inspectJS is a security auditing tool designed to automatically discover and analyze JavaScript files in web applications.
It extracts endpoints, API keys, tokens, and potential client-side vulnerabilities.
git clone https://github.com/ynsmroztas/InspectJS.git
cd inspectjs
pip install -r requirements.txt
python inspectjs.py -u https://example.com┌─────────────────────────────────────────────────────────────┐
│ INSPECTJS SECURITY SCANNER │
│─────────────────────────────────────────────────────────────│
│ Target: https://example.com │
│ Threads: 10 SSL: Disabled Depth: 2 │
├─────────────────────────────────────────────────────────────┤
│ [+] Discovered: 8 JS files │
│ [+] Detected API Keys: 3 │
│ [+] Endpoints Found: 5 │
│ [+] Risk Level: HIGH ⚠️ │
└─────────────────────────────────────────────────────────────┘
[CRITICAL] 🔑 API Keys, Secrets, JWT Tokens
[HIGH] 🌐 API Endpoints, Login Routes, Admin Panels
[MEDIUM] 📧 Email Addresses, IPs, Subdomains
[LOW] 🧱 Comments, Debug Statements, Paths
# Save report
python inspectjs.py -u https://target.com -o report.txt
# Multi-threaded scan
python inspectjs.py -u https://target.com -t 10
# Verify SSL
python inspectjs.py -u https://target.com --verify-ssl
# Set depth
python inspectjs.py -u https://target.com -d 3═══════════════════════════════════════════════════════════
🔗 Target: https://example.com
📅 Date: 2024-01-15 14:30:22
📁 JS Files: 8
[CRITICAL] API Key found → "api_key_123456789"
↳ Source: https://example.com/app.js
↳ Context: const API_KEY = "api_key_123456789";
[ALERT] Endpoint → POST /api/v1/login
↳ Parameters: username, password
═══════════════════════════════════════════════════════════
📈 Findings Summary
───────────────────────────────────────────────────────────
Critical Secrets ......... 3
HTTP Requests ............ 5
High-Risk Endpoints ...... 2
Overall Risk ............. 🔴 HIGH
═══════════════════════════════════════════════════════════
- 🛡️ Penetration Testing – Identify exposed client-side secrets
- 🪲 Bug Bounty Hunting – Automate discovery of key leaks
- 🧮 Code Review – Check for unsafe hardcoded values
- 🧰 CI/CD Integration – Pre-deployment security validation
inspectJS must only be used for authorized testing and educational purposes.
Unauthorized scanning or exploitation of systems without permission is illegal.
mitsec
- 🐦 Twitter: @ynsmroztas
- 💻 GitHub: github.com/ynsmroztas
- 🌐 Project: inspectJS
© 2025 mitsec — Licensed under the MIT License
