jxscout

jxscout is a tool designed to help security researchers analyze and find vulnerabilities in JavaScript code. It works with your favorite proxy (Burp or Caido), capturing requests and saving optimized versions locally for easy analysis in your preferred code editor.

Work in Progress 🏗️ jxscout is currently under active development. As it is improved and its features are expanded, future updates may introduce breaking changes.

Key Features

  • Asset Organization: Automatically saves and organizes relevant static assets (HTML, JavaScript) into an intuitive folder structure.
  • Chunks Pre-Fetching: Detects and pre-fetches Webpack and Vite chunks for comprehensive analysis.
  • Code Beautification: Automatically beautifies JavaScript files, making them easier to read and analyze.
  • Source Map Discovery: Automatically reverses application source code if .map files are available.
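To make the Source Map Discovery feature concrete, the following added example (not code from jxscout or reverse-sourcemap) shows how a Source Map v3 file names the original files and can embed their full text, and why paths taken from a downloaded map should be sanitized before anything is written to disk. The sample map and the function names safeRelativePath, recoverSources and exposedPaths are constructed for illustration.

```javascript
// Constructed sample: a minimal Source Map v3 document, as served next to a bundle.
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  file: "main.8f3a.js",
  sources: [
    "webpack://app/./src/api/client.ts",
    "webpack://app/../../../tmp/outside.txt", // entry that tries to leave the output folder
    "webpack:///./node_modules/left-pad/index.js",
  ],
  sourcesContent: ["export const API = '/v1';\n", "escaped\n", null],
  mappings: "",
});

// Turn one `sources` entry into a relative path that stays under the output folder.
function safeRelativePath(source) {
  // Drop a leading scheme and authority such as "webpack://app/" or "webpack:///".
  const noScheme = source.replace(/^[a-zA-Z][\w+.-]*:\/\/[^/]*\//, "");
  const parts = [];
  for (const seg of noScheme.split(/[\\/]+/)) {
    if (seg === "" || seg === "." || seg === "..") continue; // no traversal, no absolute paths
    parts.push(seg.replace(/[^\w.@-]/g, "_")); // keep a conservative character set
  }
  return parts.join("/");
}

// List every original file a .map names and whether its full text is embedded.
function recoverSources(mapText) {
  const map = JSON.parse(mapText);
  if (map.version !== 3 || !Array.isArray(map.sources)) {
    throw new Error("not a Source Map v3 document");
  }
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  return map.sources.map((src, i) => {
    const embedded = typeof contents[i] === "string";
    return {
      path: safeRelativePath((map.sourceRoot || "") + src),
      embedded,
      content: embedded ? contents[i] : null,
    };
  });
}

// Summary for a build check: paths whose source text the map ships verbatim.
function exposedPaths(mapText) {
  return recoverSources(mapText).filter((f) => f.embedded).map((f) => f.path);
}
```

Run against the .map files in a release build, a non-empty result from exposedPaths means the original source for those paths is downloadable by anyone who can fetch the bundle.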

Requirements

Installation & Setup

To install, run the command below or download a pre-compiled binary from the releases page.

go install github.com/francisconeves97/jxscout/cmd/jxscout@latest

You can then run the install command to get all the necessary dependencies (bun, prettier and reverse-sourcemap).

jxscout

Proxy Setup

To get started with jxscout, you'll need to set up a proxy to forward requests to it. Here's how:

Usage

jxscout

Once jxscout is running, you can:

  • Run the guide command for a quick walkthrough
  • Watch the video tutorial for a visual guide on configuring and using jxscout

Demo

Watch the demo movie to see jxscout in action:

demo_compressed.mp4

CLI Options

jxscout | static files downloader for vulnerability analysis

Usage:
  jxscout [flags]

Flags:
SERVER CONFIGURATION:
   -hostname string  the hostname where jxscout will listen for requests (default "localhost")
   -port int         the port where jxscout will listen for requests (default 3333)

JXSCOUT CONFIGURATION:
   -project-name string  name of your project folder where downloaded files will be stored (default "default")
   -scope string[]       comma-separated list of patterns to filter requests (e.g. *google*,*youtube*)
   -debug                turn on detailed logs for troubleshooting

CONCURRENCY CONFIGURATION:
   -fetch-concurrency int             how many files to download at once (for chunks and source maps) (default 5)
   -save-concurrency int              how many files to save to disk at once (default 5)
   -beautifier-concurrency int        how many files to beautify at once (default 5)
   -chunk-discoverer-concurrency int  how many chunk discovery processes to run at once (default 5)

CHUNK DISCOVERY CONFIGURATION:
   -chunk-discoverer-bruteforce-limit int  how many potential chunks to bruteforce when automatic discovery fails (default 3000)

CACHE CONFIGURATION:
   -js-requests-cache-ttl value    how long to wait before re-downloading the same JS file (default 1h0m0s)
   -html-requests-cache-ttl value  how long to wait before re-downloading the same HTML page (default 1h0m0s)

GIT COMMITER CONFIGURATION:
   -git-commit-interval value  how often commits are made to the working directory (default 5m0s)

RATE LIMITING CONFIGURATION:
   -rate-limiter-max-requests-per-minute int  max requests per minute for source maps and chunk discovery (default 120)

JS INGESTION CONFIGURATION:
   -download-refered-js  download JS files from out-of-scope domains if they're linked from in-scope pages

LOGGING CONFIGURATION:
   -log-buffer-size int       how many log lines to show in the logs panel (default 10000)
   -log-file-max-size-mb int  max size of the log file in MB (default 10)

Building locally

  1. Clone the repository
git clone https://github.com/francisconeves97/jxscout.git
cd jxscout
  2. Install dependencies and build the project
make install
make build
  3. Run the server
     • Using the binary
./dist/jxscout
     • Or directly with Go
go run cmd/jxscout/main.go
  4. Set up your proxy to ingest requests into jxscout

Chunk Discovery Script

The chunk discovery script is written in TypeScript and can be used standalone outside of jxscout. You can use any JS runtime to run it (jxscout uses bun).

You can check the script here: https://github.com/francisconeves97/jxscout/blob/main/pkg/chunk-discoverer/index.ts

The script expects two args:

  • The path to the JS file to analyze for webpack chunks
  • A bruteforce limit, used when the Webpack chunk loading function can create an unlimited number of valid chunk names.

Example:

bun run pkg/chunk-discoverer/index.ts /path/to/the/js/file 10

Contributing

Feel free to leave suggestions and open pull requests; all contributions are welcome!

License

This project is licensed under the GNU General Public License. See the COPYING file for the full license text.
