Overview

Source maps (.js.map) map minified/bundled JavaScript back to original source code. When exposed in production, they reveal the full unminified codebase — variable names, comments, API endpoints, hardcoded secrets, and internal logic.

Finding Source Maps

Check for the sourceMappingURL Comment

curl -s http://TARGET/app.js | grep -i "sourceMappingURL"
Look for:
//# sourceMappingURL=app.js.map
//# sourceMappingURL=data:application/json;base64,...

Direct Access

curl -s http://TARGET/static/js/main.chunk.js.map -o main.chunk.js.map
curl -s http://TARGET/assets/app.js.map -o app.js.map

Common Paths

/static/js/*.js.map
/assets/*.js.map
/dist/*.js.map
/build/*.js.map
/js/*.js.map
/bundle.js.map
/main.js.map
/app.js.map
/vendor.js.map

Enumerate with Wordlist

ffuf -u http://TARGET/static/js/FUZZ.js.map -w js-files.txt -mc 200

Browser DevTools

  1. Open DevTools → Sources tab
  2. If source maps load, original source tree is visible
  3. Check Network tab for .map requests

Extracting Source Code

unwebpack-sourcemap

pip install unwebpack-sourcemap
unwebpack-sourcemap main.chunk.js.map -o ./extracted
Reconstructs full directory tree with original source files.

smap

# https://github.com/nickcano/smap
go install github.com/nickcano/smap@latest
smap main.chunk.js.map -o ./extracted

source-map-cli (Node)

npm install -g source-map-cli
source-map show main.chunk.js.map

Manual with jq

cat main.chunk.js.map | jq '.sources'          # List original file paths
cat main.chunk.js.map | jq '.sourcesContent[0]' # First file content

What to Look For

API Keys & Secrets

grep -rni "api_key\|apikey\|secret\|token\|password\|auth" ./extracted/
grep -rni "REACT_APP_\|VUE_APP_\|NEXT_PUBLIC_" ./extracted/

API Endpoints

grep -rni "/api/\|/v1/\|/v2/\|/graphql\|/rest/" ./extracted/
grep -rni "fetch(\|axios\.\|\.get(\|\.post(" ./extracted/

Hidden Routes & Admin Panels

grep -rni "admin\|dashboard\|internal\|debug\|/hidden" ./extracted/
grep -rni "route\|path:\|component:" ./extracted/

Comments with Sensitive Info

grep -rni "TODO\|FIXME\|HACK\|XXX\|TEMP\|password" ./extracted/

Internal Hostnames & IPs

grep -rniE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" ./extracted/
grep -rni "internal\|staging\|dev\.\|localhost" ./extracted/

Frameworks & Common Locations

Framework     Default Source Map Path
React (CRA)   /static/js/main.*.chunk.js.map
Next.js       /_next/static/chunks/*.js.map
Vue.js        /js/app.*.js.map
Angular       /main.*.js.map
Webpack       /dist/*.js.map

Automation — Full Pipeline

# 1. Find JS files
curl -s http://TARGET/ | grep -oP 'src="[^"]*\.js"' | sed 's/src="//;s/"//'

# 2. Check for source maps
for js in $(curl -s http://TARGET/ | grep -oP 'src="[^"]*\.js"' | sed 's/src="//;s/"//'); do
    map_url="http://TARGET${js}.map"
    status=$(curl -s -o /dev/null -w "%{http_code}" "$map_url")
    if [ "$status" = "200" ]; then
        echo "[+] Found: $map_url"
        curl -s "$map_url" -o "$(basename "$map_url")"
    fi
done

# 3. Extract
for map in *.js.map; do
    unwebpack-sourcemap "$map" -o "./extracted_$(basename "$map" .js.map)"
done

# 4. Hunt secrets
grep -rni "api_key\|secret\|token\|password" ./extracted_*/

Quick Reference

Task           Command
Check for map  curl -s TARGET/app.js | grep sourceMappingURL
Download       curl -s TARGET/app.js.map -o app.js.map
Extract        unwebpack-sourcemap app.js.map -o ./extracted
List files     jq '.sources' app.js.map
Hunt secrets   grep -rni "api_key\|secret\|token" ./extracted/
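
Pre-deploy check for the exposure covered on this page, as an added example (not code from the original page): it walks a build output directory and reports every `.map` file and every `sourceMappingURL` reference, both the external-file form and the inline `data:` URI form, together with how many original paths and embedded sources each map would disclose. The function names and the sample files written by `make_sample` are constructed for illustration.

```python
import base64, json, re, sys, tempfile
from pathlib import Path

# Trailing comment emitted by bundlers: //# sourceMappingURL=<file or data: URI>
MAP_REF = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)")

def describe(smap, kind):
    """Summarise what a parsed map would disclose."""
    embedded = sum(1 for c in smap.get("sourcesContent") or [] if c)
    return f"{kind}: {len(smap.get('sources', []))} source paths, {embedded} with full source embedded"

def audit_build_dir(root):
    """Return (file name, issue) pairs for source maps a deploy of `root` would publish."""
    findings = []
    for js in sorted(Path(root).rglob("*.js")):
        for ref in MAP_REF.findall(js.read_text(errors="replace")):
            if ref.startswith("data:") and ";base64," in ref:
                smap = json.loads(base64.b64decode(ref.split(";base64,", 1)[1]))
                findings.append((js.name, describe(smap, "inline map")))
            elif not ref.startswith("data:") and (js.parent / ref).is_file():
                smap = json.loads((js.parent / ref).read_text())
                findings.append((js.name, describe(smap, "external map")))
            else:
                findings.append((js.name, "map reference not resolvable in build dir"))
    for m in sorted(Path(root).rglob("*.map")):
        findings.append((m.name, "map file in deploy directory"))
    return findings

def make_sample(root):
    """Write a constructed build output (not taken from any real site)."""
    root = Path(root)
    ext = {"version": 3, "sources": ["src/api.js", "src/App.js"],
           "sourcesContent": ["const BASE = '/api/v1';", "export default App;"], "mappings": ""}
    inl = {"version": 3, "sources": ["node_modules/lib/index.js"], "mappings": ""}
    (root / "app.js.map").write_text(json.dumps(ext))
    (root / "app.js").write_text("console.log(1);\n//# sourceMappingURL=app.js.map\n")
    uri = "data:application/json;charset=utf-8;base64," + base64.b64encode(json.dumps(inl).encode()).decode()
    (root / "vendor.js").write_text(f"console.log(2);\n//# sourceMappingURL={uri}\n")
    (root / "clean.js").write_text("console.log(3);\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else tmp
        if target == tmp:
            make_sample(tmp)  # no directory given: audit the constructed sample
        results = audit_build_dir(target)
    for name, issue in results:
        print(f"{name}: {issue}")
    sys.exit(1 if results else 0)  # non-zero exit fails the CI step
```

Run it against the directory that gets uploaded (for example the bundler's output folder) as the last step before deploy; any finding means maps should be stripped from the artifact or served only to authenticated internal users.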
