30 Jan 2025 3 min read

A Burpsuite Extension For JS Reconnaissance - Jsmon

The Jsmon Burpsuite extension is designed for security researchers to enhance their web security testing by integrating Jsmon's javascript scanning and monitoring capabilities directly into Burpsuite. This integration streamlines the process of identifying and analyzing client-side exposures, secrets and vulnerabilities during your manual web security flow.

Key Features:

Automatic Javascript Analysis: The extension automatically monitors Javascript files coming in your HTTP history, providing real-time analysis and alerts for potential security issues in the Jsmon dashboard.
Seamless Integration: Seamless integration within Burpsuite via API key, the extension enhances your existing workflow without adding complexity.
Scope Filter: Inscope domains filter, to avoid useless traffic to Jsmon API. Saves API calls and keeps data consistent in Jsmon's workspace.
Manual Analysis: The extension allows to toggle between automatic JS analysis or manual. With manual, you can select the JS URLs and send to Jsmon by right-clicking and hovering to Extensions.

Installation Steps:

Prerequisites: Ensure you have Burp Suite installed.
Install the extension:

Download the Jsmon Burpsuite extension jsmon-extension.jar file from the GitHub repository or from Releases.

In Burpsuite, go to Extender > Extensions - Select Java as type > Add.
Choose the downloaded .jar file to add the extension.
Click on Next and extension is loaded.

Usage:

Add the correct workspace ID (wkspId) and the API key from your account into Jsmon extension.

Turn on Automate scan to automatically send any kind of Javascript traffic coming in Burpsuite to Jsmon directly. Best, but consumes so many uploadUrl API calls from Jsmon if scope is not set properly.

Automate scan in Jsmon burpsuite extension

Send to Jsmon by right clicking the request, Extensions -> Send to Jsmon.

Send to Jsmon by copy-pasting URLs into manual text box (line by line).

JS Reconnaissance

In the below image, you can see the JS URLs sent from the Burpsuite extension to Jsmon.

JS URLs Visible in Jsmon Sent from Burpsuite extension

Go to JS Intelligence and Keys & Secrets to see how the reconnaissance performed over the JS files.

In monitoring, select the scanned JS URL's domains, the time at which you want the report, and the notification channel. Jsmon will track the JS files for any kind of changes at the selected time.

Conclusion

Integrating the Jsmon Burp Suite Extension into your security testing toolkit enhances your ability to detect and address Javascript-related vulnerabilities efficiently. You can achieve a more thorough analysis of Javascript while doing your manual security research.

For more detailed information and to access the extension, visit the GitHub repository.

Thanks,

Inderjeet Singh,

Founder, jsmon.sh