JavaScript Source Map Vulnerabilities

What is a JavaScript source map file? A source map maps transformed, minified, or compiled JavaScript back to the original source it was built from, and source maps are frequently found exposed on public web applications. They exist for debugging: with the map loaded, the browser's developer tools show and step through the original source even though the engine is executing the optimized bundle. Some third-party tools also rely on the source map to do their job.

As mentioned, there are legitimate reasons for a source map to exist, but developers often assume that their minified code cannot be read by an attacker. If source maps ship with a production deployment, they expose the original source code, which may contain comments, unminified logic, and other sensitive information. Whether source maps belong in the production environment at all should be a deliberate decision, not a build default nobody looked at.

Tools like Sentry, Bugsnag, and Rollbar use source maps to turn minified stack traces back into readable ones. Rollbar and Sentry, for example, let the developer upload the source map to the service at build time so it never has to be served by the web application. Bundlers also offer a "hidden" source-map mode that writes the .map file without adding the //# sourceMappingURL= comment to the bundle, which fits that upload workflow as long as the .map files themselves are kept out of the web root. Additionally, comments should be stripped before minifying, because an attacker can read them once the source is reconstructed from the map.

Source maps are key assets in web application penetration testing and bug bounty hunting because they let the tester enumerate essentially every API endpoint the front end knows about without logging in or manually mapping and spidering the application. Often there are hidden endpoints present that the tester would never reach through the application's normal user interface.

Here is a tool that the Brackish Security team likes to use to reconstruct source code once a source map file has been discovered. Finding the map is usually simple: the last line of the bundle often carries a //# sourceMappingURL= comment that points at it, and failing that, appending .map to the name of the main/app/index JavaScript file (app.js becomes app.js.map) is the convention most bundlers follow.

Here are some more links to read: