> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# JavaScript Source Maps (.js.map)

> Exploiting exposed JavaScript source map files to recover original source code, API keys, and internal logic.

## Overview

Source maps (`.js.map`) map minified/bundled JavaScript back to original source code. When exposed in production, they reveal the full unminified codebase — variable names, comments, API endpoints, hardcoded secrets, and internal logic.

***

## Finding Source Maps

### Check HTTP Headers

```bash theme={"dark"}
curl -s http://TARGET/app.js | grep -i "sourceMappingURL"
```

Look for:

```
//# sourceMappingURL=app.js.map
//# sourceMappingURL=data:application/json;base64,...
```

### Direct Access

```bash theme={"dark"}
curl -s http://TARGET/static/js/main.chunk.js.map -o main.chunk.js.map
curl -s http://TARGET/assets/app.js.map -o app.js.map
```

### Common Paths

```
/static/js/*.js.map
/assets/*.js.map
/dist/*.js.map
/build/*.js.map
/js/*.js.map
/bundle.js.map
/main.js.map
/app.js.map
/vendor.js.map
```

### Enumerate with Wordlist

```bash theme={"dark"}
ffuf -u http://TARGET/static/js/FUZZ.js.map -w js-files.txt -mc 200
```

### Browser DevTools

1. Open DevTools → Sources tab
2. If source maps load, original source tree is visible
3. Check Network tab for `.map` requests

***

## Extracting Source Code

### unwebpack-sourcemap

```bash theme={"dark"}
pip install unwebpack-sourcemap
unwebpack-sourcemap main.chunk.js.map -o ./extracted
```

Reconstructs full directory tree with original source files.

### smap

```bash theme={"dark"}
# https://github.com/nickcano/smap
go install github.com/nickcano/smap@latest
smap main.chunk.js.map -o ./extracted
```

### source-map-cli (Node)

```bash theme={"dark"}
npm install -g source-map-cli
source-map show main.chunk.js.map
```

### Manual with jq

```bash theme={"dark"}
cat main.chunk.js.map | jq '.sources'          # List original file paths
cat main.chunk.js.map | jq '.sourcesContent[0]' # First file content
```

***

## What to Look For

### API Keys & Secrets

```bash theme={"dark"}
grep -rni "api_key\|apikey\|secret\|token\|password\|auth" ./extracted/
grep -rni "REACT_APP_\|VUE_APP_\|NEXT_PUBLIC_" ./extracted/
```

### API Endpoints

```bash theme={"dark"}
grep -rni "/api/\|/v1/\|/v2/\|/graphql\|/rest/" ./extracted/
grep -rni "fetch(\|axios\.\|\.get(\|\.post(" ./extracted/
```

### Hidden Routes & Admin Panels

```bash theme={"dark"}
grep -rni "admin\|dashboard\|internal\|debug\|/hidden" ./extracted/
grep -rni "route\|path:\|component:" ./extracted/
```

### Comments with Sensitive Info

```bash theme={"dark"}
grep -rni "TODO\|FIXME\|HACK\|XXX\|TEMP\|password" ./extracted/
```

### Internal Hostnames & IPs

```bash theme={"dark"}
grep -rniE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" ./extracted/
grep -rni "internal\|staging\|dev\.\|localhost" ./extracted/
```

***

## Frameworks & Common Locations

| Framework   | Default Source Map Path          |
| ----------- | -------------------------------- |
| React (CRA) | `/static/js/main.*.chunk.js.map` |
| Next.js     | `/_next/static/chunks/*.js.map`  |
| Vue.js      | `/js/app.*.js.map`               |
| Angular     | `/main.*.js.map`                 |
| Webpack     | `/dist/*.js.map`                 |

***

## Automation — Full Pipeline

```bash theme={"dark"}
# 1. Find JS files
curl -s http://TARGET/ | grep -oP 'src="[^"]*\.js"' | sed 's/src="//;s/"//'

# 2. Check for source maps
for js in $(curl -s http://TARGET/ | grep -oP 'src="[^"]*\.js"' | sed 's/src="//;s/"//'); do
    map_url="http://TARGET${js}.map"
    status=$(curl -s -o /dev/null -w "%{http_code}" "$map_url")
    if [ "$status" = "200" ]; then
        echo "[+] Found: $map_url"
        curl -s "$map_url" -o "$(basename $map_url)"
    fi
done

# 3. Extract
for map in *.js.map; do
    unwebpack-sourcemap "$map" -o "./extracted_$(basename $map .js.map)"
done

# 4. Hunt secrets
grep -rni "api_key\|secret\|token\|password" ./extracted_*/
```

***

## Quick Reference

| Task          | Command                                           |
| ------------- | ------------------------------------------------- |
| Check for map | `curl -s TARGET/app.js \| grep sourceMappingURL`  |
| Download      | `curl -s TARGET/app.js.map -o app.js.map`         |
| Extract       | `unwebpack-sourcemap app.js.map -o ./extracted`   |
| List files    | `jq '.sources' app.js.map`                        |
| Hunt secrets  | `grep -rni "api_key\|secret\|token" ./extracted/` |

***

## Sources

* [MDN — Use a Source Map](https://developer.mozilla.org/en-US/docs/Tools/Debugger/How_to/Use_a_source_map)
* [PortSwigger — Information Disclosure via Source Maps](https://portswigger.net/kb/issues/00600600_javascript-source-map-detected)
* [Webpack — Devtool Source Maps](https://webpack.js.org/configuration/devtool/)
