FixVibe

// secrets / spotlight

Exposed Source Maps

If your .map files are public, the attacker is reading your TypeScript.

Kaitnya

Source maps are designed to be discoverable β€” that's the whole point. When the developer opens devtools, the browser fetches the `.map` file pointed at by the bundle's `sourceMappingURL` comment and remaps minified stack traces back to original source. Wonderful in development, dangerous in production: the same `.map` file is fetchable by anyone with curl, and inside it sits your TypeScript, your component names, your internal comments, your API path constants, and any string that survived minification by being in a non-minified code path. Public bug bounty programs are full of source-map-leak findings; companies as large as Twitter and Google have shipped them at various points.

Cara kerjanya

Modern bundlers (Webpack, Vite, esbuild, Next.js, Rollup) emit a comment at the end of each minified bundle: `//# sourceMappingURL=main.abc123.js.map`. Browsers honor this only when devtools is open, but anyone can fetch the URL directly. The `.map` file is JSON containing your original source files keyed by path, plus mapping data that lets a tool reconstruct exactly what you wrote. Tools like webcrack, source-map-explorer, and shujisr automate the reconstruction β€” feed them a public bundle and a public map and they output your repo structure as plain TypeScript or JavaScript. Even without the map URL, some bundlers leak via `.map` files that ship without the comment but live at predictable paths.

Varian-variannya

Inline sourceMappingURL

The comment at the bundle's end points at a .map file. Most common shape; most easily exploited.

Predictable .map paths

Even without the comment, bundlers ship .map files alongside .js files at the same path. `main.abc123.js` => `main.abc123.js.map`. Probing for the .map directly works.

Inlined data: URI source map

The map is base64-encoded inline at the end of the bundle (`sourceMappingURL=data:application/json;base64,...`). Same data, slightly less obvious to humans, equally useful to tools.

Radius dampak

Reveals internal API routes (your component code referenced `/api/admin/users` even though the route never appeared in the rendered HTML), comment-marked TODOs and FIXMEs that read like an attacker's wishlist, internal naming conventions, third-party API keys that survived minification because they were imported from a string constant, and the entire shape of your client logic. Every reverse-engineering task the attacker would otherwise have to do becomes a quick read.

// apa yang fixvibe periksa

Apa yang FixVibe periksa

FixVibe checks shipped client assets for high-confidence secret exposure signals and known credential formats. Reports identify the affected asset and rotation path. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Pertahanan kokoh

Emit source maps only for trusted error trackers and strip the discovery comment from the production bundle. Most bundlers support 'hidden' source maps β€” Webpack's `devtool: 'hidden-source-map'`, Vite's `build.sourcemap: 'hidden'`, Next.js's `productionBrowserSourceMaps: false` (default; or `'hidden'` if you ship them to Sentry). Upload the maps to your error tracker (Sentry's CLI, Bugsnag, Rollbar) at deploy time so stack-trace symbolication still works internally. If you genuinely need public source maps for some reason (rare), at least ensure the bundle itself contains no secrets β€” the rotate-everything-that-shipped principle applies. As a final layer, configure your CDN to refuse requests for `.map` files unless coming from your own dev tooling IPs.

// run it on your own app

Terus rilis sementara FixVibe yang berjaga.

FixVibe menguji permukaan publik app kamu sebagaimana seorang penyerang akan melakukannya β€” tanpa agent, tanpa instalasi, tanpa kartu. Kami terus meneliti pola kerentanan baru dan mengubahnya jadi check praktis serta perbaikan siap-tempel untuk Cursor, Claude, dan Copilot.

Secrets
39
tes yang dijalankan di kategori ini
modules
5
check secrets khusus
setiap pemindaian
487+
tes di seluruh kategori
  • Gratis β€” tanpa kartu kredit, tanpa instalasi, tanpa ping Slack
  • Cukup tempel URL β€” kami crawl, probe, dan laporkan
  • Temuan berperingkat severity, di-dedupe jadi sinyal saja
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Jalankan scan gratis β†’

// latest checks Β· practical fixes Β· ship with confidence

Exposed Source Maps β€” Sorotan Kerentanan | FixVibe Β· FixVibe