The diffskip tool for JS files
I often read JavaScript files while doing bug bounties. I monitor changes in a target's main scripts to find new features or juicy things like keys, tokens, or new endpoints. Because this is mostly black-box testing, the JS files are minified, and their diffs are full of noise.
Methodology
- On the target, find custom scripts. Generally, they have a name like 'main.min.js' or 'app.min.js'.
- Beautify the script (use the same js-beautify version and options every time, or formatting changes will show up as diffs) and commit it to a git repository for the target.
- After some time, repeat those steps, and you should see the script changes with a simple git diff command.
Problem
As I mentioned above, a diff of two minified builds contains many blocks we are not interested in.
For example, let's look at the changes between two releases of the Bootstrap framework.
mkdir bootstrap
cd bootstrap
git init
wget https://cdn.jsdelivr.net/npm/bootstrap@4.5.0/dist/js/bootstrap.bundle.min.js
js-beautify bootstrap.bundle.min.js > bootstrap.js
rm bootstrap.bundle.min.js
git add bootstrap.js
git commit -m "version 4.5.0"
# fetch a later release the same way; replace <version> with the release you want to compare
wget https://cdn.jsdelivr.net/npm/bootstrap@<version>/dist/js/bootstrap.bundle.min.js
js-beautify bootstrap.bundle.min.js > bootstrap.js
git diff
You will see many blocks like these:
- function i(t, e, i) {
- return e && n(t.prototype, e), i && n(t, i), t
+ function r(t, e, n) {
+ return e && o(t.prototype, e), n && o(t, n), t
}
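Review bot: this hunk is a pure rename, not a logic change. The function name goes from i to r, its third parameter from i to n and the helper from n to o, while the body (e && helper(t.prototype, e), param && helper(t, param), t) is token-for-token the same, so it is minifier noise and safe to skip.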
...
- i || l.triggerTransitionEnd(n)
+ n || l.triggerTransitionEnd(e)
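Review bot: same pattern here, only the generated names differ (i becomes n, n becomes e) and the call to l.triggerTransitionEnd is unchanged, so there is nothing to review in this hunk.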
These lines change nothing: the minifier simply assigned different short names to the same local variables in the new build, so they are artifacts of the compression step, not new code, and you do not need to pay attention to them. Skip them with the diffskip tool.
go get -u github.com/vodafon/diffskip
# on Go 1.18 or newer, where go get no longer installs binaries, use:
go install github.com/vodafon/diffskip@latest
git diff | diffskip -color | less
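To make concrete what a rename-aware diff filter has to do, here is an added example that is not diffskip's code and not part of the original post: a small Python reimplementation of the idea. It masks short identifiers (the names a minifier assigns to locals; the 2-character limit and the keyword list are assumptions) while leaving string literals alone, drops runs of removed/added lines that are identical after masking, and then drops hunks and file headers with nothing real left. The sample diff it runs on is constructed: the rename-only hunks quoted above, an endpoint version bump that must survive, and a second file consisting only of renames.

```python
import re
import sys

# Assumed heuristic (tune it): minifiers give locals 1-2 character names,
# so anything longer (APIs, property names, most keywords) must match exactly.
MAX_RENAMED_LEN = 2
KEEP_SHORT = {"if", "in", "do", "of"}   # short keywords: a change here is semantic

# String literals match first, so "/api/v1" -> "/api/v2" is never masked as a rename.
TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\])*"'          # double-quoted string
    r"|'(?:\\.|[^'\\])*'"         # single-quoted string
    r"|`(?:\\.|[^`\\])*`"         # template literal (no nesting)
    r"|[A-Za-z_$][A-Za-z0-9_$]*"  # identifier or keyword
)


def normalize(code: str) -> str:
    """Map one line of beautified JS to a rename-insensitive form."""
    def mask(m):
        tok = m.group(0)
        keep = tok[0] in "\"'`" or tok in KEEP_SHORT or len(tok) > MAX_RENAMED_LEN
        return tok if keep else "_"
    return TOKEN_RE.sub(mask, code).strip()


def filter_hunk(body: list) -> list:
    """Drop runs of '-' lines followed by '+' lines that are equal after normalize()."""
    kept, i = [], 0
    while i < len(body):
        j = i
        while j < len(body) and body[j].startswith("-"):
            j += 1
        if j == i:                        # context, pure addition or "\ No newline"
            kept.append(body[i])
            i += 1
            continue
        k = j
        while k < len(body) and body[k].startswith("+"):
            k += 1
        removed, added = body[i:j], body[j:k]
        rename_only = len(removed) == len(added) and all(
            normalize(a[1:]) == normalize(b[1:]) for a, b in zip(removed, added))
        if not rename_only:
            kept.extend(removed + added)  # something other than a name changed
        i = k
    return kept


def skip_renames(diff_text: str) -> str:
    """Filter `git diff` output: rename-only runs, hunks with no real change left and
    headers of files with no surviving hunk are dropped. Hunk line counts are not
    recomputed, so the result is for reading, not for `git apply`."""
    output, header, hunk = [], [], []   # header: diff --git/index/---/+++ lines

    def flush():
        if not hunk:
            return
        kept = filter_hunk(hunk[1:])
        if any(l[:1] in ("+", "-") for l in kept):   # a real change survived
            output.extend(header)
            header.clear()
            output.extend([hunk[0], *kept])
        hunk.clear()

    for line in diff_text.splitlines():
        if line.startswith("@@"):
            flush()
            hunk.append(line)
        elif hunk and line[:1] in ("+", "-", " ", "\\", ""):
            hunk.append(line)
        else:                               # file-level line
            flush()
            if line.startswith("diff --git"):
                header.clear()              # the previous file is finished
            header.append(line)
    flush()
    return "\n".join(output) + ("\n" if output else "")


# Constructed sample: the rename-only hunks quoted in the post, one real change
# (an endpoint version bump) and a second file that is nothing but renames.
SAMPLE_DIFF = """\
diff --git a/bootstrap.js b/bootstrap.js
--- a/bootstrap.js
+++ b/bootstrap.js
@@ -10,4 +10,4 @@
-    function i(t, e, i) {
-        return e && n(t.prototype, e), i && n(t, i), t
+    function r(t, e, n) {
+        return e && o(t.prototype, e), n && o(t, n), t
     }
@@ -120,3 +120,3 @@
     o.ajax({
-        url: "/api/v1/profile",
+        url: "/api/v2/profile",
         type: "GET"
diff --git a/vendor.js b/vendor.js
@@ -5,2 +5,2 @@
-    i || l.triggerTransitionEnd(n)
+    n || l.triggerTransitionEnd(e)
 }
"""

if __name__ == "__main__":   # usage: git diff | python3 skip_renames.py | less
    sys.stdout.write(skip_renames(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF))
```

Pipe a real diff through it the same way as the Go tool: git diff | python3 skip_renames.py | less. The price of masking is that a change which only swaps two short variables (a || b becoming b || a) is hidden as well; raise MAX_RENAMED_LEN if a large bundle uses longer generated names, and lower it if too much disappears.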
Some stats:
## git diff contains 3054 lines
git diff | wc -l
## with diffskip only 775 lines
git diff | diffskip | wc -l
So there are roughly four times fewer lines to read (3054 versus 775). It saves me a lot of time, and I hope you will like it too. Enjoy!