jshunter is a command-line tool designed for analyzing JavaScript files and extracting endpoints. This tool specializes in identifying sensitive data, such as API endpoints and potential security vulnerabilities, making it an essential resource for and bug bounty hunters and security researchers.
JSHunter
Professional JavaScript Security Analysis Tool
Complete endpoint discovery, sensitive data detection, and advanced code analysis for security professionals
About
JSHunter is a comprehensive command-line tool for JavaScript security analysis and endpoint discovery. Built for security professionals, penetration testers, and developers, it delivers enterprise-grade analysis capabilities with high accuracy detection algorithms and professional reporting features.
JSHunter in action - Professional JavaScript security analysis
Table of Contents
- About
- Features
- Installation
- Quick Start
- Usage Examples
- Command Reference
- Advanced Usage
- Contributing
- License
- Support
Features
Core Capabilities
- Comprehensive Endpoint Discovery: Automatically extracts URLs, API endpoints, and hidden parameters from JavaScript files
- Advanced Security Analysis: Identifies API keys, JWT tokens, credentials, and potential vulnerabilities with high accuracy
- Flexible Input Methods: Supports URLs, file lists, local files, stdin piping, and recursive discovery
- High-Performance Architecture: Multi-threaded concurrent processing with intelligent rate limiting
- Professional Stealth Features: Proxy support, custom headers, user-agent rotation, and bypass detection
Intelligent Detection Engine
Enterprise-grade accuracy with advanced analysis algorithms
- Smart Base64 Detection: High-accuracy filtering eliminates false positives from media content and encoded data
- Professional Interface: Enterprise-ready terminology, documentation, and comprehensive reporting formats
- Context-Aware Analysis: Advanced algorithms distinguish real security tokens from encoded media data
- Entropy Analysis: Mathematical algorithms identify genuine security tokens and credentials with precision
Professional HTTP & Networking Suite
Enterprise-Grade Network Configuration
Authentication & Headers:
- Custom Headers (
-H): Repeatable authentication headers and custom request headers - Cookie Management (
-c): Session cookies for accessing protected resources - User-Agent Control (
-U): Custom UA strings or file-based rotation for stealth
- Rate Limiting (
-R): Configurable request delays (milliseconds) to avoid detection - Smart Timeouts (
-T): Custom timeout settings for different network conditions - Intelligent Retry (
-y): Automatic retry mechanism with exponential backoff for failed requests
- Proxy Support (
-p): Full Burp Suite and custom proxy integration (HTTP/HTTPS/SOCKS5) - TLS Flexibility (
-k): Optional certificate verification bypass for testing environments - Thread Control (
-t): Configurable concurrent request handling for optimal performance
Security Professional Features: Designed for penetration testing and security assessments
Example: jshunter -l targets.txt -p 127.0.0.1:8080 -H "Authorization: Bearer token" -R 1000
Advanced JavaScript Analysis
Complete Code Analysis & Deobfuscation Suite
Core Analysis Tools:
- Deobfuscation Engine (
-d): Unpacks minified and obfuscated JavaScript for deep analysis - Source Map Parser (
-m): Extracts and analyzes original source code from source maps - Obfuscation Detection (
-z): Identifies and classifies obfuscation techniques and patterns
- Eval Analysis (
-e): Analyzes dynamic code execution (eval(),Function(), runtime generation)
- Pattern Recognition: Identifies common JavaScript frameworks and libraries
- Code Structure Analysis: Maps application architecture and data flows
- Context-Aware Detection: Understands code context to reduce false positives
Professional Usage: Combine analysis tools with security detection for maximum coverage
Example: jshunter -u target.js -d -m -e -s -g (full deobfuscation + security analysis)
Security Analysis Suite
Complete Security Assessment Toolkit
Core Security Detection:
- Secrets Detection (
-s): API keys, access tokens, passwords, and hardcoded credentials - JWT Token Analysis (
-x): Authentication token extraction, validation, and payload inspection - Firebase Security (
-F): Configuration analysis, API keys, and database URL detection
- Parameter Discovery (
-P): Hidden form parameters, variables, and configuration keys - URL Parameter Extraction (
-PU): Advanced parameter analysis with full URL context - GraphQL Analysis (
-g): Schema detection, query extraction, and endpoint discovery - WAF Bypass Detection (
-B): Security bypass patterns and evasion techniques
- Internal Endpoint Filtering (
-i): Private/internal resource identification and classification - Link Analysis (
-L): Comprehensive URL extraction and relationship mapping
Professional Tip: Combine flags for comprehensive analysis (e.g., jshunter -u target.js -s -x -F -g)
Scope & Discovery
Intelligent Crawling & Targeting
- Recursive Discovery: Multi-depth JavaScript file crawling
- Domain Scoping: Focus analysis on specific domains
- Extension Filtering: Target specific JavaScript file types
Professional Reporting & Export Suite
Enterprise-Grade Output & Integration
Core Output Formats:
- Console Display: Color-coded terminal output with professional formatting and clear categorization
- File Export (
-o): Save comprehensive results to custom file locations - JSON Export (
-j): Structured data format for automation and programmatic processing - CSV Export (
-C): Spreadsheet-compatible format for executive reporting and analysis
- Burp Suite Export (
-n): Direct integration with Burp Suite Professional for immediate testing - Regex Filtering (
-r): Custom pattern matching for targeted result filtering - Verbose Analysis (
-v): Detailed analysis output with debugging information and context
- Clean Mode (
--found-only): Hide empty results for focused security reporting - Quiet Mode (
-q): Suppress banner for automated scripting and CI/CD integration
Reporting Workflow: Use JSON for automation, CSV for management reports, Burp export for immediate testing
Example: jshunter -l targets.txt -s -j -o security-findings.json (structured security report)
Installation
Go Install (Recommended)
# Install JSHunter
go install -v github.com/cc1a2b/jshunter/cmd/jshunter@latest
Verify installation
jshunter --help
Build from Source
git clone https://github.com/cc1a2b/jshunter.git
cd jshunter
go build -o jshunter ./cmd/jshunter
System Requirements
- Go 1.22.5+ (for building from source)
- Linux, macOS, or Windows (64-bit architecture)
- Network connectivity for remote JavaScript analysis
Quick Start
Basic Analysis
# Analyze a single JavaScript file
jshunter -u "https://example.com/app.js"
Scan multiple URLs from file
jshunter -l urls.txt
Analyze local JavaScript file
jshunter -f app.js
Complete Security Analysis
# Find API keys, secrets, and credentials
jshunter -u "https://target.com/app.js" -s
Full analysis with deobfuscation, GraphQL, and Firebase detection
jshunter -u "https://target.com/app.js" -d -s -g -F -x -L
Professional security assessment with all tools
jshunter -u "https://target.com/app.js" -d -m -e -s -x -P -g -F -B -L
Export comprehensive results for reporting
jshunter -l targets.txt -s -g -F -j -o security_findings.json
Usage Examples
# Analyze single URL
jshunter -u "https://example.com/app.js"
Analyze multiple URLs from file
jshunter -l urls.txt
Pipe URLs from stdin
cat urls.txt | grep "\.js" | jshunter
Complete security analysis - find secrets, API keys, and credentials
jshunter -u "https://example.com/app.js" -s -x -F
Full analysis suite with deobfuscation and all security tools
jshunter -u "https://target.com/app.js" -d -m -e -s -x -P -g -F -B -L
Professional assessment with source map analysis
jshunter -u "https://target.com/bundle.js" -d -m -s -g -F
Export comprehensive results to structured formats
jshunter -l targets.txt -s -x -F -g -j -o security_findings.json
Stealth scanning with Burp Suite integration
jshunter -l targets.txt -p 127.0.0.1:8080 -s -g -F -n -o burp_findings.txt
Scanning through SOCKS5 proxy (Tor, SSH tunnel, etc.)
jshunter -l targets.txt -p socks5://127.0.0.1:9050 -s -x -F
Rate-limited professional scanning with authentication
jshunter -l urls.txt -R 2000 -H "Authorization: Bearer token" -s -x -F -g -q
Complete endpoint and parameter discovery
jshunter -l urls.txt -ep -P -PU -L -w 2
Advanced obfuscation analysis with context detection
jshunter -f obfuscated.js -d -z -e -s -v
Command Reference
Get the complete help anytime with jshunter --help
Usage:
-u, --url URL Input a URL
-l, --list FILE.txt Input a file with URLs (.txt)
-f, --file FILE.js Path to JavaScript file
--har FILE Ingest a Chrome DevTools HAR archive
Basic Options: -t, --threads INT Number of concurrent threads (default: 5) -c, --cookies <cookies> Authentication cookies for protected resources -p, --proxy host:port HTTP/SOCKS5 proxy (e.g., 127.0.0.1:8080 for Burp Suite) -q, --quiet Suppress ASCII art output --no-color Disable ANSI color (auto-off when not a TTY) -o, --output FILENAME Output file path -r, --regex <pattern> RegEx for filtering results --update, --up Update the tool to latest version -ep, --end-point Extract endpoints from JavaScript files -k, --skip-tls Skip TLS certificate verification -fo, --found-only Only show results when sensitive data is found
HTTP Configuration: -H, --header "Key: Value" Custom HTTP headers (repeatable, including Auth) -U, --user-agent UA Custom User-Agent string or file path -R, --rate-limit MS Request rate limiting delay (milliseconds) -T, --timeout SEC HTTP request timeout (seconds) -y, --retry INT Retry attempts for failed requests (default: 2) --per-host INT Per-host outbound concurrency cap (default: 4) --max-bytes N Cap response body read in bytes (default: 32MiB) --allow-internal Permit localhost / RFC1918 / link-local targets --cache-dir DIR Persist responses on disk; revalidate via ETag
JavaScript Analysis: -d, --deobfuscate Deobfuscate minified and obfuscated JavaScript -m, --sourcemap Fetch and parse source maps + sourcesContent[] -e, --eval Analyze dynamic code execution (eval, Function) -z, --obfs-detect Detect code obfuscation patterns and techniques --inline-html Scan inline <script> tags + SRI/CSP in HTML responses --csp-origins Emit CSP-allowed origins as candidate endpoints
Security Analysis: -s, --secrets Detect API keys, tokens, and credentials -x, --tokens Extract JWT and authentication tokens -P, --params Discover hidden parameters and variables -PU, --param-urls Advanced parameter extraction with URL context -i, --internal Filter for internal/private endpoints -g, --graphql Analyze GraphQL endpoints and queries -B, --bypass Detect WAF bypass patterns and techniques -F, --firebase Analyze Firebase configurations and keys -L, --links Extract and analyze all embedded links
Detection Tuning: -mc, --min-confidence FLOAT Minimum confidence (0.0-1.0) for a finding (default: 0.50) -sc, --show-confidence Print [conf=X.XX] alongside each finding --no-fp-filter Disable the false-positive filter (debug) --ignore-file FILE Permanent suppressions (.jshunterignore) --diff PREVIOUS.json Report only NEW findings vs previous JSON envelope --rules-file FILE.json Load an external JSON rule pack --only-rules id,glob Run only matching rules (supports * glob) --disable-rule id,glob Disable matching rules (supports * glob)
Verification: --verify Probe findings against provider read-only endpoints --verify-timeout SEC Timeout per verification probe (default: 10) --verify-workers INT Concurrent verifier worker pool (default: 8)
Scope & Discovery: -w, --crawl DEPTH Recursive JavaScript discovery depth (default: 1) -D, --domain DOMAIN Limit analysis to specific domain -E, --ext Filter by JavaScript file extensions --robots Fetch /robots.txt for each input host and exit
Output Formats: -j, --json Structured JSON output (schema_version 2) --ndjson Newline-delimited JSON (jq / SIEM streaming) --sarif SARIF 2.1.0 (GitHub code-scanning compatible) -C, --csv CSV format for spreadsheet analysis -v, --verbose Detailed analysis and debug output -n, --burp Burp Suite compatible export format --stats Per-stage counters on stderr at end of run
Registry: --list-rules Print the rule registry as a table and exit --explain RULE_ID Print full rule details and exit --self-test Run rule registry against built-in TP/FP fixtures
-h, --help Display this help message
Confidence model
Every secret-class match is scored in [0.0, 1.0]. The score starts from a per-rule prior and is adjusted by:
| Signal | Effect | |------------------------------------------------|------------------------------| | Source path looks like a vendor/chunk bundle | −0.15 | | Surrounding context contains fixture wording | −0.30 | | Provider-specific validator passed | +0.10 | | Required context keyword present (generic rule)| +0.05 | | Shannon entropy ≥ 4.5 | +0.05 | | Character-class diversity ≥ 3 | +0.05 | | Match in the vendor-noise denylist | dropped before scoring | | Length / entropy below rule floor | dropped before scoring | | Line is a //# sourceMappingURL= marker | dropped before scoring |
The default --min-confidence 0.50 filters out the long tail of pattern-only matches. Use --min-confidence 0.80 for high-precision triage, --no-fp-filter for raw, unfiltered output.
Provider validators
| Provider | Validator | |----------|--------------------------------------------------------------------------| | AWS | Prefix family (AKIA/ASIA/A3T…) + 16-char base32 body | | Stripe | Prefix family (sk/rk/pklive/test) + clean base62 body | | GitHub | CRC32 base62 checksum verified against random body | | OpenAI | Family prefix + length window (sk-/sk-proj-/sk-svcacct-) | | Slack | Hyphen-segment shape (numeric inner segments, alphanumeric tail) | | JWT | base64url-decoded JSON header with alg field + JSON payload | | Twilio | 32-hex body + entropy gate |
Advanced Usage
Professional Security Assessment
# Complete security analysis with all tools
jshunter -l targets.txt -d -m -e -z -s -x -P -PU -g -F -B -L -j -v -o complete_assessment.json
Advanced deobfuscation and analysis pipeline
jshunter -l targets.txt -d -m -z -e -s -g -F --found-only -o deobfuscated_findings.json
Stealth reconnaissance with rate limiting and custom headers
jshunter -l targets.txt -R 2000 -U "Mozilla/5.0..." -H "X-Forwarded-For: 1.1.1.1" -s -x -F -q
Professional penetration testing through proxy
jshunter -l targets.txt -p 127.0.0.1:8080 -s -x -g -F -B -n -o burp_comprehensive.txt
Deep parameter and endpoint discovery
jshunter -l targets.txt -ep -P -PU -L -w 3 -i -j -o endpoint_discovery.json
Enterprise & Automation Integration
# CI/CD Security Pipeline Integration
jshunter -f dist/bundle.js -d -s -x -F -j --found-only > security-scan.json
Comprehensive automated security reporting
jshunter -l production-js.txt -d -s -x -P -g -F -B -C -o enterprise-security-report.csv
Source map analysis for development security
jshunter -f app.js -m -s -x -F -v -o sourcemap-analysis.json
Firebase and GraphQL focused assessment
jshunter -l targets.txt -g -F -L -j -o apisecurityfindings.json
Contributing
We welcome contributions! Here's how you can help:
- Report bugs via GitHub Issues
- Suggest features or improvements
- Improve documentation
- Submit pull requests with enhancements
Development Setup
git clone https://github.com/cc1a2b/jshunter.git
cd jshunter
go mod tidy
go build -o jshunter ./cmd/jshunter
License
JSHunter is released under the MIT License. See LICENSE for details.
Copyright (c) 2024-2026 Hussain Alsharman
Licensed under MIT License - free for commercial and personal use
Support
If JSHunter helps with your security research or professional work:
Star this repo • Follow @cc1a2b • Share with others
JSHunter - Professional JavaScript Security Analysis
Built with by cc1a2b for the security community