Unmasking the Code: JS Analyzer Automates JavaScript Recon & Secret Discovery
JS Analyzer
A powerful Burp Suite extension for JavaScript static analysis. Extracts API endpoints, URLs, secrets, and email addresses from JavaScript files with intelligent noise filtering. The goal is to reduce noise as much as possible so that findings stay accurate.
Features
- Endpoint Detection – Finds API paths, REST endpoints, OAuth URLs, admin routes
- URL Extraction – Extracts full URLs including cloud storage (AWS S3, Azure, GCP)
- Secret Scanning – Detects API keys, tokens, credentials (AWS, Stripe, GitHub, Slack, JWT, etc.)
- Email Extraction – Finds email addresses in JS code
- File Detection – Detects references to sensitive files (.sql, .csv, .bak, .env, .pdf, etc.)
- Smart Filtering – Removes noise from XML namespaces, module imports, build artifacts
- Source Tracking – Shows which JS file each finding came from
- Live Search – Filter results in real-time
- Copy Function – Copy individual or all findings to clipboard
- JSON Export – Export all findings to JSON file
What It Detects
Endpoints
| Pattern | Example |
|---|---|
| API paths | /api/v1/users, /api/v2/auth |
| REST endpoints | /rest/data, /graphql |
| OAuth/Auth | /oauth2/token, /auth/login, /callback |
| Admin routes | /admin, /dashboard, /internal |
| Well-known | /.well-known/openid-configuration |
Secrets
| Type | Pattern |
|---|---|
| AWS Access Key | AKIA[0-9A-Z]{16} |
| Google API Key | AIza[0-9A-Za-z\-_]{35} |
| Stripe Live Key | sk_live_[0-9a-zA-Z]{24,} |
| GitHub PAT | ghp_[0-9a-zA-Z]{36} |
| Slack Token | xox[baprs]-... |
| JWT | eyJ... |
| Private Keys | -----BEGIN PRIVATE KEY----- |
| Database URLs | mongodb://, postgres://, mysql:// |
Note: Feel free to fork and add more secret detections as required.
Noise Filtering
The extension automatically filters out:
- XML namespaces (schemas.openxmlformats.org, www.w3.org)
- Module imports (./, ../, @angular/, etc.)
- PDF internal paths (/Type, /Font, /Filter)
- Excel/XML paths (xl/, docProps/, worksheets/)
- Locale files (en.js, fr-ca.js)
- Crypto library internals (sha.js, aes, bn.js)
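To show how the Secrets table and the noise list above combine when auditing your own build output before release, here is an added example; it is not the extension's code. The candidate-string rule, the way each noise rule is matched, the redaction step and all function names are assumptions, and the sample bundle is constructed with fake key-shaped strings.

```python
import re

# Fully specified patterns from the Secrets table above.
SECRET_PATTERNS = {
    "AWS Access Key": r"AKIA[0-9A-Z]{16}",
    "Google API Key": r"AIza[0-9A-Za-z\-_]{35}",
    "Stripe Live Key": r"sk_live_[0-9a-zA-Z]{24,}",
    "GitHub PAT": r"ghp_[0-9a-zA-Z]{36}",
}
# Assumption: a candidate path/URL is any quoted, whitespace-free string containing "/".
CANDIDATE = re.compile(r"""["'`]([^"'`\s]*/[^"'`\s]*)["'`]""")
# Noise rules from the Noise Filtering list above (how each is matched is assumed).
NOISE_HOSTS = ("schemas.openxmlformats.org", "www.w3.org")
NOISE_PREFIXES = ("./", "../", "@angular/", "xl/", "docProps/", "worksheets/")
NOISE_EXACT = {"/Type", "/Font", "/Filter"}
NOISE_BASENAME = re.compile(r"^(?:[a-z]{2}(?:-[a-z]{2})?\.js|sha\.js|aes|bn\.js)$")

def is_noise(value):
    """Return True if a candidate string matches one of the noise rules."""
    basename = value.rsplit("/", 1)[-1]
    return (any(host in value for host in NOISE_HOSTS)
            or value.startswith(NOISE_PREFIXES)
            or value in NOISE_EXACT
            or NOISE_BASENAME.match(basename) is not None)

def redact(secret):  # keep a short prefix only, so reports never carry the credential
    return secret[:8] + "*" * (len(secret) - 8)

def analyze(js_source, source_name):
    """Scan one JS file; return (source, kind, value) findings with secrets redacted."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in re.finditer(pattern, js_source):
            findings.append((source_name, kind, redact(m.group(0))))
    for m in CANDIDATE.finditer(js_source):
        if not is_noise(m.group(1)):
            findings.append((source_name, "Endpoint", m.group(1)))
    return findings

# Constructed sample bundle; the key-shaped strings are fake and built by concatenation.
SAMPLE_JS = """import { Component } from '@angular/core'; const ns = "http://www.w3.org/2000/svg";
const cfg = { key: "%s", gh: "%s" };
fetch("/api/v1/users"); fetch('/oauth2/token');
require("./locale/fr-ca.js"); const font = "/Font";
""" % ("AKIA" + "EXAMPLEEXAMPLE12", "ghp_" + "a" * 36)

if __name__ == "__main__":
    print(*analyze(SAMPLE_JS, "app.bundle.js"), sep="\n")
```

Of the eight quoted strings in the sample, the four noise entries are dropped, the two key-shaped values are reported redacted, and only the two real routes survive as endpoints.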
Files
Detects references to sensitive file types:
| Category | Extensions |
|---|---|
| Data | .sql, .csv, .xlsx, .json, .xml, .yaml |
| Config | .env, .conf, .ini, .cfg, .config |
| Backup | .bak, .backup, .old, .orig |
| Certs | .key, .pem, .crt, .p12, .pfx |
| Docs | .pdf, .doc, .docx |
| Archives | .zip, .tar, .gz |
| Scripts | .sh, .bat, .ps1, .py |
Download & Use