
JS Analysis

JavaScript analysis for endpoints, secrets, and vulnerabilities

JavaScript Analysis Cheat Sheet

Extracting valuable information from JavaScript files.


Finding JS Files

BASH
# katana (-jc also crawls the JS it finds; keep URLs with a query string, they are still JS)
katana -u https://target.com -jc -silent | grep -E "\.js(\?|$)"

# gau + grep
gau target.com | grep -E "\.js(\?|$)"

# waybackurls
waybackurls target.com | grep -E "\.js(\?|$)"

# From page source (either quote style; relative src values need the base URL prepended)
curl -s https://target.com | grep -oE "src=['\"][^'\"]+\.js[^'\"]*['\"]"

Endpoint Extraction

Manual Regex

BASH
# Find API endpoints (quoted absolute paths)
grep -oE '["'"'"'](/[A-Za-z0-9_/-]+)["'"'"']' app.js

# Find full URLs. Use [:space:], not \s: inside a bracket expression POSIX grep
# treats \s as a literal backslash plus the letter s, so the match would stop at the first "s".
grep -oE 'https?://[^"'"'"'[:space:]<>]+' app.js

LinkFinder

BASH
python3 linkfinder.py -i https://target.com/app.js -o cli

# From URL list
cat js_files.txt | xargs -I{} python3 linkfinder.py -i {} -o cli

jsluice

BASH
# Extract URLs and secrets
jsluice urls app.js
jsluice secrets app.js

Secret Discovery

Manual Patterns

BASH
# API keys (case-insensitive; [:space:] rather than \s inside the bracket expression)
grep -oiE 'api[_-]?key["'"'"'[:space:]:=]+[A-Za-z0-9_-]{20,}' app.js

# AWS access key IDs (AKIA = long-term user key, ASIA = temporary STS key)
grep -oE '\b(AKIA|ASIA)[0-9A-Z]{16}\b' app.js

# Private keys
grep -oE '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----' app.js

# JWTs (three base64url segments; "eyJ" is '{"' encoded)
grep -oE 'eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*' app.js

SecretFinder

BASH
python3 SecretFinder.py -i https://target.com/app.js -o cli

Trufflehog

BASH
# v3 takes the path as a positional argument (early 3.x builds used --directory=)
trufflehog filesystem /path/to/js/files

Webpack/Source Maps

Finding Source Maps

BASH
# Guess the conventional name and check the status code, not just the body
curl -s -o /dev/null -w "%{http_code}\n" https://target.com/app.js.map

# The sourceMappingURL comment is the LAST line of the bundle, not the first
tail -c 500 app.js | grep -o 'sourceMappingURL=[^ ]*'

# Maps can also be advertised in a response header
curl -sI https://target.com/app.js | grep -iE '^(x-)?sourcemap:'

Extracting Source

BASH
# source-map toolkit
npm install -g source-map-toolkit
source-map-extract app.js.map output/

# unwebpack-sourcemap: --local for a map already on disk, or pass the .map URL instead
python3 unwebpack_sourcemap.py --local app.js.map output/

JavaScript Deobfuscation

Tools

BASH
# js-beautify
js-beautify -o pretty.js ugly.js

# de4js (online)
# JStillery (advanced)
# synchrony (for obfuscator.io)

Common Obfuscation

JAVASCRIPT
// Hex escapes inside a string literal
"\x68\x65\x6c\x6c\x6f"  // "hello"

// Unicode escapes
"\u0068\u0065\u006c\u006c\u006f"  // "hello"

// String-array indirection: identifiers become index lookups into one big array
var _0x1234 = ['log', 'Hello'];
console[_0x1234[0]](_0x1234[1]);  // console.log('Hello')

Keywords to Grep For

TEXT
# Credentials
password, passwd, pwd, secret, token
api_key, apikey, api-key, auth
bearer, Authorization

# Cloud
aws, azure, gcp, firebase
s3.amazonaws.com, storage.googleapis.com

# URLs
localhost, 127.0.0.1, internal
/api/, /v1/, /admin/, /graphql

# Debug
debug, test, dev, staging
console.log, console.error

Automation Script

BASH
#!/bin/bash
# js_enum.sh - crawl a target for JS, download it, grep for endpoints and secrets
set -uo pipefail

TARGET=${1:?usage: $0 https://target.com}

# Get JS files (keep query strings: cache-busted bundles are still JS)
echo "[*] Finding JS files..."
katana -u "$TARGET" -jc -silent | grep -E '\.js(\?|$)' | sort -u > js_urls.txt

# Download, naming each file by the md5 of its URL so two bundles both called app.js do not collide
mkdir -p js_files
while read -r url; do
    filename=$(printf '%s' "$url" | md5sum | cut -d' ' -f1).js
    curl -sL --max-time 30 "$url" -o "js_files/$filename"
done < js_urls.txt

# Extract (grep exits 1 when nothing matches; that is not an error here)
echo "[*] Extracting endpoints..."
grep -rohE '["'"'"'](/[A-Za-z0-9_/-]+)["'"'"']' js_files/ | sort -u > endpoints.txt || true

echo "[*] Looking for secrets..."
{
    grep -rohiE '(api[_-]?key|secret|token)["'"'"'[:space:]:=]+[A-Za-z0-9_-]{16,}' js_files/
    grep -rohE '(AKIA|ASIA)[0-9A-Z]{16}|eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' js_files/
} | sort -u > secrets.txt || true

echo "[*] $(wc -l < endpoints.txt) endpoint(s), $(wc -l < secrets.txt) secret candidate(s); expect noise, review by hand"