loading
loading
Discovery
Discover endpoints and their parameters in JavaScript files.
overview
LinkFinder is a Python script that pulls endpoints out of JavaScript. It runs the source through jsbeautifier and then a large regular expression to surface paths, API routes, and parameters that the application references in its scripts but never links in plain HTML. For single-page apps where the navigation lives in bundled JavaScript, this recovers surface a static crawler walks right past.
It takes a single URL to fetch and analyze, a local JavaScript file, or a Burp 'Save selected' export containing many scripts at once. The domain toggle walks every JavaScript file it finds under a target, and a regex filter narrows the output to the routes you care about, such as everything under an API prefix.
On Trickest, LinkFinder is a Discovery node that takes a URL or file and writes a file and a folder of endpoints. Run it after a crawler collects scripts, then feed the recovered routes to httpx and a scanner so probing and testing work against endpoints the app itself calls.
use cases
Analyze a script to surface API routes and paths defined in JavaScript that never appear as links in the rendered HTML.
Use the -d toggle to enumerate all JavaScript under a target and extract endpoints from each one in a single pass.
Feed a Burp 'Save selected' file of multiple scripts with -b so LinkFinder analyzes the whole bundle captured during a manual session.
Apply a regex with -r, such as ^/api/, so the output keeps only the endpoints worth probing instead of every string it matched.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input-url | STRING | -i | A URL to fetch and analyze for endpoints. |
| input-file | FILE | -i | A local JavaScript file to analyze. |
| analyze-entire-domain | BOOLEAN | -d | Enumerate and analyze every JavaScript file found on the domain. |
| filter-regex | STRING | -r | Regex to filter found endpoints, e.g. ^/api/. |
| use-burp-save-selected-file | BOOLEAN | -b | Input a Burp 'Save selected' file containing multiple JS files. |
| cookies | STRING | -c | Cookies to add to the request when fetching a URL. |
Showing key inputs. linkfinder exposes 6 inputs in total.
example
# extract API endpoints from every JS file under a domainpython linkfinder.py -i https://example.com -d -r ^/api/ -o cli/api/v1/session/api/v1/users/{userId}/api/v2/orders/graphqlhttps://api.example.com/v1/notifications/static/js/vendor.4f2a9c.js/assets/settings.jsonwss://ws.example.com/stream/internal/metricsguidance
Use LinkFinder when you want a quick regex sweep of JavaScript for endpoints and parameters. It is lightweight and fast to wire. For parser-accurate extraction that also catches concatenated URLs and secrets, jsluice is the structural sibling.
Parses JavaScript with tree-sitter for cleaner results and secrets. LinkFinder is the lighter regex approach.
Collects JavaScript files from a target. Run it first, then point LinkFinder at the gathered scripts.
A sibling regex script tuned for secrets in JS rather than endpoints. Pair them for routes and credentials.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A target feeds katana, which crawls and collects JavaScript, then LinkFinder extracts the endpoints and writes them as a queryable output.
Facts on this page come from the live Trickest tool library.