The ultimate client-side reconnaissance tool for security researchers. Extract hidden API routes, sensitive parameters, and hardcoded secrets instantly from any website.
Built for recon - Fast, lightweight and 100% client-side.
👉 Try JSpider V2.1 now:
https://iamshafayat.github.io/JSpider/
JSpider V2.1 expands secret detection and refines the reconnaissance suite with broader pattern coverage and enhanced filtering.
- Sensitive Path Prober: Automated checks for 500+ critical paths including
.env,.git/config,phpinfo.php, backups, and cloud configurations. Features live response length filtering, instantaneous stop controls, and one-click inspection for 200/403 responses. - Parameter Discovery: Dedicated extraction and grouping of URL parameters to identify potential injection points.
- Recursive Discovery Engine: Full website crawling capability (Depth 1) with deep script analysis to find hidden routes.
- Precision Secret Detection: High-fidelity regex for 40 patterns including AWS, Google Cloud, Stripe, Slack/Discord Webhooks, JWT, Telegram, Twilio, and more.
- High-Fidelity Mapping: Captures raw file paths and absolute URLs without truncation, preserving double slashes and complex structures.
- Authentication Headers: Crawl behind login pages inject session cookies or Bearer tokens to scan authenticated dashboards, admin panels, and internal tools that general scanners miss.
- Parameters Dashboard: Live tracking, filtering, and sorting of URL parameters alongside Endpoints, Secrets, and Files.
JSpider is a powerful security reconnaissance tool designed for:
- 🔍 Endpoint Discovery: Find hidden routes and API calls.
- 🔑 Secret Detection: Automatically identify API keys, tokens, and sensitive data.
- 🕷️ Recursive Crawling: Deeper discovery by following same-domain links.
- 🧩 Reverse Engineering: Analyze client-side behavior and dynamic URLs.
It extracts data from external JS files, inline scripts, and HTML source code - instantly and completely in your browser.
| Feature | Description |
|---|---|
| 🔑 Secret Detection | High-fidelity detection for 40 patterns including AWS, Google, Stripe, Slack/Discord Webhooks, JWT, Telegram, Twilio, and more. |
| 🕷️ Recursive Scan | Depth-limited (V2.1: Depth 1) crawling of internal links. |
| 📊 Real-time Stats | Live dashboard tracking Scanned URLs, Endpoints, Parameters, Secrets, and Files. |
| 🛡️ Path Prober | Automated check for 500+ paths with live response lengths, status filters, include/exclude length filtering, and stop controls. |
| 🎯 Result Filtering | Instantly sort findings into Endpoints, Parameters, Secrets, and Files with a global search filter. |
| 🔐 Auth Headers | Crawl dashboard panels & authenticated pages that general scanners miss. Inject session cookies or Bearer tokens to access protected endpoints - just paste your Cookie or Authorization header value. |
| 📄 Advanced Export | Export to .txt, .json, .csv, and professional .md reports. |
| ✅ 100% Client-Side | No backend, no data leakage - privacy-focused by design. |
General scanners can't see past login pages. JSpider's Authentication Header Injection lets you scan authenticated dashboards, admin panels, and internal tools — the places where real endpoints live.
How it works:
- 🍪 Cookie: Grab your session cookie from the browser (e.g.,
PHPSESSID=abc123; token=xyz) and paste it into the Cookie field. JSpider sends it with every request, just like a logged-in browser. - 🔑 Bearer Token: Copy your
Authorization: Bearer <token>value and paste it into the Authorization field. JSpider attaches it to all scan and probe requests automatically.
Available for both Smart Crawler and Sensitive Path Prober — click the Authentication / Custom Headers toggle to expand the fields before scanning.
JSpider automatically excludes architectural noise to focus on valuable recon:
- Static Assets: Blocks
*.png,*.css,*.woff,*.svg, etc. - Social & Analytics: Filters LinkedIn, Facebook, Google Analytics, GTM, etc.
- Known CDNs: Ignores common libraries from jsDelivr, cdnjs, unpkg, etc.
- Invalid Prefixes: Excludes
data:,blob:,mailto:,tel:, etc.
- Visit https://iamshafayat.github.io/JSpider/
- Enter a target URL (e.g.,
https://example.com). - Click Scan Page for a quick analysis or Full Scan for recursive domain discovery.
- Monitor the Dashboard to see live extractions of Endpoints, Parameters, Secrets, and Files.
- Use the Category Tabs to filter results and the Global Search for specific keywords.
- Export your findings in
.txt,.json,.csv, or.mdformats.
- Switch to the Sensitive Path Prober tab from the header menu.
- Enter the target domain (e.g.,
https://example.com). - Click Check Paths to start probing 500+ critical paths (e.g.,
.env,.git,phpinfo.php). - Watch the Progress Bar and live Status Counters (200, 403, 404).
- Use the Status Filters (Found, Forbidden, Missing) to analyze the detected paths live.
- Advanced Filtering: Use the Include/Exclude Lengths inputs to filter out standard WAF block pages by their byte size (e.g., exclude
127, 403). - 🔗 Use the OPEN🔗 buttons to instantly verify 200 and 403 leaks in a new tab.
- Structure: HTML5 & CSS3 (Advanced Glassmorphism UI)
- Logic: Vanilla JavaScript (ES6+ / Async-Await)
- Engine: High-Precision Regex Engine (40 secret patterns)
- Proxy: Cloudflare Workers (Lightweight Proxy for CORS bypass)
This project is licensed under the Apache License 2.0.
Made with ❤️ by Shafayat Ahmed Alif & Kazi Sabbir for Security Researchers.
Feel free to connect or suggest improvements.