
How to monitor JS URLs with Jsmon.sh?

In today's competitive bug bounty landscape, it's very important for a bug bounty hunter to monitor what developers are changing or adding in applications. The moment developers change feature X or add feature Y, the JavaScript on the client side is modified too. Today, many top bug bounty hunters monitor JS files to learn of these changes before they are announced via changelogs, developer release notes, etc.

In this blog, I'll demonstrate how bug bounty hunters or security researchers can monitor JS files with jsmon.sh. For the demonstration, we are monitoring our own JS URL.

JS URL: https://jsmon-js-files.s3.ap-south-1.amazonaws.com/main.js

We've made it very simple to monitor JS URLs. You need to follow these 3 simple steps to start monitoring at https://jsmon.sh.

Initial data: You need to add JS URLs first. There are three ways to input the JS URLs: File scan (input a file containing JS URLs), JS URL scan, and domain scan.

Changing the JS file before turning on monitoring - added CHATS_API.

Enable monitoring: Go to monitoring, select the domain that you want to monitor, the notification channel (Email, Slack or Discord) and the time, then select Start.

Finding changes: You'll receive your report on the selected notification channel.

In your report, you'll see two sections: new JS URLs and changed JS URLs. New JS URLs are completely new and were never found in your account before.

Download the responses for the changed JS URLs from the JS URLs section by clicking the View button.

Comparing changes: Use an online diff tool, Burp Suite's Comparer or the Linux diff utility to compare the two downloaded files.

diff -c <file1> <file2>
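
An added example (not from the original post and not Jsmon's own code): production JS is often minified onto a single line, so a plain `diff -c` can report the whole file as changed. This Python script splits the two snapshots into statements before comparing them and lists string literals that appear only in the new snapshot. The sample file contents are constructed; only the CHATS_API name comes from the post.

```python
import difflib
import re

# Constructed sample snapshots of a minified main.js, before and after a
# change that adds CHATS_API (name from the post; values are made up).
OLD_JS = 'const USERS_API="/api/v1/users";function load(){return fetch(USERS_API)}'
NEW_JS = ('const USERS_API="/api/v1/users";const CHATS_API="/api/v1/chats";'
          'function load(){return fetch(USERS_API)}')

# Single- or double-quoted string literal, allowing backslash escapes.
STRING_RE = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")


def split_statements(js: str) -> list[str]:
    """Break minified JS into one statement per line so a diff is readable.

    Naive split after ';', '{' and '}'. This is not a JS parser: a delimiter
    inside a string literal or regex also causes a split.
    """
    return [p.strip() for p in re.split(r"(?<=[;{}])", js) if p.strip()]


def added_lines(old_js: str, new_js: str) -> list[str]:
    """Return statements present in the new snapshot but not in the old one."""
    old, new = split_statements(old_js), split_statements(new_js)
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    return [line
            for tag, _, _, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace")
            for line in new[j1:j2]]


def new_string_literals(old_js: str, new_js: str) -> list[str]:
    """Return quoted strings (paths, URLs, keys) that only the new file has."""
    old = {m.group(2) for m in STRING_RE.finditer(old_js)}
    new = [m.group(2) for m in STRING_RE.finditer(new_js)]
    # dict.fromkeys removes duplicates while keeping first-seen order.
    return list(dict.fromkeys(s for s in new if s not in old))


if __name__ == "__main__":
    for line in added_lines(OLD_JS, NEW_JS):
        print("+", line)
    print("new literals:", new_string_literals(OLD_JS, NEW_JS))
```

To use it on the two downloaded responses, read each file into a string and pass them in place of `OLD_JS` and `NEW_JS`.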

Pros of monitoring via jsmon.sh

  • No need to maintain your own server.
  • Jsmon's design helps to bypass IP rate limitation from HTTP requests.
  • The whole codebase is in-house, so there is no need to worry about third-party issues.
  • Comes with other features like JS Intelligence, Secrets detection, etc.

If you've read till the end here, thank you so much for reading this blog!!

Thank you,
Inderjeet Singh