|
|
587
|
+
|
|
588
|
+
### RTExit Autodoc Integration
|
|
589
|
+
|
|
590
|
+
The `reports/rtexit-finding.json` file produced in Phase 6 is consumed directly by the RTExit autodoc engine. Place completed findings in the engagement's `findings/` directory:
|
|
591
|
+
|
|
592
|
+
```bash
|
|
593
|
+
cp $WORKDIR/reports/rtexit-finding.json \
|
|
594
|
+
~/rtexit/engagements/$ENGAGEMENT/findings/rt-js-analysis-$(date +%H%M%S).json
|
|
595
|
+
```
|
|
596
|
+
|
|
597
|
+
The autodoc engine will pick up the file on next run and incorporate the findings into the engagement report. Verified secrets are automatically flagged as Critical; unverified patterns are flagged as High.
|
|
598
|
+
|
|
599
|
+
---
|
|
600
|
+
|
|
601
|
+
## Common Findings and Their Impact
|
|
602
|
+
|
|
603
|
+
| Finding Type | Typical Impact | Verification |
|
|
604
|
+
|---|---|---|
|
|
605
|
+
| Firebase API Key | Unauthenticated database read/write | `curl "$FB_URL/.json?print=pretty"` |
|
|
606
|
+
| Stripe Secret Key | Full payment data access, charge customers | `curl -u "$KEY:" https://api.stripe.com/v1/charges` |
|
|
607
|
+
| AWS Access Key | Cloud resource access, data exfiltration | `aws sts get-caller-identity --key-id $KEY` |
|
|
608
|
+
| Google Maps API Key | API quota abuse, billing fraud | Maps geocode endpoint |
|
|
609
|
+
| JWT Secret | Token forgery, authentication bypass | jwt.io signature test |
|
|
610
|
+
| Internal API base URL | Undocumented endpoint exposure | Probe with ffuf |
|
|
611
|
+
| Environment variables | Reveals infrastructure, credentials | Grep for process.env |
|
|
612
|
+
| GraphQL schema introspection | Full API schema exposure | `{"query":"{__schema{types{name}}}"}` |
|
|
613
|
+
|
|
614
|
+
---
|
|
615
|
+
|
|
616
|
+
## Operational Notes
|
|
617
|
+
|
|
618
|
+
- Always run in an authorized engagement scope. Verify credentials against live services only with written authorization.
|
|
619
|
+
- Source map extraction may recover proprietary source code — handle per rules of engagement.
|
|
620
|
+
- Some targets deploy honeypot credentials in JS bundles. Use infrastructure-side verification before escalating.
|
|
621
|
+
- React DevTools and Angular Augury browser extensions can expose component state containing live credentials in development builds.
|
|
622
|
+
- Next.js `getServerSideProps` results are serialized into `__NEXT_DATA__` on every page load — always check this endpoint.
|
|
623
|
+
- Check for `.env` files accidentally committed: `curl -s "$TARGET/.env"`.
|
|
624
|
+
|
|
625
|
+
---
|
|
626
|
+
|
|
627
|
+
## Resources
|
|
628
|
+
|
|
629
|
+
- PortSwigger Web Security Academy — JavaScript Analysis: https://portswigger.net/web-security
|
|
630
|
+
- OWASP Testing Guide — Testing for Sensitive Data in JS: https://owasp.org/www-project-web-security-testing-guide/
|
|
631
|
+
- TruffleHog Documentation: https://github.com/trufflesecurity/trufflehog/wiki
|
|
632
|
+
- Gitleaks Rules Reference: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
|
|
633
|
+
- HackTricks — JavaScript Deobfuscation: https://book.hacktricks.xyz/pentesting-web/javascript-deobfuscation
|
|
634
|
+
- SecLists API Wordlists: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/api
|
|
635
|
+
- LinkFinder Usage Guide: https://github.com/GerbenJavado/LinkFinder#usage
|
|
636
|
+
- Source Map Specification: https://tc39.es/source-map/
|
|
637
|
+
- Katana Documentation: https://github.com/projectdiscovery/katana#readme
|
|
638
|
+
- JS Nice (online deobfuscator): http://www.jsnice.org/
|
|
639
|
+
- Prettier (JS formatter): https://prettier.io/
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
# RTExit JavaScript analysis patterns.
|
|
2
|
+
# Treat matches as leads. Validate context before reporting.
|
|
3
|
+
|
|
4
|
+
# Cloud access key indicators
|
|
5
|
+
AKIA[0-9A-Z]{16}
|
|
6
|
+
ASIA[0-9A-Z]{16}
|
|
7
|
+
AIza[0-9A-Za-z_-]{35}
|
|
8
|
+
|
|
9
|
+
# Tokens and auth headers
|
|
10
|
+
Bearer\s+[A-Za-z0-9._=-]{20,}
|
|
11
|
+
basic\s+[A-Za-z0-9+/=]{20,}
|
|
12
|
+
authorization["']?\s*[:=]\s*["'][^"']{10,}
|
|
13
|
+
|
|
14
|
+
# Private key material
|
|
15
|
+
-----BEGIN\s+(RSA\s+|EC\s+|OPENSSH\s+)?PRIVATE KEY-----
|
|
16
|
+
|
|
17
|
+
# URLs and API endpoints
|
|
18
|
+
https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+
|
|
19
|
+
["'`](\/api\/[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+)["'`]
|
|
20
|
+
|
|
21
|
+
# Firebase and cloud project hints
|
|
22
|
+
firebaseapp\.com
|
|
23
|
+
firebasedatabase\.app
|
|
24
|
+
storage\.googleapis\.com
|
|
25
|
+
amazonaws\.com
|
|
26
|
+
azurewebsites\.net
|
|
27
|
+
|