Hackfest 2024 - 16-bit Edition

We Know What You Hide in JS
10-11, 11:00–11:50 (America/New_York), Track 2 (206a)
Language: English

Client-side JavaScript plays a crucial role in the development and functionality of Single Page Applications (SPAs) prevalent in modern web applications. Unfortunately, JavaScript code delivered to the browser can contain sensitive information due to development error, oversight, or misunderstanding. These details can provide attackers with a variety of insights that can be leveraged to exploit vulnerabilities in a web application. This presentation delves into the techniques and tools essential for performing comprehensive reconnaissance on client-side JavaScript files, aiming to uncover hidden endpoints, sensitive information, and potential security vulnerabilities. Attendees will gain practical knowledge on the importance of reconnaissance, the types of tools available, and how to effectively analyze client-side JavaScript files to gather actionable intelligence. This presentation is ideal for cybersecurity professionals, web developers, and penetration testers who are keen to deepen their understanding of client-side security. It provides valuable insights for anyone involved in securing modern web applications and protecting sensitive data from unauthorized access.


  1. Introduction.
    a. Speaker, Background, Shameless plug for OWASP Ottawa Chapter.
    b. Goals.
  2. Whither Reconnaissance?
    a. What is reconnaissance? Let's make sure we are talking about the same thing.
    b. Why do we perform reconnaissance? The simple truths about why it's important to do reconnaissance.
    c. The Dreaded LM Kill Chain. The military-industrial complex has to have their hand in everything. But it's publish or perish, so considering prior art is important.
    d. Types of Reconnaissance. Is it passive or active and is there passive-aggressive? Discuss the types of reconnaissance and examples of each.
  3. Introduction to Client-Side JavaScript.
    a. Understanding the significance of JavaScript in modern web applications.
    b. The role of client-side JavaScript in facilitating dynamic and interactive user experiences.
    c. What is reconnaissance in a JS client?
  4. Introduction to sensitive information exposure in JavaScript.
    a. Past examples of sensitive exposure in JS.
  5. The Process.
    a. High level process for Reconnaissance of the JS in a SPA.
    b. What are we looking for?
  6. The Tools.
    a. Why do we use tools?
    b. Types of tools. Regex vs AST.
    c. Automated, manual.
    d. Monitoring.
  7. Examples of tool usage.
    For each tool introduced, provide examples of finding sensitive content.
  8. Conclusion.

Are you releasing a tool? – yes

Senior Application Security/Cloud Security Architect specializing in Secure Software Architecture and security research with experience supporting development organizations. Founder of DeviousPlan, a boutique security firm specializing in Security Architecture, Threat Modelling, Securing the public cloud, Security Training and Penetration Testing. A lifelong learner who enjoys crafting solutions to interesting and tough problems and thinking of six impossible things before breakfast.