{"id":27507,"date":"2022-10-25T10:04:15","date_gmt":"2022-10-25T10:04:15","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=27507"},"modified":"2022-10-25T10:04:17","modified_gmt":"2022-10-25T10:04:17","slug":"jsubfinder","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/jsubfinder\/","title":{"rendered":"JSubFinder : Searches Webpages For Javascript To Find Hidden Subdomains & Secrets"},"content":{"rendered":"\n

JSubFinder<\/strong> is a tool writtin in golang to search webpages & javascript for hidden subdomains and secrets in the given URL. Developed with BugBounty hunters in mind JSubFinder takes advantage of Go’s amazing performance allowing it to utilize large data sets & be easily chained with other tools.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Install<\/h2>\n\n\n\n

Install the application and download the signatures needed to find secrets<\/p>\n\n\n\n

Using GO:<\/strong><\/h4>\n\n\n\n
go get github.com\/ThreatUnkown\/jsubfinder\nwget https:\/\/raw.githubusercontent.com\/ThreatUnkown\/jsubfinder\/master\/.jsf_signatures.yaml && mv .jsf_signatu<\/pre>\n\n\n\n
Or<\/p>\n\n\n\n
Downloads Page<\/a><\/p>\n\n\n\n
Basic Usage<\/strong><\/h2>\n\n\n\n
Search<\/h3>\n\n\n\n
Search the given url’s for subdomains and secrets<\/p>\n\n\n\n
$ jsubfinder search -h\n\nExecute the command specified\n\nUsage:\n  JSubFinder search [flags]\n\nFlags:\n  -c, --crawl              Enable crawling\n  -g, --greedy             Check all files for URL's not just Javascript\n  -h, --help               help for search\n  -f, --inputFile string   File containing domains\n  -t, --threads int        Ammount of threads to be used (default 5)\n  -u, --url strings        Url to check\n\nGlobal Flags:\n  -d, --debug               Enable debug mode. Logs are stored in log.info\n  -K, --nossl               Skip SSL cert verification (default true)\n  -o, --outputFile string   name\/location to store the file\n  -s, --secrets             Check results for secrets e.g api keys\n      --sig string          Location of signatures for finding secrets\n  -S, --silent              Disable printing to the console\n<\/pre>\n\n\n\n
Examples (results are the same in this case):<\/p>\n\n\n\n
$ jsubfinder search -u www.google.com\n$ jsubfinder search -f file.txt\n$ echo www.google.com | jsubfinder search\n$ echo www.google.com | httpx --silent | jsubfinder search$\n\napis.google.com\nogs.google.com\nstore.google.com\nmail.google.com\naccounts.google.com\nwww.google.com\npolicies.google.com\nsupport.google.com\nadservice.google.com\nplay.google.com<\/pre>\n\n\n\n
<\/a>With Secrets Enabled<\/h4>\n\n\n\n
note --secrets=\"\"<\/code> will save the secret results in a secrets.txt file<\/em><\/p>\n\n\n\n
$ echo www.youtube.com | jsubfinder search --secrets=\"\"\nwww.youtube.com\nyoutubei.youtube.com\npayments.youtube.com\n2Fwww.youtube.com\n252Fwww.youtube.com\nm.youtube.com\ntv.youtube.com\nmusic.youtube.com\ncreatoracademy.youtube.com\nartists.youtube.com\n\nGoogle Cloud API Key <redacted> found in content of https:\/\/www.youtube.com\nGoogle Cloud API Key <redacted> found in content of https:\/\/www.youtube.com\nGoogle Cloud API Key <redacted> found in content of https:\/\/www.youtube.com\nGoogle Cloud API Key <redacted> found in content of https:\/\/www.youtube.com\nGoogle Cloud API Key <redacted> found in content of https:\/\/www.youtube.com\nGoogle Cloud API Key <redacted> found in content of https:\/\/www.youtube.com<\/pre>\n\n\n\n
<\/a>Advanced examples<\/h4>\n\n\n\n
$ echo www.google.com | jsubfinder search -crawl -s \"google_secrets.txt\" -S -o jsf_google.txt -t 10 -g<\/pre>\n\n\n\n