10 Pieces Of JavaScript That Could Cost You Dearly In A Bug Bounty Program

Teaching JavaScript to bug bounty hunters involves focusing on parts of the language and its ecosystem that are commonly associated with security vulnerabilities. Here are 10 examples of JavaScript code snippets, each highlighting different aspects that might be interesting for bug bounty hunters:

1. Cross-Site Scripting (XSS) through InnerHTML:

   // Vulnerable to XSS if 'userInput' is not sanitized
   document.getElementById('someElement').innerHTML = userInput;
   

2. DOM-based XSS through URL Manipulation:

   // Vulnerable to DOM-based XSS if URL parameters are not properly handled
   var userData = window.location.href.substring(window.location.href.indexOf("user=") + 5);
   document.getElementById('userDisplay').innerText = userData;
   

3. JavaScript Injection via eval():

   // Dangerous use of eval() with user-provided data
   var userCode = getUserInput();
   eval(userCode);
   

4. Prototype Pollution:

   // Vulnerable to prototype pollution
   function mergeOptions(obj1, obj2) {
      for (var prop in obj2) {
          if (obj2.hasOwnProperty(prop)) {
              obj1[prop] = obj2[prop];
          }
      }
   }
   

5. Insecure Direct Object References (IDOR):

   // Using user input directly in an important operation
   var userId = document.getElementById('userId').value;
   var userData = getUserData(userId); // Potential IDOR if not properly checked
   

6. Client-Side Logic Manipulation:

   // Relying on client-side validation for important logic
   if (clientSideCheckPassed()) {
      completeTransaction();
   }
   

7. Sensitive Data Exposure in Local Storage:

   // Storing sensitive data in local storage
   localStorage.setItem('sessionToken', sessionToken);
   

8. Insecure CORS Policy:

   // Setting a too permissive CORS policy
   app.use((req, res, next) => {
    res.setHeader('Access-Control-Allow-Origin', '*');
    next();
   });
   

9. Using document.write with User Input:

   // Potential XSS vulnerability with document.write
   var userInput = getUrlParameter("userInput"); // Assuming this function gets user input from URL
   document.write(userInput);
   

10. Improper Error Handling Revealing Sensitive Info:

    // Insecure error handling that could reveal sensitive information
    try {
        performSensitiveOperation();
    } catch (error) {
        console.log('Error:', error); // Logging detailed error information
    }
    

Each of these examples represents a common issue in JavaScript coding that can lead to vulnerabilities. Bug bounty hunters should be familiar with these patterns to identify and report potential security issues effectively.