Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/midoxnet/mapperplus
MapperPlus facilitates the extraction of source code from a collection of targets that have publicly exposed .js.map files.
https://github.com/midoxnet/mapperplus
automation javascript map pentest recon security security-tools source sourcemapper
Last synced: about 2 months ago
JSON representation
MapperPlus facilitates the extraction of source code from a collection of targets that have publicly exposed .js.map files.
- Host: GitHub
- URL: https://github.com/midoxnet/mapperplus
- Owner: midoxnet
- Created: 2023-10-24T09:25:29.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-02-24T12:46:49.000Z (9 months ago)
- Last Synced: 2024-02-24T13:46:45.996Z (9 months ago)
- Topics: automation, javascript, map, pentest, recon, security, security-tools, source, sourcemapper
- Language: JavaScript
- Homepage:
- Size: 4.15 MB
- Stars: 88
- Watchers: 1
- Forks: 7
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Mapperplus - An advanced source map extractor based on headless browser.
![cover](https://github.com/midoxnet/mapperplus/assets/27289397/b8fabf60-6737-4739-865e-663693ed6960)
- MapperPlus facilitates the validation and retrieval of all .js/.js.map files from a specified target or a list of targets. It subsequently employs SourceMapper to extract source code for all your designated targets.
- MapperPlus utilizes a Chrome Headless browser to intercept every request and response, ensuring the download of JavaScript files goes beyond heuristic scans or regular expressions, and includes the handling of all requested JS files.
- MapperPlus is based on an already existing tool called SourceMapper which helps you extract the source code from a single .map file.# Consider these suggestions for integrating MapperPlus into your reconnaissance automation pipeline:
MapperPlus could be used with httpx , jsluice or Trufflehog and more.
(https://github.com/BishopFox/jsluice/ , https://github.com/projectdiscovery/httpx , https://github.com/trufflesecurity/trufflehog )
1. You can use httpx to retrieve live webservers and then use its output as an input of MapperPlus.
2. After downloading and extracting all JS files, use JSluice to extract endpoints from every target and then go beyond your recon process.
3. You can use Jsluice or trufflehog also to extract secrets from your source code JS files.
4. And more...!
# Requirements:MapperPlus requires :
1. Google Chrome : **You can install it using the following command :** ```apt install google-chrome-stable```
2. Node.Js : **You can install it using the following command:** ```apt install nodejs```
3. Npm : **You can install it using the following command:** ```apt install npm```
4. Go
5. Python
6. SourceMapper : **You can download it from here:** https://github.com/denandz/sourcemapper# Installation:
1. Run the requirements.sh script in order to download the latest version of required node modules.
2. Make sure Chrome is installed in your machine: **Run this command to verify** ```google-chrome --version```
3. Make sure you have npm, Node.js and Sourcemapper installed.# How to use:
MapperPlus have some features and accepts some arguments:
1. To download all .map files for a specific website, utilize the `-u` option with the URL of your target, and the `-t` option with the destination directory where the JS files will be saved. ( `-u` and `-t` are required.)
``` python3 mapperplus.py -u https://www.example.com/ -t ```
MapperPlus also offers the option to include cookies and custom headers if needed. You can use `-c` to specify a cookie file and `-h` to provide custom headers.**Example 1:** ```python3 mapperplus.py -u https://www.example.com/ -t example_output_directory -c cookiefile.txt -h "Authorization: Basic YWRtaW46YWRtaW4="```
2. In order to download and extract source codes of multiple targets at once, you can use the `-r` with the list of your targets.
**Example 2:** ```python3 mapperplus.py -r targets.txt -t example_output_directory -c cookiefile.txt -h "Authorization: Basic YWRtaW46YWRtaW4="```
# Some under construction features:
1. Download Lazy loaded .js files/chunks and look for their .map files too. (This will uncover the hidden parts of a number of websites) - **Security By Obscurity**.
2. Address specific scenarios: When retrieving multiple .js files from multiple sources, some websites may require specific cookies to avoid encountering 4xx errors.**You can add more ideas or contact me on my X profile to share your ideas or needs:** https://twitter.com/silentgh00st