GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → KathanP19 → Jsfscan.sh

KathanP19 / Jsfscan.sh

Automation for javascript recon in bug bounty.

Programming Languages

shell
77523 projects

Labels

bugbounty

Projects that are alternatives of or similar to Jsfscan.sh

cf-check
CloudFlare Checker written in Go
Stars: ✭ 147 (-48.78%)
Mutual labels:  bugbounty
WDIR
Good resources about web security that I have read.
Stars: ✭ 14 (-95.12%)
Mutual labels:  bugbounty
Cloudscraper
CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.
Stars: ✭ 276 (-3.83%)
Mutual labels:  bugbounty
swiss-bugbounty-programs
List of bug bounty and coordinated vulnerability disclosure programs of companies/organisations in Switzerland
Stars: ✭ 25 (-91.29%)
Mutual labels:  bugbounty
sub404
A python tool to check subdomain takeover vulnerability
Stars: ✭ 205 (-28.57%)
Mutual labels:  bugbounty
Php Security Check List
PHP Security Check List [ EN ] 🌋 ☣️
Stars: ✭ 262 (-8.71%)
Mutual labels:  bugbounty
ORtester
Open Redirect scanner - (out of date)
Stars: ✭ 24 (-91.64%)
Mutual labels:  bugbounty
Osmedeus
Fully automated offensive security framework for reconnaissance and vulnerability scanning
Stars: ✭ 3,391 (+1081.53%)
Mutual labels:  bugbounty
Priest
Extract server and IP address information from Browser SSRF
Stars: ✭ 13 (-95.47%)
Mutual labels:  bugbounty
Recon My Way
This repository created for personal use and added tools from my latest blog post.
Stars: ✭ 271 (-5.57%)
Mutual labels:  bugbounty
PandorasBox
Security tool to quickly audit Public Box files and folders.
Stars: ✭ 56 (-80.49%)
Mutual labels:  bugbounty
JWTweak
Detects the algorithm of input JWT Token and provide options to generate the new JWT token based on the user selected algorithm.
Stars: ✭ 85 (-70.38%)
Mutual labels:  bugbounty
Cloudbrute
Awesome cloud enumerator
Stars: ✭ 268 (-6.62%)
Mutual labels:  bugbounty
awesome-list-of-secrets-in-environment-variables
🦄🔒 Awesome list of secrets in environment variables 🖥️
Stars: ✭ 538 (+87.46%)
Mutual labels:  bugbounty
Recon Pipeline
An automated target reconnaissance pipeline.
Stars: ✭ 278 (-3.14%)
Mutual labels:  bugbounty
quick-recon.py
Do some quick reconnaissance on a domain-based web-application
Stars: ✭ 13 (-95.47%)
Mutual labels:  bugbounty
Project Black
Pentest/BugBounty progress control with scanning modules
Stars: ✭ 257 (-10.45%)
Mutual labels:  bugbounty
Subzy
Subdomain takeover vulnerability checker
Stars: ✭ 287 (+0%)
Mutual labels:  bugbounty
Lazyrecon
An automated approach to performing recon for bug bounty hunting and penetration testing.
Stars: ✭ 282 (-1.74%)
Mutual labels:  bugbounty
Megplus
Automated reconnaissance wrapper — TomNomNom's meg on steroids. [DEPRECATED]
Stars: ✭ 268 (-6.62%)
Mutual labels:  bugbounty
View All Similar Projects ➔

JSFScan.sh

Blog can be found at https://medium.com/@patelkathan22/beginners-guide-on-how-you-can-use-javascript-in-bugbounty-492f6eb1f9ea?sk=21500dc4288281c7e6ed2315943269e7

Script made for all your javascript recon automation in bugbounty. Just pass subdomain list to it and options according to your preference.

Features

1 - Gather Jsfile Links from different sources.
2 - Import File Containing JSUrls
3 - Extract Endpoints from Jsfiles
4 - Find Secrets from Jsfiles
5 - Get Jsfiles store locally for manual analysis
6 - Make a Wordlist from Jsfiles
7 - Extract Variable names from jsfiles for possible XSS.
8 - Scan JsFiles For DomXSS.
9 - Generate Html Report.

Installation

There are two ways of executing this script: Either locally on the host machine or within a Docker container

Installing all dependencies locally

Note: Make sure you have installed golang properly before running installation script locally.

$ sudo chmod +x install.sh
$ ./install.sh

Building the docker container

When using the docker version, everything will be installed automatically. You just have to execute the following commands:

$ git clone https://github.com/KathanP19/JSFScan.sh
$ cd JSFScan/
$ docker build . -t jsfscan

In order to start the pre-configured container run the following command:

$ docker run -it jsfscan "/bin/bash"

After that an interactive bash session should be opened.

Usage

Target List should be with https:// and http:// use httpx or httprobe for this.

https://hackerone.com
https://github.com

And if you want to add cookie then edit the command at line 23 cat $target | hakrawler -js -cookie "cookie here" -depth 2 -scope subs -plain >> jsfile_links.txt

NOTE: If you feel tool is slow just comment out hakrawler line at 23 in JSFScan.sh script , but it might result in little less jsfileslinks.

 _______ ______ _______ ______                          _     
(_______/ _____(_______/ _____)                        | |    
     _ ( (____  _____ ( (____   ____ _____ ____     ___| |__  
 _  | | \____ \|  ___) \____ \ / ___(____ |  _ \   /___|  _ \ 
| |_| | _____) | |     _____) ( (___/ ___ | | | |_|___ | | | |
 \___/ (______/|_|    (______/ \____\_____|_| |_(_(___/|_| |_|
                                                              
Usage: 
       -l   Gather Js Files Links
       -f   Import File Containing JS Urls
       -e   Gather Endpoints For JSFiles
       -s   Find Secrets For JSFiles
       -m   Fetch Js Files for manual testing
       -o   Make an Output Directory to put all things Together
       -w   Make a wordlist using words from jsfiles
       -v   Extract Vairables from the jsfiles
       -d   Scan for Possible DomXSS from jsfiles
       -r   Generate Scan Report in html
       --all Scan Everything!

Check Video Here.

JSFScan.sh

Thank You For Trying!

Your Contribution and Suggestions are welcomed.

If the project helped you if any case you can buy a coffee for me ;)

Buy Me A Coffee

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].