<img width="599" alt="Screenshot 2020-12-30 at 13 09 55" src="https://user-images.githubusercontent.com/38838852/103442471-1dc53680-4c5f-11eb-9fac-5e0a07e87125.png">

JavaScript security analysis (JSA) is a program for analyzing JavaScript during web application security assessments.

Capabilities of jsa.py:

Capabilities of automation.sh:

<img width="966" alt="Screenshot 2021-01-02 at 17 27 21" src="https://user-images.githubusercontent.com/38838852/103461010-ad341d80-4d23-11eb-82ca-398f0bd1c573.png">

Usage & installation for jsa.py:

git clone https://github.com/w9w/JSA.git && cd JSA && pip3 install -r requirements.txt

echo "https://host.com/file.js" | python3 jsa.py

Example of pulling out JS files and processing them:

echo "https://subdomain.host.com" | subjs | python3 jsa.py

Usage & installation for automation.sh:

Paste your GitHub API key into the .tokens file

chmod +x installation.sh && ./installation.sh

echo "https://example.com" | ./automation.sh

Usage for massive and parallel scanning (~lightning-fast execution):

cat ~/lists/domains/host.com/http_s_hosts.txt | subjs | parallel -j 20 'echo "{}" | python3 jsa.py'

You can get GNU parallel here: https://www.gnu.org/software/parallel/. Don't forget to delete that annoying message.

Roadmap:

Special thanks to these awesome people from whom I s̶t̶e̶a̶l̶e̶d̶ borrowed some tools for automation.sh :D :

Corben Leo @lc for github.com/lc/subjs and github.com/lc/gau;

Luke Stephens @hakluke for github.com/hakluke/hakrawler;

Gwendal Le Coguic @gwen001 for https://github.com/gwen001/github-search/raw/master/github-endpoints.py;

Project discovery @projectdiscovery for github.com/projectdiscovery/nuclei and github.com/projectdiscovery/httpx;

Somdev Sangwan @s0md3v for https://github.com/s0md3v/Arjun (I needed to fork it for automation ease).

̶I̶n̶t̶e̶n̶d̶e̶d̶ ̶f̶e̶a̶t̶u̶r̶e̶s̶ known bugs:

Ways to contribute