Stop Missing Hidden API Keys in JS Files: JSAnalyzer Exposed

What if I told you that every day, developers are accidentally leaking AWS keys, database passwords, and admin API endpoints—and they're hiding in plain sight inside JavaScript files?

Here's the terrifying truth: modern web applications ship massive amounts of JavaScript to browsers. Minified bundles, chunked modules, lazy-loaded scripts—all of it potentially contains secrets that should never see the light of day. And here's what keeps security researchers up at night: most of these leaks go completely undetected because traditional security scanners weren't built to parse JavaScript the way browsers do.

You've probably used Burp Suite. Maybe you've even tried manually grepping through JS files for interesting strings. But let me guess—your results were drowning in noise. XML namespace URLs. Module import paths. Build artifact references. The signal-to-noise ratio makes manual analysis practically impossible at scale.

Enter JSAnalyzer by Jenish Sojitra—a Burp Suite extension specifically engineered to solve this exact problem. This isn't another generic regex tool that floods you with false positives. JSAnalyzer was built with intelligent noise filtering as its core philosophy, designed to extract only what matters: real API endpoints, actual secrets, genuine URLs, and sensitive file references.

In this deep dive, I'll show you exactly why top bug bounty hunters and penetration testers are quietly adding JSAnalyzer to their arsenal. You'll learn how it works under the hood, see real code examples you can deploy today, and discover why its standalone Python engine might become your new favorite reconnaissance tool.

What is JSAnalyzer?

JSAnalyzer is a powerful Burp Suite extension for JavaScript static analysis that extracts API endpoints, URLs, secrets, and email addresses from JavaScript files with intelligent noise filtering. Created by Jenish Sojitra, a security researcher known as "Jensec" in the InfoSec community, this tool addresses a critical gap in web application security testing workflows.

The extension operates as a Jython 2.7-based plugin that integrates directly into Burp Suite's ecosystem, allowing security professionals to analyze JavaScript responses without leaving their primary testing environment. But here's where it gets interesting—unlike many Burp extensions that remain tethered to the platform, JSAnalyzer ships with a standalone Python engine that you can embed into your own automation pipelines, APIs, or custom tools.

Why is JSAnalyzer trending now? The answer lies in how modern web development has evolved. Single-page applications (SPAs), micro-frontends, and edge-computed JavaScript have exploded the attack surface. Every webpack chunk, every dynamically imported module, every third-party SDK loaded at runtime becomes a potential reconnaissance goldmine—or a liability if you're the defender. Traditional tools like LinkFinder pioneered endpoint extraction, and TruffleHog revolutionized secret detection. JSAnalyzer synthesizes these approaches with a crucial innovation: context-aware filtering that understands what JavaScript actually is.

The project's MIT license and active contribution culture have accelerated its adoption. Security engineers are forking it to add custom secret patterns for their specific targets, improving noise filters for niche frameworks, and integrating the standalone engine into CI/CD pipelines for continuous JavaScript exposure monitoring.

Key Features That Set JSAnalyzer Apart

Let's dissect what makes JSAnalyzer genuinely powerful—not just marketing bullet points, but technical capabilities that translate to real findings.

Intelligent Endpoint Detection

JSAnalyzer doesn't just hunt for strings containing slashes. It recognizes semantic patterns in API construction: versioned paths (/api/v1/users), RESTful resource patterns (/rest/data), OAuth flows (/oauth2/token, /callback), administrative interfaces (/admin, /internal), and well-known discovery endpoints (/.well-known/openid-configuration). This contextual understanding dramatically reduces false positives compared to naive regex approaches.

Multi-Cloud URL Extraction

The extension identifies full URLs including cloud storage references—AWS S3 buckets, Azure Blob Storage, and Google Cloud Storage URLs that developers frequently embed in client-side code. These often reveal misconfigured buckets or unintended data exposure vectors that automated scanners miss.

Comprehensive Secret Scanning

This is where JSAnalyzer shines. The built-in pattern library detects:

AWS Access Keys: AKIA[0-9A-Z]{16} format with proper validation
Google API Keys: AIza[0-9A-Za-z\-_]{35} for Maps, Cloud, and other services
Stripe Live Keys: sk_live_[0-9a-zA-Z]{24,}—critical for payment flow testing
GitHub Personal Access Tokens: ghp_[0-9a-zA-Z]{36}
Slack Tokens: Multiple xox prefix variants
JWT Tokens: Base64-encoded eyJ... patterns
Private Keys: PEM-formatted cryptographic material
Database Connection Strings: mongodb://, postgres://, mysql:// protocols

Smart Noise Filtering: The Secret Sauce

Here's what separates JSAnalyzer from tools that drown you in garbage. The extension automatically eliminates:

XML namespace URIs (schemas.openxmlformats.org, www.w3.org)
Relative module imports (./, ../, @angular/, react/)
PDF internal structure paths (/Type, /Font, /Filter)
Excel/XML document internals (xl/, docProps/, worksheets/)
Localization files (en.js, fr-ca.js, de-de.json)
Cryptographic library internals (sha.js, aes, bn.js)

This filtering isn't hardcoded lazily—it understands why these patterns occur in JavaScript and excludes them based on contextual clues, not just string matching.

Operational Features for Real Workflows

Source Tracking: Every finding maps back to its originating JavaScript file
Live Search: Real-time filtering of results without re-running analysis
Copy Functionality: Individual or bulk clipboard export for rapid reporting
JSON Export: Structured output for integration with other tools and automation

Use Cases: Where JSAnalyzer Dominates

Bug Bounty Reconnaissance at Scale

When you're targeting a modern web application, the JavaScript footprint can span hundreds of files across multiple subdomains and CDNs. Manually analyzing this volume is impractical. JSAnalyzer lets you bulk-select requests from Burp's HTTP history or Dashboard and analyze them simultaneously. The noise filtering means you're reviewing actual findings, not wading through thousands of module import paths.

Post-Exploitation Intelligence Gathering

After gaining initial access or during grey-box testing, JavaScript files often contain environment-specific configuration that reveals internal architecture. Staging API endpoints, internal admin panels, and service URLs that don't appear in public documentation frequently surface in client-side code. JSAnalyzer extracts these systematically.

Supply Chain Security Auditing

Third-party JavaScript SDKs, analytics scripts, and embedded widgets are opaque attack surfaces. By analyzing these through JSAnalyzer, you can identify whether vendors are embedding secrets in their distributed code, or whether their scripts reference unexpected endpoints that could indicate compromise or data exfiltration.

Continuous Security Monitoring

Using the standalone engine (detailed below), organizations can build automated pipelines that analyze JavaScript artifacts from builds, CDN distributions, or archived versions. This catches secret leakage before deployment, or identifies historical exposures in previously shipped code.

Penetration Test Reporting Efficiency

The JSON export and copy functionality streamline report generation. Instead of manually documenting findings with screenshots of grep output, you get structured, reproducible data that integrates cleanly with standard reporting templates.

Step-by-Step Installation & Setup Guide

Getting JSAnalyzer operational requires proper Jython configuration in Burp Suite. Follow these steps precisely:

Prerequisites

Download Jython Standalone JAR Visit https://www.jython.org/download and download the latest Jython 2.7 standalone JAR file. Save it to a persistent location—Burp will reference this path permanently.
Verify Burp Suite Compatibility JSAnalyzer requires Burp Suite Professional or Community Edition with extension support. The extension uses Jython 2.7, so ensure your Burp installation can load Python extensions.

Burp Suite Configuration

Step 1: Configure Python Environment

Extensions → Extension Settings → Python Environment

Set the Jython JAR path to your downloaded jython-standalone-2.7.x.jar file.

Step 2: Install JSAnalyzer Extension

Extensions → Installed → Add

Select Extension type: Python
Click Select file... and browse to js_analyzer.py from the JSAnalyzer repository
Burp will load the extension and display it in the Installed extensions list

Step 3: Verify Installation After successful loading, you should see:

JSAnalyzer in your Installed extensions list
A new "JS Analyzer" tab in Burp's interface
No error messages in the Extensions output panel

Operational Workflow

Once installed, using JSAnalyzer becomes seamless:

Proxy traffic through Burp during normal browsing or targeted reconnaissance
Identify JavaScript responses in:
- Proxy → HTTP history (look for Content-Type: application/javascript or .js URLs)
- Target → Site map (aggregated by domain)
- Repeater (for manual request analysis)
Right-click on any response containing JavaScript content
Select "Analyze JS with JS Analyzer" from the context menu
Review results in the dedicated JS Analyzer tab

Pro tip: You can select multiple requests simultaneously from HTTP history or Dashboard using Ctrl/Cmd+click, then send them all to JSAnalyzer in one operation. This is invaluable for bulk analysis of an entire application's JavaScript footprint.

REAL Code Examples from the Repository

JSAnalyzer's true power extends beyond Burp integration. The standalone engine enables custom automation. Here are the actual implementations from the repository, explained in depth:

Example 1: Core Engine Usage

from js_analyzer_engine import JSAnalyzerEngine

# Initialize the analysis engine
engine = JSAnalyzerEngine()

# Analyze raw JavaScript content
results = engine.analyze(javascript_content)

# Access structured findings by category
print(results["endpoints"])  # ['/api/v1/users', '/api/v2/auth', ...]
print(results["urls"])       # ['https://api.example.com', 'https://cdn.site.com', ...]
print(results["secrets"])    # [{'type': 'AWS Key', 'value': '...', 'masked': '...'}, ...]
print(results["emails"])     # ['admin@company.com', 'security@target.com', ...]

What's happening here? The JSAnalyzerEngine class encapsulates all detection logic. When you call analyze(), it orchestrates multiple specialized regex engines in sequence: endpoint extraction runs first, then URL discovery, then secret pattern matching with the built-in credential library, and finally email extraction. Each category returns appropriately structured data—endpoints and URLs as simple lists, secrets as dictionaries with type classification and masked values for safe logging.

The javascript_content parameter expects a string of raw JavaScript—this could come from an HTTP response body, a file read operation, or any other source. The engine is stateless, so you can reuse the same instance across multiple analyses without cross-contamination of results.

Example 2: Production-Ready Flask API

from flask import Flask, request, jsonify
from js_analyzer_engine import JSAnalyzerEngine

app = Flask(__name__)
engine = JSAnalyzerEngine()  # Reuse single engine instance for efficiency

@app.route('/analyze', methods=['POST'])
def analyze():
    # Extract JavaScript content from JSON payload
    content = request.json.get('content', '')
    
    # Perform analysis
    results = engine.analyze(content)
    
    # Return structured JSON response
    return jsonify(results)

if __name__ == '__main__':
    app.run(port=5000)

This is where things get powerful. The Flask wrapper transforms JSAnalyzer from a manual Burp tool into an automated microservice. In production deployments, you'd want to add:

Input size limits to prevent DoS via massive JavaScript payloads
Authentication/authorization for the /analyze endpoint
Rate limiting for API abuse prevention
Async processing with Redis/Celery for large-scale analysis queues

The jsonify(results) call automatically serializes the engine's output structure, making integration with SIEMs, vulnerability management platforms, or custom dashboards straightforward. The JSAnalyzerEngine() instantiation outside the route handler ensures connection pooling efficiency—the engine's compiled regex patterns stay in memory, eliminating recompilation overhead per request.

Example 3: Understanding the Detection Patterns

While not explicit code, the README reveals the regex architecture through pattern documentation:

# AWS Access Key pattern (from documentation)
AKIA[0-9A-Z]{16}

# Google API Key pattern
AIza[0-9A-Za-z\-_]{35}

# Stripe Live Secret Key
sk_live_[0-9a-zA-Z]{24,}

# GitHub Personal Access Token
ghp_[0-9a-zA-Z]{36}

These patterns demonstrate precision engineering over naive matching. The AWS pattern AKIA[0-9A-Z]{16} encodes structural knowledge: all AWS access keys start with "AKIA" (for long-term credentials; "ASIA" for temporary), followed by exactly 16 alphanumeric characters. The Stripe pattern sk_live_[0-9a-zA-Z]{24,} specifically targets production keys (sk_live_) versus test keys (sk_test_), prioritizing highest-impact findings.

The 24, quantifier means "24 or more characters"—Stripe increased key length over time, and this pattern remains compatible with legacy and current formats. These aren't random regexes; they're maintained, tested patterns derived from actual secret formats.

Advanced Usage & Best Practices

Custom Secret Pattern Extension

The README explicitly invites contributions: "Feel free to fork and add more secrets detections as required." For internal tools, extend the engine's pattern library with organization-specific tokens:

Internal API gateway keys
Custom JWT claim structures
Proprietary service identifiers

Noise Filter Tuning for Specialized Targets

Analyzing React Native bundles? Ionic apps? Electron applications? Each framework generates characteristic JavaScript patterns that may trigger false positives. Study the built-in noise filters and add framework-specific exclusions:

React Native: __fbBatchedBridge, RCT prefixed modules
Electron: node_modules paths in bundled renderer processes
Webpack 5: webpack_chunk_load internal URLs

Scaled Automation Architecture

For enterprise deployment, wrap the standalone engine in a message-queue worker:

S3/CloudFront logs → SQS queue → Lambda/ECS worker → JSAnalyzer → DynamoDB/Elasticsearch

This enables retrospective analysis of all JavaScript served by your CDN, with historical trending and alerting on new secret exposures.

Correlation with Other Reconnaissance

JSAnalyzer findings gain power when correlated:

Feed endpoints into directory brute-forcing tools (ffuf, gobuster)
Cross-reference secrets against cloud provider APIs for validation
Map discovered URLs to subdomain enumeration results for completeness checking

Comparison with Alternatives

Feature	JSAnalyzer	LinkFinder	TruffleHog	Manual Grep
Burp Suite Integration	✅ Native	❌ CLI only	❌ CLI only	❌
Noise Filtering	✅ Advanced	⚠️ Basic	⚠️ Moderate	❌ None
Secret Detection	✅ Built-in	❌	✅ Extensive	⚠️ Manual regex
Standalone Engine	✅ Python	❌	✅ Go/Python	✅ Any
Real-time UI	✅ Burp tab	❌	❌	❌
JSON Export	✅	❌	✅	❌
Email Extraction	✅	❌	❌	⚠️ Manual
File Reference Detection	✅	❌	❌	⚠️ Manual
Live Search/Filter	✅	❌	❌	❌
Open Source	✅ MIT	✅	✅ AGPL	N/A

Why JSAnalyzer wins: LinkFinder excels at endpoint discovery but lacks secret detection and Burp integration. TruffleHog has superior secret coverage but no JavaScript-specific context or real-time analysis workflow. Manual grep is flexible but unscalable and noisy. JSAnalyzer occupies the optimal intersection: purpose-built for JavaScript, integrated into the standard penetration testing workflow, with extensibility for custom automation.

FAQ: Common Developer and Security Researcher Questions

Q: Does JSAnalyzer work with Burp Suite Community Edition? A: Yes, the extension loads in both Professional and Community editions, provided Jython is properly configured. Some Community Edition limitations on extension performance may apply with very large JavaScript files.

Q: Can I use JSAnalyzer without Burp Suite entirely? A: Absolutely. The js_analyzer_engine.py module is completely independent. Import it in any Python 2.7/3.x project, pass JavaScript strings to analyze(), and receive structured results.

Q: How does JSAnalyzer handle minified or obfuscated JavaScript? A: The regex patterns work on raw text, so minification doesn't impede detection. Obfuscation that transforms string literals (like eval-based packers) may reduce effectiveness. For heavily obfuscated code, consider deobfuscation preprocessing.

Q: Is there a risk of false negatives with the noise filtering? A: The filtering is conservative—designed to exclude obvious non-findings rather than aggressively suppress borderline cases. If you encounter legitimate findings being filtered, the patterns are open-source and modifiable. The project welcomes filter improvement contributions.

Q: Can I add custom secret patterns without modifying core code? A: Currently, pattern extension requires forking and modifying the engine. The modular structure makes this straightforward. Future versions may support external pattern configuration files.

Q: Does JSAnalyzer send any data to external services? A: No. All analysis occurs locally within your Burp instance or Python runtime. No telemetry, no cloud processing, no data exfiltration.

Q: What Jython version is required? A: Jython 2.7 is specified. Ensure you download the standalone JAR from the official Jython website, not a system package manager version that may lack complete standard library support.

Conclusion: Why JSAnalyzer Deserves Your Attention

JavaScript has become the largest attack surface most organizations never systematically analyze. Every webpack bundle, every imported SDK, every dynamically loaded module is a potential source of credential leakage, API exposure, and architectural intelligence for attackers. The tools we've historically used either weren't designed for this domain or drown practitioners in unusable noise.

JSAnalyzer by Jenish Sojitra solves this with surgical precision. Its intelligent noise filtering demonstrates genuine understanding of JavaScript's ecosystem—not just regex thrown at text. The dual architecture (Burp extension + standalone engine) serves both interactive testing and automated pipelines. The open, extensible design invites community contribution rather than locking you into vendor-controlled pattern libraries.

For bug bounty hunters, this is a reconnaissance force multiplier. For defenders, it's a continuous monitoring enabler. For penetration testers, it's a reporting efficiency engine that transforms tedious manual analysis into structured, actionable intelligence.

The security community has already recognized its value—forks are adding enterprise-specific secret patterns, integrations are being built with CI/CD platforms, and the noise filtering continues to improve with real-world feedback.

Your next step is simple: clone the JSAnalyzer repository, install it in Burp Suite, and point it at your next target's JavaScript. The secrets hiding in plain sight will surprise you. They always do.

Found this analysis valuable? Star the repository, contribute patterns from your own findings, and follow @_jensec for updates. The best security tools are built by the community, for the community.