1 - Gather Jsfile Links from different sources. 2 - Import File Containing JSUrls 3 - Extract Endpoints from Jsfiles 4 - Find Secrets from Jsfiles 5 - Get Jsfiles store locally for manual analysis 6 - Make a Wordlist from Jsfiles 7 - Extract Variable names from jsfiles for possible XSS. 8 - Scan JsFiles For DomXSS.
There are two ways of executing this script: Either locally on the host machine or within a Docker container
Installing all dependencies locally
Note: Make sure you have installed golang properly before running installation script locally.
$ sudo chmod +x install.sh $ ./install.sh
Building the docker container
When using the docker version, everything will be installed automatically. You just have to execute the following commands:
$ git clone https://github.com/KathanP19/JSFScan.sh $ cd JSFScan/ $ docker build . -t jsfscan
In order to start the pre-configured container run the following command:
$ docker run -it jsfscan "/bin/bash"
After that an interactive bash session should be opened.
Target List should be with
http:// use httpx or httprobe for this.
And if you want to add cookie then edit the command at line 23
cat $target | hakrawler -js -cookie "cookie here" -depth 2 -scope subs -plain >> jsfile_links.txt
NOTE: If you feel tool is slow just comment out hakrawler line at 23 in JSFScan.sh script , but it might result in little less jsfileslinks.
_______ ______ _______ ______ _ (_______/ _____(_______/ _____) | | _ ( (____ _____ ( (____ ____ _____ ____ ___| |__ _ | | ____ | ___) ____ / ___(____ | _ /___| _ | |_| | _____) | | _____) ( (___/ ___ | | | |_|___ | | | | ___/ (______/|_| (______/ _________|_| |_(_(___/|_| |_| Usage: -l Gather Js Files Links -f Import File Containing JS Urls -e Gather Endpoints For JSFiles -s Find Secrets For JSFiles -m Fetch Js Files for manual testing -o Make an Output Directory to put all things Together -w Make a wordlist using words from jsfiles -v Extract Vairables from the jsfiles -d Scan for Possible DomXSS from jsfiles