
A Chrome/Firefox extension to retrieve and load React JavaScript chunks all at once for a wide range of JavaScript techs


ElSicarius/chunkloader


Chunk Loader

Chunk Loader is a Chrome/Firefox extension that allows users to load and import JavaScript chunks from a specified URL. This tool is designed for security researchers and bug bounty hunters, to help them find bugs in React apps.

Features

  • Auto-find the useful JS file to load chunks from.
  • Load JavaScript chunks from a specified URL.
  • Find all the JavaScript "import(x)" or "import x,y from 'z'" statements using the "Run against All" function.
  • Specify the base path for chunk files.
  • Customize the file extension for chunk files.
  • Persist URL, base path, and file extension across browser sessions.
  • Parse _buildManifest.js files to find the chunks automatically.
  • Parse webpack bundles (most of the time).

React Apps

React applications often use code splitting to improve performance by loading only the code needed for a given page. This can make it difficult to find and analyze all the JavaScript code that is being executed. Chunk Loader helps security researchers and bug bounty hunters identify and analyze the JavaScript chunks that are being loaded by a React application.

/!\ It's not perfect, and it might not work on all apps. I'm adding new ways to find the chunks regularly, but if you have a suggestion, feel free to open an issue or a PR. /!\

/!\ The extension imports the scripts it finds, which executes them in your browser, so do not run it on "untrusted" apps. I'm not responsible if anything happens to your browser :) /!\
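As an added example (not the extension's own code), the sketch below statically lists the chunk URLs referenced by a bundle's "import(x)" and "import x,y from 'z'" statements without importing any of them, and separates cross-origin chunks so they can be reviewed before anything is loaded. The sample bundle, the `findChunkUrls` name and the example.com/example.net URLs are constructed for illustration.

```javascript
// Added example: list the chunk URLs a bundle references without importing them.
// SAMPLE_BUNDLE is constructed for illustration; it is not from a real app.
const SAMPLE_BUNDLE = `
import React from "react";
import { api } from "../lib/api.js";
import "./polyfills.js";
const Admin = () => import("./pages/admin.chunk.js");
const Profile = () => import(/* webpackChunkName: "profile" */ './pages/profile.chunk.js');
const Dyn = (name) => import("./pages/" + name + ".js");
import("https://cdn.example.net/widget.js");
`;

// Dynamic import whose only argument is a string literal (optional leading comment).
const DYNAMIC_IMPORT = /\bimport\s*\(\s*(?:\/\*[\s\S]*?\*\/\s*)?(["'])([^"'\n]+)\1\s*\)/g;
// Static import: `import a, {b} from "x"` or the side-effect form `import "x"`.
const STATIC_IMPORT = /\bimport\s+(?:[\w$*\s{},]+?\s+from\s+)?(["'])([^"'\n]+)\1/g;
// Only path-like or absolute specifiers name a file; bare ones ("react") are packages.
const PATH_LIKE = /^(?:\.{0,2}\/|https?:\/\/)/;

function findChunkUrls(source, bundleUrl) {
  const allowedOrigin = new URL(bundleUrl).origin;
  const sameOrigin = new Set();
  const crossOrigin = new Set();
  for (const pattern of [DYNAMIC_IMPORT, STATIC_IMPORT]) {
    for (const match of source.matchAll(pattern)) {
      const specifier = match[2];
      if (!PATH_LIKE.test(specifier)) continue; // bare package name, not a chunk path
      let resolved;
      try {
        resolved = new URL(specifier, bundleUrl); // resolve relative to the bundle
      } catch {
        continue; // malformed specifier
      }
      // Chunks served from another origin are kept apart for review.
      (resolved.origin === allowedOrigin ? sameOrigin : crossOrigin).add(resolved.href);
    }
  }
  return { sameOrigin: [...sameOrigin].sort(), crossOrigin: [...crossOrigin].sort() };
}

// The computed import ("./pages/" + name + ".js") is skipped: it has no literal path.
console.log(findChunkUrls(SAMPLE_BUNDLE, "https://app.example.com/static/js/main.js"));
```

Regex matching is an approximation: minified or computed imports such as the `Dyn` line cannot be resolved statically and are left out of the result.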

Installation Instructions

Follow these steps to install and use the Chunk Loader extension in Google Chrome or a Firefox developer build.

  • Firefox store: Todo

  • Chrome store: Todo

Step 1: Clone the Repository

First, clone the repository to your local machine using the following command:

git clone https://github.com/ElSicarius/chunkloader.git

Step 2: Load the Extension in Chrome

  1. Open Google Chrome and navigate to chrome://extensions/.
  2. Enable "Developer mode" by toggling the switch in the upper-right corner.
  3. Click the "Load unpacked" button.
  4. Select the "chunkloader" subdirectory of the cloned repository.

Step 3: Use the Extension

  1. Click on the Chunk Loader extension icon in the Chrome toolbar to open the popup.
  2. Enter the URL of the main JavaScript file in the "JS File URL" field, or just click the auto-find button and try the suggested resources! (You can cycle through the sources by hitting the button multiple times.)
  3. (Alternative to step 2) Use "Run against All" to try to run the discovery script against all the JS files.
  4. The base path for chunk files will be automatically populated based on the JS file URL. You can modify it if needed.
  5. Enter the file extension for the chunk files in the "File Extension" field (the default is .chunk.js, but the extension might try to adapt to the technology in use).
  6. Click the "Load Chunks" button to load the specified chunks and see the magic happen.

Customize

As the extension is a bit "hacky", webpack might use a different file format for its chunks. In some cases you might need to transform the file format; you can do this with Burp's match and replace feature.

Contributing

Contributions are welcome! If you have any suggestions or improvements, please open an issue or submit a pull request.

License

This project is licensed under the MIT License. See the LICENSE file for details.

Contact

For any questions or inquiries, you can reach out to me on Twitter.
