fefortunato/unmapper

Unmapper

JavaScript Source Map Reverser — Extract original source code from .js.map files for security testing and bug bounty reconnaissance.

  ╦ ╦╔╗╔╔╦╗╔═╗╔═╗╔═╗╔═╗╦═╗
  ║ ║║║║║║║╠═╣╠═╝╠═╝║╣ ╠╦╝
  ╚═╝╝╚╝╩ ╩╩ ╩╩  ╩  ╚═╝╩╚═

Install

npm install -g unmapper

Features

| Feature | Description |
| --- | --- |
| Local File Extraction | Extract from local .map files |
| Directory Scanning | Process all .map files in a directory |
| Remote URL Fetch | Download and extract from remote .map URLs |
| JS Probing | Probe .js files to find and extract their source maps |
| Page Spider | Spider HTML pages to find all scripts with source maps |
| Colored Output | Visual status indicators with ANSI colors |

Usage

Local Files

# Extract from local file
unmapper app.js.map -o ./extracted

# Scan directory for all .map files
unmapper -s ./js/ -o ./sources

# Deep scan (recursive)
unmapper -s ./target/ -D -o ./sources

Remote URLs

# Fetch and extract from .map URL directly
unmapper -u https://target.com/app.js.map -o ./out

# Probe a .js file for its source map
unmapper -P https://target.com/bundle.js -o ./out

# Spider a page and find all source maps
unmapper -S https://target.com/ -o ./out

Options

Local Options

| Option | Description |
| --- | --- |
| -s, --scan <path> | Scan directory for .map files |
| -D, --deep | Scan directories recursively |

Remote Options

| Option | Description |
| --- | --- |
| -u, --url <url> | Fetch and extract from .map URL directly |
| -P, --probe <url> | Probe a .js URL for its source map |
| -S, --spider <url> | Spider HTML page for all scripts |

General Options

| Option | Description |
| --- | --- |
| -h, --help | Show help message |
| -V, --version | Show version |
| -o, --out <path> | Output directory (default: current) |
| -q, --silent | Suppress banner and progress |
| -p, --prefix <path> | Override sourceRoot field |

How It Works

Probe Mode (-P)

  1. Fetches the JavaScript file
  2. Looks for //# sourceMappingURL= comment
  3. Falls back to common patterns (app.js → app.js.map)
  4. Downloads and extracts the source map

Spider Mode (-S)

  1. Fetches the HTML page
  2. Extracts all <script src="..."> tags
  3. Probes each script for source maps
  4. Extracts all found source maps

Example Output

  ╦ ╦╔╗╔╔╦╗╔═╗╔═╗╔═╗╔═╗╦═╗
  ║ ║║║║║║║╠═╣╠═╝╠═╝║╣ ╠╦╝
  ╚═╝╝╚╝╩ ╩╩ ╩╩  ╩  ╚═╝╩╚═ v1.2.0
  ─────────────────────────────────────
  JavaScript Source Map Reverser
  Extract source code from .js.map files
  For authorized security testing only

[*] Probing JS file: https://target.com/app.js
[+] Found source map: https://target.com/app.js.map
[*] Detection method: sourceMappingURL
[*] Extracting to: ./out
═══════════════════════════════════════════════════════
  ✓ Extracted 156 source files
═══════════════════════════════════════════════════════

  SUMMARY
  ├─ JS URL: app.js
  ├─ Map URL: app.js.map
  ├─ Files extracted: 156
  └─ Output: ./out

API

const {
  extractFromFile,
  extractFromUrl,
  probeJsUrl,
  spiderPage
} = require('unmapper')

// The functions return promises, so await them inside an async function
async function main() {
  // Extract from local file
  const localResult = await extractFromFile('app.js.map', './output')

  // Extract from remote URL
  const remoteResult = await extractFromUrl('https://target.com/app.js.map', './output')

  // Probe a JS file for its source map
  const probe = await probeJsUrl('https://target.com/app.js')
  if (probe.ok && probe.hasSourcesContent) {
    console.log('Map URL:', probe.mapUrl)
  }

  // Spider a page for all source maps
  const spider = await spiderPage('https://target.com/')
  console.log('Found maps:', spider.found.length)
}

main().catch(console.error)

Why?

Developers sometimes accidentally deploy source maps to production. This tool helps security researchers:

| Use Case | Description |
| --- | --- |
| Reconnaissance | Understand the application's internal structure |
| Code Review | Find vulnerabilities in the original source |
| Secret Discovery | Locate hardcoded API keys, endpoints, etc. |
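
A release-time check for the accidental deployment described above, covering both discovery methods probe mode uses (the sourceMappingURL comment and the `<name>.js.map` fallback). This is an added example, not part of unmapper; `auditBuild`, the finding labels and the sample file map are assumptions constructed for illustration.

```javascript
// Added example, not part of unmapper. `files` maps a relative path to file text.
// Matches the comment probe mode looks for (tools also accept the older //@ form).
const MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)/;

function auditBuild(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    if (name.endsWith('.js')) {
      const m = MAP_COMMENT.exec(text);
      if (m && m[1].startsWith('data:')) {
        // The whole map is embedded in the bundle itself.
        findings.push({ file: name, issue: 'inline-source-map' });
      } else if (m) {
        findings.push({ file: name, issue: 'map-reference', target: m[1] });
      } else if ((name + '.map') in files) {
        // Comment stripped, but the <name>.map fallback guess still hits.
        findings.push({ file: name, issue: 'guessable-map', target: name + '.map' });
      }
    } else if (name.endsWith('.map')) {
      let map;
      try {
        map = JSON.parse(text);
      } catch {
        findings.push({ file: name, issue: 'unparseable-map' });
        continue;
      }
      // sourcesContent carries the original code; without it only paths and names leak.
      const embedded = Array.isArray(map?.sourcesContent)
        ? map.sourcesContent.filter((s) => typeof s === 'string').length : 0;
      const issue = embedded > 0 ? 'map-with-sources' : 'map-without-sources';
      findings.push({ file: name, issue, embedded });
    }
  }
  return findings;
}

// Constructed sample standing in for a build output directory.
const sampleBuild = {
  'app.js': 'console.log(1);\n//# sourceMappingURL=app.js.map\n',
  'app.js.map': JSON.stringify({ version: 3, sources: ['src/api.js'],
    sourcesContent: ['const KEY = "placeholder";'], mappings: '' }),
  'vendor.js': 'console.log(2);\n',
  'vendor.js.map': JSON.stringify({ version: 3, sources: ['lib/x.js'], mappings: '' }),
  'clean.js': 'console.log(3);\n',
};
console.log(auditBuild(sampleBuild));
```

To run it against a real build, read the output directory into the `files` object and fail the pipeline when any finding other than `map-without-sources` is returned.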

License

MIT License - Felipe Fortunato
