{"id":13636205,"url":"https://github.com/parsiya/eslinter","last_synced_at":"2026-02-28T11:10:44.066Z","repository":{"id":118393531,"uuid":"216741402","full_name":"parsiya/eslinter","owner":"parsiya","description":"Manual JavaScript Linting is a Bug","archived":false,"fork":false,"pushed_at":"2021-03-06T00:39:11.000Z","size":12751,"stargazers_count":49,"open_issues_count":14,"forks_count":7,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-11T01:47:27.574Z","etag":null,"topics":["burpsuite","eslint","javascript","security"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/parsiya.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-22T06:41:01.000Z","updated_at":"2024-04-20T22:20:01.000Z","dependencies_parsed_at":"2023-07-29T16:01:49.396Z","dependency_job_id":null,"html_url":"https://github.com/parsiya/eslinter","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/parsiya/eslinter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/parsiya%2Feslinter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/parsiya%2Feslinter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/parsiya%2Feslinter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/parsiya%2Feslinter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/parsiya","download_url":"https://codeload.
github.com/parsiya/eslinter/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/parsiya%2Feslinter/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29931549,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T09:58:13.507Z","status":"ssl_error","status_checked_at":"2026-02-28T09:57:57.047Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["burpsuite","eslint","javascript","security"],"created_at":"2024-08-02T00:00:58.506Z","updated_at":"2026-02-28T11:10:44.034Z","avatar_url":"https://github.com/parsiya.png","language":"Java","funding_links":[],"categories":["Scanners"],"sub_categories":[],"readme":"# Manual JavaScript Linting is a Bug  \u003c!-- omit in toc --\u003e\n`ESLinter` is a Burp extension that extracts JavaScript from responses and lints\nthem with [ESLint][eslint-org] while you do your manual testing.\n\n[eslint-org]: https://eslint.org/\n\n## Features\n\n1. Use your own artisanal hand-crafted ESLint rules.\n    * Extend Burp's JavaScript analysis engine.\n2. Pain-free setup.\n    * Get up and running with three commands.\n3. Results Are stored in two different places.\n    * SQLite is forever.\n4. It doesn't interrupt your work flow.\n    * Let the extension lint while you do your magic.\n5. 
It's hella configurable.\n    * Running Burp on a slow machine? Reduce the number of threads.\n    * Don't want to lint now? Click that shiny `Process` button to pause it.\n    * Want to close Burp? No problem. Unfinished tasks will be read from the\n      database and executed when the extension is loaded again.\n    * Want to only process requests from certain hosts? Add them to the scope and\n      set the associated key in the config file to `true`.\n    * Don't like large JavaScript files? Set the max size in the config.\n    * Want to process requests from another extension? See [Process Requests Made by Other Extensions](#process-requests-made-by-other-extensions).\n6. Filter results by host.\n    * Start typing in the text field in the extension tab.\n\n![ESLinter in action](.github/google.gif)\n\n## Quickstart\n\n1. Install `git`, `npm` and `JDK 11`.\n    1. [AdoptOpenJDK 11][adoptopenjdk11] is recommended. Make sure `JAVA_HOME`\n       is set.\n2. Clone the repository.\n3. `gradlew -q clean`. Not needed for a fresh installation.\n4. `gradlew -q install`\n    1. Clones the `eslint-security` git submodule.\n    2. Runs `npm install` in `eslint-security`.\n5. `gradlew -q config -Ptarget=/relative/or/absolute/path/to/your/desired/project/location`\n    1. E.g., `gradlew -q config -Ptarget=testproject` creates a directory named\n       `testproject` inside the `eslinter` directory.\n    2. Creates `config.json` in the `release` directory with a sane configuration.\n6. Add the extension jar at `release/eslint-all.jar` to Burp.\n    1. The first time a new config is loaded, you might get an error about not being\n       able to connect to the database. This is OK.\n7. Navigate to the `ESLinter` tab and click on the `Process` button.\n8. Browse the target website normally with Burp as proxy.\n9.  Observe the extracted JavaScript being linted.\n10. Look in the project directory to view all extracted and linted files.\n11. Double-click on any result to open a dialog box. 
Choose a path to save both\n    the beautified JavaScript and lint results.\n\n* For build troubleshooting please see [Building the\n  Extension](#building-the-extension) below.\n\n**Double click in action**\n\n![Doubleclick](.github/doubleclick.gif)\n\n[adoptopenjdk11]: https://adoptopenjdk.net/?variant=openjdk11\u0026jvmVariant=hotspot\n\n## Table of Content \u003c!-- omit in toc --\u003e\n\n- [Features](#features)\n- [Quickstart](#quickstart)\n- [Extension Configuration](#extension-configuration)\n    - [Change the ESLint Rules](#change-the-eslint-rules)\n    - [Change the ESLint Rule File](#change-the-eslint-rule-file)\n    - [Change the Number of Linting Threads](#change-the-number-of-linting-threads)\n    - [Process Requests Made by Other Extensions](#process-requests-made-by-other-extensions)\n    - [Process Requests Made by Other Burp Tools](#process-requests-made-by-other-burp-tools)\n    - [Customize ESLint Rules](#customize-eslint-rules)\n- [Triage The Results](#triage-the-results)\n- [Technical Details](#technical-details)\n- [Common Bugs](#common-bugs)\n    - [Supported Platforms](#supported-platforms)\n    - [The Connection to the Database Is Not Closed](#the-connection-to-the-database-is-not-closed)\n    - [My Selected Row is Gone](#my-selected-row-is-gone)\n- [FAQ](#faq)\n    - [Why Doesn't the Extension Create Burp Issues?](#why-doesnt-the-extension-create-burp-issues)\n    - [SHA-1 Is Broken](#sha-1-is-broken)\n- [Development](#development)\n    - [Building the Extension](#building-the-extension)\n    - [Development](#development-1)\n    - [Diagnostics](#diagnostics)\n    - [Debugging](#debugging)\n- [Credits](#credits)\n    - [Lewis Ardern](#lewis-ardern)\n    - [Jacob Wilkin](#jacob-wilkin)\n    - [Tom Limoncelli](#tom-limoncelli)\n    - [Similar Unreleased Extension by David Rook](#similar-unreleased-extension-by-david-rook)\n    - [Source Code Credit](#source-code-credit)\n- [Future Work and Feedback](#future-work-and-feedback)\n- 
[License](#license)\n\n## Extension Configuration\nIt's recommended to use the `config` Gradle task. You can also create your own\nextension configs. Open the config file in any text editor and change the\nvalues. For in-depth configuration, please see\n[docs/configuration.md](docs/configuration.md).\n\n### Change the ESLint Rules\n\n**Option 1:** If you used the config Gradle task.\n\n1. Edit the `eslint-security/eslintrc-parsia.js` file and add/remove rules.\n    1. Make a copy first if you want to use it as a guideline.\n2. Reload the extension.\n\n**Option 2:** If you want to keep your ESLint rules in a different path.\n\n1. Create your own rules and store them at any path.\n2. Edit the `release/config.json` file.\n3. Change the `eslint-config-path` to the ESLint rule path from step 1.\n4. Reload the extension.\n\n### Change the ESLint Rule File\nEdit the `eslint-config-path` key in the `release/config.json` file and point it\nto your custom ESLint rule file.\n\n### Change the Number of Linting Threads\nThe number of linting threads can be configured. For slower machines, it might\nneed to be reduced.\n\n1. Edit the extension config file.\n2. Change the value of `number-of-linting-threads`.\n\n### Process Requests Made by Other Extensions\n\n1. Add `extender` to the `process-tool-list` in the config file.\n2. Move ESLinter to the bottom of your extension list in the Extender tab.\n3. Reload the extension.\n4. ESLinter should be able to see requests created by other extensions.\n\n### Process Requests Made by Other Burp Tools\n\n1. Add the tool name to the `process-tool-list` in the config file. E.g.,\n   `Scanner`.\n2. Move ESLinter to the bottom of your extension list in the Extender tab.\n3. Reload the extension.\n4. 
ESLinter should be able to see requests created by other Burp tools.\n\n### Customize ESLint Rules\nStart by modifying one of the ESLint rule files in the\n[eslint-security][eslint-security] repository.\n\nTo disable a rule, either comment it out or change the numeric value of its key\nto `0`.\n\nIf you are adding a rule that needs a new plugin, you have to add it manually\n(usually via npm) to the location of your `eslint` and `js-beautify` commands.\n\nIf you want to contribute your custom ESLint rules, please feel free to create\npull requests in [eslint-security][eslint-security].\n\n[eslint-security]: https://github.com/parsiya/eslint-security\n\nFor more information on configuring ESLint and writing custom rules, please see:\n\n* https://eslint.org/docs/user-guide/configuring\n* https://eslint.org/docs/developer-guide/working-with-rules\n\n## Triage The Results\n\n1. Open the project directory in your editor (set in the config command).\n2. Open any file in the `linted` sub-directory. These files contain the results.\n3. Alternatively, double-click any row in the extension's tab to select a\n   directory to save both the original JavaScript and lint results for an\n   individual request.\n4. The extension uses the ESLint [codeframe][eslint-codeframe] output format.\n   This format includes a few lines of code before and after what was flagged by\n   ESLint. You can use these results to understand the context. This is usually\n   not enough.\n5. To view the corresponding JavaScript file, open the file with the same name\n   (minus `-linted`) in the `beautified` sub-directory.\n6. The JSON object at the top of every file contains the URL and the referer of\n   the request that contained the JavaScript. 
Use this information to figure out\n   where this JavaScript was located.\n\n[eslint-codeframe]: https://eslint.org/docs/user-guide/formatters/#codeframe\n\n## Technical Details\nThe inner workings of the extension are discussed in\n[docs/technical-details.md](docs/technical-details.md).\n\n## Common Bugs\nMake a GitHub issue if you encounter a bug. Please use the Bug issue template\nand fill it out as much as you can. Be sure to remove any identifying information\nfrom the config file.\n\n### Supported Platforms\nESLinter was developed and tested on Windows and Burp 2.1. It should work on\nmost platforms. If it does not, please make a GitHub issue.\n\n### The Connection to the Database Is Not Closed\nYou cannot delete the database if you unload the extension.\n\nWorkaround:\n\n* Close Burp and delete the file.\n\n### My Selected Row is Gone\nThe table in the extension tab is updated every few seconds (controlled via the\n`update-table-delay` key in the config file). This means your selected row will\nbe unselected when the table updates. This is not an issue.\n\nThis might look odd when double-clicking a row. The FileChooser dialog pops up\nto select a path. When the table is updated, the selection is visually gone.\nThis is not an issue. The data in the row is retrieved when you double-click\nand is not interrupted when the row is deselected after the table update.\n\n## FAQ\n\n### Why Doesn't the Extension Create Burp Issues?\n\n1. This is not a Burp pro extension. Burp Issues are supported in the pro\n   version.\n2. Depending on the ESLint rules, this will create a lot of noise.\n\n### SHA-1 Is Broken\nYes, but the extension uses SHA-1 to create a hash of JavaScript text. This hash\nis an identifier to detect duplicates. Adversarial collisions are not important\nhere.\n\n## Development\n\n### Building the Extension\n\n1. Install [AdoptOpenJDK 11][adoptopenjdk11]\n2. Run `gradlew bigjar`.\n3. 
The jar file will be stored inside the `release` directory.\n\n### Development\n\n1. Fork the repository.\n2. Create a new branch.\n3. Modify the extension.\n4. Run `gradlew bigjar` to build it. Then test it in Burp.\n5. Create a pull request. Please mention what has been modified.\n\n### Diagnostics\nSet `\"diagnostics\": true` in the config file to see debug messages. These\nmessages are useful when you are testing a single file in Burp Repeater. For\nmore information, please see the `The Diagnostics Flag` section in\n[docs/configuration.md](docs/configuration.md).\n\n### Debugging\nSee the following blog post to see how you can debug Java Burp extensions in\n[Visual Studio Code][vscode-website]. The instructions can be adapted to use in\nother IDEs/editors.\n\n* https://parsiya.net/blog/2019-12-02-developing-and-debugging-java-burp-extensions-with-visual-studio-code/\n\n[vscode-website]: https://code.visualstudio.com/\n\n## Credits\n\n### Lewis Ardern\nFor being a [Solid 5/7 JavaScript guy][lewis-twitter].\n\nSee his presentation [Manual JavaScript Analysis is a Bug][lewis-slides].\n\n[lewis-twitter]: https://twitter.com/lewisardern\n[lewis-slides]: https://www.slideshare.net/LewisArdern/manual-javascript-anaylsis-is-a-bug-176308491\n\n### Jacob Wilkin\nThe original idea for the ESLinting JavaScript received in Burp was from the\nfollowing blog post by [Jacob Wilkin][jacob-wilkin-twitter]:\n\n* https://medium.com/greenwolf-security/linting-for-bugs-vulnerabilities-49bc75a61c6\n\nSummary:\n\n1. Browse the target and perform manual testing as usual.\n2. Extract JavaScript from Burp.\n3. Clean them up a bit and remove minified standard libraries.\n4. Run ESLint with some security rules on the remaining JavaScript.\n5. Triage the results.\n6. ???\n7. 
Profit.\n\n[jacob-wilkin-twitter]: https://twitter.com/jacob_wilkin\n\n### Tom Limoncelli\nMy main drive for automation comes from reading the amazing article named\n[Manual Work is a Bug][manual-work] by [Thomas Limoncelli][tom-twitter].\n**READ IT**.\n\nThe article defines four levels of automation:\n\n1. Document the steps.\n    * Jacob's post above.\n2. Create automation equivalents.\n    * I created a prototype that linted JavaScript files after I extracted them\n      from Burp manually.\n3. Create automation.\n    * This extension.\n4. Self-service and autonomous systems.\n    * Almost there in future work.\n\n[manual-work]: https://queue.acm.org/detail.cfm?id=3197520\n[tom-twitter]: https://twitter.com/yesthattom\n\n### Similar Unreleased Extension by David Rook\nSearching for [\"eslint burp\" on Twitter][eslint-burp-twitter] returns a series\nof tweets from 2015 by [David Rook][david-rook-twitter]. It appears that he was\nworking on a Burp extension that used ESLint to create issues. The extension was\nnever released.\n\n[eslint-burp-twitter]: https://twitter.com/search?q=eslint%20burp\u0026src=typed_query\n[david-rook-twitter]: https://twitter.com/davidrook\n\n### Source Code Credit\nThis extension uses a few open source libraries. You can see them in the\n`dependencies` section of the [build.gradle](build.gradle) file.\n\nIn addition, it uses code copied from Apache Commons libraries. I copied\nindividual files instead of the complete Apache Commons-Lang library.\n\n* [src/utils/StringUtils.java](src/utils/StringUtils.java) uses code from the\n  Apache commons-lang.StringUtils.\n* [src/utils/SystemUtils](src/utils/SystemUtils.java) is an almost exact copy of\n  Apache commons-lang.SystemUtils.\n\n## Future Work and Feedback\nPlease see the GitHub issues. If you have an idea, please make a GitHub issue\nand use the `Feature request` template.\n\n## License\nOpen-sourced under the \"GNU General Public License v3.0\" and later. 
Please see\n[LICENSE](LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fparsiya%2Feslinter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fparsiya%2Feslinter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fparsiya%2Feslinter/lists"}