FireJS is a powerful tool designed to scan JavaScript files for sensitive information such as hardcoded URLs, API endpoints, usernames, passwords, API keys, version information, email addresses, phone numbers, and other security-related data. This tool can be used to identify potential vulnerabilities in web applications and ensure sensitive data is not exposed in client-side code.
Developed by @jrhackerman & @Padayali-JD.
- Detects hardcoded URLs.
- Identifies API endpoints in JavaScript files.
- Searches for hardcoded usernames and passwords.
- Finds API keys, authentication tokens, and other sensitive information.
- Identifies email addresses and phone numbers.
- Detects version information.
- Option to scan local files or fetch remote JavaScript files via URL.
- Bypasses SSL certificate verification when fetching remote JavaScript files.
- Python 3.x
- Install required Python libraries using the following command:
pip install -r requirements.txt
You can run FireJS in two ways:
- Scan a local JavaScript file: use the -f or --file option:
  python firejs.py -f /path/to/your/javascript_file.js
- Scan a JavaScript file from a URL: use the -u or --url option. FireJS will automatically bypass SSL certificate verification if needed.
  python firejs.py -u https://example.com/path/to/javascript_file.js
For example:
python firejs.py -u https://example.com/app.js
Output:
[FireJS ASCII-art banner]
by jrhackerman
Scanning /
=== Findings ===
Hardcoded Urls:
- https://example.com/api
Api Endpoints:
- /api/v1/login
- /api/v1/get-data
Hardcoded Usernames:
None
Hardcoded Passwords:
None
Api Keys Tokens:
- ABC123TOKEN
Version Info:
- 1.0.0
Email Addresses:
- [email protected]
Phone Numbers:
- +1234567890
While scanning, the tool shows a simple loader animation to indicate the scanning process. This ensures that the user knows the process is ongoing, especially when scanning large files or fetching files over the network.
FireJS scans for various categories of sensitive data, including:
- Personally Identifiable Information (PII):
  - Full names
  - Email addresses
  - Phone numbers
  - Passport or driver's license numbers
- Financial Information:
  - Bank account numbers
  - Credit/debit card information
- Authentication Credentials:
  - Hardcoded passwords
  - API tokens
  - Authentication tokens
  - OAuth tokens
- Government-Issued Identifiers:
  - Tax IDs
  - National IDs
  - Voter IDs
- Version Information:
  - Extracts version data from files.
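As an added example (not FireJS's own code), here is the detection approach that the feature list and the categories above describe, reduced to a small Python scanner: one regex per finding category, run over a constructed JavaScript snippet, with the report masking password and token values so the findings output does not re-leak what it found. The PATTERNS table, SAMPLE_JS, scan_text, format_report, mask and the -f/-u flags are assumptions of this example that mirror the README's usage and output layout; they are not the project's actual patterns or API.

```python
"""Minimal secrets-in-JavaScript scanner in the style of FireJS (example code, not the project's)."""
import argparse
import re
import urllib.request
from collections import OrderedDict

# One pattern per finding category. These are constructed for this example and are
# deliberately conservative; a real scanner would carry many more signatures.
PATTERNS = OrderedDict([
    ("Hardcoded Urls", re.compile(r"""https?://[^\s'"`<>)]+""")),
    # A leading slash not preceded by a word char or another slash: a bare path, not part of a URL.
    ("Api Endpoints", re.compile(r"(?<![\w/])/api/[A-Za-z0-9_./-]+")),
    ("Hardcoded Usernames", re.compile(r"""\b(?:user(?:name)?|login)\s*[:=]\s*['"]([^'"]+)['"]""", re.I)),
    ("Hardcoded Passwords", re.compile(r"""\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*['"]([^'"]+)['"]""", re.I)),
    ("Api Keys Tokens", re.compile(
        r"""\b(?:api[_-]?key|(?:access[_-]?|auth[_-]?)?token|secret)\s*[:=]\s*['"]([A-Za-z0-9_\-.=]{8,})['"]""",
        re.I)),
    ("Version Info", re.compile(r"""\bversion\s*[:=]\s*['"]?(\d+\.\d+(?:\.\d+)?)""", re.I)),
    ("Email Addresses", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("Phone Numbers", re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")),
])

# Categories whose values are secrets and must be masked in any report.
SECRET_CATEGORIES = {"Hardcoded Passwords", "Api Keys Tokens"}

# Constructed sample bundle for this example; the values are fake.
SAMPLE_JS = r"""
const config = { username: "admin", password: 'hunter2', version: "1.0.0" };
const apiKey = "ABC123TOKEN";
fetch("https://example.com/api" + "/api/v1/login");
const support = "support@example.com, tel +1234567890";
axios.get('/api/v1/get-data');
"""


def scan_text(text):
    """Return an ordered mapping of category -> list of unique matched values."""
    findings = OrderedDict()
    for label, pattern in PATTERNS.items():
        hits = []
        for match in pattern.finditer(text):
            # Patterns with a capture group report the value, not the key=value pair.
            value = (match.group(1) if match.groups() else match.group(0)).strip()
            if value not in hits:
                hits.append(value)
        findings[label] = hits
    return findings


def mask(value, keep=3):
    """Keep a short prefix so a finding is recognisable without reproducing the secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def format_report(findings):
    """Render findings in the same layout as the README's sample output."""
    lines = ["=== Findings ==="]
    for label, hits in findings.items():
        lines.append(f"{label}:")
        if not hits:
            lines.append("None")
        for hit in hits:
            lines.append(f"- {mask(hit) if label in SECRET_CATEGORIES else hit}")
    return "\n".join(lines)


def read_source(path=None, url=None):
    """Load JavaScript from a local file or over HTTPS (certificate verification left on)."""
    if path:
        with open(path, encoding="utf-8", errors="replace") as handle:
            return handle.read()
    if url:
        with urllib.request.urlopen(url, timeout=15) as response:
            return response.read().decode("utf-8", errors="replace")
    raise ValueError("a file path or a URL is required")


def main(argv=None):
    parser = argparse.ArgumentParser(description="scan a JavaScript file for exposed secrets")
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument("-f", "--file", help="local JavaScript file to scan")
    group.add_argument("-u", "--url", help="URL of a JavaScript file to fetch and scan")
    args = parser.parse_args(argv)
    print(format_report(scan_text(read_source(args.file, args.url))))


if __name__ == "__main__":
    main()
```

Run it as `python scanner.py -f bundle.js` or `-u https://…/app.js`; calling scan_text(SAMPLE_JS) directly shows each category hit once. Keeping the patterns in a table makes it easy to add a signature (for example a card-number or OAuth-token regex) without touching the scanning loop, and masking at report time rather than at match time means the raw values are still available for triage while the saved report is safe to share.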
This project is licensed under the MIT License - see the LICENSE file for details.
Feel free to contribute by creating issues or submitting pull requests. This tool is designed for educational purposes, and any contributions that help improve security are highly welcome.
This tool is intended for educational purposes and ethical security testing only. Ensure you have permission to scan any web applications or JavaScript files before using this tool. Unauthorized use may be illegal.
Enjoy scanning with FireJS by @jrhackerman & Padayali-JD 🔥