dest1ny-sec/desjsfinder — explained in plain English
Analysis updated 2026-06-24
Passively collect hidden API endpoints from any website you browse during a security assessment without writing any scripts.
Fuzz a Spring Boot or Laravel application for exposed admin or debug paths using an auto-generated dictionary tailored to that framework.
Detect high-risk responses like leaked database error messages or exposed credential pages during a red-team engagement by checking fingerprint labels.
| dest1ny-sec/desjsfinder | aburousan/typsteditor | gordensun/cad-power-animations | |
|---|---|---|---|
| Stars | 19 | 19 | 19 |
| Language | JavaScript | JavaScript | JavaScript |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 2/5 | 3/5 | 3/5 |
| Audience | developer | researcher | designer |
Figures from each repo's GitHub metadata at analysis time.
Load via Chrome developer mode, not available on the Chrome Web Store. Intended for authorized security testing only.
This is a Chrome browser extension designed for security researchers and red-team testers who want to discover hidden API endpoints in web applications. The README is written in Chinese. The extension works in two modes. In passive mode, it runs automatically while you browse: it intercepts every JavaScript file the page loads, including scripts embedded directly in the page, and extracts any API paths it finds using pattern matching. A badge on the extension icon updates in real time to show how many endpoints have been discovered. Results are sorted by risk level, with the highest-risk items shown first. In active mode, called Fuzz, the extension generates a dictionary of paths to test based on which web framework it detected on the site. It recognizes ten frameworks including Spring Boot, ThinkPHP, and Laravel, and tailors the path list accordingly. It then sends concurrent requests to each candidate path, filters out 404 responses, and shows only the ones that returned something. You can expand any result row to preview the response body, with JSON automatically formatted for readability. If the target requires authentication, you can paste custom headers including tokens into the extension before fuzzing, and every request will carry them automatically. The extension also classifies responses by fingerprint. It recognizes sixteen patterns that security testers look for, such as exposed diagnostic endpoints, database error messages containing connection strings, leaked credentials, and framework debug pages. Each matched fingerprint is labeled with a risk rating. Installation is done through Chrome's developer mode extension loader rather than the Chrome Web Store. The extension is released under the MIT License.
A Chrome extension for security testers that passively extracts hidden API endpoints from JavaScript files while browsing, and actively fuzzes paths based on detected web frameworks.
Mainly JavaScript. The stack also includes JavaScript, Chrome Extension.
MIT License, use freely for any purpose including commercial use, as long as you keep the copyright notice.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.