1. Support Center
  2. BApp Store
  3. JS Miner

JS Miner

This tool tries to find interesting stuff inside static files; mainly JavaScript and JSON files.


While assessing a web application, it is expected to enumerate information residing inside static ".js" and ".json" files.

This tool tries to help with this "initial" phase, which should be followed by manual review/analysis of the reported issues.

Note: Like many other tools of the same nature, this tool is expected to produce false positives. Also, as it is meant to be used as a helper tool, but it does not replace manual review/analysis (nothing really can).


  • Scans for secrets / credentials
    • It uses Shannon entropy to improve the confidence level.
  • Scans for subdomains
  • Scans for cloud URLs
    • Support for (AWS, Azure, Google, CloudFront, Digital Ocean, Oracle, Alibaba, Firebase, Rackspace, Dream Host)
  • Tries to identify "dependency confusion" issues.
    • Reports a critical issue when a dependency or an organization is missing from the NPM registry.
    • Reports informational issues for identified dependencies.
  • Tries to construct source code from JavaScript Source Map Files (if found).
    • Actively tries to guess the common location of the ".map" files;
    • It can also (passively) parse inline base64 JS map files.

How to use this tool

In a nutshell: Passive scans are invoked automatically, while active scans require manual invocation ( by right-clicking your targets) from the site map or other Burp windows.

More information

The tool contains two main scans:

  • Passive scans, which are enabled by default (to search for inline JS map files, secrets, subdomains and cloud URLs).
  • Actively try to guess JavaScript source map files. (During the process, HTTP requests will be sent)

For the best results, ensure to navigate your target first in order for all the static files to be loaded then right-click on the target domain (example.com) from Burp Suite's site map tree, then select one of "JS Miner" scan options.

Note:JS Source mapper scan is not included in Burp's "Active scan".

Author Mina M. Edwar
Version 1.14
Last updated 04 November 2021

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for this BApp by visiting our GitHub page.
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.
Download BApp

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore