skills/1ikeadragon/awesome-offsec-claude/javascript-surface-analyzer

JavaScript Surface Analyzer

Purpose

Extract attacker-relevant intelligence from front-end code and convert it into testable hypotheses.

Inputs

  • target_url
  • seed_pages (optional)
  • auth_context (optional)

Workflow

Phase 1: Asset Enumeration

  1. Collect static and dynamic script URLs.
  2. Expand via source maps and chunk manifests where available.
  3. Track script origin, load condition, and execution context.

Phase 2: Artifact Extraction

  1. Endpoints, route builders, and API clients.
  2. Header/token construction logic.
  3. Feature flags, debug modes, hidden route toggles.
  4. Secret candidates and key material references.

Phase 3: Sink Analysis

  1. DOM write sinks: innerHTML, outerHTML, template insertion.
  2. Code execution sinks: eval, Function, and setTimeout called with a string argument.
  3. URL/navigation sinks: dynamic redirects, iframe/src assignments.
  4. Storage sinks: local/session storage of sensitive artifacts.

Phase 4: Controllability Assessment

  1. Determine whether an attacker can influence the data reaching each source.
  2. Trace sanitization or encoding applied at trust boundaries.
  3. Estimate the exploit preconditions for each sink.

Phase 5: Follow-up Planning

  1. Create endpoint verification cases.
  2. Create DOM-XSS and open redirect probes.
  3. Create token misuse and privilege abuse checks.

Minimum Extraction Targets

| Category | Required Extraction |
|---|---|
| API surface | method + path hints + caller context |
| Secrets | key/token candidates with confidence tag |
| Sinks | sink type + source controllability |
| Hidden features | flag name + activation condition |

Output Contract

{
  "script_inventory": [],
  "endpoint_candidates": [],
  "secret_candidates": [],
  "sink_map": [],
  "hidden_features": [],
  "follow_up_tests": []
}
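The extraction phases above (endpoints, secret candidates, sinks with controllability, hidden flags) and the Output Contract can be exercised end to end with a small static pass. The block below is an added example, not code from the skill or its repository: it runs under Node with no dependencies over `SAMPLE_BUNDLE`, a constructed snippet whose API key and paths are fake, and its regex heuristics, the `enclosingContext` scope approximation, and the field names inside each contract entry (`path_hint`, `caller_context`, `controllable_source`, `activation_condition`) are assumptions chosen for the demo rather than anything the skill prescribes.

```javascript
// Added example, not code from the skill or its repository: a small static
// pass over one JavaScript bundle that fills in the skill's Output Contract.
// SAMPLE_BUNDLE is constructed for the demo and every value in it is fake.
const SAMPLE_BUNDLE = `
const API = "/api/v1";
function loadUser(id) { return fetch(API + "/users/" + id); }
function showBio() {
  const q = new URLSearchParams(location.search).get("bio");
  document.getElementById("bio").innerHTML = q;
}
window.addEventListener("message", function (e) { eval(e.data); });
const cfg = { apiKey: "AKIAEXAMPLEFAKEKEY000", debugMode: false,
              enableAdminPanel: location.hash === "#admin" };
`;
// Sink patterns, each tagged with the execution context it writes into.
const SINKS = [
  { re: /\.innerHTML\s*=/, type: "dom_write", context: "HTML" },
  { re: /\beval\s*\(/, type: "code_exec", context: "JS string" },
  { re: /new\s+Function\s*\(/, type: "code_exec", context: "JS string" },
  { re: /location\.(href|assign|replace)\s*[=(]/, type: "navigation", context: "URL" },
  { re: /(localStorage|sessionStorage)\.setItem\s*\(/, type: "storage", context: "storage" },
];
// Attacker-reachable sources that make a nearby sink controllable.
const SOURCES = [
  { re: /location\.(search|hash|href)/, name: "url" },
  { re: /addEventListener\s*\(\s*["']message["']/, name: "postMessage" },
  { re: /(localStorage|sessionStorage)\.getItem/, name: "storage" },
  { re: /document\.(cookie|referrer)/, name: "document" },
];
// Rough stand-in for scope: walk back to the nearest line that opens a function.
function enclosingContext(lines, i) {
  let start = i;
  while (start > 0 && !/\bfunction\b|=>/.test(lines[start])) start--;
  return lines.slice(start, i + 1).join("\n");
}
function extractEndpoints(src) {
  const out = [];
  src.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(/["'](\/[A-Za-z0-9_\-.\/{}:]+)["']/g)) {
      const direct = /\b(fetch|axios|XMLHttpRequest)\b/.test(line);
      out.push({ path_hint: m[1], line: i + 1, caller_context: direct ? "direct call" : "route constant" });
    }
  });
  return out;
}
function extractSecrets(src) {
  const out = [];
  src.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(/\b(\w*(?:api[_-]?key|secret|token|password)\w*)\s*[:=]\s*["']([^"']+)["']/gi)) {
      const v = m[2];
      // Crude confidence tag: long strings mixing upper case and digits look like key material.
      const strong = v.length >= 16 && /[A-Z]/.test(v) && /[0-9]/.test(v);
      out.push({ name: m[1], line: i + 1, confidence: strong ? "high" : "low" });
    }
  });
  return out;
}
function mapSinks(src) {
  const lines = src.split("\n");
  const out = [];
  lines.forEach((line, i) => {
    for (const s of SINKS) {
      if (!s.re.test(line)) continue;
      const ctx = enclosingContext(lines, i);
      const sources = SOURCES.filter((x) => x.re.test(ctx)).map((x) => x.name);
      out.push({ sink_type: s.type, execution_context: s.context, line: i + 1,
                 controllable_source: sources.length ? sources : ["unknown"] });
    }
  });
  return out;
}
function extractFlags(src) {
  const out = [];
  src.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(/\b((?:debug|enable|feature|hidden|internal)\w*)\s*[:=]\s*([^,;}\n]+)/g)) {
      out.push({ flag: m[1], line: i + 1, activation_condition: m[2].trim() });
    }
  });
  return out;
}
// Assemble the Output Contract for one script; follow-ups are encoding checks per sink.
function analyze(src, scriptUrl) {
  const sink_map = mapSinks(src);
  return {
    script_inventory: [{ url: scriptUrl, origin: "first-party (assumed)", load_condition: "static" }],
    endpoint_candidates: extractEndpoints(src),
    secret_candidates: extractSecrets(src),
    sink_map,
    hidden_features: extractFlags(src),
    follow_up_tests: sink_map.map((s) => ({
      line: s.line,
      check: `verify ${s.execution_context}-context encoding of ${s.controllable_source.join("/")} input before the write`,
    })),
  };
}
console.log(JSON.stringify(analyze(SAMPLE_BUNDLE, "https://app.example/static/main.js"), null, 2));
```

The `enclosingContext` walk is the weakest part on purpose: it only approximates the data flow that Phase 4 asks for, so a real pass should replace it with an AST-based trace, and anything it labels `unknown` belongs in the report as an explicit unknown rather than a negative.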

Constraints

  • Treat secret candidates as sensitive.
  • Mark uncertainty for heavily obfuscated code.

Quality Checklist

  • Dynamic script loading is covered.
  • Sink report includes controllability.
  • Follow-up tests are concrete and scoped.

Detailed Operator Notes

Static + Runtime Correlation

  • Correlate bundled route constants with observed network calls.
  • Correlate feature flags with guarded code branches.
  • Correlate secret candidates with call-site usage.

Sink Prioritization Heuristics

  • Prioritize sinks fed by URL, query string, postMessage, or storage.
  • Prioritize sinks reachable pre-auth and in shared pages.
  • Prioritize sinks with partial sanitization or legacy wrappers.

Obfuscation Strategy

  • Start with string table recovery and call-graph sketch.
  • Identify decoder/dispatcher stubs before deep tracing.
  • Mark unresolved obfuscated segments as explicit unknowns.

Reporting Rules

  • Include controllable_source for each sink candidate.
  • Include execution_context (HTML, attribute, JS string, URL).
  • Include follow-up payload family per sink.

Quick Scenarios

Scenario A: Authorization Drift

  • Baseline with owned resource.
  • Replay with foreign resource identifier.
  • Repeat with role shift and fresh session.
  • Confirm read/write/delete differences.
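Scenario A as a repeatable check, added here as an example that is not part of the skill or its repository. Because the procedure needs a target, the block stands in an in-memory resource API with two variants, one that trusts the resource id alone and one that enforces ownership server-side, and runs the baseline/replay/role-shift sequence against both. `DOCS`, `SESSIONS`, the `makeApi` and `authzDrift` helpers, and the status codes they return are all constructed for the demo.

```javascript
// Added example, not part of the skill or its repository: Scenario A run
// against an in-memory stand-in for a resource API, so the baseline/replay
// procedure can be shown without a live target. Data and sessions are constructed.
const DOCS = {
  101: { owner: "alice", body: "alice's note" },
  202: { owner: "bob", body: "bob's note" },
};
const SESSIONS = {
  "sess-alice": { user: "alice", role: "user" },
  "sess-bob": { user: "bob", role: "user" },
  "sess-admin": { user: "carol", role: "admin" },
};

// Two server variants: one trusts the id in the URL alone, one checks ownership.
function makeApi({ enforceOwnership }) {
  return function handle(method, id, session) {
    const who = SESSIONS[session];
    if (!who) return { status: 401 };
    const doc = DOCS[id];
    if (!doc) return { status: 404 };
    if (enforceOwnership && doc.owner !== who.user && who.role !== "admin") return { status: 403 };
    if (method === "GET") return { status: 200, body: doc.body };
    if (method === "DELETE") return { status: 204 }; // not mutating, so runs stay repeatable
    return { status: 405 };
  };
}

// Scenario A: baseline on an owned resource, replay the same call against a
// foreign id, then repeat the foreign call from a role-shifted session.
// "drift" flags a foreign replay that behaves exactly like the owner's baseline.
function authzDrift(api, { ownSession, ownId, foreignId, shiftedSession }) {
  return ["GET", "DELETE"].map((method) => {
    const baseline = api(method, ownId, ownSession).status;
    const foreign = api(method, foreignId, ownSession).status;
    const shifted = api(method, foreignId, shiftedSession).status;
    return { method, baseline, foreign, shifted, drift: foreign === baseline };
  });
}

const CASE = { ownSession: "sess-alice", ownId: 101, foreignId: 202, shiftedSession: "sess-admin" };
console.log("no ownership check:", authzDrift(makeApi({ enforceOwnership: false }), CASE));
console.log("ownership enforced:", authzDrift(makeApi({ enforceOwnership: true }), CASE));
```

The report keeps the per-method split the scenario asks for: a foreign read that drifts and a foreign delete that does not are two different findings, and the role-shifted column separates an intended admin path from a missing check.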

Scenario B: Input Handling Weakness

  • Send syntactically valid control payload.
  • Send semantically malicious variant.
  • Verify parser or execution side effect.
  • Re-test with content-type variation.

Scenario C: Workflow Bypass

  • Execute expected state sequence.
  • Attempt out-of-order transition.
  • Attempt repeated action replay.
  • Confirm server-side state enforcement.

Conditional Decision Matrix

| Condition | Action | Evidence Requirement |
|---|---|---|
| Endpoint found in code but not traffic | create targeted trigger path for invocation | call-site + trigger proof |
| Secret candidate appears in multiple bundles | map runtime use and scope | usage map with confidence |
| Sink appears sanitized | verify context-specific sanitizer match | sink-context trace |
| Obfuscated dispatcher controls routes | recover dispatcher map before sink triage | dispatcher mapping artifact |
| Feature flag gates privileged behavior | test activation constraints and fallback paths | flag-state behavior diff |

Advanced Coverage Extensions

  1. Correlate source-map names with production minified call sites.
  2. Extract hidden API capabilities from autogenerated client stubs.
  3. Detect unsafe postMessage listeners and origin validation gaps.
  4. Detect dynamic import paths controlled by user data.
  5. Detect insecure local storage coupling to auth flows.
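Item 3 above (unsafe `postMessage` listeners and origin validation gaps) is the one sink class in this list where the weak and the hardened form fit side by side in a few lines. The block below is an added example, not code from the skill or its repository: it models the page with a `render` recorder instead of a real DOM so it runs under Node, and the origin names, the `setBio` message schema, the 500-character bound and the `deliver`/`makeRecorder` helpers are assumptions made for the demo.

```javascript
// Added example, not code from the skill or its repository: a weak
// window "message" listener next to a hardened one, written so they run
// outside a browser. The page is modelled by a `render` callback that
// records what would be written and into which context; events are constructed.
function makeWeakHandler(render) {
  return function onMessage(event) {
    // No origin check, and the raw payload lands in an HTML-context sink.
    render({ context: "HTML", value: String(event.data) });
    return true;
  };
}

function makeHardenedHandler(render, trustedOrigins) {
  const allowed = new Set(trustedOrigins); // exact origins, never a substring or prefix test
  return function onMessage(event) {
    if (!allowed.has(event.origin)) return false;
    const msg = event.data;
    // Structured schema: a known type and a bounded string, nothing else is accepted.
    if (!msg || typeof msg !== "object" || msg.type !== "setBio") return false;
    if (typeof msg.text !== "string" || msg.text.length > 500) return false;
    render({ context: "text", value: msg.text }); // textContent-style write, cannot become markup
    return true;
  };
}

// Stand-in for the DOM: a recorder of attempted writes.
function makeRecorder() {
  const writes = [];
  return { writes, render: (w) => writes.push(w) };
}

// Deliver a constructed MessageEvent-like object to a handler.
function deliver(handler, origin, data) {
  return handler({ origin, data, source: null });
}

// Self-check: the same four deliveries against both handlers.
function demo() {
  const weak = makeRecorder();
  deliver(makeWeakHandler(weak.render), "https://untrusted.example", "<b>from anywhere</b>");
  const hard = makeRecorder();
  const h = makeHardenedHandler(hard.render, ["https://partner.example"]);
  const results = [
    deliver(h, "https://untrusted.example", { type: "setBio", text: "x" }),           // wrong origin
    deliver(h, "https://partner.example.lookalike.example", { type: "setBio", text: "x" }), // prefix lookalike
    deliver(h, "https://partner.example", "<b>raw</b>"),                              // wrong shape
    deliver(h, "https://partner.example", { type: "setBio", text: "hello" }),          // accepted
  ];
  return { weakWrites: weak.writes, hardWrites: hard.writes, results };
}
console.log(demo());
```

When reviewing a real listener, the three questions the hardened form answers are the ones to record in the sink map: is the origin compared for equality against a fixed allowlist, is the message shape validated before use, and does the accepted value reach a text or an HTML context.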