Jsmon Chrome Extension Guide: Automated JS Reconnaissance
The Jsmon Chrome Extension is your personal, passive reconnaissance tool, designed for security researchers and penetration testers. It automatically captures JavaScript (JS) URLs as you browse and submits them to your Jsmon workspace for real-time analysis, including checking for secrets, API paths, and more.
1. Installation
Go to the Jsmon Chrome Extension link and click the "Add to Chrome" button.
Prerequisites
A Google Chrome or Chromium-based browser (e.g., Brave, Edge).
A Jsmon account at https://jsmon.sh (to obtain your API Key and Workspace ID).
Step-by-Step Installation
Navigate to the Chrome Web Store: Open your browser and go to the extension link: https://chromewebstore.google.com/detail/jsmon-chrome-extension/bhkfnhmplfhhecndkdhinlliibjecfdk
Add the Extension: Click the "Add to Chrome" or "Install" button.
Confirm Installation: Review the required permissions and click "Add extension".
Pin the Extension: Click the puzzle piece icon (Extensions menu) in your toolbar, and then click the Pin icon next to the Jsmon Extension entry for easy access.
2. Configuration and Authentication
The extension needs your credentials to link to your personal workspace.
Step 1: Obtain Your API Key and Workspace ID
Log in to your account on the Jsmon web application at https://jsmon.sh.
Navigate to the Settings > JSMON API section.
Generate and copy your personal API Key.

Step 2: Configure the Extension
Click the Jsmon Extension Icon in your Chrome toolbar.
Enter API Key: Paste the API key into the prompt.
Select Workspace: The extension will prompt you to select an existing workspace from your account. Choose the workspace where you want the collected JS URLs to be stored.
Click "Start Scanning" (or a similar button) to save the settings and initialize the connection.
3. Usage: Automated JS URL Collection
Once configured, the extension passively monitors your browsing activity.
Automated Scanning
Turn On: Click the "Turn on" button (or toggle) inside the extension popup to begin monitoring.
Browse: As you browse websites, the extension will automatically intercept requests for .js files and any response whose Content-Type contains javascript, and send those URLs to the Jsmon API.
Important Note: The extension initially captures traffic from every tab, including background traffic from sites like Google, YouTube, and analytics beacons. This is why the Domain Scope Filter is a critical next step.
CRITICAL: Using the Domain Scope Filter
The Domains in scope feature is essential for two reasons:
API Consumption: It prevents you from wasting API calls on irrelevant domains (e.g., Netflix, Amazon) that you are not actively hacking.
Data Cleanliness: It ensures your workspace is only populated with data relevant to your target domains.
How to Set the Scope:
In the extension popup, locate the "Domains in scope" input field.
Add Target Domains: Enter the domains you are actively targeting for security research (e.g., acmecorp.com).
Delimiter: Use a comma (,) to separate multiple domains (e.g., support.acmecorp.com, videos.acmecorp.com).
Activation: The extension will now only submit JS URLs that match the specified domains, drastically reducing noise and saving API usage.
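The scope decision described above, sketched as an added example (not the extension's own code). The function names are hypothetical, and it assumes that a scope entry also covers its subdomains and that an empty scope list means no filtering.

```javascript
// Added illustration; not the Jsmon extension's source code.
// Assumption: a scope entry covers its own hostname and any subdomain of it.

// Split the comma-delimited "Domains in scope" value into clean hostnames.
function parseScope(input) {
  return input
    .split(",")
    .map((d) => d.trim().toLowerCase().replace(/\.$/, ""))
    .filter((d) => d.length > 0);
}

// Match on a label boundary so "notacmecorp.com" is not treated as "acmecorp.com".
function hostInScope(hostname, scope) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return scope.some((d) => host === d || host.endsWith("." + d));
}

// JavaScript means a path ending in .js or a Content-Type containing "javascript".
function looksLikeJs(url, contentType) {
  const ct = (contentType || "").toLowerCase();
  return url.pathname.toLowerCase().endsWith(".js") || ct.includes("javascript");
}

// Decide whether an observed request would be submitted under this scope.
function shouldSubmit(rawUrl, contentType, scopeInput) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable URL: never submit
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const scope = parseScope(scopeInput);
  // Assumption: an empty scope means no filtering (every tab is captured).
  if (scope.length > 0 && !hostInScope(url.hostname, scope)) return false;
  return looksLikeJs(url, contentType);
}

// Constructed sample traffic: [url, Content-Type].
const SAMPLE = [
  ["https://support.acmecorp.com/static/app.js?v=3", "text/plain"],
  ["https://videos.acmecorp.com/bundle", "application/javascript; charset=utf-8"],
  ["https://www.acmecorp.com/app.js", "text/javascript"],
  ["https://www.youtube.com/base.js", "text/javascript"],
  ["https://support.acmecorp.com/index.html", "text/html"],
];
const SCOPE = "support.acmecorp.com, videos.acmecorp.com";
for (const [u, ct] of SAMPLE) console.log(shouldSubmit(u, ct, SCOPE), u);
```

With this scope, www.acmecorp.com is filtered out because only the two listed subdomains were entered; under the same assumption, entering acmecorp.com would cover all three hosts.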
4. Viewing and Querying Results (On the Web App)
All data collected by the Chrome Extension is sent to your chosen Jsmon workspace dashboard for detailed analysis.
View URLs: Navigate to the JS URLs section on the Jsmon web app to see the list of collected JavaScript files.
Analysis: The platform automatically performs reconnaissance on these files and provides results under:
JS Intelligence
Keys & Secrets
By properly setting up the scope, the Jsmon Chrome Extension becomes a highly efficient tool for passive JS reconnaissance, ensuring you capture all relevant JS assets without exceeding your API limits.