BFScan: Tool for Finding URLs, Paths, and Secrets in JAR/WAR/APK Applications


GitHub – BlackFan/BFScan: https://github.com/BlackFan/BFScan

BFScan is a powerful tool designed to extract URLs, paths, secrets, and generate raw HTTP requests from configuration files and annotations in JAR, WAR, and APK applications. It also supports OpenAPI specification generation, making it invaluable for security researchers, red teams, and blue teams.
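To make concrete what such a scan does, the following is an added example, not BFScan's own code: it treats a JAR/WAR/APK as the zip container it is, mines config entries for credential-like keys (masking the values so the report itself does not leak them) and pulls URL and path constants out of every entry, approximating class-file constant-pool strings with printable runs. The archive it scans is constructed in-memory for the demonstration; the regexes and the `scan_archive`/`build_sample_archive` names are this example's own.

```python
import io
import re
import zipfile

# Regexes for the three artefact types BFScan reports: absolute URLs, URI paths
# (as found in framework annotations and config) and secret-looking key/value pairs.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
PATH_RE = re.compile(rb"/[A-Za-z0-9_.{}/-]*[A-Za-z0-9_}]")
SECRET_RE = re.compile(
    rb"(?im)^\s*([\w.-]*(?:password|passwd|secret|token|api[_.-]?key)[\w.-]*)\s*[=:]\s*(\S+)")
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")  # printable runs, like the strings(1) utility
TEXT_EXT = (".properties", ".yml", ".yaml", ".xml", ".json", ".conf", ".txt")

def mask(value: bytes) -> str:
    """Keep only a hint of the secret so the report can be shared without leaking it."""
    v = value.decode(errors="replace")
    return v[:2] + "*" * max(len(v) - 2, 3)

def scan_archive(data: bytes) -> dict:
    """Scan an in-memory JAR/WAR/APK (all zip containers) and return BFScan-style findings."""
    found = {"urls": set(), "endpoints": set(), "secrets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            # Configuration files are scanned line by line for credential-like keys.
            if info.filename.lower().endswith(TEXT_EXT):
                for key, value in SECRET_RE.findall(blob):
                    found["secrets"].append(f"{info.filename}: {key.decode()}={mask(value)}")
            # Every entry is mined for string constants. In a .class file each CONSTANT_Utf8
            # entry is delimited by non-printable tag/length bytes, so printable runs
            # approximate the constant pool without a full class-file parser.
            for s in STRING_RE.findall(blob):
                if URL_RE.fullmatch(s):
                    found["urls"].add(s.decode())
                elif PATH_RE.fullmatch(s):
                    found["endpoints"].add(s.decode())
    return {k: sorted(v) if isinstance(v, set) else v for k, v in found.items()}

def build_sample_archive() -> bytes:
    """Constructed stand-in for a real JAR: one class-like blob plus one properties file."""
    consts = [b"/api/admin", b"/users/{id}", b"https://internal.example/token",
              b"Ljava/lang/String;", b"()V"]
    class_blob = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"".join(
        b"\x01" + len(c).to_bytes(2, "big") + c for c in consts)
    props = b"server.port=8080\ndb.password=secret123\napi_key: AKIAEXAMPLE\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/AdminController.class", class_blob)
        zf.writestr("BOOT-INF/classes/application.properties", props)
    return buf.getvalue()
```

Run `scan_archive(open("app.jar", "rb").read())` against a real artefact to get the same three-key structure; a CI job can fail the build whenever the `secrets` list is non-empty.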

You Should Know:

Installation & Setup

1. Clone the Repository:

git clone https://github.com/BlackFan/BFScan.git
cd BFScan

2. Install Dependencies:

pip install -r requirements.txt

3. Run BFScan:

python3 bfscan.py -h

Key Commands & Usage

  • Scan a JAR/WAR/APK for Secrets & Endpoints:
    python3 bfscan.py -f target_app.jar -o output.json
    
  • Generate OpenAPI Specs:
    python3 bfscan.py -f app.war --openapi openapi_spec.json
    
  • Extract Raw HTTP Requests:
    python3 bfscan.py -f app.apk --http http_requests.txt
    

Advanced Scanning

  • Brute-Force Hidden Paths:
    python3 bfscan.py -f target.jar --brute --wordlist paths.txt
    
  • Filter Results by Keywords:
    python3 bfscan.py -f app.war --filter "admin,api,config"
    

Linux/Win Tools Integration

  • Combine with `grep` for Quick Analysis:
    python3 bfscan.py -f app.jar | grep -E "password|token"
    
  • Use `jq` for JSON Output Parsing (Linux):
    jq '.endpoints[]' output.json
    
  • Windows Equivalent (findstr):
    python bfscan.py -f app.war | findstr "secret"
    

What Undercode Says:

BFScan is a must-have for penetration testers and security analysts working with Java-based applications. Its ability to extract hidden endpoints and secrets, and to generate OpenAPI specs, makes reverse engineering and vulnerability discovery more efficient.

For defenders, integrating BFScan into CI/CD pipelines can help detect accidental secret leaks in build artifacts. Combine it with tools like `Ghidra` for deeper binary analysis or `Burp Suite` for testing extracted endpoints.

Pro Tip: Automate scans with cron jobs (Linux) or Task Scheduler (Windows) for continuous monitoring.

Expected Output:

{
  "endpoints": ["/api/admin", "/config/passwords"],
  "secrets": ["api_key=12345", "db_pass=secret123"],
  "openapi": {"paths": {"/login": {"post": {}}}}
}

References:

Reported By: Florian Hansemann – Hackers Feeds
