While assessing a web application, it is expected to enumerate information residing inside static ".js" and ".json" files.
This tool tries to help with this "initial" phase, which should be followed by manual review/analysis of the reported issues.
Note: Like many other tools of the same nature, this tool is expected to produce false positives. Also, as it is meant to be used as a helper tool, but it does not replace manual review/analysis (nothing really can).
- Scans for secrets / credentials
- It uses Shannon entropy to improve the confidence level.
- Scans for subdomains
- Scans for cloud URLs
- Support for (AWS, Azure, Google, CloudFront, Digital Ocean, Oracle, Alibaba, Firebase, Rackspace, Dream Host)
- Tries to identify "dependency confusion" issues.
- Reports a critical issue when a dependency or an organization is missing from the NPM registry.
- Reports informational issues for identified dependencies.
- Actively tries to guess the common location of the ".map" files;
- It can also (passively) parse inline base64 JS map files.
How to use this tool
In a nutshell: Passive scans are invoked automatically, while active scans require manual invocation ( by right-clicking your targets) from the site map or other Burp windows.
The tool contains two main scans:
- Passive scans, which are enabled by default (to search for inline JS map files, secrets, subdomains and cloud URLs).
For the best results, ensure to navigate your target first in order for all the static files to be loaded then right-click on the target domain (example.com) from Burp Suite's site map tree, then select one of "JS Miner" scan options.
Note:JS Source mapper scan is not included in Burp's "Active scan".
|Author||Mina M. Edwar|
|Last updated||04 November 2021|
You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.
|You can view the source code for this BApp by visiting our GitHub page.|
|Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.|
Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.