JavaScript Analysis¶

JavaScript analysis means digging through client-side code to find vulnerabilities, endpoints, and sensitive info. Modern web apps rely heavily on JavaScript, so the source code is full of useful intel.

1. Introduction to JavaScript Analysis¶

During recon, you want to understand the app's attack surface. JavaScript files (served directly to the browser) often contain:

API Endpoints: URLs for backend APIs, including hidden or administrative ones.
Hardcoded Secrets: API keys, tokens, or other credentials mistakenly left in the code.
Business Logic: Insight into how the application processes data, which can reveal logic flaws.
Hidden Parameters: Parameters that are used in AJAX requests but not visible in the UI.
Dependencies: Information about the libraries and frameworks used, which may have known vulnerabilities.

2. Core Methodology¶

A systematic JS analysis approach involves discovery, beautification, and both static and dynamic analysis. Here's the process:

Discovery: Gather all JavaScript files associated with the target application. This can be done by crawling the site and using tools to query web archives.
Beautification: Production JavaScript is often "minified" (all whitespace and comments removed) or "obfuscated" (intentionally made difficult to read). The first step is to make it human-readable.
Static Analysis: Read through the beautified code, searching for keywords, patterns, and interesting strings. This is where you'll find most endpoints and potential secrets.
Dynamic Analysis: Use browser developer tools to execute the code, set breakpoints, and observe its behavior in real-time. This is essential for understanding complex logic and de-obfuscating dynamic values.

3. Discovery and Information Gathering¶

First, you need to collect all the JS files.

Tools for Finding JS Files¶

gau / waybackurls These tools are excellent for finding historical JS files that may still be active but are no longer linked on the live site.

# Get all URLs for a domain, then filter for .js files
gau --subs example.com | grep '\.js$' | sort -u > js_files.txt

See the Archive Analysis cheatsheet for more details.

subjs A tool that fetches JavaScript files from a list of web pages.

# Provide a list of hosts
subjs -i hosts.txt

4. Static Analysis: Reading the Code¶

Once you have the files, the hunt for information begins.

Beautifying and De-obfuscating¶

Browser DevTools: The "Sources" tab in Chrome/Firefox has a {} "Pretty Print" button that instantly formats minified code.
Online Tools: Websites like jsbeautifier.org or prettier.io can reformat code.
Deobfuscators: For heavily obfuscated code, tools like de4js can help reverse common patterns.

What to Search For (Keywords and Regex)¶

Use grep or your text editor's search function to look for these patterns in the JS code.

Category	Keywords / Regex	Purpose
API Endpoints	`api/`, `/v[0-9]`, `graphql`, `const url =`, `path:`	Find backend communication routes.
Secrets	`api_key`, `token`, `secret`, `password`, `auth`, `aws_access_key`	Discover hardcoded credentials.
Subdomains	`https?:\/\/[a-zA-Z0-9\-\.]+\.example\.com`	Find subdomains and internal hostnames.
Dependencies	`react`, `angular`, `vue`, `jquery-[0-9\.]+\.js`	Identify frameworks and libraries to check for known vulnerabilities.
Interesting Vars	`isAdmin`, `debug`, `isProd`, `canEdit`	Find variables that might control security-sensitive logic.
File Paths	`\.json`, `\.xml`, `\.csv`	Find paths to static data files that might contain sensitive info.

Automated Static Analysis Tools¶

LinkFinder A Python script that finds endpoints in JavaScript files.

python linkfinder.py -i https://example.com/main.js -o cli

SecretFinder A tool that detects secrets and other sensitive data in JS files.

python secretfinder.py -i https://example.com/app.js -o cli

5. Dynamic Analysis: Using the Browser¶

Dynamic analysis is about interacting with the code as it runs. The browser's Developer Tools (F12) are your best friend here.

The Console¶

Inspect Global Variables: Type window in the console and press Enter to inspect all global variables. Look for objects containing user data, tokens, or configuration.
Test Functions: You can call any globally accessible function directly from the console to see what it does.

The Debugger ("Sources" Tab)¶

Set Breakpoints: Find a line of code you're interested in (e.g., an AJAX request) and click the line number to set a breakpoint. When the code executes, it will pause at that line.
Inspect Variables: While paused, you can hover over variables to see their current value. This is invaluable for de-obfuscating data that is constructed at runtime.
Step Through Code: Use the controls to step over, into, or out of functions to follow the application's logic flow.

Function Hooking¶

A powerful advanced technique where you override a native function to intercept its calls. This is great for logging all network requests or cryptographic operations.

Example: Hooking fetch to Log All API Calls

Paste this into the browser console.

const originalFetch = window.fetch;
window.fetch = function(...args) {
    console.log("Intercepted fetch request to:", args[0]);
    console.log("Request details:", args[1]);

    // Call the original function to let the request proceed
    return originalFetch.apply(this, args);
};

console.log("[*] Fetch hooking enabled. All network requests will be logged.");

Now, as you use the application, every fetch request will be printed to the console, revealing the URL, headers, and body.

6. Source Maps¶

Developers sometimes upload JavaScript "source maps" (.js files) to production. These are special files that map the minified, production code back to the original, readable source code (including comments and original variable names).

Finding and Using Source Maps¶

Check DevTools: The browser will often detect a source map and show a warning in the console.
Guess the URL: If you have app.min.js, try downloading app.min.js.
Unpack: Once you have the map file, you can use tools like unwebpack-sourcemap or source-map-explorer to reconstruct the original source code, which is often much easier to analyze.

7. Notes and Pitfalls¶

Don't Get Lost in Framework Code: Modern JS bundles contain a lot of framework code (React, Vue, etc.). Try to focus your analysis on the application's own logic, not the library code.
Dead Code: Old JS files found via archives may contain endpoints that are no longer active. Always verify your findings.
Web Workers: Don't forget to inspect JavaScript running in Web Workers, as they can also perform sensitive operations and make API calls. You can see these in the "Sources" tab of the browser's developer tools.
Content Security Policy (CSP): A strong CSP can make it harder to find and exploit vulnerabilities like XSS, but it doesn't prevent you from reading the JS code itself for reconnaissance.

8. Quick Reference Table¶

Tool / Technique	Primary Use	Example / Note
`gau` / `waybackurls`	Find historical JS files.	`gau example.com \\| grep '\.js$'`
`LinkFinder`	Extract endpoints from JS code.	`linkfinder.py -i file.js`
`SecretFinder`	Find secrets/credentials in JS code.	`secretfinder.py -i file.js`
Browser DevTools	Beautifying, debugging, and dynamic analysis.	Use the `{}` button, set breakpoints, and use the console.
Function Hooking	Intercepting function calls at runtime.	Hook `window.fetch` to log all network requests.
Source Map Analysis	Reconstructing original source from `.js` files.	Look for `.js` files and use `unwebpack-sourcemap`.
`grep` / Search	Static analysis for keywords.	`grep -E 'api_key\|token' *.js`