A powerful Burp Suite extension that automatically detects JavaScript URLs from HTTP traffic, scans them using TruffleHog for secrets detection, and sends findings to Discord webhooks in real-time.
- Automatic JavaScript URL Detection: Monitors HTTP traffic and automatically identifies JavaScript files
- TruffleHog Integration: Scans JavaScript files for secrets using the powerful TruffleHog tool
- Discord Webhook Support: Sends findings directly to Discord channels for real-time notifications
- Live Results Display: Shows scan results and findings in a clean, organized interface
- Configurable Settings: Customize TruffleHog path, Discord webhook, and scanning behavior
- Verified vs Unverified Secrets: Distinguishes between verified and unverified findings
- Persistent Settings: Settings are saved across Burp Suite sessions
- Adjustable UI: Resizable panels for better workflow
- File Browser: Easy TruffleHog binary path selection
- Automatic Cleanup: Temporary files are automatically cleaned up after scanning
- Burp Suite monitors HTTP traffic and detects JavaScript URLs
- TruffleHog scans the JavaScript files for secrets and vulnerabilities
- Discord receives real-time alerts about discovered secrets
```mermaid
graph TD
    A[HTTP Traffic] --> B{Contains JS URL?}
    B -->|Yes| C[Download JS File]
    B -->|No| D[Continue Monitoring]
    C --> E[Save to Temp File]
    E --> F[Run TruffleHog Scan]
    F --> G{Secrets Found?}
    G -->|Yes| H[Add to Burp Findings]
    G -->|No| I[Clean Up Temp File]
    H --> J{Discord Enabled?}
    J -->|Yes| K[Send to Discord Webhook]
    J -->|No| L[Display in UI]
    K --> L
    I --> D
    L --> D
```
- Burp Suite: Professional or Community Edition
- Python: Python 2.7 (comes with Burp Suite's Jython)
- TruffleHog: TruffleHog binary installed and accessible
```bash
# Using Homebrew
brew install trufflehog
```

```bash
# Download the latest release
# The asset file name embeds a version number, so it must match the latest release
curl -L https://github.com/trufflesecurity/trufflehog/releases/latest/download/trufflehog_3.63.7_linux_amd64.tar.gz | tar -xz
sudo mv trufflehog /usr/local/bin/
```

```powershell
# Using Chocolatey
choco install trufflehog
# Or download from GitHub releases
```

- Download the Extension: Get `jshunter_extension.py` from this repository
- Open Burp Suite: Launch Burp Suite Professional or Community
- Go to Extensions: Navigate to Extensions → Extensions
- Add Extension: Click Add → Extension type: Python
- Select File: Choose `jshunter_extension.py`
- Install: Click Next and the extension will be loaded
- Clone the repository:

  ```bash
  git clone https://github.com/iamunixtz/jshunter-burp.git
  cd jshunter-burp
  ```

- Install in Burp Suite:
  - Open Burp Suite
  - Go to Extensions → Extensions
  - Click Add → Extension type: Python
  - Select `jshunter_extension.py`
- Open JSHunter Tab: Navigate to the JSHunter tab in Burp Suite
- Configure TruffleHog Path: Set the path to your TruffleHog binary (default: `/usr/local/bin/trufflehog`)
- Set Discord Webhook: Add your Discord webhook URL for notifications
- Enable Features: Toggle auto-scanning and Discord notifications as needed
- Test Configuration: Use the "Test TruffleHog" and "Test Discord" buttons to verify setup
- Start Monitoring: The extension automatically monitors HTTP traffic when enabled
- View Results: Scan results appear in the JSHunter interface
- Review Findings: Click on findings to see details including secret type, line number, and verification status
- Discord Notifications: Verified and unverified secrets are sent to Discord with different formatting
| Setting | Description | Default |
|---|---|---|
| TruffleHog Path | Path to TruffleHog executable | /usr/local/bin/trufflehog |
| Discord Webhook URL | Discord webhook for notifications | Empty |
| Auto-scan JavaScript URLs | Automatically scan detected JS files | Enabled |
| Send Findings to Discord | Send findings to Discord webhook | Enabled |
- Scan Results Panel: Shows all scanned JavaScript URLs with status
- Findings Details Panel: Displays detailed information about detected secrets
- Resizable Panels: Adjust panel sizes for better workflow
- TruffleHog Path: Text field with browse button for easy path selection
- Discord Webhook URL: Input field for Discord webhook configuration
- Auto-scan Toggle: Enable/disable automatic JavaScript URL scanning
- Discord Notifications Toggle: Enable/disable Discord webhook notifications
- Test Buttons: Test TruffleHog and Discord webhook configurations
- Type: Type of secret detected (API Key, Token, etc.)
- Secret: The actual secret value (redacted for security)
- URL: Source JavaScript URL
- Line: Line number where the secret was found
- Verified: Whether TruffleHog verified the secret
- Copy Secret: Button to copy the secret to clipboard
- Clear Findings: Button to clear all findings
The extension sends formatted messages to Discord when secrets are found:
```
**[VERIFIED] Verified Secrets** found in https://example.com/script.js
**GitHub Token**
ghp_REDACTED
Line: 42

**[UNVERIFIED] Unverified Secrets** found in https://example.com/script.js
**API Key**
api_key: "REDACTED"
Line: 15
```
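The step from scanner output to the messages above, as an added example (not code from `jshunter_extension.py`): it parses JSON lines, redacts each secret before it leaves the machine, and builds one webhook payload per verification status. The field names assume TruffleHog v3 `--json` output for a filesystem scan, the sample lines are constructed, and `redact`, `parse_findings` and `build_payloads` are hypothetical helper names.

```python
import json

DISCORD_CONTENT_LIMIT = 2000  # Discord rejects webhook "content" longer than this

# Constructed sample shaped like TruffleHog v3 `--json` output (assumed field
# names: DetectorName, Verified, Raw, SourceMetadata.Data.Filesystem.line).
SAMPLE_OUTPUT = "\n".join([
    json.dumps({"DetectorName": "Github", "Verified": True,
                "Raw": "ghp_EXAMPLEEXAMPLEEXAMPLE0000",
                "SourceMetadata": {"Data": {"Filesystem": {"line": 42}}}}),
    "not json: progress or log noise",
    json.dumps({"DetectorName": "GenericApiKey", "Verified": False,
                "Raw": "sk_test_EXAMPLE1234",
                "SourceMetadata": {"Data": {"Filesystem": {"line": 15}}}}),
])

def redact(secret, keep=4):
    """Keep a short prefix for triage; never forward the full value."""
    return secret[:keep] + "*" * 8 if len(secret) > keep else "*" * 8

def parse_findings(output):
    """Parse JSON lines, skipping anything that is not a finding object."""
    findings = []
    for line in output.splitlines():
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if not isinstance(obj, dict) or "DetectorName" not in obj:
            continue
        fs = obj.get("SourceMetadata", {}).get("Data", {}).get("Filesystem", {})
        findings.append({"type": obj["DetectorName"],
                         "verified": bool(obj.get("Verified")),
                         "secret": redact(obj.get("Raw", "")),
                         "line": fs.get("line")})
    return findings

def build_payloads(findings, js_url):
    """One webhook payload per verification status, in the layout shown above."""
    payloads = []
    for verified, label in ((True, "[VERIFIED] Verified"), (False, "[UNVERIFIED] Unverified")):
        group = [f for f in findings if f["verified"] == verified]
        if group:
            body = "**%s Secrets** found in %s\n" % (label, js_url)
            body += "\n".join("**%s**\n%s\nLine: %s" % (f["type"], f["secret"], f["line"])
                              for f in group)
            payloads.append({"content": body[:DISCORD_CONTENT_LIMIT]})
    return payloads
```

Each returned dictionary is the JSON body for one HTTP POST to the webhook URL; the URL itself grants posting rights to the channel and should be stored like any other credential.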
- Verify TruffleHog is installed: `trufflehog --version`
- Check the path in extension settings
- Use the "Test TruffleHog" button to verify
- Verify the webhook URL is correct
- Test with the "Test Discord" button
- Check Discord server permissions
- Ensure you're browsing websites with JavaScript files
- Check that auto-scanning is enabled in settings
- Look for `.js` files in HTTP traffic
- Ensure you're using Python extension type in Burp Suite
- Check that the file path is correct
- Verify Burp Suite has permission to read the file
- Burp Suite Professional or Community
- Python 2.7 (Jython)
- TruffleHog binary
```
jshunter-burp/
├── jshunter_extension.py   # Main extension file
├── README.md               # This file
└── LICENSE                 # MIT License
```
- IBurpExtender: Main extension interface
- IHttpListener: HTTP traffic monitoring
- ITab: Custom UI tab
- TruffleHog Integration: External binary execution
- Discord Webhook: HTTP POST requests
- Java Swing UI: User interface components
- Fork the repository
- Create a feature branch: `git checkout -b feature/amazing-feature`
- Commit your changes: `git commit -m 'Add amazing feature'`
- Push to the branch: `git push origin feature/amazing-feature`
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Burp Suite: PortSwigger Documentation
- PortSwigger for the amazing Burp Suite platform
- TruffleHog for the powerful secrets scanner
- Burp Suite Community for extension development resources
- Initial release
- Automatic JavaScript URL detection
- TruffleHog integration
- Discord webhook support
- Resizable UI panels
- Persistent settings
- Automatic file cleanup
- Comprehensive error handling