Why?
You want to review JavaScript for vulnerabilities outside of the browser.
When?
This can be done when .js.map files are available. The hints are unobfuscated code in the browser debugger and //# sourceMappingURL= lines at the end of obfuscated .js files.
How?
unpack failed on some content for me and consumed the first character of filenames. source-map-unpacker worked well:
npm install source-map-unpacker
node ./node_modules/source-map-unpacker/unmap.js \
-p code.js.map -o code
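What an unpacker has to do with a map, as an added example (not part of the original post and not source-map-unpacker's code): find the sourceMappingURL hint, then pair each `sources` entry with its `sourcesContent` while keeping output paths inside the target directory. The sample map is constructed, the function names are hypothetical, and `sourceRoot` is ignored for brevity.

```javascript
// Constructed sample input; a real map is fetched from the URL named after
// "//# sourceMappingURL=" at the end of the shipped .js file.
const SAMPLE_JS = 'var a=1;\n//# sourceMappingURL=code.js.map\n';
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  sources: ['webpack:///./src/app.js', 'webpack:///../../etc/outside.js', 'webpack:///src/nocontent.js'],
  sourcesContent: ['console.log("app");', '// path tries to climb out of the output dir', null],
  mappings: ''
});

// Return the map reference from the trailing comment, or null if there is none.
function findSourceMappingURL(jsText) {
  const m = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/.exec(jsText);
  return m ? m[1] : null;
}

// Turn a "sources" entry into a relative path that cannot leave the output directory.
function safeRelativePath(source) {
  const noScheme = source.replace(/^[a-z][a-z0-9+.-]*:\/\/[^/]*\//i, ''); // drop e.g. webpack:///
  const parts = noScheme.split(/[\\/]+/)
    .filter(p => p && p !== '.' && p !== '..')   // no empty, current-dir or parent-dir segments
    .map(p => p.replace(/[:*?"<>|]/g, '_'));     // no drive letters or reserved characters
  return parts.join('/') || 'unnamed';
}

// Pair every source that has embedded content with a sanitised output path.
function unpackSourceMap(mapText) {
  const map = JSON.parse(mapText);
  if (map.version !== 3 || !Array.isArray(map.sources)) throw new Error('not a v3 source map');
  const contents = map.sourcesContent || [];
  const out = [];
  map.sources.forEach((src, i) => {
    if (typeof contents[i] !== 'string') return; // content not embedded, nothing to recover
    out.push({ path: safeRelativePath(src), content: contents[i] });
  });
  return out;
}

// Demo on the constructed sample: print the hint and the files that would be written.
console.log('map hint:', findSourceMappingURL(SAMPLE_JS));
for (const f of unpackSourceMap(SAMPLE_MAP)) console.log(f.path, f.content.length + ' bytes');
```

Entries whose `sourcesContent` slot is missing or null are skipped, because the map then only names the original file without carrying its text.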
Art licensed under Creative Commons by gforsythe