Skip to content

This tool tries to find interesting stuff inside static files; mainly JavaScript and JSON files.

License

Notifications You must be signed in to change notification settings

yyzsec/js-miner

 
 

Repository files navigation

Forked from https://github.com/PortSwigger/js-miner

Burp JS Miner

This tool tries to find interesting stuff inside static files; mainly JavaScript and JSON files.

CHANGELOG

与原项目的不同

2023年9月24日

  • 新增 腾讯云|百度云|华为云|七牛云|京东云 OSS相关的URL
  • 新增 github token|公有云常见aksk形式 的识别

TODO

  • 修改cloud-resources 的LOG等级
  • 增加API返回的内容检查,不在仅限于static file

直接下载使用

https://github.com/yyzsec/js-miner/releases

源码编译

git clone https://github.com/yyzsec/js-miner
cd burp-JS-Miner
gradle fatJar

# find your jar bianry at: build/libs/burp-JS-Miner-all.jar

Github Action 自动编译: 参照.github/workflows/gradle-build-and-release.yml

Background

While assessing a web application, it is expected to enumerate information residing inside static files such as JavaScript or JSON resources.

This tool tries to help with this "initial" recon phase, which should be followed by manual review/analysis of the reported issues.

Note: Like many other tools of the same nature, this tool is expected to produce false positives. Also, as it is meant to be used as a helper tool, but it does not replace manual review/analysis (nothing really can).

Features

Secrets / credentials (passive)

Subdomains (passive)

  • Nothing special here.

Cloud URLs (passive)

  • Support for (AWS, Azure, Google, CloudFront, Digital Ocean, Oracle, Alibaba, Firebase, Rackspace, Dream Host)

Dependency Confusion (passive but connects to NPM JS registry to verify the issue)

  • Reports a critical issue when a dependency or an organization is missing from the NPM registry.
  • Reports informational issues for identified dependencies.

JS Source Mapper (active and passive)

  • Tries to construct source code from JavaScript Source Map Files (if found).
  • Actively tries to guess the common location of the ".map" files;
  • It can also (passively) parse inline base64 JS map files.

Static files dumper (passive but requires manual invocation)

  • A one-click option to dump static files from one or multiple websites.
  • Think ctrl+A in your Burp's sitemap, then dump all static files.
  • You can use this feature to run your custom tools to find specific patterns for example.

API Endpoints Finder (passive)

  • Tries to find GET/POST/PUT/DELETE/PATCH API endpoints.

How to use this tool

  • Download from BApp Store, or download the pre-built "jar" file from "Releases" then load it normally to your Burp Suite.
  • Passive scans are invoked automatically, while active scans require manual invocation ( by right-clicking your targets) from the site map or other Burp windows.
  • No configuration needed, no extra Burp Suite tab.
    • Just install and maybe enjoy.

More information

The tool contains two main scans:

  • Passive scans, which are enabled by default (to search for inline JS map files, secrets, subdomains and cloud URLs).
  • Actively try to guess JavaScript source map files. (During the process, HTTP requests will be sent)

For the best results:

  • Ensure to navigate your target first in order for all the static files to be loaded;
  • Passive scans will trigger automatically. Ensure Burp's Sitemap is displaying your target's static files.
  • Then right-click on the target domain (example.com) from Burp Suite's site map tree, then select one of "JS Miner" scan options.
  • Sometimes you may need to allow cookies to be sent by the extension. Check the wiki for how to do that.

Motivation and contribution

As I'm using Burp Suite almost every day, my goal was to have a burp extension that searches for information inside static files. (Many good command-line tools are out there that are doing what this extension is doing)

I'm open for ideas/suggestions to help improve or optimize this tool.

Contributors; thanks to

Disclaimer

It is the user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not responsible for any misuse or damage caused by this tool.

License

This project is licensed under the terms of the Apache 2.0 open source license. Please refer to LICENSE for the full terms.

About

This tool tries to find interesting stuff inside static files; mainly JavaScript and JSON files.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Java 97.2%
  • HTML 2.8%