• Js analysis done is when you understand the application well, not directly.
• do not ignore the javascript in the html page

Identifying Js files

1. identifying js files that are relevant to the application

   • do not ignore javascript that’s mentioned in the script tags
   • you should be kinda interested in main js & runtime js

   <aside> 💡

   any additional information you can grab onto will help you later in your journey

   </aside>

   • pretty print extension
   • load all the lazy loaded files from runtime.js:
     • ask AI assistance from the chrome dev tool to do that for you.
   • you can also use jswzl : https://www.jswzl.io/

Analysis

• download js
• beautify it
• identify endpoints or client side paths

<aside> 💡

you need to understand the application better than the people who wrote it to find bugs. And you need to realize how deep you need to go to be able to be a top tier hacker.

</aside>

<aside> 💡

you need to realize that if you wanna be a top tier hunter, you need to understand the application in a way and depth that sets you apart from everyone else. you need to go into the depth that'll help you understand the application better than the dev who wrote it to be able to find as many bugs that's possible to find there.

• Rhynorater

</aside>

<aside> 💡

a lot of people don’t understand how deep you need to go to be able to be a top tier hacker.

</aside>

He normally starts with dynamic analysis.

Every Js file loaded in the application has the potential to cause vulnerability within the application. We should understand at hash change event, we should understand postmessage events, every reference to location.href, every pasing of the path, every parsing of the local stoarage, and cookies, and setting of cookies, and you need to understand how all that integrates into the application.

You have to get up to date on the application within 24 or 25 hours.