Awesome-offsec-claude javascript-surface-analyzer

Enumerate and analyze client-side JavaScript for hidden endpoints, secrets, dangerous sinks, and exploitable browser behaviors.

install

source · Clone the upstream repo

git clone https://github.com/1ikeadragon/awesome-offsec-claude

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/1ikeadragon/awesome-offsec-claude "$T" && mkdir -p ~/.claude/skills && cp -r "$T/javascript-surface-analyzer" ~/.claude/skills/1ikeadragon-awesome-offsec-claude-javascript-surface-analyzer && rm -rf "$T"

manifest: javascript-surface-analyzer/SKILL.md

source content

JavaScript Surface Analyzer

Purpose

Extract attacker-relevant intelligence from front-end code and convert it into testable hypotheses.

Inputs

```
target_url
```
```
seed_pages
```
(optional)
```
auth_context
```
(optional)

Workflow

Phase 1: Asset Enumeration

Collect static and dynamic script URLs.
Expand via source maps and chunk manifests where available.
Track script origin, load condition, and execution context.

Phase 2: Artifact Extraction

Endpoints, route builders, and API clients.
Header/token construction logic.
Feature flags, debug modes, hidden route toggles.
Secret candidates and key material references.

Phase 3: Sink Analysis

DOM write sinks:
```
innerHTML
```
,
```
outerHTML
```
, template insertion.
Code execution sinks:
```
eval
```
,
```
Function
```
,
```
setTimeout
```
string usage.
URL/navigation sinks: dynamic redirects, iframe/src assignments.
Storage sinks: local/session storage of sensitive artifacts.

Phase 4: Controllability Assessment

Determine if attacker can influence source data.
Trace sanitization or encoding at boundaries.
Estimate exploit preconditions per sink.

Phase 5: Follow-up Planning

Create endpoint verification cases.
Create DOM-XSS and open redirect probes.
Create token misuse and privilege abuse checks.

Minimum Extraction Targets

Category	Required Extraction
API surface	method + path hints + caller context
Secrets	key/token candidates with confidence tag
Sinks	sink type + source controllability
Hidden features	flag name + activation condition

Output Contract

{
  "script_inventory": [],
  "endpoint_candidates": [],
  "secret_candidates": [],
  "sink_map": [],
  "hidden_features": [],
  "follow_up_tests": []
}

Constraints

Treat secret candidates as sensitive.
Mark uncertainty for heavily obfuscated code.

Quality Checklist

Dynamic script loading is covered.
Sink report includes controllability.
Follow-up tests are concrete and scoped.

Detailed Operator Notes

Static + Runtime Correlation

Correlate bundled route constants with observed network calls.
Correlate feature flags with guarded code branches.
Correlate secret candidates with call-site usage.

Sink Prioritization Heuristics

Prioritize sinks fed by URL, query string, postMessage, or storage.
Prioritize sinks reachable pre-auth and in shared pages.
Prioritize sinks with partial sanitization or legacy wrappers.

Obfuscation Strategy

Start with string table recovery and call-graph sketch.
Identify decoder/dispatcher stubs before deep tracing.
Mark unresolved obfuscated segments as explicit unknowns.

Reporting Rules

Include
```
controllable_source
```
for each sink candidate.
Include
```
execution_context
```
(HTML, attribute, JS string, URL).
Include follow-up payload family per sink.

Quick Scenarios

Scenario A: Authorization Drift

Baseline with owned resource.
Replay with foreign resource identifier.
Repeat with role shift and fresh session.
Confirm read/write/delete differences.

Scenario B: Input Handling Weakness

Send syntactically valid control payload.
Send semantically malicious variant.
Verify parser or execution side effect.
Re-test with content-type variation.

Scenario C: Workflow Bypass

Execute expected state sequence.
Attempt out-of-order transition.
Attempt repeated action replay.
Confirm server-side state enforcement.

Conditional Decision Matrix

Condition	Action	Evidence Requirement
Endpoint found in code but not traffic	create targeted trigger path for invocation	call-site + trigger proof
Secret candidate appears in multiple bundles	map runtime use and scope	usage map with confidence
Sink appears sanitized	verify context-specific sanitizer match	sink-context trace
Obfuscated dispatcher controls routes	recover dispatcher map before sink triage	dispatcher mapping artifact
Feature flag gates privileged behavior	test activation constraints and fallback paths	flag-state behavior diff

Advanced Coverage Extensions

Correlate source-map names with production minified call sites.
Extract hidden API capabilities from autogenerated client stubs.
Detect unsafe postMessage listeners and origin validation gaps.
Detect dynamic import paths controlled by user data.
Detect insecure local storage coupling to auth flows.