Building a custom JS monitoring tool with no coding knowledge using AI
Background
I had a very interesting JavaScript-heavy target I was working on, which was built using a microservice architecture. The main domain contains a lot of sub-apps, so doing subdomain enumeration did not result in any significant success other than finding third-party community forums, support portals, and developer docs.
Every time I worked on this application, my dev tool in Firefox was always on the debugger tab, where I would search for new apps. It was super tedious as I was always finding the same apps over and over, but the JavaScript hash kept changing; as a matter of fact, it changed like every hour and even on weekends.
If you do not know the JavaScript hash, it is the random alphanumeric characters in a JavaScript file before the .js extension, like so https://example.com/static/js/main.8937rir74849ruu440.js
I concluded that I needed to monitor the JS files, so I will only search for sub-apps in newer JS files for better results. I tried some available public tools, but none work to my satisfaction as the target has a very unique routing method, as I said earlier, it uses a microservice architecture, and the main domain contains a lot of sub-apps.
Building with AI: Problem
Who doesn’t use AI these days? So I figured I’d just build the tool with AI by explaining the prompt, but I ran into a problem. The coding knowledge I have is reading JavaScript files, identifying the endpoints and parameters in JavaScript files, that’s it, nothing else.
I chose python language for generating the tool and Alibaba’s Qwen AI because it is FREE, and the prompt looks like this:
Write a python tool that will do the following
1. Send a GET request to https://redacted.com/dashboard with my cookie and get the content
2. parse the content of the GET request and search for a js url that look like
this https://redacted.com/static/js/app-runtime.[hash].js
3. Once you get the js url, send a GET request to it, parse it content and extract the
lazy loaded js files mappings
4. Save the lazy loaded urls to a file named js_urls.txt and download all the js files into
a folder
5. When ever I run this tool again, when it get the lazy loaded js urls it should compare it
to the content of the js_urls.txt file
7. After comparing it, it should save the unique urls to a different text newer_js.txt, and
append the new urls to the old js_urls.txt file
8. then download the newer_js.txt
With the prompt above, the AI generated a Python tool. When I ran the tool on my computer, it gave me a very large error message. I didn’t know what to do, so I copied the error message and pasted it into the AI chat like this
Running this tool gave me this error message=>
LARGE ERROR MESSAGE FROM THE TERMINAL
The AI worked on the script and generated a new script. After running the new script, it was working, but no JS file URL was found. I went back to the chat and told the AI that the tool was working with no error message, but it was not able to find the runtime JS URL from the dashboard source. The AI generated another Python script, which wasn’t able to get the runtime JS URL either.
Building with AI: Breaking down a prompt to perform the simplest task
After failing a couple times and not knowing what to correct from my prompt, I went to the target dashboard in my browser, view it source, and saved it as a text file.
Now I uploaded the source text file to the AI and gave it the exact runtime JS URL that was present at the moment, the chat looked like this:
Parse this uploaded text file, and look for this js url in the file:
https://redacted.com/static/js/app-runtime.[hash].js
After identifying the js url, I want you to write a python script that will parse a text file
and use a regex to identify the js url
The AI generated the tool, and it worked perfectly every time I ran it. Now that I was able to get the runtime JS URL, which is always the starting point for a webpack application, I’ve conquered a phase.
I moved to the next phase of building another tool, and I told the AI where the lazy loaded js mapping begins in the runtime JS URL. The chat looks like this
Write a python tool that sends a GET request to a js url, Parse it content and look for
where the lazy loded js mapping begins, the lazy loaded js mapping starts with some thing
like this "A.u=e=>""+(({39908:"applic-redacted-9f7b83ce"
the tool should extract all the lazy loaded js and append "https://redacted.com/static/js/"
to the beginning of each file and save it to a file js_urls.txt
The tool was generated, and it work pecfectly
After getting two phases working in the tool, I went back to the second prompt and told the AI to improve this tool such that when I run the script, it will always compare the extracted lazy loaded js urls to the URLs present in the js_urls.txt file, and will save the unique URLs to a different file called newer_js.txt, Then it will download the new JS URLs.
Now I have two tools that were working independently,
The first tool will parse the dashboard HTML source as a text file and extract the runtime JS URL.
The second tool takes the runtime JS URL as an argument, parse it content, extracts the lazy loaded js files, and constructs their full URLs by appending
https://redacted.com/static/js/to the beginning of each file.
Getting these two phases working left me with a third. I do not want to always go to the dashboard in my browser to view the source and save it to a text file. This is supposed to be an automated tool, so I ask the AI to generate a Python tool that will visit https://redacted.com/dashboard with my cookie and parse the content as a text file, then save it as dashboard_html.txt.
The AI generated a code that worked perfectly for this, also.
Putting each piece together
I now have three tools that are working independently, but I want to merge them together to make it a single tool
The first tool will use my cookie to get the content of the dashboard at
https://redacted.com/dashboardand save it as a text filedashboard_html.txtThe second tool will parse the dashboard HTML source as a text file and extract the runtime JS URL.
The third tool takes the runtime JS URL as an argument, parse it content, extracts the lazy loaded js files, and constructs their full URLs by appending
https://redacted.com/static/js/to the beginning of each file, and also download the files.
What I did was upload all the tools to the AI with a prompt instructing the AI to understand what each tool is doing and merge it into a single code base. The prompt looks like this:
@get_dashboard_html.py @extract_runtime_js_url.py @extract_lazy_loaded_js.py
Analyze these three python files, understand what they are doing and convert it into a single
code base, also add a help in the codebase on how to run the file
With the prompt above, the AI was able to merge the three tools into one, and when I ran the tool on my system, it worked flawlessly. Now I can always stay on top of my target new sub-app releases, which will definitely help me discover new attack surface before others.
Lesson Learned
Below are important lessons I learned while trying to build this tool
You can automate anything, and you should automate every boring aspect of your hunting!
When building tools with AI, with little or no coding knowledge, you should break the task into smaller units
After getting each of the smaller units working, combine them into one
Whatever interesting thing/case you encounter while hunting, write a blog or tweet about it
