sourcemaps helps developers in debugging, sometimes it gets exposed at the last line of the client side javascript/typescript code, usually the sourcemap file ends in js_filename.js.map and to retrieve the unminified javascript/typescript code, with all the comments that were written by the developers, you need to download the sourcemap file and reverse it using external tools or packages.
i created a tool called, sourcemap-hunter that literally automates the most wanted 4 core functionalities
look for sourcemaps automatically using various ways (it doesn’t give up when the last line indicating path to sourcemap file is missing) and verifies findings
it reverses sourcemaps and shows you the full original javascript/typescript code
it allows you to download both the current javascript/typescript file you are viewing or download a zip file having the entire original source code
it allows you to filter domains so it leaves you with all the sourcemaps that were found for your target and ignores any 3rd party files which might be out of scope
it allows you to search using plain text or with regex to match for sources and sinks to identify DOM XSS (coming very very soon in the next update - v1.2)
all within the browser, I was not able to locate any other publicly available browser extension that effectively integrates these functionalities, and i don’t need to mention the difference between minified javascript/typescript code and original code, it’s day and night difference.
you can try it here: https://github.com/YousefM0hamed/sourcemap-hunter
the neat part is that this extension is only built with HTML, CSS, Javascript
nothing more than that.
Top comments (0)