-
Input: https://example.com
-
Output:
- Sensitive API detected
- Parameters auto-identified
- AI risk analysis (e.g. HARD-CODED TOKEN → exploitable)
Traditional JavaScript security scanning tools have clear limitations:
- ❌ Only extract API paths (no parameter awareness)
- ❌ Require manual fuzzing to find vulnerabilities
- ❌ Cannot understand business logic
- ❌ Hardcoded secrets lack exploit context
JScanner2 combines AST parsing + AI analysis to enable real-world vulnerability discovery:
- Parse JS using AST
- Extract API endpoints AND parameters
- AI infers parameter structure and meaning
👉 No more blind fuzzing
- Detect tokens, keys, credentials
- AI explains how to exploit them
👉 Not just detection, but exploitation guidance
In real-world SRC testing:
- APIs alone may seem safe
- BUT become vulnerable when combined with valid parameters
👉 JScanner2 bridges this gap
git clone https://github.com/hmx222/JScanner2.git
# [Optional] Edit `run_scan.sh` to configure the `FEISHU_WEBHOOK`.
# Replace the default URL with your own Feishu (Lark) bot webhook.
vim run_scan.sh
# [REQUIRED] You must configure the LLM API Key in this file.
# You can also configure the Feishu bot token here (optional).
# Note: If the Feishu token is not set, error messages and task completion notifications
# will not be pushed to Feishu. You won't receive timely alerts or know when the task finishes.
vim config/config.py
# [REQUIRED] Strictly configure the model parameters in this JSON file.
vim config/models_config.json
# [Optional] You can customize the scanner rules according to your own needs.
vim config/scanner_rules.py
# [Optional] Configure the whitelist. Add the specific domains that are allowed to be crawled by the spider.
vim config/whiteList.txt
docker compose run --rm scanner run_scan.sh urls.txt- API endpoints
- Parameters (auto-generated)
- Sensitive data findings
- Exploit suggestions (AI)
👉 Results are stored for analysis
For authorized security testing only.
- Obtain permission
- Follow laws
- No illegal usage
- Playwright
- LinkFinder
- NLTK
- 阿里云