Back
Why do we need JavaScript map files?
Source map files are helpful when you want to debug minified JavaScript files. They work by mapping minified code back to its non-minified version. You can then debug this non-minified Javascript as per usual.
How can an attacker find a JS map file?
Firstly, we need to inspect the webpage source code and look for any “.js” files there. As you can see on the screenshot below we found “app-8a4b38cb30f5ecc24df1.js” file:
Next, we change our URL by adding “/NAME_OF_THE_SCRIPT.js” and we shall see our JS script:
Finally, to see the source map file we add “.map” at the end of our URL:
Why do you need to hide source map files?
If your source map file is publicly available, this means that any developer can obtain your original source code and find sensitive information, for example:
- Links to internal or hidden administrator pages
- API keys
- Sensitive routes or IP addresses
- Credentials.
To prevent such unauthorized access, it is a good idea to serve your source maps from a server that is only accessible to your development team.
Sources:
- https://blog.sentry.io/2015/10/29/debuggable-javascript-with-source-maps#private-source-maps
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage
See our penetration testing service to prevent this and many other security bugs.