Morgan is an advanced JavaScript security analyzer designed to detect and mitigate sensitive data exposure in client-side JavaScript files.
It is a vital tool for developers, security professionals, and penetration testers aiming to secure web applications against potential vulnerabilities caused by exposed credentials or misconfigurations.
Morgan uses predefined regular expressions to identify sensitive data types, such as:
Users can customize these patterns to suit specific needs, enhancing detection accuracy.
Morgan employs entropy analysis to identify high-entropy strings, which often represent secure tokens or cryptographic keys. This technique uncovers obfuscated secrets that escape traditional pattern matching.
The tool identifies obfuscation techniques used to hide sensitive data in JavaScript files. It detects:
eval()
and Function()
.Morgan evaluates a website’s CSP headers to identify weak configurations, such as the use of unsafe-inline
or unsafe-eval
, which can expose applications to cross-site scripting (XSS) attacks.
Morgan can crawl websites to extract and analyze embedded JavaScript files. It supports downloading files for offline inspection and uses intelligent caching to optimize performance.
Users can configure scan depth, timeout settings, filters for specific findings, and user-agent customization. This flexibility ensures tailored scans for diverse use cases.
Morgan is command-line based and supports multi-threaded processing for efficient analysis of large-scale applications. For example:
python Morgan.py https://example.com --download --timeout 10 --filter "API Key" --entropy 5
This command scans the specified URL, downloads JavaScript files, applies a timeout of 10 seconds per request, filters results for API keys, and sets an entropy threshold of 5.
Morgan is a powerful tool for securing modern web applications by automating the detection of sensitive data exposure in JavaScript files.
Its comprehensive features make it an essential asset for identifying vulnerabilities and preventing unauthorized access.
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…