This release contains a few new features:
It also contains some big performance improvements for loading projects. The time it takes to load a project and the peak memory usage of the server has been greatly reduced.
No changes
No changes
Thanks to user feedback, we found a number of performance bottlenecks, especially on Mac OS. Here are the highlights:
No changes
No changes
This update has a lot of quality of life improvements, bug fixes, and other improvements. Here are the highlights:
No changes.
Combine Sources
feature. This release contains a big refactoring of the ingest pipeline to improve chunk pre-fetching:
It also contains a new detector for cryptographic material, and a number of bug fixes and other small improvements.
The logic for chunk pre-fetching has been overhauled once again, as it did not consider the case where chunk pre-fetching was happening from inline JavaScript in HTML, as opposed to JavaScript file loaded through a Script tag.
In order to be able to track which request caused certain chunks to be pre-fetched, the chunk analysis results are now also saved with the code. In addition, when the Burp extension pre-fetches source, it now sends the Id of the request that
Cryptographic material is now detected by jswzl. This includes:
A new ingest API was introduced in 2024.3.1 as a beta. It would return a lot more information about the saved data. But in refactoring the ingest pipeline to improve chunk pre-fetching, it became clear that this approach was not going to be good in the long run. Rather, a simple ID (Either SourceRequestId, or HtmlPageRequestId) is returned if the requested is stored.
This reduces memory consumption in the ingest pipeline and reduces data transferred between the server and client. The client can still get the information that it needs through the GraphQL API directly, only selecting the data it actually needs.
This release contains a new Ingest API in a beta state, and some performance and reliability issues. This lays the foundations for other improvements coming up.
A new Ingest API has been introduced in a beta state. This allows you to send your own HTTP traffic to jswzl, and have it be analyzed. The documentation is available through Swagger/OpenAPI on http://localhost:37232/swagger when jswzl is running.
The reason for calling this a beta, is that there are some major changes that will happen to this in upcoming releases, especially around:
This is another release with mostly just bug fixes, performance improvements, and small quality of life improvements. Here are the highlights:
This release is a hotfix to address a couple of issues reported by customers. Here are the highlights:
Sec-Fetch-Dest: script
request will now be ignored.This will reduce memory usage after jswzl has been running for a while and reduce stalls/hangs from the GC running.
This release has a few highlights:
This is in addition to a lot of little quality of life improvements.
The project file used to store the raw source with compression to reduce file size. This release changes that. When you open an old project with the new version, it will migrate the database.
Why?
The only real downside to this is that the size of a project file is about 50% larger.
This is a small release to add a features based on customer feedback.
No changes.
By popular request, jswzl now makes it much easier to navigate and review code in complex packed sources. Rather than show a flat list of extracted sources, it now builds a proper directory structure with the sources!
This is a first step towards providing a much better experience when you are reviewing large, complex SPAs. Future releases will hopefully take this concept further, getting MUCH closer to the experience in Chrome Dev Tools with packed sources!
Besides this, the release improves performance again. The loading time for a project has been reduced in the realm of 50-75% compared to last release. And the behavior observed on loading is more consistent now.
New features
Fixes
New features
Fixes
This release contains a bunch of bug fixes and quality of life improvements. One area that's received a lot of work is the Host Tree, while there are also bug fixes in other parsing logic.
Major improvements were made to the Host Tree:
No changes!
Here's the highlights of this release:
And of course, there's a bunch of quality of life improvements and small bug fixes.
This one is huge. The memory usage of the GraphQL API has been reduced by orders of magnitude in some cases. Load times of data has gone way up as a result.
Object Schemas have had a big overhaul. Previously the results would be a "flat" hierarchy. This has been changed to be a proper grouped hierarchy like all other descriptors.
As promised in the last release, this feature has been extended!
React
Angular
jQuery
JS
This release is a game changer for the many of you I've heard from that like to hunt for client-side bugs. It introduces a new type of descriptor: Client Behavior.
It's just a first version for now. Expect more being added in January/February. And if you have any code patterns you would like to see integrated, please do reach out to support@jswzl.io and let me know. It's immensely helpful. This initial release was very much shaped by those that did, which include:
jswzl now has a new type of descriptor: Client Behavior. The initial version catches these code patterns:
This release contains two important fixes. First one is for the analysis engine where strings with escaped quotes weren't handled correctly, and the other being the chunk prefetcher which could spin out of control.
It's recommended to update as soon as possible.
This release contains a handful of bug fixes in parsing and UI issues.
esprima has been upgraded to 3.0.2, which contains fixes for two issues:
This release contains a few major highlights:
No changes
This release addresses some issues introduced in 2023.4.1, mostly covering performance and the chunk pre-fetching.
This release contains first iterations of the top 3 most commonly requested features!
You can now search all sources from the Search panel.
You can now combine multiple files into a single view.
You can now opt to only send in-scope requests for analysis.
Webpack chunk detection and prefetching has had a dramatic overhaul. On top of upgrading the version of Jint to fix a bug, the heuristics for detection of webpack chunks has been dramatically improved. This was possible thanks to creating a test corpus of real-life Webpack runtime files for automatic testing consisting of just over 1000 files.
The initial testing showed a ~10% success rate of detecting the chunks. The fixes in this release brings that success rate up to 90%. In coming releases the goal is to get this number way up.
This is a minor hotfix, fixing an issue that lead to a lot of JS not being processed and logged.
This release brings improvements to commonly requested features. Here are the highlights!
This has been a popular request. And I want to take a minute to explain how this was implemented. When the Burp extension processes a request, it tests two things:
It includes this information in the data submitted to the jswzl server. Why this approach? Because the Burp Suite "Montoya" API only provides a single function for our purposes, which is to check if a URL is in scope or not.
This places some limitations on how this could be implemented. The biggest limitation being that if you change your scope in Burp Suite, it will NOT be reflected in jswzl for historical data. It also means that all existing data you have will have all requests marked as out of scope.
Having said that, with this data now stored, you can filter the data in the VS Code extension!
Previously, the Burp Suite extension would take any `.js` file requested, and request it again with `.map` as a suffix to discover any source map. This has been improved a few ways:
There's still one technical limitation: Any packed/nested code with their own source map is not applied indepdently. This is a slightly more complex case to handle, and will hopefully be addressed later this year.
We upgraded to the final release of esprima-dotnet (v3.0.1), thanks to the team, especially lahma and adam85. This has a number of important improvements:
This is a double-hotfix for 2023.3.4 fixing two issues. It also happens to contain improvements to the request list!
Note: A version of 2023.3.5 was released on September 3rd originally. Another version of 2023.3.5 was released on September 4th which also fixes the wordlist generator.
This release has been a while in the making now, and contains really big improvements to the tool. Before we get to all the good news, first the bad news:
You can not use your old project database anymore, as the database schema was changed so dramatically that it was impossible to remain backwards compatible.
I'm pretty confident that those of you who have used the tool for a while will find that the changes and improvements contained make it well worth it! Here's highlights:
First of all, thanks to everybody who's provided feedback on jswzl, and sent in feature requests. This release addresses a number of common requests I've received, and enables for more easily addressing others in releases to come!
Because this release included a major refactoring of the Database and API schema, it took a while to get out the door. With this out of the way, I hope to be able to achieve a faster cadence of releases for the rest of the year.
Highlights:
Improved GraphQL classification. Now most types of GraphQL entities are extracted into their own category.
Wordlist generation. You can now generate a wordlist from the source tree, or the editor.
You can now configure which IP and port the VS Code extension should connect to from the settings.
New features
Improvements
Fixes
New features
Improvements
Performance
None
I launched jswzl a week ago now. And in the time since, I've been hard at work fixing issues reported. Thank you to everybody who's provided feedback and let me know of bugs. Please continue to reach out if you encounter any issues, or have suggestions for improvements.
The highlights of this release is:
Analysis
Performance
System
This release, 2024.4.3, introduces a big change to the database schema for improved performance. But to achieve that, it also has to migrate any existing project database when first loaded. This can take a bit of time (About 1 minute per gigabyte of the project). And then project can no longer be opened by older versions of jswzl.
In addition to that, it also has a few big things:
this.
and variable declarators.While working on version 2024.4.2, we noticed that the performance of inserting large amounts of descriptors into the project database was a lot slower than expected. The issue discovered to be in the database schema for storing expressions and descriptors, which made use of a GUID as its primary key. This severely hurt performance, making inserts 2-3x slower than using an integer as the primary key. This release changes that. Here are the benefits:
The only downside is that for existing project files, they will need to be migrated. This is done when you start up jswzl. What you need to know is:
SourceExpressionIds
will change from a GUID to an Integer.new RegExp
call or in a regex literal, as it was found to be very noisy. this.
expressions.No changes