jsana 1.0.0

package/bin/jsana.js

@@ -0,0 +1,102 @@
+#!/usr/bin/env node
+import { existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { run } from '../lib/pipeline.js';
+import { categories } from '../lib/patterns.js';
+
+const HELP = `
+jsana - JavaScript Security Analyzer for Bug Bounty
+
+Usage:
+  jsana <urls-file> [options]
+
+Options:
+  -o, --output <file>      Output file (default: jsana-results.txt)
+  -j, --json               NDJSON output
+  -c, --concurrency <n>    Concurrent fetches (default: 50)
+  -r, --retries <n>        Max retries per URL (default: 2)
+  -t, --timeout <ms>       Request timeout in ms (default: 30000)
+  --category <name>        Filter to specific categories (repeatable)
+  -h, --help               Show this help
+
+Categories:
+  ${categories.join(', ')}
+
+Examples:
+  jsana urls.txt
+  jsana urls.txt -o results.txt -c 100 --json
+  jsana urls.txt --category secret --category xss-sink
+`;
+
+function parseArgs(argv) {
+  const args = {
+    urlsFile: null,
+    output: 'jsana-results.txt',
+    json: false,
+    concurrency: 50,
+    retries: 2,
+    timeout: 30000,
+    categories: [],
+    help: false,
+  };
+
+  let i = 0;
+  while (i < argv.length) {
+    const arg = argv[i];
+    switch (arg) {
+      case '-h': case '--help':
+        args.help = true; break;
+      case '-j': case '--json':
+        args.json = true; break;
+      case '-o': case '--output':
+        args.output = argv[++i]; break;
+      case '-c': case '--concurrency':
+        args.concurrency = parseInt(argv[++i], 10); break;
+      case '-r': case '--retries':
+        args.retries = parseInt(argv[++i], 10); break;
+      case '-t': case '--timeout':
+        args.timeout = parseInt(argv[++i], 10); break;
+      case '--category':
+        args.categories.push(argv[++i]); break;
+      default:
+        if (!arg.startsWith('-') && !args.urlsFile) {
+          args.urlsFile = arg;
+        } else {
+          process.stderr.write(`Unknown option: ${arg}\n`);
+          process.exit(1);
+        }
+    }
+    i++;
+  }
+
+  return args;
+}
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+
+  if (args.help || !args.urlsFile) {
+    process.stdout.write(HELP);
+    process.exit(args.help ? 0 : 1);
+  }
+
+  const urlsFile = resolve(args.urlsFile);
+  if (!existsSync(urlsFile)) {
+    process.stderr.write(`Error: file not found: ${urlsFile}\n`);
+    process.exit(1);
+  }
+
+  await run(urlsFile, {
+    output: args.output,
+    json: args.json,
+    concurrency: args.concurrency,
+    retries: args.retries,
+    timeout: args.timeout,
+    categories: args.categories,
+  });
+}
+
+main().catch(err => {
+  process.stderr.write(`Fatal: ${err.message}\n`);
+  process.exit(1);
+});

package/lib/fetcher.js

@@ -0,0 +1,108 @@
+import { Pool } from 'undici';
+import { createBrotliDecompress, createGunzip, createInflate } from 'node:zlib';
+import { PassThrough } from 'node:stream';
+
+const BINARY_TYPES = /^(image|audio|video|font|application\/(pdf|zip|gzip|octet-stream|x-tar|x-7z|x-rar))/;
+const MAX_RESPONSE_SIZE = 10 * 1024 * 1024; // 10 MB
+
+// LRU pool cache: origin → { pool, lastUsed }
+const poolCache = new Map();
+const MAX_POOLS = 500;
+
+function getPool(origin) {
+  let entry = poolCache.get(origin);
+  if (entry) {
+    entry.lastUsed = Date.now();
+    return entry.pool;
+  }
+
+  // Evict oldest if at capacity
+  if (poolCache.size >= MAX_POOLS) {
+    let oldestKey = null, oldestTime = Infinity;
+    for (const [key, val] of poolCache) {
+      if (val.lastUsed < oldestTime) {
+        oldestTime = val.lastUsed;
+        oldestKey = key;
+      }
+    }
+    if (oldestKey) {
+      poolCache.get(oldestKey).pool.close();
+      poolCache.delete(oldestKey);
+    }
+  }
+
+  const pool = new Pool(origin, { connections: 6, pipelining: 1 });
+  poolCache.set(origin, { pool, lastUsed: Date.now() });
+  return pool;
+}
+
+export async function closeAllPools() {
+  const promises = [];
+  for (const { pool } of poolCache.values()) {
+    promises.push(pool.close());
+  }
+  poolCache.clear();
+  await Promise.allSettled(promises);
+}
+
+// Returns a Readable stream of the response body, or null if skipped.
+export async function fetchUrl(rawUrl, { timeout = 30000 } = {}) {
+  const url = new URL(rawUrl);
+  const origin = url.origin;
+  const pool = getPool(origin);
+
+  const { statusCode, headers, body } = await pool.request({
+    path: url.pathname + url.search,
+    method: 'GET',
+    headers: {
+      'User-Agent': 'Mozilla/5.0 (compatible; jsana/1.0)',
+      'Accept': '*/*',
+      'Accept-Encoding': 'gzip, deflate, br',
+    },
+    headersTimeout: timeout,
+    bodyTimeout: timeout,
+  });
+
+  // Skip non-success
+  if (statusCode < 200 || statusCode >= 400) {
+    // Drain the body to free the socket
+    body.resume();
+    throw new Error(`HTTP ${statusCode}`);
+  }
+
+  // Skip binary content types
+  const ct = (headers['content-type'] || '').toLowerCase();
+  if (BINARY_TYPES.test(ct)) {
+    body.resume();
+    return null;
+  }
+
+  // Handle content-encoding decompression
+  const encoding = (headers['content-encoding'] || '').toLowerCase();
+  let stream;
+  if (encoding === 'gzip' || encoding === 'x-gzip') {
+    stream = body.pipe(createGunzip());
+  } else if (encoding === 'br') {
+    stream = body.pipe(createBrotliDecompress());
+  } else if (encoding === 'deflate') {
+    stream = body.pipe(createInflate());
+  } else {
+    stream = body;
+  }
+
+  // Enforce size limit via a transform
+  let received = 0;
+  const limiter = new PassThrough({
+    transform(chunk, _enc, cb) {
+      received += chunk.length;
+      if (received > MAX_RESPONSE_SIZE) {
+        cb(new Error('Response too large'));
+        body.destroy();
+      } else {
+        cb(null, chunk);
+      }
+    },
+  });
+
+  return stream.pipe(limiter);
+}

package/lib/patterns.js

@@ -0,0 +1,78 @@
+// All regex patterns compiled once at load time.
+// Each pattern: { id, regex, category, severity, description }
+
+const patterns = [
+  // ── Dangerous Sinks (XSS) ──
+  { id: 'xss-innerhtml', regex: /\.innerHTML\s*=/, category: 'xss-sink', severity: 'high', description: 'innerHTML assignment' },
+  { id: 'xss-outerhtml', regex: /\.outerHTML\s*=/, category: 'xss-sink', severity: 'high', description: 'outerHTML assignment' },
+  { id: 'xss-document-write', regex: /document\.write(ln)?\s*\(/, category: 'xss-sink', severity: 'high', description: 'document.write()' },
+  { id: 'xss-eval', regex: /[^a-zA-Z_$]eval\s*\(/, category: 'xss-sink', severity: 'critical', description: 'eval()' },
+  { id: 'xss-function-ctor', regex: /new\s+Function\s*\(/, category: 'xss-sink', severity: 'critical', description: 'new Function()' },
+  { id: 'xss-settimeout-str', regex: /setTimeout\s*\(\s*['"`]/, category: 'xss-sink', severity: 'high', description: 'setTimeout with string' },
+  { id: 'xss-setinterval-str', regex: /setInterval\s*\(\s*['"`]/, category: 'xss-sink', severity: 'high', description: 'setInterval with string' },
+  { id: 'xss-insertadjacenthtml', regex: /\.insertAdjacentHTML\s*\(/, category: 'xss-sink', severity: 'high', description: 'insertAdjacentHTML()' },
+  { id: 'xss-jquery-html', regex: /\.\$\s*\(.*\)\s*\.html\s*\(|\$\(.*\)\.html\s*\(/, category: 'xss-sink', severity: 'high', description: 'jQuery .html()' },
+  { id: 'xss-jquery-append', regex: /\.\$\s*\(.*\)\s*\.append\s*\(|\$\(.*\)\.append\s*\(/, category: 'xss-sink', severity: 'medium', description: 'jQuery .append()' },
+  { id: 'xss-react-dangerously', regex: /dangerouslySetInnerHTML/, category: 'xss-sink', severity: 'high', description: 'React dangerouslySetInnerHTML' },
+  { id: 'xss-vue-vhtml', regex: /v-html\s*=/, category: 'xss-sink', severity: 'high', description: 'Vue v-html directive' },
+  { id: 'xss-angular-bypass', regex: /bypassSecurityTrust(Html|Script|Style|Url|ResourceUrl)/, category: 'xss-sink', severity: 'critical', description: 'Angular bypassSecurityTrust*' },
+
+  // ── User-Controlled Sources ──
+  { id: 'source-location-hash', regex: /location\.hash/, category: 'source', severity: 'medium', description: 'location.hash' },
+  { id: 'source-location-search', regex: /location\.search/, category: 'source', severity: 'medium', description: 'location.search' },
+  { id: 'source-location-href', regex: /location\.href/, category: 'source', severity: 'medium', description: 'location.href' },
+  { id: 'source-location-pathname', regex: /location\.pathname/, category: 'source', severity: 'low', description: 'location.pathname' },
+  { id: 'source-document-url', regex: /document\.URL/, category: 'source', severity: 'medium', description: 'document.URL' },
+  { id: 'source-document-referrer', regex: /document\.referrer/, category: 'source', severity: 'medium', description: 'document.referrer' },
+  { id: 'source-document-cookie', regex: /document\.cookie/, category: 'source', severity: 'medium', description: 'document.cookie' },
+  { id: 'source-window-name', regex: /window\.name/, category: 'source', severity: 'medium', description: 'window.name' },
+  { id: 'source-urlsearchparams', regex: /new\s+URLSearchParams/, category: 'source', severity: 'low', description: 'URLSearchParams' },
+  { id: 'source-localstorage', regex: /localStorage\.(getItem|setItem)\s*\(/, category: 'source', severity: 'low', description: 'localStorage access' },
+  { id: 'source-sessionstorage', regex: /sessionStorage\.(getItem|setItem)\s*\(/, category: 'source', severity: 'low', description: 'sessionStorage access' },
+
+  // ── API Endpoints & Secrets ──
+  { id: 'secret-aws-key', regex: /AKIA[0-9A-Z]{16}/, category: 'secret', severity: 'critical', description: 'AWS Access Key ID' },
+  { id: 'secret-jwt', regex: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.?[A-Za-z0-9_-]*/, category: 'secret', severity: 'high', description: 'JWT token' },
+  { id: 'secret-google-api', regex: /AIza[0-9A-Za-z\-_]{35}/, category: 'secret', severity: 'high', description: 'Google API key' },
+  { id: 'secret-github-token', regex: /(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}/, category: 'secret', severity: 'critical', description: 'GitHub token' },
+  { id: 'secret-generic-token', regex: /['"`](token|api[_-]?key|apikey|secret|password|passwd|authorization)\s*['"`]\s*[:=]\s*['"`][^'"`]{8,}['"`]/i, category: 'secret', severity: 'high', description: 'Generic secret/token in string' },
+  { id: 'secret-bearer', regex: /['"` ]Bearer\s+[A-Za-z0-9_\-.~+/]{20,}/, category: 'secret', severity: 'high', description: 'Bearer token' },
+  { id: 'api-fetch', regex: /fetch\s*\(\s*['"`]https?:\/\//, category: 'api', severity: 'info', description: 'fetch() call with URL' },
+  { id: 'api-xhr-open', regex: /\.open\s*\(\s*['"`](GET|POST|PUT|DELETE|PATCH)['"`]/, category: 'api', severity: 'info', description: 'XHR open()' },
+  { id: 'api-axios', regex: /axios\.(get|post|put|delete|patch|request)\s*\(/, category: 'api', severity: 'info', description: 'axios call' },
+  { id: 'api-auth-header', regex: /['"`](Authorization|X-Api-Key|X-Auth-Token)['"`]\s*:/, category: 'api', severity: 'medium', description: 'Auth header' },
+  { id: 'api-endpoint', regex: /['"`]\/api\/[a-zA-Z0-9_/\-{}]+['"`]/, category: 'api', severity: 'info', description: 'API endpoint path' },
+
+  // ── Prototype Pollution ──
+  { id: 'proto-proto', regex: /__proto__/, category: 'prototype-pollution', severity: 'high', description: '__proto__ access' },
+  { id: 'proto-constructor', regex: /constructor\s*\[\s*['"`]prototype['"`]\s*\]|constructor\.prototype/, category: 'prototype-pollution', severity: 'high', description: 'constructor.prototype access' },
+  { id: 'proto-merge', regex: /deepmerge|deep[_-]?extend|merge\s*\(|extend\s*\(|Object\.assign\s*\(\s*\{\s*\}/, category: 'prototype-pollution', severity: 'medium', description: 'Deep merge/extend function' },
+
+  // ── Open Redirects ──
+  { id: 'redirect-location-assign', regex: /location\s*=\s*[^=]|location\.assign\s*\(/, category: 'open-redirect', severity: 'high', description: 'location assignment/assign()' },
+  { id: 'redirect-location-replace', regex: /location\.replace\s*\(/, category: 'open-redirect', severity: 'high', description: 'location.replace()' },
+  { id: 'redirect-window-open', regex: /window\.open\s*\(/, category: 'open-redirect', severity: 'medium', description: 'window.open()' },
+  { id: 'redirect-navigate', regex: /\.navigate\s*\(\s*['"`]?http/, category: 'open-redirect', severity: 'medium', description: '.navigate() with URL' },
+
+  // ── PostMessage Issues ──
+  { id: 'postmessage-listener', regex: /addEventListener\s*\(\s*['"`]message['"`]/, category: 'postmessage', severity: 'medium', description: 'message event listener' },
+  { id: 'postmessage-send', regex: /\.postMessage\s*\(/, category: 'postmessage', severity: 'medium', description: 'postMessage() call' },
+
+  // ── Debug / Admin ──
+  { id: 'debug-todo', regex: /\/\/\s*(TODO|FIXME|HACK|XXX|BUG)\b/i, category: 'debug', severity: 'low', description: 'TODO/FIXME/HACK comment' },
+  { id: 'debug-admin-path', regex: /['"`]\/?admin(\/[a-zA-Z0-9_/-]*)?['"`]/, category: 'debug', severity: 'medium', description: 'Admin path reference' },
+  { id: 'debug-console-log', regex: /console\.(log|debug|info|warn|error)\s*\(/, category: 'debug', severity: 'low', description: 'Console logging' },
+  { id: 'debug-debugger', regex: /\bdebugger\b/, category: 'debug', severity: 'low', description: 'debugger statement' },
+  { id: 'debug-feature-flag', regex: /['"`](feature[_-]?flag|is[_-]?enabled|enable[_-]?feature|canary|experiment)['"`]/i, category: 'debug', severity: 'low', description: 'Feature flag reference' },
+  { id: 'debug-sourcemap', regex: /\/\/[#@]\s*sourceMappingURL\s*=/, category: 'debug', severity: 'info', description: 'Source map reference' },
+];
+
+const categories = [...new Set(patterns.map(p => p.category))];
+
+export function getPatterns(filterCategories) {
+  if (!filterCategories || filterCategories.length === 0) return patterns;
+  const set = new Set(filterCategories);
+  return patterns.filter(p => set.has(p.category));
+}
+
+export { categories, patterns };

package/lib/pipeline.js

@@ -0,0 +1,138 @@
+import { createReadStream } from 'node:fs';
+import { createInterface } from 'node:readline';
+import { fetchUrl, closeAllPools } from './fetcher.js';
+import { scan } from './scanner.js';
+import { Reporter } from './reporter.js';
+import { Progress, countLines } from './progress.js';
+import { getPatterns } from './patterns.js';
+import { withRetry } from './retry.js';
+
+// Simple semaphore for concurrency control
+class Semaphore {
+  constructor(max) {
+    this.max = max;
+    this.current = 0;
+    this.queue = [];
+  }
+  acquire() {
+    if (this.current < this.max) {
+      this.current++;
+      return Promise.resolve();
+    }
+    return new Promise(resolve => this.queue.push(resolve));
+  }
+  release() {
+    this.current--;
+    if (this.queue.length > 0) {
+      this.current++;
+      this.queue.shift()();
+    }
+  }
+}
+
+export async function run(urlsFile, opts) {
+  const {
+    output = 'jsana-results.txt',
+    json = false,
+    concurrency = 50,
+    retries = 2,
+    timeout = 30000,
+    categories = [],
+  } = opts;
+
+  const patterns = getPatterns(categories);
+  if (patterns.length === 0) {
+    process.stderr.write('[jsana] No patterns matched the selected categories.\n');
+    return;
+  }
+
+  // Pre-count lines for progress
+  const totalLines = await countLines(urlsFile);
+  const progress = new Progress(totalLines);
+  const reporter = new Reporter(output, { json });
+  const sem = new Semaphore(concurrency);
+
+  let shuttingDown = false;
+  const inFlight = new Set();
+
+  // Graceful shutdown
+  const shutdown = () => {
+    if (shuttingDown) return;
+    shuttingDown = true;
+    process.stderr.write('\n[jsana] Shutting down gracefully...\n');
+  };
+  process.on('SIGINT', shutdown);
+
+  progress.start();
+
+  const rl = createInterface({
+    input: createReadStream(urlsFile, { encoding: 'utf8' }),
+    crlfDelay: Infinity,
+  });
+
+  for await (const rawLine of rl) {
+    if (shuttingDown) break;
+
+    const line = rawLine.trim();
+    // Skip empty lines and comments
+    if (!line || line.startsWith('#')) {
+      progress.tick();
+      continue;
+    }
+
+    // Basic URL validation
+    let url;
+    try {
+      url = new URL(line);
+      if (url.protocol !== 'http:' && url.protocol !== 'https:') throw new Error('bad proto');
+    } catch {
+      progress.tick();
+      progress.addError();
+      continue;
+    }
+
+    await sem.acquire();
+    if (shuttingDown) { sem.release(); break; }
+
+    const task = (async () => {
+      try {
+        const stream = await withRetry(
+          () => fetchUrl(url.href, { timeout }),
+          { maxRetries: retries }
+        );
+
+        if (!stream) return; // skipped (binary, etc.)
+
+        let findingsInUrl = 0;
+        for await (const finding of scan(stream, url.href, patterns)) {
+          reporter.write(finding);
+          findingsInUrl++;
+        }
+        progress.addFindings(findingsInUrl);
+      } catch (err) {
+        progress.addError();
+      } finally {
+        progress.tick();
+        sem.release();
+      }
+    })();
+
+    inFlight.add(task);
+    task.finally(() => inFlight.delete(task));
+  }
+
+  // Wait for all in-flight tasks
+  await Promise.allSettled([...inFlight]);
+
+  progress.stop();
+  await reporter.close();
+  await closeAllPools();
+
+  process.removeListener('SIGINT', shutdown);
+
+  process.stderr.write(
+    `[jsana] Done. ${progress.processed} URLs processed, ` +
+    `${reporter.count} findings, ${progress.errors} errors. ` +
+    `Output: ${output}\n`
+  );
+}

package/lib/progress.js

@@ -0,0 +1,51 @@
+import { createInterface } from 'node:readline';
+import { createReadStream } from 'node:fs';
+
+// Fast line count: streams through the file counting newlines.
+export async function countLines(filePath) {
+  return new Promise((resolve, reject) => {
+    let count = 0;
+    const s = createReadStream(filePath, { encoding: 'utf8', highWaterMark: 64 * 1024 });
+    s.on('data', chunk => {
+      for (let i = 0; i < chunk.length; i++) {
+        if (chunk[i] === '\n') count++;
+      }
+    });
+    s.on('end', () => resolve(count || 1));
+    s.on('error', reject);
+  });
+}
+
+export class Progress {
+  constructor(total) {
+    this.total = total;
+    this.processed = 0;
+    this.findings = 0;
+    this.errors = 0;
+    this.startTime = Date.now();
+    this._interval = null;
+  }
+
+  start() {
+    this._render();
+    this._interval = setInterval(() => this._render(), 500);
+  }
+
+  tick() { this.processed++; }
+  addFindings(n) { this.findings += n; }
+  addError() { this.errors++; }
+
+  _render() {
+    const elapsed = ((Date.now() - this.startTime) / 1000).toFixed(1);
+    const rate = this.processed > 0 ? (this.processed / (elapsed || 1)).toFixed(1) : '0.0';
+    const pct = ((this.processed / this.total) * 100).toFixed(1);
+    const line = `\r[jsana] ${this.processed}/${this.total} (${pct}%) | findings: ${this.findings} | errors: ${this.errors} | ${rate} URLs/s | ${elapsed}s`;
+    process.stderr.write(line);
+  }
+
+  stop() {
+    if (this._interval) clearInterval(this._interval);
+    this._render();
+    process.stderr.write('\n');
+  }
+}

package/lib/reporter.js

@@ -0,0 +1,30 @@
+import { createWriteStream } from 'node:fs';
+
+export class Reporter {
+  constructor(outputPath, { json = false } = {}) {
+    this.json = json;
+    this.stream = createWriteStream(outputPath, { flags: 'w', encoding: 'utf8' });
+    this.count = 0;
+  }
+
+  write(finding) {
+    this.count++;
+    if (this.json) {
+      this.stream.write(JSON.stringify(finding) + '\n');
+    } else {
+      this.stream.write(
+        `[${finding.severity.toUpperCase()}] [${finding.category}] ${finding.description}\n` +
+        `  URL:  ${finding.url}\n` +
+        `  Line: ${finding.line}\n` +
+        `  Code: ${finding.snippet}\n\n`
+      );
+    }
+  }
+
+  async close() {
+    return new Promise((resolve, reject) => {
+      this.stream.end(() => resolve());
+      this.stream.on('error', reject);
+    });
+  }
+}

package/lib/retry.js

@@ -0,0 +1,17 @@
+// Exponential backoff retry with jitter.
+
+export async function withRetry(fn, { maxRetries = 2, baseDelay = 500 } = {}) {
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await fn(attempt);
+    } catch (err) {
+      lastError = err;
+      if (attempt < maxRetries) {
+        const delay = baseDelay * Math.pow(2, attempt) + Math.random() * baseDelay;
+        await new Promise(r => setTimeout(r, delay));
+      }
+    }
+  }
+  throw lastError;
+}

package/lib/scanner.js

@@ -0,0 +1,28 @@
+import { createInterface } from 'node:readline';
+
+// Async generator: yields Finding objects as patterns match on response stream lines.
+export async function* scan(stream, url, patterns) {
+  const rl = createInterface({ input: stream, crlfDelay: Infinity });
+  let lineNum = 0;
+
+  for await (const line of rl) {
+    lineNum++;
+    if (line.length < 3) continue;
+
+    for (const pat of patterns) {
+      if (pat.regex.test(line)) {
+        // Extract a snippet: trim and cap at 200 chars
+        const snippet = line.trim().slice(0, 200);
+        yield {
+          url,
+          line: lineNum,
+          patternId: pat.id,
+          category: pat.category,
+          severity: pat.severity,
+          description: pat.description,
+          snippet,
+        };
+      }
+    }
+  }
+}

package/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "jsana",
+  "version": "1.0.0",
+  "description": "JavaScript Security Analyzer for Bug Bounty",
+  "type": "module",
+  "license": "MIT",
+  "keywords": ["security", "bug-bounty", "javascript", "scanner", "xss", "secrets", "recon"],
+  "bin": {
+    "jsana": "./bin/jsana.js"
+  },
+  "files": [
+    "bin/",
+    "lib/"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "undici": "^6.21.1"
+  }
+}