A high-performance, asynchronous JavaScript reconnaissance toolkit for security researchers and bug bounty hunters.
Features • Installation • Usage • Patterns
dedjs is an asynchronous JavaScript reconnaissance toolkit designed to hunt for secrets, hidden API endpoints, and potential client-side vulnerabilities in massive JavaScript bundles. Powered by httpx and asyncio, dedjs automatically reconstructs unminified source trees from source maps, extracts contextual code snippets, classifies vulnerabilities, and flags obfuscated script blocks to streamline target triage.
- Asynchronous & Concurrent: Rewritten from the ground up using `asyncio` and `httpx` for high-performance concurrent downloading and scanning.
- Source Map Directory Reconstruction: Rebuilds the original unminified developer directory structure (`unpacked/`) based on `.map` files rather than dumping code into a single flat file.
- Contextual Code Snippets: Automatically captures the surrounding code block (before and after matches) to provide instant triage value.
- Contextual DOM-XSS Engine: Pairs dangerous sinks (like `innerHTML` or `eval`) with user input sources found in the same file to identify high-confidence vulnerabilities.
- Obfuscation Detection: Flags scripts packed with Obfuscator.io, JSFuck, AAEncode, JJEncode, Dean Edwards packers, or heavy hex/array mapping.
- Interactive HTML Dashboards: Generates fully-featured responsive HTML reports containing category tabs, interactive charts, and text search.
- Deduplication Mode: Condenses duplicate findings across multiple targets into a single, clean deduplicated master list.
- Customizable Patterns: Load all regex patterns (API keys, endpoints, patterns, etc.) from a simple `patterns.json` file.
dedjs requires Python 3 and is lightweight to run.
```bash
git clone https://github.com/Asbawy/dedjs.git
cd dedjs
pip install -r requirements.txt
```

Pass URLs via an input file or pipe them directly from tools like gau, waybackurls, or waymore.
```bash
# Scan from a URL list file and generate an HTML report
python3 dedjs.py -f urls.txt --html report.html
# Pipe from another tool with deduplication enabled
cat urls.txt | python3 dedjs.py -1
# Use in pipelines with katana
katana -u https://target.com | grep "\.js" | python3 dedjs.py --html report.html
```

```bash
# Focus exclusively on Secrets (API keys, credentials, tokens...)
python3 dedjs.py -f urls.txt -S
# Focus exclusively on Parameters & Endpoints
python3 dedjs.py -f urls.txt -P
# Both modes — full scan saving markdown and HTML dashboards
python3 dedjs.py -f urls.txt -A --html dashboard.html
# Scan a local folder without downloading, sanitizing old data first
python3 dedjs.py --no-download -o javascripts/ --clean
```

Flags:
```
-f, --file        Input text file containing URLs [Required/stdin fallback]
-A, --all         Run scan with everything enabled (forces Markdown generation)
-o, --output      Custom directory to save downloaded JS / Source Map files (Default: javascripts)
-m, --markdown    Save the contextual analyzer report as markdown (Default: report.md)
-j, --json        Save findings to JSON format
-r, --report      Output a plaintext colored log file (Default: report.txt)
-1, --unique      Deduplicate terminal & plaintext report across all files
-v, --verbose     Print verbose errors (e.g., source map decoding issues)
-T, --timeout     HTTP timeout in seconds for downloads (Default: 15)
--patterns        Path to your custom patterns.json (Default: patterns.json)
-P, --params      Focus scan exclusively on URL Parameters & Endpoints
-S, --secrets     Focus scan exclusively on Secrets & API Keys
--no-obfuscate    Disable wildcard obfuscation detection engine
--no-download     Skip network requests, only scan existing .js files locally
-t, --threads     Concurrency limit for downloads & scans (Default: 20)
--clean           Clean the output directory before starting downloads/scans
--verify-ssl      Enable strict SSL verification during HTTP requests
--html            Generate an interactive HTML report to specified FILE
```

The HTML report (`--html`) is a standalone interactive dashboard featuring:
- Scanned stats cards
- Collapsible category tabs showing extracted matches
- Contextual snippet viewer
- Security vulnerabilities table mapping severity (Critical, High, Medium) to code evidence
- In-page search filtering
The Markdown report (`-m`) is a structured report that maps extracted values and clean context snippets side-by-side in comparative tables, along with a vulnerability analysis and summary section.
The JSON export (`-j`) is a programmatic export format that maps every matched asset to its categorized sets of findings, ideal for chaining with other tools in pipelines.
dedjs loads all patterns from patterns.json. You can add your own categories:

```json
{
  "My Custom Patterns": [
    "(?i)my_secret_key\\s*[:=]\\s*[\"']([A-Za-z0-9]{32})[\"']",
    "https?://internal\\.corp\\.local/[a-z0-9/]+"
  ]
}
```

No code changes needed — just edit the JSON and re-run.
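A pre-flight check for a custom patterns.json, as an added example that is not part of dedjs: it compiles every pattern and runs the valid ones over a constructed JavaScript sample, so a broken regex or a pattern that never matches shows up before a scan. It assumes dedjs compiles patterns with Python's `re` module; `load_patterns`, `scan`, the deliberately broken third pattern and the sample input are hypothetical.

```python
import json
import re

# Constructed patterns.json: the two sample patterns from above plus one
# deliberately broken regex (unterminated character set).
PATTERNS_JSON = r'''{
  "My Custom Patterns": [
    "(?i)my_secret_key\\s*[:=]\\s*[\"']([A-Za-z0-9]{32})[\"']",
    "https?://internal\\.corp\\.local/[a-z0-9/]+",
    "token=([A-Za-z0-9"
  ]
}'''

# Constructed JavaScript sample with dummy values.
SAMPLE_JS = '''const cfg = {
  MY_SECRET_KEY: "0123456789abcdefABCDEF0123456789",
  api: "https://internal.corp.local/v1/users",
  my_secret_key: "tooshort"
};
'''

def load_patterns(text):
    """Compile every pattern; return ({category: [regex]}, [(category, raw, error)])."""
    compiled, errors = {}, []
    for category, patterns in json.loads(text).items():
        for raw in patterns:
            try:
                compiled.setdefault(category, []).append(re.compile(raw))
            except (re.error, TypeError) as exc:
                errors.append((category, raw, str(exc)))
    return compiled, errors

def scan(compiled, source):
    """Return (category, line_no, value) for every match in source."""
    hits = []
    for category, regexes in compiled.items():
        for rx in regexes:
            for m in rx.finditer(source):
                # This example's choice: report group 1 when the pattern has one.
                value = m.group(1) if rx.groups else m.group(0)
                line_no = source.count("\n", 0, m.start()) + 1
                hits.append((category, line_no, value))
    return hits

if __name__ == "__main__":
    compiled, errors = load_patterns(PATTERNS_JSON)
    for category, raw, msg in errors:
        print(f"INVALID [{category}] {raw!r}: {msg}")
    for hit in scan(compiled, SAMPLE_JS):
        print(hit)
```

The 8-character `my_secret_key` value on the last line of the sample is not reported, because the first pattern requires exactly 32 alphanumeric characters between the quotes.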
dedjs is a static analysis utility, not an automated vulnerability scanner. The contextual engine helps reduce noise, but it will still generate false positives. You should manually review and verify all findings.