jswzl

Discover its secrets

fingerprint

Instantly find relevant code

jswzl instantly analyses code to find the most relevant expressions in the code, and highlights them for you. Instantly get an overview of the code, and dig into most important parts.

api/users/1

/scripts/main.js

rest/v1/admin/info

String Expressions

Find paths, secrets, GraphQL queries, and other pertinent text content.

const httpOptions = {

method: 'POST',

headers: {

'api-key': 'secret'

}

Object Schemas

Find objects that match specific schemas, for things like HTTP options, route definitions, and other objects.

const resp = await fetch(

url,

httpOptions

);

Call Patterns

Find method calls to things like HTTP/Ajax requests and other relevant sinks.

localStorage.setItem("token", "....");

document.cookie = "...";

window.addEventListener("message", ...);

Client Behavior

Find client-side behavior that influences the behavior of the application.

· Integrates with your existing tools

integration_instructions

Fits in with your existing tools

Leverage your existing experience with tools you love.

01. Integrate with Burp Suite

Ingest data from your testing

A simple Burp Suite extension ensures that requests going through the Proxy is sent to jswzl for analysis.

> Burp Suite Plugin

02. jswzl analysis engine
‍

Advanced analysis of JS code

Ingests HTML and JS code to analyze through static analysis to find code that helps guide your testing.

> Analysis Engine

03. View code in VS Code

Utilize best-in-class code editor

Use your existing VS Code installation, with all your favorite settings and plugins.

> VS Code Extension

04. Ingest data from your own tools

A simple OpenAPI API is available to ingest HTTP requests from any type of tool/proxy, even if it is not officially supported.

> API Overview

05. Consume data with GraphQL API

The analyzed data can be consumed using the same GraphQL API that the official VS Code extension uses.

> API Overview

ANALYSIS ENGINE

Analysis Engine overview

Multiple layers of Advanced Static Code Analysis brings work together to improve the results of the analysis, and make review easier.

Pre-analysis

jswzl improves visibility by pre-analyzing code for:

- Detecting & applying sourcemaps
- Detecting & downloading chunked sources
- Extracting packed files

> Pre-analysis

Optimization

Minified, packed code? No problem.

jswzl will optimize the code to undo a lot of code patterns applied by packers, or otherwise makes analysis harder. It also prettifies the code to make it easier to read!

> Optimization

Analysis

The optimized code is analyzed, extracting descriptors for the code. The static analysis engine finds things like HTTP requests, paths, secrets, routes, and other code relevant to understand the application, assisting your testing efforts.

> Analysis

See it in action

integration_instructions

See in action

Dealing with a large amount of JS files

How do you best get an overview of a large amount of JS files during your testing? In this video, you will see how, by combining multiple JS files into one, you can get a great overview at a glance, extract data for brute forcing, and improve your testing efforts.

WAIT! THERE'S MORE

While also adding extra capabilities

privacy_tip

Pre-fetch lazy-loaded scripts

Tools like Webpack often split code into chunks, and lazy loads them. jswzl will detect and pre-fetch chunks that are dynamically referenced.

loyalty

Unpack packed scripts

Packed scripts can be a pain to work with. But jswzl will unpack packed code into their own logical files, and let you view the original structure of the code.

addchart

Discover & apply source mappings

When a HTTP response contains JavaScript, the jswzl Burp Plugin will attempt to load the `.map` file, if the source map is not in the file directly. It will then apply the source mapping, making the code more readable.

search_off

Prettify code

Most JavaScript served these days is heavily minified, which is impossible to read. But all code analyzed by jswzl is prettified and consistent in formatting.
‍

lock_clock

Optimize code

Transpilers and minifiers often create weird code that makes no sense. Sometimes developers do weird things, that can be greatly simplified. jswzl optimizes certain types of codes to make interpretation easier.

dynamic_form

Resolve code references

The analysis engine in jswzl utilizes static analysis to reference variables, in order to better be able to identify expressions of interest, which may not be easily found without the ability to dereference variables.

loyalty

Framework agnostic

jswzl doesn't care what frameworks the code uses. Thanks to JavaScript being dynamically typed, the analysis engine relies entirely on heuristics. This means it's not tied specific frameworks.

privacy_tip

Supports common frameworks

But we've ALSO enhanced the engine with the ability to understand code patterns from frameworks like Angular, React, Ext JS, and many other frameworks.

testimonials

What do users say?

shubs
Co-founder @ assetnote.io

@infosec_au · Aug 22 2023

I’ve been using https://jswzl.io for the last month. If you reverse engineer JavaScript this is a must have tool. @CharlieEriksen has done an excellent job.

Jason Haddix
CEO @ Arcanum Information Security

@Jhaddix · Aug 23 2023

jswzl is becoming one of de-facto tools for javascript analysis for career web app security testers.

Modern frameworks and apps require careful js analysis and jswzl makes life easier in that department. Check it out.

Corben Leo
Co-founder @ boring.co

@hacker_ · Aug 23 2023

Finding vulnerabilities got easier.

Pair @WeaselJs + Cursor by @anysphere.

Javascript analysis will never be the same

Abartan Dhakal
Penetration Testing Lead @ StickmanCyber

@imhaxormad · Jul 18 2023

Did the beta testing, one of the best tool I have used so far. Great work @CharlieEriksen! Can't wait to see what more amazing stuffs you'll implement in the area of easy JS analysis via JSWZL.

Turn JavaScript analysis into a joy