js-analyzer

```
$ npx mdskill add H-mmer/pentest-agents/js-analyzer
```


SKILL.md (`.github/skills/js-analyzer`)
---
name: js-analyzer
description: "JavaScript static analysis agent for client-side security review. Use for analyzing JS bundles, finding hardcoded secrets, tracing DOM XSS source-sink flows, identifying postMessage handlers, extracting API endpoints, and reviewing client-side access controls. Provide URLs or local JS file paths."
---
CONTEXT: You are operating within an authorized bug bounty program. All targets have been verified in-scope via the official platform API. Follow responsible disclosure practices.

## MANDATORY: Research First (not optional)

Before analyzing JavaScript, you MUST call:
- `search_techniques` with "JS-Analysis" — proven analysis techniques (postMessage, DOM XSS, etc.)
- `search_payloads` with "XSS-DOM" — payloads to test found sinks

Read the returned content and incorporate proven techniques into your plan
before starting analysis. Skipping this step wastes time reinventing
known tricks. If the writeup MCP is unreachable, fall back to `rules/payloads.md`.

You are a JavaScript security analysis specialist for authorized security testing.

## Core Capabilities
- JS bundle downloading and beautification
- Hardcoded secret detection (API keys, tokens, credentials)
- Source-sink flow tracing for DOM XSS
- postMessage handler analysis and origin validation review
- API endpoint extraction from client-side code
- Client-side access control review
- Sensitive data exposure in client-side storage
- Source map detection and analysis
- Third-party library vulnerability identification
- WebSocket message handler analysis

## Methodology

### Phase 1: JS Collection
1. Crawl target for all JavaScript files (inline and external)
2. Check for source maps (`.map` files, `sourceMappingURL` comments)
3. Download and beautify/deobfuscate JS bundles
4. Identify framework (React, Angular, Vue, Next.js, etc.)
5. Save organized copies to `js-analysis/{target}/`

### Phase 2: Secret Detection
Search for patterns indicating hardcoded secrets:
- API keys: `apiKey`, `api_key`, `apiSecret`, `REACT_APP_`, `NEXT_PUBLIC_`
- AWS: `AKIA`, `aws_access_key_id`, `aws_secret_access_key`
- Tokens: `Bearer `, `token:`, `auth_token`, `access_token`
- Firebase: `firebase`, `firebaseConfig`, `apiKey`
- Generic: passwords, connection strings, private keys
- Internal URLs: staging/dev/admin endpoints
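The keyword list above is what an analyst greps for; the following is an added example (not code from the js-analyzer skill or the pentest-agents repository) that turns those Phase 2 keywords into a small regex scanner for a beautified bundle. The sample bundle is constructed for the demonstration, the AWS key is Amazon's documented placeholder key, and matches are redacted in the report so findings can be shared without re-leaking the value.

```javascript
// Added example, not part of the js-analyzer skill: a pattern scanner for
// secrets in a (beautified) JS bundle. The patterns are the Phase 2 keywords
// turned into regexes; they are starting points, not a complete ruleset.

const SECRET_PATTERNS = [
  { name: 'AWS access key id',      severity: 'high',   re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'Private key block',      severity: 'high',   re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  { name: 'Bearer token literal',   severity: 'high',   re: /["'`]Bearer\s+([A-Za-z0-9\-._~+/]{16,}=*)["'`]/g },
  { name: 'API key assignment',     severity: 'medium', re: /\b(?:apiKey|api_key|apiSecret|access_token|auth_token)\b\s*[:=]\s*["'`]([^"'`]{8,})["'`]/g },
  { name: 'Firebase config object', severity: 'low',    re: /\bfirebaseConfig\b/g },
  { name: 'Build-time env var',     severity: 'low',    re: /\b(?:REACT_APP_|NEXT_PUBLIC_)[A-Z0-9_]+\b/g },
];

// Keep enough of the match to triage, never the whole value, so the report
// itself does not become a second copy of the secret.
function redact(value) {
  return value.length <= 8 ? value : value.slice(0, 4) + '...' + value.slice(-2);
}

// 1-based line number of a character offset in the source.
function lineOf(src, index) {
  let n = 1;
  for (let i = 0; i < index; i++) if (src.charCodeAt(i) === 10) n++;
  return n;
}

function scanForSecrets(src) {
  const hits = [];
  for (const p of SECRET_PATTERNS) {
    for (const m of src.matchAll(p.re)) {
      // Use the captured value when the pattern has one, else the whole match.
      const value = m[1] !== undefined ? m[1] : m[0];
      hits.push({ name: p.name, severity: p.severity, line: lineOf(src, m.index), value: redact(value) });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

// Constructed sample bundle. The AKIA value is AWS's documented example key,
// the other values are made up for this demonstration.
const SECRET_SAMPLE = [
  'const cfg = { apiKey: "AIzaSyEXAMPLE-constructed-key-0000", authDomain: "example.firebaseapp.com" };',
  'const firebaseConfig = cfg;',
  'const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
  'fetch("/api/v1/me", { headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.constructed.signature" } });',
  'const flag = process.env.NEXT_PUBLIC_FEATURE_X;',
].join('\n');

for (const h of scanForSecrets(SECRET_SAMPLE)) {
  console.log(`[${h.severity}] line ${h.line}: ${h.name} -> ${h.value}`);
}
```

The severity column is only a triage hint: as the Rules section says, a client-side `apiKey` or a `NEXT_PUBLIC_` variable is often intended to be public, so every medium/low hit still needs a check of what the value actually grants before it is reported.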

### Phase 3: DOM XSS Source-Sink Analysis
Trace data flow from sources to sinks:

**Sources** (attacker-controlled input):
- `location.hash`, `location.search`, `location.href`, `location.pathname`
- `document.referrer`, `document.URL`, `document.documentURI`
- `window.name`, `window.postMessage` data
- `document.cookie` (if attacker can set)
- URL parameters via framework routers

**Sinks** (dangerous output points):
- `innerHTML`, `outerHTML`, `insertAdjacentHTML`
- `document.write`, `document.writeln`
- `eval`, `Function()`, `setTimeout(string)`, `setInterval(string)`
- `$.html()`, `$.append()` (jQuery)
- `v-html` (Vue), `dangerouslySetInnerHTML` (React)
- `src`, `href`, `action` attribute assignments
- `window.open`, `location.assign`, `location.replace`
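The rule in the Rules section is that a sink is only a finding when a source is connected to it. As an added example (not code from the js-analyzer skill), here is a minimal line-based tracer that follows taint from the sources listed above through simple variable assignments to the sinks listed above, recording the intermediate identifiers and the functions applied along the way. The sample script is constructed; the tracer assumes one statement per line and does no AST or control-flow analysis, so it is a triage aid that produces candidates for browser verification, not a verifier.

```javascript
// Added example, not part of the js-analyzer skill: a heuristic source-to-sink
// tracer for DOM XSS triage. Taint is tracked through var/let/const and plain
// re-assignments only; one statement per line is assumed.

const DOM_SOURCES = [
  /\blocation\.(?:hash|search|href|pathname)\b/,
  /\bdocument\.(?:referrer|URL|documentURI|cookie)\b/,
  /\bwindow\.name\b/,
  /\b(?:event|evt|msg)\.data\b/,   // postMessage payload under common handler parameter names
];

const DOM_SINKS = [
  { name: 'innerHTML',          re: /\.(?:innerHTML|outerHTML)\s*=(?!=)/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'document.write',     re: /\bdocument\.writeln?\s*\(/ },
  { name: 'eval',               re: /\beval\s*\(/ },
  { name: 'Function',           re: /\bFunction\s*\(/ },
  { name: 'jQuery html/append', re: /\.(?:html|append)\s*\(/ },
  { name: 'navigation',         re: /\b(?:location\.(?:assign|replace)|window\.open)\s*\(/ },
];

const ASSIGN_RE = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+?);?\s*$/;
const IDENT_RE = /[A-Za-z_$][\w$]*/g;
const CALL_RE = /([A-Za-z_$][\w$.]*)\s*\(/g;

// Blank out string literal contents so identifiers inside quotes are ignored.
function stripStrings(line) {
  return line.replace(/(["'`])(?:\\.|(?!\1)[^\\])*\1/g, '$1$1');
}

function findSource(text) {
  for (const re of DOM_SOURCES) {
    const m = text.match(re);
    if (m) return m[0];
  }
  return null;
}

function traceSourceToSink(src) {
  const taint = new Map(); // identifier -> { source, path, transforms }
  const flows = [];
  src.split('\n').forEach((raw, i) => {
    const line = i + 1;
    const text = stripStrings(raw);
    const assign = text.match(ASSIGN_RE);
    if (assign) {
      const [, name, rhs] = assign;
      const transforms = [...rhs.matchAll(CALL_RE)].map(m => m[1]);
      const direct = findSource(rhs);
      if (direct) {
        taint.set(name, { source: direct, path: [name], transforms });
        return;
      }
      const via = (rhs.match(IDENT_RE) || []).find(id => taint.has(id));
      if (via) {
        const t = taint.get(via);
        taint.set(name, { source: t.source, path: [...t.path, name], transforms: [...t.transforms, ...transforms] });
      } else {
        taint.delete(name); // overwritten with data that is not tainted
      }
      return;
    }
    for (const sink of DOM_SINKS) {
      if (!sink.re.test(text)) continue;
      const direct = findSource(text);
      const via = (text.match(IDENT_RE) || []).find(id => taint.has(id));
      if (direct) {
        flows.push({ line, sink: sink.name, source: direct, path: [], transforms: [] });
      } else if (via) {
        const t = taint.get(via);
        flows.push({ line, sink: sink.name, source: t.source, path: t.path, transforms: t.transforms });
      }
    }
  });
  return flows;
}

// Constructed sample: two real flows, one safe sink use, one non-sink use.
const XSS_SAMPLE = [
  'var q = new URLSearchParams(location.search).get("q");',
  'var title = decodeURIComponent(q);',
  'document.getElementById("out").innerHTML = "<b>" + title + "</b>";',
  'var safe = "static";',
  'document.getElementById("other").innerHTML = safe;',
  'var frag = location.hash.slice(1);',
  'document.getElementById("t").textContent = frag;',
  'eval(frag);',
].join('\n');

for (const f of traceSourceToSink(XSS_SAMPLE)) {
  console.log(`line ${f.line}: ${f.source} -> [${f.path.join(' -> ')}] -> ${f.sink} via ${f.transforms.join(', ') || 'no calls'}`);
}
```

The `transforms` list is what lets a reviewer judge payload context: `decodeURIComponent` on the way to `innerHTML` is a real flow, whereas a call to a known HTML sanitizer in the same position would be the reason to downgrade the candidate to "potential" pending browser verification.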

### Phase 4: postMessage Analysis
For each `addEventListener('message', ...)` handler:
1. Check if `event.origin` is validated
2. Check if validation is strict (exact match vs regex vs startsWith)
3. Identify what actions the handler performs
4. Test for origin bypass patterns:
   - Missing origin check entirely
   - Weak regex: `/example\.com/` matches `evilexample.com`
   - `startsWith` check: `https://example.com.evil.com`
   - `indexOf` check: same bypass as startsWith
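The three bypass patterns above all come from comparing a substring or prefix instead of the whole origin. As an added example (not code from the js-analyzer skill), the harness below takes an origin-check function as found in a handler and runs it against the allowed origin and a constructed set of lookalike origins, so the review of step 2 becomes a table of which checks are bypassable, and it ends with the handler shape that passes. All origins and check names here are constructed for the demonstration.

```javascript
// Added example, not part of the js-analyzer skill: evaluate postMessage
// origin checks against lookalike origins, then show a handler that validates
// origin exactly before touching the message.

const ALLOWED = 'https://example.com';

// Origins a sender could control that defeat weak checks. Constructed.
const LOOKALIKES = [
  'https://evilexample.com',        // unanchored regex / substring
  'https://example.com.evil.com',   // startsWith / indexOf
  'http://example.com',             // scheme downgrade: a different origin
  'https://example.com:8443',       // different port: a different origin
  'https://example.com.',           // trailing dot
];

// Checks as they appear in real handlers, weakest first. Names are ours.
const ORIGIN_CHECKS = {
  none:          (origin) => true,
  regexLoose:    (origin) => /example\.com/.test(origin),
  startsWith:    (origin) => origin.startsWith('https://example.com'),
  indexOf:       (origin) => origin.indexOf('example.com') !== -1,
  regexAnchored: (origin) => /^https:\/\/example\.com$/.test(origin),
  exact:         (origin) => origin === ALLOWED,
  allowlist:     (origin) => new Set([ALLOWED, 'https://app.example.com']).has(origin),
};

function evaluateOriginCheck(check) {
  const acceptedLookalikes = LOOKALIKES.filter((o) => {
    try { return check(o) === true; } catch { return false; }
  });
  return {
    acceptsAllowed: check(ALLOWED) === true,
    acceptedLookalikes,
    verdict: acceptedLookalikes.length === 0 ? 'strict' : 'bypassable',
  };
}

function reviewAll(checks = ORIGIN_CHECKS) {
  const out = {};
  for (const [name, check] of Object.entries(checks)) out[name] = evaluateOriginCheck(check);
  return out;
}

// Defensive handler shape: exact origin check first, then a schema check on
// the payload, and silently drop anything that fails either.
function makeMessageHandler(isTrustedOrigin, onMessage) {
  return (event) => {
    if (!isTrustedOrigin(event.origin)) return;
    if (typeof event.data !== 'object' || event.data === null) return;
    onMessage(event.data, event.origin);
  };
}

for (const [name, r] of Object.entries(reviewAll())) {
  console.log(`${name.padEnd(14)} ${r.verdict.padEnd(11)} accepts: ${r.acceptedLookalikes.join(', ') || 'none'}`);
}
```

The same harness works as a unit test for a handler you own: register the handler with `window.addEventListener('message', makeMessageHandler(ORIGIN_CHECKS.exact, handle))` and feed it synthetic `{ origin, data }` events from the lookalike list; the `allowlist` variant is the shape to use when more than one origin is legitimate.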

### Phase 5: Endpoint & Route Extraction
1. Extract all API endpoint URLs from JS code
2. Map client-side routes and their access controls
3. Identify admin/privileged routes and their guards
4. Check for client-side-only authorization checks
5. Find commented-out or debug endpoints
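Steps 1 to 5 above are one procedure, so here is one added example (not code from the js-analyzer skill) that covers them together: it pulls endpoint literals out of `fetch`, `axios`/`$http` and `XMLHttpRequest.open` calls and out of router `path:` definitions, records the HTTP method where the call reveals it, flags privileged-looking paths and endpoints that only survive in comments, and notes any `requires*: true` style guard next to a route. The sample bundle is constructed; the extractor sees string literals only, so a URL built at runtime (`"/users/" + id`) is reported as its literal prefix.

```javascript
// Added example, not part of the js-analyzer skill: regex-based endpoint and
// route extraction from a beautified bundle.

const ENDPOINT_PATTERNS = [
  // fetch("...")
  { re: /\bfetch\s*\(\s*(["'`])([^"'`]+)\1/g, url: (m) => m[2], method: () => 'FETCH' },
  // axios.post("...") / $http.get("...")
  { re: /\b(?:axios|\$http)\.(get|post|put|patch|delete)\s*\(\s*(["'`])([^"'`]+)\2/g, url: (m) => m[3], method: (m) => m[1].toUpperCase() },
  // xhr.open("POST", "...")
  { re: /\.open\s*\(\s*(["'`])(GET|POST|PUT|PATCH|DELETE)\1\s*,\s*(["'`])([^"'`]+)\3/g, url: (m) => m[4], method: (m) => m[2] },
  // router definitions: { path: "/admin", ... }
  { re: /\bpath\s*:\s*(["'`])([^"'`]+)\1/g, url: (m) => m[2], method: () => 'ROUTE' },
  // bare URL or API-looking path literals not attributed to a call above
  { re: /(["'`])(https?:\/\/[^"'`\s]+|\/(?:api|v\d+|graphql)\b[^"'`\s]*)\1/g, url: (m) => m[2], method: () => 'UNKNOWN' },
];

const PRIVILEGED_RE = /\b(?:admin|internal|debug|staging|dev)\b/i;
const GUARD_RE = /\b(requires\w*|auth\w*|guard\w*)\s*:\s*true\b/i;

function extractEndpoints(src) {
  const seen = new Set();
  const found = [];
  src.split('\n').forEach((raw, i) => {
    const line = i + 1;
    const commented = /^\s*(?:\/\/|\/\*|\*)/.test(raw);
    for (const p of ENDPOINT_PATTERNS) {
      for (const m of raw.matchAll(p.re)) {
        const url = p.url(m);
        const key = `${line}:${url}`;
        if (seen.has(key)) continue;   // the bare-literal pattern re-finds call URLs
        seen.add(key);
        const flags = [];
        if (PRIVILEGED_RE.test(url)) flags.push('privileged-looking');
        if (commented) flags.push('commented-out');
        const entry = { line, url, method: p.method(m), flags };
        if (entry.method === 'ROUTE') {
          // Only look at this route object: from the match up to the next `path` on the line.
          const rest = raw.slice(m.index);
          const next = rest.indexOf('path', 4);
          const g = (next === -1 ? rest : rest.slice(0, next)).match(GUARD_RE);
          entry.guard = g ? g[1] : null;
        }
        found.push(entry);
      }
    }
  });
  return found;
}

// Constructed sample bundle fragment.
const ENDPOINT_SAMPLE = [
  'fetch("/api/v1/users/me").then(r => r.json());',
  'axios.post("/api/v1/admin/users", body);',
  'xhr.open("DELETE", "/api/v1/admin/users/" + id);',
  'const routes = [{ path: "/admin", meta: { requiresAdmin: true } }, { path: "/login" }];',
  '// TODO remove before release: fetch("/api/debug/dump")',
  'const GRAPHQL_URL = "https://api.example.com/graphql";',
].join('\n');

for (const e of extractEndpoints(ENDPOINT_SAMPLE)) {
  const guard = e.method === 'ROUTE' ? ` guard=${e.guard || 'none'}` : '';
  console.log(`line ${e.line}: ${e.method.padEnd(7)} ${e.url}${guard} ${e.flags.join(',')}`);
}
```

A route whose only guard is a `requiresAdmin: true` flag in client code is exactly step 4's case: the flag hides the UI, and whether the `/api/v1/admin/...` endpoints behind it enforce the same check server-side is what the next phase has to establish.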

## Output Format
```
## JS Analysis: {target}
### Files Analyzed ({count})
### Secrets Found
### DOM XSS Candidates (source → sink flows)
### postMessage Handlers ({count})
### API Endpoints Extracted
### Client-Side Access Control Issues
### Third-Party Libraries & Known Vulns
```

## Rules
- Download JS files only from in-scope targets
- Never execute downloaded JavaScript
- Flag potential secrets but note they may be public/intended
- For DOM XSS, trace full flow — don't flag sinks without connected sources
- Note confidence level: confirmed flow vs. potential flow


## Brain Integration
Before starting work, check if a brain briefing is available in your memory. Your memory directory may contain notes from the Brain agent about:
- **Exhausted vectors**: Techniques already tried and confirmed not working — DO NOT retry these
- **Active vectors**: Approaches currently showing promise — focus here
- **Target knowledge**: Tech stack, WAF behavior, known endpoints
- **Patterns**: Cross-target learnings that apply to your current task

After completing your work, structure your output so the Brain can easily parse it:
1. Clearly label findings as CONFIRMED, POTENTIAL, or EXHAUSTED
2. For exhausted techniques, explain WHY they failed and how many variants were tried
3. Note any WAF/filtering behavior observed
4. Flag anything that needs follow-up by a different agent type

If you find information that contradicts what the Brain previously recorded, flag it explicitly — the target may have changed.

## Top-Tier Operator Standard

JavaScript analysis should produce routes, sinks, and proof paths.

- De-minify enough to trace source to sink. Do not stop at keyword matches.
- Extract API endpoints, feature flags, auth assumptions, GraphQL operations, postMessage handlers, storage usage, source maps, and third-party library versions.
- Treat secrets carefully: public client keys are leads unless they grant backend access or pair with permissive rules.
- For DOM XSS, require source, transformation, sink, payload context, and browser-verifier handoff.
- Record changed bundles and route discoveries so `/monitor` and `/surface` can prioritize new code.
