This Python-based tool discovers API keys, access tokens, and other sensitive data in JavaScript files. It scans the JavaScript files in a specified folder, matches their content against a set of regex patterns, and outputs the results either in CLI format or as an HTML report with highlighted matches.
Note: since the tool is entirely regex-based, there will be false positives; confirm each finding manually.
This script is forked from @m4ll0k's SecretFinder. I modified the script to run against a list of URLs and display a neat output in the terminal or as an HTML file.
Sample HTML output:
Sample CLI output:
- Scans JavaScript files for sensitive information
- Supports multiple regex patterns for various API keys and tokens
- Outputs results in both CLI and HTML formats
- Highlights different types of sensitive data with different colors
- Clone the repository:

```shell
git clone https://github.com/ifconfig-me/JSSecret-Extractor.git
cd JSSecret-Extractor
```

- Install the required dependencies:

```shell
pip install -r requirements.txt
```

Alternatively, install the dependencies manually:

```shell
pip install jsbeautifier requests lxml colorama
```
- Basic usage:

To scan a folder containing JavaScript files and write the results to an HTML file:

```shell
python JSSecret-Extractor.py -i /path/to/your/js/folder -o output.html
```

- CLI output:

To scan a folder and print the results directly to the console:

```shell
python JSSecret-Extractor.py -i /path/to/your/js/folder -o cli
```

- Additional options:

`-r`, `--regex`: a regex used to filter the discovered endpoints (e.g., `^/api/`). Example:

```shell
python JSSecret-Extractor.py -i /path/to/your/js/folder -o output.html -r "^/api/"
```
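The following is an added example, not code from the JSSecret-Extractor project, showing the approach the feature list and the `-r` option describe: a folder of `.js` files is scanned with a handful of regex patterns, endpoint matches are filtered with a user-supplied regex, and the findings are rendered either as console text or as an HTML report with one highlight colour per finding type. The patterns, colours, sample file and the `LOW_ENTROPY` threshold are all constructed for this example; the entropy check is an addition that flags placeholder-looking matches, since regex-only matching produces false positives that still need manual confirmation.

```python
"""Added example (not JSSecret-Extractor's own code): minimal regex-based
secret scan over a folder of JavaScript files, with an endpoint filter in
the spirit of the tool's -r option, CLI and HTML rendering, and a Shannon
entropy check that marks likely placeholder values."""
import html
import math
import os
import re
import tempfile
from collections import Counter

# Constructed, illustrative patterns; assumption: the real tool ships a much
# larger set. "endpoint" captures quoted absolute paths such as "/api/v1/users".
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "bearer_token": re.compile(r"[Bb]earer\s+([A-Za-z0-9._\-]{20,})"),
    "endpoint": re.compile(r"[\"'](/[A-Za-z0-9_./\-]{2,})[\"']"),
}
# One highlight colour per finding type for the HTML report (constructed).
COLORS = {"aws_access_key": "#ffb3b3", "google_api_key": "#b3d9ff",
          "bearer_token": "#ffe0b3", "endpoint": "#d9f2d9"}
LOW_ENTROPY = 3.0  # bits per character; below this a key-like match is suspect

def shannon_entropy(s):
    """Bits of entropy per character; repeated placeholder text scores low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(text, endpoint_filter=None):
    """Return [(kind, value, note)] for every match. note is '' or
    'low-entropy' when a secret-looking match is probably a placeholder."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "endpoint":
                if endpoint_filter and not re.search(endpoint_filter, value):
                    continue
                note = ""
            else:
                note = "low-entropy" if shannon_entropy(value) < LOW_ENTROPY else ""
            findings.append((kind, value, note))
    return findings

def scan_folder(folder, endpoint_filter=None):
    """Walk folder, scan every *.js file, return {path: findings}."""
    results = {}
    for root, _dirs, files in os.walk(folder):
        for name in sorted(files):
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read(), endpoint_filter)
            if hits:
                results[path] = hits
    return results

def render_cli(results):
    """Plain-text report, one finding per line under its file."""
    lines = []
    for path, hits in results.items():
        lines.append(f"[+] {path}")
        for kind, value, note in hits:
            suffix = f"  ({note})" if note else ""
            lines.append(f"    {kind:16} {value}{suffix}")
    return "\n".join(lines)

def render_html(results):
    """HTML report with each finding type highlighted in its own colour."""
    parts = ["<html><body>"]
    for path, hits in results.items():
        parts.append(f"<h3>{html.escape(path)}</h3><ul>")
        for kind, value, note in hits:
            tag = f" <i>{note}</i>" if note else ""
            parts.append(f'<li><span style="background:{COLORS[kind]}">'
                         f"{html.escape(kind)}: {html.escape(value)}</span>{tag}</li>")
        parts.append("</ul>")
    parts.append("</body></html>")
    return "\n".join(parts)

# Constructed sample input: the AWS value is the well-known documentation
# example key; the Google-style key is deliberately one repeated character.
SAMPLE_JS = (
    'const cfg = {aws: "AKIAIOSFODNN7EXAMPLE", gk: "AIza' + "A" * 35 + '"};\n'
    'fetch("/api/v1/users", {headers: {Authorization: "Bearer abcdefghij0123456789XYZ"}});\n'
    'fetch("/static/app.js");\n'
)

def demo(endpoint_filter="^/api/"):
    """Write the sample file into a temp folder, scan it, return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "app.js"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_JS)
        results = scan_folder(tmp, endpoint_filter)
        print(render_cli(results))
        return list(results.values())[0] if results else []

if __name__ == "__main__":
    demo()
```

Running the block prints the CLI view of the sample file; `render_html` produces the report form. With the default `^/api/` filter only `/api/v1/users` survives the endpoint pass, and the all-`A` key is reported with a `low-entropy` note, which is the kind of match the note above tells you to check by hand before treating it as a leak.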