Web Application Analysis

Morgan : Advanced JavaScript Security Analyzer

Morgan is an advanced JavaScript security analyzer designed to detect and mitigate sensitive data exposure in client-side JavaScript files.

It is a vital tool for developers, security professionals, and penetration testers aiming to secure web applications against potential vulnerabilities caused by exposed credentials or misconfigurations.

Key Features Of Morgan

Pattern-Based Detection

Morgan uses predefined regular expressions to identify sensitive data types, such as:

  • API Keys & Tokens: Detects keys for services like AWS, GitHub, and Stripe.
  • Private Keys: Identifies SSH, RSA, and EC private keys.
  • Credentials: Finds usernames, passwords, and session IDs.
  • URLs & IP Addresses: Highlights exposed internal resources or endpoints.

Users can customize these patterns to suit specific needs, enhancing detection accuracy.

Morgan employs entropy analysis to identify high-entropy strings, which often represent secure tokens or cryptographic keys. This technique uncovers obfuscated secrets that escape traditional pattern matching.

The tool identifies obfuscation techniques used to hide sensitive data in JavaScript files. It detects:

  • Dynamic execution methods like eval() and Function().
  • Encoded strings using Base64 or hexadecimal formats.
  • Complex string concatenation patterns.

Morgan evaluates a website’s CSP headers to identify weak configurations, such as the use of unsafe-inline or unsafe-eval, which can expose applications to cross-site scripting (XSS) attacks.

JavaScript File Crawling And Analysis

Morgan can crawl websites to extract and analyze embedded JavaScript files. It supports downloading files for offline inspection and uses intelligent caching to optimize performance.

Users can configure scan depth, timeout settings, filters for specific findings, and user-agent customization. This flexibility ensures tailored scans for diverse use cases.

Morgan is command-line based and supports multi-threaded processing for efficient analysis of large-scale applications. For example:

python Morgan.py https://example.com --download --timeout 10 --filter "API Key" --entropy 5

This command scans the specified URL, downloads JavaScript files, applies a timeout of 10 seconds per request, filters results for API keys, and sets an entropy threshold of 5.

Morgan is a powerful tool for securing modern web applications by automating the detection of sensitive data exposure in JavaScript files.

Its comprehensive features make it an essential asset for identifying vulnerabilities and preventing unauthorized access.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtoolsMorgan
2 days ago

Recent Posts

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

8 hours ago

Modern Network Fingerprinting : HASSH And JA4+SSH Tools

Network fingerprinting is a critical technique for identifying and analyzing network traffic patterns, particularly in…

8 hours ago

HowToHunt : Unleashing The Power Of Advanced Hunting Tools

"HowToHunt" is a platform designed to assist hunters in improving their skills, planning their expeditions,…

8 hours ago

SkyFall-Pack : Infrastructure Automation For C2 Operations

SkyFall-Pack is an advanced infrastructure automation toolkit designed for Command and Control (C2) operations. It…

8 hours ago

LummaC2 Stealer : Unpacking The Threats Of A Marketed ‘Premium’ Malware

LummaC2 is a commodity malware designed as an information stealer, targeting browsers, cryptocurrency wallets, and…

8 hours ago

RustOwl : A Visualization Tool For Ownership And Lifetime

RustOwl is an innovative tool designed to enhance the Rust programming experience by visualizing ownership…

8 hours ago