
Introduction:
In the modern bug bounty landscape, static HTML pages are a relic of the past. Today’s complex web applications rely heavily on dynamic JavaScript files, which often conceal a treasure trove of undiscovered API endpoints, hidden administrative panels, and forgotten subdomains. Mastering the art of JavaScript endpoint extraction is no longer an advanced technique; it is a fundamental recon skill that can separate a successful hunter from the crowd, revealing vulnerabilities that scanners often miss.
Learning Objectives:
- Master both manual and automated techniques for efficiently parsing JavaScript files to extract endpoints.
- Learn to filter, validate, and prioritize extracted endpoints for maximum bug hunting efficiency.
- Integrate JS reconnaissance into a comprehensive workflow for uncovering critical security vulnerabilities.
You Should Know:
1. Manual Extraction with Browser DevTools
The simplest method requires no tools beyond your browser, making it ideal for a quick, initial assessment.
Step-by-Step Guide:
- Navigate: Open your target web application in Chrome or Firefox.
- Inspect: Right-click on the page and select “Inspect” to open Developer Tools.
- Search: Navigate to the “Sources” (Chrome) or “Debugger” (Firefox) tab. Here you will find all the loaded JavaScript files for the current page.
- Scan: Open relevant JS files (often those with app-specific names, not just common libraries). Use `Ctrl+F` (or `Cmd+F` on Mac) to search for patterns like:
  `/api/`
  `fetch(`
  `axios.get(`
  `.ajax(`
  `"https://`
- Extract: Manually copy any discovered URLs, API paths, or subdomains into your notes for further testing.
This method provides immediate context but can be time-consuming for large applications.
2. Automated Extraction with `LinkFinder`
`LinkFinder` is a powerful Python tool designed specifically to parse JavaScript files and extract endpoints.
Command & Usage:
```bash
# Install LinkFinder
git clone https://github.com/GerbenJavado/LinkFinder.git
cd LinkFinder
python3 setup.py install

# Basic usage against a single JS file
python3 LinkFinder.py -i https://example.com/static/app.js -o cli

# Usage against a list of JS URLs
python3 LinkFinder.py -i urls.txt -o cli
```
Step-by-Step Guide:
- Installation: Clone the repository from GitHub and run the installation command as shown above.
- Input: The `-i` flag specifies the input, which can be a direct URL to a JS file or a text file containing a list of JS URLs.
- Output: The `-o cli` flag prints the results to your terminal. You can also use `-o html` to generate an interactive HTML report for easier analysis.
- Analysis: The tool outputs all found endpoints, including relative paths (e.g., `/api/v1/users`) and full URLs. Pipe the output to a file for later use: `python3 LinkFinder.py -i urls.txt -o cli > endpoints.txt`.
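The search patterns from the manual DevTools step and LinkFinder's output both boil down to regex matching over the bundle. This added Python example (not from the original post and not LinkFinder's code) runs that matching over a constructed sample bundle and adds two things the manual search does not give you: static-asset noise is dropped, and template literals such as `${API}/users/${userId}/avatar` are folded into one route with `{param}` placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of a minified bundle; it belongs to no real target.
SAMPLE_JS = r'''
const API="https://api.example.com/v1";
fetch("/api/v1/users",{credentials:"include"});
fetch("/api/v1/search?q="+term);
axios.get('/api/v1/orders');
$.ajax({url:"/internal/admin/export",type:"POST"});
const avatar=`${API}/users/${userId}/avatar`;
logo.src="/assets/logo.svg";
img.src="data:image/png;base64,AAAA";
const t="text/html"; const ua="Mozilla/5.0";
window.open("https://static.example.net/help/index.html");
'''

# Absolute http(s) URLs, wherever they appear in the source.
ABS_RE = re.compile(r'''https?://[^\s"'`<>(){}]+''')
# Quoted rooted paths such as "/api/v1/users" or "/api/v1/search?q=" (query dropped).
REL_RE = re.compile(r'''["'`]((?:/[\w.\-]+)+/?)(?:\?[^"'`]*)?["'`]''')
# Template literals that interpolate a variable, e.g. `${API}/users/${userId}/avatar`.
TPL_RE = re.compile(r'`([^`]*\$\{[^`]*\})([^`]*)`')
# Paths ending in these are static assets, not routes worth testing.
ASSET_SUFFIXES = ('.png', '.jpg', '.gif', '.svg', '.css', '.woff', '.woff2', '.map')

def is_asset(path: str) -> bool:
    return path.lower().endswith(ASSET_SUFFIXES)

def extract_endpoints(js: str) -> dict:
    """Return {'absolute': [...], 'relative': [...]} of unique, sorted candidates.
    Template-literal interpolations are collapsed to {param} so each route appears once."""
    absolute = {m.group(0).rstrip('.,;') for m in ABS_RE.finditer(js)}
    absolute = {u for u in absolute if not is_asset(urlsplit(u).path)}
    relative = {m.group(1) for m in REL_RE.finditer(js) if not is_asset(m.group(1))}
    for m in TPL_RE.finditer(js):
        route = re.sub(r'\$\{[^}]*\}', '{param}', m.group(1) + m.group(2))
        # Keep only templates that still look like a path once the interpolations are folded.
        if '/' in route and not is_asset(route):
            relative.add(route)
    return {'absolute': sorted(absolute), 'relative': sorted(relative)}

if __name__ == '__main__':
    for kind, hits in extract_endpoints(SAMPLE_JS).items():
        print(kind, *hits, sep='\n  ')
```

Concatenated strings (`"/api/v1/orders/" + id + "/items"`) still come out as two fragments, which is the same limitation LinkFinder has and the reason a manual pass over the file remains worthwhile.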
3. Comprehensive Recon with `subjs` and `httpx`
This method combines passive discovery with active fetching to build a comprehensive list of endpoints from all accessible JavaScript files on a target domain.
Command & Usage:
```bash
# 1. Use subjs to find JS files from a list of subdomains
echo "https://example.com" | subdomain-enumeration-tool | httpx -silent | subjs > js_urls.txt

# 2. Feed the list of JS URLs to LinkFinder for endpoint extraction
cat js_urls.txt | while read -r url; do python3 LinkFinder.py -i "$url" -o cli; done | grep -v '\[' > all_endpoints.txt

# 3. (Alternative) Use a tool like gospider to crawl and find JS files
gospider -s "https://example.com" -d 2 -t 10 -c 5 | grep -oP 'https?://[^"]+\.js' | sort -u > gospider_js_urls.txt
```
Step-by-Step Guide:
- Subdomain Discovery: First, gather a list of subdomains using your preferred tool (e.g., `subfinder`, `assetfinder`).
- Probe for Active Hosts: Use `httpx` to probe these subdomains and find live websites.
- Find JS Files: Pipe the live URLs into `subjs`, a tool that passively crawls the page source to find referenced JavaScript files.
- Extract Endpoints: Feed the resulting list of JS file URLs into `LinkFinder` in a loop to extract endpoints from every file.
- Result: You now have a file, `all_endpoints.txt`, containing a wide array of endpoints gathered from across the entire attack surface.
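Before that file goes to `httpx`, its relative paths need a base to resolve against (a bare `grep "https://"` throws them away), duplicates such as `/users/${id}` and `/users/{param}` should collapse, and hosts outside the program's scope should never reach the probe list. This added Python example is not part of the original post or of any tool named above; it assumes the bundle was loaded from the page `https://app.example.com/` and that the scope is `example.com` and its subdomains.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed lines in the shape of an all_endpoints.txt file; they name no real target.
RAW_ENDPOINTS = """
/api/v1/users
api/v1/orders/${id}
https://api.example.com/v1/users/{param}/avatar
https://cdn.thirdparty-example.net/tracking/collect
/assets/logo.svg
/api/v1/users
./legacy/admin
"""

# Assumed program scope: apex domains whose hosts (and subdomains) may be tested.
IN_SCOPE = ('example.com',)
# Static assets are dropped before probing; they are not application routes.
ASSET_SUFFIXES = ('.js', '.css', '.png', '.jpg', '.svg', '.woff', '.woff2', '.map')

def in_scope(url: str) -> bool:
    host = urlsplit(url).hostname or ''
    return any(host == apex or host.endswith('.' + apex) for apex in IN_SCOPE)

def normalize(raw: str, base_url: str) -> dict:
    """Turn extracted lines into absolute, deduplicated URLs split by scope.

    base_url is the page that loads the bundle: browsers resolve fetch("api/x")
    and fetch("/api/x") against the document, not against the script's own URL."""
    candidates, out_of_scope = set(), set()
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        # ${id} from template literals and {param} placeholders become one token,
        # so /users/${id} and /users/{param} do not count as two endpoints.
        line = re.sub(r'\$?\{[^}]*\}', '{param}', line)
        # urljoin leaves absolute URLs alone and resolves "/rooted", "bare" and "./dotted" paths.
        url = urljoin(base_url, line)
        if urlsplit(url).path.lower().endswith(ASSET_SUFFIXES):
            continue
        (candidates if in_scope(url) else out_of_scope).add(url)
    return {'candidates': sorted(candidates), 'out_of_scope': sorted(out_of_scope)}

if __name__ == '__main__':
    result = normalize(RAW_ENDPOINTS, 'https://app.example.com/')
    print('\n'.join(result['candidates']))  # this list is what goes to httpx
    print('skipped (out of scope):', *result['out_of_scope'])
```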
4. Endpoint Validation and Fuzzing with `ffuf`
Finding endpoints is only half the battle. The next step is to validate which are live and fuzz for hidden parameters.
Command & Usage:
```bash
# 1. Filter out the extracted full URLs and check if they are active
cat all_endpoints.txt | grep "https://" | httpx -silent > live_endpoints.txt

# 2. Fuzz a discovered API endpoint for hidden parameters
#    (the wordlists define the PARAM and VALUE keywords, so the URL itself carries no placeholder)
ffuf -w /usr/share/wordlists/parameter-names.txt:PARAM \
     -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt:VALUE \
     -u "https://api.example.com/v1/user" \
     -mr "error" \
     -X POST \
     -d "PARAM=VALUE" \
     -H "Content-Type: application/x-www-form-urlencoded"
```
Step-by-Step Guide:
- Filter Live URLs: Use `grep` to isolate full URLs from your extracted list, then use `httpx` to check which ones are accessible (return a 200/3xx/403 status code).
- Prepare for Fuzzing: Identify a promising endpoint, such as `/api/v1/user`.
- Configure FFuf: Use two wordlists: one for parameter names (e.g., `id`, `token`, `debug`) and one for values. The `-w` flag with a placeholder allows this.
- Analyze Results: The `-mr` (match regex) flag tells `ffuf` to highlight responses containing "error," which can indicate a parameter is being processed but the value is incorrect, a strong lead for further testing.
5. Advanced Parsing with `jsubfinder`
For a more sophisticated analysis that looks for secrets as well as endpoints, `jsubfinder` is an excellent choice.
Command & Usage:
```bash
# Install jsubfinder
go install github.com/ThreatUnkown/jsubfinder@latest

# Run against a list of domains to find endpoints and secrets
jsubfinder -l domains.txt -o results.json -s
```
Step-by-Step Guide:
- Installation: Install the tool using the Go package manager.
- Execution: Provide a list of target domains with the `-l` flag. The tool will automatically discover and analyze JavaScript files.
- Output: The `-o` flag saves the results in a structured JSON file. The `-s` flag enables the search for secrets like API keys and tokens.
- Review: The output will categorize findings, making it easy to separate endpoints from potential credential leaks, streamlining your triage process.
6. Windows PowerShell for Local JS Analysis
On a Windows machine, you can perform basic endpoint extraction using native PowerShell commands.
Command & Usage:
```powershell
# Find all strings in a JS file that look like URLs
Select-String -Path "C:\temp\app.js" -Pattern 'https?://[^\s"''<>]+' -AllMatches | % { $_.Matches } | % { $_.Value } | Sort-Object -Unique > endpoints_win.txt
```

```cmd
REM Or using curl and findstr in Command Prompt
curl -s https://example.com/app.js | findstr /R "https://." > endpoints_win2.txt
```
Step-by-Step Guide:
- Download the File: Use `curl` or `Invoke-WebRequest` in PowerShell to download the target JS file locally.
- Parse with Select-String: The `Select-String` cmdlet uses a regular expression to find all strings matching the `http://` or `https://` pattern.
- Extract and Deduplicate: The command pipeline extracts just the matched text, sorts it, and removes duplicates.
- Result: You get a clean list of full URLs found within the JavaScript file, ready for further investigation.
What Undercode Say:
- Recon is a Goldmine: The most critical vulnerabilities are often hidden in client-side code, not in the main sitemap. Automated scanners frequently overlook these JS-discovered endpoints, providing a significant advantage to manual hunters.
- Context is King: An endpoint is just a path; a vulnerability is a path plus a flawed interaction. Always test the extracted endpoints with various HTTP methods (GET, POST, PUT, DELETE) and analyze the application’s logic for flaws like Broken Object Level Authorization (BOLA) and business logic errors.
The shift towards single-page applications (SPAs) and API-driven architectures means an ever-increasing amount of application logic is buried within JavaScript. Relying solely on traditional crawling is a recipe for missed scope and low-hanging fruit. The hunters who consistently earn bounties are those who have automated the process of JS endpoint extraction and, more importantly, developed the intuition to prioritize and test the unique application pathways they uncover. This methodology turns a scattergun recon approach into a precision-guided hunt for critical business logic flaws.
Prediction:
The reliance on client-side JavaScript will only intensify with frameworks like React, Vue, and Angular dominating development. This will make JS reconnaissance not just a valuable skill but a non-negotiable one for effective application security testing. We will see a corresponding evolution in tooling, with more integrated platforms that automatically map the entire application attack surface by combining static JS analysis with dynamic API traffic inspection. Furthermore, as defenses improve, attackers and bug hunters will increasingly pivot towards finding “second-order” vulnerabilities—flaws that are not present in a single request but are revealed by chaining actions across multiple, hidden endpoints discovered through these precise recon techniques.
Reported By: Deepak Saini – Hackers Feeds