loading
loading
Discovery
Extract JavaScript source trees from Sourcemap files.
overview
sourcemapper downloads a JavaScript sourcemap and reconstructs the original source tree the bundler embedded inside it. Production builds often leave .js.map files reachable next to minified bundles; when they do, the map points back to readable modules, paths, and comments that never belonged in a public asset.
Point it at a map URL with -url, or at a script URL with -jsurl when the map is referenced from the bundle. Optional -proxy and -header values mirror how you would fetch the file with curl, and -insecure skips TLS verification for lab hosts with broken certificates.
On Trickest, sourcemapper is a Discovery node that takes a map or script URL and writes a folder of recovered sources. Run it after a crawler surfaces .map references so you can review the rebuilt tree for endpoints, secrets, and internal paths.
use cases
Fetch a discovered sourcemap URL and write the original file tree for offline review of modules the minified bundle hid.
Pass -jsurl when you have the bundled JavaScript and need sourcemapper to locate and pull the linked map automatically.
Search the rebuilt tree for API routes, admin screens, and feature flags that never appear in the minified output.
Set -proxy and -header when the map is only reachable through an authenticated or corporate egress path.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -url | URL to the Sourcemap file (cannot be used with jsurl). |
| jsurl | STRING | -jsurl | URL to JavaScript file (cannot be used with url). |
| sourcemap | FILE | -url | Path to a local Sourcemap file (cannot be used with jsurl). |
| proxy | STRING | -proxy | Proxy URL for the fetch. |
| header | STRING | -header | Extra request header, similar to curl -H (repeatable). |
| insecure | BOOLEAN | -insecure | Ignore invalid TLS certificates. |
Showing key inputs. sourcemapper exposes 6 inputs in total.
example
# rebuild sources from a public sourcemap on example.comsourcemapper -url https://example.com/static/app.js.map[+] Retrieving sourcemap from https://example.com/static/app.js.map[+] Sourcemap retrieved, unpacking sources...[+] Writing src/components/App.js[+] Writing src/api/client.js[+] Writing src/pages/Login.js[+] Writing src/utils/config.js[+] Writing webpack:///external/vendor.js[+] Done: 48 files under ./example.com/guidance
Reach for sourcemapper when a crawler finds .map files or JavaScript bundles with sourcemaps still attached. It reconstructs source, it does not crawl, so run it after katana or a JS endpoint finder. To pull endpoints straight out of minified JS without a map, use a JS-link extractor instead.
Crawls a site and surfaces .js and .js.map references. Run it before sourcemapper to find the maps.
Scrapes JavaScript for subdomains and secrets without rebuilding source. Complements a full source recovery.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A target feeds katana, which surfaces sourcemap references that sourcemapper rebuilds into an original source tree written as output.
Facts on this page come from the live Trickest tool library.