JSXtract 作成者: Device1

This tool is a great way to get an initial look on what may exist within the application. You can use the tool to get some basic data such as urls, endpoints and parameters or get a good initial look of sinks, postmessages and then go deeper from there etc.

How it's used
- First the user should open dev tools and check which domains the JS files of the application are from i.e. netflix uses nflxext.com, in which case you'd place something like "nflx" into the whitelist input (this input is comma separated array i.e. nflx,netflix), which will then get all JS files from sources which include "nflx" in them. The whitelist was created to separate thirdparty JS from the applications JS files.
- Second you'd press start and a new tab called "results" opens up in your browser which allows you to see the data which we're found through various regex.

Results
- Urls
- Endpoints
- Parameters
- Sinks (various sinks with a bit of context)
- PostMessages (These also have a bit of context)
- Misc. (These are values of .get() & .set() with some context)

The regex used
Urls: > /https?:\/\/[a-zA-Z0-9.-_\/\${}:]+/g

Endpoints: > /(?<=[\"\'])\/[a-zA-Z0-9-._\/\${}:]{2,}/g

Parameters: > /(?<=\?)[a-zA-Z0-9-_]{2,}(?==)/g

Misc.: > /[()[]{}\w]{0,20}.[sg]et([\"\'][^\"\']+[\"\'][^)]*)/g

Sinks: > /document.(write(ln)([^)]+)|domain\s?=\s?[^;)]}]{1,300})|.(innerHTML|outerHTML|insertAdjacentHTML|onevent|srcdoc)\s?[=]\s?[^;]{1,300};|dangerouslySetInnerHTML[=:]\s?{?[^;}]{1,300}[;}]|location.(host|hostname|href|pathname|search|protocol)\s?=[^;]{1,300};|location.(assign(|replace()[^)]{1,300})|document.cookie\s?=\s?[^;]{1,300};|(eval(uate)?|execCommand|execScript)([^)]+)|.(href|src|action)\s?=\s?[^;]{1,300};|FileReader.(readAsArrayBuffer|readAsBinaryString|readAsDataURL|readAsText|readAsFile|root.getFile)([^)]{1,300})/g

PostMessages: > /postMessage(.{1,300});|addEventListener([\'\"]message[\'\"].{1,300});/g

Github
https://github.com/Antp1k/jsxtract/