Analyze JavaScript Code
Identify vulnerabilities, collect useful data, and prepare JavaScript code for manual review
Outputs
endpointscodepath-wordlistparameter-wordlistfindings
Analyze JavaScript Code
Description
Retrieve JavaScript code from a list of URLs while preserving its original location structure. When available, extract sourcemaps to obtain non-minified code, then beautify and deobfuscate all code. Analyze the code to discover hidden endpoints, generate custom path and parameter brute-force wordlists based on script content, and scan for vulnerabilities by identifying outdated dependencies, insecure code patterns, and exposed secrets.
Features
- Prepares code for manual review by downloading all files to a single location, extracting sourcemaps when available to obtain original, non-minified code.
- Simplifies code review by beautifying and deobfuscating code, and applying transformations such as unpacking arrays and removing redundant proxy functions.
- Extracts hidden endpoints and paths from the code, including parameters and request methods.
- Generates a custom wordlist for path discovery based on identified endpoints.
- Creates a custom wordlist for parameter discovery using found endpoints and variable names.
- Checks for outdated dependencies and identifies associated CVEs when available.
- Scans for a wide range of exposed secrets.
- Analyzes code for insecure patterns and client-side vulnerabilities.
Inputs
Required
- urls: List of JavaScript code URLs (non-JS URLs will be automatically filtered out)
Outputs
- findings: JSONLines records of finding details
- endpoints: JSONLines records of endpoint details, including parameters and request methods
- path-wordlist: List of possible paths derived from identified endpoints
- parameter-wordlist: List of possible parameters derived from identified endpoints and variable names within the code
- code: Folder containing the downloaded and analyzed code, with files beautified, deobfuscated, simplified, and sourcemaps resolved where available.
Changelog
- v1.0.0
- Initial release