Skip to content
Related Articles

Related Articles

Improve Article
Save Article
Like Article

LinkFinder – Script to search Endpoints in JavaScript Files

  • Last Updated : 23 Sep, 2021

Hidden endpoints of the website can be used to perform Penetration Testing on the domain. Detection of these endpoints is difficult if we are using a manual way. So we need to have an automated script that can detect the endpoints of JavaScript links. LinkFinder is an automated tool developed in the Python language which detects the endpoints and their parameters on the target domain. The results are displayed in the .html format in the web browser, along with this we can also display the results in the terminal itself. LinkFinder tool is available on the GitHub platform, it’s free and open-source to use. LinkFinder tool also supports deep analysis on the target for more endpoint discovery.

Note: Make Sure You have Python Installed on your System, as this is a python-based tool. Click to check the Installation process – Python Installation Steps on Linux

Installation of LinkFinder Tool on Kali Linux OS

Step 1: Use the following command to install the tool in your Kali Linux operating system.

git clone https://github.com/GerbenJavado/LinkFinder.git

Step 2: Now use the following command to move into the directory of the tool. You have to move in the directory in order to run the tool.

cd LinkFinder

Step 3: You are in the directory of the LinkFinder. Now you have to install a dependency of the LinkFinder using the following command.

sudo pip3 install -r requirements.txt

Step 4: Run the setup.py file to complete the installation.

sudo python3 setup.py install

Step 5: All the dependencies have been installed in your Kali Linux operating system. Now use the following command to run the tool and check the help section.

python3 linkfinder.py -h

Working with LinkFinder Tool on Kali Linux OS

Example 1: Most basic usage to find endpoints in an online JavaScript file and output the HTML results to results.html

python3 linkfinder.py -i https://geeksforgeeks.org -o results.html

We are displaying the results which were saved in the .html format file.

All the highlighted URLs are the endpoints of JavaScript files.

Example 2: CLI/STDOUT output (doesn’t use jsbeautifier, which makes it very fast)

python3 linkfinder.py -i https://geeksforgeeks.org -o cli

In this example, we are displaying the results or endpoints in the terminal itself.

Example 3: Analyzing an entire domain and its JS files

python3 linkfinder.py -i https://geeksforgeeks.org -d

In this example, we will be performing a deep scan on https://geeksforgeeks.org

Example 4: Burp input (select in target the files you want to save, right-click, Save selected items, feed that file as input)

python3 linkfinder.py -i burp.txt -b

In this example, we are passing input to the tool from the burp.txt file.

We have got the results and the endpoints of the JS files.

Example 5: Enumerating an entire folder for JavaScript files, while looking for endpoints starting with /api/ and finally saving the results to results.html

python3 linkfinder.py -i ‘Desktop/*.js’ -r ^/api/ -o results.html

In this example, we are searching for .js files from the Desktop directory and looking for the endpoint /api/.

Example 6: Ignore certain js files (like external libs) provided by -g –ignore

python3 SecretFinder.py -i https://geeksforgeeks.org/ -e -g ‘jquery;bootstrap;api.google.com’

In this example, we are ignoring certain JS files which are not very important.

Example 7: Process only certain js files provided by -n –only

python3 SecretFinder.py -i https://geeksforgeeks.org/ -e -n ‘d3i4yxtzktqr9n.cloudfront.net;www.myexternaljs.com’

In this example, we are including important js files for searching.

Example 8: Use your regex

python3 SecretFinder.py -i https://example.com/1.js -o cli -r ‘apikey=my.api.key[a-zA-Z]+’

In this example, we are specifying our own custom Regex for searching.

Example 9: Other options: add headers, proxy, and cookies

python3 SecretFinder.py -i https://example.com/ -e -o cli -c ‘mysessionid=111234’ -H ‘x-header:value1\nx-header2:value2’ -p 127.0.0.1:8080 -r ‘apikey=my.api.key[a-zA-Z]+’

In this example, we are adding headers, proxy, and cookies for hiding the identity.

Example 10: Open SecretFinder.py and add your regex

In this example, we are directly inserting the Regex onto the main Python file.


My Personal Notes arrow_drop_up
Recommended Articles
Page :

Start Your Coding Journey Now!