Skip to content

Asbawy/dedjs

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation


Dedjs

A high-performance, asynchronous JavaScript reconnaissance toolkit for security researchers and bug bounty hunters.

FeaturesInstallationUsagePatterns


dedjs is an asynchronous JavaScript reconnaissance toolkit designed to hunt for secrets, hidden API endpoints, and potential client-side vulnerabilities in massive JavaScript bundles. Powered by httpx and asyncio, dedjs automatically reconstructs unminified source trees from source maps, extracts contextual code snippets, classifies vulnerabilities, and flags obfuscated script blocks to streamline target triage.

Features

  • Asynchronous & Concurrent: Rewritten from the ground up using asyncio and httpx for high-performance concurrent downloading and scanning.
  • Source Map Directory Reconstruction: Rebuilds the original unminified developer directory structure (unpacked/) based on .map files rather than dumping code into a single flat file.
  • Contextual Code Snippets: Automatically captures the surrounding code block (before and after matches) to provide instant triage value.
  • Contextual DOM-XSS Engine: Pairs dangerous sinks (like innerHTML or eval) with user input sources found in the same file to identify high-confidence vulnerabilities.
  • Obfuscation Detection: Flags scripts packed with Obfuscator.io, JSFuck, AAEncode, JJEncode, Dean Edwards packers, or heavy hex/array mapping.
  • Interactive HTML Dashboards: Generates fully-featured responsive HTML reports containing categories tabs, interactive charts, and text searches.
  • Deduplication Mode: Condenses duplicate findings across multiple targets into a single, clean deduplicated master list.
  • Customizable Patterns: Load all regex patterns (API keys, endpoints, patterns, etc.) from a simple patterns.json file.

Installation

dedjs requires Python 3 and is lightweight to run.

git clone https://github.com/Asbawy/dedjs.git
cd dedjs
pip install -r requirements.txt

Usage

Pass URLs via an input file or pipe them directly from tools like gau, waybackurls, or waymore.

Basic Execution

# Scan from a URL list file and generate an HTML report
python3 dedjs.py -f urls.txt --html report.html

# Pipe from another tool with deduplication enabled
cat urls.txt | python3 dedjs.py -1

# Use in pipelines with katana
katana -u https://target.com | grep "\.js" | python3 dedjs.py --html report.html

Advanced Modes

# Focus exclusively on Secrets (API keys, credentials, tokens...)
python3 dedjs.py -f urls.txt -S

# Focus exclusively on Parameters & Endpoints
python3 dedjs.py -f urls.txt -P

# Both modes — full scan saving markdown and HTML dashboards
python3 dedjs.py -f urls.txt -A --html dashboard.html

# Scan a local folder without downloading, sanitizing old data first
python3 dedjs.py --no-download -o javascripts/ --clean

CLI Options

Flags:
  -f, --file        Input text file containing URLs [Required/stdin fallback]
  -A, --all         Run scan with everything enabled (forces Markdown generation)
  -o, --output      Custom directory to save downloaded JS / Source Map files (Default: javascripts)
  -m, --markdown    Save the contextual analyzer report as markdown (Default: report.md)
  -j, --json        Save findings to JSON format
  -r, --report      Output a plaintext colored log file (Default: report.txt)
  -1, --unique      Deduplicate terminal & plaintext report across all files
  -v, --verbose     Print verbose errors (e.g., source map decoding issues)
  -T, --timeout     HTTP timeout in seconds for downloads (Default: 15)
  --patterns        Path to your custom patterns.json (Default: patterns.json)
  -P, --params      Focus scan exclusively on URL Parameters & Endpoints
  -S, --secrets     Focus scan exclusively on Secrets & API Keys
  --no-obfuscate    Disable wildcard obfuscation detection engine
  --no-download     Skip network requests, only scan existing .js files locally
  -t, --threads     Concurrency limit for downloads & scans (Default: 20)
  --clean           Clean the output directory before starting downloads/scans
  --verify-ssl      Enable strict SSL verification during HTTP requests
  --html            Generate an interactive HTML report to specified FILE

📄 Output Reports

1. Interactive HTML Dashboard (--html dashboard.html)

A standalone interactive dashboard featuring:

  • Scanned stats cards
  • Collapsible categories tabs showing extracted matches
  • Contextual snippet viewer
  • Security vulnerabilities table mapping severity (Critical, High, Medium) to code evidence
  • In-page search filtering

2. Markdown (-m report.md or -A)

A structured markdown report mapping extracted values and clean context snippets side-by-side in comparative tables, along with a vulnerability analysis and summary section.

3. JSON Reports (-j report.json)

Programmatic export format mapping every matched asset to its categorized findings sets, ideal for chaining with other tools in pipelines.

Patterns

Dedjs loads all patterns from patterns.json. You can add your own categories:

{
  "My Custom Patterns": [
    "(?i)my_secret_key\\s*[:=]\\s*[\"']([A-Za-z0-9]{32})[\"']",
    "https?://internal\\.corp\\.local/[a-z0-9/]+"
  ]
}

No code changes needed — just edit the JSON and re-run.


Disclaimer

dedjs is a static analysis utility, not an automated vulnerability scanner. The contextual engine helps reduce noise, but it will still generate false positives. You should manually review and verify all findings.

⭐ If this tool helped you find a bug, consider giving it a star!

About

DEDJS is a context-aware JavaScript static analysis tool designed for bug bounty and pentesting. It reduces false positives by correlating user-controlled sources with dangerous sinks, enabling accurate detection of vulnerabilities like DOM XSS, IDOR, and SSRF.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages