Overview
Source maps (.js.map) map minified/bundled JavaScript back to original source code. When exposed in production, they reveal the full unminified codebase — variable names, comments, API endpoints, hardcoded secrets, and internal logic.
Finding Source Maps
Check HTTP Headers
Direct Access
Common Paths
Enumerate with Wordlist
Browser DevTools
- Open DevTools → Sources tab
- If source maps load, original source tree is visible
- Check Network tab for
.maprequests
Extracting Source Code
unwebpack-sourcemap
smap
source-map-cli (Node)
Manual with jq
What to Look For
API Keys & Secrets
API Endpoints
Hidden Routes & Admin Panels
Comments with Sensitive Info
Internal Hostnames & IPs
Frameworks & Common Locations
| Framework | Default Source Map Path |
|---|---|
| React (CRA) | /static/js/main.*.chunk.js.map |
| Next.js | /_next/static/chunks/*.js.map |
| Vue.js | /js/app.*.js.map |
| Angular | /main.*.js.map |
| Webpack | /dist/*.js.map |
Automation — Full Pipeline
Quick Reference
| Task | Command |
|---|---|
| Check for map | curl -s TARGET/app.js | grep sourceMappingURL |
| Download | curl -s TARGET/app.js.map -o app.js.map |
| Extract | unwebpack-sourcemap app.js.map -o ./extracted |
| List files | jq '.sources' app.js.map |
| Hunt secrets | grep -rni "api_key|secret|token" ./extracted/ |