jxscout+
A security-analysis fork of jxscout. Same capture
pipeline (proxy → organize → beautify → chunks → sourcemaps), plus deep client-side vulnerability
detection built in — secret/credential analyzers, framework-aware DOM-XSS sinks & sources, JWT
decoding, route reachability. Built on jxscout (MIT, see COPYING).
Install
One command — the analyzer bundles are committed and //go:embed-ed, so there's no build step:
# private repo: skip Go's public proxy/checksum DB (git must be able to auth to the repo)
GOPRIVATE=github.com/FOUEN/* go install github.com/FOUEN/jxscout-plus/cmd/jxscout-plus@latest
Puts jxscout-plus in $(go env GOPATH)/bin — make sure that's on your $PATH.
Use
jxscout-plus --project-name mytarget
That's the whole workflow. It starts the local server + TUI; everything else runs automatically
— organize, beautify, Webpack/Vite chunk pre-fetch, sourcemap reversal, and all analyzers. Then:
- Point your proxy at it — Caido or Burp plugin — and browse the target with browser cache disabled. Assets land in ~/jxscout/mytarget and are analyzed on the fly.
- Findings are stored in the project DB and shown in the VSCode extension tree.
Optional ranked report / MCP server for AI assistants (these live in the repo — clone it):
bun tools/jxfindings/report.ts mytarget # ranked secrets/JWTs/routes/XSS
claude mcp add --scope user jxscout -- bun "$PWD/tools/jxfindings/mcp.ts"
Differences: jxscout (normal) vs jxscout+
Everything in normal jxscout is unchanged (capture, beautify, chunk pre-fetch, sourcemap reversal,
the robust-paths/secrets/inner-html/eval/postmessage/… analyzers). jxscout+ adds:
6 detection analyzers (pkg/ast-analyzer/tree-analyzers/):
| analyzer | finds (and the gap in normal jxscout it closes) |
| --- | --- |
| secrets-keyed | secret on a secret-named key, AST property-key aware — catches client_secret behind ternaries, BASIC_PASSWORD/API_CLIENT_SECRET (SNAKE_CASE), concatenated/Basic-encoded secrets, punctuated passwords (normal secrets needs a provider keyword adjacent → misses these) |
| angular-sanitizer-bypass | Angular bypassSecurityTrust*() + compiled ɵɵproperty("innerHTML") (normal had no Angular XSS sink) |
| dom-sinks | document.write, insertAdjacentHTML, setAttribute(on*/src/href/srcdoc), outerHTML=, srcdoc= (normal inner-html only caught .innerHTML=) |
| jwt | hardcoded JWTs decoded — alg/iss/scope/exp, flags alg:none/long-lived (normal only regex-matched them) |
| route-guards | route objects → auth-guarded vs no-auth-guard = XSS reachability (normal had none) |
| react-router-source | React Router URL sources (useParams/useSearchParams/router.query) for source→sink (normal had none) |
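
The difference the jwt row describes, between regex-matching a token and decoding it, shown as an added example (this is not jxscout+'s analyzer code). The 24-hour "long-lived" cutoff, the treatment of a missing exp as long-lived, and the names analyzeJwts, encodeSegment and decodeSegment are assumptions; the sample tokens are constructed inline.

```javascript
// Added example, not jxscout+ code. Cutoff and function names are assumptions.
const MAX_LIFETIME_SECONDS = 24 * 60 * 60; // assumed "long-lived" threshold

// Encode/decode one base64url JSON segment (no padding, URL-safe alphabet).
const encodeSegment = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const decodeSegment = (seg) => JSON.parse(
  Buffer.from(seg.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8"));

// header.payload.signature; the signature may be empty, as with alg:none.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;

function analyzeJwts(source) {
  const findings = [];
  for (const token of source.match(JWT_RE) || []) {
    let header, payload;
    try {
      const [h, p] = token.split(".");
      header = decodeSegment(h);
      payload = decodeSegment(p);
    } catch {
      continue; // JWT-shaped string whose segments are not JSON
    }
    const flags = [];
    if (String(header.alg).toLowerCase() === "none") flags.push("alg:none");
    const lifetime = payload.exp - payload.iat; // NaN if either claim is missing
    if (typeof payload.exp !== "number" || lifetime > MAX_LIFETIME_SECONDS) {
      flags.push("long-lived");
    }
    findings.push({ alg: header.alg, iss: payload.iss, scope: payload.scope,
                    exp: payload.exp, flags });
  }
  return findings;
}

// Constructed sample bundle: two tokens built inline, not captured from any site.
const iat = 1700000000;
const unsigned = [encodeSegment({ alg: "none", typ: "JWT" }),
  encodeSegment({ iss: "https://idp.example", scope: "admin", iat, exp: iat + 3600 }), ""].join(".");
const yearLong = [encodeSegment({ alg: "HS256", typ: "JWT" }),
  encodeSegment({ iss: "https://idp.example", scope: "read", iat, exp: iat + 365 * 86400 }),
  "c2lnbmF0dXJl"].join(".");
const SAMPLE_SOURCE = `const cfg={token:"${unsigned}"};\nconst h={Authorization:"Bearer ${yearLong}"};`;

for (const f of analyzeJwts(SAMPLE_SOURCE)) console.log(JSON.stringify(f));
```

A regex-only match would report both strings identically; decoding is what separates the unsigned admin token from the year-long read token.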
Findings layer (tools/jxfindings/, entirely new): report.ts (ranked/deduped/decoded
secrets/JWTs/routes/XSS) + mcp.ts (MCP server for AI assistants). Normal jxscout has no
aggregation/ranking/MCP.
Core tweaks: analyzerVersion bumped (cached results re-run on the new analyzers); /ingest
returns 400 on a wrong-schema payload instead of silently dropping it.
Net effect (validated on bancolombia): normal jxscout surfaced none of 11 real leaked secrets
nor the Angular reflected-XSS; jxscout+ surfaces all of them.
Build from source (only if you change analyzers)
Requires Go and Bun (≥1.2.12).
make install && make build # re-bundle the TS analyzers (+ embed)
go build -o jxscout-plus ./cmd/jxscout-plus
bunx vitest run pkg/ast-analyzer # analyzer tests
License
MIT (COPYING). Derived from jxscout by francisco neves — all upstream credit to that project.