javascript-surface-analyzer

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

JavaScript Surface Analyzer

JavaScript 表面分析器

Purpose

用途

Extract attacker-relevant intelligence from front-end code and convert it into testable hypotheses.

从前端代码中提取攻击者关注的情报，并将其转化为可测试的假设。

Inputs

输入

```
target_url
```
```
seed_pages
```
(optional)
```
auth_context
```
(optional)

```
target_url
```
```
seed_pages
```
（可选）
```
auth_context
```
（可选）

Workflow

工作流

Phase 1: Asset Enumeration

阶段1：资产枚举

Collect static and dynamic script URLs.
Expand via source maps and chunk manifests where available.
Track script origin, load condition, and execution context.

收集静态和动态脚本URL。
若存在source map和chunk manifest，通过其扩展资产范围。
记录脚本来源、加载条件和执行上下文。

Phase 2: Artifact Extraction

阶段2：信息提取

Endpoints, route builders, and API clients.
Header/token construction logic.
Feature flags, debug modes, hidden route toggles.
Secret candidates and key material references.

端点、路由构造器和API客户端。
请求头/令牌构造逻辑。
功能开关、调试模式、隐藏路由触发器。
敏感信息候选对象和密钥材料引用。

Phase 3: Sink Analysis

阶段3：Sink分析

DOM write sinks:
```
innerHTML
```
,
```
outerHTML
```
, template insertion.
Code execution sinks:
```
eval
```
,
```
Function
```
,
```
setTimeout
```
string usage.
URL/navigation sinks: dynamic redirects, iframe/src assignments.
Storage sinks: local/session storage of sensitive artifacts.

DOM写入sink：
```
innerHTML
```
、
```
outerHTML
```
、模板插入。
代码执行sink：
```
eval
```
、
```
Function
```
、
```
setTimeout
```
字符串用法。
URL/导航sink：动态重定向、iframe/src赋值。
存储sink：敏感信息的本地/会话存储。

Phase 4: Controllability Assessment

阶段4：可控性评估

Determine if attacker can influence source data.
Trace sanitization or encoding at boundaries.
Estimate exploit preconditions per sink.

判断攻击者是否可以影响源数据。
追踪边界处的消毒或编码逻辑。
评估每个sink的漏洞利用前置条件。

Phase 5: Follow-up Planning

阶段5：后续规划

Create endpoint verification cases.
Create DOM-XSS and open redirect probes.
Create token misuse and privilege abuse checks.

创建端点验证用例。
创建DOM-XSS和开放重定向探测用例。
创建令牌误用和权限滥用检查用例。

Minimum Extraction Targets

最低提取指标

Category	Required Extraction
API surface	method + path hints + caller context
Secrets	key/token candidates with confidence tag
Sinks	sink type + source controllability
Hidden features	flag name + activation condition

分类	要求提取内容
API面	请求方法 + 路径提示 + 调用方上下文
敏感信息	带置信度标签的密钥/令牌候选
Sink	sink类型 + 源可控性
隐藏功能	开关名称 + 激活条件

Output Contract

输出规范

json

{
  "script_inventory": [],
  "endpoint_candidates": [],
  "secret_candidates": [],
  "sink_map": [],
  "hidden_features": [],
  "follow_up_tests": []
}

json

{
  "script_inventory": [],
  "endpoint_candidates": [],
  "secret_candidates": [],
  "sink_map": [],
  "hidden_features": [],
  "follow_up_tests": []
}

Constraints

约束条件

Treat secret candidates as sensitive.
Mark uncertainty for heavily obfuscated code.

将敏感信息候选视为机密数据。
对高度混淆的代码标记不确定性。

Quality Checklist

质量检查清单

Dynamic script loading is covered.
Sink report includes controllability.
Follow-up tests are concrete and scoped.

覆盖动态脚本加载场景。
Sink报告包含可控性信息。
后续测试具体且范围明确。

Detailed Operator Notes

详细操作说明

Static + Runtime Correlation

静态+运行时关联

Correlate bundled route constants with observed network calls.
Correlate feature flags with guarded code branches.
Correlate secret candidates with call-site usage.

将打包后的路由常量与观测到的网络请求关联。
将功能开关与受保护的代码分支关联。
将敏感信息候选与调用位置的使用情况关联。

Sink Prioritization Heuristics

Sink优先级判定规则

Prioritize sinks fed by URL, query string, postMessage, or storage.
Prioritize sinks reachable pre-auth and in shared pages.
Prioritize sinks with partial sanitization or legacy wrappers.

优先处理由URL、查询字符串、postMessage或存储提供数据的sink。
优先处理授权前可访问、公共页面中存在的sink。
优先处理仅有部分消毒逻辑或使用了旧封装的sink。

Obfuscation Strategy

混淆代码处理策略

Start with string table recovery and call-graph sketch.
Identify decoder/dispatcher stubs before deep tracing.
Mark unresolved obfuscated segments as explicit unknowns.

从字符串表恢复和调用图绘制开始处理。
在深度追踪前先识别解码器/调度器存根。
将未解析的混淆片段明确标记为未知项。

Reporting Rules

报告规则

Include
```
controllable_source
```
for each sink candidate.
Include
```
execution_context
```
(HTML, attribute, JS string, URL).
Include follow-up payload family per sink.

为每个sink候选添加
```
controllable_source
```
（可控源）信息。
包含
```
execution_context
```
（执行上下文：HTML、属性、JS字符串、URL）。
为每个sink匹配对应的后续payload类型。

Quick Scenarios

快速场景

Scenario A: Authorization Drift

场景A：权限漂移

Baseline with owned resource.
Replay with foreign resource identifier.
Repeat with role shift and fresh session.
Confirm read/write/delete differences.

使用自有资源生成基准结果。
使用外部资源标识符重放请求。
切换角色并使用新会话重复请求。
确认读/写/删除操作的权限差异。

Scenario B: Input Handling Weakness

场景B：输入处理缺陷

Send syntactically valid control payload.
Send semantically malicious variant.
Verify parser or execution side effect.
Re-test with content-type variation.

发送语法合法的控制payload。
发送语义恶意的变体payload。
验证解析器或执行的副作用。
更换Content-Type重新测试。

Scenario C: Workflow Bypass

场景C：工作流绕过

Execute expected state sequence.
Attempt out-of-order transition.
Attempt repeated action replay.
Confirm server-side state enforcement.

执行预期的状态流转序列。
尝试乱序状态跳转。
尝试重复重放操作。
确认服务端是否做了状态强制校验。

Conditional Decision Matrix

条件决策矩阵

Condition	Action	Evidence Requirement
Endpoint found in code but not traffic	create targeted trigger path for invocation	call-site + trigger proof
Secret candidate appears in multiple bundles	map runtime use and scope	usage map with confidence
Sink appears sanitized	verify context-specific sanitizer match	sink-context trace
Obfuscated dispatcher controls routes	recover dispatcher map before sink triage	dispatcher mapping artifact
Feature flag gates privileged behavior	test activation constraints and fallback paths	flag-state behavior diff

条件	操作	证据要求
代码中存在但流量中未出现的端点	创建针对性的触发路径调用该端点	调用位置 + 触发证明
多个打包产物中都出现的敏感信息候选	映射运行时使用场景和范围	带置信度的使用地图
看起来经过消毒的sink	验证消毒逻辑是否匹配上下文	sink上下文追踪记录
混淆调度器控制路由	在sink分类前先恢复调度器映射表	调度器映射构件
功能开关管控高权限行为	测试激活约束和降级路径	开关状态行为差异记录

Advanced Coverage Extensions

高级覆盖扩展

Correlate source-map names with production minified call sites.
Extract hidden API capabilities from autogenerated client stubs.
Detect unsafe postMessage listeners and origin validation gaps.
Detect dynamic import paths controlled by user data.
Detect insecure local storage coupling to auth flows.

将source map中的名称与生产环境压缩后的调用位置关联。
从自动生成的客户端存根中提取隐藏的API能力。
检测不安全的postMessage监听器和来源校验漏洞。
检测由用户数据控制的动态import路径。
检测授权流程耦合本地存储的不安全场景。