Find vulnerable external JS calls trying to include javascript from domains that don't exist


This script is a penetration tester's recon tool that verifies whether a page's external JavaScript calls point to valid domains.

Inspired by this story of how an NHS developer mistakenly requested JavaScript from (extra 's'). A malicious actor was able to purchase the misspelling of the domain name and served malicious JavaScript to over 800 NHS pages.

Requires PhantomJS (apt-get install phantomjs or brew install phantomjs).

usage: [-h] [-o output] [-u URL] [-w url_list]

Check for misspelled or expired external JS calls

optional arguments:
  -h, --help   show this help message and exit
  -o output    Output file to write to
  -u URL       Single URL to scan
  -w url_list  A file containing multiple URLs to scan


python -u http://localhost/index.html -o outfile <<< doesnt exist!
full error:
URL: http://localhost/index.html

An output file is written only if positive results are found.