Guide to Jsmon Burpsuite Extension: Fetch Leaked Secrets, PII Data, API Paths, and More
Security researchers and bug hunters, the game just changed. We are thrilled to announce the latest version of the Jsmon Burpsuite Extension.
In previous versions, the extension acted primarily as a bridge: you could configure settings and send URLs to Jsmon, but you had to switch back to the Jsmon dashboard to actually see what you found. With this new update, we've brought the full power of Jsmon's intelligence directly into your Burp Suite interface.
Here is everything you need to know to install, configure, and start hunting with the Jsmon extension.
Why Use the Jsmon Extension?
Jsmon is designed to automate the tedious process of analyzing publicly available files for security vulnerabilities. By integrating it with Burp Suite, you can:
- Identify Leaked Secrets: Find API keys, hardcoded credentials, and tokens instantly.
- Extract API Endpoints: Map out the hidden attack surface of an application.
- Find PII & Sensitive Data: Detect leaked emails, IP addresses, and S3 buckets.
- Automate Your Workflow: Scan HTTP responses in the background while you browse.
🛠 Installation Guide
Getting started is quick and easy. Follow these steps to get the extension up and running:
- Download the Extension: Head over to the Jsmon Burp Suite Extension GitHub and navigate to the Releases tab. Download the latest .jar file.
- Add to Burp Suite:
  - Open Burp Suite and go to the Extensions tab.
  - Click Add.
  - Select Java as the extension type.
  - Select the downloaded .jar file from your system and click Next.
- Verify: Once loaded, you will see a brand new Jsmon tab in your Burp Suite top navigation bar.
⚙️ Configuration & Setup
To start scanning, you need to link the extension to your Jsmon account.
- Get Your API Key: Inside the Jsmon tab, click on Get API Key. This will redirect you to your Jsmon dashboard. If you don't have an account, you can sign up here.
- Fetch Workspaces: Paste your API key into the extension and click Fetch Workspaces.
- Select or Create a Workspace: You can select an existing workspace or create a new one (e.g., "Bug Bounty Project") directly from the extension interface.
- Domain Scoping (Optional): You can define a scope (e.g., example.com) to ensure the extension only targets specific domains and ignores noise from other tabs.
🚀 Hunting for Vulnerabilities
Once configured, there are two ways to use the extension:
1. Automatic Scanning
Toggle the Enable Automatic Scanning button. As you browse the target application in your browser (configured with Burp), the extension will automatically pick up URLs from your HTTP history and send them to Jsmon for analysis.
2. Manual Scanning
If you find a specific HTTP request you want to investigate, you can right-click it in your Burp Suite HTTP history and select Send to Jsmon.
📊 Analyzing Results in Burp
The standout feature of this update is the Results View. You no longer need to leave Burp Suite to see your findings.
- JS Intelligence Tab: View a comprehensive list of extracted API endpoints, cloud storage buckets (S3), and internal URLs.
- Keys & Secrets Tab: Instantly see if URLs have leaked any sensitive credentials or PII.
- Data Export: Use the Copy All Secrets or Copy All API Paths buttons to quickly move data into your favorite text editor or Burp's Intruder for further fuzzing.
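To make concrete the kind of extraction the Results View surfaces (API paths, S3 bucket names, emails, credential-shaped strings) together with the domain scoping from the configuration section, here is an added Python illustration. It is not Jsmon's code or the extension's; the regex patterns, the constructed JavaScript bundle and the simulated HTTP history are assumptions for illustration only. The same approach is useful for checking your own JavaScript bundles for leaked material before they ship.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a JavaScript bundle (not taken from any real site).
SAMPLE_JS = r"""
const API_BASE = "https://api.example.com/v2";
fetch(API_BASE + "/users/me");
axios.get("/api/v2/orders?status=open");
const bucket = "https://assets-prod.s3.amazonaws.com/app.js";
const support = "security@example.com";
const AWS_KEY = "AKIAEXAMPLEKEY1234XX";        // constructed, shaped like an AWS access key id
const config = { apiKey: "constructed-api-key-0123456789" };
"""

# Detectors, all assumptions for illustration. Real tooling maintains far more.
RE_API_PATH = re.compile(r'["\'](/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]*)+(?:\?[^"\'\s]*)?)["\']')
RE_URL = re.compile(r'https?://[^\s"\'<>)]+')
RE_S3_BUCKET = re.compile(r'\b([a-z0-9][a-z0-9.-]{1,61})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b')
RE_EMAIL = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
RE_AWS_KEY_ID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
# name = "value" / name: "value" where the name suggests a credential
RE_ASSIGNED_SECRET = re.compile(
    r'(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["\']([^"\'\s]{8,})["\']'
)


def extract_findings(js_text: str) -> dict:
    """Run every detector over one JavaScript body and return sorted, de-duplicated hits."""
    return {
        "api_paths": sorted(set(RE_API_PATH.findall(js_text))),
        "urls": sorted(set(RE_URL.findall(js_text))),
        "s3_buckets": sorted(set(RE_S3_BUCKET.findall(js_text))),
        "emails": sorted(set(RE_EMAIL.findall(js_text))),
        "aws_access_key_ids": sorted(set(RE_AWS_KEY_ID.findall(js_text))),
        # keep the variable name so a reviewer can locate the assignment in the bundle
        "assigned_secrets": [(name, value) for name, value in RE_ASSIGNED_SECRET.findall(js_text)],
    }


def in_scope(url: str, scope_domains) -> bool:
    """True when the URL's host is one of the scope domains or a subdomain of one.

    Suffix matching is done on a dot boundary, so 'notexample.com' is NOT in scope
    for 'example.com'.
    """
    host = (urlsplit(url).hostname or "").lower()
    for entry in scope_domains:
        domain = entry.lower().lstrip("*.")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def scan_in_scope(history: dict, scope_domains) -> dict:
    """Simulate the automatic mode: walk an HTTP history (url -> body) and analyse only in-scope hosts."""
    return {
        url: extract_findings(body)
        for url, body in history.items()
        if in_scope(url, scope_domains)
    }


# Constructed stand-in for Burp's HTTP history: one in-scope and one out-of-scope response.
SAMPLE_HISTORY = {
    "https://app.example.com/static/main.js": SAMPLE_JS,
    "https://cdn.notexample.com/vendor.js": 'const k = "AKIA' + "Z" * 16 + '";',
}

if __name__ == "__main__":
    for url, findings in scan_in_scope(SAMPLE_HISTORY, ["example.com"]).items():
        print(url)
        for category, hits in findings.items():
            if hits:
                print(f"  {category}: {hits}")
```

Running the file prints the findings for the in-scope bundle only; the out-of-scope vendor script, which also contains a key-shaped string, is skipped entirely, which is the point of setting a scope before enabling automatic scanning.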
Conclusion
The Jsmon Burpsuite Extension is a force multiplier for any security professional. By automating the extraction of hidden data from HTTP responses, it allows you to focus on the high-value vulnerabilities that others might miss.
Ready to start hunting?
👉 Download the Extension on GitHub
Happy Hacking! 🛡️🔍