This tool tries to find interesting stuff inside static files; mainly JavaScript and JSON files.
While assessing a web application, it is expected to enumerate information residing inside static files such as JavaScript or JSON resources.
This tool tries to help with this "initial" recon phase, which should be followed by manual review/analysis of the reported issues.
Note: Like many other tools of the same nature, this tool is expected to produce false positives. Also, as it is meant to be used as a helper tool, but it does not replace manual review/analysis (nothing really can).
- Uses Shannon entropy to improve the confidence level.
- A good resource to verify found API keys:
- Nothing special here.
- Support for (AWS, Azure, Google, CloudFront, Digital Ocean, Oracle, Alibaba, Firebase, Rackspace, Dream Host)
- Reports a critical issue when a dependency or an organization is missing from the NPM registry.
- Reports informational issues for identified dependencies.
- Tries to construct source code from JavaScript Source Map Files (if found).
- Actively tries to guess the common location of the ".map" files;
- It can also (passively) parse inline base64 JS map files.
- A one-click option to dump static files from one or multiple websites.
- Think
ctrl+A
in your Burp'ssitemap
, then dump all static files. - You can use this feature to run your custom tools to find specific patterns for example.
- Tries to find
GET
/POST
/PUT
/DELETE
/PATCH
API endpoints.
- Download from BApp Store, or download the pre-built "jar" file from "Releases" then load it normally to your Burp Suite.
- Passive scans are invoked automatically, while active scans require manual invocation ( by right-clicking your targets) from the site map or other Burp windows.
- No configuration needed, no extra Burp Suite tab.
- Just install and maybe enjoy.
The tool contains two main scans:
- Passive scans, which are enabled by default (to search for inline JS map files, secrets, subdomains and cloud URLs).
- Actively try to guess JavaScript source map files. (During the process, HTTP requests will be sent)
- Ensure to navigate your target first in order for all the static files to be loaded;
- Passive scans will trigger automatically. Ensure Burp's Sitemap is displaying your target's static files.
- Then right-click on the target domain (example.com) from Burp Suite's site map tree, then select one of "JS Miner" scan options.
- Sometimes you may need to allow cookies to be sent by the extension. Check the wiki for how to do that.
As I'm using Burp Suite almost every day, my goal was to have a burp extension that searches for information inside static files. (Many good command-line tools are out there that are doing what this extension is doing)
I'm open for ideas/suggestions to help improve or optimize this tool.
- Stanislav Kravchenko: For suggesting the dependency confusion feature, besides helping with testing and improving the functionality.
git clone https://github.com/minamo7sen/burp-JS-Miner.git
cd burp-JS-Miner
gradle fatJar
Then, the jar file can be found at build/libs/burp-JS-Miner-all.jar
.
It is the user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not responsible for any misuse or damage caused by this tool.
This project is licensed under the terms of the Apache 2.0 open source license. Please refer to LICENSE for the full terms.