├── README.md └── Snippets ├── JSEncrypt_fuzz.js ├── consolesave.js ├── developers_mindset.js ├── fuzz_with_websocket.js ├── fuzzit.js └── getCurrentURLHeaders.js /README.md: -------------------------------------------------------------------------------- 1 | ## DevTools snippet collection: 2 | 3 | **TL;DR** 4 | A list of some cool JS snippets that I created or found while researching client-side encryption bypass using DevTools only. 5 | 6 | | Sr. No. | Snippet | Description | Example | 7 | |---------|---------|-------------|---------| 8 | |1.| [consolesave.js](https://github.com/bhattsameer/devtool-snippets-forhacks/blob/main/Snippets/consolesave.js) | Saves console output to a file. | console.save("data");| 9 | |2.| [getCurrentURLHeaders.js](https://github.com/bhattsameer/devtool-snippets-forhacks/blob/main/Snippets/getCurrentURLHeaders.js) | Fetches the response headers of the current URL and prints them in the console (table format). | - | 10 | |3.| [developers_mindset.js](https://github.com/bhattsameer/devtool-snippets-forhacks/blob/main/Snippets/developers_mindset.js) | Just an example of how monitor() works. | - | 11 | |4.| [fuzzit.js](https://github.com/bhattsameer/devtool-snippets-forhacks/blob/main/Snippets/fuzzit.js) | Fuzzes an encrypted parameter using DevTools only. | - | 12 | |5.| [fuzz_with_websocket.js](https://github.com/bhattsameer/devtool-snippets-forhacks/blob/main/Snippets/fuzz_with_websocket.js) | Fuzzes encrypted parameters using DevTools only, with ws:// integration. | - | 13 | |6.| [JSEncrypt_fuzz.js](https://github.com/bhattsameer/devtool-snippets-forhacks/blob/main/Snippets/JSEncrypt_fuzz.js) | Snippet for automating JSEncrypt encryption. | - | 14 | 15 | ## How to run the above snippets? 16 | 17 | 1. Open the application in the Chrome browser. 18 | 19 | 2. Open Inspect Element and navigate to the Sources tab -> Snippets section. 20 | 21 | 3. Copy and paste the JavaScript code and execute it. 22 | 23 | 4. Call the snippet's methods from the console, and you are done.
24 | 25 | ## There is a complete series on how to bypass client-side encryption and fuzz the encrypted parameters using DevTools. 26 | 27 | 1. [client-side-encryption-bypass-part-1](https://bhattsameer.github.io/2021/01/01/client-side-encryption-bypass-part-1.html) 28 | 2. [client-side-encryption-bypass-part-2](https://bhattsameer.github.io/2021/02/14/client-side-encryption-bypass-part-2.html) 29 | 3. [client-side-encryption-bypass-part-3](https://bhattsameer.github.io/2021/02/21/client-side-encryption-bypass-part-3.html) 30 | 31 | **Follow me:** 32 | 33 | Twitter : [@sameer_bhatt](https://twitter.com/sameer_bhatt) 34 | Github : [bhattsameer](https://github.com/bhattsameer) 35 | LinkedIn: [bhatt-sameer](https://linkedin.com/in/bhatt-sameer) 36 | -------------------------------------------------------------------------------- /Snippets/JSEncrypt_fuzz.js: -------------------------------------------------------------------------------- 1 | /* 2 | Snippet for the case where JSEncrypt is used for encryption. 3 | */ 4 | 5 | //payload:: 6 | function payloads(){ 7 | var x = document.createElement("textarea"); 8 | x.setAttribute('id', 'payloads'); 9 | document.body.appendChild(x); 10 | } 11 | 12 | function fuzz1(){ 13 | var textArea = document.getElementById('payloads'); 14 | var lines = textArea.value.split('\n'); 15 | for (var i = 0; i < lines.length; i++) { 16 | 17 | // write your logic here... 
18 | console.log('Payload: ' + lines[i]); 19 | 20 | var encrypt = new JSEncrypt(); 21 | encrypt.setPublicKey(AppConfig.passwordEncryption.pubkey); 22 | console.log(encrypt.encrypt(lines[i])) 23 | 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /Snippets/consolesave.js: -------------------------------------------------------------------------------- 1 | (function(console){ 2 | 3 | console.save = function(data, filename){ 4 | 5 | if(!data) { 6 | console.error('Console.save: No data') 7 | return; 8 | } 9 | 10 | if(!filename) filename = 'console.json' 11 | 12 | if(typeof data === "object"){ 13 | data = JSON.stringify(data, undefined, 4) 14 | } 15 | 16 | var blob = new Blob([data], {type: 'text/json'}), 17 | e = document.createEvent('MouseEvents'), 18 | a = document.createElement('a') 19 | 20 | a.download = filename 21 | a.href = window.URL.createObjectURL(blob) 22 | a.dataset.downloadurl = ['text/json', a.download, a.href].join(':') 23 | e.initMouseEvent('click', true, false, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null) 24 | a.dispatchEvent(e) 25 | } 26 | })(console) 27 | -------------------------------------------------------------------------------- /Snippets/developers_mindset.js: -------------------------------------------------------------------------------- 1 | function onClick() { 2 | if (inputsAreEmpty()) { 3 | label.textContent = 'Error: one or both inputs are empty.'; 4 | return; 5 | } 6 | updateLabel(getNumber1(),getNumber2()); 7 | } 8 | function inputsAreEmpty() { 9 | if (getNumber1() === '' || getNumber2() === '') { 10 | return true; 11 | } else { 12 | return false; 13 | } 14 | } 15 | function updateLabel(add1, add2) { 16 | var addend1 = add1; 17 | var addend2 = add2; 18 | var sum = addend1 + addend2; 19 | label.textContent = addend1 + ' + ' + addend2 + ' = ' + sum; 20 | } 21 | function getNumber1() { 22 | return inputs[0].value; 23 | } 24 | function getNumber2() { 25 | return 
inputs[1].value; 26 | } 27 | var inputs = document.querySelectorAll('input'); 28 | var label = document.querySelector('p'); 29 | var button = document.querySelector('button'); 30 | button.addEventListener('click', onClick); 31 | 32 | -------------------------------------------------------------------------------- /Snippets/fuzz_with_websocket.js: -------------------------------------------------------------------------------- 1 | 2 | //payload:: 3 | function payloads(){ 4 | var x = document.createElement("textarea"); 5 | x.setAttribute('id', 'payloads'); 6 | document.body.appendChild(x); 7 | } 8 | 9 | // Fuzzing logic:: 10 | function fuzz(){ 11 | var textArea = document.getElementById('payloads'); 12 | var lines = textArea.value.split('\n'); 13 | 14 | for (var j = 0; j < lines.length; j++) { 15 | var websocket = new WebSocket("ws://127.0.0.1:1234"); 16 | websocket.onmessage = function(e){ console.log(e.data); }; 17 | 18 | // write your logic here... 19 | console.log('Payload: ' + lines[j]); 20 | websocket.onopen = () => websocket.send('Payload: ' + lines[j]); 21 | 22 | // your AES Key and IV 23 | var mykey = "myKey123" 24 | 25 | //Call encryption method 26 | otpEncrypt = CryptoJS.AES.encrypt( lines[j], mykey, {format: CryptoJSAesJson} ); 27 | 28 | //Encrypted Payload 29 | console.log('Encrypted Payload: ' + otpEncrypt); 30 | websocket.onopen = () => websocket.send('Encrypted Payload: ' + otpEncrypt); 31 | 32 | //Prepare post request 33 | $.post("otpvalidate.php",{ 34 | otp: otpEncrypt.toString() 35 | }, 36 | 37 | //Handle Response 38 | function(res){ 39 | 40 | //Call Decrypt method 41 | var data2 = CryptoJS.AES.decrypt(JSON.stringify(res), mykey, {format: CryptoJSAesJson}).toString(CryptoJS.enc.Utf8); 42 | websocket.onopen = () => websocket.send('Encrypted Response: ' + data2); 43 | var data = JSON.parse(data2); 44 | 45 | //Decrypted response 46 | console.log(data); 47 | websocket.onopen = () => websocket.send('Decrypted Response: ' + data); 48 | //logic for Otp 
bypass 49 | //var a = data[10]; 50 | //$("#message").html(data.slice(23,36)); 51 | //if(a == a) 52 | // window.location.href="my_account.php"; 53 | },"json"); 54 | //sleep 55 | sleep(3000); 56 | } 57 | 58 | // sleep function 59 | function sleep(milliseconds) { 60 | var start = new Date().getTime(); 61 | for (var i = 0; i < 1e7; i++) { 62 | if ((new Date().getTime() - start) > milliseconds){ 63 | break; 64 | } 65 | } 66 | } 67 | } 68 | -------------------------------------------------------------------------------- /Snippets/fuzzit.js: -------------------------------------------------------------------------------- 1 | 2 | //payload:: 3 | function payloads(){ 4 | var x = document.createElement("textarea"); 5 | x.setAttribute('id', 'payloads'); 6 | document.body.appendChild(x); 7 | } 8 | 9 | // Fuzzing logic:: 10 | function fuzz(){ 11 | var textArea = document.getElementById('payloads'); 12 | var lines = textArea.value.split('\n'); 13 | 14 | for (var j = 0; j < lines.length; j++) { 15 | 16 | // write your logic here... 
17 | console.log('Payload: ' + lines[j]); 18 | 19 | // your AES Key and IV 20 | var mykey = "myKey123" 21 | 22 | //Call encryption method 23 | otpEncrypt = CryptoJS.AES.encrypt( lines[j], mykey, {format: CryptoJSAesJson} ); 24 | 25 | //Encrypted Payload 26 | console.log('Encrypted Payload: ' + otpEncrypt); 27 | 28 | //Prepare post request 29 | $.post("otpvalidate.php",{ 30 | otp: otpEncrypt.toString() 31 | }, 32 | 33 | //Handle Response 34 | function(res){ 35 | 36 | //Call Decrypt method 37 | var data2 = CryptoJS.AES.decrypt(JSON.stringify(res), mykey, {format: CryptoJSAesJson}).toString(CryptoJS.enc.Utf8); 38 | var data = JSON.parse(data2); 39 | 40 | //Decrypted response 41 | console.log(data); 42 | 43 | //logic for Otp bypass 44 | var a = data[10]; 45 | $("#message").html(data.slice(23,36)); 46 | if(a == a) 47 | window.location.href="my_account.php"; 48 | },"json"); 49 | //sleep 50 | sleep(3000); 51 | } 52 | 53 | // sleep function 54 | function sleep(milliseconds) { 55 | var start = new Date().getTime(); 56 | for (var i = 0; i < 1e7; i++) { 57 | if ((new Date().getTime() - start) > milliseconds){ 58 | break; 59 | } 60 | } 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /Snippets/getCurrentURLHeaders.js: -------------------------------------------------------------------------------- 1 | // showheaders.js 2 | // https://github.com/bgrins/devtools-snippets 3 | // Print out response headers for current URL. 
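/**
 * DevTools snippet: requests the current page with HEAD and prints the
 * response headers the browser exposes to script, both raw and as a table.
 *
 * Caveats for anyone using the output to audit security headers:
 *  - Browsers withhold Set-Cookie from getAllResponseHeaders(), so its
 *    absence here does not mean the server did not send one.
 *  - NOTE(review): a server may answer HEAD with different headers than it
 *    sends for GET; confirm against the Network panel before relying on it.
 */
(function () {
  var request = new XMLHttpRequest();
  request.open('HEAD', window.location, true);

  // The same handler runs on success and on failure; after a network error
  // the header string is empty, so the table simply has no rows.
  request.onload = request.onerror = function () {
    var headers = request.getAllResponseHeaders();

    // Header lines are CRLF-terminated. Splitting on "\n" alone would leave a
    // trailing "\r" on every value, and splitting each line on ": " would
    // truncate values that themselves contain ": ", so cut at the first
    // separator only.
    var tab = headers
      .split(/\r?\n/)
      .map(function (line) {
        var sep = line.indexOf(': ');
        if (sep === -1) {
          return null; // blank trailing line or malformed entry
        }
        return { Key: line.slice(0, sep), Value: line.slice(sep + 2) };
      })
      .filter(function (row) { return row !== null; });

    // These are response headers (see getAllResponseHeaders above), so label
    // the console group accordingly.
    console.group('Response Headers');
    console.log(headers);
    console.table(tab);
    console.groupEnd();
  };

  request.send(null);
})();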