@shriyanss/js-recon 1.0.0 → 1.1.0-beta.1

package/docs/example-scenario.md

@@ -0,0 +1,258 @@
+# Example Scenario of using JS-Recon
+
+This document highlights using the modules of JS-Recon individually. All of this can be automated, which can be found at the end of the file in the [Run Module](#run-module).
+
+This example assumes that the app is a Next.JS targets. The tool is currently optimized for Next.JS.
+
+The `lazyload` module will work on Next.JS, Nuxt.JS, and Svelte apps. All other modules are only expected to work on Next.JS apps.
+
+## Table of Contents
+
+- [Target](#target)
+- [Initial Recon](#initial-recon)
+- [Downloading JS files](#downloading-js-files)
+- [Finding strings](#finding-strings)
+- [Subseqent Requests](#subseqent-requests)
+- [Getting more with strings analysis](#getting-more-with-strings-analysis)
+- [Getting client-side endpoints](#getting-client-side-endpoints)
+- [Mapping all the functions](#mapping-all-the-functions)
+- [Launching interactive console](#launching-interactive-console)
+- [Run Module](#run-module)
+
+## Target
+
+The client provides the pentester a wildcard target `*.example.com`
+
+## Initial Recon
+
+The pentester starts by gathering subdomains for the target, and then uses HTTP probe to filter out all the available HTTP servers.
+
+They decide to analyze JavaScript of all the websites to gain access to additional attack surface.
+
+## Downloading JS files
+
+To download JS files, the pentester can use the [`lazyload` module](./lazyload.md) of the tool. To run this, they can use the following command:
+
+```bash
+js-recon lazyload -u https://app.example.com
+```
+
+The tool will then analyze the responses from the server, and then download all the JS files it could find. The JS files will be written in the `./output/app.example.com` directory. If the app contains external scripts, then those will be written in the `./output/<domain>` directory.
+
+The pentester could get the URL from the top of each file, as the tool writes all the JS files with their source commented on the top
+
+_At the time of writing this, the tool is capable of downloading JS files for **Next.JS, Nuxt.JS, and Svelte**. For all other apps, it will download the JS files that are loaded on the webpage_
+
+## Finding strings
+
+Once the pentester has downloaded all the JS files, the first thing that they would like to do is to analyze all the strings that are found in the app. To do so, they can run the [`strings` module](./strings.md).
+
+```bash
+js-recon strings -d output/app.example.com -e
+```
+
+Breakdown of the command:
+
+- `strings`: Run the module to analyze strings
+- `-d`: Shorthand flag for `--directory`. Defines the directory containing the JS files. If any changes to default values hasn't been done in previous command, it should be `./output/<domain>`
+- `-e`: Shorthand flag for `--extract-urls`. Iterates through all the strings found, and prints any potential URLs or paths by matching against the regex
+    - The output for this flag is `extracted_urls.json`
+    - In case that the pentester wants to output it as an OpenAPI collection to load in an API client, they can use the `--openapi` flag. It will be written in `extracted_urls-openapi.json`
+
+The `extracted_urls.json` has the following structure:
+
+```json
+{
+    "urls": [
+        "https://api.example.com",
+        "https://rum.example.com",
+        "https://www.example.com",
+        "https://app.example.com",
+        "https://internal.app.com"
+    ],
+    "paths": [
+        "/v1/admin",
+        "/v1/dashboard",
+        "/v1/members",
+        "/v1/report",
+        "/v1/settings",
+        "/v1/edit"
+    ]
+}
+```
+
+## Subseqent Requests
+
+JS-Recon has found that the app is using Next.JS. This framework has a feature that upon sending requests to a valid client-side endpoints along with the `RSC: 1` header, the application returns a response with content type `text/x-component`, which contains more client-side paths and JS files. To get this, the tool requires the `extracted_urls.json` from the strings module, which has been generated in the previous step.
+
+To use this method, the pentester can pass the `--subsequent-requests` flag to the lazyload command:
+
+```bash
+js-recon lazyload -u https://app.example.com --subsequent-requests
+```
+
+By passing this flag, the tool will read the `extracted_urls.json` file, and make HTTP requests accordingly, and then save the files found in the `output/app.example.com` directory.
+
+## Getting more with strings analysis
+
+Now that the tester has got more JS files, they can run string analysis again. This time, they should pass a few more arguments to the tool:
+
+```bash
+js-recon strings -d output/app.example.com -e -p --openapi -s
+```
+
+Breakdown of additional flags:
+
+- `-p`: Shorthand flag for `--permutate`. This will permutate the `urls` and `paths` in the `extracted_urls.json` file. The output will be a plaintext (`.txt`) file called `extracted_urls.txt`
+- `--openapi`: This flag will genetate an output file called `extracted_urls-openapi.json`. This file is based on the `paths` in the `extracted_urls.json`, and can be directly loaded into an API client like [Postman](https://www.postman.com) or [Bruno](https://usebruno.com)
+- `-s`: Shorthand flag for `--scan-secrets`. This will iterate over all the strings found, and match it against regex for popular secrets
+
+## Getting client-side endpoints
+
+Now that the pentester has got all the JS files and a rough ideation of what the app can do (through string analysis), they can now get the exact client-side endpoints. Apart from unique implementations, there are some common ways a web-app stores client-side endpoints. The tool utilizes the common methods to find the client-side endpoints in the web app.
+
+To do so, they can use the `endpoints` module of the tool
+
+```bash
+js-recon endpoints -d output/app.example.com -u https://app.example.com -t next --subsequent-requests-dir output/app.example.com/___subsequent_requests
+```
+
+Breakdown of the command:
+
+- `endpoints`: This module extracts client-side endpoints from the app
+- `-d`: Shorthand flag for `--directory`. Defines the directory in which the JS files are stored for the given target
+- `-u`: Shorthand flag for `--urls`. The URL of the target (the paths found are prepended to it)
+- `-t`: Shorthand flag for `--tech`. Defines the framework (aka tech) that the target is using. It is required to find the suitable methods
+    - Run with `-l`/`--list` to see list of supported tech: `js-recon endpoints -l`
+- `--subsequent-requests-dir`: Flag specific to Next.js (`-t next`) targets. Defines the directory containing response texts for requests with `RSC: 1` header. By default, it is `output/<domain>/___subsequent_requests` (triple underscore `_` before `subsequent_requests`)
+
+This command will write a file called `endpoints.json`. Following is an example of this file:
+
+```json
+{
+    "https://app.example.com": {
+        "/": {},
+        "/dash": {
+            "/dash/clients",
+            "/dash/automations",
+            "/dash/usage"
+        },
+        "/settings": {
+            "/settings/clients": {
+                "/settings/clients/edit",
+                "/settings/clients/add"
+            },
+            "/settings/automations",
+            "/settings/usage"
+        }
+    },
+    "https://internal.example.com": {
+        "/prod": {
+            "/prod/env"
+        }
+    }
+}
+```
+
+## Mapping all the functions
+
+At this point, the pentester has got an idea of what the app looks like. They have also used the app to see the functionality in action. Now, they suspect that the app contains a secret endpoint. They have seen `https://internal.app.com` in the strings output, but are unsure how it works. They decide to manually analyze the JS files. This is where the `map` modules could help them.
+
+They would like to first get all the instances of `fetch()` to know which functions can make the API calls. Apart from this, they would also like to get the AI-generated descriptions for the functions, as it would significantly speed up the process of analyzing the flow of all the functions. To do so, they can run the `map` module of the tool.
+
+```bash
+js-recon map -d output/app.example.com -t next --ai description
+```
+
+Breakdown of the command:
+
+- `map`: Runs the `map` module
+- `-d`: Shorthand flag for `--directory`. Defines the directory of the JS files
+- `-t`: Shorthand flag for `--tech`. Defines the technology (aka framework) used by the app
+    - Run with `-l`-/`--list` flag to see a supported frameworks
+    - `js-recon map -l`
+- `--ai`: Enable AI parsing. `description` is used as its value, which means that the tool will write descriptions for the functions
+
+The pentester can also adjust some AI settings:
+
+- `--ai-provider`: AI provider to use
+    - `openai` and `ollama` are supported as of writing this
+- `--model`: AI model to use
+- `--openai-api-key`: API key to use for OpenAI
+    - The value for environment variable `$OPENAI_API_KEY` will be used if not provided
+- `--ai-threads <threads>`: Number of threads to simultaneously run to generate descriptions
+    - Refer to [Organization Limits](https://platform.openai.com/settings/organization/limits) in [OpenAI API Platform](https://platform.openai.com) for limits for your OpenAI Account
+    - For Ollama, adjust the value as per capacity of machine running Ollama
+- `--ai-endpoint`: Endpoint to use with AI models
+    - Defaults to `https://api.openai.com/v1` for OpenAI
+        - Some providers like xAI supported supported using OpenAI SDK to use their models. Refer to their docs to know latest updates
+    - Defaults to `http://127.0.0.1:11434` for Ollama
+
+## Launching interactive console
+
+Now that the pentester has got the mappings of all the functions, they can now use interactive console. To launch it, they can add `-i`/`--interative` flag to the previous command
+
+```bash
+js-recon map -d output/app.example.com -t next --ai description -i
+```
+
+_This feature might look complex, so it is recommended to get an overview through the [Interactive Mode Docs](./interactive-mode.md) before reading further_
+
+The pentester would first like to get the instances of `fetch()`, so that they can know the sites where an API call could be made. So, they will run the following command in interactive mode:
+
+```
+list fetch
+```
+
+This will list all the functions that have a fetch function. If the pentester had enabled the AI descriptions, then they could also see a brief of what the function does. Now, they can go to any function that seems suspicious
+
+```
+go to 1234
+```
+
+By running this command, the tool would clear the output of the interactive mode, and print the code of the function. The tool provides vim like interface and shortcuts. The user can scroll on the function to go either up or down. Also, they can press `Esc`, and then use the arrow keys to navigate. To focus again on the input box, they can press the `i` key. To quit the app, they can press `Esc` and then `q` or `Ctrl-c`
+
+Since the pentester prefers to see the function code in the IDE of their choice, they can write this to a separate file. To do so, they can run the following command in the interactive mode:
+
+```
+set funcwritefile <filename>
+```
+
+Now, every time when the `go to <id>` command will be ran, the tool will write the code to the specified file.
+Once they open it in the IDE of their choice, they can go to the instances of fetch by finding it through `C-f` in the IDE. Once they find an instance, they could manually reverse engineer the full request.
+
+To assist in doing the same, they used the following commands:
+
+- `list all`: Lists all the functions, their descriptions, and the file they are found in
+- `trace <functionName>`: This lists all the other function that the given function imports, as well as the functions to which this is being exported
+    - For example, a function required to modify the UI, so it will import those function, and hence they will be listed as imports
+    - This function is called at multiple places, which are listed as exports
+- `go back`: This will take the pentester to the previous function they viewed
+- `go ahead`: This will take the pentester to the next function they viewed (should work if they used `go back`)
+
+## Run Module
+
+If this process seems tidious (which it is), the pentester can use the `run` module of the tool. It will:
+
+- [Download all the JS files](#downloading-js-files)
+- [Find all the strings](#finding-strings)
+- [Check for subsequent requests if required](#subseqent-requests)
+- [Run string analysis again](#getting-more-with-strings-analysis)
+- [Get all client-side endpoints](#getting-client-side-endpoints)
+- [Map all the functions](#mapping-all-the-functions)
+
+Here's what it will **NOT** do:
+
+- Understand the output files to build a good attack vector
+    - The pentester can fuzz the `paths` from the `strings` module on multiple hosts
+    - They can see the UI on the client-side paths found by `endpoints` module
+    - They can come up with new methods to get the most from the output of different modules
+- Completely resolve all the requests (it would go as deep as possible, but couldn't fully resolve some requests as of writing this)
+
+The docs for the `run` module can be found [here](./run.md)
+
+The pentester could now automate the mentioned steps by running the following command:
+
+```bash
+js-recon run -u https://app.example.com --secrets --ai description
+```

package/docs/interactive-mode.md

@@ -0,0 +1,76 @@
+# Interactive Mode for Next.js Maps
+
+The interactive mode for Next.js maps provides a terminal-based interface to explore and analyze the functions within your Next.js application. This guide will walk you through the features and commands available in this mode.
+
+## Getting Started
+
+To launch the interactive mode, run the following command:
+
+```bash
+js-recon map <other options> -i
+```
+
+## User Interface
+
+The interactive mode interface is composed of three main components:
+
+- **Title Box**: Displays the title "JS Recon Interactive Mode".
+- **Output Box**: Shows the output of commands and function information. You can scroll through this box using the arrow keys when it's in focus.
+- **Input Box**: This is where you type your commands.
+
+## Keybindings
+
+The following keybindings are available for navigation and control:
+
+| Key             | Description                                                                                           |
+| --------------- | ----------------------------------------------------------------------------------------------------- |
+| `Ctrl+C` or `q` | Exit the interactive mode (when not in the input box). To exit from the input box, press `Esc` first. |
+| `i`             | Focus the input box.                                                                                  |
+| `o`             | Focus the output box.                                                                                 |
+| `Esc`           | When in the input box, focuses the output box.                                                        |
+| `Up Arrow`      | In the input box, navigate to the previous command.                                                   |
+| `Down Arrow`    | In the input box, navigate to the next command.                                                       |
+| `Up Arrow`      | In the output box, scroll up.                                                                         |
+| `Down Arrow`    | In the output box, scroll down.                                                                       |
+
+## Commands
+
+Here is a list of available commands and their usage:
+
+### `help`
+
+Displays the help menu with a list of all available commands.
+
+### `exit`
+
+Exits the interactive mode.
+
+### `clear`
+
+Clears the content of the output box.
+
+### `list`
+
+Lists different types of information. Usage: `list <option>`
+
+- `list fetch`: Lists all functions that contain `fetch` instances.
+- `list all`: Lists all functions found in the application.
+- `list nav`: Lists your function navigation history.
+
+### `go`
+
+Navigates between functions. Usage: `go <option>`
+
+- `go to <functionID>`: Displays the code for a specific function.
+- `go back`: Navigates to the previously viewed function.
+- `go ahead`: Navigates to the next function in your history.
+
+### `set`
+
+Sets configuration options. Usage: `set <option> <value>`
+
+- `set funcwritefile <filename>`: Sets the file where function code will be written when you use the `go to` command.
+
+### `trace`
+
+Traces the imports for a given function. Usage: `trace <functionName>`

package/docs/lazyload.md

@@ -0,0 +1,56 @@
+# Lazyload Command
+
+The `lazyload` command is used to download JavaScript files from a given URL or a list of URLs. It simulates various techniques to discover and fetch JS files that are loaded dynamically.
+
+## Usage
+
+```bash
+js-recon lazyload -u <url/file> [options]
+```
+
+## Options
+
+| Option                        | Alias | Description                                                                         | Default                    | Required |
+| ----------------------------- | ----- | ----------------------------------------------------------------------------------- | -------------------------- | -------- |
+| `--url <url/file>`            | `-u`  | Target URL or a file containing a list of URLs (one per line).                      |                            | Yes      |
+| `--output <directory>`        | `-o`  | Output directory to save the downloaded JS files.                                   | `output`                   | No       |
+| `--strict-scope`              |       | Download JS files from only the input URL domain.                                   | `false`                    | No       |
+| `--scope <scope>`             | `-s`  | Download JS files from specific domains (comma-separated). Use `*` for all domains. | `*`                        | No       |
+| `--threads <threads>`         | `-t`  | Number of threads to use for downloading.                                           | `1`                        | No       |
+| `--subsequent-requests`       |       | Download JS files from subsequent requests (Next.JS only).                          | `false`                    | No       |
+| `--urls-file <file>`          |       | Input JSON file containing URLs (for `--subsequent-requests`)                       | `extracted_urls.json`      | No       |
+| `--api-gateway`               |       | Generate requests using API Gateway for IP rotation.                                | `false`                    | No       |
+| `--api-gateway-config <file>` |       | API Gateway config file.                                                            | `.api_gateway_config.json` | No       |
+| `--cache-file <file>`         |       | File to contain response cache.                                                     | `.resp_cache.json`         | No       |
+| `--disable-cache`             |       | Disable response caching.                                                           | `false`                    | No       |
+| `--yes`                       | `-y`  | Auto-approve executing JS code from the target.                                     | `false`                    | No       |
+
+## Examples
+
+### Basic Usage
+
+Download all JavaScript files from a single URL:
+
+```bash
+js-recon lazyload -u https://example.com
+```
+
+### Setting Scope
+
+Download JavaScript files only from `example.com` and `cdn.example.com`:
+
+```bash
+js-recon lazyload -u https://example.com -s "example.com,cdn.example.com"
+```
+
+Using the `--strict-scope` will only download JS files from the URL provided. This will skip any files from external CDN.
+
+### Using API Gateway
+
+Use AWS API Gateway to rotate IP addresses while downloading:
+
+```bash
+js-recon lazyload -u https://example.com --api-gateway
+```
+
+Read docs of [API Gateway](./api-gateway.md) for more information.

package/docs/map.md

@@ -0,0 +1,53 @@
+# Map Command
+
+The `map` command is used to map and analyze the functions within a directory of JavaScript files. It can help you understand the codebase by identifying function definitions and, optionally, using AI to generate descriptions.
+
+## Usage
+
+```bash
+js-recon map -d <directory> -t <technology> [options]
+```
+
+## Options
+
+| Option                     | Alias | Description                                                                        | Default                                                                         | Required |
+| -------------------------- | ----- | ---------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | -------- |
+| `--directory <directory>`  | `-d`  | Directory containing JS files.                                                     |                                                                                 | Yes      |
+| `--tech <tech>`            | `-t`  | Technology used in the JS files (run with `-l`/`--list` to see available options). |                                                                                 | Yes      |
+| `--list`                   | `-l`  | List available technologies.                                                       | `false`                                                                         | No       |
+| `--output <file>`          | `-o`  | Output file name (without extension).                                              | `mapped`                                                                        | No       |
+| `--format <format>`        | `-f`  | Output format for the results (comma-separated; available: `json`).                | `json`                                                                          | No       |
+| `--interactive`            | `-i`  | Interactive mode for exploring the mapped functions.                               | `false`                                                                         | No       |
+| `--ai <options>`           |       | Use AI to analyze the code (comma-separated; available: `description`).            |                                                                                 | No       |
+| `--ai-provider <provider>` |       | Service provider to use for AI (available: openai, ollama)                         | `openai`                                                                        | No       |
+| `--ai-endpoint <endpoint>` |       | Endpoint to use for AI service (for Ollama, etc)                                   | `https://api.openai.com/v1` for OpenAI, and `http://127.0.0.1:11434` for Ollama | No       |
+| `--openai-api-key <key>`   |       | OpenAI API key for AI analysis.                                                    |                                                                                 | No       |
+| `--model <model>`          |       | AI model to use for analysis.                                                      | `gpt-4o-mini` for OpenAI, and `llama3.1` for Ollama                             | No       |
+
+## Examples
+
+### Basic Usage
+
+The `map` command requires you to specify the directory containing the JavaScript files and the technology used.
+
+For example, to map a Next.JS application:
+
+```bash
+js-recon map -d /path/to/js-files -t next
+```
+
+### Interactive Mode
+
+Map functions and explore them in an interactive session. For a detailed guide, see the [Interactive Mode documentation](./interactive-mode.md).
+
+```bash
+js-recon map -d /path/to/js-files -t next -i
+```
+
+### AI-Powered Analysis
+
+Use an AI model to generate descriptions for the mapped functions by providing the `--ai` flag and an OpenAI API key.
+
+```bash
+js-recon map -d /path/to/js-files -t next --ai description --openai-api-key <your-key>
+```

package/docs/run.md

@@ -0,0 +1,54 @@
+# Run Command
+
+The `run` command is a powerful feature that automates the most of the JavaScript reconnaissance workflow by executing a series of modules in a predefined order. This command is ideal for users who want to perform a basic analysis of a target without running each module individually.
+
+## Workflow
+
+The `run` command executes the following modules in sequence:
+
+1.  **Lazy Load (Initial)**: Downloads the initial set of JavaScript files from the target URL.
+2.  **Strings (Initial)**: Extracts strings, URLs, and paths from the downloaded JavaScript files.
+3.  **Lazy Load (Subsequent Requests - for Next.JS)**: Downloads additional JavaScript files discovered from the extracted URLs and paths.
+4.  **Strings (Final)**: Performs another round of string extraction on the newly downloaded files to find more endpoints, secrets, and other valuable information.
+5.  **Endpoints**: Analyzes the collected data to identify and list all potential API endpoints.
+6.  **Map**: Maps all the functions and their relationships within the JavaScript files to provide a clear overview of the application's structure.
+
+## Usage
+
+```bash
+js-recon run -u <url/file> [options]
+```
+
+### Required Arguments
+
+- `-u, --url <url/file>`: The target URL or a file containing a list of URLs (one per line).
+
+### Options
+
+| Option                        | Alias | Description                                                          | Default                                                                         | Required |
+| ----------------------------- | ----- | -------------------------------------------------------------------- | ------------------------------------------------------------------------------- | -------- |
+| `--url <url/file>`            | `-u`  | Target URL or a file containing a list of URLs (one per line)        |                                                                                 | Yes      |
+| `--output <directory>`        | `-d`  | Output directory                                                     | `output`                                                                        | No       |
+| `--strict-scope`              |       | Download JS files from only the input URL domain                     | `false`                                                                         | No       |
+| `--scope <scope>`             | `-s`  | Download JS files from specific domains (comma-separated)            | `*`                                                                             | No       |
+| `--threads <threads>`         | `-t`  | Number of threads to use                                             | `1`                                                                             | No       |
+| `--api-gateway`               |       | Generate requests using API Gateway                                  | `false`                                                                         | No       |
+| `--api-gateway-config <file>` |       | API Gateway config file                                              | `.api_gateway_config.json`                                                      | No       |
+| `--cache-file <file>`         |       | File to store response cache                                         | `.resp_cache.json`                                                              | No       |
+| `--disable-cache`             |       | Disable response caching                                             | `false`                                                                         | No       |
+| `--yes`                       | `-y`  | Auto-approve executing JS code from the target                       | `false`                                                                         | No       |
+| `--secrets`                   |       | Scan for secrets                                                     | `false`                                                                         | No       |
+| `--ai <options>`              |       | Use AI to analyze the code (comma-separated; available: description) |                                                                                 | No       |
+| `--ai-threads <threads>`      |       | Number of threads to use for AI                                      | `5`                                                                             | No       |
+| `--ai-provider <provider>`    |       | Service provider to use for AI (available: openai, ollama)           | `openai`                                                                        | No       |
+| `--ai-endpoint <endpoint>`    |       | Endpoint to use for AI service (for Ollama, etc)                     | `https://api.openai.com/v1` for OpenAI, and `http://127.0.0.1:11434` for Ollama | No       |
+| `--openai-api-key <key>`      |       | OpenAI API Key                                                       |                                                                                 | No       |
+| `--model <model>`             |       | AI model to use                                                      | `gpt-4o-mini` for OpenAI, and `llama3.1` for Ollama                             | No       |
+
+## Example
+
+```bash
+js-recon run -u https://example.com -o results --secrets --ai description
+```
+
+This command will perform a full analysis on `https://example.com`, save the output to the `results` directory, scan for secrets, and use AI to generate descriptions for the mapped functions.

package/docs/strings.md

@@ -0,0 +1,75 @@
+# Strings Command
+
+The `strings` command is used to extract strings, URLs, and secrets from a directory of JavaScript files. This is useful for identifying sensitive information and potential API endpoints.
+
+## Usage
+
+```bash
+js-recon strings -d <directory> [options]
+```
+
+## Options
+
+| Option                        | Alias | Description                                                   | Default          | Required |
+| ----------------------------- | ----- | ------------------------------------------------------------- | ---------------- | -------- |
+| `--directory <directory>`     | `-d`  | Directory containing JS files.                                |                  | Yes      |
+| `--output <file>`             | `-o`  | JSON file to save the extracted strings.                      | `strings.json`   | No       |
+| `--extract-urls`              | `-e`  | Extract URLs from the strings.                                | `false`          | No       |
+| `--extracted-url-path <file>` |       | Output file for extracted URLs and paths (without extension). | `extracted_urls` | No       |
+| `--permutate`                 | `-p`  | Permutate the URLs and paths found.                           | `false`          | No       |
+| `--openapi`                   |       | Generate an OpenAPI specification from the paths found.       | `false`          | No       |
+| `--scan-secrets`              | `-s`  | Scan for secrets within the strings.                          | `false`          | No       |
+
+## Examples
+
+### Basic Usage
+
+Extract all strings from a directory of JS files and save them to `strings.json`:
+
+```bash
+js-recon strings -d /path/to/js-files
+```
+
+### Extract URLs
+
+Extract strings and also identify and save any URLs found within them:
+
+```bash
+js-recon strings -d /path/to/js-files -e
+```
+
+This will write a new file called `extracted_urls.json` along with the default `strings.json`
+
+### Scan for Secrets
+
+Extract strings and scan for any potential secrets or sensitive information:
+
+```bash
+js-recon strings -d /path/to/js-files -s
+```
+
+This will print all the potential finds on the terminal window.
+
+*Please note that this process could be memory and compute intensive, and can take longer to run.*
+
+### Generate OpenAPI Specification
+
+Extract URLs and paths, and then generate an OpenAPI specification:
+
+```bash
+js-recon strings -d /path/to/js-files -e --openapi
+```
+
+This will generate the default `strings.json`, the `extracted_urls.json` file with URLs and paths in simple JSON format, and the `extracted_urls-openapi.json` file. The `extracted_urls-openapi.json` can be imported into API clients like [Postman](https://www.postman.com), [Bruno](https://www.usebruno.com), etc.
+
+### Permutate URLs and Paths
+
+The `--permutate` (`-p`) flag generates new potential endpoints by combining the base of found URLs with all discovered paths. This requires the `-e` flag to be active.
+
+For example, if the tool finds the URL `https://api.example.com/v1/users` and the path `/v2/orders`, it will generate `https://api.example.com/v2/orders`.
+
+```bash
+js-recon strings -d /path/to/js-files -e -p
+```
+
+The permuted URLs will be saved to `extracted_urls.txt` along with `strings.json` and `extracted_urls.json`

package/endpoints.json

@@ -0,0 +1,77 @@
+{
+  "https://x.ai": {
+    "/": {},
+    "/news": {
+      "/news/grok-3": {},
+      "/news/series-c": {},
+      "/news/grok-1212": {},
+      "/news/grok-image-generation-release": {},
+      "/news/api": {},
+      "/news/grok-2": {},
+      "/news/series-b": {},
+      "/news/grok-1.5v": {},
+      "/news/grok-1.5": {},
+      "/news/grok-os": {},
+      "/news/prompt-ide": {},
+      "/news/grok": {}
+    },
+    "/careers": {
+      "/careers/open-roles": {}
+    },
+    "/grok": {
+      "/grok/business": {}
+    },
+    "/api": {},
+    "/company": {},
+    "/colossus": {},
+    "/contact": {},
+    "/legal": {
+      "/legal/privacy-policy": {}
+    }
+  },
+  "https://job-boards.greenhouse.io": {
+    "/": {},
+    "/xai": {
+      "/xai/jobs": {
+        "/xai/jobs/4754207007": {},
+        "/xai/jobs/4758530007": {},
+        "/xai/jobs/4730111007": {},
+        "/xai/jobs/4758535007": {},
+        "/xai/jobs/4703116007": {},
+        "/xai/jobs/4703137007": {}
+      }
+    }
+  },
+  "https://grok.com": {
+    "/": {}
+  },
+  "https://docs.x.ai": {
+    "/": {},
+    "/docs": {
+      "/docs/models": {},
+      "/docs/overview": {}
+    }
+  },
+  "https://console.x.ai": {
+    "/": {}
+  },
+  "https://grok.x.com": {
+    "/": {}
+  },
+  "https://apps.apple.com": {
+    "/": {},
+    "/app": {
+      "/app/apple-store": {
+        "/app/apple-store/id6670324846": {}
+      }
+    }
+  },
+  "https://play.google.com": {
+    "/": {},
+    "/store": {
+      "/store/apps": {
+        "/store/apps/details": {}
+      }
+    }
+  }
+}