A tool designed to scrape a list of .js files and extract urls, as well as juicy information. (as long as you modify regex :P)
- Somewhere to run PHP. I've tested this on PHP 7.1.7 and I recommend running XAMPP locally so you can just run the PHP from your computer locally. You can grab XAMPP from here: https://www.apachefriends.org/index.html.
- Some PHP knowledge if you wish to modify the script
- InputScanner to scrape .js files
I recommend using my InputScanner to gather a list of .js files (https://github.com/zseano/InputScanner). It outputs in the following format: found@https://www.example.com/https://www.example.com/eg.js|, which is parsed when using this script to easily show you where each .js file was discovered. Useful when you find interesting functions etc..
If using InputScanner, your JS-output.txt file should contain data, so copy it over to this script. If not, load your own data. If using your own data, you may want to modify the index.php file and set $usingInputScanner to "no", in the processUrls() function.
If setup correctly, you should see this:
Click "Run Scanner" and you'll see something similar to this:
This script currently doesn't save any data. Feel free to modify.
Currently the regex used is: $a = ['|url:"/(.)"|U', "|url:'/(.)'|U"];. This means it'll look for url:"/string" and url:'/string'. You can modify this to look for other stuff, such as app secrets, interesting functions etc. This can be found in the processUrls() function, on line 60.
I am not responsible for how you use this tool. You are free to modify this script as you see fit.
You can also check out @NahamSec and @bbuerhaus JS link parser here: https://github.com/nahamsec/JSParser. It is a tool designed to scrape urls from .js files.
https://twitter.com/TomNomNom reported an issue regarding output not being sanitized which could of potentially lead to XSS being executed when data was outputted.