Vulnerability Scanning
Created bymhmdiaa-trickest
Last updated11/7/2024

Input Parameters

urls
file
required
List of script URLs
header
string
Header(s) to include in HTTP requests
in-scope
file
List of URLs, paths, or regular expressions used to identify endpoints for extraction
out-of-scope
file
List of URLs, paths, or regular expressions to ignore during endpoint extraction

Outputs

endpointscodepath-wordlistparameter-wordlistfindings

Analyze JavaScript Code

Description

Retrieve JavaScript code from a list of URLs while preserving its original location structure. When available, extract sourcemaps to obtain non-minified code, then beautify and deobfuscate all code. Analyze the code to discover hidden endpoints, generate custom path and parameter brute-force wordlists based on script content, and scan for vulnerabilities by identifying outdated dependencies, insecure code patterns, and exposed secrets.

Features

  • Prepares code for manual review by downloading all files to a single location, extracting sourcemaps when available to obtain original, non-minified code.
  • Simplifies code review by beautifying and deobfuscating code, and applying transformations such as unpacking arrays and removing redundant proxy functions.
  • Extracts hidden endpoints and paths from the code, including parameters and request methods.
  • Generates a custom wordlist for path discovery based on identified endpoints.
  • Creates a custom wordlist for parameter discovery using found endpoints and variable names.
  • Checks for outdated dependencies and identifies associated CVEs when available.
  • Scans for a wide range of exposed secrets.
  • Analyzes code for insecure patterns and client-side vulnerabilities.

Inputs

Required

  • urls: List of JavaScript code URLs (non-JS URLs will be automatically filtered out)
https://example.com/script.js
https://cdn.example.com/assets/app.min.js
https://another-example.com/js/main.js

Outputs

  • findings: JSONLines records of finding details
{"finding": "Potential exposed secret: URI","location": "https://cdn.example.com/assets/app.min.js","severity": "unknown","hostname": "cdn.example.com","domain_name": "example.com","method": "GET","matches": ["http://admin:password@example.com"]}
{"finding": "Outdated JavaScript component: jquery 2.2.3","location": "https://example.com/script.js","severity": "medium","hostname": "example.com","domain_name": "example.com","method": "GET","matches": ["CVE-2015-9251","CVE-2019-11358","CVE-2020-11023","CVE-2020-11022"]}
{"finding": "DOM Based XSS","location": "https://another-example.com/js/main.js","severity": "medium","description": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=<script>alert(document.cookie)</script> which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.","hostname": "another-example.com","domain_name": "another-example.com","method": "GET","matches": ["line 27"]}
  • endpoints: JSONLines records of endpoint details, including parameters and request methods
{"url": "/api/login", "query_parameter": "", "body_parameter": "username", "method": "POST", "source_files": ["https://another-example.com/js/main.js"]}
{"url": "/api/login", "query_parameter": "", "body_parameter": "password", "method": "POST", "source_files": ["https://another-example.com/js/main.js"]}
{"url": "/api/users", "query_parameter": "id", "body_parameter": "", "method": "GET", "source_files": ["https://another-example.com/js/main.js"]}
{"url": "/Dashboard", "query_parameter": "", "body_parameter": "", "method": "", "source_files": ["https://another-example.com/js/main.js"]}
  • path-wordlist: List of possible paths derived from identified endpoints
api/login/
api/users
Dashboard
  • parameter-wordlist: List of possible parameters derived from identified endpoints and variable names within the code
username
password
id
url
role
  • code: Folder containing the downloaded and analyzed code, with files beautified, deobfuscated, simplified, and sourcemaps resolved where available.
code/
├── example.com/
│   └── app.js             # Original source from resolved sourcemap
├── cdn.example.com/
│   ├── script.js          # Beautified and deobfuscated version of the original minified script
└── another-example.com/
    └── main.js

Changelog

  • v1.0.0
    • Initial release
  • v1.0.1
    • Added header input
  • v1.0.2
    • Improved source map handling for locations that have no corresponding content available
  • v2.0.0
    • Update endpoints output format to be compatible with the url-details format
    • Add in-scope and out-of-scope inputs for filtering extracted endpoints