Endpoint Extraction
Manual Search
JAVASCRIPT
// Common patterns to grep in JS files
fetch('/api/
$.ajax({url: '
XMLHttpRequest
axios.get('/
axios.post('/
.get('/api/
.post('/api/
window.location
document.location
href="/
action="/
Automated Tools
BASH
# LinkFinder - Extract endpoints from JS files
python3 linkfinder.py -i https://target.com/script.js -o cli
# Bulk JS analysis
python3 linkfinder.py -i https://target.com -d -o results.html
# GAP Burp Extension
# Passively analyzes JS for endpoints
# JSParser
python3 jsparser.py -u https://target.com/app.js
Regex Patterns
BASH
# Find API endpoints (double-quoting the regex avoids the '"'"' dance when it must contain both quote types)
grep -oP "[\"'](/api/[^\"']+)[\"']" script.js
# Find URLs
grep -oP "https?://[^\s\"'<>]+" script.js
# Find paths
grep -oP "[\"']/([\w-]+/)+[\w-]*[\"']" script.js
# One-liner for multiple files (-h drops the file name so sort -u dedupes across files)
grep -ohP "\"/api/[^\"]+\"|'/api/[^']+'" *.js | sort -u
Secrets Discovery
Common Secrets Patterns
JAVASCRIPT
// API Keys
apiKey: 'AKIA...'
api_key = "..."
Authorization: 'Bearer ...'
x-api-key: '...'
// AWS
AKIA[0-9A-Z]{16}
aws_secret_access_key
aws_access_key_id
// Google
AIza[0-9A-Za-z-_]{35}
ya29\.[0-9A-Za-z\-_]+
// Firebase
apiKey: "AIza..."
authDomain: "...firebaseapp.com"
// Tokens
token: '...'
secret: '...'
password: '...'
private_key: '...'
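To check your own bundles for what the patterns above would turn up before an outsider does, here is an added Python scanner (not LinkFinder's or SecretFinder's code) that pulls /api/ paths and the secret formats listed above out of a constructed sample, gates the noisy name-based matches on Shannon entropy, and reports hits redacted so the scan log itself never becomes the leak. The sample bundle, the key values (Amazon's documented placeholder AKIAIOSFODNN7EXAMPLE among them) and the function names are all constructed for this example.

```python
import re
from collections import Counter
from math import log2

# Constructed sample bundle fragment (not from any real site); the AWS key is Amazon's
# documented placeholder value and the other values are made up.
SAMPLE_JS = r"""
const USERS = '/api/v1/users';
fetch('/api/v1/orders?limit=20').then(r => r.json());
axios.post('/api/v2/login', { u, p });
const cfg = { apiKey: "AIzaSyA1234567890abcdefghijklmnopqrstuv", authDomain: "demo-app.firebaseapp.com" };
const aws_access_key_id = "AKIAIOSFODNN7EXAMPLE";
headers['Authorization'] = 'Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123';
const hint = "password: '********'";
"""

ENDPOINT_RE = re.compile(r"""["'](/api/[^"'\s]+)["']""")
# Provider-specific formats first (high confidence), then the noisy name-based catch-all.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z\-_]{35}"),
    "google_oauth_token": re.compile(r"ya29\.[0-9A-Za-z\-_]+"),
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9\-_.=]+)"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|password|private_key|token)\b\s*[:=]\s*["']([^"']{8,})["']"""),
}

def entropy(s: str) -> float:
    """Shannon entropy in bits per character; random-looking secrets score high."""
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())

def redact(value: str) -> str:
    """Keep just enough to recognise the hit, never the usable secret."""
    return value[:4] + "***" + value[-2:] if len(value) > 8 else "***"

def extract_endpoints(js: str) -> list[str]:
    return sorted(set(ENDPOINT_RE.findall(js)))

def find_secrets(js: str, min_entropy: float = 3.0) -> list[tuple[str, str]]:
    """Return (kind, redacted value) pairs for every pattern hit in the JS text."""
    hits = []
    for kind, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(js):
            value = m.group(m.lastindex or 0)
            # Name-based matches include placeholders like '********': require randomness.
            if kind == "generic_assignment" and entropy(value) < min_entropy:
                continue
            hits.append((kind, redact(value)))
    return hits
```

Provider-specific formats (AKIA, AIza, ya29) are reported as soon as they match; only the name-based rule is entropy-gated, because `password: '********'` is a common placeholder that would otherwise flood a CI run.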
Secret Scanning Tools
BASH
# TruffleHog (JS files)
trufflehog filesystem --directory ./js-files/
# SecretFinder
python3 SecretFinder.py -i https://target.com/app.js -o cli
# JSScanner
python3 jsscanner.py -u https://target.com
# Nuclei templates for secrets
nuclei -u https://target.com -t exposures/tokens/
Searching Packed/Minified JS
BASH
# Beautify first
js-beautify bundle.min.js > bundle.pretty.js
# Or use online tools (these upload the file to a third party; keep to the local tool for anything non-public)
# https://beautifier.io/
# https://www.prettifyjs.net/
# Then search
grep -in "api\|key\|secret\|token\|password" bundle.pretty.js
Source Maps
What are Source Maps?
TEXT
Original source → Bundler → Minified JS + .map file
A source map ties every position in the minified bundle back to the original file and line, and usually embeds the full original source (sourcesContent), so an exposed .map file lets anyone reconstruct the pre-build code.
Finding Source Maps
BASH
# Check for sourceMappingURL in JS files
grep -r "sourceMappingURL" *.js
# Common patterns (the comment sits on the last line of the bundle)
#   //# sourceMappingURL=app.js.map
#   //# sourceMappingURL=bundle.min.js.map
# Try common locations (prints the status code next to each URL)
for u in https://target.com/js/app.js.map https://target.com/js/bundle.js.map \
         https://target.com/static/js/main.chunk.js.map; do
  curl -s -o /dev/null -w "%{http_code} $u\n" "$u"
done
Extracting Source Maps
BASH
# unwebpack-sourcemap (takes the map URI and an output directory for the recovered tree)
python3 unwebpack_sourcemap.py --make-directory https://target.com/app.js.map ./extracted
# source-map-explorer (takes the bundle, optionally followed by its map)
npx source-map-explorer bundle.js bundle.js.map
# sourcemapper
sourcemapper -url https://target.com/js/app.js.map -output ./extracted/
Analyzing Extracted Source
BASH
# After extraction, search for:
grep -r "password\|secret\|api" ./extracted/
grep -r "TODO\|FIXME\|HACK" ./extracted/
grep -r "admin\|debug\|test" ./extracted/
# Find hardcoded credentials
grep -r "const.*=.*['\"].*password" ./extracted/
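As an added example (not unwebpack-sourcemap's or sourcemapper's code), the following Python walks the three source-map steps above on a constructed bundle and a webpack-style map: it resolves the sourceMappingURL comment against the bundle URL, recovers the originals from sourcesContent while refusing any `sources` entry that would write outside the output directory (map data from a server is untrusted input), and runs the keyword grep from the last block over the recovered files. The URL, file names, map contents and function names are all constructed.

```python
from __future__ import annotations
import json
import posixpath
import re
from pathlib import Path
from urllib.parse import urljoin

# Constructed inputs (not a real site's files): a bundle tail and a webpack-style .map.
BUNDLE_URL = "https://example.com/static/js/app.js"
SAMPLE_BUNDLE = "!function(){console.log(1)}();\n//# sourceMappingURL=app.js.map\n"
SAMPLE_MAP = json.dumps({"version": 3, "file": "app.js", "mappings": "AAAA",
    "sources": ["webpack:///./src/api/client.js", "webpack:///./src/config.js?f00d",
                "webpack:///../../outside.js"],
    "sourcesContent": ["export const base = '/api/v1';\n// TODO: drop staging fallback\n",
                       "export const cfg = { debug: true, adminPath: '/admin/api/' };\n",
                       "// escapes the output dir and must be skipped\n"]})
MAP_COMMENT_RE = re.compile(r"^//[#@]\s*sourceMappingURL=(\S+)", re.M)
FLAG_RE = re.compile(r"TODO|FIXME|HACK|password|secret|api|admin|debug", re.I)

def find_map_url(js_text: str, bundle_url: str) -> str | None:
    """Resolve the sourceMappingURL comment (relative or absolute) against the bundle URL."""
    m = MAP_COMMENT_RE.search(js_text)
    return urljoin(bundle_url, m.group(1)) if m else None

def safe_relpath(src: str) -> str | None:
    """Map a 'sources' entry (webpack:///./src/x.js?hash) to a path inside the output dir."""
    path = re.sub(r"^[A-Za-z][\w+.-]*:/*", "", src).split("?", 1)[0]
    path = posixpath.normpath(path).lstrip("/")
    # Map data is untrusted: a crafted entry must not write outside the output dir.
    return None if path in ("", ".", "..") or path.startswith("../") else path

def extract_sources(map_text: str) -> dict[str, str]:
    """Return {relative path: original source} from sourcesContent (entries may be null)."""
    smap = json.loads(map_text)
    pairs = zip(smap.get("sources", []), smap.get("sourcesContent") or [])
    return {safe_relpath(s): c for s, c in pairs if c is not None and safe_relpath(s)}

def write_sources(files: dict[str, str], out_dir: str) -> list[str]:
    """Recreate the original tree under out_dir; returns the paths written."""
    written = []
    for rel, content in files.items():
        target = Path(out_dir, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
        written.append(str(target))
    return written

def flag_sensitive(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """The grep step from the page over the recovered files: (path, line no, line)."""
    return [(p, n, line.strip()) for p, c in files.items()
            for n, line in enumerate(c.splitlines(), 1) if FLAG_RE.search(line)]
```

Run it against your own production bundle before release: if the map resolves and sources come back, either strip the sourceMappingURL comment or keep the .map off the public origin.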
JavaScript Files Discovery
Finding JS Files
BASH
# Crawl for JS files
gospider -s https://target.com -d 2 | grep "\.js"
# GAU (Get All URLs)
gau target.com | grep "\.js$"
# Wayback for old JS files
waybackurls target.com | grep "\.js$" | sort -u
# Hakrawler
hakrawler -url https://target.com -plain | grep "\.js"
Historical JS Analysis
BASH
# Get old JS versions from Wayback
waybackurls target.com | grep "\.js" | httpx -mc 200 -o live-js.txt
# Download and compare versions (the id_ suffix on the Wayback timestamp returns the archived
# bytes without Wayback's injected toolbar/rewrite code, so the diff only shows real changes)
wget https://web.archive.org/web/20200101id_/https://target.com/app.js -O old.js
wget https://target.com/app.js -O new.js
diff old.js new.js
Static Analysis
Manual Code Review
JAVASCRIPT
// Dangerous sinks: untrusted input reaching these executes code or injects HTML
eval(
document.write(
innerHTML =
outerHTML =
.html(
setTimeout(
setInterval(
new Function(
// DOM XSS sources: values an attacker can influence; trace where each one flows
location.hash
location.search
document.URL
document.referrer
postMessage
Automated Scanners
BASH
# Retire.js - Find vulnerable JS libraries
retire --path ./js-files/
retire --js https://target.com/jquery.min.js
# ESLint security plugin
npx eslint --plugin security script.js
# SemGrep
semgrep --config=p/javascript script.js
Webpack/Bundle Analysis
Identifying Bundlers
JAVASCRIPT
// Webpack
webpackJsonp
__webpack_require__
/******/ (function(modules)
// Rollup (UMD/AMD output wrapper)
define(['exports']
(function (global, factory)
// Parcel
parcelRequire
// Browserify (CommonJS calls left in the bundle)
require('...')
module.exports =
Extracting from Bundles
BASH
# webpack-bundle-analyzer
npx webpack-bundle-analyzer stats.json
# Extract routes from React apps
grep -oP "path:\s*[\"'][^\"']+" bundle.js
# Find component names
grep -oP "(class|function)\s+\w+" bundle.js | head -50
API Discovery from JS
REST Endpoints
BASH
# Common patterns
#   /api/v1/users
#   /api/v2/products
#   /rest/admin
#   /graphql
# Extract full URLs and API paths
grep -oP "(https?://[^\"'\s]+|/api/[^\"'\s]+)" app.js
GraphQL Discovery
JAVASCRIPT
// Look for GraphQL queries
query {
mutation {
subscription {
__schema
__typename
// Common endpoints
/graphql
/graphql/console
/v1/graphql
Hidden Parameters
JAVASCRIPT
// Search for query params
?id=
?user=
?token=
?debug=
?admin=
&page=
&limit=
&filter=
Tools Summary
Essential Tools
BASH
# Endpoint extraction
LinkFinder
GAP (Burp Extension)
JSParser
# Secrets
SecretFinder
TruffleHog
jsluice
# Source maps
unwebpack-sourcemap
sourcemapper
# JS file discovery
GAU
Waybackurls
Gospider
# Vulnerability scanning
Retire.js
ESLint Security
SemGrep
One-liner Workflow
BASH
# Full JS recon
gau target.com | grep "\.js$" | httpx -mc 200 | \
while read -r url; do
  python3 linkfinder.py -i "$url" -o cli
  python3 SecretFinder.py -i "$url" -o cli
done
# Check for source maps (a real map is JSON whose first line carries the "version" key,
# which keeps an HTML 404 page that merely mentions "version" from counting as a hit)
gau target.com | grep "\.js$" | \
while read -r url; do
  curl -s "${url}.map" | head -1 | grep -q '"version"' && echo "[+] Found: ${url}.map"
done
Bug Bounty Tips
What to Look For
TEXT
1. Hardcoded API keys and secrets
2. Internal/staging endpoints
3. Hidden admin functionality
4. Debug modes and test accounts
5. Deprecated API versions
6. Unprotected API endpoints
7. Source maps exposing original code
8. Comments with sensitive info
High-Value Finds
JAVASCRIPT
// Admin functions
isAdmin = true
role: 'admin'
/admin/api/
// Debug/Dev modes
debug: true
NODE_ENV: 'development'
?debug=1
// Internal endpoints
internal-api.target.com
staging.target.com
dev.target.com
// Feature flags
feature_enabled
beta_features