JS Is a Goldmine — Where It All Started
Everyone says JavaScript is a goldmine. For the longest time, all I found were leaked keys. Then one night, something clicked — and everything changed.
Hey, I'm Darya Hakeem Abubaker. People call me Ray. I run SteelGateSec.
This is my first writeup ever, so I want to start from the beginning. I've been into security since 2015. I already knew computers, I just had this thing where I'd look at anything and want to use it differently than it was supposed to be used. Push the wrong button on purpose and see what happens. So at some point I downloaded Kali, started messing around, and that's how it began. No real plan, just trying things and breaking things until stuff started making sense.
Bug bounty came around 2021. That's when I stopped messing around and got serious about it.
Quick Context
Since then I've reported 131+ vulnerabilities to around 20+ companies. Apple, Microsoft, PayPal, DoD, AT&T, T-Mobile, Meta, Yahoo, Recorded Future, and more. I'm currently on Apple's Hall of Fame for January, February, and March 2026 — three months consecutive — with 28+ vulnerabilities reported across Apple web properties. The goal is to stay on it the entire year.
Most of my bugs are still under NDA so I can't talk about them yet, and honestly I never wrote about any of it publicly until now. No blog, no Twitter, nothing. I just reported and moved on. Today I'm changing that.
Anyway. Let me actually get to the point.
The Surface Level
When I started bug bounty I did the same stuff everyone does. YouTube, courses, the usual. Open Burp, intercept some requests, try to bypass a rate limit, look for XSS in input fields, mess with parameters, replay old paths from Wayback. Standard.
It worked, I learned a lot, but something always bugged me. I felt like I was working on the surface. I knew the techniques but I didn't really get why the bugs existed. What's the dev thinking when they wrote this? What's actually happening behind the request? I wanted to understand the apps, not just attack them.
Later I subscribed to HTB and PentesterLab. Both helped a lot. But I still felt there was a level above me I couldn't reach.
There was one Jim Rohn quote stuck in my head the whole time:
"Why not you?"
That's it. That sentence is what kept me at the desk on the bad nights. Books also played a big role for me but that's a different writeup.
"JavaScript Is a Goldmine"
Now the part I actually want to talk about.
You know that phrase everyone repeats: "JavaScript is a goldmine." Every YouTuber, every top hunter on Twitter, every writeup. I heard it constantly and I wanted to know what they meant by it. So I tried.
For a long time, all I got out of JS was secrets. Hardcoded API key here, leaked token there, hidden endpoint nobody linked. Cool, find a key, report it, move on. That was my version of "goldmine."
But it didn't sit right. I knew the top guys weren't talking about leaked keys. There was something deeper they could see and I couldn't, and it bothered me for a long time.
I'm not gonna lie, it was months of opening JS files and understanding nothing. Minified code. Variables called a, b, c. Functions inside functions inside functions. I'd sit there at night just staring at it like, what am I even looking at.
The Click
Then last year something clicked. I can't fully explain it, I just stopped skimming and started actually reading. Slower. Following the logic instead of grepping for keywords. Once that happened, the whole thing opened up.
I was hunting on a small exchange program at the time. Nothing famous. Going through their JS like usual but with this new patience, and I started noticing how their password reset flow worked. The whole logic was sitting in the client. How the token got generated, how verification was checked, what got sent where.
Followed it, dug deeper, and found a Prototype Pollution that let me change anyone's password just by knowing their email.
Anyone. On a platform where people had real money in their accounts. Just an email.
That was my first real bug, and when I confirmed it actually worked I got up and walked away from the desk for a minute. Not because of the bounty. Because I finally understood what people meant.
JS being a goldmine was never about leaked keys. It's about reading the application's logic. Watching how the dev built the thing. Seeing every decision they made laid out in front of you, and then finding the exact spot where their logic falls apart.
That bug was my door. I walked through and never looked back.
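The writeup does not disclose how the pollution happened, so what follows is an added, constructed example of the bug class it names, not code from the application or from the author. It shows a recursive merge that pollutes `Object.prototype`, next to a hardened merge and an own-property check; all names in it (`unsafeMerge`, `safeMerge`, `isVerifiedLoose`, `isVerifiedStrict`) are hypothetical.

```javascript
// Constructed example; every name here is hypothetical, not from the writeup's target.

// Vulnerable: recursive merge that follows any key, including "__proto__".
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value); // target["__proto__"] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip prototype-reaching keys and only recurse into own properties.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A flag read through the prototype chain trusts polluted state; an own-property check does not.
const isVerifiedLoose = (session) => session.verified === true;
const isVerifiedStrict = (session) => hasOwn(session, 'verified') && session.verified === true;

function demo() {
  // Constructed request body, as JSON.parse would deliver it to a merge helper.
  const body = JSON.parse('{"__proto__": {"verified": true}, "email": "user@example.test"}');
  const out = { merged: safeMerge({}, body) };
  out.looseAfterSafe = isVerifiedLoose({});     // prototype untouched
  unsafeMerge({}, body);
  out.looseAfterUnsafe = isVerifiedLoose({});   // every plain object now inherits the flag
  out.strictAfterUnsafe = isVerifiedStrict({});
  delete Object.prototype.verified;             // undo the pollution
  return out;
}
```

Whatever the client-side code does, the server still has to enforce the reset token and the account binding itself, since anything decided in the browser can be read and changed by the user.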
Everything Changed
After that, JavaScript looked completely different. It wasn't just a file the browser loaded, it was the blueprint. Auth flows, role checks, internal endpoints that were never meant to be public, admin panels gated by checks that fall apart the second you understand what's being checked, hidden parameters the UI never shows but the JS sends quietly in the background. All of it sitting there in plain text. Just waiting for someone to read.
My methodology changed completely. I stopped throwing payloads and praying. Now I read first, understand the app first, then attack. By the time I send anything I usually already know where it'll break, because the JS told me.
After that the bugs came fast. Apple, PayPal, Microsoft, DoD, AT&T, T-Mobile, Meta, Yahoo, Recorded Future, more. 131+ across 20+ companies. Most of them started the same way. Just me sitting and reading JS that everyone else scrolled past.
Apple is the one I'm proudest of right now. 28+ vulnerabilities in three months, three consecutive months on the Hall of Fame, and I'm not stopping. The plan is the full year.
I'd love to share the details on each bug but most are still under disclosure. When they open up I'll write about them. Some are pretty wild and worth waiting for.
If You're Where I Was
If you're at the start of all this, doing what I was doing — watching videos, grinding HTB, looking for XSS, fuzzing params, crawling Wayback — and you've got that feeling there's a deeper level you can't reach yet, this is it. Read the JavaScript. Not just for secrets. Actually read it. Follow the logic. Think about what the dev was building and where they messed up.
It'll feel impossible at first, you'll want to close the tab a hundred times, just come back the next day and the day after.
One day it clicks.
That's how a tiny exchange and a Prototype Pollution bug ended up leading to Apple, the Pentagon, and 131+ vulns.
And every time I almost quit, the same line dragged me back:
Why not you?
JS is a goldmine. The gold doesn't come find you though. You go get it.
— Darya "Ray" Hakeem Abubaker
SteelGateSec