JS recon for pentesters. Finds secrets, endpoints, and infrastructure in JavaScript.
gerviJS
JS recon for pentesters. Crawls targets, pulls every JavaScript file, unpacks source maps, and extracts secrets, API endpoints, infrastructure details, and tech stack. Built for real engagements, not CTFs.
Why
Every modern web app ships JavaScript to the browser. That JS contains API routes your proxy never saw, hardcoded keys the dev forgot to remove, internal IPs that map the network, and enough context to plan an entire engagement. Gervis automates the boring part so you can focus on exploitation.
Built for a low false-positive rate. Every secret pattern is format-validated, entropy-checked, and filtered against known placeholders, so what gets flagged is overwhelmingly real — not the regex noise most JS grep tools drown you in.
Source map unpacking. When gervis finds .map files, it downloads and reverses them to original source code, then runs the full analysis pipeline on the recovered files. Devs leave hardcoded keys, internal routes, and auth bypass notes in source that gets "hidden" by minification — gervis finds all of it.
Install
pipx install gervijs # recommended: isolated CLI install
# or
pip install gervijs
Installs two equivalent commands: gervijs and the shorter alias gervis.
Run the latest without installing:
pipx run gervijs https://target.com
From source:
git clone https://github.com/Euronii/gervis
cd gervis
pip install -e .
Usage
gervis https://target.com # full scan
gervis https://target.com --probe # scan + validate endpoints
gervis https://target.com --json # machine-readable output
gervis https://target.com --markdown -o report.md # markdown report
gervis https://target.com --endpoints | httpx # pipe paths to httpx
gervis https://target.com --urls | httpx # pipe full URLs to httpx
gervis https://target.com --wordlist | ffuf -w - # JS-derived wordlist
gervis https://target.com --secrets # secrets only (TSV)
gervis https://target.com -d 3 -v # deep crawl, verbose
gervis -l targets.txt # scan multiple targets
gervis -l targets.txt --json -o results.json # multi-target JSON
What it finds
Source Map Unpacking
When JS files reference .map files (//# sourceMappingURL= directives or SourceMap/X-SourceMap headers), gervis:
- Downloads the .map file
- Parses v3 source map format (sources + sourcesContent)
- Recovers original unminified source files (skips node_modules/vendor)
- Deduplicates by content hash
- Runs the full analysis pipeline (secrets, endpoints, infra, tech) on every recovered file
The banner shows srcmap=N when source files are recovered. Findings from source map files are tagged with [map] in the source field.
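The recovery steps above, as an added example (not gervis's own code): it pairs sources with sourcesContent from a v3 map, skips third-party paths and de-duplicates by SHA-256, which also shows what your own published .map files disclose. The skip list, the hash choice and the sample bundle and map are assumptions constructed for illustration.

```python
import hashlib
import json
import re

# Trailing directive that points tooling at the map file.
DIRECTIVE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)\s*$", re.MULTILINE)
SKIP = ("node_modules/", "vendor/")  # assumed skip list: third-party code

def find_map_reference(js_text):
    """Return the last sourceMappingURL value in a JS file, or None."""
    matches = DIRECTIVE.findall(js_text)
    return matches[-1] if matches else None

def recover_sources(map_text):
    """Pair sources with sourcesContent from a v3 map; return {path: source}."""
    data = json.loads(map_text)
    if data.get("version") != 3:
        raise ValueError("not a v3 source map")
    recovered, seen = {}, set()
    pairs = zip(data.get("sources") or [], data.get("sourcesContent") or [])
    for path, body in pairs:
        if not path or not body or any(part in path for part in SKIP):
            continue  # content not embedded, or third-party file
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest in seen:
            continue  # identical content already recovered under another path
        seen.add(digest)
        recovered[path] = body
    return recovered

# Constructed sample: the tail of a minified bundle and its map.
SAMPLE_JS = "!function(){console.log(1)}();\n//# sourceMappingURL=app.min.js.map\n"
SAMPLE_MAP = json.dumps({
    "version": 3,
    "file": "app.min.js",
    "sources": ["webpack:///./src/api.js", "webpack:///./node_modules/lodash/index.js",
                "webpack:///./src/api-copy.js", "webpack:///./src/empty.js"],
    "sourcesContent": ["export const BASE = '/internal/v2';", "module.exports = {};",
                       "export const BASE = '/internal/v2';", None],
    "mappings": "AAAA",
})

if __name__ == "__main__":
    print(find_map_reference(SAMPLE_JS))
    for path, body in recover_sources(SAMPLE_MAP).items():
        print(path, "->", body)
```

Only entries whose sourcesContent is embedded can be recovered this way; a map that lists sources without content yields paths but no code.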
Secrets
Format-validated detection for 40+ secret types:
| Provider | Patterns |
|---|---|
| AWS | Access keys, secret keys |
| Google | API keys, OAuth client IDs, GCP service accounts |
| GitHub | PATs, OAuth tokens, app tokens, fine-grained PATs |
| Slack | Bot tokens, user tokens, app tokens, webhooks |
| Stripe | Secret keys, publishable keys, restricted keys, test keys |
| Firebase | API keys, database URLs |
| Twilio | Account SIDs, auth tokens, API keys |
| SendGrid | API keys |
| Mailgun | API keys, domain keys |
| Auth0 | Client secrets |
| Supabase | Anon keys, service keys |
| Azure | Storage keys, connection strings |
| Cloudinary | URLs with credentials |
| npm/PyPI | Tokens |
| Sentry | DSNs |
| Datadog | API keys |
| Algolia | Admin keys |
| Mapbox | Public and secret tokens |
| Generic | High-entropy values in secret-named variables |
| Crypto | Private keys (RSA, EC, DSA, PGP), hardcoded JWTs |
Every match passes:
- Format validation — provider-specific regex with boundary checks
- Entropy filtering — configurable per pattern, kills low-entropy junk
- Placeholder detection — catches your_api_key_here, example, test, env references
- Comment filtering — skips secrets in JS comments
- Severity classification — critical/high/medium/low based on impact
Full secret values in output. No truncation — you see the entire key/token/credential.
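The validation chain listed above, as an added example that is not gervis's implementation: one provider format (AWS access key IDs) run through comment filtering, placeholder detection and an entropy floor, with the drop reason kept for each match. The placeholder word list, the 3.0 bits/char threshold and the sample bundle text are assumptions constructed for illustration.

```python
import math
import re

# One provider format as illustration: AWS access key IDs, with boundary checks.
AWS_KEY = re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
PLACEHOLDER = re.compile(r"example|your_|test|sample|xxxx", re.IGNORECASE)
# String literals are matched first so "//" inside a URL is not read as a comment.
TOKEN = re.compile(r"""("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|(/\*.*?\*/|//[^\n]*)""", re.DOTALL)
MIN_ENTROPY = 3.0  # bits per character; assumed threshold

def shannon_entropy(value):
    """Shannon entropy of the string, in bits per character."""
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def comment_spans(js_text):
    """(start, end) offsets of // and /* */ comments, ignoring string contents."""
    return [m.span(2) for m in TOKEN.finditer(js_text) if m.group(2) is not None]

def scan(js_text):
    """Return (value, verdict) per format match: 'report' or the reason it was dropped."""
    spans = comment_spans(js_text)
    results = []
    for m in AWS_KEY.finditer(js_text):
        value = m.group(0)
        if any(start <= m.start() < end for start, end in spans):
            verdict = "in-comment"
        elif PLACEHOLDER.search(value):
            verdict = "placeholder"
        elif shannon_entropy(value) < MIN_ENTROPY:
            verdict = "low-entropy"
        else:
            verdict = "report"
        results.append((value, verdict))
    return results

# Constructed bundle text. Key-shaped values are made up, except the "docs" line,
# which uses the placeholder key from AWS's public documentation.
SAMPLE = "\n".join([
    'const cdn = "https://static.example.invalid/app.js";',
    "// old key, rotated: AKIAQ3ZT7XWL5RM2KD8B",
    'const docs = "AKIAIOSFODNN7EXAMPLE";',
    'const pad = "AKIA' + "A" * 16 + '";',
    'const live = "AKIAR7VD2QNX4JHT9PLC";',
])

if __name__ == "__main__":
    for value, verdict in scan(SAMPLE):
        print(verdict, value)
```

The comment matcher does not understand JS regex literals or template strings, so treat its spans as a heuristic rather than a parse.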
Endpoints
- API paths (/api/, /v1/, /rest/, /rpc/)
- Auth flows (/oauth/, /token/, /callback/, /sso/)
- Admin panels (/admin/, /dashboard/admin, /backoffice/)
- Debug/monitoring (/actuator/, /health/, /metrics/, /profiler/)
- Internal paths (/internal/, /__, /private/)
- GraphQL endpoints
- WebSocket URLs (ws://, wss://)
- HTTP method detection (GET, POST, PUT, DELETE, PATCH)
- Smart path normalization (UUIDs, numeric IDs, hashes replaced with {id})
- CDN/asset filtering (40+ CDN hosts, 30+ asset extensions filtered out)
- Frontend router extraction (React Router, Vue Router, Angular)
Infrastructure
- Internal IPs (RFC1918 validated, false-positive filtered)
- Source maps (both directives and URL references)
- Debug flags and environment checks (NODE_ENV, debugMode, etc.)
- Cloud storage (S3 buckets, GCS buckets, Azure Blob containers)
- Firebase project URLs
- Email addresses (junk-filtered)
- Developer comments with sensitive content (TODO, FIXME, HACK, password, etc.)
Tech Stack
90+ technologies detected across 8 categories:
- Frameworks: React, Angular, Vue, Next.js, Nuxt, Svelte, Remix, Gatsby, Astro, SolidJS
- Libraries: jQuery, Axios, Apollo, Socket.io, D3, Three.js, Chart.js, tRPC
- Auth: Auth0, Okta, Cognito, Clerk, NextAuth, Keycloak, Passport.js, Firebase Auth
- Cloud: Firebase, Supabase, AWS SDK, Amplify, Azure, GCP, Vercel, Netlify, Cloudflare Workers
- Analytics: GA, GTM, Segment, Mixpanel, Amplitude, Hotjar, PostHog, FullStory
- Build: Webpack, Vite, Parcel, esbuild, Turbopack
- Security: Sentry, reCAPTCHA, hCaptcha, Cloudflare Turnstile
- Payments: Stripe, PayPal, Braintree
Version extraction where possible.
Multi-target mode
Scan a list of URLs from a file:
# targets.txt — one URL per line, # comments skipped
https://app1.example.com
https://app2.example.com
# https://skip-this.com
gervis -l targets.txt # scan all targets
gervis -l targets.txt --json -o all.json # combined JSON array
gervis -l targets.txt --endpoints # endpoints from all targets
gervis -l targets.txt --wordlist # combined wordlist
Text/markdown output shows each target separated by ===. Pipe modes add # target_url comments between targets.
Output modes
| Flag | Output | Pipe to |
|---|---|---|
| (default) | Colored text, grouped by category | terminal |
| --json | Structured JSON with severity/confidence | jq, scripts |
| --markdown | Full report with tables | docs, reports |
| --endpoints | One path per line | httpx, nuclei, ffuf |
| --urls | Full URLs (base + path) | httpx, curl |
| --secrets | TSV: severity, kind, value, source | grep, awk |
| --wordlist | Paths, params, keys from JS | ffuf, gobuster |
Options
URL Target URL (or use -l for file)
-l, --list FILE File with target URLs (one per line)
-d, --depth INT Crawl depth (default: 2)
--probe Probe discovered endpoints (HEAD/GET)
--json JSON output
--markdown Markdown report
--endpoints Endpoints only (pipe-friendly)
--urls Full URLs (pipe-friendly)
--secrets Secrets only (TSV)
--wordlist Generate wordlist from JS
-o, --output FILE Write output to file
-v, --verbose Show all endpoints + progress
-q, --quiet No banner
-t, --timeout INT Request timeout in seconds (default: 10)
-c, --concurrency Max concurrent requests (default: 20)
-V, --version Version
-h, --help Help
Examples
Recon pipeline
# Find endpoints, probe them, check for vulns
gervis https://target.com --urls | httpx -silent -mc 200,301,302,403 | nuclei -t exposures/
# Build custom wordlist from JS
gervis https://target.com --wordlist > custom.txt
ffuf -u https://target.com/FUZZ -w custom.txt
# Quick secrets check
gervis https://target.com --secrets | grep -i critical
# Multi-target recon
cat subdomains.txt | httpx -silent | sed 's/$//' > live.txt
gervis -l live.txt --endpoints | sort -u > all_endpoints.txt
Save report
gervis https://target.com --markdown -o report.md
gervis https://target.com --json -o findings.json
Nothing saved to disk
Gervis holds all JS content in memory only. No files are written unless you explicitly use -o FILE. Safe for client engagements.
Development
pip install -e ".[dev]" # install with dev tooling
pytest -q # run the test suite
ruff check . # lint
CI runs ruff + pytest on Python 3.9–3.13 for every push and pull request.
- docs/ARCHITECTURE.md — how the pipeline works and the design decisions behind it
- CONTRIBUTING.md — dev setup and conventions
- CHANGELOG.md — release history
Legal
Use gervis only against systems you are authorized to test. You are responsible for complying with all applicable laws and the scope of your engagement.
License
MIT