⚡ Tactical JS analysis engine to de-obfuscate bundles and map Source-to-Sink flows for DOM-based vulnerability discovery. Specialized for modern web architectures.

canmitm/JavaScript-De-obfuscator-DOM-Sink-Analyzer

⚡ jSmasher v1.0-stable


🚀 The "Source-to-Sink" Reconnaissance Engine

jSmasher isn't just another scanner. It is a tactical reconnaissance tool designed to tear down modern JavaScript bundles (React, Gatsby, Webpack) and identify the exact moment where untrusted input meets dangerous execution sinks.

Built with an offensive mindset for researchers who believe in Impact over Noise.


🛠️ Advanced Architectural Flow

  [!] Untrusted Source        [?] jSmasher Engine         [X] Execution Sink
  --------------------       --------------------        ------------------
  location.hash      ==>    Code De-obfuscation   ==>    innerHTML / eval()
  window.name        ==>    Logic Flow Mapping    ==>    document.write()
  URL Parameters     ==>    Pattern Recognition   ==>    setTimeout Injection



🔥 Key Offensive Features

    ⚡ On-the-fly Beautification: Automatically unpacks and formats minified/obfuscated production-grade JavaScript.

    🎯 Intelligent Sink-Mapping: Pinpoints the exact line where a Source (user-controlled data) flows into a Sink (execution point).

    🛡️ CSP/WAF Context Awareness: Identifies potential bypasses in modern security contexts.

    📦 State-Hijack Discovery: Specifically tuned to find hidden parameters (e.g., configUrl, callback) that lead to full UI Redressing.
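
The source-to-sink mapping described above, reduced to a line-based taint check, as an added example (not jSmasher's own code). It assumes beautified input with one statement per line; the sample script is constructed, and `location.search` stands in for "URL Parameters".

```python
import re

# Sources and sinks from the flow diagram; location.search stands in for
# "URL Parameters" (assumption). Names here are hypothetical, not jSmasher's.
SOURCES = re.compile(r"location\.(?:hash|search)|window\.name")
SINKS = re.compile(r"\.(innerHTML)\s*=|\b(eval|setTimeout)\s*\(|\b(document\.write)\s*\(")
ASSIGN = re.compile(r"\s*(?:var |let |const )?([A-Za-z_$][\w$]*)\s*=(?!=)(.*)")

def taint_origin(text, tainted):
    """Return the untrusted source that `text` derives from, or None."""
    m = SOURCES.search(text)
    if m:
        return m.group(0)
    for name, origin in tainted.items():
        if re.search(r"(?<![\w$.])" + re.escape(name) + r"(?![\w$])", text):
            return origin
    return None

def find_flows(js):
    """Return (line_no, sink, source) for each tainted value reaching a sink."""
    tainted, findings = {}, []
    for no, line in enumerate(js.splitlines(), 1):
        sink = SINKS.search(line)
        m = ASSIGN.match(line)
        if sink:
            origin = taint_origin(line[sink.start():], tainted)
            if origin:
                findings.append((no, next(g for g in sink.groups() if g), origin))
        elif m:
            name, rhs = m.groups()
            origin = taint_origin(rhs, tainted)
            if origin:
                tainted[name] = origin       # taint propagates through assignment
            else:
                tainted.pop(name, None)      # overwritten with a clean value
    return findings

# Constructed sample, already beautified (one statement per line).
SAMPLE = """var q = location.hash.slice(1);
var label = decodeURIComponent(q);
document.getElementById("t").textContent = label;
document.getElementById("out").innerHTML = "<b>" + label + "</b>";
label = "static";
document.write(label);
setTimeout(window.name, 0);"""

if __name__ == "__main__":
    for no, sink, src in find_flows(SAMPLE):
        print(f"line {no}: {src} -> {sink}")
```

Line-based matching misses flows through function calls, object properties and multi-line statements, so treat each finding as a pointer for manual review; the `textContent` assignment on line 3 of the sample is the safe counterpart to the flagged `innerHTML` write.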

📥 Installation

# Clone the offensive repository
git clone https://github.com/canmitm/JavaScript-De-obfuscator-DOM-Sink-Analyzer.git

# Enter the terminal
cd JavaScript-De-obfuscator-DOM-Sink-Analyzer

# Arm the dependencies
pip3 install -r requirements.txt


🕹️ Field Operation (Usage)

# Basic reconnaissance on a single target
python3 jSmasher.py -u https://target-app.com/app.js

# Deep analysis with high-intensity logging
python3 jSmasher.py -u https://target-app.com/ --deep-scan

⚠️ Legal Disclaimer

This tool is strictly developed for educational purposes and authorized penetration testing only. The author, Ahmet Can, shall not be held responsible for any misuse or damage caused by this application. Play by the rules and respect the scope (Bugcrowd VRT / HackerOne).

🤝 Contact & Connection

    Researcher: Ahmet Can (@canmitm)

    Email: ahmetcan0x01@gmail.com

    Instagram: @canmitm

    Bugcrowd: canmitm Profile
