diff --git a/src/network-services-pentesting/pentesting-web/README.md b/src/network-services-pentesting/pentesting-web/README.md index 88d97b97a79..283b8917e4e 100644 --- a/src/network-services-pentesting/pentesting-web/README.md +++ b/src/network-services-pentesting/pentesting-web/README.md @@ -245,6 +245,12 @@ Launch some kind of **spider** inside the web. The goal of the spider is to **fi - [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Crawl (even by filling forms) and also find sensitive info using specific regexes. - [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite is an advance multi-feature GUI web security Crawler/Spider designed for cyber security professionals. - [**jsluice**](https://github.com/BishopFox/jsluice) (go): It's a Go package and [command-line tool](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) for extracting URLs, paths, secrets, and other interesting data from JavaScript source code. +- [**JS Analyzer**](https://github.com/jenish-sojitra/JSAnalyzer) (Burp extension/Jython): Static JS parser to pull endpoints/URLs (incl. S3/Azure/GCP), secrets/tokens (cloud keys, JWTs, DB URIs), emails and sensitive file references while filtering common noise. Load `js_analyzer.py` in Burp, select JS responses → **Analyze JS with JS Analyzer**. The engine can also be called from Python: + ```python + from js_analyzer_engine import JSAnalyzerEngine + engine = JSAnalyzerEngine() + print(engine.analyze(javascript_content)["endpoints"]) + ``` - [**ParaForge**](https://github.com/Anof-cyber/ParaForge): ParaForge is a simple **Burp Suite extension** to **extract the paramters and endpoints** from the request to create custom wordlist for fuzzing and enumeration. - [**katana**](https://github.com/projectdiscovery/katana) (go): Awesome tool for this. - [**Crawley**](https://github.com/s0rg/crawley) (go): Print every link it's able to find. 
@@ -437,4 +443,8 @@ Entry_12: +## References + +- [JS Analyzer - Burp Suite Extension](https://github.com/jenish-sojitra/JSAnalyzer) + {{#include ../../banners/hacktricks-training.md}}
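Review bot: the embedded Python snippet in the new JS Analyzer bullet (hunk at lines 245-251) uses `javascript_content` without defining it and gives no hint where `js_analyzer_engine` comes from, so a reader cannot run it as written; either drop the snippet (every other entry in this list is a one-line description, and a fenced block inside a list item breaks that convention) or replace it with a complete call such as `engine.analyze(open("app.js").read())` and a short note that the module must be importable from the extension's directory. The description should also say what "filtering common noise" means in practice (e.g. which content types or paths are skipped), since that is the claim a reader will use to decide whether the tool is worth loading next to jsluice.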
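Review bot: the new `## References` section (hunk at lines 437-450) contains only the tool's own GitHub link, which already appears in the bullet added above, so it adds no source a reader does not already have; either remove the section or point it at documentation that actually supports the description (the extension's README or usage docs) rather than repeating the repository URL. If the section stays, confirm the rest of this file does not already carry a references section further up, so the page does not end up with two.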