JS recon for pentesters. Finds secrets, endpoints, and infrastructure in JavaScript.

gerviJS

JS recon for pentesters. Crawls targets, pulls every JavaScript file, unpacks source maps, and extracts secrets, API endpoints, infrastructure details, and tech stack. Built for real engagements, not CTFs.

Why

Every modern web app ships JavaScript to the browser. That JS contains API routes your proxy never saw, hardcoded keys the dev forgot to remove, internal IPs that map the network, and enough context to plan an entire engagement. Gervis automates the boring part so you can focus on exploitation.

Built for a low false-positive rate. Every secret pattern is format-validated, entropy-checked, and filtered against known placeholders, so what gets flagged is overwhelmingly real — not the regex noise most JS grep tools drown you in.

Source map unpacking. When gervis finds .map files, it downloads and reverses them to original source code, then runs the full analysis pipeline on the recovered files. Devs leave hardcoded keys, internal routes, and auth bypass notes in source that gets "hidden" by minification — gervis finds all of it.

Install

pipx install gervijs       # recommended: isolated CLI install
# or
pip install gervijs

Installs two equivalent commands: gervijs and the shorter alias gervis.

Run the latest without installing:

pipx run gervijs https://target.com

From source:

git clone https://github.com/Euronii/gervis
cd gervis
pip install -e .

Usage

gervis https://target.com                        # full scan
gervis https://target.com --probe                # scan + validate endpoints
gervis https://target.com --json                 # machine-readable output
gervis https://target.com --markdown -o report.md   # markdown report
gervis https://target.com --endpoints | httpx    # pipe paths to httpx
gervis https://target.com --urls | httpx         # pipe full URLs to httpx
gervis https://target.com --wordlist | ffuf -w -   # JS-derived wordlist
gervis https://target.com --secrets              # secrets only (TSV)
gervis https://target.com -d 3 -v                # deep crawl, verbose
gervis -l targets.txt                            # scan multiple targets
gervis -l targets.txt --json -o results.json     # multi-target JSON

What it finds

Source Map Unpacking

When JS files reference .map files (//# sourceMappingURL= directives or SourceMap/X-SourceMap headers), gervis:

  1. Downloads the .map file
  2. Parses v3 source map format (sources + sourcesContent)
  3. Recovers original unminified source files (skips node_modules/vendor)
  4. Deduplicates by content hash
  5. Runs the full analysis pipeline (secrets, endpoints, infra, tech) on every recovered file

The banner shows srcmap=N when source files are recovered. Findings from source map files are tagged with [map] in the source field.
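The recovery steps above can be reproduced against your own build output to see what a published .map file hands to anyone who fetches it. This is an added example, not gervis code; the sample map, the SKIP_MARKERS list and the recover_sources name are assumptions made for illustration.

```python
import hashlib
import json

# Constructed sample: a minimal v3 source map of the kind a bundler emits.
SAMPLE_MAP = json.dumps({
    "version": 3,
    "sources": [
        "webpack:///./src/api/client.js",
        "webpack:///./node_modules/lodash/lodash.js",
        "webpack:///./src/api/client-copy.js",
        "webpack:///./src/legacy/no-content.js",
    ],
    "sourcesContent": [
        "const BASE = '/internal/v2/users';\n",
        "/* lodash */\n",
        "const BASE = '/internal/v2/users';\n",
        None,
    ],
    "mappings": "",
})

SKIP_MARKERS = ("node_modules/", "vendor/")  # assumed third-party path markers


def recover_sources(map_text):
    """Return {source_path: original_source} for first-party files in a v3 map."""
    data = json.loads(map_text)
    if data.get("version") != 3:
        raise ValueError("only source map v3 is handled")
    sources = data.get("sources") or []
    contents = data.get("sourcesContent") or []
    recovered, seen = {}, set()
    for i, path in enumerate(sources):
        body = contents[i] if i < len(contents) else None
        if not path or not isinstance(body, str):
            continue  # sourcesContent entries may be null or missing
        if any(marker in path for marker in SKIP_MARKERS):
            continue  # third-party code, not worth analysing
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest in seen:
            continue  # identical content already recovered under another path
        seen.add(digest)
        recovered[path] = body
    return recovered


if __name__ == "__main__":
    for path, body in recover_sources(SAMPLE_MAP).items():
        print(path, len(body), "bytes")
```

If this returns anything for a production bundle, the original source is public; build without sourcesContent or keep .map files off the public web root.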

Secrets

Format-validated detection for 40+ secret types:

Provider    Patterns
AWS         Access keys, secret keys
Google      API keys, OAuth client IDs, GCP service accounts
GitHub      PATs, OAuth tokens, app tokens, fine-grained PATs
Slack       Bot tokens, user tokens, app tokens, webhooks
Stripe      Secret keys, publishable keys, restricted keys, test keys
Firebase    API keys, database URLs
Twilio      Account SIDs, auth tokens, API keys
SendGrid    API keys
Mailgun     API keys, domain keys
Auth0       Client secrets
Supabase    Anon keys, service keys
Azure       Storage keys, connection strings
Cloudinary  URLs with credentials
npm/PyPI    Tokens
Sentry      DSNs
Datadog     API keys
Algolia     Admin keys
Mapbox      Public and secret tokens
Generic     High-entropy values in secret-named variables
Crypto      Private keys (RSA, EC, DSA, PGP), hardcoded JWTs

Every match passes:

  1. Format validation — provider-specific regex with boundary checks
  2. Entropy filtering — configurable per pattern, kills low-entropy junk
  3. Placeholder detection — catches your_api_key_here, example, test, env references
  4. Comment filtering — skips secrets in JS comments
  5. Severity classification — critical/high/medium/low based on impact

Full secret values in output. No truncation — you see the entire key/token/credential.
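The filter chain described above, reduced to two rules so it can be run over a bundle before it ships. This is an added example, not gervis code: the rule set, entropy thresholds, placeholder list and comment regex are assumptions, and every value in the sample is constructed.

```python
import math
import re
from collections import Counter

# Hypothetical rules: (kind, severity, regex, minimum Shannon entropy in bits/char).
RULES = [
    ("aws_access_key", "critical", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 3.0),
    ("generic_secret", "medium",
     re.compile(r"(?i)(?:secret|token|api_?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"), 3.5),
]
PLACEHOLDER = re.compile(r"(?i)example|your_|placeholder|changeme|xxxx|process\.env")
COMMENTS = re.compile(r"/\*.*?\*/|(?<![:'\"])//[^\n]*", re.S)


def entropy(value):
    """Shannon entropy of the string in bits per character."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan(js):
    """Return (severity, kind, value) for matches that survive every filter."""
    code = COMMENTS.sub("", js)  # comment filtering (naive: not string-aware)
    findings = []
    for kind, severity, pattern, min_entropy in RULES:
        for match in pattern.finditer(code):  # format validation
            value = match.group(1)
            if PLACEHOLDER.search(value):  # placeholder detection
                continue
            if entropy(value) < min_entropy:  # entropy filtering
                continue
            findings.append((severity, kind, value))  # severity comes from the rule
    return findings


# Constructed sample bundle; none of these values is a real credential.
SAMPLE_JS = """
// old key: AKIAQ7ZK2M9XW4T8LPRD
const docsKey = "AKIAIOSFODNN7EXAMPLE";
const awsKey = "AKIAQ7ZK2M9XW4T8LPRD";
const apiKey = "your_api_key_here_1234";
const authToken = "aaaaaaaaaaaaaaaaaaaaaaaa";
const sessionSecret = "f3Kq9ZpL2xVb7TnR8mWc";
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_JS):
        print("\t".join(finding))
```

Of the six candidate lines, only two survive: the commented key, the documentation key, the placeholder and the low-entropy token are each dropped by a different stage.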

Endpoints

  • API paths (/api/, /v1/, /rest/, /rpc/)
  • Auth flows (/oauth/, /token/, /callback/, /sso/)
  • Admin panels (/admin/, /dashboard/admin, /backoffice/)
  • Debug/monitoring (/actuator/, /health/, /metrics/, /profiler/)
  • Internal paths (/internal/, /__, /private/)
  • GraphQL endpoints
  • WebSocket URLs (ws://, wss://)
  • HTTP method detection (GET, POST, PUT, DELETE, PATCH)
  • Smart path normalization (UUIDs, numeric IDs, hashes replaced with {id})
  • CDN/asset filtering (40+ CDN hosts, 30+ asset extensions filtered out)
  • Frontend router extraction (React Router, Vue Router, Angular)
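Path normalization and asset filtering are what turn thousands of raw strings into a short route inventory you can review against your intended API surface. This is an added example, not gervis code; the identifier shapes, the extension subset and the function names are assumptions, and the sample strings are constructed.

```python
import re
from urllib.parse import urlsplit

# Segment shapes treated as identifiers (assumed definitions).
ID_SHAPES = [
    re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I),  # UUID
    re.compile(r"\d+"),  # numeric ID
    re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.I),  # MD5/SHA-1/SHA-256 hex
]
ASSET_EXTENSIONS = (".png", ".jpg", ".svg", ".css", ".woff2", ".ico")  # assumed subset


def normalize(raw):
    """Return the templated path for a URL or path, or None for static assets."""
    path = urlsplit(raw).path  # drops scheme, host, query string and fragment
    if not path.startswith("/") or path.lower().endswith(ASSET_EXTENSIONS):
        return None
    segments = [
        "{id}" if any(shape.fullmatch(seg) for shape in ID_SHAPES) else seg
        for seg in path.split("/")
    ]
    return "/".join(segments)


def unique_endpoints(candidates):
    """Normalize every candidate and return the sorted set of distinct templates."""
    return sorted({p for p in map(normalize, candidates) if p})


# Constructed strings of the kind found in a bundle.
SAMPLE = [
    "/api/v1/users/1042/orders",
    "/api/v1/users/77/orders?page=2",
    "https://app.example.com/api/v1/files/3f2b8c1e-9a4d-4e6f-8b21-0c5d7e9a1f33",
    "/api/v1/blobs/d41d8cd98f00b204e9800998ecf8427e",
    "/static/logo.png",
    "/internal/health",
]

if __name__ == "__main__":
    print("\n".join(unique_endpoints(SAMPLE)))
```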

Infrastructure

  • Internal IPs (RFC1918 validated, false-positive filtered)
  • Source maps (both directives and URL references)
  • Debug flags and environment checks (NODE_ENV, debugMode, etc.)
  • Cloud storage (S3 buckets, GCS buckets, Azure Blob containers)
  • Firebase project URLs
  • Email addresses (junk-filtered)
  • Developer comments with sensitive content (TODO, FIXME, HACK, password, etc.)

Tech Stack

90+ technologies detected across 8 categories:

  • Frameworks: React, Angular, Vue, Next.js, Nuxt, Svelte, Remix, Gatsby, Astro, SolidJS
  • Libraries: jQuery, Axios, Apollo, Socket.io, D3, Three.js, Chart.js, tRPC
  • Auth: Auth0, Okta, Cognito, Clerk, NextAuth, Keycloak, Passport.js, Firebase Auth
  • Cloud: Firebase, Supabase, AWS SDK, Amplify, Azure, GCP, Vercel, Netlify, Cloudflare Workers
  • Analytics: GA, GTM, Segment, Mixpanel, Amplitude, Hotjar, PostHog, FullStory
  • Build: Webpack, Vite, Parcel, esbuild, Turbopack
  • Security: Sentry, reCAPTCHA, hCaptcha, Cloudflare Turnstile
  • Payments: Stripe, PayPal, Braintree

Version extraction where possible.

Multi-target mode

Scan a list of URLs from a file:

# targets.txt — one URL per line, # comments skipped
https://app1.example.com
https://app2.example.com
# https://skip-this.com

gervis -l targets.txt                    # scan all targets
gervis -l targets.txt --json -o all.json # combined JSON array
gervis -l targets.txt --endpoints        # endpoints from all targets
gervis -l targets.txt --wordlist         # combined wordlist

Text/markdown output shows each target separated by ===. Pipe modes add # target_url comments between targets.

Output modes

Flag         Output                                    Pipe to
(default)    Colored text, grouped by category         terminal
--json       Structured JSON with severity/confidence  jq, scripts
--markdown   Full report with tables                   docs, reports
--endpoints  One path per line                         httpx, nuclei, ffuf
--urls       Full URLs (base + path)                   httpx, curl
--secrets    TSV: severity, kind, value, source        grep, awk
--wordlist   Paths, params, keys from JS               ffuf, gobuster

Options

  URL                 Target URL (or use -l for file)
  -l, --list FILE     File with target URLs (one per line)
  -d, --depth INT     Crawl depth (default: 2)
  --probe             Probe discovered endpoints (HEAD/GET)
  --json              JSON output
  --markdown          Markdown report
  --endpoints         Endpoints only (pipe-friendly)
  --urls              Full URLs (pipe-friendly)
  --secrets           Secrets only (TSV)
  --wordlist          Generate wordlist from JS
  -o, --output FILE   Write output to file
  -v, --verbose       Show all endpoints + progress
  -q, --quiet         No banner
  -t, --timeout INT   Request timeout in seconds (default: 10)
  -c, --concurrency   Max concurrent requests (default: 20)
  -V, --version       Version
  -h, --help          Help

Examples

Recon pipeline

# Find endpoints, probe them, check for vulns
gervis https://target.com --urls | httpx -silent -mc 200,301,302,403 | nuclei -t exposures/

# Build custom wordlist from JS
gervis https://target.com --wordlist > custom.txt
ffuf -u https://target.com/FUZZ -w custom.txt

# Quick secrets check
gervis https://target.com --secrets | grep -i critical

# Multi-target recon
cat subdomains.txt | httpx -silent | sed 's/$//' > live.txt
gervis -l live.txt --endpoints | sort -u > all_endpoints.txt

Save report

gervis https://target.com --markdown -o report.md
gervis https://target.com --json -o findings.json

Nothing saved to disk

Gervis holds all JS content in memory only. No files are written unless you explicitly use -o FILE. Safe for client engagements.

Development

pip install -e ".[dev]"   # install with dev tooling
pytest -q                 # run the test suite
ruff check .              # lint

CI runs ruff + pytest on Python 3.9–3.13 for every push and pull request.

Legal

Use gervis only against systems you are authorized to test. You are responsible for complying with all applicable laws and the scope of your engagement.

License

MIT

Download files

Source Distribution

gervijs-3.1.0.tar.gz (39.2 kB)

Uploaded Source

Built Distribution

gervijs-3.1.0-py3-none-any.whl (40.1 kB)

Uploaded Python 3

File details

Details for the file gervijs-3.1.0.tar.gz.

File metadata

  • Download URL: gervijs-3.1.0.tar.gz
  • Upload date:
  • Size: 39.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for gervijs-3.1.0.tar.gz
Algorithm Hash digest
SHA256 32fef684fa5eee68b49b03ba9b44c2716f66f5d951b921ab0418a66715a36f09
MD5 0e6c24589910e2141aedd6244c5673f9
BLAKE2b-256 3e582cf60849ed9bd3c207aa8073ab0d85cf21cf9084a5de89ff128d96bf9e1e

Provenance

The following attestation bundles were made for gervijs-3.1.0.tar.gz:

Publisher: release.yml on Euronii/gervis

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file gervijs-3.1.0-py3-none-any.whl.

File metadata

  • Download URL: gervijs-3.1.0-py3-none-any.whl
  • Upload date:
  • Size: 40.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for gervijs-3.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7888dcba675b9626867a8b71293e87a2602f1a176ed3f99867b088d8960307c1
MD5 996229b828578a5b5c9b6f56dc26c55f
BLAKE2b-256 1fb44372a6ced4c3731a197c219af9af3fd0e9f38e15b5970e7eb379d62b45df

Provenance

The following attestation bundles were made for gervijs-3.1.0-py3-none-any.whl:

Publisher: release.yml on Euronii/gervis