A Chrome/Firefox extension that passively detects exposed JavaScript source map (.map) files as you browse.
Adapted from DotGit by davtur19. DotGit detects exposed `.git` repositories. DotMap takes the same passive-detection approach and applies it to JavaScript source maps — a different misconfiguration, different attack surface.
Detecting exposed .git directories is effective, but most WAFs (Web Application Firewalls) have rules to block or blacklist clients that probe for /.git/. This makes systematic detection noisy and likely to get you blocked.
JavaScript source maps are a different story. During development, bundlers like Webpack, Vite, and Rollup generate .map files that map minified/bundled code back to the original source. These files are essential for debugging — but they should never reach production servers.
They frequently do. CI/CD pipelines often forget to strip them, or deploy them alongside the JS assets without realizing the implication: anyone who requests app.abc123.js.map gets the complete original source code, including:
- Business logic
- Internal API routes and parameters
- Hardcoded secrets or tokens left in dev code
- Internal architecture and module structure
Unlike .git probing (one request per domain, easily detected), map file checks are per-asset and blend in naturally with normal browsing traffic. There is no single endpoint to block.
- The extension registers a `webRequest.onCompleted` listener that watches every network request your browser makes.
- For each `.js` file that loads, it sends a `HEAD` request to `<same-url>.map`.
- If the server responds with HTTP `200`, the file is publicly accessible and a finding is recorded.
- A badge counter updates on the extension icon. A toast notification is injected into the page (no Chrome system popups).

Deduplication is handled in-memory per session, so each unique JS URL is only checked once.
- Passive detection — works silently as you browse, no manual scanning
- Groups findings by domain in the popup
- Open all maps from a domain in one click
- Real-time filter by domain or path
- Configurable toast notifications (duration, on/off)
- Domain blacklist with wildcard support
- Badge counter on the extension icon
Chrome:
- Go to `chrome://extensions`
- Enable Developer mode (top-right toggle)
- Click Load unpacked and select the project folder

Firefox:
- Go to `about:debugging` → This Firefox
- Click Load Temporary Add-on
- Select the `manifest.json` file
Install the extension and browse normally. When a site has exposed source maps, you will see:
- The badge counter increment on the extension icon
- A toast notification in the bottom-right corner of the page
- Full listing in the popup, grouped by domain
Click any .map link to open the source map directly. Use Open all to open every map from a domain at once.
| Option | Default | Description |
|---|---|---|
| Notification | On | Show toast when new map is found |
| Toast duration | 5s | How long the toast stays visible |
| Max findings shown | 500 | Limit for the popup list |
| Blacklist | localhost | Hostnames to skip (wildcards supported) |
| Debug mode | Off | Logs to the service worker console |
This tool is intended for:
- Security professionals performing authorized penetration tests
- Bug bounty hunters operating within program scope
- Developers auditing their own deployments
- Security researchers and educators
Use only on systems you are authorized to test. Exposing source maps is a misconfiguration on the server side — the responsibility for fixing it lies with the site owner.
dotmap.js — background service worker (core logic)
manifest.json — extension manifest (MV3)
popup/ — extension popup UI
options/ — settings page
icons/ — extension icons
lib/ — Materialize CSS
- Materialize CSS — popup styling