javascript-surface-analyzer

Enumerate and analyze client-side JavaScript for hidden endpoints, secrets, dangerous sinks, and exploitable browser behaviors.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "javascript-surface-analyzer" with this command: npx skills add 1ikeadragon/awesome-offsec-claude/1ikeadragon-awesome-offsec-claude-javascript-surface-analyzer

JavaScript Surface Analyzer

Purpose

Extract attacker-relevant intelligence from front-end code and convert it into testable hypotheses.

Inputs

  • target_url
  • seed_pages (optional)
  • auth_context (optional)

Workflow

Phase 1: Asset Enumeration

  1. Collect static and dynamic script URLs.
  2. Expand via source maps and chunk manifests where available.
  3. Track script origin, load condition, and execution context.

Phase 2: Artifact Extraction

  1. Endpoints, route builders, and API clients.
  2. Header/token construction logic.
  3. Feature flags, debug modes, hidden route toggles.
  4. Secret candidates and key material references.

Phase 3: Sink Analysis

  1. DOM write sinks: innerHTML, outerHTML, template insertion.
  2. Code execution sinks: eval, Function, setTimeout string usage.
  3. URL/navigation sinks: dynamic redirects, iframe/src assignments.
  4. Storage sinks: local/session storage of sensitive artifacts.

Phase 4: Controllability Assessment

  1. Determine whether an attacker can influence the source data feeding each sink.
  2. Trace sanitization or encoding at boundaries.
  3. Estimate exploit preconditions per sink.

Phase 5: Follow-up Planning

  1. Create endpoint verification cases.
  2. Create DOM-XSS and open redirect probes.
  3. Create token misuse and privilege abuse checks.

Minimum Extraction Targets

Category        | Required Extraction
API surface     | method + path hints + caller context
Secrets         | key/token candidates with confidence tag
Sinks           | sink type + source controllability
Hidden features | flag name + activation condition

Output Contract

{
  "script_inventory": [],
  "endpoint_candidates": [],
  "secret_candidates": [],
  "sink_map": [],
  "hidden_features": [],
  "follow_up_tests": []
}

Constraints

  • Treat secret candidates as sensitive.
  • Mark uncertainty for heavily obfuscated code.

Quality Checklist

  • Dynamic script loading is covered.
  • Sink report includes controllability.
  • Follow-up tests are concrete and scoped.

Detailed Operator Notes

Static + Runtime Correlation

  • Correlate bundled route constants with observed network calls.
  • Correlate feature flags with guarded code branches.
  • Correlate secret candidates with call-site usage.

Sink Prioritization Heuristics

  • Prioritize sinks fed by URL, query string, postMessage, or storage.
  • Prioritize sinks reachable pre-auth and in shared pages.
  • Prioritize sinks with partial sanitization or legacy wrappers.

Obfuscation Strategy

  • Start with string table recovery and call-graph sketch.
  • Identify decoder/dispatcher stubs before deep tracing.
  • Mark unresolved obfuscated segments as explicit unknowns.

Reporting Rules

  • Include controllable_source for each sink candidate.
  • Include execution_context (HTML, attribute, JS string, URL).
  • Include follow-up payload family per sink.

Quick Scenarios

Scenario A: Authorization Drift

  • Baseline with owned resource.
  • Replay with foreign resource identifier.
  • Repeat with role shift and fresh session.
  • Confirm read/write/delete differences.

Scenario B: Input Handling Weakness

  • Send syntactically valid control payload.
  • Send semantically malicious variant.
  • Verify parser or execution side effect.
  • Re-test with content-type variation.

Scenario C: Workflow Bypass

  • Execute expected state sequence.
  • Attempt out-of-order transition.
  • Attempt repeated action replay.
  • Confirm server-side state enforcement.

Conditional Decision Matrix

Condition                                    | Action                                          | Evidence Requirement
Endpoint found in code but not traffic       | create targeted trigger path for invocation     | call-site + trigger proof
Secret candidate appears in multiple bundles | map runtime use and scope                       | usage map with confidence
Sink appears sanitized                       | verify context-specific sanitizer match         | sink-context trace
Obfuscated dispatcher controls routes        | recover dispatcher map before sink triage       | dispatcher mapping artifact
Feature flag gates privileged behavior       | test activation constraints and fallback paths  | flag-state behavior diff

Advanced Coverage Extensions

  1. Correlate source-map names with production minified call sites.
  2. Extract hidden API capabilities from autogenerated client stubs.
  3. Detect unsafe postMessage listeners and origin validation gaps.
  4. Detect dynamic import paths controlled by user data.
  5. Detect insecure local storage coupling to auth flows.
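An added example (not the skill's or repository's own code) of how Phase 3, Phase 4 and the postMessage-listener check in item 3 above can be approximated as a static triage pass a defender runs over their own bundle: each sink hit is reported with the execution_context and controllable_source fields the Reporting Rules call for, and 'message' listeners are flagged when their handler never reads event.origin. SINKS, SOURCES, scanSinks, findMessageListeners and SAMPLE are this example's own names, and SAMPLE is a constructed snippet.

```javascript
// Added example (not the skill's code): line-local, regex-based triage that applies
// Phase 3, Phase 4 and the postMessage-listener check to a constructed bundle.
const SINKS = [ // sink pattern + execution_context label, as the Reporting Rules ask
  ['innerHTML', /\.(?:innerHTML|outerHTML)\s*=/, 'HTML'],
  ['eval', /\beval\s*\(|new\s+Function\s*\(/, 'JS'],
  ['navigation', /location(?:\.href)?\s*=|\.src\s*=/, 'URL'],
  ['storage', /(?:localStorage|sessionStorage)\.setItem\s*\(/, 'storage'],
];
// Sources the prioritization heuristics rank first: URL, postMessage, storage.
const SOURCES = [
  ['location', /location\.(?:hash|search|href)|URLSearchParams/],
  ['postMessage', /\b(?:event|e|msg)\.data\b/],
  ['storage', /(?:localStorage|sessionStorage)\.getItem\s*\(/],
];
// Each sink hit gets a controllable_source hint: sources found on the same line.
function scanSinks(src) {
  return src.split('\n').flatMap((text, i) =>
    SINKS.filter(([, re]) => re.test(text)).map(([sink, , execution_context]) => ({
      sink, line: i + 1, execution_context,
      controllable_source: SOURCES.filter(([, s]) => s.test(text)).map(([n]) => n),
    })));
}
// Flag 'message' listeners whose handler body never consults event.origin.
function findMessageListeners(src) {
  const results = [];
  const re = /addEventListener\s*\(\s*['"]message['"]\s*,/g;
  for (let m; (m = re.exec(src)) !== null;) {
    const start = src.indexOf('{', m.index); // handler body opens here
    let depth = 0, end = start;
    for (; end < src.length; end++)          // walk to the matching close brace
      if (src[end] === '{') depth++;
      else if (src[end] === '}' && --depth === 0) break;
    const checks_origin = /\.origin\b/.test(src.slice(start, end + 1));
    results.push({ line: src.slice(0, m.index).split('\n').length, checks_origin });
  }
  return results;
}
// Constructed sample bundle; not taken from any real site.
const SAMPLE = `
document.getElementById('out').innerHTML = new URLSearchParams(location.search).get('q');
window.addEventListener('message', function (event) {
  document.body.innerHTML = event.data;
});
window.addEventListener('message', (e) => {
  if (e.origin !== 'https://app.example') return;
  localStorage.setItem('pref', e.data);
});
eval(localStorage.getItem('cfg'));
`;
```

Sources that reach a sink through a variable on another line, and expression-bodied arrow handlers without braces, are missed by this first pass; treat its output as the candidate list for the Phase 4 trace, not as the trace itself.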

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
