sourcemap-hunter
introduction
In web security, JavaScript files are a gold mine that security researchers use to understand how an app works, but there is always 1 issue: “minified code”. Developers want their code to run as fast as possible, so they remove spaces and rename variables with long names to 1 character. That makes our task harder, because it’s really easy to get lost and feel overwhelmed pretty fast.
There is something called sourcemaps, and their job is to help developers with debugging: if something goes wrong, sourcemaps help developers match what went wrong in their minified JavaScript code with the original code. Luckily, we can use that. If the JavaScript file is called `app.js`, its sourcemap is usually located at `app.js.map`, and if the developers forgot to remove these sourcemaps from production, we as security researchers can reverse them to retrieve the unminified, original JavaScript code, which makes our task way easier.
But there are 3 more issues: 1. sometimes the sourcemap URLs are deleted from the bottom of the JavaScript files, and most assume the sourcemap is just not there; 2. finding sourcemaps needs manual inspection; 3. reversing sourcemaps to retrieve the original code needs a 3rd-party tool or package, and that will almost always happen on our systems.
sourcemap-hunter
sourcemap-hunter v0.1 is a Firefox extension. You install it and it starts running out of the box, looking for sourcemaps for you. Even better, when it finds sourcemaps it verifies they exist and even reverses them for you, so with just 1 click you can see the original JavaScript code, “all within your browser”.
how does the extension work?
- Uses `webRequest` to observe network traffic in real time.
- Flags source maps discovered through:
  - `SourceMap`, `X-SourceMap`, `Source-Map`, or `SourceMappingURL` response headers.
  - Direct `.js.map`, `.mjs.map`, and `.cjs.map` responses.
  - `//# sourceMappingURL=...` or `/*# sourceMappingURL=... */` comments inside JavaScript responses.
- Proactive guessing for every loaded JavaScript file:
  - `app.js` → `app.js.map`
  - `bundle.mjs` → `bundle.mjs.map`
  - `main.cjs` → `main.cjs.map`
- Validates source map candidates before reporting them.
- Suppresses common false positives by requiring valid JSON with:
  - `version`
  - `sources`
  - `mappings`
- Extracts embedded original source files from `sourcesContent`.
- Shows a red browser action badge with the number of confirmed source maps found on the current tab.
- Popup UI lists discovered source map URLs.
- Viewer page displays reconstructed source files in a clean, readable interface.
- Basic syntax highlighting for JavaScript-like files.
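The comment detection, URL guessing, JSON validation and `sourcesContent` extraction listed above, as an added example that is not the extension's own code; it can be pointed at your own build output to see what a leftover map would expose. Function names and sample inputs are constructed for illustration, and the `responses` object stands in for fetched bodies so it runs offline.

```javascript
// Added example; names are illustrative. app.js -> app.js.map (also .mjs/.cjs); dropping the query string is an assumption.
function guessMapUrl(jsUrl) {
  const u = new URL(jsUrl);
  if (!/\.(?:js|mjs|cjs)$/.test(u.pathname)) return null;
  u.pathname += ".map";
  u.search = "";
  return u.href;
}

// Last "//# sourceMappingURL=..." or "/*# sourceMappingURL=... */" comment, resolved against the script URL.
function findMapComment(jsText, jsUrl) {
  const re = /\/\/#\s*sourceMappingURL=(\S+)|\/\*#\s*sourceMappingURL=(\S+?)\s*\*\//g;
  let last = null;
  for (const m of jsText.matchAll(re)) last = m[1] || m[2];
  return last ? new URL(last, jsUrl).href : null;
}

// Accept a body only if it is JSON with version, sources and mappings (rejects soft-404 HTML pages).
function parseSourceMap(body) {
  let map;
  try { map = JSON.parse(body); } catch { return null; }
  if (map === null || typeof map !== "object") return null;
  const ok = "version" in map && Array.isArray(map.sources) && typeof map.mappings === "string";
  return ok ? map : null;
}

// Pair each sources entry with its sourcesContent text; entries without embedded text are skipped.
function embeddedSources(map) {
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  return map.sources
    .map((name, i) => ({ name, content: contents[i] }))
    .filter((f) => typeof f.content === "string");
}

// responses: URL -> body, standing in for the fetched candidates so the example runs offline.
function confirmMaps(jsUrl, jsText, responses) {
  const candidates = new Set([findMapComment(jsText, jsUrl), guessMapUrl(jsUrl)].filter(Boolean));
  return [...candidates].flatMap((url) => {
    const map = parseSourceMap(responses[url] ?? "");
    return map ? [{ url, files: embeddedSources(map) }] : [];
  });
}

// Constructed sample inputs.
const SAMPLE_JS = "function a(b){return b+1}\n//# sourceMappingURL=app.js.map\n";
const SAMPLE_MAP = JSON.stringify({ version: 3, sources: ["src/app.js", "src/vendor.js"],
  sourcesContent: ["export const inc = (n) => n + 1;\n", null], mappings: "AAAA" });
const SOFT_404 = "<!doctype html><title>Not found</title>";
```

A server that answers every unknown path with an HTML page and status 200 is the false positive the three-key check filters out, which is why `SOFT_404` yields no finding.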
sourcemap-hunter has no framework, no build steps, no backend and no analytics. What’s in your browser stays in your browser, and it can be removed with just one click.
sourcemap-hunter is written in HTML, CSS and JavaScript, and it’s completely free and open source, so you can change it in any way you want!
Give it a try, and don’t forget to leave a star if you found it useful! https://github.com/YousefM0hamed/sourcemap-hunter