How I Got a 200 Euro Bounty
Hi everyone, I am back with another writeup.
Today I explain how I found an information disclosure vulnerability by exploiting a JWT and an API key.
Actually, JS files are a hacker's best friend most of the time. When you
read the JS files carefully, you will definitely find something.
Let's call the target example.com.
Without delay, let's start with our main topic. It was a limited-scope
private program, but a two-year-old one, with the main domains in scope.
I opened the target https://example.com in the browser, then started
enumerating JS files: View Page Source (Ctrl+U), then
search (Ctrl+F) for ".js".
Then I started checking every JS file for some common keywords, such as:
eyJ (JWT token)
api (API key)
https:// (URLs)
amazonaws (S3 bucket or AWS keys)
admin (admin path)
password (any credentials)
id (sometimes an API key is named "id")
sk_ (Stripe API key)
Those are some of the common keywords to search for in JS files.
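The same keyword search turned into a small scanner you can run over your own bundles before they ship, so a leaked token or key is caught in review rather than by a bounty hunter. This is an added example, not code from the writeup; the HTML page, the JS bundle and the token in it are constructed samples, and the patterns are the writeup's keyword list tightened a little to cut down on noise.

```python
import base64
import json
import re

# Constructed sample page and bundle (not from any real target).
SAMPLE_HTML = """<html><head>
<script src="/static/app.bundle.js?v=3"></script>
<script src="https://cdn.example.com/vendor.js"></script>
</head><body></body></html>"""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Unsigned demo token built as header.payload."sig"; a JSON header always starts with "eyJ".
SAMPLE_JWT = ".".join([_b64url(b'{"alg":"HS256","typ":"JWT"}'),
                       _b64url(b'{"sub":"demo","role":"admin"}'), "sig"])

SAMPLE_JS = f"""
const API_BASE = "https://api.example.com/v1";
const bucket = "https://assets-example.s3.amazonaws.com/";
var authToken = "{SAMPLE_JWT}";
const stripeKey = "sk_test_EXAMPLEKEY00000000";  // constructed placeholder
fetch("/admin/users", {{ headers: {{ api_key: "abcd1234" }} }});
"""

# The writeup's keyword list, tightened into patterns that produce fewer false hits.
PATTERNS = {
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{8,}"),
    "aws_s3": re.compile(r"[A-Za-z0-9.-]+\.amazonaws\.com"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|password|secret)\b\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
    "admin_path": re.compile(r"['\"]/admin[^'\"]*['\"]"),
    "url": re.compile(r"https?://[^\s'\"<>]+"),
}

def script_urls(html: str) -> list[str]:
    """Same as view-source + Ctrl+F ".js": collect every <script src> that points at a JS file."""
    return re.findall(r"<script[^>]+src=[\"']([^\"']+\.js[^\"']*)[\"']", html, flags=re.I)

def scan_js(source: str) -> list[tuple[str, str]]:
    """Return (pattern name, matched text) for every hit in one JS file."""
    return [(name, m.group(0)) for name, rx in PATTERNS.items() for m in rx.finditer(source)]

def decode_jwt_claims(token: str) -> dict:
    """Decode (without verifying) the payload so you can see what a leaked token would grant."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

if __name__ == "__main__":
    print("scripts:", script_urls(SAMPLE_HTML))
    for name, value in scan_js(SAMPLE_JS):
        print(f"{name:22} {value}")
        if name == "jwt":
            print("   claims:", decode_jwt_claims(value))
```

Point it at the real bundle URLs returned by script_urls (fetch each one) and treat any jwt, stripe_secret_key or credential_assignment hit as a blocker until the value is rotated.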