As we look forward to the upcoming Hacker Summer Camp, we’re also marking the anniversary of a couple of events:
- It’s been two years since I quit my job to work on jswzl.
- It’s been a year since we released jswzl to the public.
And what a journey it’s been! It’s been full of victories and challenges. As I recently shared in the blog post titled “The role of manual Javascript source code review”, a key belief that has motivated me on this journey is that even a single person, under the right circumstances, can have an outsized impact and meaningfully make the world a better place. And with jswzl having been in the hands of real users for a year now, I feel very confident that this is true.
Let’s go over some of the highlights on the journey and the challenges along the way.
One of the things of which I’m especially proud is that we now have paying users of jswzl in 17 different countries and a MUCH higher number of countries with trial users. Seeing how it’s spreading across the globe is such a kick!
I regularly get messages from people using jswzl sharing that they found a vulnerability with its help. It always warms my heart to hear that people are doing excellent work with the assistance of jswzl. Empowering people is what it’s all about!
But I also regularly get messages from bug bounty hunters telling me that, within 24–48 hours of using jswzl, they found a bug that paid for the tool. Sometimes these are people on a trial license who then buy a license immediately, and sometimes people who bought a license without doing a trial at all.
Getting messages from users who felt compelled to message me to let me know how much they benefited from using jswzl is absolutely priceless!
It’s been super important to me to engage with both the people who use jswzl and the larger hacking community. Seeing how members of our community go out of their way to talk about jswzl, and just how welcoming everyone is even though jswzl is a commercial tool, is really special.
A great example of this is the community of the Critical Thinking podcast, where supporters are offered a full 1-month trial license. The community has also been really helpful in providing feedback and ensuring we effectively prioritize what features and changes to focus on.
Individual members of the community have also really embraced jswzl. For instance, Lupin recently did a talk at #NahamCon2024 and mentioned how using jswzl allowed him to find some cool bugs:
And Jason Haddix features it in the JavaScript section of his The Bug Hunter's Methodology Live Course, which is by far the most extensive and up-to-date resource on modern bug bounty methodology out there.
One of the biggest challenges has been discovering and fixing unexpected, obscure bugs. The example that still haunts me is an issue related to how jswzl spawns a subprocess to analyze a file. This is not overly complicated code. But at some point, I started hearing from users on Apple Silicon Macs that jswzl would hang randomly.
As it would turn out, this issue came down to a few factors:
- It only happened on Apple Silicon / macOS.
- It only happened while the OS decided it was time to page memory to the swap file.
- It only happened if the OS refused to start a new process during the swapping.
- It only happened if the .NET garbage collector decided to run.
So for the bug to occur, the system had to be under memory pressure, the .NET garbage collector had to kick in during the system call to start a process, and the OS had to refuse to allocate memory for the new process. It was a crazy, unique race condition caused by how macOS handles memory combined with a bug in the .NET garbage collector. It was very difficult to reproduce at times, and I spent roughly a week trying to get to the root of it. And some users even reported that it crashed their system, which was really frustrating!
As more people started putting jswzl through its paces, other odd issues occasionally popped up. Unique circumstances would expose edge cases that would have been difficult to predict or indeed imagine. Users would test strange applications with code patterns that would trip over the analysis engine. Luckily, jswzl users have been extremely kind in providing the data needed to track down and fix these issues, which I’m always super grateful for!
Building on the momentum from the past year, there are a lot of opportunities to push the envelope of what jswzl can do to help users be more effective in their jobs. Here are some of the tasks that are high on the priority list for the near future:
- Official Caido integration.
- Better navigation options for large projects.
- Semantic comparison of files.
When jswzl launched, it explored new territory and pushed forward innovation in the field. Others have followed, which is great to see. But there are still many unsolved problems that would meaningfully change the game. With any luck, we’ll see some of that come to fruition over the next 12 months!