stevemcilwain / quiver

Quiver is the tool to manage all of your tools for bug bounty hunting and penetration testing.
MIT License
206 stars 38 forks

Suggestion: Alternative to js-endpoint-finder #28

Closed fullstackpotato closed 4 years ago

fullstackpotato commented 4 years ago

File: qq-enum-web-dirs.zsh Function: qq-enum-web-js-endpoint-finder

gwen001 put up a gist and tweeted it out with a bash based alternative that does not rely upon an external tool (linkfinder.py). Source: https://gist.github.com/gwen001/0b15714d964d99c740a7e8998bd483df

Anecdotally I have just been playing with it and it runs quite nicely on a few js files that I've fed it. Not sure how much it would offer to the tool other than removing a dependency.

Code:

function ejs() {
   URL=$1;
   # Stage 1: fetch the page, un-escape JSON-style "\/" and pull every src= that points at a .js file,
   #          resolving protocol-relative ("//...") and relative paths against $URL.
   # Stage 2: fetch each script, split it on ; } ) > and grep for quoted URL-like strings
   #          and .get/.post/.ajax/.load(...) call targets, then strip the quotes.
   curl -Lks $URL | tac | sed "s#\\\/#\/#g" |
   egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" |
   sed -r "s/^src['\"]?[=:]['\"]//g" |
   awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' |
   sort -fu |
   xargs -I '%' sh -c "echo \"'##### %\";curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"('#####.*)|(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\" | sort -fu" |
   tr -d "'\""
}

Example output:

➜  engagement ./url-extractor.sh https://reactjs.org/app-5e84b639b5b1a1256dbe.js
##### https://reactjs.org/app-5e84b639b5b1a1256dbe.js/src
/404.html
/acknowledgements.html
/app-5e84b639b5b1a1256dbe.js
/blog/
/commons-4f44d8eb8045a930ec5d.js
/community/support.html
/component---src-pages-404-js-ec177956336472a27073.js
/component---src-pages-acknowledgements-html-js-ce62489012d2a13073d0.js
/docs/accessibility.html
/docs/concurrent-mode-intro.html
/docs/faq-ajax.html
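The same two-stage extraction the gist performs (script URLs out of a page, then endpoint-looking strings out of each script), written here as an added Python example that is not the gist's code and not part of quiver. It works on a constructed HTML page and a constructed JS snippet embedded inline instead of fetching anything, so it runs offline; it resolves relative script paths with `urljoin` rather than the gist's plain `url"/"$1` concatenation (which would produce `.../index.html//app.js` for a page URL that ends in a file), and it reports which jQuery-style call, if any, a URL was found in, which the bash pipeline loses when it strips the surrounding text.

```python
import re
from urllib.parse import urljoin

# Constructed sample page and script for this example; nothing is fetched.
SAMPLE_HTML = """
<html><head>
<script src="/app-1234.js"></script>
<script src='//cdn.example.test/lib/vendor.js?v=2'></script>
<script src=https://static.example.test/analytics.js></script>
<link href="/styles/site.css" rel="stylesheet">
</head><body><img src="/logo.png"></body></html>
"""

SAMPLE_JS = """
var api = "/api/v1/users"; fetch("https://api.example.test/v2/items?page=1");
$.get("/internal/admin/status");$.post('//auth.example.test/login', data);
var short = "/x"; var cdn = "https://cdn.example.test/a/b.png";
"""

# Mirrors the gist's egrep: a src= attribute (quoted or not) whose value contains ".js".
SCRIPT_SRC_RE = re.compile(r"""src\s*=\s*['"]?([^'">\s]+\.js[^'">\s]*)""", re.IGNORECASE)

# Mirrors the gist's grep -P alternatives: a quoted string that starts with http(s)://, // or /
# and has at least five further characters, and the same shape as the first argument of
# .get/.post/.ajax/.load(...).
ENDPOINT_RE = re.compile(r"""['"]((?:https?:)?/{1,2}[^'"\s<>]{5,})['"]""")
CALL_RE = re.compile(r"""\.(get|post|ajax|load)\s*\(\s*['"]((?:https?:)?/{1,2}[^'"\s<>]{5,})""")


def extract_script_urls(html, base_url):
    """Return the absolute URL of every <script src=...> ending in .js, de-duplicated and sorted."""
    found = set()
    for raw in SCRIPT_SRC_RE.findall(html):
        raw = raw.replace("\\/", "/")  # undo JSON-style escaped slashes, as the gist's sed does
        if raw.startswith("//"):
            found.add("https:" + raw)  # protocol-relative: assume https like the gist's awk
        elif raw.startswith("http"):
            found.add(raw)
        else:
            found.add(urljoin(base_url, raw))  # relative path, resolved against the page URL
    return sorted(found, key=str.lower)


def extract_endpoints(js):
    """Return sorted (endpoint, origin) pairs, where origin is the jQuery-style method name
    the URL was passed to, or "string" for a bare quoted URL-like literal."""
    results = {}
    for m in CALL_RE.finditer(js):
        results[m.group(2)] = m.group(1)
    for m in ENDPOINT_RE.finditer(js):
        results.setdefault(m.group(1), "string")  # keep the method name if already recorded
    return sorted(results.items())


if __name__ == "__main__":
    page = "https://www.example.test/index.html"  # constructed page URL
    for script in extract_script_urls(SAMPLE_HTML, page):
        print("#####", script)
    for endpoint, origin in extract_endpoints(SAMPLE_JS):
        print(f"{origin:6} {endpoint}")
```

Short literals such as `"/x"` are dropped by the `{5,}` length floor, exactly as in the gist, so the output stays focused on path-like strings rather than every slash in the file.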
stevemcilwain commented 4 years ago

This is great, adding to 1.0 upcoming release.