A Firefox browser extension for extracting secrets, endpoints, and custom regex matches from JavaScript sources on any web page.
JS Extractor scans all JavaScript sources on the current page — both inline `<script>` blocks and external `.js` files — and runs your regex patterns against them to extract matches. It's built for bug bounty hunters, penetration testers, and security researchers who need to quickly find:
- 🔗 API endpoints & URLs — REST paths, relative paths, full URLs, files with extensions
- 🔑 Secrets & API keys — AWS, Google, Stripe, GitHub, Slack, Firebase, JWT, and 80+ more
- 🔍 Anything custom — add your own regex patterns in organized groups
- Pattern Groups — Organize regex patterns into logical groups (e.g. "Endpoints", "Secrets")
- 90+ Built-in Secret Patterns — Covering Google, AWS, Facebook, Stripe, GitHub, GitLab, Slack, Discord, database connection strings, private keys, JWTs, bearer tokens, and many more
- 5 Built-in Endpoint Patterns — Full URLs, relative paths, REST APIs, file extensions, standalone files
- Inline + External JS — Extracts from both inline scripts and fetched external `.js` files
- Search & Filter — Search through results instantly
- Copy Anywhere — Copy individual values, source URLs, or all results at once
- Collapsible Results — Results grouped by pattern with expand/collapse
- Paginated Results — Handles 1000+ matches smoothly with "Show more" pagination
- Saved Notes — Bookmark matches directly to a persistent Notes tab for later review
- Import / Export Groups — Share and backup your pattern groups easily using YAML
- Fully Customizable — Create, edit, and delete your own groups and patterns
- Dark Theme — Premium dark UI built for long sessions
- Clone or download this repository
- Open Firefox and navigate to `about:debugging`
- Click "This Firefox" → "Load Temporary Add-on..."
- Select the `manifest.json` file from the project directory
- The extension icon will appear in your toolbar
- Navigate to any web page you want to analyze
- Click the JS Extractor icon in the toolbar
- Select a pattern group (Endpoints / URLs or Secret Text) or create your own
- Click "Extract from page"
- Browse the results — search, copy values, copy source URLs
- Save to Notes — click the bookmark icon next to any interesting match to automatically save it to your persistent Notes tab
- Click the + button in the header to create a new group
- Click "+ Add pattern" to add a regex pattern to the active group
- Enter your regex and a description
- Patterns are saved locally and persist across sessions
You can backup or share your custom pattern groups using the Import and Export buttons located in the popup header next to the "New Group" button.
- Export: Generates a `.yml` file backup of your active group.
- Import: Opens a modal where you can directly paste your YAML string to securely import a group.
The extension uses a simple, readable YAML format for groups:
```yaml
js-extractor:
  name: Group Name
  patterns:
    - regex: 'apiKey_[A-Za-z0-9]+'
      description: 'Example pattern description'
```

Want to explore more patterns for specific frameworks, vulnerabilities, or technologies? Check out js-extractor-groups — a community-driven collection of pattern groups that you can seamlessly import into JS Extractor. Contributions are highly encouraged!

| Pattern | Description |
|---|---|
| Full URLs | URLs with scheme (http://, https://) or protocol-relative (//) |
| Relative paths | Paths starting with /, ../, or ./ |
| File extensions | Endpoints ending in .php, .asp, .json, .js, etc. |
| REST API | REST-style multi-segment paths |
| Standalone files | Common server-side files with extensions |

| Category | Examples |
|---|---|
| API Keys, OAuth tokens, reCAPTCHA keys, Cloud Platform | |
| AWS | Access Key IDs, MWS tokens, S3 buckets, CloudFront URLs |
| Access tokens, OAuth secrets | |
| GitHub / GitLab | PATs, App tokens, Refresh tokens |
| Stripe / PayPal / Square | Live keys, sandbox tokens, OAuth secrets |
| Slack / Discord / Telegram | Bot tokens, webhooks |
| Twilio / SendGrid / Mailgun | API keys, Account SIDs |
| Database | MySQL, PostgreSQL, MongoDB, MSSQL, Redis connection strings |
| Cloud | Azure, Heroku, DigitalOcean, Firebase |
| Crypto Keys | RSA, DSA, EC, PGP, OpenSSH, PKCS8 private keys |
| Tokens | JWT, Bearer tokens, NPM/PyPI tokens |
| Credentials | Passwords, basic auth URLs, username/password pairs |
| Other | Mapbox, Algolia, Datadog, Shopify, New Relic, Dynatrace |
```text
js-extractor/
├── manifest.json    # Extension manifest (v2)
├── background.js    # Seeds default pattern groups on install
├── content.js       # Injected script — extracts matches from page JS
├── popup.html       # Extension popup UI structure
├── popup.css        # Dark theme styles
├── popup.js         # Popup logic — groups, patterns, results, search
└── icons/           # Extension icons (48px, 96px)
```
- Content Script (`content.js`) is injected into every page at `document_idle`
- When you click "Extract", the popup sends a message with the active group's patterns
- The content script collects all JS sources:
  - Inline `<script>` blocks → reads `.textContent`
  - External `<script src="...">` → fetches via `fetch()` with cache
- Each regex pattern is run against each source using `new RegExp(pattern, 'gm')`
- Matches (with captured groups, source labels, and positions) are returned to the popup
- Results are rendered with pagination (50 per batch) for performance
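
The matching step described above can be reproduced outside the browser, for example to check your own build output for leaked keys before it ships. The following is an added sketch, not the extension's `content.js`: `scanSources`, the `group` and `sources` objects, the source labels and the sample script text are all assumptions constructed for illustration. It also shows two cases the list does not cover, a pattern that fails to compile and zero-length matches.

```javascript
// Added example (not the project's code). Runs each pattern of a group against
// each collected JS source with the 'gm' flags, as the steps above describe.

// Constructed group in the shape of the YAML format; the second pattern is
// deliberately invalid to show error handling for imported patterns.
const group = {
  name: 'Group Name',
  patterns: [
    { regex: 'apiKey_[A-Za-z0-9]+', description: 'Example pattern description' },
    { regex: '(', description: 'Broken pattern (constructed)' },
  ],
};

// Constructed stand-ins for one inline <script> and one fetched external file.
const sources = [
  { label: 'inline#0', text: 'const cfg = { key: "apiKey_TEST123" };\n' },
  { label: 'https://app.example/static/main.js',
    text: '// build\nlet k = "apiKey_abcDEF";\nlet j = "apiKey_TEST123";\n' },
];

function scanSources(group, sources) {
  const matches = [];
  const errors = [];
  for (const { regex, description } of group.patterns) {
    let re;
    try {
      re = new RegExp(regex, 'gm');
    } catch (err) {
      // A bad user-supplied pattern is reported, not allowed to abort the scan.
      errors.push({ regex, message: err.message });
      continue;
    }
    for (const { label, text } of sources) {
      // matchAll works on a copy of the regex (no shared lastIndex between
      // sources) and steps past zero-length matches, so 'a*' cannot hang.
      for (const m of text.matchAll(re)) {
        matches.push({
          description,
          value: m[0],
          groups: m.slice(1),          // captured groups, if any
          source: label,
          index: m.index,              // character offset in the source
          line: text.slice(0, m.index).split('\n').length,
        });
      }
    }
  }
  return { matches, errors };
}

console.log(scanSources(group, sources));
```
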
Contributions are welcome! Here are some ways you can help:
- 🐛 Report bugs — Open an issue if something doesn't work
- 📝 Add patterns — Submit PRs with new secret detection patterns
- ✨ New features — Suggest or implement new features
- 🎨 UI improvements — Help make the interface even better
- Clone the repo
- Load as a temporary add-on in Firefox (`about:debugging`)
- Make changes — the popup reloads automatically when reopened
- For `content.js` or `background.js` changes, reload the extension
This project is licensed under the MIT License.
Made for the security research community 🔐


