A powerful Burp Suite extension for JavaScript static analysis. It extracts API endpoints, URLs, secrets, and email addresses from JavaScript files with intelligent noise filtering. The goal is to reduce noise as much as possible so that the findings are accurate.
- Endpoint Detection - Finds API paths, REST endpoints, OAuth URLs, admin routes
- URL Extraction - Extracts full URLs including cloud storage (AWS S3, Azure, GCP)
- Secret Scanning - Detects API keys, tokens, credentials (AWS, Stripe, GitHub, Slack, JWT, etc.)
- Email Extraction - Finds email addresses in JS code
- File Detection - Detects references to sensitive files (.sql, .csv, .bak, .env, .pdf, etc.)
- Smart Filtering - Removes noise from XML namespaces, module imports, build artifacts
- Source Tracking - Shows which JS file each finding came from
- Live Search - Filter results in real-time
- Copy Function - Copy individual or all findings to clipboard
- JSON Export - Export all findings to JSON file
- Download the Jython standalone JAR
- In Burp Suite:
  - Extensions > Extensions Settings > Python Environment: set the Jython JAR path
  - Extensions > Installed > Add: select Python as the extension type and browse to js_analyzer.py
- Browse websites with your browser proxied through Burp Suite
- Right-click on any request(s) whose response contains JS in either of the following tabs:
  - Proxy > HTTP history
  - Target > Site map
  - Repeater
- Select "Analyze JS with JS Analyzer"
- Check the JS Analyzer tab for results

You can select multiple requests from HTTP history or the Dashboard and send them all together to JS Analyzer.
| Pattern | Example |
|---|---|
| API paths | /api/v1/users, /api/v2/auth |
| REST endpoints | /rest/data, /graphql |
| OAuth/Auth | /oauth2/token, /auth/login, /callback |
| Admin routes | /admin, /dashboard, /internal |
| Well-known | /.well-known/openid-configuration |
| Type | Pattern |
|---|---|
| AWS Access Key | AKIA[0-9A-Z]{16} |
| Google API Key | AIza[0-9A-Za-z\-_]{35} |
| Stripe Live Key | sk_live_[0-9a-zA-Z]{24,} |
| GitHub PAT | ghp_[0-9a-zA-Z]{36} |
| Slack Token | xox[baprs]-... |
| JWT | eyJ... |
| Private Keys | -----BEGIN PRIVATE KEY----- |
| Database URLs | mongodb://, postgres://, mysql:// |
Note: feel free to fork and add more secret detections as required.
The extension automatically filters out:
- XML namespaces (schemas.openxmlformats.org, www.w3.org)
- Module imports (./, ../, @angular/, etc.)
- PDF internal paths (/Type, /Font, /Filter)
- Excel/XML paths (xl/, docProps/, worksheets/)
- Locale files (en.js, fr-ca.js)
- Crypto library internals (sha.js, aes, bn.js)
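To make the secret table and the noise filter concrete, here is an added, self-contained example (not the extension's own engine) that applies the patterns from the table above to a constructed JS snippet, drops PDF-internal paths from the endpoint candidates, and masks each secret before reporting it. The `SECRET_PATTERNS`, `NOISE_PREFIXES`, `mask` and `analyze` names are this example's own.

```python
import re

# Secret patterns as listed in the README table (private keys and database
# URLs are given there only as prefixes, so they are completed here).
SECRET_PATTERNS = {
    "AWS Access Key": r"AKIA[0-9A-Z]{16}",
    "Google API Key": r"AIza[0-9A-Za-z\-_]{35}",
    "Stripe Live Key": r"sk_live_[0-9a-zA-Z]{24,}",
    "GitHub PAT": r"ghp_[0-9a-zA-Z]{36}",
    "Private Key": r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----",
    "Database URL": r"""(?:mongodb|postgres|mysql)://[^\s'"]+""",
}
# Quoted absolute paths are endpoint candidates; PDF-internal names are noise.
ENDPOINT_RE = re.compile(r"""['"](/[A-Za-z0-9_./-]+)['"]""")
NOISE_PREFIXES = ("/Type", "/Font", "/Filter")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample input; the AWS value is the public AWS documentation
# example key, not a real credential.
SAMPLE_JS = (
    "fetch('/api/v1/users'); fetch('/rest/data'); fetch('/admin');\n"
    "var pdf = {'/Type': '/Font', '/Filter': 'FlateDecode'};\n"
    "var key = 'AKIAIOSFODNN7EXAMPLE';\n"
    "var g = 'AIza" + "X" * 35 + "';\n"
    "var db = 'postgres://db.internal:5432/prod';\n"
    "contact = 'security@example.com';\n"
)

def mask(value, keep=4):
    """Redact the middle of a secret so findings can be shared safely."""
    if len(value) <= keep * 2:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep * 2) + value[-keep:]

def analyze(js):
    """Return endpoints, masked secrets and emails found in a JS string."""
    endpoints = []
    for m in ENDPOINT_RE.finditer(js):
        path = m.group(1)
        if path.startswith(NOISE_PREFIXES) or path in endpoints:
            continue  # PDF-internal noise or duplicate
        endpoints.append(path)
    secrets = [
        {"type": kind, "value": m.group(0), "masked": mask(m.group(0))}
        for kind, pat in SECRET_PATTERNS.items()
        for m in re.finditer(pat, js)
    ]
    emails = sorted(set(EMAIL_RE.findall(js)))
    return {"endpoints": endpoints, "secrets": secrets, "emails": emails}
```

Running `analyze(SAMPLE_JS)` yields three endpoints (the PDF dictionary keys are dropped), three masked secrets and one email address.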
Detects references to sensitive file types:
| Category | Extensions |
|---|---|
| Data | .sql, .csv, .xlsx, .json, .xml, .yaml |
| Config | .env, .conf, .ini, .cfg, .config |
| Backup | .bak, .backup, .old, .orig |
| Certs | .key, .pem, .crt, .p12, .pfx |
| Docs | .pdf, .doc, .docx |
| Archives | .zip, .tar, .gz |
| Scripts | .sh, .bat, .ps1, .py |
For use in your own Python projects or APIs:

```python
from js_analyzer_engine import JSAnalyzerEngine

engine = JSAnalyzerEngine()
results = engine.analyze(javascript_content)

print(results["endpoints"])  # ['/api/v1/users', ...]
print(results["urls"])       # ['https://api.example.com', ...]
print(results["secrets"])    # [{'type': 'AWS Key', 'value': '...', 'masked': '...'}, ...]
print(results["emails"])     # ['[email protected]', ...]
```

```python
from flask import Flask, request, jsonify
from js_analyzer_engine import JSAnalyzerEngine

app = Flask(__name__)
engine = JSAnalyzerEngine()

@app.route('/analyze', methods=['POST'])
def analyze():
    content = request.json.get('content', '')
    results = engine.analyze(content)
    return jsonify(results)

if __name__ == '__main__':
    app.run(port=5000)
```

```
JSextension/
├── js_analyzer.py        # Main Burp extension entry point
├── ui/
│   ├── __init__.py
│   └── results_panel.py  # Burp UI panel
├── README.md
└── LICENSE
```
Contributions are welcome! Feel free to:
- Add new secret patterns
- Improve noise filtering
- Add new endpoint patterns
- Report bugs or issues
MIT License - see LICENSE file.
Inspired by:
Jenish Sojitra (https://x.com/_jensec)
Created with ❤️ for the InfoSec and Tech community.