js-maid started off as an idea to break down JavaScript into an AST (something like a blueprint) and then run some smart checks on it. It's a handy little tool for folks diving into code, looking for bugs, or just trying to get a grip on what's happening under the hood.
    Usage: js-maid <target-folder-or-file> [--unpack] [--deobfuscate] [--unminify] [--unpackOutputDir <path>]

    Options:
      --unpack            Unpack the code before analysis
      --deobfuscate       Deobfuscate the code before analysis
      --unminify          Unminify the code before analysis
      --unpackOutputDir   Specify the output directory for unpacked files (default: "unpacked")

    Note: Use the flags to enable specific features as needed.

If you want to run the tool straight away, there are compiled binaries for you here
- In-depth Analysis: Thorough investigation of JavaScript code to identify patterns and potential vulnerabilities.
- Debundling: Debundling, deobfuscation, and unminifying through webcrack.
- Custom Rules: Utilize predefined rules to enhance your code investigation.
- Regex Guide: Leverage detailed regex patterns to pinpoint specific code structures.
Check this out: Bun.sh installation instructions
Get started with js-maid by installing the necessary dependencies:

    npm install

To start investigating your JavaScript code, run:

    bun run App.ts

Compile js-maid into a standalone binary:

    bun build App.ts --compile --outfile=js-maid

Run the test suite:

    bun test

- LiteralRule: Checks text inside quotes against patterns to find important info like secrets.
- ReferenceResolverRule: Tracks variable names to their values for deeper code analysis.
- TemplateLiteralRule: Builds and analyzes dynamic strings with variables for pattern matching.
- More rules to come. The tool is not perfect and there are corner cases that I didn't know about.
In our application, we use the MatchingRule feature to create specific instances for different matching needs. Here are a couple of examples:

    const urlMatchingRule = new MatchingRule("endpoints", urlPattern);
    const secretsMatchingRule = new MatchingRule("secrets", secretsPatterns);

In the above code:
- urlMatchingRule is a MatchingRule instance that matches URLs. It uses the pattern defined in urlPattern. The label "endpoints" is used to identify matches found with this rule.
- secretsMatchingRule is a MatchingRule instance that matches secrets. It uses the pattern defined in secretsPatterns. The label "secrets" is used to identify matches found with this rule.
These instances can then be used throughout the application to check if certain strings match their respective patterns. The labels ("endpoints" or "secrets") can be used to identify which rule a match was found with.
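
How the three rule ideas and labelled MatchingRule instances can fit together, as an added example that is not js-maid's own code. It is plain JavaScript over a hand-built ESTree-shaped AST so it runs without a parser; `walk`, `analyze`, `sampleAst`, both patterns and the `EXAMPLEKEY_` value are constructed assumptions.

```javascript
// Added illustration, not js-maid source. Only the MatchingRule(label, pattern)
// shape comes from the README; other names, patterns and the AST are constructed.
class MatchingRule {
  constructor(label, pattern) { this.label = label; this.pattern = pattern; }
  test(text) { return this.pattern.test(text); } // no /g flag, so test() is stateless
}
const rules = [
  new MatchingRule("endpoints", /^https?:\/\/\S+$/),
  new MatchingRule("secrets", /^EXAMPLEKEY_[0-9a-f]{16}$/),
];
// Constructed AST for:
//   const base = "https://api.example.test";
//   const token = "EXAMPLEKEY_0123456789abcdef";
//   fetch(`${base}/v1/users?id=${userId}`);
const lit = (value) => ({ type: "Literal", value });
const id = (name) => ({ type: "Identifier", name });
const decl = (name, init) => ({ type: "VariableDeclaration",
  declarations: [{ type: "VariableDeclarator", id: id(name), init }] });
const sampleAst = { type: "Program", body: [
  decl("base", lit("https://api.example.test")),
  decl("token", lit("EXAMPLEKEY_0123456789abcdef")),
  { type: "ExpressionStatement", expression: { type: "CallExpression",
    callee: id("fetch"), arguments: [{ type: "TemplateLiteral",
      quasis: ["", "/v1/users?id=", ""].map((cooked) => ({ value: { cooked } })),
      expressions: [id("base"), id("userId")] }] } },
] };
function walk(node, visit) {
  if (Array.isArray(node)) return node.forEach((n) => walk(n, visit));
  if (!node || typeof node !== "object") return;
  if (node.type) visit(node);
  Object.values(node).forEach((v) => walk(v, visit));
}
function analyze(ast, ruleSet) {
  const env = new Map(); // reference resolution: name -> constant string (no scoping)
  walk(ast, (n) => n.type === "VariableDeclarator" && n.init?.type === "Literal"
    && typeof n.init.value === "string" && env.set(n.id.name, n.init.value));
  const findings = [];
  const check = (text, source) => ruleSet.forEach((r) =>
    r.test(text) && findings.push({ label: r.label, text, source }));
  walk(ast, (n) => {
    if (n.type === "Literal" && typeof n.value === "string") check(n.value, "literal");
    if (n.type !== "TemplateLiteral") return; // below: rebuild the template string
    check(n.quasis.map((q, i) => {
      const e = n.expressions[i]; // unresolved expressions become {name} placeholders
      return q.value.cooked + (e ? env.get(e.name) ?? `{${e.name ?? "expr"}}` : "");
    }).join(""), "template");
  });
  return findings;
}
```

The flat name-to-value map ignores scope and reassignment, which is one source of the corner cases a real resolver has to handle.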
We welcome contributions to js-maid! Whether it's enhancing the rules, expanding the regex patterns, or improving documentation, your input is invaluable.
js-maid is open-source software licensed under the MIT license.
Love js-maid? Star this on GitHub and spread the word! Your support motivates me to continuously improve.
Dive into your JavaScript investigations with js-maid and uncover the insights you need. Happy coding!