Skip to content

JavaScript Analysis Tools

JavaScript analysis is critical for modern web applications. BeDefended uses a pipeline approach to extract endpoints, secrets, and vulnerabilities from JavaScript files.

Pipeline: JSLuice → LinkFinder → SecretFinder → JSHunter

1. JSLuice (AST-Based Analysis)

GitHub: nevkontakte/jsluice Purpose: Extract all imported modules and dependencies using AST (Abstract Syntax Tree)

Most accurate JavaScript analysis. Parses JavaScript as code, not strings.

docker run --rm -v $(pwd):/work pentest-tools \
  jsluice -u https://api.example.com \
  --mode sources \
  -o js-sources.json

Modes: - sources — All imported modules/dependencies - sinks — Data sinks (DOM manipulation, eval, etc.) - sources-sinks — Both sources and sinks

Output: 

{
  "sources": [
    "https://api.example.com/js/app.js",
    "https://cdn.example.com/lib/jquery.js"
  ]
}

Advantages: - ✅ Accurate (parses as code, not regex) - ✅ Finds all dependencies - ✅ Identifies tech stack (React, Vue, Angular, etc.)

2. LinkFinder (Endpoint Discovery)

GitHub: GerbenJavado/LinkFinder Purpose: Regex-based endpoint discovery from JavaScript

Finds URL patterns in JavaScript code using regex matching.

docker run --rm -v $(pwd):/work pentest-tools \
  /opt/pentest-venv/bin/python3 linkfinder.py \
  -i js-sources.json \
  -o linkfinder-results.txt

Regex Patterns: - /api/v1/users — REST endpoints - /graphql — GraphQL endpoints - /soap/ — SOAP endpoints - URLs, domains, email addresses

Output: 

/api/v1/users
/api/v1/users/{id}
/api/v1/tickets
/api/v1/tickets/{id}/comments
/admin/settings
/internal/health

Advantages: - ✅ Fast - ✅ Finds hardcoded endpoints - ❌ Misses dynamically constructed URLs - ❌ Regex-based (prone to false positives/negatives)

3. SecretFinder (Secrets Extraction)

GitHub: m4ll0k/SecretFinder Purpose: Find API keys, tokens, and other secrets in JavaScript

Searches for high-entropy strings and known secret patterns.

docker run --rm -v $(pwd):/work pentest-tools \
  /opt/pentest-venv/bin/python3 secretfinder.py \
  -i js-sources.json \
  -o secrets.txt

Secrets Detected: - AWS credentials (AKIA*) - Stripe keys (sk_live_*, pk_live_*) - Private API keys (api_key=, apiKey=) - JWT tokens - OAuth tokens - Database connection strings - Slack tokens - GitHub PATs

Output: 

AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
STRIPE_KEY=sk_live_51234567890
JWT_SECRET=supersecretkey123
DATABASE_URL=postgres://user:pass@localhost/db

Severity: Critical — exposed secrets allow account takeover

4. JSHunter (Deobfuscation & Entropy)

GitHub: jshunter/jshunter Purpose: Deobfuscation and high-entropy string detection

Deobfuscates minified JavaScript and finds encoded secrets.

docker run --rm -v $(pwd):/work pentest-tools \
  jshunter -u https://api.example.com -entropy 4.5

Features: - Deobfuscation (beautify minified JS) - Entropy analysis (find base64 encoded secrets) - Variable name recovery - Dead code removal

Additional Tools

SubJS (JavaScript URL Collector)

GitHub: lc/subjs Purpose: Find all JavaScript files on a domain

docker run --rm -v $(pwd):/work pentest-tools \
  subjs -u https://api.example.com -o js-files.txt

Output: 

https://api.example.com/js/app.bundle.js
https://api.example.com/js/vendor.js
https://cdn.example.com/jquery.min.js

GetJS

GitHub: 003random/getJS Purpose: Extract JavaScript from HTML and JavaScript files

docker run --rm -v $(pwd):/work pentest-tools \
  getjs -u https://api.example.com -d 3

Crawls: - <script src=""> tags - Imported modules - Dynamic script creation

Source Maps Analysis

JavaScript source maps (.js.map) are critical for security testing. They reveal: - Exact API endpoints - Function names and logic - Parameter names and types - Business logic flow - Error handling

Manual Source Map Extraction

# Download source map
curl https://api.example.com/js/app.js.map > app.js.map

# Parse with jq to extract sources
jq '.sources[]' app.js.map | head -20

Source Map Reveals

Example from Spring Boot app:

// From app.js (minified):
fetch("/api/u/"+e,{method:"DELETE"})

// From app.js.map (original source):
fetch("/api/v1/users/"+userId, {method: "DELETE"})

// Reveals exact API path!

Inline JavaScript Analysis

Modern SPAs render content with inline JavaScript. Critical patterns to search:

1. DOM XSS Sinks

// Dangerous patterns
element.innerHTML = userInput;  // ❌ DOM XSS
element.textContent = userInput;  // ✅ Safe

// Vue
<div v-html="userInput"></div>  <!-- ❌ DOM XSS -->
<div>{{ userInput }}</div>  <!-- ✅ Safe (auto-escaped) -->

// React
<div dangerouslySetInnerHTML={{__html: input}} />  <!--  DOM XSS -->
<div>{input}</div>  <!-- ✅ Safe (auto-escaped) -->

2. API Endpoints

// Hardcoded API calls
fetch('/api/v1/users')
axios.post('/api/v1/tickets', data)
$.ajax({url: '/api/v1/comments'})

3. Configuration & Secrets

const API_KEY = 'sk_live_1234567890';  // ❌ Exposed
const API_BASE = 'https://api.example.com';  // ℹ️ Endpoint leak
const STRIPE_KEY = process.env.REACT_APP_STRIPE_KEY;  // ✅ Correct

4. Prototype Pollution Patterns

// Dangerous merge/extend
Object.assign(target, userInput);  // ❌ Vulnerable
_.merge(obj, userInput);  // ❌ Vulnerable
JSON.parse(userInput);  // ❌ If merged

5. PostMessage API (XSS vector)

window.parent.postMessage(data, '*');  // ❌ No origin check
window.parent.postMessage(data, 'https://trusted.com');  // ✅ Correct

// Listener
window.addEventListener('message', (e) => {
  if (e.origin !== 'https://trusted.com') return;  // ✅ Validate origin
  eval(e.data);  // ❌ But eval is dangerous!
});

JavaScript Analysis Workflow

  1. Download all JS files using SubJS or GetJS
  2. Extract endpoints using LinkFinder
  3. Search for secrets using SecretFinder
  4. Deobfuscate minified code using JSHunter
  5. Download source maps (if available)
  6. Analyze inline JS for DOM XSS, DOM clobbering, prototype pollution
  7. Identify tech stack (React, Vue, Angular, etc.)

Example: Complete JavaScript Analysis

# Step 1: Find all JS files
subjs -u https://api.example.com -o js-files.txt

# Step 2: Analyze with JSluice
jsluice -u https://api.example.com -mode sources -o sources.json

# Step 3: Extract endpoints
linkfinder -i sources.json -o endpoints.txt

# Step 4: Find secrets
secretfinder -i sources.json -o secrets.txt

# Step 5: Download source maps
for file in $(cat js-files.txt); do
  curl "${file}.map" -o "$(basename $file).map" 2>/dev/null
done

# Step 6: Analyze inline JavaScript
grep -r "innerHTML\|eval\|postMessage\|deepMerge" js-files.txt > potential-vulns.txt

# Result: Complete JavaScript attack surface mapped

Summary Table

Tool Purpose Accuracy Speed
JSLuice AST analysis Very High Medium
LinkFinder Endpoint discovery High Fast
SecretFinder Secret detection High Fast
JSHunter Deobfuscation High Medium
SubJS JS file collection Very High Fast
GetJS JS extraction High Medium