The Ultimate JS Recon using KeyHound

It's been quite a long time since I posted a blog, as I was busy with some pentests. This post is about my tool KeyHound, and we will look at how you can use it to find sensitive information such as API keys, credentials, internal paths and subdomains inside JS files.

I was recently listed in Apple's prestigious Hall of Fame (September 2024), meant for security researchers who submit vulnerabilities in Apple's assets. What exactly did I find, and how did I find it? Let's see in this blog:

Basic Recon Methodology for mass hunting:

Step 1) The very first step is to gather as many subdomains as you can, because companies like Apple have a really large attack surface, so mass hunting can sometimes yield results.

Step 2) After collecting subdomains, filter them with httpx to keep only the live hosts.

Step 3) Now that we have live subdomains, we look for the ones that are important. Usually I check for keywords like prod, api, test, staging, admin, etc. Here is a bash one-liner to do the same:

grep -E 'api|prod|test|dev|staging|secure|login|admin|beta|support|private|internal|demo|management|dashboard|config|service|analytics|auth' subdomains.txt > important_subs.txt

Step 4) Now we run waybackurls and katana on each of the subdomains, sort the URLs, and keep only the JS files.

Step 5) After this we look for juicy information like credentials, API keys, internal paths, etc.

But this whole process is quite boring, especially when you have to do it over and over. So why not automate it? Sounds cool, right? Well, I have created this awesome tool called KeyHound to do exactly that.

Time to Automate

KeyHound is an advanced JavaScript secrets hunting tool that sniffs out sensitive information from JavaScript files across web applications. Like a trained hunting dog, it tracks down secrets through web archives and crawling results, specializing in detecting API keys, credentials, and other sensitive data.

Workflow:

(Image: KeyHound workflow)

So, the tool works as follows:

Step 1) It uses waybackurls and katana to gather all the endpoints and separates out the JS files.

Step 2) It uses custom regexes to pull juicy information such as credentials, API keys, internal paths and subdomains out of the JS files.

Step 3) It writes the results to the output directory for you to analyze further.
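As an added example (my illustration of the three steps, not KeyHound's own code), here is the pipeline in Python: filter the JS URLs out of a crawl list, run a set of regexes over each body, and report per file. The URLs, the JS body and the key values are constructed samples (the keys are the AWS documentation examples), and the fetch callable is an assumption standing in for whatever downloads a URL.

```python
import re
from urllib.parse import urlparse
# Constructed sample URLs, shaped like waybackurls/katana output (not real endpoints).
SAMPLE_URLS = ["https://www.example.com/index.html",
               "https://static.example.com/assets/app.js?v=3",
               "https://cdn.example.com/bundle.min.js"]
# Constructed JS body standing in for a downloaded file; the key values are the
# AWS documentation examples, not live credentials.
SAMPLE_JS = """
var cfg = {apiKey: "AKIAIOSFODNN7EXAMPLE",
           secret: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
           endpoint: "https://internal-api.example.com/v2"};
fetch("/internal/admin/export").then(r => r.json());
"""
# Offline stand-in for downloading: only one of the two JS URLs has a body here.
FAKE_BODIES = {"https://static.example.com/assets/app.js?v=3": SAMPLE_JS}
# Step 2 patterns: a known key format, a generic name = "value" catch-all,
# and quoted paths that look like internal routes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*["']([^"']{8,})["']"""),
    "internal_path": re.compile(r"""["'](/(?:internal|admin|private|api)[^"'\s]*)["']"""),
}

def js_urls(urls):
    """Step 1: keep only URLs whose path ends in .js (query strings ignored)."""
    return [u for u in urls if urlparse(u).path.lower().endswith(".js")]

def scan_js(text, domain):
    """Run every pattern over one JS body and also collect subdomains of `domain`."""
    findings = {}
    for name, rx in PATTERNS.items():
        hits = {m.group(m.lastindex or 0) for m in rx.finditer(text)}  # captured value or whole match
        if hits:
            findings[name] = sorted(hits)
    subs = set(re.findall(rf"\b(?:[a-z0-9-]+\.)+{re.escape(domain)}\b", text, re.I))
    if subs:
        findings["subdomain"] = sorted(subs)
    return findings

def hunt(urls, fetch, domain):
    """Steps 1-3 end to end: filter JS URLs, fetch each body, scan, report per URL."""
    report = {}
    for u in js_urls(urls):
        body = fetch(u)  # any URL -> text callable; FAKE_BODIES.get works offline
        found = scan_js(body, domain) if body else {}
        if found:
            report[u] = found
    return report
```

Running `hunt(SAMPLE_URLS, FAKE_BODIES.get, "example.com")` returns one entry for app.js with the two keys, the /internal/admin/export route and the internal-api subdomain; swapping `FAKE_BODIES.get` for a real downloader is the only change needed to run it over a crawl list.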

KeyHound in action:

(Screenshot: KeyHound in action)

Future goals regarding KeyHound:

Well, regarding KeyHound, I plan to improve it further so that users can use their own custom regexes, supply a list of subdomains to test, view the information found in real time, and overall make it more efficient.

Check out KeyHound here:

KeyHound Tool

This post is licensed under CC BY 4.0 by the author.