web javascript enumeration information-disclosure docs recon

Treat leaked docs, bundles, and operational endpoints as the shortest path to the intended primitive, not just enumeration.

Exposed API Docs / README / JS Sources as Functional Oracles

Many web CTFs leak the intended surface in docs, bundled JS, or operational endpoints. This is not "just enumeration" — it is often the shortest path to the real primitive.

Why It Matters

  • Leaked routes, enum values, internal hostnames, and secret fragments sharpen every later step.

Vulnerable Pattern

  • Public /docs, OpenAPI, GraphQL schema, README.md, rules files, or chat-history endpoints assumed harmless.

Exploit Flow

  1. Enumerate documentation and frontend source before deep fuzzing.
  2. Map hidden routes, enum values, internal hostnames, secondary auth flows, or static secrets exposed there.
  3. Use the docs to sharpen the next exploit, not as a disconnected side task.
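An added example (not from the pwneglyph page or any of the listed challenges) showing step 2 from the reviewing side: an audit of what a published OpenAPI document gives away, run over a constructed spec. The hostnames, paths, parameter names and example values are invented for the demonstration.

```python
"""Pre-publish audit of what an OpenAPI document discloses: routes, enum
values, server hostnames (flagging internal-looking ones) and example
values on parameters whose names suggest a credential."""
import json
import re

# Constructed sample spec; hostnames and values are made up for the example.
SAMPLE_SPEC = json.dumps({
    "servers": [{"url": "https://api.example.test"},
                {"url": "http://ops-internal.corp.local:8080"}],
    "paths": {
        "/api/history": {"get": {"parameters": [
            {"name": "role", "in": "query",
             "schema": {"type": "string", "enum": ["user", "admin", "auditor"]}}]}},
        "/admin/rotate": {"post": {"parameters": [
            {"name": "x-ops-token", "in": "header",
             "schema": {"type": "string", "example": "ops-4f3c9a"}}]}},
    },
})

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
SECRETISH = re.compile(r"token|secret|key|passw", re.IGNORECASE)
INTERNAL_HOST = re.compile(r"localhost|\.local\b|\.internal\b|\.corp\b|"
                           r"\b(10|127|192\.168|172\.(1[6-9]|2\d|3[01]))\.", re.IGNORECASE)

def audit_openapi(raw):
    spec = json.loads(raw)
    found = {"routes": [], "enums": {}, "hosts": [], "internal_hosts": [],
             "secret_examples": []}
    for server in spec.get("servers", []):
        url = server.get("url", "")
        found["hosts"].append(url)
        if INTERNAL_HOST.search(url):
            found["internal_hosts"].append(url)
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip non-operation keys such as "parameters" or "summary"
            found["routes"].append(f"{method.upper()} {path}")
            for param in op.get("parameters", []):
                name, schema = param.get("name", ""), param.get("schema", {})
                if "enum" in schema:
                    found["enums"][name] = list(schema["enum"])
                if "example" in schema and SECRETISH.search(name):
                    found["secret_examples"].append(f"{path} {name}={schema['example']}")
    return found

if __name__ == "__main__":
    print(json.dumps(audit_openapi(SAMPLE_SPEC), indent=2))
```

Anything in internal_hosts or secret_examples should be stripped from the spec before it is served; the routes and enums list is the surface a reader can map without sending a single fuzzing request.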

Variations

  • Hidden HTTP headers, comments in JS bundles, generated API clients, or rule files containing secret fragments.

Common Blockers

  • Docs stale or incomplete — but even stale docs reveal naming, object shapes, and route families.

PoC Sketch

/robots.txt  /rules.txt  /README.md  /docs  /openapi.json  /graphql  /api/history
# enumerate before spending time on blind exploitation

Good Situations To Use It

  • The app ships docs, bundles, or operational endpoints.
  • You need to map hidden routes/enums quickly.
  • Before committing to blind fuzzing.

Sources

  • ehaxctf2026/web/tictactoe
  • 0xFUN2026/web/skyport_ops
  • hackday2026/web/epoch_guardian