The Source Map feature is another interesting way to make the browser send requests!
You can read about the legitimate usage of Source Maps elsewhere, but here we will focus on abusing the abilities of that feature to show how attackers can use it in all sorts of ways!
Any script tag whose content contains a comment that looks like this:
//# sourceMappingURL=http://example.com
will make the browser send a request to http://example.com in either of these cases:
1. devtools opening was triggered
2. devtools were already open when the page was loaded
Since this is a debugging feature, it only works when the devtools are open. But because of it being a debugging feature, it has some extra abilities that are kind of unique, which will be demonstrated here.
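From a defender's side, the practical check that follows from the above is to scan the JavaScript you serve for `sourceMappingURL` directives that point off-origin, since those are the ones that will silently beacon to a third party the moment a developer opens devtools. The following is an added example (not part of this page's demos or its staticJS file); it matches the `//#` and legacy `//@` line-comment forms and the `/*# ... */` block-comment form, resolves relative targets against the script's own URL, and flags any target whose origin differs. The script URL, the sample JavaScript and the `third-party.example` host are constructed for the demonstration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Matches "//# sourceMappingURL=", the legacy "//@" form, and the block-comment
# "/*# sourceMappingURL= ... */" form; captures the target up to whitespace or "*".
SOURCEMAP_RE = re.compile(
    r"(?:^|\s)(?://|/\*)\s*[#@]\s*sourceMappingURL=([^\s*]+)", re.MULTILINE
)


def find_source_map_urls(js_source: str) -> list[str]:
    """Return every sourceMappingURL target found in the script body, in order."""
    return SOURCEMAP_RE.findall(js_source)


def off_origin_source_maps(js_source: str, script_url: str) -> list[str]:
    """Return absolute source-map URLs whose origin differs from the script's own.

    data: URLs are skipped because they embed the map inline and cause no request.
    """
    script_origin = urlsplit(script_url)
    flagged = []
    for target in find_source_map_urls(js_source):
        if target.startswith("data:"):
            continue
        absolute = urljoin(script_url, target)  # relative targets resolve against the script
        parts = urlsplit(absolute)
        if (parts.scheme, parts.netloc) != (script_origin.scheme, script_origin.netloc):
            flagged.append(absolute)
    return flagged


# Constructed sample: one legitimate same-origin map plus one off-origin directive
# hidden in a block comment, which is exactly the pattern this page describes.
SAMPLE_SCRIPT_URL = "https://site.example/static/app.js"
SAMPLE_JS = """\
(function () { console.log("app"); })();
//# sourceMappingURL=app.js.map
/*# sourceMappingURL=http://third-party.example/beacon */
"""

if __name__ == "__main__":
    for url in off_origin_source_maps(SAMPLE_JS, SAMPLE_SCRIPT_URL):
        print("off-origin source map request target:", url)
```

Run it over each script your pages serve (inline script bodies included, since the page's own demo uses a script tag rather than an external file) and treat any flagged URL as a finding; the same-origin `app.js.map` is reported by `find_source_map_urls` but not flagged, which is the behaviour you want in a build-time check.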
First notice that there is no indication in the devtools that the request was made - not in the network tab, not in the console - simply nowhere!
Your only chance of telling that it actually worked is to check the logs the server produces and see for yourself!
For your convenience, I will be writing the logs the server produces here in red.
Don't worry about how I get the server logs to the client side when the sourceMappingURL requests can't process the responses - I've implemented a special trick in the demos just for that ;)
(The Source Map feature is used statically in this page; the directive can be found at the bottom of the staticJS file of this page.)