What is JavaScript Analysis in Bug Bounty?
Web applications load JavaScript files that contain security-relevant information: API endpoints, hidden parameters, feature flags, API keys, and application logic. Traditional tools like LinkFinder use regex patterns to extract URLs from JS files. They find endpoints but miss context.
AI-assisted analysis differs. Instead of pattern matching, Claude reads and understands what the JavaScript code actually does. It identifies authenticated endpoints, accepted parameters, hidden features, and exploitable secrets.
What regex-based tools miss:
Context about authentication requirements
Parameter validation rules
Feature flags that enable admin functions
API keys with scope and expiration details
Application logic flows
What AI provides:
Understanding of code structure
Identification of relationships between endpoints
Detection of hidden or beta features
Analysis of authentication and authorization patterns
Prioritization based on exploitability
♻ Result: 1 prompt replaces 10+ manual steps
Prerequisites & Setup
You'll need the Burp MCP setup first. If you haven't configured Claude Code with Burp Suite, start here:
Required Reading: AI-Assisted Web Pentesting Using Claude Code + Burp MCP
CLAUDE.md Template for JS Analysis
Create a file
CLAUDE.md
Then copy below content
# JavaScript Security Analysis
## Target
- **Domain:** vulnerable-app.com
- **Scope:** *.vulnerable-app.com
## Analysis Priorities
Focus on finding:
1. Admin/internal/debug endpoints not linked in UI
2. API keys, tokens, or credentials with production scope
3. Feature flags that enable hidden functionality
4. Parameters that bypass security controls (debug, test_mode, bypass_*)
5. Undocumented API endpoints with sensitive data access
## Known Context
- **Auth:** JWT-based, tokens expire in 1 hour
- **Stack:** React frontend, Node.js backend, MongoDB
- **Interesting Paths:** /api/v1/ (legacy), /api/v2/ (current)
## Output Requirements
- Save findings to ./findings/YYYY-MM-DD_target.md
- Include: file path, line number, code snippet, severity, next steps
- Format: markdown tables with copy-pasteable proof of concept
## Validation Rules
- Never report secrets without testing them first
- Confirm endpoints accept documented parameters
- Check if feature flags change server-side behaviorJavaScript Analysis Methodology
JavaScript files contain different categories of security-relevant information. Each has different analysis techniques and security impact.
Category | Examples | Security Impact |
|---|---|---|
Endpoints |
| Discover hidden entry points |
Hidden Parameters |
| Bypass access controls |
Hidden Features | Feature flags, beta endpoints, admin panels | Access unauthorized functionality |
API Keys |
| Account takeover, data exfiltration |
Developer Comments | TODOs, debug code, password hints | Information disclosure |
Application Logic | Auth flows, permission checks, validation rules | Logic bypass, privilege escalation |
Step-by-Step
Step 1: Filter JavaScript from Burp HTTP History
What you're trying to do: Extract all JavaScript files that Burp has captured during browsing. This gives Claude the raw material for analysis.
Prompt: Send below prompt to Claude Code
Task: Extract JavaScript files from Burp Suite Proxy history via Burp MCP
Target domain: vulnerable-app.com
Process:
1. Query the Burp MCP proxy history
2. Filter requests belonging to vulnerable-app.com
3. Identify URLs ending with ".js"
4. Extract the full URL & file size of each JavaScript file
5. Deduplicate results
Output: List of JavaScript file URLsWhat happens: Claude queries Burp proxy history, filters for .js file extensions and application/javascript MIME types, then returns a structured list with URLs and response sizes.
Example output:
Filtered JS file
Step 2: Perform Deep Analysis
What you're trying to do: Run a security analysis on all JavaScript files from target vulnerable-app.com. Claude reads each file, extracts security-relevant information, and categorizes findings.
Prompt: Send below prompt to Claude Code
Analyze all JavaScript files from above for security-relevant
information
Look for:
1. API endpoints (especially admin, internal, debug, test endpoints)
2. Hidden parameters (debug, test, admin, role, bypass flags)
3. Hardcoded secrets (API keys, tokens, passwords, private keys)
4. Feature flags that enable hidden functionality
5. Developer comments with sensitive information
6. Authentication and authorization logic
For each finding, provide:
- The specific file and approximate location
- The exact string or code snippet
- Why it's security-relevant
- Suggested next steps for testingWhat happens: Claude reads each JavaScript file from Burp history, parses code structure, identifies patterns, extracts security-relevant findings, and provides actionable recommendations.
Example output:
Findings found during JS analysis
Step 3: Review Findings Summary
What you're trying to do: Get a prioritized summary of all findings from the vulnerable-app.com analysis with severity ratings and recommended actions.
Prompt: Send below prompt to Claude Code
Create a prioritized summary of all JavaScript analysis findings.
Rate each finding by severity (Critical/High/Medium/Low) and
provide specific next steps for testing.Example output:
Finding review
Findings Summary
# | Finding | Severity | File | Next Steps |
|---|---|---|---|---|
1 | Client-side auth bypass via window.userRole | Critical | dashboard.js | Test server-side authorization |
2 | Hidden admin endpoints in JS | High | dashboard.js | Direct access as regular user |
3 | User enumeration via /api/v2/users | High | dashboard.js | Fetch as non-admin user |
4 | IDOR in inventory API (id parameter) | High | dashboard.js | Modify other users' items |
5 | Undocumented delete user function | Medium | dashboard.js | Test DELETE /api/v2/users/{id} |
6 | Legacy /api/v1/ may exist | Low | login.js | Fuzz v1 endpoints |
Follow Up Prompts
After the initial analysis, use these prompts to validate and expand findings:
Validate Findings Automatically
Test the hidden admin endpoints directly. Use my current session cookie and report if access is granted or denied
Endpoints to test:
- /backend/admin/users-management
- /backend/admin/audit-logsGenerate Burp Repeater Tabs
Create Burp Repeater tabs for all high-severity findings from the analysis
Include the full HTTP request with my current session cookieTest IDOR Vulnerability
Test the IDOR in /api/v2/inventory by:
Getting the inventory list
Attempting to modify an item with a different id
Report whether the modification succeeds.What Could Be Better
Custom Skill for JavaScript Analysis
Build a dedicated Claude Code skill that standardizes JS analysis:
# js-analysis skill
## Purpose
Analyze JavaScript files from Burp history for security findings.
## Workflow
1. Filter JS files from proxy history
2. Extract and categorize findings
3. Prioritize by exploitability
4. Generate Burp Repeater tabs for validation
5. Create findings report
## Output Format
- Markdown tables for findings
- Severity ratings (Critical/High/Medium/Low)
- Copy-pasteable proof of conceptWordlist Integration
Connect external resources for better analysis:
SecLists - Common parameter names, API patterns
PayloadsAllTheThings - Known vulnerable patterns
Custom wordlists - Project-specific sensitive strings
Automated Validation
Cut down manual verification:
Auto-test discovered API keys against known endpoints
Generate Repeater tabs for each finding
Run parameter fuzzing on discovered endpoints
Check secret validity with API calls
Historical Comparison
Track changes across sessions:
Diff JavaScript files between visits
Alert on new secrets or endpoints
Detect removed security controls
Monitor for newly exposed functionality
Conclusion
JavaScript analysis with Claude Code goes beyond regex pattern matching. Traditional tools find endpoints. AI understands what those endpoints do, how they're protected, and whether they're worth testing.
The workflow: capture JS files during browsing, run an analysis prompt, review prioritized findings, and validate manually. This approach has found hardcoded credentials, hidden admin panels, and undocumented APIs in production applications.
Subscribe for more security automation content: https://labs.secengai.com/
Further Reading
MCP Servers:
Skills & Agents:
Config Management:
Config Reference:
