BFScan: Uncover Hidden URLs, Paths, & Secrets in JAR/WAR/APK Files

BFScan – Tool for initial processing of APK / XAPK / DEX / JAR / WAR applications.

• Search for strings in source code and resources that look like URIs, paths, or secrets
• Generate raw HTTP requests and OpenAPI specifications based on config files, class and method annotations
  • Supported client libraries
    • Square Retrofit
    • Ktorfit
    • Feign
  • Supported server libraries
    • Spring Web Annotations
    • JAX-RS, Jakarta RESTful Web Services
    • JAX, Jakarta Servlet Annotations
    • Micronaut
    • web.xml Servlets
    • jetty.xml Servlets
    • Struts 1 & Struts 2 Actions
    • Swagger & OpenApi Annotations

Use

java -jar bfscan.jar <jar_war_apk> <...> [-m <mode>] [-ma <minifiedAnnotationsSupport>] [-r <mappingFile>] [-s <searchString>] [-u <url>] [-v <verbose>]

 -m <mode>                          Mode ([a]ll, [s]ecrets, [h]ttp), default: all
 -ma <minifiedAnnotationsSupport>   Minified or unknown annotations support (yes, no), default: yes
 -r <mappingFile>                   Deobfuscation mapping file
 -s <searchString>                  Search string
 -u <url>                           API base url (http://localhost/api/)
 -v <verbose>                       Log level (off, error, warn, info, debug, trace)

java -jar bfscan.jar test/*.apk -u https://example.tld/api/

Example

For this class using Spring annotations, the following results will be generated.

@RestController
@RequestMapping("/api")
public class UserController {

    @PostMapping("createUser")
    public String create(@RequestParam Optional<String> someParamName, @RequestBody User user) {
        return "response";
    }

Results

Method: com.mycompany.springbootexample.UserController->create

• Spring Method

  POST /api/createUser?someParamName=value HTTP/1.1
  Host: localhost
  Connection: close
  Content-Type: application/json
  
  {
    "name": "name",
    "age": 1
  }

Obfuscated code

If you are analyzing an application that uses a supported library, but its code is obfuscated, you can create a mapping file to replace the class names.

To do this, you can manually use the “Rename” function in the decompiled code in the jadx-gui, and then save the generated mapping file (File > Save mappings). Or use an example mapping file for Retrofit and modify it according to your application.

Example of analyzing an application with renaming classes using a mapping file.

java -jar BFScan.jar ./tests/example.apk -r ./tests/mapping.txt

Download