v1.2.3 · JS & Source Map Secret Scanner · by alonebeast002
Terminal-based recon toolkit — hunt exposed secrets, API keys, and sensitive endpoints from live JavaScript files and source maps.
pip install beastcryptRequires Python 3.8+. No external dependencies needed.
beastcrypt # interactive menu (recommended)| Mode | Description |
|---|---|
| 1 | Single Target URL — deep crawl + source map extraction |
| 2 | Subdomain List — scan multiple targets from a .txt file |
| 3 | JS / .map URL List — direct secrets scan on provided URLs |
| Category | Examples |
|---|---|
| Cloud Keys | AWS Access/Secret Key, Azure Storage Key, Azure SAS Token |
| Auth Tokens | JWT, Bearer Token, GitHub Token (ghp_, github_pat_) |
| API Keys | Google API Key, Firebase Key, Generic API Key |
| Payment | Stripe Live/Test Keys |
| Messaging | Slack Token, SendGrid Key |
| Generic | Passwords, Session Tokens, Access Tokens, Private Keys |
| Infrastructure | Firebase URLs, Cloudinary URLs |
| Internal Paths | Webpack paths, API routes, admin/internal endpoints |
| File | Contents |
|---|---|
all_js_urls.txt |
All discovered JS asset URLs |
results.json |
Secrets with type, value, source, and timestamp |
internal_paths.txt |
Extracted internal API paths and routes |
- Fetches target URL and crawls for linked
.jsfiles - For each
.jsfile, attempts to fetch its.mapsource map - Scans all content with 20+ secret patterns using regex
- Extracts internal paths matching sensitive route patterns
- Saves everything to local output files in real time
Supports 15 concurrent threads. SSL verification skipped for self-signed certs. Press Ctrl+C anytime to stop — results are saved on exit.
For authorized security testing and bug bounty research only. Always obtain permission before scanning any target.
alonebeast002 · MIT