loading
loading
Discovery
Extract URLs, paths, secrets, and other interesting bits from JavaScript.
overview
jsluice reads JavaScript with a real parser instead of regex, building a syntax tree and walking it for the things that matter in recon: URLs, paths, and secrets. Because it understands the code's structure, it recovers endpoints assembled from string concatenation and config objects that a flat pattern match would miss.
It runs in modes: urls to pull endpoints, secrets to find keys and tokens, tree to inspect the parse tree, and query to run a tree-sitter query for custom extraction. You can supply your own secret patterns, resolve relative paths against a base URL, and process whole folders of scripts concurrently.
On Trickest, jsluice is a Discovery node that takes a JavaScript file or a folder of scripts and writes a file and a folder of results. Chain it after a crawler or a JS-collection step, then feed the recovered URLs to a prober and the secrets to your triage path.
source github.com/BishopFox/jsluice
use cases
Run urls mode over a folder of scripts to recover API routes and paths, including ones built from concatenation that regex tools like LinkFinder skip.
Run secrets mode to surface API keys and tokens left in bundles, and supply a --patterns JSON file to match project-specific token formats.
Pass a base URL to --resolve-paths so jsluice turns the relative paths it finds into absolute endpoints ready for a prober to hit.
Use query mode with a --query expression to extract exactly the syntax nodes you care about, or tree mode to inspect the parse tree first.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| mode | STRING | · | Mode to run (urls, secrets, tree, query, format). |
| input-file | FILE | · | A JavaScript file to analyze. |
| input-folder | FOLDER | · | Folder of JavaScript files to analyze. |
| query | STRING | --query | Tree-sitter query to run, e.g. '(string) @matches'. |
| patterns | FILE | --patterns | JSON file of user-defined secret patterns to look for. |
| resolve-paths | STRING | --resolve-paths | Resolve relative paths using the absolute URL provided. |
| unique | BOOLEAN | --unique | Only output each URL once per input file. |
| concurrency | STRING | --concurrency | Number of files to process concurrently (default 1). |
Showing key inputs. jsluice exposes 17 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| mode | STRING | · | Mode to run (available modes: urls, secrets, tree, query, format). |
| input-file | FILE | · | A JavaScript file to analyze. |
| input-folder | FOLDER | · | Folder including JavaScript files to analyze. |
| query | STRING | --query | Tree-sitter query to run; e.g. '(string) @matches'. |
| patterns | FILE | --patterns | JSON file containing user-defined secret patterns to look for. |
| resolve-paths | STRING | --resolve-paths | Resolve relative paths using the absolute URL provided. |
| unique | BOOLEAN | --unique | Only output each URL once per input file. |
| concurrency | STRING | --concurrency | Number of files to process concurrently (default 1). |
| warc | BOOLEAN | --warc | Treat the input files as WARC (Web ARChive) files. |
| cookie | STRING | --cookie | Cookies to use when making requests to the specified HTTP based arguments. |
| header | STRING | --header | Headers to use when making requests to HTTP based arguments (can be specified multiple times). |
| format | BOOLEAN | --format | Format source code in the output. |
| raw-output | BOOLEAN | --raw-output | Do not convert values to native types. |
| placeholder | STRING | --placeholder | Set the expression placeholder to a custom string (default 'EXPR'). |
| ignore-strings | BOOLEAN | --ignore-strings | Ignore matches from string literals. |
| include-source | BOOLEAN | --include-source | Include the source code where the URL was found. |
| include-filename | BOOLEAN | --include-filename | Include the filename in the output. |
example
# pull URLs from a folder of scripts, resolve relative paths, de-duplicatejsluice urls --resolve-paths https://example.com --unique ./scripts{"url":"https://example.com/api/v1/users","queryParams":["id"],"bodyParams":[],"method":"GET","type":"fetch"}{"url":"https://example.com/api/v1/login","queryParams":[],"bodyParams":["username","password"],"method":"POST","type":"fetch"}{"url":"https://example.com/graphql","queryParams":[],"bodyParams":["query"],"method":"POST","type":"fetch"}{"url":"/assets/app.min.js","queryParams":[],"bodyParams":[],"method":"GET","type":"script"}{"url":"/api/v1/config","queryParams":["env"],"bodyParams":[],"method":"GET","type":"xhr"}{"url":"wss://198.51.100.20/socket","queryParams":[],"bodyParams":[],"method":"GET","type":"websocket"}{"url":"https://203.0.113.40/upload","queryParams":[],"bodyParams":["file"],"method":"POST","type":"form"}guidance
Use jsluice when you have JavaScript to mine and want a parser, not a regex, so it catches endpoints and secrets that pattern tools miss. It reads JS, it does not fetch it, so run a crawler or JS collector first. For pure regex endpoint discovery, LinkFinder is the lighter sibling.
Regex endpoint discovery in JS. jsluice uses a real parser and also extracts secrets.
Collects JavaScript files from a target. Run it before jsluice to gather the scripts to parse.
Regex secret hunting in JS. jsluice's parser-driven secrets mode is the structural counterpart.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A folder of JS files feeds jsluice, which parses out URLs and passes them to httpx so only live endpoints land as output.
Facts on this page come from the live Trickest tool library.