jenish-sojitra/JSAnalyzer

A Burp Suite extension for static analysis of JavaScript. It extracts API endpoints, URLs, secrets and email addresses from JavaScript files, with filtering tuned to suppress noise. The goal is to cut noise as far as possible so that the findings that remain are accurate and worth a tester's attention.


Features

  • Endpoint Detection - Finds API paths, REST endpoints, OAuth URLs, admin routes
  • URL Extraction - Extracts full URLs including cloud storage (AWS S3, Azure, GCP)
  • Secret Scanning - Detects API keys, tokens, credentials (AWS, Stripe, GitHub, Slack, JWT, etc.)
  • Email Extraction - Finds email addresses in JS code
  • File Detection - Detects references to sensitive files (.sql, .csv, .bak, .env, .pdf, etc.)
  • Smart Filtering - Removes noise from XML namespaces, module imports, build artifacts
  • Source Tracking - Shows which JS file each finding came from
  • Live Search - Filter results in real-time
  • Copy Function - Copy individual or all findings to clipboard
  • JSON Export - Export all findings to JSON file

Installation

  1. Download Jython standalone JAR
  2. In Burp Suite: Extensions > Extensions-Settings > Python Environment
  3. Set the Jython JAR path
  4. Extensions > Installed > Add
  5. Select Python and browse to js_analyzer.py

Usage

  1. Browse websites with your browser proxied through Burp Suite
  2. Right-click one or more requests whose response contains JavaScript, in any of the following tabs:
    • Proxy > HTTP history
    • Target > Site map
    • Repeater
  3. Select "Analyze JS with JS Analyzer"
  4. Check the JS Analyzer tab for results

You can select multiple requests in HTTP history or the Dashboard and send them all to JS Analyzer together.

What It Detects

Endpoints

| Pattern | Example |
|---|---|
| API paths | /api/v1/users, /api/v2/auth |
| REST endpoints | /rest/data, /graphql |
| OAuth/Auth | /oauth2/token, /auth/login, /callback |
| Admin routes | /admin, /dashboard, /internal |
| Well-known | /.well-known/openid-configuration |

Secrets

| Type | Pattern |
|---|---|
| AWS Access Key | AKIA[0-9A-Z]{16} |
| Google API Key | AIza[0-9A-Za-z\-_]{35} |
| Stripe Live Key | sk_live_[0-9a-zA-Z]{24,} |
| GitHub PAT | ghp_[0-9a-zA-Z]{36} |
| Slack Token | xox[baprs]-... |
| JWT | eyJ... |
| Private Keys | -----BEGIN PRIVATE KEY----- |
| Database URLs | mongodb://, postgres://, mysql:// |

Note: these patterns are a starting point; fork the project and add further detectors as required. A pattern match is only a candidate: the AKIA and AIza prefixes also match documented placeholder keys, and "eyJ" is simply the base64 encoding of '{"', so it matches any base64-encoded JSON object, not only JWTs. Check findings by hand before they go in a report.
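The following is an added example, not the extension's own engine: a regex secret scanner built from the table above, plus the two checks that keep such a scanner from drowning in false positives (a list of documented placeholder credentials, and a structural check that a candidate JWT header actually decodes to a JSON object with an "alg" claim). The exact regexes, the placeholder list, the masking rule and the sample JavaScript are this example's own assumptions.

```python
import base64
import json
import re

# Added example, not the extension's own engine. The patterns, the placeholder
# list and the masking rule are assumptions made for this example.
SECRET_PATTERNS = {
    "AWS Access Key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Google API Key": re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b"),
    "Stripe Live Key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "GitHub PAT": re.compile(r"\bghp_[0-9a-zA-Z]{36}\b"),
    "Slack Token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}"),
    "JWT": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"),
    "Private Key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "Database URL": re.compile(r"\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql)://[^\s'\"`]+"),
}

# Documented placeholder credentials that show up in SDK docs and test fixtures.
KNOWN_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE"}


def _b64url_json(segment):
    """Decode one base64url segment as JSON, or return None if it is not JSON."""
    try:
        return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:
        return None


def looks_like_jwt(token):
    """A string starting with 'eyJ' is just base64 of '{"'; insist on a JSON
    header object that carries an 'alg' claim before calling it a JWT."""
    header = _b64url_json(token.split(".")[0])
    return isinstance(header, dict) and "alg" in header


def mask(value):
    """Keep the first and last four characters so the finding stays recognisable
    without copying the whole credential into reports and clipboards."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_secrets(js):
    """Return [{'type', 'value', 'masked'}, ...] for each distinct candidate."""
    findings, seen = [], set()
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(js):
            value = match.group(0)
            if value in seen or value in KNOWN_PLACEHOLDERS:
                continue
            if name == "JWT" and not looks_like_jwt(value):
                continue
            seen.add(value)
            findings.append({"type": name, "value": value, "masked": mask(value)})
    return findings


# Constructed sample input; every value is invented or a documented placeholder.
SAMPLE_JS = r'''
const cfg = {
  aws: "AKIAIOSFODNN7EXAMPLE",                   // AWS documentation placeholder
  awsReal: "AKIAABCDEFGHIJKLMNOP",
  stripe: "sk_live_AbCdEfGhIjKlMnOpQrStUvWx",
  db: "postgres://app:s3cr3t@db.internal:5432/prod",
  session: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  flags: "eyJzb21ldGhpbmciOnRydWV9.abc.def"     // base64 JSON, but not a JWT
};
'''

if __name__ == "__main__":
    for f in scan_secrets(SAMPLE_JS):
        print(f["type"], f["masked"])
```

Run against the constructed sample, the placeholder AWS key and the non-JWT base64 string are dropped and four findings remain (AWS key, Stripe key, JWT, database URL). The "value" field still holds the raw credential; only "masked" is safe to paste into a report.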

Noise Filtering

The extension automatically filters out:

  • XML namespaces (schemas.openxmlformats.org, www.w3.org)
  • Module imports (./, ../, @angular/, etc.)
  • PDF internal paths (/Type, /Font, /Filter)
  • Excel/XML paths (xl/, docProps/, worksheets/)
  • Locale files (en.js, fr-ca.js)
  • Crypto library internals (sha.js, aes, bn.js)

Files

Detects references to sensitive file types:

| Category | Extensions |
|---|---|
| Data | .sql, .csv, .xlsx, .json, .xml, .yaml |
| Config | .env, .conf, .ini, .cfg, .config |
| Backup | .bak, .backup, .old, .orig |
| Certs | .key, .pem, .crt, .p12, .pfx |
| Docs | .pdf, .doc, .docx |
| Archives | .zip, .tar, .gz |
| Scripts | .sh, .bat, .ps1, .py |
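An added example covering the Endpoints, Noise Filtering and Files sections together (not the extension's own engine): it pulls quoted string literals out of JavaScript source, classifies each as an endpoint path, a full URL or a sensitive-file reference, and drops the noise classes listed above (XML namespaces, module imports, PDF internals, OOXML parts, locale files, crypto library internals). Every regex, filter list and the sample JavaScript are this example's own assumptions about what the extension does.

```python
import re
from urllib.parse import urlparse

# Added example, not the extension's engine; regexes and filter lists are assumptions.

# A quoted JS string literal; group 2 is the body. Apostrophes inside comments
# can pair up wrongly, so real tooling should strip comments first.
STRING_RE = re.compile(r"""(["'`])((?:\\.|(?!\1)[^\\\n])*)\1""")
URL_RE = re.compile(r'https?://[^\s\'"`<>)]+')
PATH_RE = re.compile(r"^/(?:[\w.\-~%]+/?)+(?:\?\S*)?$")
FILE_RE = re.compile(
    r"\.(?:sql|csv|xlsx|json|xml|ya?ml|env|conf|ini|cfg|config|bak|backup|old"
    r"|orig|key|pem|crt|p12|pfx|pdf|docx?|zip|tar|gz|sh|bat|ps1|py)$", re.I)

NOISE_HOSTS = {"schemas.openxmlformats.org", "www.w3.org"}
NOISE_PREFIXES = ("./", "../", "@", "xl/", "docProps/", "worksheets/")  # imports, OOXML parts
PDF_INTERNAL = {"/Type", "/Font", "/Filter", "/Pages", "/Length"}
CRYPTO_INTERNAL = {"sha.js", "aes", "bn.js", "md5.js"}
LOCALE_RE = re.compile(r"^[a-z]{2}(?:-[a-z]{2})?\.js$", re.I)


def is_noise(s):
    """True for strings that look like paths but carry no attack surface."""
    if s.startswith(NOISE_PREFIXES) or s in PDF_INTERNAL or s in CRYPTO_INTERNAL:
        return True
    if LOCALE_RE.match(s):
        return True
    return "://" in s and urlparse(s).netloc in NOISE_HOSTS


def extract(js):
    """Return sorted endpoints, full URLs and sensitive-file references."""
    endpoints, urls, files = set(), set(), set()
    for m in STRING_RE.finditer(js):
        s = m.group(2).strip()
        if not s or is_noise(s):
            continue
        if URL_RE.fullmatch(s):
            urls.add(s)
            path = urlparse(s).path   # a URL's path is classified like any other endpoint
        else:
            path = s
        if PATH_RE.match(path):
            endpoints.add(path)
        if FILE_RE.search(path):
            files.add(path)
    return {"endpoints": sorted(endpoints), "urls": sorted(urls), "files": sorted(files)}


# Constructed sample input; hosts, paths and bucket names are invented.
SAMPLE_JS = r'''
import { Injectable } from "@angular/core";
import helper from "./utils/helper";
const API = "https://api.example.com/api/v1/users";
fetch("/api/v2/auth/login", { method: "POST" });
const admin = "/admin/dashboard";
const svg = "http://www.w3.org/2000/svg";
const ooxml = "http://schemas.openxmlformats.org/spreadsheetml/2006/main";
const pdfKey = "/Type";
const sheet = "xl/worksheets/sheet1.xml";
const dump = "/backup/db.sql.bak";
const bucket = "https://my-bucket.s3.amazonaws.com/exports/report.csv";
const locale = "fr-ca.js";
'''

if __name__ == "__main__":
    for kind, items in extract(SAMPLE_JS).items():
        print(kind, items)
```

On the constructed sample the two namespace URLs, both module imports, the PDF key, the spreadsheet part and the locale file are all discarded, leaving five endpoints, two URLs (one of them an S3 object) and two file references. Working from string literals rather than from the raw text is what keeps substrings of minified code and regex literals out of the results.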

Standalone Engine

For use in your own Python projects or APIs:

from js_analyzer_engine import JSAnalyzerEngine

engine = JSAnalyzerEngine()
results = engine.analyze(javascript_content)   # javascript_content: the JS source as a string

print(results["endpoints"])  # ['/api/v1/users', ...]
print(results["urls"])       # ['https://api.example.com', ...]
print(results["secrets"])    # [{'type': 'AWS Key', 'value': '...', 'masked': '...'}, ...]  ('value' is the unredacted secret)
print(results["emails"])     # ['user@example.com', ...]

Flask API Example

from flask import Flask, request, jsonify, abort
from js_analyzer_engine import JSAnalyzerEngine

app = Flask(__name__)
engine = JSAnalyzerEngine()

MAX_CONTENT = 5 * 1024 * 1024  # cap the body so one caller cannot tie up the regex engine

@app.route('/analyze', methods=['POST'])
def analyze():
    body = request.get_json(silent=True) or {}   # None on a non-JSON body instead of an exception
    content = body.get('content')
    if not isinstance(content, str) or len(content) > MAX_CONTENT:
        abort(400)
    results = engine.analyze(content)
    return jsonify(results)

if __name__ == '__main__':
    app.run(port=5000)  # binds to 127.0.0.1 by default; keep it that way unless the API is authenticated

The engine returns each secret's raw value alongside the masked form, so any service that logs or stores these responses is itself holding the credentials.

File Structure

JSextension/
├── js_analyzer.py          # Main Burp extension entry point
├── ui/
│   ├── __init__.py
│   └── results_panel.py    # Burp UI panel
├── README.md
└── LICENSE

Contributing

Contributions are welcome! Feel free to:

  • Add new secret patterns
  • Improve noise filtering
  • Add new endpoint patterns
  • Report bugs or issues

License

MIT License - see LICENSE file.

Credits

Inspired by:

Author

Jenish Sojitra (https://x.com/_jensec)

Created with ❤️ for the InfoSec and Tech community.
