How I Used the js.map File to Gain Admin Access

In the world of web development, source maps (.js.map files) are incredibly useful for debugging. They link compiled or minified JavaScript back to its original source code, making it easier for developers to pinpoint issues. However, what's a boon for developers can sometimes be a treasure trove for security researchers and penetration testers. These files can inadvertently expose the entire internal structure of a web application, laying bare sensitive information that can be leveraged for unauthorized access. This article will delve into how js.map files can reveal critical application details and illustrate an example of how this information can be exploited.

The Power of .js.map Files: A Full Breakdown

When you access a website, the browser typically loads minified or compiled JavaScript files for performance. The .js.map file acts as a guide, providing a detailed map between the minified code and the original, human-readable source code, including variable names, function names, file paths, and even comments. This means that if a js.map file is publicly accessible, an attacker can effectively reconstruct the entire source tree of the application.

This reconstructed source code can reveal:

• API Endpoints: Hidden or internal API endpoints that are not publicly documented.
• Data Structures and Schemas: The exact structure of data objects, including GraphQL queries and schemas, which often define sensitive fields and operations.
• Authentication Mechanisms: Details about how user authentication and authorization are handled.
• Business Logic: Insights into the application’s core functionality, including potential vulnerabilities.
• Sensitive Strings: Sometimes, hardcoded API keys, secrets, or internal identifiers.

Unpacking Source Maps with Sourcemapper

To effectively work with js.map files, specialized tools are invaluable. One such tool is Sourcemapper.

Sourcemapper is designed to extract JavaScript source trees from Sourcemap files. It parses a sourcemap, typically generated by bundlers like Webpack, and then recreates the original JavaScript files and their directory structure based on the file paths specified within the sourcemap.

Sourcemapper can process a .map file directly from a URL or a local file. It also has the capability to process a JavaScript file from a URL, automatically detecting and downloading any sourcemap references within it (including absolute, relative, and data: URIs). Once the sourcemap is retrieved and parsed, Sourcemapper writes the extracted source files into a specified output directory, providing a complete replica of the original codebase.

Example: Gaining Admin Access via Exposed GraphQL Schema

Here’s a hypothetical but illustrative example of how a js.map file could be exploited to gain administrative access:

During a penetration test, I discovered an accessible main.js.map file. Using Sourcemapper, I was able to download and reconstruct the entire JavaScript source code of the web application. Upon reviewing the extracted files, I found extensive details about the application's GraphQL implementation. The js.map file provided a full breakdown of every query, mutation, and schema definition, essentially giving me a blueprint of the application's backend API.

Specifically, I discovered:

• A createUser mutation with parameters for username, email, and password.
• An updateUserRole mutation that, surprisingly, did not have proper access controls defined in the client-side code (which was now visible).
• A hidden adminPanel query and related adminActions mutations.

With this newfound knowledge, I used curl to craft a series of GraphQL queries. First, I used the createUser mutation to add a new user to the system. After successfully creating the user, I then leveraged the updateUserRole mutation, setting my newly created user's role to "admin." This was possible because the js.map file exposed the exact structure and naming conventions needed to invoke this mutation, and the server-side validation was either missing or insufficient to prevent this specific escalation path when called directly via the API.

After successfully upgrading my user account, I could then access the adminPanel and perform adminActions, effectively gaining full administrative control over the application. I could also query sensitive data like project names while unauthenticated, which are typically restricted. In bug bounty programs, exposing internal project names is often classified as a P4 (Severity 4) vulnerability, though Bugcrowd might categorize it as a P5 due to their specific guidelines.

For more extensive GraphQL vulnerability hunting and dumping, tools like graphqlmap are also available. graphqlmap is known for its capabilities in automating the process of finding and exploiting GraphQL vulnerabilities, including full schema dumping.

Conclusion

The accessibility of js.map files, while a convenience for developers, presents a significant security risk if not properly managed. They can expose sensitive application logic, API endpoints, and data structures that attackers can exploit to gain unauthorized access or discover other vulnerabilities. Developers should ensure that .js.map files are not publicly accessible in production environments or, at the very least, implement strict access controls to prevent their misuse. For security professionals, understanding how to leverage these files is a crucial skill in uncovering hidden attack vectors.