TL;DR

A new Burp Suite extension, JS Analyzer, is available on GitHub to extract endpoints, URLs, secrets and emails from JavaScript assets while filtering common noise. The tool also provides a standalone engine and simple Flask API example for integrating the scanner into other workflows.

What happened

A public repository for JS Analyzer (JSAnalyzer) by Jenish Sojitra was published, offering a Burp Suite extension focused on static analysis of JavaScript responses. The extension scans JavaScript files for API paths, full URLs (including cloud storage links), various secret patterns (AWS, Google, Stripe, GitHub and Slack tokens, JWTs and private keys), email addresses and references to potentially sensitive files. It includes smart filtering to reduce false positives from XML namespaces, module imports, build artifacts and crypto internals, and it reports which JavaScript file produced each finding. Users can install the extension into Burp Suite using a Jython standalone JAR, run analyses via context-menu actions in Proxy, Target and Repeater, and export results or copy findings. The project also exposes a standalone Python engine with example code and a Flask route for integrating the scanner programmatically. The code is MIT-licensed, and the GitHub repository shows community activity, contributions and forks.

Why it matters

  • Helps security testers and researchers locate exposed endpoints and credentials hidden in client-side JavaScript, which can accelerate discovery of attack surface.
  • Noise filtering aims to reduce false positives, improving triage efficiency when scanning large amounts of frontend code.
  • Dual usage as a Burp extension and standalone engine makes the tool adaptable for both manual testing and automation in pipelines or APIs.
  • Export and source-tracking features let teams trace findings back to specific JS files and share structured results (JSON) with others.

Key facts

  • Author: Jenish Sojitra (GitHub: jenish-sojitra).
  • Core capabilities: endpoint detection, URL extraction, secret scanning, email extraction and sensitive file references.
  • Secret patterns include AWS access keys (AKIA…), Google API keys (AIza…), Stripe live keys (sk_live_), GitHub PATs (ghp_), Slack tokens and JWTs; private key blocks and common database URLs are also detected.
  • Noise filtering removes matches from XML namespaces, module imports, PDF/Excel internals, locale files and selected crypto library internals.
  • Installation into Burp requires a Jython standalone JAR and adding js_analyzer.py via Burp's Extensions interface.
  • Usage integrates with Burp's Proxy, Target and Repeater tabs via a context-menu action that analyzes selected JS responses.
  • The project provides a standalone Python engine (JSAnalyzerEngine) and a minimal Flask API example to analyze supplied JavaScript content.
  • Repository metadata: MIT license, approximately 600 stars and 108 forks at the time of publication; two contributors listed and no formal releases published.
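As an added illustration of the detect-then-filter approach the facts above describe (my own Python sketch, not the project's js_analyzer.py or JSAnalyzerEngine): each finding carries the file and line it came from, XML namespace URLs are dropped, and import lines are skipped. The regexes, the `analyze` function and the sample asset are assumptions.

```python
import re
# Families follow the page; the regexes are my own approximations (assumption), not the project's rules.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
URL_PATTERN = re.compile(r"https?://[^\s'\"<>)]+")
ENDPOINT_PATTERN = re.compile(r"(?<![\w/])/(?:api|auth|v\d+)/[\w./-]+")
EMAIL_PATTERN = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Two of the noise classes the page lists: XML namespace URLs and module imports.
NOISE_HOSTS = ("www.w3.org", "schemas.openxmlformats.org")
IMPORT_LINE = re.compile(r"^\s*(?:import\b|export\b.*\bfrom\b|.*\brequire\()")

def analyze(filename, js_text):
    findings = []  # each entry records the JS file and line that produced it
    for lineno, line in enumerate(js_text.splitlines(), 1):
        if IMPORT_LINE.match(line):
            continue  # import/require lines yield package paths, not app endpoints
        def add(kind, value):
            findings.append({"type": kind, "value": value, "file": filename, "line": lineno})
        for kind, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(line):
                add(kind, m.group(0))
        for m in URL_PATTERN.finditer(line):
            if not any(host in m.group(0) for host in NOISE_HOSTS):  # drop XML namespaces
                add("url", m.group(0))
        for m in ENDPOINT_PATTERN.finditer(line):
            add("endpoint", m.group(0))
        for m in EMAIL_PATTERN.finditer(line):
            add("email", m.group(0))
    return findings

# Constructed sample asset; the AKIA value is the placeholder key from AWS's own documentation.
SAMPLE_JS = """import lib from "https://cdn.example.com/lib.js";
const NS = "http://www.w3.org/2000/svg";
const CFG = "https://s3.amazonaws.com/constructed-bucket/config.json";
fetch("/api/v1/users").then(r => r.json());
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const contact = "support@example.com";
"""

if __name__ == "__main__":
    for f in analyze("app.bundle.js", SAMPLE_JS):
        print(f"{f['file']}:{f['line']} {f['type']}: {f['value']}")
```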

What to watch next

  • Contributions to add more secret regexes, improve noise filtering or expand endpoint detection patterns — the project explicitly invites these updates.
  • Adoption metrics, formal releases, or integration with other tooling — not confirmed in the source.
  • Fork activity and community-submitted rules or rulesets that could broaden detection capabilities.

Quick glossary

  • Burp Suite: A popular integrated platform for testing web application security that provides tools to intercept, inspect and manipulate web traffic.
  • Static analysis: Examination of code or content without executing it, used to find patterns, secrets or configuration issues in source files.
  • API endpoint: A URL or path where an application exposes functionality or data for clients to call, such as /api/v1/users or /auth/login.
  • Secret scanning: Automated detection of sensitive tokens, keys or credentials embedded in code or configuration files.
  • Jython: An implementation of the Python language for the Java platform, often used to run Python-based Burp extensions.

Reader FAQ

Who developed JS Analyzer?
The repository lists Jenish Sojitra (jenish-sojitra) as the author.

How do I install the Burp extension?
Download a Jython standalone JAR, configure it in Burp's Python environment settings, then add js_analyzer.py via Extensions > Installed.

Can the scanner be used outside Burp Suite?
Yes. The project includes a standalone Python engine (JSAnalyzerEngine) and a Flask example demonstrating a POST /analyze endpoint.

Which secret types does it detect?
The source lists patterns for AWS, Google API keys, Stripe, GitHub PATs, Slack tokens, JWTs, private keys and common database URLs.

Is there an official release or enterprise support?
Not confirmed in the source.

Sources

JS Analyzer – Burp Suite Extension by Jensec (https://x.com/_jensec): A powerful Burp Suite extension for JavaScript static analysis. Extracts API endpoints, URLs, secrets, and email addresses from JavaScript files with…
