Unpacking the Bundle - Weaponizing Webpack & Source Maps for Critical Info
Workshop
Modern Single Page Applications (SPAs) rely heavily on bundlers like Webpack, Vite, and Parcel to package dependencies and business logic. However, the transition from development to production can leave sensitive information behind in the shipped artifacts, resulting in information disclosure. In this workshop, I will dissect the internal structure of JavaScript bundles and the associated Source Map standard. We will look specifically at how the devtool configuration in webpack.config.js impacts the final artifact and why developers frequently leave full source recovery enabled by mistake.
From a technical perspective, we will analyze the JSON structure of .map files, specifically targeting the sourcesContent field, which usually holds the original, unminified source code. I will demonstrate how to automate the retrieval of these maps even when they are not explicitly linked via the //# sourceMappingURL comment, using heuristic analysis of the main bundle. Once the source tree is reconstructed, we will use static analysis (AST parsing) to hunt for high-entropy strings (secrets) and internal API routes that represent a significant risk.
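As an added example (not code from the workshop), a pre-deploy check a build pipeline can run over its output to catch the two exposures described above: a bundle that still carries a sourceMappingURL comment (external file or inline base64 data URL), and a version-3 map whose sourcesContent embeds the original files. The bundle, map and build-output lookup are constructed inline.

```javascript
const SOURCEMAP_RE = /\/[\/*][#@]\s*sourceMappingURL=([^\s*]+)/g;
const DATA_URL_RE = /^data:application\/json(?:;charset=[\w-]+)?;base64,(.+)$/;

// Every sourceMappingURL reference (external file or inline data: URL) in a bundle.
function findSourceMapRefs(bundleText) {
  return Array.from(bundleText.matchAll(SOURCEMAP_RE), (m) => m[1]);
}

// Parse a v3 source map and report what shipping it would reveal.
function auditSourceMap(mapText) {
  let map;
  try { map = JSON.parse(mapText); } catch { return { parsed: false, embedded: 0, findings: ['map is not valid JSON'] }; }
  const findings = [];
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const embedded = contents.filter((c) => typeof c === 'string' && c.length > 0).length;
  if (embedded > 0) findings.push(`sourcesContent embeds ${embedded} of ${sources.length} original files`);
  const firstParty = sources.filter((s) => !/(^|\/)node_modules\//.test(s));
  if (firstParty.length > 0) findings.push(`${firstParty.length} first-party source paths exposed`);
  return { parsed: true, embedded, firstParty, findings };
}

// Audit one bundle. resolveMap(ref) returns the text of an external .map file from the
// build output, or null when it is absent (a dangling reference is still worth flagging).
function auditBundle(bundleText, resolveMap = () => null) {
  return findSourceMapRefs(bundleText).map((ref) => {
    const inline = ref.match(DATA_URL_RE);
    const mapText = inline ? Buffer.from(inline[1], 'base64').toString('utf8') : resolveMap(ref);
    if (mapText === null) return { ref, inline: false, findings: ['sourceMappingURL references a map that is not in the build output'] };
    return { ref, inline: Boolean(inline), ...auditSourceMap(mapText) };
  });
}

// Constructed sample (not a real project): what `devtool: 'source-map'` leaves behind.
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  sources: ['webpack:///./src/api/client.js', 'webpack:///./node_modules/axios/index.js'],
  sourcesContent: ['const API_BASE = "/internal/v2/admin";\nexport default API_BASE;', null],
  names: [], mappings: 'AAAA',
});
const SAMPLE_BUNDLE = '!function(){}();\n//# sourceMappingURL=main.js.map\n';
const INLINE_BUNDLE = '!function(){}();\n//# sourceMappingURL=data:application/json;charset=utf-8;base64,'
  + Buffer.from(SAMPLE_MAP).toString('base64') + '\n';

// Run the audit over the constructed build output and print the reports.
const DIST = { 'main.js.map': SAMPLE_MAP };
console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE, (ref) => DIST[ref] ?? null), null, 2));
console.log(JSON.stringify(auditBundle(INLINE_BUNDLE), null, 2));
```

If the check reports a finding, set devtool to false for production builds, or use 'hidden-source-map' and keep the .map files out of the deployed artifact (upload them to the error tracker instead).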
José Emiliano Pérez Garduño is a Pentester specializing in Web Application Security. With a focus on secure code development, he has spent years analyzing how modern development stacks introduce new attack surfaces. Passionate about bridging the gap between DevOps and Web Security, he regularly contributes to the community through talks and by sharing knowledge via intern programs or by working with teams in CTFs.
Good to know
Highlights
- 2 hours
- In person
Location
REDi AMG
1505 Calle Manuel López Cotilla
Guadalajara, JAL 44160
