Hunting for Secrets in Source Maps (.map Files)

How exposed source maps can leak API keys, hidden routes, and full JavaScript logic — and how bug hunters can exploit them

Monika sharma

OSINT Team

· ~2 min read · June 3, 2025 (Updated: June 3, 2025) · Free: No

Intro

Bug bounty hunters often look for juicy endpoints, misconfigured headers, or forgotten subdomains. But there's one hidden gem that often goes unnoticed: source maps. These .map files can expose an application's original source code — including API keys, internal logic, and even admin routes.

What Are Source Maps?

Source maps (.map files) are used in frontend development to map minified code back to its original readable form. They're essential for debugging in development but should never be publicly accessible in production.

Example

<script src="/static/js/app.min.js"></script>
<!-- Source map (should not be public) -->
<!-- <script src="/static/js/app.min.js.map"> -->

Why Are They Dangerous?

When exposed, source maps can:

Reveal full JavaScript logic
Disclose hidden API endpoints
Leak internal comments & dev notes
Expose hardcoded secrets, like:

Firebase keys
JWT secrets
AWS credentials
Internal feature flags

How to Find .map Files?

Manual Browsing

Look for main.min.js, bundle.js, etc.
Try appending .map (e.g., main.min.js.map)
Common paths:

/static/js/main.js.map  
/assets/js/app.min.js.map

2. Automated Tools

Use getsource
Dirbuster/Dirsearch with a .map wordlist
Gau/Waybackurls + grep for .map$

3. JS Reference Hunting

Use DevTools → Network → JS files
Check the bottom of each JS file — you might find:

//# sourceMappingURL=app.min.js.map

Real-World Exploitation

Let's say you find this:

https://target.com/static/js/main.min.js.map

Use a tool like:

npx source-map-unpacker main.min.js.map

Now you might see:

// TODO: Hide this before production
const adminToken = 'eyJhbGciOiJIUzI1NiIsInR5...';

fetch('/api/internal/getUserData?debug=true')

Boom! You've found a hidden internal endpoint or leaked token.

Bonus Tip: Combine with Recon

After extracting the original JS files:

Run LinkFinder to extract endpoints
Use gf patterns (e.g., gf jwt) on the unpacked JS
Try secret scanners like truffleHog or Gitleaks

Responsible Disclosure Tips

Always verify the leak is actually exploitable
Don't include full secrets in your report — redact sensitive data
Suggest a fix:

Disable public access to source maps in production. Use proper build configs like devtool: false in Webpack.

Conclusion

Exposed source maps are like breadcrumbs leading to the application's brain. Most developers don't realize how much information they leak but as a bug hunter now you do.

Happy Hunting!

#bug-bounty #tips-and-tricks #technology #penetration-testing #hacking

Hunting for Secrets in Source Maps (.map Files)

How exposed source maps can leak API keys, hidden routes, and full JavaScript logic — and how bug hunters can exploit them

Responsible Disclosure Tips

Reporting a Problem