Category

Vulnerability Scanning

Inputs

urls (file, required): List of script URLs

Outputs

endpoints, code, path-wordlist, parameter-wordlist, findings

Analyze JavaScript Code

Description

Retrieve JavaScript code from a list of URLs while preserving its original location structure. When available, extract sourcemaps to obtain non-minified code, then beautify and deobfuscate all code. Analyze the code to discover hidden endpoints, generate custom path and parameter brute-force wordlists based on script content, and scan for vulnerabilities by identifying outdated dependencies, insecure code patterns, and exposed secrets.

Features

  • Prepares code for manual review by downloading all files to a single location and extracting sourcemaps, when available, to obtain the original, non-minified code.
  • Simplifies code review by beautifying and deobfuscating code, and applying transformations such as unpacking arrays and removing redundant proxy functions.
  • Extracts hidden endpoints and paths from the code, including parameters and request methods.
  • Generates a custom wordlist for path discovery based on identified endpoints.
  • Creates a custom wordlist for parameter discovery using found endpoints and variable names.
  • Checks for outdated dependencies and identifies associated CVEs when available.
  • Scans for a wide range of exposed secrets.
  • Analyzes code for insecure patterns and client-side vulnerabilities.

Inputs

Required

  • urls: List of JavaScript code URLs (non-JS URLs will be automatically filtered out)
https://example.com/script.js
https://cdn.example.com/assets/app.min.js
https://another-example.com/js/main.js

Outputs

  • findings: JSONLines records of finding details
{"finding": "Potential exposed secret: URI","location": "https://cdn.example.com/assets/app.min.js","severity": "unknown","hostname": "cdn.example.com","domain_name": "example.com","method": "GET","matches": ["http://admin:password@example.com"]}
{"finding": "Outdated JavaScript component: jquery 2.2.3","location": "https://example.com/script.js","severity": "medium","hostname": "example.com","domain_name": "example.com","method": "GET","matches": ["CVE-2015-9251","CVE-2019-11358","CVE-2020-11023","CVE-2020-11022"]}
{"finding": "DOM Based XSS","location": "https://another-example.com/js/main.js","severity": "medium","description": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=<script>alert(document.cookie)</script> which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.","hostname": "another-example.com","domain_name": "another-example.com","method": "GET","matches": ["line 27"]}
  • endpoints: JSONLines records of endpoint details, including parameters and request methods
{"url": "/api/login", "query_parameter": "", "body_parameter": "username", "method": "POST", "source_files": ["https://another-example.com/js/main.js"]}
{"url": "/api/login", "query_parameter": "", "body_parameter": "password", "method": "POST", "source_files": ["https://another-example.com/js/main.js"]}
{"url": "/api/users", "query_parameter": "id", "body_parameter": "", "method": "GET", "source_files": ["https://another-example.com/js/main.js"]}
{"url": "/Dashboard", "query_parameter": "", "body_parameter": "", "method": "", "source_files": ["https://another-example.com/js/main.js"]}
  • path-wordlist: List of possible paths derived from identified endpoints
api/login/
api/users
Dashboard
  • parameter-wordlist: List of possible parameters derived from identified endpoints and variable names within the code
username
password
id
url
role
  • code: Folder containing the downloaded and analyzed code, with files beautified, deobfuscated, simplified, and sourcemaps resolved where available.
code/
├── example.com/
│   └── app.js             # Original source from resolved sourcemap
├── cdn.example.com/
│   └── script.js          # Beautified and deobfuscated version of the original minified script
└── another-example.com/
    └── main.js
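
One way to triage the findings output on the defender's side, as an added example that is not part of the module itself: it parses the JSONLines records, groups them by domain_name, ranks them by severity, separates CVE identifiers from other evidence, and masks passwords in URI matches so the report does not re-leak them. The severity scale, function names and sample lines are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the findings format shown above (not real scan output);
# the last line is deliberately malformed.
SAMPLE = """\
{"finding": "Potential exposed secret: URI", "location": "https://cdn.example.com/assets/app.min.js", "severity": "unknown", "hostname": "cdn.example.com", "domain_name": "example.com", "method": "GET", "matches": ["http://admin:password@example.com"]}
{"finding": "Outdated JavaScript component: jquery 2.2.3", "location": "https://example.com/script.js", "severity": "medium", "hostname": "example.com", "domain_name": "example.com", "method": "GET", "matches": ["CVE-2015-9251", "CVE-2019-11358", "CVE-2020-11023", "CVE-2020-11022"]}
{"finding": "DOM Based XSS", "location": "https://another-example.com/js/main.js", "severity": "medium", "hostname": "another-example.com", "domain_name": "another-example.com", "method": "GET", "matches": ["line 27"]}
{"finding": "truncated
"""

# Assumed severity scale: the page only shows "medium" and "unknown". Unrated
# findings sort ahead of "medium" so an exposed secret is not buried.
SEVERITY_ORDER = ["critical", "high", "unknown", "medium", "low", "info"]
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
USERINFO_RE = re.compile(r"(://[^/\s:@]+):[^/\s@]+@")  # scheme://user:password@

def load_findings(text):
    """Parse JSONLines; return (records, number of malformed lines skipped)."""
    records, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        try:
            rec = json.loads(line)
            if not (isinstance(rec, dict) and "finding" in rec):
                raise ValueError("not a finding record")
            records.append(rec)
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            skipped += 1
    return records, skipped

def triage(records):
    """Group by domain_name, rank by severity, split CVE ids from other
    evidence, and mask passwords embedded in URI matches."""
    rank = {s: i for i, s in enumerate(SEVERITY_ORDER)}
    by_domain = defaultdict(list)
    for rec in records:
        matches = [str(m) for m in rec.get("matches", [])]
        by_domain[rec.get("domain_name", "unknown")].append({
            "finding": rec["finding"],
            "severity": rec.get("severity", "unknown"),
            "location": rec.get("location", ""),
            "cves": sorted(m for m in matches if CVE_RE.match(m)),
            "evidence": [USERINFO_RE.sub(r"\1:***@", m) for m in matches if not CVE_RE.match(m)],
        })
    for items in by_domain.values():
        items.sort(key=lambda i: rank.get(i["severity"], len(rank)))
    return dict(by_domain)
```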

Changelog

  • v1.0.0
    • Initial release