jsmon-cli - Enhanced Security Tooling for JavaScript (jsmon.sh)

A fast and convenient tool (API client) for your JS security tasks powered by jsmon.sh.

What is jsmon-cli?

A command-line interface designed to act as an API client for jsmon.sh. Most of what you can do in the webapp can also be done via jsmon-cli, which calls the same API endpoints the webapp uses. The public GitHub repo for the tool is at https://github.com/rashahacks/jsmon-cli.

What is jsmon.sh?

jsmon.sh is a JS security framework made for security enthusiasts, bug bounty hunters, penetration testers and security-focused enterprises to keep track of secrets, exposures and intel in JavaScript files. As input, jsmon.sh can take a JS URL, a file (containing JS URLs), or even a domain name. Its services scan JS responses for domains, URLs, API paths, GraphQL operations, client-side vulnerabilities, GUIDs, JWTs, IP addresses, emails, S3 domains, and 100+ API keys. Embedded IP rotation, report generation, JS monitoring, and an advanced notification service are also present. But this post is about jsmon-cli, so let's focus on that.

Installation Instructions (jsmon-cli)

git clone https://github.com/rashahacks/jsmon-cli
cd jsmon-cli
go build -o jsmon

The commands above produce a binary named jsmon.

Authentication (API Key)

To authenticate jsmon-cli with your account, first get your API key by logging in at the website. Once you are logged in, click JSMON API in the nav bar and go to API Keys. If the key has expired, you can regenerate it by clicking the regenerate icon. There are two ways to authenticate with jsmon-cli:

1. Add your API key to the ~/.jsmon/credentials file. Paste the key on the first line, with no dash or curly braces around it. That's it.

2. Pass the API key to the -apikey flag of the CLI tool.
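One way to create the credentials file from method 1 with owner-only permissions and audit it afterwards, as an added example that is not part of jsmon-cli or the original post. `JSMON_DIR` and both function names are hypothetical; the key is read from stdin so it does not appear in shell history or process listings the way a `-apikey` argument does.

```shell
#!/usr/bin/env bash
# Added example: store and audit the jsmon-cli API key file.
# JSMON_DIR is a hypothetical override used only by this script (for testing);
# jsmon-cli itself reads ~/.jsmon/credentials as described above.
JSMON_DIR="${JSMON_DIR:-$HOME/.jsmon}"

# Read the key from stdin (not argv) and write it as the first line
# of the credentials file.
jsmon_store_key() {
    local key
    IFS= read -r key || [ -n "$key" ] || return 1
    [ -n "$key" ] || { echo "empty key" >&2; return 1; }
    (
        umask 077   # directory and file are owner-only from creation
        mkdir -p "$JSMON_DIR" &&
        printf '%s\n' "$key" > "$JSMON_DIR/credentials"
    ) || return 1
    # Tighten permissions in case the directory or file already existed.
    chmod 700 "$JSMON_DIR" && chmod 600 "$JSMON_DIR/credentials"
}

# Return 0 only if the credentials file is a regular, owner-only file
# whose first line looks like a bare key.
jsmon_check_creds() {
    local f="$JSMON_DIR/credentials" mode first
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "missing or symlink: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode is too open, expected 600" >&2; return 1 ;;
    esac
    IFS= read -r first < "$f" || [ -n "$first" ] || true
    case "$first" in
        ''|-*|*[{}]*|*' '*) echo "first line is not a bare key" >&2; return 1 ;;
    esac
}
```

Source the file, then run `jsmon_store_key` and paste the key followed by Enter; `jsmon_check_creds` can be run later to confirm the file has not been loosened.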

Usage

Usage of ./jsmon:
  ./jsmon [flags]

Flags:
INPUT:
  -scanUrl <jsmonId>         URL or scan ID to rescan
  -uploadUrl <url>       URL to upload for scanning
  -scanFile <fileId>        File ID to scan
  -uploadFile <file.txt>      File to upload (local path)
  -scanDomain <example.com>      Domain to automate scan

AUTHENTICATION:
  -apikey <XXX-XXXX-XXXX-XXX>          API key for authentication

OUTPUT:
  -automationData <example.com>  Get all automation results
  -scannerData            Get scanner results
  -urls                   View all URLs
  -size int               Number of URLs, automationData to fetch (default 10)
  -files                  View all files
  -usage                  View user profile

CRON JOB:
  -cron string            Set, update, or stop cronjob
  -notifications string   Set cronjob notification channel
  -time int               Set cronjob time
  -vulnerabilitiesType    Set type of cronjob (URLs, Analysis, Scanner)
  -domains string         Set domains for cronjob
  -domainsNotify string   Set notify (true/false) for each domain

ADDITIONAL OPTIONS:
  -H string               Custom headers (Key: Value, can be used multiple times)
  -words string           Comma-separated list of words to include in the scan
  -getDomains             Get all domains for the user
  -Emails <example.com>          View all Emails for specified domains
  -S3Domains <example.com>       Get all S3 Domains for specified domains
  -ips <example.com>             Get all IPs for specified domains
  -DomainUrls <example.com>      Get Domain URLs for specified domains
  -api <example.com>             Get the APIs for specified domains
  -compare <example.com>         Compare two JS responses by JSMON_IDs (format: ID1,ID2)

URL Input

jsmon -uploadUrl https://example.com/main.js
jsmon -scanUrl <jsmonId> #change detection

File Input

jsmon -uploadFile jsmon-jsurls.txt
jsmon -scanFile <fileId>

Domain Input

jsmon -scanDomain jsmon.sh

Querying Data

jsmon -usage
jsmon -automationData jsmon.sh -size 10
jsmon -ips jsmon.sh
jsmon -Emails jsmon.sh
jsmon -S3Domains jsmon.sh
jsmon -api jsmon.sh
jsmon -DomainUrls jsmon.sh
jsmon -getDomains
jsmon -urls -size 15
jsmon -scannerData
jsmon -files

Conclusion

jsmon-cli is a powerful and efficient tool that extends the capabilities of the jsmon.sh platform to the command line, making it easier for security professionals to automate and streamline their JS security tasks. With simple installation and flexible authentication methods, it offers a convenient way to leverage the robust features of jsmon.sh, including scanning, monitoring, and reporting, directly from your terminal.

Feedback

If you want to report bugs or request additions to the CLI or webapp, let us know by mailing support@jsmon.sh.

Thanks,

Inderjeet Singh (Founder, jsmon.sh)