JShunter
JSHunter is a command-line tool designed for analyzing JavaScript files and extracting endpoints. This tool specializes in identifying sensitive data, such as API endpoints and potential security vulnerabilities, making it an essential resource for bug bounty hunters and security researchers.
<div align="center">
🔍 Professional JavaScript Security Analysis Tool
Complete endpoint discovery, sensitive data detection, and advanced code analysis for security professionals
</div>
📖 About
JSHunter is a comprehensive command-line tool for JavaScript security analysis and endpoint discovery. Built for security professionals, penetration testers, and developers, it delivers enterprise-grade analysis capabilities with high accuracy detection algorithms and professional reporting features.
<div align="center">
<img alt="JSHunter Demo Screenshot" src="https://github.com/user-attachments/assets/f0197c36-c40b-48e9-bec5-c306acd4a613" width="100%">
JSHunter in action - Professional JavaScript security analysis
</div>
📑 Table of Contents
- About
- Features
- Installation
- Quick Start
- Usage Examples
- Command Reference
- Advanced Usage
- Contributing
- License
- Support
✨ Features
🎯 Core Capabilities
- 🔍 Comprehensive Endpoint Discovery: Automatically extracts URLs, API endpoints, and hidden parameters from JavaScript files
- 🔐 Advanced Security Analysis: Identifies API keys, JWT tokens, credentials, and potential vulnerabilities with high accuracy
- 📥 Flexible Input Methods: Supports URLs, file lists, local files, stdin piping, and recursive discovery
- ⚡ High-Performance Architecture: Multi-threaded concurrent processing with intelligent rate limiting
- 🎭 Professional Stealth Features: Proxy support, custom headers, user-agent rotation, and bypass detection
🎯 Intelligent Detection Engine
Enterprise-grade accuracy with advanced analysis algorithms
- 🎯 Smart Base64 Detection: High-accuracy filtering eliminates false positives from media content and encoded data
- 🏢 Professional Interface: Enterprise-ready terminology, documentation, and comprehensive reporting formats
- 🧠 Context-Aware Analysis: Advanced algorithms distinguish real security tokens from encoded media data
- 📊 Entropy Analysis: Mathematical algorithms identify genuine security tokens and credentials with precision
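The entropy and context checks described in the list above, shown in Go as an added example. This is not JSHunter's own code: the candidate regex, the 4.0 bits-per-character threshold, the function names and the sample strings are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Constructed sample input: a stand-in data: URI payload, a padding run, and a made-up key.
const sampleJS = `const logo = "data:image/png;base64,EsG0fJ5cM1hY6dW3kR8nT4bV9xL2pZ7q";
const pad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
const apiKey = "q7Zp2Lx9Vb4Tn8Rk3Wd6Yh1Mc5Jf0GsE";`

// candidateRe matches runs of 24+ token characters (hypothetical pattern).
var candidateRe = regexp.MustCompile(`[A-Za-z0-9+/_-]{24,}={0,2}`)

// shannonEntropy returns the entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	h, n := 0.0, float64(len([]rune(s)))
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// findLikelySecrets keeps high-entropy candidates that are not data: URI payloads.
func findLikelySecrets(src string, minEntropy float64) []string {
	var out []string
	for _, loc := range candidateRe.FindAllStringIndex(src, -1) {
		tok := src[loc[0]:loc[1]]
		// Context check: a match directly after ";base64," is embedded media.
		inMedia := strings.HasSuffix(src[:loc[0]], ";base64,")
		if inMedia || shannonEntropy(tok) < minEntropy {
			continue
		}
		out = append(out, tok)
	}
	return out
}

func main() {
	fmt.Println(findLikelySecrets(sampleJS, 4.0)) // only the apiKey value survives
}
```

The media payload has the same entropy as the key, so entropy alone would flag it; only the context check separates the two.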
🌐 Professional HTTP & Networking Suite
<details>
<summary><strong>Enterprise-Grade Network Configuration</strong></summary>
Authentication & Headers:
- 🔧 Custom Headers (`-H`): Repeatable authentication headers and custom request headers
- 🍪 Cookie Management (`-c`): Session cookies for accessing protected resources
- 🎭 User-Agent Control (`-U`): Custom UA strings or file-based rotation for stealth
Performance & Reliability:
- ⏱️ Rate Limiting (`-R`): Configurable request delays (milliseconds) to avoid detection
- ⏰ Smart Timeouts (`-T`): Custom timeout settings for different network conditions
- 🔄 Intelligent Retry (`-y`): Automatic retry mechanism with exponential backoff for failed requests
Professional Integration:
- 🔗 Proxy Support (`-p`): Full Burp Suite and custom proxy integration (HTTP/HTTPS/SOCKS5)
- 🔒 TLS Flexibility (`-k`): Optional certificate verification bypass for testing environments
- 🎯 Thread Control (`-t`): Configurable concurrent request handling for optimal performance
</details>
🔒 Security Professional Features: Designed for penetration testing and security assessments
Example: `jshunter -l targets.txt -p 127.0.0.1:8080 -H "Authorization: Bearer token" -R 1000`
📝 Advanced JavaScript Analysis
<details>
<summary><strong>Complete Code Analysis & Deobfuscation Suite</strong></summary>
Core Analysis Tools:
- 🧩 Deobfuscation Engine (`-d`): Unpacks minified and obfuscated JavaScript for deep analysis
- 🗺️ Source Map Parser (`-m`): Extracts and analyzes original source code from source maps
- 🔍 Obfuscation Detection (`-z`): Identifies and classifies obfuscation techniques and patterns
Dynamic Analysis:
- ⚡ Eval Analysis (`-e`): Analyzes dynamic code execution (`eval()`, `Function()`, runtime generation)
Code Intelligence:
- 🔍 Pattern Recognition: Identifies common JavaScript frameworks and libraries
- 📊 Code Structure Analysis: Maps application architecture and data flows
- 🎯 Context-Aware Detection: Understands code context to reduce false positives
</details>
💡 Professional Usage: Combine analysis tools with security detection for maximum coverage
Example: `jshunter -u target.js -d -m -e -s -g` (full deobfuscation + security analysis)
🔐 Security Analysis Suite
<details>
<summary><strong>Complete Security Assessment Toolkit</strong></summary>
Core Security Detection:
- 🔑 Secrets Detection (`-s`): API keys, access tokens, passwords, and hardcoded credentials
- 🎫 JWT Token Analysis (`-x`): Authentication token extraction, validation, and payload inspection
- 🔥 Firebase Security (`-F`): Configuration analysis, API keys, and database URL detection
Advanced Analysis:
- 📋 Parameter Discovery (`-P`): Hidden form parameters, variables, and configuration keys
- 🔗 URL Parameter Extraction (`-PU`): Advanced parameter analysis with full URL context
- 📊 GraphQL Analysis (`-g`): Schema detection, query extraction, and endpoint discovery
- 🛡️ WAF Bypass Detection (`-B`): Security bypass patterns and evasion techniques
Scope & Context:
- 🏠 Internal Endpoint Filtering (`-i`): Private/internal resource identification and classification
- 🌐 Link Analysis (`-L`): Comprehensive URL extraction and relationship mapping
</details>
🎯 Professional Tip: Combine flags for comprehensive analysis (e.g., `jshunter -u target.js -s -x -F -g`)
🎯 Scope & Discovery
<details>
<summary><strong>Intelligent Crawling & Targeting</strong></summary>
- 🔍 Recursive Discovery: Multi-depth JavaScript file crawling
- 🌍 Domain Scoping: Focus analysis on specific domains
- 📂 Extension Filtering: Target specific JavaScript file types
</details>
📤 Professional Reporting & Export Suite
<details>
<summary><strong>Enterprise-Grade Output & Integration</strong></summary>
Core Output Formats:
- 🖥️ Console Display: Color-coded terminal output with professional formatting and clear categorization
- 📄 File Export (`-o`): Save comprehensive results to custom file locations
- 📊 JSON Export (`-j`): Structured data format for automation and programmatic processing
- 📈 CSV Export (`-C`): Spreadsheet-compatible format for executive reporting and analysis
Professional Integration:
- 🔴 Burp Suite Export (`-n`): Direct integration with Burp Suite Professional for immediate testing
- 🎯 Regex Filtering (`-r`): Custom pattern matching for targeted result filtering
- 🔍 Verbose Analysis (`-v`): Detailed analysis output with debugging information and context
Result Management:
- ✨ Clean Mode (`--found-only`): Hide empty results for focused security reporting
- 🤫 Quiet Mode (`-q`): Suppress banner for automated scripting and CI/CD integration
</details>
📋 Reporting Workflow: Use JSON for automation, CSV for management reports, Burp export for immediate testing
Example: `jshunter -l targets.txt -s -j -o security-findings.json` (structured security report)
📦 Installation
Go Install (Recommended)
```bash
# Install JSHunter
go install -v github.com/cc1a2b/jshunter@latest
# Verify installation
jshunter --help
```
Build from Source
```bash
git clone https://github.com/cc1a2b/jshunter.git
cd jshunter
go build -o jshunter jshunter.go
```
System Requirements
- Go 1.22.5+ (for building from source)
- Linux, macOS, or Windows (64-bit architecture)
- Network connectivity for remote JavaScript analysis
🚀 Quick Start
Basic Analysis
```bash
# Analyze a single JavaScript file
jshunter -u "https://example.com/app.js"
# Scan multiple URLs from file
jshunter -l urls.txt
# Analyze local JavaScript file
jshunter -f app.js
```
Complete Security Analysis
```bash
# Find API keys, secrets, and credentials
jshunter -u "https://target.com/app.js" -s
# Full analysis with deobfuscation, GraphQL, and Firebase detection
jshunter -u "https://target.com/app.js" -d -s -g -F -x -L
# Professional security assessment with all tools
jshunter -u "https://target.com/app.js" -d -m -e -s -x -P -g -F -B -L
# Export comprehensive results for reporting
jshunter -l targets.txt -s -g -F -j -o security_findings.json
```
💡 Usage Examples
```bash
# Analyze single URL
jshunter -u "https://example.com/app.js"
# Analyze multiple URLs from file
jshunter -l urls.txt
# Pipe URLs from stdin
cat urls.txt | grep "\.js" | jshunter
# Complete security analysis - find secrets, API keys, and credentials
jshunter -u "https://example.com/app.js" -s -x -F
# Full analysis suite with deobfuscation and all security tools
jshunter -u "https://target.com/app.js" -d -m -e -s -x -P -g -F -B -L
# Professional assessment with source map analysis
jshunter -u "https://target.com/bundle.js" -d -m -s -g -F
# Export comprehensive results to structured formats
jshunter -l targets.txt -s -x -F -g -j -o security_findings.json
# Stealth scanning with Burp Suite integration
jshunter -l targets.txt -p 127.0.0.1:8080 -s -g -F -n -o burp_findings.
```
