Release Notes

jswzl 2024.2.2
May 15, 2024

This release is a hotfix to address a couple of issues reported by customers. Here are the highlights:

  • Chunk Pre-Fetcher/Extractor now normalizes paths on the server more intelligently.
  • The ingestion engine will now ignore responses with code that shouldn't be parsed.
  • Mac OS memory management has been improved.
Server
Chunk Extractor
  • Path normalization logic has been added on the server.
Ingestion
  • Any code marked as Flow code will not be processed anymore.
  • Any HTML response to a Sec-Fetch-Dest: script request will now be ignored.
Mac OS
  • Changed the Garbage Collector to run concurrently, rather than in batch mode.

This will reduce memory usage after jswzl has been running for a while and reduce stalls/hangs from the GC running.


Burp Extension
Chunk Pre-Fetcher
  • The logic for determining the path has now been moved to the server.

VS Code Extension
General
  • Remove the "Show Source Diff" option for sources, as it was intended for internal debugging.

Known issues

jswzl 2024.2.1
April 25, 2024

This release has a few highlights:

  • Disabled compression of source code in the project files, reducing memory usage a lot.
  • Search is now quite a lot faster.
  • A new Email address extractor.
  • Webpack chunk extractor has been rewritten

This is in addition to a lot of little quality of life improvements.

Server
Chunk extractor
  • Rewritten almost from scratch! 
  • It now supports a lot more variations of chunk types.
  • Added extra protections to avoid fetching invalid chunks.
Email Extractor
  • Added an extractor for email addresses.
Search
  • Searching without regex is now significantly faster
Project file

The project file used to store the raw source with compression to reduce file size. This release changes that. When you open an old project with the new version, it will migrate the database.

Why?

  • It makes search faster
  • It makes combining multiple sources much faster
  • It reduces memory usage A LOT

The only real downside to this is that the size of a project file is about 50% larger.

Improvements
  • Added a number of reserved/local TLDs to the hostname detector.
  • No error is printed when the license cache is refreshed anymore.

Burp Extension
Fixes
  • Fixed an issue where the option to send to jswzl wouldn't be shown if a request without a response was selected.

VS Code Extension
Improvements
  • Source Tree
    • Better indication when a source reference couldn't be resolved for script references.
    • URLs for script references are now simplified in the tree to reduce clutter.
  • Search
    • Improved the performance of loading search results.
  • Changed the retrying logic for API requests to the server to be less aggressive.

Known issues
  • Combined files or search results exceeding 50mb can't be loaded due to a limitation in VS Code.

jswzl 2024.1.4
March 11, 2024

This is a small release to add features based on customer feedback.

  • Added a `--no-ssl` flag for environments that proxy TLS connections, so that jswzl can connect to the jswzl API to validate its license.
  • Added an extractor for hostnames.
  • Fixed a bug with the path extractor.
Server
New Features
  • Added an extractor for hostnames
  • Added a `--no-ssl` flag to be able to connect to the jswzl API behind
Fixes
  • The Path extractor now works better when the path has a query string

Burp Extension
Fixes
  • The chunk extractor now has extra protection against recursive loops

VS Code Extension

No changes.


Known issues

jswzl 2024.1.3
March 1, 2024

By popular request, jswzl now makes it much easier to navigate and review code in complex packed sources. Rather than show a flat list of extracted sources, it now builds a proper directory structure with the sources! 

[Image: Nicely organized source tree to navigate]

This is a first step towards providing a much better experience when you are reviewing large, complex SPAs. Future releases will hopefully take this concept further, getting MUCH closer to the experience in Chrome Dev Tools with packed sources!

Besides this, the release improves performance again. The loading time for a project has been reduced by roughly 50-75% compared to the last release, and the behavior observed on loading is now more consistent.

Server

New features

  • Source map and unpacked sources are now exposed as a virtual directory structure

Fixes

  • Improved performance when loading the Source Tree
  • Prevented logging of errors when a request is cancelled
  • Fixed a bug where source unpacking would fail when encountering a certain type of arrow function

Burp Extension

VS Code Extension

New features

  • Source map and unpacked sources now get rendered as a source tree

Fixes

  • Made initial project load faster
  • Improved data polling behavior
  • Updating the Source Tree now batches updates
  • Improved descriptor mappings and names

Known issues

jswzl 2024.1.2
February 15, 2024

This release contains a bunch of bug fixes and quality of life improvements. One area that's received a lot of work is the Host Tree, while there are also bug fixes in other parsing logic.

Host Tree

Major improvements were made to the Host Tree:

  • The resolution of elements from HTML pages has been made much more reliable
  • Fixed a number of timing/race condition issues that led to showing incomplete data
  • The tree can now refresh itself when it notices data has become stale
Server
  • Fixed a bug in the source unpacker when presented with certain types of arrow functions
  • Fixed a bug in the string optimizer when a spread operator is passed as an argument to Array.prototype.concat
  • Fixed a bug in the Client Behavior descriptor extraction when invalid calls to addEventListener without invalid arguments were parsed
  • Fixed a bug in the resolution of an HTML script reference to a source request, where it'd only allow one reference to be matched to a request
  • Fixed a race condition between saving an HTML page and its inline and referenced sources
  • Fixed an issue where script references in HTML pages would get assigned an invalid source hash
  • Fixed an issue where code with a UTF-8 BOM would fail to parse

Burp Extension

No changes!


VS Code Extension
  • Fixed some race conditions where items in the Host Tree would show incorrect data
  • Improved the presentation of script references from HTML pages in the Host Tree.
  • You can now copy values of a group of descriptors in the Expression Tree by selecting a group, without selecting each individual value
  • Added a notification to indicate when jswzl is fetching project data on startup

Known issues

jswzl 2024.1.1
January 23, 2024

Here are the highlights of this release:

  • This upgrades from .NET 6 to .NET 8, which brings a host of improvements to performance.
  • Performance improvements! The memory usage of the server has dropped significantly, and load time for data has gone down to match. It's a night and day difference.
  • Refactored Object Schemas to be structured similarly to other descriptors.
  • Expanded on Client Behavior descriptors. Adding a whole host of new ones!
  • Native ARM64 build for Apple Silicon (M1/2/3) for OS X! 

And of course, there's a bunch of quality of life improvements and small bug fixes.

Server
Performance

This one is huge. The memory usage of the GraphQL API has been reduced by orders of magnitude in some cases. Data loading has become much faster as a result.

Object schemas

Object Schemas have had a big overhaul. Previously the results would be a "flat" hierarchy. This has been changed to be a proper grouped hierarchy like all other descriptors.

Client Behaviors

As promised in the last release, this feature has been extended!

React

  • dangerouslySetInnerHTML

Angular

  • bypassSecurityTrustHtml
  • bypassSecurityTrustStyle
  • bypassSecurityTrustScript
  • bypassSecurityTrustUrl
  • bypassSecurityTrustResourceUrl

jQuery

  • html

JS

  • innerHTML
  • document.write

Improvements
  • Fixed a couple of issues in GraphQL parser

Burp Extension
Improvements
  • Fixed an issue in "Send to jswzl", where it'd fail if any request was selected without a response

VS Code Extension
Improvements
  • Added progress indicator when combining sources
  • Improved reliability of combining sources by chunking the requests
  • Fixed a bug where combining sources under a host wouldn't include the first-level items
  • Fixed a race condition in the loading of the request list
  • Added icons for a bunch of descriptors that didn't previously have one

Known issues

jswzl 2023.4.7
December 26, 2023

This release is a game changer for the many of you I've heard from that like to hunt for client-side bugs. It introduces a new type of descriptor: Client Behavior.

It's just a first version for now. Expect more to be added in January/February. And if you have any code patterns you would like to see integrated, please do reach out to support@jswzl.io and let me know. It's immensely helpful. This initial release was very much shaped by those that did, which include:

  • @nmdhkr
  • BloodHound
Server
Client behavior

jswzl now has a new type of descriptor: Client Behavior. The initial version catches these code patterns:

  • document.cookie
  • Local / Session Storage (Get, Set, Remove item)
  • Messages (addEventListener, onmessage, postMessage)

Burp Extension

VS Code Extension
Improvements
  • The source tree is now collapsed by default
  • The source tree now has a description label with a count of how many children each node has
  • The navigation actions of the source tree have been cleaned up by removing functions that weren't useful
  • When you "Combine Sources" on a Host node, it now automatically recurses all children

Known issues

jswzl 2023.4.6
December 15, 2023

This release contains two important fixes. The first is for the analysis engine, where strings with escaped quotes weren't handled correctly. The other is for the chunk prefetcher, which could spin out of control.

It's recommended to update as soon as possible.

Server
Fixes
  • Fixed an issue where strings with escaped quotes were not correctly analyzed

Burp Extension
Fixes
  • Fixed an issue where the chunk prefetcher could infinitely recurse and generate a lot of requests under very specific circumstances

VS Code Extension
Fixes
  • You can now sort the requests grid

Known issues

jswzl 2023.4.5
December 11, 2023
Server

Burp Extension
New features
  • You can now right-click on one or more requests and send them directly to jswzl

VS Code Extension
New features
  • You can now delete a host from the source tree, deleting all data within it
Fixes
  • When you click the requests list, it now highlights that request
  • Fixed an issue where requests weren't updated once analysis results were completed
  • When opening code, it no longer drags focus to the descriptors list
  • Improved handling of paging of sources
  • The requests list now sorts in ascending order by timestamp
  • Fixed loading of HTML sources
  • You can now select text in the requests grid
  • Combining sources will now only combine a single source once

Known issues

jswzl 2023.4.4
November 26, 2023

This release contains a handful of bug fixes in parsing and UI issues.

Server
Parser upgrade

esprima has been upgraded to 3.0.2, which contains fixes for two issues:

  • Fixed an issue with prettifying code with a lot of parentheses/nested logical expressions
  • Fixed an issue with parsing code with export default statements
Chunk Extractor
  • Ensure that the same result is only returned once
  • Fixed an issue where a dictionary contains string literal keys
Other
  • Improved license handling when changing license key

Burp Extension

VS Code Extension
  • Fixed rendering of decorators in code
  • Fixed issue where the requests list didn't show any results

Known issues

jswzl 2023.4.3
November 3, 2023

This release contains a few major highlights:

  • Fixes wordlist generation.
  • Detect package.json files embedded in JS.
  • Detect React Router routes.
Server
Extractors
  • Added extractor for package.json files.
  • Added extractor for React Router routes.
Performance
  • Improved performance of the Object Schema validator by adding a type cache.
  • Prevent storing of invalid sourcemaps.

Burp Extension

No changes


VS Code Extension
  • Fixed wordlist generation not working.
  • Improved error message when unable to load sources.

Known issues

jswzl 2023.4.2
October 4, 2023

This release addresses some issues introduced in 2023.4.1, mostly covering performance and the chunk pre-fetching.

Server
Improvements
  • Fixed a database overfetching issue that impacted performance when first starting up a VS Code client.

Burp Extension
Improvements
  • Fixed an issue where chunks would not be prefetched even if detected by the server.

VS Code Extension
Improvements
  • Reduced the amount of requests being loaded at a time on startup to improve responsiveness.
  • If you try to load a file that has not yet been processed, you'll now get the non-processed source rather than an error message.

Known issues

jswzl 2023.4.1
October 3, 2023

This release contains first iterations of the top 3 most commonly requested features! 

Search

You can now search all sources from the Search panel.

It also supports regex! 
Combine files

You can now combine multiple files into a single view.

You can use this to take all paths from sources of a host, for instance.
Only send in-scope requests

You can now opt to only send in-scope requests for analysis.

Configured from the jswzl tab
Webpack chunk extraction

Webpack chunk detection and prefetching have had a dramatic overhaul. On top of upgrading the version of Jint to fix a bug, the heuristics for detecting Webpack chunks have been dramatically improved. This was possible thanks to a test corpus of just over 1000 real-life Webpack runtime files, created for automatic testing.

The initial testing showed a ~10% success rate of detecting the chunks. The fixes in this release bring that success rate up to 90%. In coming releases the goal is to get this number way up.

Server
Webpack chunks
  • Upgraded to latest Jint release, fixing an issue in the Webpack chunk extraction runtime.
  • Added a few more heuristics for finding chunks.
Improvements
  • Added icon to the binary for Windows.


Burp Extension
New features
  • You can now configure the extension to only forward requests that are in scope.

VS Code Extension
New features
  • You can now combine multiple files into one by right-clicking them in the Source Tree.
  • You can now search across all sources from the Search panel in the Source Tree.
Improvements
  • Improved polling behavior to be more consistent for new data.
  • Decrease batching behavior of requests list.
  • Improved the Descriptors Tree to better stay in sync with the active document.


Known issues
  • Code with optional chaining may fail to parse.

jswzl 2023.3.7 (Hotfix)
September 18, 2023

This is a minor hotfix, fixing an issue that led to a lot of JS not being processed and logged.

Server
  • Fixed an issue where some JS would not be processed if it also contained valid HTML.

Burp Extension

VS Code Extension

Known issues

jswzl 2023.3.6
September 11, 2023

This release brings improvements to commonly requested features. Here are the highlights!

Scope information

This has been a popular request. And I want to take a minute to explain how this was implemented. When the Burp extension processes a request, it tests two things:

  1. Is the requested URL in scope?
  2. Is the referer (if present) in scope?

It includes this information in the data submitted to the jswzl server. Why this approach? Because the Burp Suite "Montoya" API only provides a single function for our purposes, which is to check if a URL is in scope or not.

This places some limitations on how this could be implemented. The biggest limitation being that if you change your scope in Burp Suite, it will NOT be reflected in jswzl for historical data. It also means that all existing data you have will have all requests marked as out of scope.

Having said that, with this data now stored, you can filter the data in the VS Code extension! 

Filtering the request list by scope.
Filtering the source tree by scope.

Source maps

Previously, the Burp Suite extension would take any `.js` file requested, and request it again with `.map` as a suffix to discover any source map. This has been improved a few ways:

  • The Burp Suite extension now checks if there's a `sourceMappingURL` comment on either the first or last line of the source
  • If there is a path, it will resolve that path (it will NOT resolve it if it's an absolute URL, for safety reasons)
  • If there's an inline source map, it extracts that

There's still one technical limitation: for packed/nested code that has its own source map, that source map is not applied independently. This is a slightly more complex case to handle, and will hopefully be addressed later this year.
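The discovery order described above, written out as an added example (not jswzl's or the Burp extension's code). The function names, the result shape, the same-origin check after resolution, and placing the `.map` suffix ahead of any query string are assumptions; the sample script and URLs are constructed.

```javascript
// Added example, not jswzl's code. All names here are hypothetical.

// Line-comment form of the reference: "//# sourceMappingURL=<ref>" (or legacy "//@").
const SOURCE_MAP_COMMENT = /^\s*\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/;
// Inline maps are base64-encoded JSON carried in a data: URI.
const INLINE_MAP = /^data:application\/json(?:;charset=[^;,]+)?;base64,(.*)$/i;

// Inspect only the first and last line of the source, as the notes describe.
function findSourceMapReference(source) {
  const lines = source.trim().split(/\r?\n/);
  for (const line of [lines[lines.length - 1], lines[0]]) {
    const match = SOURCE_MAP_COMMENT.exec(line);
    if (match) return match[1];
  }
  return null;
}

// Earlier behaviour: request the script again with ".map" as a suffix.
// Assumption: the suffix goes on the path, ahead of any query string.
function appendMapSuffix(scriptUrl) {
  const url = new URL(scriptUrl);
  url.pathname += ".map";
  return url.href;
}

function discoverSourceMap(scriptUrl, source) {
  const ref = findSourceMapReference(source);
  if (ref === null) {
    return { kind: "fallback", url: appendMapSuffix(scriptUrl) };
  }

  const inline = INLINE_MAP.exec(ref);
  if (inline) {
    try {
      const json = Buffer.from(inline[1], "base64").toString("utf8");
      return { kind: "inline", map: JSON.parse(json) };
    } catch {
      return { kind: "rejected", reason: "inline map is not valid JSON" };
    }
  }

  // A scheme ("https:") or a protocol-relative "//host" prefix makes the
  // reference absolute: it is reported, never fetched.
  if (/^[a-z][a-z0-9+.-]*:/i.test(ref) || ref.startsWith("//")) {
    return { kind: "rejected", reason: "absolute URL" };
  }

  // Assumption (defence in depth): after resolution the map must still be on
  // the script's own origin. This catches forms such as "\\host\path", which
  // URL parsers treat like "//host/path".
  let resolved;
  try {
    resolved = new URL(ref, scriptUrl);
  } catch {
    return { kind: "rejected", reason: "unparseable reference" };
  }
  if (resolved.origin !== new URL(scriptUrl).origin) {
    return { kind: "rejected", reason: "resolves to another origin" };
  }
  return { kind: "url", url: resolved.href };
}

// Constructed sample inputs (not captured traffic).
const SCRIPT_URL = "https://app.example.test/static/js/app.js";
function sampleScript(ref) {
  return `(()=>{console.log("bundle")})();\n//# sourceMappingURL=${ref}\n`;
}
function sampleInlineRef() {
  const map = { version: 3, sources: ["src/index.js"], mappings: "" };
  return "data:application/json;charset=utf-8;base64," +
    Buffer.from(JSON.stringify(map)).toString("base64");
}

console.log(discoverSourceMap(SCRIPT_URL, sampleScript("maps/app.js.map")));
console.log(discoverSourceMap(SCRIPT_URL, sampleScript("https://cdn.example.net/app.js.map")));
console.log(discoverSourceMap(SCRIPT_URL, sampleScript(sampleInlineRef())));
```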

Server
New features
  • Scope information is now stored with JS and HTML requests.
  • Script tags stored for HTML pages now contain their `type` value.
  • It now finds and applies inline source maps.
Performance
  • Improved performance by no longer trying to parse non-tolerantly first.
  • Improved performance from upgrading to esprima-dotnet v3.0.1.
Fixes
  • Fixed the timestamp stored with sources.
  • Fixed pretty printing of JSX.
Dependencies

We upgraded to the final release of esprima-dotnet (v3.0.1), thanks to the team, especially lahma and adam85. This has a number of important improvements:

  • Performance improvements!
  • Fixes an issue with parsing import expressions inside a yield expression.
  • Fixes an issue with parsing empty JSX elements.
  • Fixes an issue with parsing legacy octal escapes in string literals.
  • Fixes an issue with parsing some invalid JS, making it error gracefully.
  • Fixes parsing strict code when the code is an Expression, rather than Script/Module.

Burp Extension
New features
  • Source map URLs are now discovered and fetched.
  • If no source map URL is found, it will still try to fetch any `.js` file with a `.map` suffix, as before.

VS Code Extension
New features
  • You can now filter the Source Tree by whether the request was in scope or not.
  • You can now filter the Request List by whether the request was in scope or not.

Known issues

jswzl 2023.3.5
September 4, 2023

This is a double-hotfix for 2023.3.4 fixing two issues. It also happens to contain improvements to the request list!

Note: A version of 2023.3.5 was released on September 3rd originally. Another version of 2023.3.5 was released on September 4th which also fixes the wordlist generator.

  • MacOS deadlock has been fixed
  • Wordlist generation has been fixed
  • You can now filter the request list table
Server
  • MacOS deadlock has been fixed
  • Wordlist generation has been fixed


Burp Extension

VS Code Extension
  • You can now filter the request list table

Known issues

jswzl 2023.3.4
August 31, 2023

This release has been a while in the making now, and contains really big improvements to the tool. Before we get to all the good news, first the bad news:

Breaking changes

You cannot use your old project database anymore, as the database schema was changed so dramatically that it was impossible to remain backwards compatible.

But it'll be worth it

I'm pretty confident that those of you who have used the tool for a while will find that the changes and improvements contained make it well worth it! Here are the highlights:

  • Really big performance improvements.
  • Improved VS Code responsiveness.
  • Support for JSX.
  • Improved secret detection, including base64 values, JWTs and GUIDs.
  • Request list UI has been dramatically improved, and has more information.
  • You can now see HTML requests in the Host Tree and Requests List.
  • You can now see HTML pages, all pretty printed, when clicking on a HTML page/request in the Host tree and requests list.
  • In-line HTML is now shown in the Host Tree.
  • References to JavaScript sources from HTML pages are now extracted, and any corresponding request is linked.
What's next? 

First of all, thanks to everybody who's provided feedback on jswzl, and sent in feature requests. This release addresses a number of common requests I've received, and makes it easier to address others in releases to come!

Because this release included a major refactoring of the Database and API schema, it took a while to get out the door. With this out of the way, I hope to be able to achieve a faster cadence of releases for the rest of the year.

Server
New features
  • JSX support.
  • HTML responses are now prettified and stored.
  • JavaScript inside HTML <script> tags is now stored and analyzed.
  • References to JavaScript files in <script> tags are now stored.
  • Base64 encoded JSON strings are now identified as potential secrets
  • JWTs are now detected as secrets
  • GUIDs are now detected as secrets
Performance
  • Switched to a faster HTML parsing library (From HtmlAgilityPack to AngleSharp).
  • Improved database performance by refactoring the database schema to rely less on updates to large rows.
  • Improved database performance by using bulk inserting.
  • Upgraded to latest esprima-dotnet which contained some nice performance improvements. Thanks to the esprima-dotnet team for their hard work.
  • Switched from Json.NET to System.Text.Json, which improves performance.
  • Analysis result statistics are now cached, improving load times.
  • Reduced expensive duplicate work, improving performance on ingestion.

Burp Extension
  • Improved performance by not base64 encoding response bodies before transmitting them to the server.
  • Include the request timestamp when sending to the server.

VS Code Extension
New features
  • The UI of the Requests list has been dramatically improved.
  • Greatly improved performance.
  • Data is now loaded in batches, improving responsiveness and initial load time.
  • The Host Tree now shows HTML pages also, including all inline and JS references.
  • You can now view HTML pages, and inline sources.
  • The Requests List now shows HTML pages loaded.

Known issues

jswzl 2023.3.3
July 27, 2023

Highlights:

Improved GraphQL classification. Now most types of GraphQL entities are extracted into their own category.

GraphQL descriptors are now labeled according to their actual type

Wordlist generation. You can now generate a wordlist from the source tree, or the editor.

You can now generate wordlists, either from the source tree or right-clicking in the editor.
You can also right-click the editor

You can now configure which IP and port the VS Code extension should connect to from the settings.

You can now configure the IP and port to the analysis server that VS Code should connect to.
Server

New features

  • Added ability to extract a wordlist from JavaScript code.
  • Added a /health endpoint to check if the server is alive.

Improvements

  • Improve detection of GraphQL. The findings are now split into Query, Mutation, Subscription, Fragment, Type, etc.
  • Increased the max assignment depth of the JavaScript parser.
  • Improved license handling.
  • Upgraded to latest esprima-dotnet version, which had some nice performance improvements!

Fixes

  • Fixed extraction of packed sources
  • You no longer get a console error when the analysis of a file doesn't contain any descriptors.

Burp Extension
  • Improved performance during heavy load
  • You can now see how many requests are queued in the jswzl tab
  • Added timestamps to error logs

VS Code Extension

New features

  • Added the ability to generate wordlists from sources or text editor through the right-click menu. Multiple items can be selected.
  • Added indicator to status bar if the jswzl Server is no longer heart beating.
  • You can now change the IP and port to connect to in extension settings.

Improvements

  • When selecting a descriptor it is now briefly highlighted in the editor.
  • Improved the icon/decorator handling to be more consistent between the editor and descriptor tree.

Performance

  • Improved responsiveness when new sources and analysis results are available.

Known issues

None


jswzl 2023.3.2
July 22, 2023

I launched jswzl a week ago now. And in the time since, I've been hard at work fixing issues reported. Thank you to everybody who's provided feedback and let me know of bugs. Please continue to reach out if you encounter any issues, or have suggestions for improvements.

The highlights of this release are:

  • Improved performance and reliability across the board
  • Improved GraphQL and Secret detection
  • Fixed bugs

Server

Analysis

  • Improved detection for secrets: Added detection for AWS key names.
  • Improved detection for GraphQL queries: Some GraphQL queries were not detected due to being filtered by a CSS filter.

Performance

  • Improved concurrency limiter to better prevent system overloading, while still being responsive to real-time events.
  • Added a `-t/--threads` flag. This sets how many analysis processes can run at any given time. The default is half of the total cores.
  • [Mac OS] Improved reliability under memory pressure.

System

  • [Linux/Mac OS] Fixed the ability to open a browser window with download links for latest release.

Burp Extension
  • Changed the executor pool size to be limited to prevent making too many requests to the jswzl server at a time.

VS Code Extension
  • Utilize multiple connections to jswzl Server for improved responsiveness and error handling
  • Prevented retries to jswzl Server in cases where a request fails

Known issues
  • [Apple Silicon] When the machine is under memory pressure, it may cause the jswzl server to hang. This release contains a handful of mitigations to this issue and the ability to reduce the number of analysis processes with `-t`.