This release is a hotfix to address a couple of issues reported by customers. Here are the highlights:
Sec-Fetch-Dest: script
request will now be ignored. This will reduce memory usage after jswzl has been running for a while and reduce stalls/hangs from the GC running.
This release has a few highlights:
This is in addition to a lot of little quality of life improvements.
The project file used to store the raw source with compression to reduce file size. This release changes that. When you open an old project with the new version, it will migrate the database.
Why?
The only real downside to this is that the size of a project file is about 50% larger.
This is a small release to add features based on customer feedback.
No changes.
By popular request, jswzl now makes it much easier to navigate and review code in complex packed sources. Rather than show a flat list of extracted sources, it now builds a proper directory structure with the sources!
This is a first step towards providing a much better experience when you are reviewing large, complex SPAs. Future releases will hopefully take this concept further, getting MUCH closer to the experience in Chrome Dev Tools with packed sources!
Besides this, the release improves performance again. The loading time for a project has been reduced by roughly 50-75% compared to the last release, and the behavior observed on loading is now more consistent.
New features
Fixes
New features
Fixes
This release contains a bunch of bug fixes and quality of life improvements. One area that's received a lot of work is the Host Tree, while there are also bug fixes in other parsing logic.
Major improvements were made to the Host Tree:
No changes!
Here are the highlights of this release:
And of course, there's a bunch of quality of life improvements and small bug fixes.
This one is huge. The memory usage of the GraphQL API has been reduced by orders of magnitude in some cases. Load times of data have gone way up as a result.
Object Schemas have had a big overhaul. Previously the results would be a "flat" hierarchy. This has been changed to be a proper grouped hierarchy like all other descriptors.
As promised in the last release, this feature has been extended!
React
Angular
jQuery
JS
This release is a game changer for the many of you I've heard from who like to hunt for client-side bugs. It introduces a new type of descriptor: Client Behavior.
It's just a first version for now. Expect more to be added in January/February. And if you have any code patterns you would like to see integrated, please do reach out to support@jswzl.io and let me know. It's immensely helpful. This initial release was very much shaped by those that did, which include:
jswzl now has a new type of descriptor: Client Behavior. The initial version catches these code patterns:
This release contains two important fixes. The first is in the analysis engine, where strings with escaped quotes weren't handled correctly. The other is in the chunk prefetcher, which could spin out of control.
It's recommended to update as soon as possible.
This release contains a handful of bug fixes in parsing and UI issues.
esprima has been upgraded to 3.0.2, which contains fixes for two issues:
This release contains a few major highlights:
No changes
This release addresses some issues introduced in 2023.4.1, mostly covering performance and the chunk pre-fetching.
This release contains first iterations of the top 3 most commonly requested features!
You can now search all sources from the Search panel.
You can now combine multiple files into a single view.
You can now opt to only send in-scope requests for analysis.
Webpack chunk detection and prefetching have had a dramatic overhaul. On top of upgrading the version of Jint to fix a bug, the heuristics for detecting Webpack chunks have been dramatically improved. This was possible thanks to a test corpus of just over 1000 real-life Webpack runtime files, created for automatic testing.
The initial testing showed a ~10% success rate of detecting the chunks. The fixes in this release bring that success rate up to 90%. In coming releases the goal is to get this number way up.
This is a minor hotfix, fixing an issue that led to a lot of JS not being processed and logged.
This release brings improvements to commonly requested features. Here are the highlights!
This has been a popular request. And I want to take a minute to explain how this was implemented. When the Burp extension processes a request, it tests two things:
It includes this information in the data submitted to the jswzl server. Why this approach? Because the Burp Suite "Montoya" API only provides a single function for our purposes, which is to check if a URL is in scope or not.
This places some limitations on how this could be implemented. The biggest limitation being that if you change your scope in Burp Suite, it will NOT be reflected in jswzl for historical data. It also means that all existing data you have will have all requests marked as out of scope.
Having said that, with this data now stored, you can filter the data in the VS Code extension!
Previously, the Burp Suite extension would take any `.js` file requested, and request it again with `.map` as a suffix to discover any source map. This has been improved in a few ways:
There's still one technical limitation: any packed/nested code with its own source map does not have that map applied independently. This is a slightly more complex case to handle, and will hopefully be addressed later this year.
We upgraded to the final release of esprima-dotnet (v3.0.1), thanks to the team, especially lahma and adam85. This has a number of important improvements:
This is a double-hotfix for 2023.3.4 fixing two issues. It also happens to contain improvements to the request list!
Note: A version of 2023.3.5 was released on September 3rd originally. Another version of 2023.3.5 was released on September 4th which also fixes the wordlist generator.
This release has been a while in the making now, and contains really big improvements to the tool. Before we get to all the good news, first the bad news:
You cannot use your old project database anymore, as the database schema was changed so dramatically that it was impossible to remain backwards compatible.
I'm pretty confident that those of you who have used the tool for a while will find that the changes and improvements contained make it well worth it! Here are the highlights:
First of all, thanks to everybody who's provided feedback on jswzl, and sent in feature requests. This release addresses a number of common requests I've received, and makes it easier to address others in releases to come!
Because this release included a major refactoring of the Database and API schema, it took a while to get out the door. With this out of the way, I hope to be able to achieve a faster cadence of releases for the rest of the year.
Highlights:
Improved GraphQL classification. Now most types of GraphQL entities are extracted into their own category.
Wordlist generation. You can now generate a wordlist from the source tree, or the editor.
You can now configure which IP and port the VS Code extension should connect to from the settings.
New features
Improvements
Fixes
New features
Improvements
Performance
None
I launched jswzl a week ago now. And in the time since, I've been hard at work fixing issues reported. Thank you to everybody who's provided feedback and let me know of bugs. Please continue to reach out if you encounter any issues, or have suggestions for improvements.
The highlights of this release are:
Analysis
Performance
System