BLACKBOX JS ENUMERATION + SAST
Find what's hiding
in the client bundle.
JS Recon crawls, maps, and statically analyzes JavaScript in any target — surfacing endpoints, secrets, and dangerous sinks without needing source access.
js-recon run -u https://app.example.com
$ js-recon run -u https://app.example.com
✓ lazyload — 48 files fetched
✓ strings — 312 paths, 19 endpoints
✓ map — 1,204 functions indexed
⚠ analyze — 3 medium findings
✗ analyze — hardcoded AWS key in bundle.42a1.js
✗ analyze — eval() sink reachable from URL param
→ report written to ./report.json
$
What it does
Recon and exploitability, built in
Every module targets a real step in an offensive JavaScript workflow — from pulling the bundle to reaching a vulnerable sink.
Lazyload every chunk
Crawl and download every dynamically-loaded JavaScript file — Next.js, Nuxt, Svelte, Angular, Vue, and React — not just what ships on first paint.
Vulnerability detection
The analyze module runs AST and request rules over the mapped bundle to surface hardcoded secrets, dangerous sinks, and eval() reachable from user input.
WAF bypass via IP rotation
Route requests through a rotating pool of AWS API Gateway IPs with the api-gateway module to slip past IP-based firewall and rate-limit rules.
Framework-aware analysis
Next.js, React, Vue, Svelte, Astro, and Angular each get a tailored crawl, function map, and endpoint pipeline instead of one generic pass.
Function & endpoint mapping
Index every function and resolve fetch, Axios, and GraphQL calls into a client-side route tree and a ready-to-fuzz OpenAPI spec.
Automate in CI
Run on every build with the GitHub Action or the GitLab CI template — surface source maps, exposed endpoints, and client-side bugs before defenders notice.
The pipeline
One command, full recon
01
lazyload
Fetch JS from the target URL
02
strings
Extract paths, URLs, secrets
03
map
Index functions & relationships
04
analyze
Run static rules for findings
05
report
Structured output, ready to act on
Run it anywhere
Install once, ship it everywhere
Pick the surface that fits your workflow — a local CLI, a container, a CI step, or infrastructure-as-code across the major clouds.
$ npm i -g @shriyanss/js-recon ✓ js-recon@1.3.1 installed