Security issues in JavaScript

mingzhi61 2022-02-13 05:09:33 阅读数:870

security issues javascript

For more penetration courses, you can click on my avatar to watch my video , You can also click on the link below

web The most complete practical course of penetration testing -- Penetration testing video tutorial - Information security -CSDN Programmer Institute

JavaScript Introduce

JavaScript( abbreviation “JS”) It is a kind of lightweight with function priority , Interpreted or just in time compiled programming languages . That's the scripting language .


JavaScript and Java What's the difference ?JavaScript and Java It doesn't matter , Two different languages .


JavaScript effect

JavaScript Widely used Web application development , Used to add various dynamic functions to web pages , Provide users with more smooth and beautiful browsing effect .

Embed dynamic text in HTML page .

Respond to browser Events .

Reading and writing HTML Elements .

Validate data before it is submitted to the server .

Check the browser information of visitors .

control cookies, Including creation and modification .

View... In the web site JavaScript

browser --> development tool (F12)


take Js Turn into html Format , Look at the above. Js Very nonstandard , Click... In the lower left corner of the middle box {} You can standardize its format


JavaScript The code analysis

1、 Find more attack surfaces (URL、 domain name 、 Path, etc )

Test station 、 Backstage path 、 Unpublished path 、api Address, etc.

2、 Discover sensitive information ( Hard coded account password 、API secret key 、 Annotations, etc. )

Hard coded account can log in 、 The test account can be logged in 、 Key disclosure 、 Development information in comments, etc

3、 Find dangerous code (eval、dangerouslySetInnerHTML wait )

XSS Loophole 、 Template Injection

4、 Understand the functions of the website

Analysis method

Search keywords :








For the current page js Do a global search :

firefox -->F12--> The debugger -->Ctrl+Shift+F


Webpack Pack the front end js

webpack It is currently the most popular front-end resource modular management and packaging tool .


There is .map file


• Use reverse-sourcemap Tools

•reverse-sourcemap -v -o sourcecode


Analysis after restore , Test data found :


Log in and access with test data , Successfully logged in


dynamic analysis

The debugger of the developer tools of each browser is assisted by the package capture tool at the same time


Found website packet encryption , Then look for the logic to submit the login , Go to the next breakpoint , Then step through the debugging


Trace encryption function :


Search encryption function call method aesUtil.encryptAES()


Guess the packet decryption method aesUtil.decryptAES()


Encrypt and decrypt the data packet through the console , structure sql Injection of statements , Find a place SQLServer Of SQL Inject


Further, the data is directly output through encryption and decryption


copyright:author[mingzhi61],Please bring the original link to reprint, thank you.