Release Notes

jswzl 2024.4.4
December 20, 2024

This release contains a few new features:

  • When viewing combined sources, you can now right-click to get a list of the related URLs under the cursor.
  • You can now hide descriptor types from the tree.

It also contains some big performance improvements for loading projects. The time it takes to load a project and the peak memory usage of the server have been greatly reduced.

Server

No changes


Burp Extension

No changes


VS Code Extension
Performance
  • Reduced over-fetching for loading HTML sources, reducing memory usage of the server significantly.
  • Reduced the risk of making requests that cause overly large HTTP responses to be sent.

Hiding descriptors
  • You can now right-click a descriptor type or subtype and hide it.
  • When you have hidden a descriptor (sub)type, a new icon appears in the menu to show hidden ones.

Combined sources
  • When viewing combined sources, you can now view the URLs for the source by right-clicking in the editor.

Known issues

jswzl 2024.4.2
October 20, 2024

Thanks to user feedback, we found a number of performance bottlenecks, especially on Mac OS. Here are the highlights:

  • When ingesting files, the request list will update much more smoothly and evenly.
  • The delay between ingesting a file and it showing up is smaller, especially for large files.
  • Significant reduction in CPU and memory usage.

Server
Performance
  • Changed to a more optimized approach for inserting analysis results into the project.
  • Reduced a database roundtrip when inserting prettified source code.
  • (Mac OS only) Analysis tasks are now run on the thread pool rather than synchronously.
  • Improved the ingest pipeline so that it can defer tasks that aren't time-sensitive.
  • Fixed a bug where the pipeline was waiting for asynchronous notifications to have fully processed before proceeding.
  • Reduced memory usage of the string classifier by reducing intermediate lists in memory.
  • Improved descriptor extraction performance by using source generated regex.
Descriptors
  • Made the secret extractor a bit more conservative again.
  • SHA hashes are now filtered out.
General
  • (Mac OS only) Fixed a case where failed tasks could cause a deadlock.

Burp Extension

No changes


VS Code Extension

No changes


Known issues

jswzl 2024.4.1
October 17, 2024

This update has a lot of quality of life improvements, bug fixes, and other improvements. Here are the highlights:

  • Performance improvement, especially in the VS Code extension.
  • The secret detection has been dramatically improved.
  • Fixed a number of issues with unpacked sources.
Server
Classifiers
  • The hostname classifier no longer detects time formats as hostnames.
  • Added filters for Timezone strings.
  • Added filters for HTML tags.
Secret Detection
  • Variable declarations are now also analyzed.
  • Added some more naming patterns for variable names to look for.
Unpacking & Sourcemaps
  • Fixed an issue where unpacked and sourcemap files were not analyzed.
  • Fixed an issue where files packed as a string inside an eval statement were not fully unpacked.
  • Fixed an issue where unpacked files were not correctly linked to the parent source.

Burp Extension

No changes.


VS Code Extension
Descriptor Tree
  • Rewrote the logic for rendering the Descriptors tree to make it much faster.
  • Improved rendering performance by not recalculating the location of the icon for every tree item.
  • Descriptor groups are now sorted alphabetically.
  • Angular provider calls now have icons.
  • Improved performance by not sending the descriptors twice.
Host Tree
  • Fixed a bug that made the tree re-render every few seconds.
  • Virtual source directories with only 1 child node are now expanded automatically.
General improvement
  • The name of the editor when opening a virtual file now includes the full path.
  • When combining sources, it now includes the full virtual path of the file.
  • Reduced memory usage when using the Combine Sources feature.

Known issues

jswzl 2024.3.2
September 23, 2024

This release contains a big refactoring of the ingest pipeline to improve chunk pre-fetching:

  • Pre-fetching requests are now linked to the request that caused the pre-fetch to occur.
  • JavaScript in in-line HTML is now analyzed for chunks to pre-fetch.

It also contains a new detector for cryptographic material, and a number of bug fixes and other small improvements.

Server
Chunk pre-fetching

The logic for chunk pre-fetching has been overhauled once again, as it did not consider the case where chunk pre-fetching was happening from inline JavaScript in HTML, as opposed to a JavaScript file loaded through a script tag.

In order to be able to track which request caused certain chunks to be pre-fetched, the chunk analysis results are now also saved with the code. In addition, when the Burp extension pre-fetches source, it now sends the Id of the request that

Cryptographic material

Cryptographic material is now detected by jswzl. This includes:

  • Certificates
  • Public/private keys
  • Encrypted private keys
  • EC private keys
  • OpenSSH private keys
  • Certificate requests
  • PGP public/private key blocks
Ingest API

A new ingest API was introduced in 2024.3.1 as a beta. It returned a lot more information about the saved data. But in refactoring the ingest pipeline to improve chunk pre-fetching, it became clear that this approach was not going to be good in the long run. Instead, a simple ID (either SourceRequestId or HtmlPageRequestId) is returned if the request is stored.

This reduces memory consumption in the ingest pipeline and reduces data transferred between the server and client. The client can still get the information that it needs through the GraphQL API directly, only selecting the data it actually needs.

Other improvements
  • Fixed two bugs in the string optimizer that would generate invalid template literals.
  • Made the API Version detector more strict to prevent false positives.
  • Made the Ascending/Descending detector case-insensitive.
  • Disabled OpenTelemetry tracing in release builds, which improves performance.

Burp Extension
Chunk pre-fetching
  • Added a bail-out condition for chunk pre-fetching to avoid sending a lot of bad requests.

VS Code Extension
Request list
  • Source requests that were made as a source pre-fetch are now marked with an icon.

Known issues

jswzl 2024.3.1
July 18, 2024

This release contains a new Ingest API in a beta state, and fixes for some performance and reliability issues. This lays the foundations for other improvements coming up.

Server
Ingest API [Beta]

A new Ingest API has been introduced in a beta state. This allows you to send your own HTTP traffic to jswzl, and have it be analyzed. The documentation is available through Swagger/OpenAPI on http://localhost:37232/swagger when jswzl is running.

The documentation for ingest 

The reason for calling this a beta is that there are some major changes that will happen to this in upcoming releases, especially around:

  • Better indicating whether a request was a pre-fetch request, and from which request it originated.
  • Adding better return data.

Burp Extension
General
  • Now uses the new Ingest API.
  • Fixed an issue where prefetched chunks were not sent for analysis.

VS Code Extension
Request list
  • Fixed a race condition where only new data was shown in the list.
  • Reduced initialization time.
  • Fixed an issue where the findings weren't updated in the list once analysis was done.
Startup
  • Loading a project with a lot of HTML requests loads faster now, and memory usage is cut in half.

Known issues

jswzl 2024.2.3
June 3, 2024

This is another release with mostly just bug fixes, performance improvements, and small quality of life improvements. Here are the highlights:

  • The Burp plugin now only forwards requests where the "ToolSource" is "Proxy".
  • Fixed an issue where database connections were leaking, and could degrade performance over time.
  • Addressed some issues where the VS Code extension was attempting to select data sets that were too big at once.
  • The requests list had a number of bug fixes and improvements.
Server
General
  • Suppressed the error raised when a client closes the connection.
  • Fixed an instance where the GraphQL schema had incorrect nullability.
  • Fixed a memory leak from unused database connections.
  • Added source hash to the error message when a subprocess fails.

Burp Extension
Changes
  • Only requests coming from the Proxy are now analyzed by jswzl.

VS Code Extension
Request list
  • Fixed a bug where the sorting gets reset when new requests are added.
  • Fixed a bug where the descriptor overview is rendered incorrectly.
  • You can now sort the list by the number of descriptors found.
  • Disabled debouncing the scrolling, making scrolling smoother.
General
  • Reduced over-fetching of data from the API.
  • Reduced batch size when loading from the API.

Known issues

jswzl 2024.2.2
May 15, 2024

This release is a hotfix to address a couple of issues reported by customers. Here are the highlights:

  • Chunk Pre-Fetcher/Extractor now normalizes paths on the server more intelligently.
  • The ingestion engine will now ignore responses with code that shouldn't be parsed.
  • Mac OS memory management has been improved.
Server
Chunk Extractor
  • Path normalization logic has been added on the server.
Ingestion
  • Any code marked as Flow code will not be processed anymore.
  • Any HTML response to a Sec-Fetch-Dest: script request will now be ignored.
Mac OS
  • Changed the Garbage Collector to run concurrently, rather than in batch mode.

This will reduce memory usage after jswzl has been running for a while and reduce stalls/hangs from the GC running.


Burp Extension
Chunk Pre-Fetcher
  • The logic for determining the path has now been moved to the server.

VS Code Extension
General
  • Removed the "Show Source Diff" option for sources, as it was intended for internal debugging.

Known issues

jswzl 2024.2.1
April 25, 2024

This release has a few highlights:

  • Disabled compression of source code in the project files, reducing memory usage a lot.
  • Search is now quite a lot faster.
  • A new Email address extractor.
  • The Webpack chunk extractor has been rewritten.

This is in addition to a lot of little quality of life improvements.

Server
Chunk extractor
  • Rewritten almost from scratch! 
  • It now supports a lot more variations of chunk types.
  • Added extra protections to avoid fetching invalid chunks.
Email Extractor
  • Added an extractor for email addresses.
Search
  • Searching without regex is now significantly faster
Project file

The project file used to store the raw source with compression to reduce file size. This release changes that. When you open an old project with the new version, it will migrate the database.

Why?

  • It makes search faster
  • It makes combining multiple sources much faster
  • It reduces memory usage A LOT

The only real downside to this is that the size of a project file is about 50% larger.

Improvements
  • Added a number of reserved/local TLDs to the hostname detector.
  • No error is printed when the license cache is refreshed anymore.

Burp Extension
Fixes
  • Fixed an issue where the option to send to jswzl wouldn't be shown if a request without a response was selected.

VS Code Extension
Improvements
  • Source Tree
    • Improved the indication of when a source reference couldn't be resolved for script references.
    • URLs for script references are now simplified in the tree to reduce clutter.
  • Search
    • Improved the performance of loading search results.
  • Changed the retrying logic for API requests to the server to be less aggressive.

Known issues
  • Combined files or search results exceeding 50 MB can't be loaded due to a limitation in VS Code.

jswzl 2024.1.4
March 11, 2024

This is a small release to add features based on customer feedback.

  • Added a `--no-ssl` flag for environments that proxy TLS connections, so that the server can connect to the jswzl API to validate its license.
  • Added an extractor for hostnames.
  • Fixed a bug with the path extractor.
Server
New Features
  • Added an extractor for hostnames
  • Added a `--no-ssl` flag to be able to connect to the jswzl API behind
Fixes
  • The Path extractor now works better when the path has a query string

Burp Extension
Fixes
  • The chunk extractor now has extra protection against recursive loops

VS Code Extension

No changes.


Known issues

jswzl 2024.1.3
March 1, 2024

By popular request, jswzl now makes it much easier to navigate and review code in complex packed sources. Rather than show a flat list of extracted sources, it now builds a proper directory structure with the sources! 

Image: Nicely organized source tree to navigate

This is a first step towards providing a much better experience when you are reviewing large, complex SPAs. Future releases will hopefully take this concept further, getting MUCH closer to the experience in Chrome Dev Tools with packed sources!

Besides this, the release improves performance again. The loading time for a project has been reduced by around 50-75% compared to the last release. And the behavior observed on loading is more consistent now.

Server

New features

  • Source map and unpacked sources are now exposed as a virtual directory structure

Fixes

  • Improved performance when loading the Source Tree
  • Prevented logging of errors when a request is cancelled
  • Fixed a bug where source unpacking would fail when encountering a certain type of arrow function

Burp Extension

VS Code Extension

New features

  • Source map and unpacked sources now get rendered as a source tree

Fixes

  • Made initial project load faster
  • Improved data polling behavior
  • Updating the Source Tree now batches updates
  • Improved descriptor mappings and names

Known issues

jswzl 2024.1.2
February 15, 2024

This release contains a bunch of bug fixes and quality of life improvements. One area that's received a lot of work is the Host Tree, while there are also bug fixes in other parsing logic.

Host Tree

Major improvements were made to the Host Tree:

  • The resolution of elements from HTML pages has been made much more reliable
  • Fixed a number of timing/race condition issues that led to showing incomplete data
  • The tree can now refresh itself when it notices data has become stale
Server
  • Fixed a bug in the source unpacker when presented with certain types of arrow functions
  • Fixed a bug in the string optimizer when a spread operator is passed as an argument to Array.prototype.concat
  • Fixed a bug in the Client Behavior descriptor extraction when calls to addEventListener with invalid arguments were parsed
  • Fixed a bug in the resolution of an HTML script reference to a source request, where it'd only allow one reference to be matched to a request
  • Fixed a race condition between saving an HTML page and its inline and referenced sources
  • Fixed an issue where script references in HTML pages would get assigned an invalid source hash
  • Fixed an issue where code with a UTF-8 BOM would fail to parse

Burp Extension

No changes!


VS Code Extension
  • Fixed some race conditions where items in the Host Tree would show incorrect data
  • Improved the presentation of script references from HTML pages in the Host Tree.
  • You can now copy values of a group of descriptors in the Expression Tree by selecting a group, without selecting each individual value
  • Added a notification to indicate when jswzl is fetching project data on startup

Known issues

jswzl 2024.1.1
January 23, 2024

Here are the highlights of this release:

  • This upgrades from .NET 6 to .NET 8, which brings a host of improvements to performance.
  • Performance improvements! The memory usage of the server has dropped significantly, and load time for data has gone down to match. It's a night and day difference.
  • Refactored Object Schemas to be structured similarly to other descriptors.
  • Expanded on Client Behavior descriptors. Adding a whole host of new ones!
  • Native ARM64 build for Apple Silicon (M1/2/3) for OS X! 

And of course, there's a bunch of quality of life improvements and small bug fixes.

Server
Performance

This one is huge. The memory usage of the GraphQL API has been reduced by orders of magnitude in some cases. Load times for data have improved a lot as a result.

Object schemas

Object Schemas have had a big overhaul. Previously the results would be a "flat" hierarchy. This has been changed to be a proper grouped hierarchy like all other descriptors.

Client Behaviors

As promised in the last release, this feature has been extended!

React

  • dangerouslySetInnerHTML

Angular

  • bypassSecurityTrustHtml
  • bypassSecurityTrustStyle
  • bypassSecurityTrustScript
  • bypassSecurityTrustUrl
  • bypassSecurityTrustResourceUrl

jQuery

  • html

JS

  • innerHTML
  • document.write

Improvements
  • Fixed a couple of issues in GraphQL parser

Burp Extension
Improvements
  • Fixed an issue in "Send to jswzl", where it'd fail if any request was selected without a response

VS Code Extension
Improvements
  • Added progress indicator when combining sources
  • Improved reliability of combining sources by chunking the requests
  • Fixed a bug where combining sources under a host wouldn't include the first-level items
  • Fixed a race condition in the loading of the request list
  • Added icons for a bunch of descriptors that didn't previously have one

Known issues

jswzl 2023.4.7
December 26, 2023

This release is a game changer for the many of you I've heard from that like to hunt for client-side bugs. It introduces a new type of descriptor: Client Behavior.

It's just a first version for now. Expect more to be added in January/February. And if you have any code patterns you would like to see integrated, please do reach out to support@jswzl.io and let me know. It's immensely helpful. This initial release was very much shaped by those who did, including:

  • @nmdhkr
  • BloodHound
Server
Client behavior

jswzl now has a new type of descriptor: Client Behavior. The initial version catches these code patterns:

  • document.cookie
  • Local / Session Storage (Get, Set, Remove item)
  • Messages (addEventListener, onmessage, postMessage)

Burp Extension

VS Code Extension
Improvements
  • The source tree is now collapsed by default
  • The source tree now has a description label with a count of how many children each node has
  • The navigation actions of the source tree have been cleaned up by removing functions that weren't useful
  • When you "Combine Sources" on a Host node, it now automatically recurses all children

Known issues

jswzl 2023.4.6
December 15, 2023

This release contains two important fixes. The first is for the analysis engine, where strings with escaped quotes weren't handled correctly, and the other is for the chunk prefetcher, which could spin out of control.

It's recommended to update as soon as possible.

Server
Fixes
  • Fixed an issue where strings with escaped quotes were not correctly analyzed

Burp Extension
Fixes
  • Fixed an issue where the chunk prefetcher could infinitely recurse and generate a lot of requests under very specific circumstances

VS Code Extension
Fixes
  • You can now sort the requests grid

Known issues

jswzl 2023.4.5
December 11, 2023
Server

Burp Extension
New features
  • You can now right-click on one or more requests and send them directly to jswzl

VS Code Extension
New features
  • You can now delete a host from the source tree, deleting all data within it
Fixes
  • When you click the requests list, it now highlights that request
  • Fixed an issue where requests weren't updated once analysis results were completed
  • When opening code, it no longer drags focus to the descriptors list
  • Improved handling of paging of sources
  • The requests list is now sorted in ascending order by timestamp
  • Fixed loading of HTML sources
  • You can now select text in the requests grid
  • Combining sources will now only combine a single source once

Known issues

jswzl 2023.4.4
November 26, 2023

This release contains a handful of bug fixes in parsing and UI issues.

Server
Parser upgrade

esprima has been upgraded to 3.0.2, which contains fixes for two issues:

  • Fixed an issue with prettifying code with a lot of parentheses/nested logical expressions
  • Fixed an issue with parsing code with export default statements
Chunk Extractor
  • Ensure that the same result is only returned once
  • Fixed an issue where a dictionary contains string literal keys
Other
  • Improved license handling when changing license key

Burp Extension

VS Code Extension
  • Fixed rendering of decorators in code
  • Fixed issue where the requests list didn't show any results

Known issues

jswzl 2023.4.3
November 3, 2023

This release contains a few major highlights:

  • Fixes wordlist generation.
  • Detect package.json files embedded in JS.
  • Detect React Router routes.
Server
Extractors
  • Added extractor for package.json files.
  • Added extractor for React Router routes.
Performance
  • Improved performance of the Object Schema validator by adding a type cache.
  • Prevent storing of invalid sourcemaps.

Burp Extension

No changes


VS Code Extension
  • Fixed wordlist generation not working.
  • Improved error message when unable to load sources.

Known issues

jswzl 2023.4.2
October 4, 2023

This release addresses some issues introduced in 2023.4.1, mostly covering performance and the chunk pre-fetching.

Server
Improvements
  • Fixed a database overfetching issue that impacted performance when first starting up a VS Code client.

Burp Extension
Improvements
  • Fixed an issue where chunks would not be prefetched even if detected by the server.

VS Code Extension
Improvements
  • Reduced the number of requests being loaded at a time on startup to improve responsiveness.
  • If you try to load a file that has not yet been processed, you'll now get the non-processed source rather than an error message.

Known issues

jswzl 2023.4.1
October 3, 2023

This release contains first iterations of the top 3 most commonly requested features! 

Search

You can now search all sources from the Search panel.

It also supports regex! 
Combine files

You can now combine multiple files into a single view.

You can use this to take all paths from sources of a host, for instance.
Only send in-scope requests

You can now opt to only send in-scope requests for analysis.

Configured from the jswzl tab
Webpack chunk extraction

Webpack chunk detection and prefetching has had a dramatic overhaul. On top of upgrading the version of Jint to fix a bug, the heuristics for detecting Webpack chunks have been dramatically improved. This was possible thanks to creating a test corpus of just over 1000 real-life Webpack runtime files for automatic testing.

The initial testing showed a ~10% success rate of detecting the chunks. The fixes in this release bring that success rate up to 90%. In coming releases the goal is to get this number way up.

Server
Webpack chunks
  • Upgraded to latest Jint release, fixing an issue in the Webpack chunk extraction runtime.
  • Added a few more heuristics for finding chunks.
Improvements
  • Added icon to the binary for Windows.


Burp Extension
New features
  • You can now configure the extension to only forward requests that are in scope.

VS Code Extension
New features
  • You can now combine multiple files into one by right-clicking them in the Source Tree.
  • You can now search across all sources from the Search panel in the Source Tree.
Improvements
  • Improved polling behavior to be more consistent for new data.
  • Decreased batching behavior of the requests list.
  • Improved the Descriptors Tree to better stay in sync with the active document.


Known issues
  • Code with optional chaining may fail to parse.

jswzl 2023.3.7 (Hotfix)
September 18, 2023

This is a minor hotfix, fixing an issue that led to a lot of JS not being processed and logged.

Server
  • Fixed an issue where some JS would not be processed if it also contained valid HTML.

Burp Extension

VS Code Extension

Known issues

jswzl 2023.3.6
September 11, 2023

This release brings improvements to commonly requested features. Here are the highlights!

Scope information

This has been a popular request. And I want to take a minute to explain how this was implemented. When the Burp extension processes a request, it tests two things:

  1. Is the requested URL in scope?
  2. Is the referer (if present) in scope?

It includes this information in the data submitted to the jswzl server. Why this approach? Because the Burp Suite "Montoya" API only provides a single function for our purposes, which is to check if a URL is in scope or not.

This places some limitations on how this could be implemented. The biggest limitation being that if you change your scope in Burp Suite, it will NOT be reflected in jswzl for historical data. It also means that all existing data you have will have all requests marked as out of scope.

Having said that, with this data now stored, you can filter the data in the VS Code extension! 

Filtering the request list by scope.
Filtering the source tree by scope.

Source maps

Previously, the Burp Suite extension would take any `.js` file requested, and request it again with `.map` as a suffix to discover any source map. This has been improved a few ways:

  • The Burp Suite extension now checks whether there is a `sourceMappingURL` comment on either the first or the last line of the source
  • If there is a path, it will resolve that path (for safety reasons, it will NOT resolve it if it's an absolute URL)
  • If there's an inline source map, it extracts that

There's still one technical limitation: for any packed/nested code with its own source map, that source map is not applied independently. This is a slightly more complex case to handle, and will hopefully be addressed later this year.
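The discovery rules listed above, sketched as an added JavaScript example (not jswzl's or the Burp extension's own code). Function and field names are hypothetical; it assumes that a skipped absolute URL results in no request at all and that the `.map` fallback is appended to the path before any query string. The final same-origin check goes beyond what these notes describe.

```javascript
// Added example; names are hypothetical and this is not jswzl code.
// Decides what to do about a script's source map without making any request.

// Matches "//# sourceMappingURL=..." and the legacy "//@ sourceMappingURL=..." form.
const COMMENT_RE = /^\s*\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/;
// Inline source map: a base64 data: URL carrying JSON, with optional parameters.
const INLINE_RE = /^data:application\/json(?:;[^;,]+)*;base64,(.+)$/;
// Anything starting with "scheme:" is treated as an absolute URL.
const SCHEME_RE = /^[a-zA-Z][a-zA-Z0-9+.-]*:/;

// Constructed sample input: a script with an inline source map on its last line.
const SAMPLE_MAP = { version: 3, sources: ["src/app.ts"], names: [], mappings: "" };
const SAMPLE_INLINE_JS =
  "console.log(1);\n//# sourceMappingURL=data:application/json;charset=utf-8;base64," +
  Buffer.from(JSON.stringify(SAMPLE_MAP)).toString("base64") + "\n";

// Return the sourceMappingURL value found on the last or first non-empty line,
// or null. Comments anywhere else in the file are ignored.
function findSourceMapComment(source) {
  const lines = source.split(/\r?\n/).filter((l) => l.trim() !== "");
  if (lines.length === 0) return null;
  for (const line of [lines[lines.length - 1], lines[0]]) {
    const m = COMMENT_RE.exec(line);
    if (m) return m[1];
  }
  return null;
}

// Fallback: the script URL with ".map" added to the path (query string kept).
function fallbackMapUrl(scriptUrl) {
  const u = new URL(scriptUrl);
  u.pathname += ".map";
  return u.href;
}

// Returns one of:
//   { action: "inline", map }          source map decoded from the comment
//   { action: "fetch", url, reason }   URL that is safe to request
//   { action: "skip", reason }         reference found but deliberately not followed
function planSourceMapFetch(scriptUrl, source) {
  const ref = findSourceMapComment(source);
  if (ref === null) {
    return { action: "fetch", url: fallbackMapUrl(scriptUrl), reason: "fallback" };
  }

  const inline = INLINE_RE.exec(ref);
  if (inline) {
    try {
      const json = Buffer.from(inline[1], "base64").toString("utf8");
      return { action: "inline", map: JSON.parse(json) };
    } catch {
      return { action: "skip", reason: "invalid-inline-map" };
    }
  }

  // Absolute URLs are never followed: the comment is content controlled by the
  // target site and must not be able to steer the tool's requests to another
  // host. "//host" and "\\host" are host-changing forms as well, because URL
  // parsers treat backslashes as slashes for http(s).
  if (SCHEME_RE.test(ref) || /^[\\\/]{2}/.test(ref)) {
    return { action: "skip", reason: "absolute-url" };
  }

  let resolved;
  const base = new URL(scriptUrl);
  try {
    resolved = new URL(ref, base);
  } catch {
    return { action: "skip", reason: "unparseable" };
  }
  // Defence in depth: whatever the parser did, stay on the script's origin.
  if (resolved.origin !== base.origin) {
    return { action: "skip", reason: "cross-origin" };
  }
  return { action: "fetch", url: resolved.href, reason: "comment" };
}
```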

Server
New features
  • Scope information is now stored with JS and HTML requests.
  • Script tags stored for HTML pages now contain their `type` value.
  • It now finds and applies inline source maps.
Performance
  • Improved performance by no longer trying to parse non-tolerantly first.
  • Improved performance from upgrading to esprima-dotnet v3.0.1.
Fixes
  • Fixed the timestamp stored with sources.
  • Fixed pretty printing of JSX.
Dependencies

We upgraded to the final release of esprima-dotnet (v3.0.1), thanks to the team, especially lahma and adam85. This has a number of important improvements:

  • Performance improvements!
  • Fixes an issue with parsing import expressions inside a yield expression.
  • Fixes an issue with parsing empty JSX elements.
  • Fixes an issue with parsing legacy octal escapes in string literals.
  • Fixes an issue with parsing some invalid JS, making it error gracefully.
  • Fixes parsing strict code when the code is an Expression, rather than Script/Module.

Burp Extension
New features
  • Source map URLs are now discovered and fetched.
  • If no source map URL is found, it will still try to fetch any `.js` file with a `.map` extension, as before.

VS Code Extension
New features
  • You can now filter the Source Tree by whether the request was in scope or not.
  • You can now filter the Request List by whether the request was in scope or not.

Known issues

jswzl 2023.3.5
September 4, 2023

This is a double-hotfix for 2023.3.4 fixing two issues. It also happens to contain improvements to the request list!

Note: A version of 2023.3.5 was released on September 3rd originally. Another version of 2023.3.5 was released on September 4th which also fixes the wordlist generator.

  • MacOS deadlock has been fixed
  • Wordlist generation has been fixed
  • You can now filter the request list table
Server
  • MacOS deadlock has been fixed
  • Wordlist generation has been fixed


Burp Extension

VS Code Extension
  • You can now filter the request list table

Known issues

jswzl 2023.3.4
August 31, 2023

This release has been a while in the making now, and contains really big improvements to the tool. Before we get to all the good news, first the bad news:

Breaking changes

You cannot use your old project database anymore, as the database schema was changed so dramatically that it was impossible to remain backwards compatible.

But it'll be worth it

I'm pretty confident that those of you who have used the tool for a while will find that the changes and improvements contained make it well worth it! Here are the highlights:

  • Really big performance improvements.
  • Improved VS Code responsiveness.
  • Support for JSX.
  • Improved secret detection, including base64 values, JWTs and GUIDs.
  • Request list UI has been dramatically improved, and has more information.
  • You can now see HTML requests in the Host Tree and Requests List.
  • You can now see HTML pages, all pretty printed, when clicking on an HTML page/request in the Host tree and requests list.
  • In-line HTML is now shown in the Host Tree.
  • References to JavaScript sources from HTML pages are now extracted, and any corresponding request is linked.
What's next? 

First of all, thanks to everybody who's provided feedback on jswzl, and sent in feature requests. This release addresses a number of common requests I've received, and makes it easier to address others in releases to come!

Because this release included a major refactoring of the Database and API schema, it took a while to get out the door. With this out of the way, I hope to be able to achieve a faster cadence of releases for the rest of the year.

Server
New features
  • JSX support.
  • HTML responses are now prettified and stored.
  • JavaScript inside HTML <script> tags is now stored and analyzed.
  • References to JavaScript files in <script> tags are now stored.
  • Base64 encoded JSON strings are now identified as potential secrets
  • JWTs are now detected as secrets
  • GUIDs are now detected as secrets
Performance
  • Switched to a faster HTML parsing library (From HtmlAgilityPack to AngleSharp).
  • Improved database performance by refactoring the database schema to rely less on updates to large rows.
  • Improved database performance by using bulk inserting.
  • Upgraded to latest esprima-dotnet which contained some nice performance improvements. Thanks to the esprima-dotnet team for their hard work.
  • Switched from Json.NET to System.Text.Json, which improves performance.
  • Analysis result statistics are now cached, improving load times.
  • Reduced expensive duplicate work, improving performance on ingestion.

Burp Extension
  • Improved performance by not base64 encoding response bodies before transmitting them to the server.
  • Include the request timestamp when sending to the server.

VS Code Extension
New features
  • The UI of the Requests list has been dramatically improved.
  • Greatly improved performance.
  • Data is now loaded in batches, improving responsiveness and initial load time.
  • The Host Tree now shows HTML pages also, including all inline and JS references.
  • You can now view HTML pages, and inline sources.
  • The Requests List now shows HTML pages loaded.

Known issues

jswzl 2023.3.3
July 27, 2023

Highlights:

  • Improved GraphQL classification. Most types of GraphQL entities are now extracted into their own category, and GraphQL descriptors are labeled according to their actual type.
  • Wordlist generation. You can now generate a wordlist from the source tree, or by right-clicking in the editor.
  • You can now configure the IP and port of the analysis server that the VS Code extension connects to, from the settings.
Server

New features

  • Added ability to extract a wordlist from JavaScript code.
  • Added a /health endpoint to check if the server is alive.

Improvements

  • Improve detection of GraphQL. The findings are now split into Query, Mutation, Subscription, Fragment, Type, etc.
  • Increased the max assignment depth of the JavaScript parser.
  • Improved license handling.
  • Upgraded to latest esprima-dotnet version, which had some nice performance improvements!

Fixes

  • Fixed extraction of packed sources.
  • You no longer get a console error when the analysis of a file doesn't contain any descriptors.

Burp Extension
  • Improved performance during heavy load
  • You can now see how many requests are queued in the jswzl tab
  • Added timestamps to error logs

VS Code Extension

New features

  • Added the ability to generate wordlists from sources or the text editor through the right-click menu. Multiple items can be selected.
  • Added an indicator to the status bar that shows when the jswzl Server is no longer sending heartbeats.
  • You can now change the IP and port to connect to in extension settings.

Improvements

  • When selecting a descriptor it is now briefly highlighted in the editor.
  • Improved the icon/decorator handling to be more consistent between the editor and descriptor tree.

Performance

  • Improved responsiveness when new sources and analysis results are available.

Known issues

None


jswzl 2023.3.2
July 22, 2023

I launched jswzl a week ago now. And in the time since, I've been hard at work fixing issues reported. Thank you to everybody who's provided feedback and let me know of bugs. Please continue to reach out if you encounter any issues, or have suggestions for improvements.

The highlights of this release are:

  • Improved performance and reliability across the board
  • Improved GraphQL and Secret detection
  • Fixed bugs

Server

Analysis

  • Improved detection for secrets: Added detection for AWS key names.
  • Improved detection for GraphQL queries: Some GraphQL queries were not detected due to being filtered by a CSS filter.

Performance

  • Improved concurrency limiter to better prevent system overloading, while still being responsive to real-time events.
  • Added a `-t/--threads` flag. This sets how many analysis processes can run at any given time. The default is half of the total cores.
  • [Mac OS] Improved reliability under memory pressure.

System

  • [Linux/Mac OS] Fixed the ability to open a browser window with download links for the latest release.

Burp Extension
  • Limited the executor pool size to prevent making too many requests to the jswzl Server at a time.

VS Code Extension
  • Now uses multiple connections to the jswzl Server for improved responsiveness and error handling.
  • Prevented retries to the jswzl Server in cases where a request fails.

Known issues
  • [Apple Silicon] When the machine is under memory pressure, the jswzl server may hang. This release contains a handful of mitigations for this issue and the ability to reduce the number of analysis processes with `-t`.

jswzl 2024.4.3
November 16, 2024

This release, 2024.4.3, introduces a big change to the database schema for improved performance. To achieve that, it has to migrate any existing project database when it is first loaded. This can take a bit of time (about 1 minute per gigabyte of the project). Once migrated, the project can no longer be opened by older versions of jswzl.

In addition to that, it also has a few big things:

  • Fixed some detection issues around `this.` expressions and variable declarators.
  • No longer analyzing regex strings, as they were very noisy.
  • Improved websocket reliability in the VS Code extension.
  • Made the loading indicators in VS Code less obtrusive.
Server
Performance - Project schema

While working on version 2024.4.2, we noticed that inserting large amounts of descriptors into the project database was a lot slower than expected. The issue turned out to be in the database schema for storing expressions and descriptors, which used a GUID as its primary key. This severely hurt performance, making inserts 2-3x slower than using an integer as the primary key. This release changes that. Here are the benefits:

  • Especially for larger files, the time it takes for analysis results to show up has been reduced by more than 50%.
  • Project files are about 9% smaller.

The only downside is that existing project files need to be migrated. This is done when you start up jswzl. What you need to know is:

  • It takes about 30-60 seconds per gigabyte.
  • It takes up memory worth the size of your project, as it needs to load the full project into memory.
  • And while rebuilding the project, it takes up twice the project size on disk temporarily.
  • If you are using the GraphQL API, the SourceExpressionIds will change from a GUID to an Integer.
Performance
  • Tweaked how many expressions are inserted per batch. For larger files, this reduces the time it takes to save the results by 50-60%, and peak memory usage is reduced.
Descriptors
  • Descriptors are no longer generated for literals inside a `new RegExp` call or in a regex literal, as they were found to be very noisy.
  • Fixed an issue where secrets were not detected in `this.` expressions.
  • Fixed an issue where descriptors for variable declarators didn't contain any value.

Burp Extension

No changes


VS Code Extension
General
  • Added an option to combine sources non-recursively.
  • Changed the "Loading Project" notification to a status indicator, and only start showing it once data starts to be loaded.
  • Improved loading indicators for source tree and request list.
  • Fixed an issue where WebSockets couldn't be opened on startup.

Known issues