Home

Awesome

Burp JS Miner

This tool tries to find interesting stuff inside static files; mainly JavaScript and JSON files.

Background

While assessing a web application, it is expected to enumerate information residing inside static files such as JavaScript or JSON resources.

This tool tries to help with this "initial" recon phase, which should be followed by manual review/analysis of the reported issues.

Note: Like many other tools of the same nature, this tool is expected to produce false positives. Also, as it is meant to be used as a helper tool, but it does not replace manual review/analysis (nothing really can).

Features

Secrets / credentials (passive)

Subdomains (passive)

Cloud URLs (passive)

Dependency Confusion (passive but connects to NPM JS registry to verify the issue)

JS Source Mapper (active and passive)

Static files dumper (passive but requires manual invocation)

API Endpoints Finder (passive)

How to use this tool

More information

The tool contains two main scans:

For the best results:

Motivation and contribution

As I'm using Burp Suite almost every day, my goal was to have a burp extension that searches for information inside static files. (Many good command-line tools are out there that are doing what this extension is doing)

I'm open for ideas/suggestions to help improve or optimize this tool.

Contributors; thanks to

Build from source

git clone https://github.com/minamo7sen/burp-JS-Miner.git
cd burp-JS-Miner
gradle fatJar

Then, the jar file can be found at build/libs/burp-JS-Miner-all.jar.

Disclaimer

It is the user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not responsible for any misuse or damage caused by this tool.

License

This project is licensed under the terms of the Apache 2.0 open source license. Please refer to LICENSE for the full terms.