Say hello to Source Maps!

The Source Map feature is another interesting way to send requests from the browser!
You can read about the legitimate usage of Source Maps, but here we will be focusing on abusing the abilities of that feature to show how hackers can use it in all sorts of ways!

Any script tag whose content contains a comment that looks like this: //# sourceMappingURL=http://example.com will make the browser send a request to http://example.com in either of these cases:
1. devtools opening was triggered
2. devtools were open when page was loaded

Since this is a debugging feature, it only works when the devtools are open. But precisely because it is a debugging feature, it has some extra abilities that are fairly unique, which will be demonstrated here.
Also, the responses unfortunately cannot be processed by client-side JavaScript, since the browser itself is the only client-side entity that should process the server's response in order to enable the Source Map feature.

First, notice that there is no indication in the devtools that the request was made - not in the network tab, not in the console - simply nowhere!
Your only way of telling that it actually worked is to check the logs the server produces and see for yourself!
For your convenience, I will be writing the logs the server produces here in red.
Don't worry about how I get the server logs to the client side if the sourceMappingURL requests can't process the responses - I've implemented a special trick in the demos just for that ;)
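Because the fetch leaves no trace in the devtools, the server log is the only place a defender can see it. The following is an added example (not code from this page or its demos) that does two things: it scans the scripts you serve for sourceMappingURL comments and reports any whose target resolves to a foreign host (a script that points its source map elsewhere tells that host which clients opened devtools), and it runs over access-log lines in the common nginx/Apache "combined" format to list the clients whose source-map fetch shows up. The script bodies, host names and log lines are constructed sample data, and "demo.example" and "collector.example" are assumed names.

```python
import re
from urllib.parse import urljoin, urlparse

# The comment form a browser honours; "//@" is the older, deprecated spelling
# that some browsers still accept, so both are matched.
SOURCEMAP_RE = re.compile(r"^\s*//[#@]\s*sourceMappingURL=(\S+)\s*$", re.MULTILINE)

# nginx/Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample scripts (script URL -> body); not the page's demo files.
SAMPLE_SCRIPTS = {
    "http://demo.example/static.js": 'console.log("hi");\n//# sourceMappingURL=http://demo.example/smap-beacon\n',
    "http://demo.example/demo.js": 'run();\n//# sourceMappingURL=http://collector.example/track.map\n',
    "http://demo.example/app.js": 'init();\n//# sourceMappingURL=app.js.map\n',
}

# Constructed sample access log for demo.example; the two 13:55:41 entries are
# what a source-map fetch looks like from the server's side.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /static.js HTTP/1.1" 200 2048 "http://demo.example/index.html" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /smap-beacon HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /app.js.map HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def find_source_map_urls(js_text):
    """Every sourceMappingURL target declared in one script body."""
    return SOURCEMAP_RE.findall(js_text)


def third_party_source_maps(scripts, own_host):
    """(script_url, resolved target) pairs whose source map lives on a foreign host.

    Relative targets are resolved against the script's own URL first.
    """
    leaks = []
    for script_url, body in scripts.items():
        for target in find_source_map_urls(body):
            resolved = urljoin(script_url, target)
            if urlparse(resolved).hostname != own_host:
                leaks.append((script_url, resolved))
    return leaks


def expected_map_paths(scripts, own_host):
    """URL paths on own_host that a devtools source-map fetch would request."""
    paths = set()
    for script_url, body in scripts.items():
        for target in find_source_map_urls(body):
            resolved = urlparse(urljoin(script_url, target))
            if resolved.hostname == own_host:
                paths.add(resolved.path)
    return paths


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def source_map_fetches(log_text, map_paths):
    """(ip, timestamp, path) for every request that hits a declared source-map
    path or any *.map file. Status code is irrelevant: the browser fetched it
    regardless of what the server answered."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0]
        if path in map_paths or path.endswith(".map"):
            hits.append((rec["ip"], rec["ts"], path))
    return hits


def devtools_clients(log_text, map_paths):
    """Sorted client IPs whose source-map fetch appears in the log."""
    return sorted({ip for ip, _, _ in source_map_fetches(log_text, map_paths)})


if __name__ == "__main__":
    paths = expected_map_paths(SAMPLE_SCRIPTS, "demo.example")
    print("foreign source maps:", third_party_source_maps(SAMPLE_SCRIPTS, "demo.example"))
    print("source-map fetches:", source_map_fetches(SAMPLE_LOG, paths))
    print("clients that opened devtools:", devtools_clients(SAMPLE_LOG, paths))
```

Running it against the constructed data reports demo.js as pointing its source map at collector.example, and lists 203.0.113.5 as the one client whose source-map requests reached the server, while 198.51.100.7, which only loaded the page, does not appear. On a real deployment the same scan of served scripts is a cheap way to spot a sourceMappingURL comment that was injected into a script you did not write.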

(The use of the Source Map feature in this page is done statically and can be found at the bottom of the staticJS file in this page.)
