
jsrip

JavaScript ripper for the offensive web. Crawls targets, rips their JS, and tears it apart looking for secrets, endpoints, and things developers forgot to hide.

Built for bug bounty hunters and pentesters who are tired of doing this by hand.


What it does

  • Rips secrets -- API keys, tokens, passwords, credentials, hardcoded connection strings, env fallbacks, and 1600+ patterns across every major service
  • Maps endpoints -- API routes, internal paths, hidden URLs, GraphQL endpoints, fetch/XHR targets
  • Smart analysis -- Shannon entropy scoring, variable assignment detection, config object extraction, environment leak detection, DOM storage analysis
  • Multi-domain crawling -- Feed it a list of subdomains, it scopes them all
  • Exports clean reports -- Interactive HTML dashboard, JSON, Markdown, CSV

Quick start

git clone https://github.com/mouteee/jsrip.git
cd jsrip
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
playwright install chromium

python3 jsrip.py -u https://target.com

Usage

# Single target
python3 jsrip.py -u https://target.com

# List of targets (one per line, supports multiple domains)
python3 jsrip.py -l targets.txt

# HTML + JSON reports
python3 jsrip.py -u https://target.com -f html json

# Watch it work
python3 jsrip.py -u https://target.com --show-browser -v

# Custom output dir
python3 jsrip.py -u https://target.com -o ./loot

Options

| Flag | What it does | Default |
|---|---|---|
| -u URL | Single target | -- |
| -l FILE | Target list | -- |
| -o DIR | Output directory | auto-timestamped |
| -f FORMAT | Report format(s): html json md csv | json |
| --depth N | Crawl depth | 2 |
| --max-pages N | Page limit | 500 |
| --include-external | Include off-scope URLs in results | off |
| --show-browser | Visible browser window | headless |
| --headers FILE | Custom headers (JSON) | -- |
| --cookies FILE | Session cookies (JSON) | -- |
| --user-agent STR | Custom UA string | jsrip/1.0 |
| -v | Verbose output | off |

Output

jsrip_output_20260402_163015/
├── javascript/          # All downloaded JS (beautified)
├── sourcemaps/          # Downloaded .map files
├── reports/
│   ├── report.html      # Interactive dashboard
│   ├── report.json      # Structured data
│   ├── secrets.csv
│   └── endpoints.csv
└── jsrip.log

How it works

Crawling

Playwright drives a real Chromium instance. It follows links, intercepts network responses, extracts inline scripts, discovers webpack chunks, downloads source maps, parses sitemaps, opens iframes, clicks buttons and tabs to trigger lazy-loaded content. All JS gets beautified and deduplicated by content hash.

Analysis

Every JS file runs through three layers:

Pattern matching -- 1670+ regex patterns covering AWS, GCP, Azure, Stripe, OpenAI, Anthropic, Supabase, Vercel, Cloudflare, Clerk, and hundreds more. Each match gets Shannon entropy scored and classified into confidence tiers.

Smart detection -- Beyond regex, jsrip reads code structure:

  • Variable assignments with sensitive names (const apiKey = "...")
  • Config objects with credential properties ({secretKey: "..."})
  • Environment variable fallbacks (process.env.DB_URL || "postgres://...")
  • DOM storage of auth tokens (localStorage.setItem("token", ...))
  • Fetch/XHR/Axios URL extraction

False positive filtering -- Multi-layer filtering kills noise before it reaches the report:

  • Placeholder detection (YOUR_API_KEY, CHANGEME, template vars)
  • camelCase JS identifier recognition (filters function/class names)
  • URL path filtering (not every string with "password" is a password)
  • Entropy thresholds (low-entropy matches get downgraded or dropped)
  • Known-safe value allowlist, CSS hex colors, version strings, base64 noise

Confidence levels

| Level | Meaning |
|---|---|
| High | Strong pattern match + high entropy. Likely real. |
| Medium | Pattern match, decent entropy. Worth checking. |
| Low | Weak match or low entropy. Probably noise. |
| Info | Informational -- env references, storage keys. Context, not credentials. |
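
The sketch below is an added illustration, not jsrip's own code, of how sensitive-name assignment matching, placeholder and camelCase filtering, and Shannon entropy tiering fit together when auditing a bundle you are about to ship. The regexes, the 4.0 and 3.0 thresholds, and the sample bundle are assumptions made for this example.

```python
import math
import re
from collections import Counter

# Constructed sample bundle; none of these values come from a real site.
SAMPLE_JS = '''
const apiKey = "YOUR_API_KEY";
const stripeSecret = "sk_live_9aF3kQ7xLm2Zp8Rt5Vw1Yb6N";
const password = "password";
const sessionToken = "a1b2c3d4e5f6";
const dbUrl = process.env.DB_URL || "postgres://app:Xk29fLq8@db.internal:5432/prod";
const authToken = "getUserProfile";
'''

# Sensitive-name assignment, optionally with a process.env fallback in front.
ASSIGN = re.compile(
    r'(?:const|let|var)\s+(\w*(?:key|secret|token|password|url)\w*)\s*=\s*'
    r'(process\.env\.\w+\s*\|\|\s*)?"([^"]+)"', re.IGNORECASE)
PLACEHOLDER = re.compile(r'YOUR_|CHANGEME|\{\{.*?\}\}', re.IGNORECASE)
CAMEL = re.compile(r'^[a-z]+(?:[A-Z][a-z0-9]+)+$')  # looks like a JS identifier

def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def classify(value):
    """Return a tier, or None when the value is filtered as a false positive."""
    if PLACEHOLDER.search(value) or CAMEL.match(value):
        return None
    h = shannon_entropy(value)
    # Thresholds are assumptions for this example, not jsrip's actual cut-offs.
    if h >= 4.0:
        return "High"
    return "Medium" if h >= 3.0 else "Low"

def scan(js):
    """Return (variable name, tier, has_env_fallback) for each surviving match."""
    findings = []
    for name, env_fallback, value in ASSIGN.findall(js):
        tier = classify(value)
        if tier:
            findings.append((name, tier, bool(env_fallback)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_JS):
        print(finding)
```

The placeholder and the camelCase function name are dropped before scoring, and the literal "password" survives only as a Low finding because its entropy is 2.75 bits per character.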

Authentication

For targets behind login, pass session cookies:

[
  {
    "name": "session",
    "value": "your-session-token",
    "domain": "target.com"
  }
]

python3 jsrip.py -u https://target.com --cookies cookies.json

Custom headers work the same way:

{
  "Authorization": "Bearer your-token"
}

python3 jsrip.py -u https://target.com --headers headers.json

Full send

python3 jsrip.py \
  -l targets.txt \
  -o ./loot \
  -f html json \
  --depth 3 \
  --max-pages 1000 \
  --include-external \
  --cookies session.json \
  --headers auth.json \
  -v

Troubleshooting

Playwright not installed

playwright install chromium

Few JS files found -- The target might be behind Cloudflare or require auth. Try --show-browser to see what's happening, add --cookies, or increase --depth.

Browser won't start -- Make sure you're in the venv:

source venv/bin/activate

Requirements

  • Python 3.9+
  • Chromium (via Playwright)

playwright>=1.40.0
aiohttp>=3.9.0
jsbeautifier>=1.14.0
colorama>=0.4.6

Legal

Only use jsrip on systems you have explicit authorization to test. The author takes no responsibility for misuse.


Credits

Secret patterns adapted from Secrets Patterns DB by @mazen160.


Star the repo if it helped you find something good.