By Pakurity on Sat Mar 13 2021
How can an attacker find a JS map file?
First, inspect the web page's source code and look for any “.js” files referenced there. As you can see in the screenshot below, we found the file “app-8a4b38cb30f5ecc24df1.js”:
Next, append “/NAME_OF_THE_SCRIPT.js” to the URL to view the JS bundle itself:
Finally, add “.map” to the end of that URL to request the source map file:
Why do you need to hide source map files?
If your source map file is publicly available, anyone can recover your original, unminified source code and search it for sensitive information, for example:
- Links to internal or hidden administrator pages
- API keys
- Sensitive routes or IP addresses
To prevent such unauthorized access, it is a good idea to serve your source maps from a server that is only accessible to your development team.
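A pre-release check for the exposure described above, added here as an example that is not part of Pakurity's post: it flags bundles that still carry a sourceMappingURL comment and reports what a served map would reveal. The bundle text, the map object and the file paths inside it are constructed samples.

```javascript
// Added example, not code from the original post. Two defender-side checks:
// (1) does a built bundle still point browsers at a .map file, and
// (2) what would that map reveal if it were served publicly.
// The bundle text and map object below are constructed samples.

// Matches the comment a build tool appends to a bundle: "//# sourceMappingURL=x"
// (or the legacy "//@" form, or the "/*# ... */" form used in CSS-style bundles).
const SOURCE_MAP_COMMENT =
  /\/\/[#@]\s*sourceMappingURL=(\S+)|\/\*[#@]\s*sourceMappingURL=(\S+?)\s*\*\//g;

// Return every source map URL a bundle advertises (empty array = none).
function findSourceMapReferences(bundleText) {
  const refs = [];
  for (const m of bundleText.matchAll(SOURCE_MAP_COMMENT)) {
    refs.push(m[1] || m[2]);
  }
  return refs;
}

// Summarise what an outsider learns from a source map: the original file
// paths, and whether the original code itself is embedded (sourcesContent).
function describeSourceMap(map) {
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const embedsOriginalCode = Array.isArray(map.sourcesContent) &&
    map.sourcesContent.some((c) => typeof c === 'string' && c.length > 0);
  return { sourceCount: sources.length, sources, embedsOriginalCode };
}

// Release gate: a production bundle must not reference a map at all. With
// webpack, devtool: 'hidden-source-map' builds the map but omits this comment,
// so the map can stay on an internal server without browsers being told where it is.
function checkBundleForRelease(bundleText) {
  const refs = findSourceMapReferences(bundleText);
  return { ok: refs.length === 0, refs };
}

// Constructed sample: a minified bundle that still carries the comment.
const SAMPLE_BUNDLE =
  '!function(){console.log("hi")}();\n' +
  '//# sourceMappingURL=app-8a4b38cb30f5ecc24df1.js.map\n';
const STRIPPED_BUNDLE = '!function(){console.log("hi")}();\n';

// Constructed sample map: the paths alone already reveal an internal route.
const SAMPLE_MAP = {
  version: 3,
  file: 'app-8a4b38cb30f5ecc24df1.js',
  sources: ['webpack:///src/pages/internal-admin.js', 'webpack:///src/api/client.js'],
  sourcesContent: ['export const ADMIN_PATH = "/internal-admin";', null],
  mappings: 'AAAA',
};

console.log(checkBundleForRelease(SAMPLE_BUNDLE)); // { ok: false, refs: [...] }
console.log(describeSourceMap(SAMPLE_MAP));        // sourceCount: 2, embedsOriginalCode: true
```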
See our penetration testing service to prevent this and many other security bugs.