Turn JavaScript analysis into a joy

Improve your Web Application Security Testing with rich data from static analysis

01
Discover its secrets
fingerprint

Instantly find relevant code

jswzl instantly analyses code to find the most relevant expressions in the code, and highlights them for you. Instantly get an overview of the code, and dig into most important parts.
1
api/users/1
2
3
/scripts/main.js
4
5
rest/v1/admin/info
6
 
String Expressions
Find paths, secrets, GraphQL queries, and other pertinent text content.
1
const httpOptions = {
2
  method: 'POST',
3
  headers: {
4
   'api-key': 'secret'
5
  }
6
}
Object Schemas
Find objects that match specific schemas, for things like HTTP options, route definitions, and other objects.
1
const resp = await fetch(
2
    url,
3
    httpOptions
4
);
5
  
6
  
Call Patterns
Find method calls to things like HTTP/Ajax requests and other relevant sinks.
1
localStorage.setItem("token", "....");
2
3
document.cookie = "...";
4
5
window.addEventListener("message", ...);
6
 
Client Behavior
Find client-side behavior that that influences the behavior of the application.
02
· Integrates with your existing tools
integration_instructions

Fits in with your existing tools

Leverage your existing experience with tools you love.

01. Integrate with Burp Suite

Ingest data from your testing
A simple Burp Suite extension ensures that requests going through the Proxy is sent to jswzl for analysis.

02. jswzl analysis engine

Advanced analysis of JS code
Ingests HTML and JS code to analyze through static analysis to find code that helps guide your testing.

03. View code in VS Code

Utilize best-in-class code editor
Use your existing VS Code installation, with all your favorite settings and plugins.
03
ANALYSIS ENGINE
share

Analysis Engine overview

Multiple layers of Advanced Static Code Analysis brings work together to improve the results of the analysis, and make review easier.
Pre-analysis
jswzl improves visibility by pre-analyzing code for:

- Detecting & applying sourcemaps
- Detecting & downloading chunked sources
- Extracting packed files
Optimization
Minified, packed code? No problem.

jswzl will optimize the code to undo a lot of code patterns applied by packers, or otherwise makes analysis harder. It also prettifies the code to make it easier to read! 
Analysis
The optimized code is analyzed, extracting descriptors for the code. The static analysis engine finds things like HTTP requests, paths, secrets, routes, and other code relevant to understand the application, assisting your testing efforts.
04
See it in action
integration_instructions

See in action

Dealing with a large amount of JS files

How do you best get an overview of a large amount of JS files during your testing? In this video, you will see how, by combining multiple JS files into one, you can get a great overview at a glance, extract data for brute forcing, and improve your testing efforts.

05
WAIT! THERE'S MORE
share

While also adding extra capabilities

privacy_tip
Pre-fetch lazy-loaded scripts
Tools like Webpack often split code into chunks, and lazy loads them. jswzl will detect and pre-fetch chunks that are dynamically referenced.
loyalty
Unpack packed scripts
Packed scripts can be a pain to work with. But jswzl will unpack packed code into their own logical files, and let you view the original structure of the code.
addchart
Discover & apply source mappings
When a HTTP response contains JavaScript, the jswzl Burp Plugin will attempt to load the `.map` file, if the source map is not in the file directly. It will then apply the source mapping, making the code more readable.
search_off
Prettify code
Most JavaScript served these days is heavily minified, which is impossible to read. But all code analyzed by jswzl is prettified and consistent in formatting.

lock_clock
Optimize code
Transpilers and minifiers often create weird code that makes no sense. Sometimes developers do weird things, that can be greatly simplified. jswzl optimizes certain types of codes to make interpretation easier.
dynamic_form
Resolve code references
The analysis engine in jswzl utilizes static analysis to reference variables, in order to better be able to identify expressions of interest, which may not be easily found without the ability to dereference variables.
loyalty
Framework agnostic
jswzl doesn't care what frameworks the code uses. Thanks to JavaScript being dynamically typed, the analysis engine relies entirely on heuristics. This means it's not tied specific frameworks.
privacy_tip
Supports common frameworks
But we've ALSO enhanced the engine with the ability to understand code patterns from frameworks like Angular, React, Ext JS, and many other frameworks.
06
testimonials

What do users say?

I’ve been using https://jswzl.io for the last month. If you reverse engineer JavaScript this is a must have tool. @CharlieEriksen has done an excellent job.
Jason Haddix
CEO @ Arcanum Information Security
jswzl is becoming one of de-facto tools for javascript analysis for career web app security testers.

Modern frameworks and apps require careful js analysis and jswzl makes life easier in that department. Check it out.
Corben Leo
Co-founder @ boring.co
Finding vulnerabilities got easier.

Pair @WeaselJs + Cursor by @anysphere.

Javascript analysis will never be the same
Abartan Dhakal
Penetration Testing Lead @ StickmanCyber
Did the beta testing, one of the best tool I have used so far. Great work @CharlieEriksen! Can't wait to see what more amazing stuffs you'll implement in the area of easy JS analysis via JSWZL.