dest1ny-sec/desjsfinder

This is a Chrome browser extension designed for security researchers and red-team testers who want to discover hidden API endpoints in web applications. The README is written in Chinese. The extension works in two modes. In passive mode, it runs automatically while you browse: it intercepts every JavaScript file the page loads, including scripts embedded directly in the page, and extracts any API paths it finds using pattern matching. A badge on the extension icon updates in real time to show how many endpoints have been discovered. Results are sorted by risk level, with the highest-risk items shown first. In active mode, called Fuzz, the extension generates a dictionary of paths to test based on which web framework it detected on the site. It recognizes ten frameworks including Spring Boot, ThinkPHP, and Laravel, and tailors the path list accordingly. It then sends concurrent requests to each candidate path, filters out 404 responses, and shows only the ones that returned something. You can expand any result row to preview the response body, with JSON automatically formatted for readability. If the target requires authentication, you can paste custom headers including tokens into the extension before fuzzing, and every request will carry them automatically. The extension also classifies responses by fingerprint. It recognizes sixteen patterns that security testers look for, such as exposed diagnostic endpoints, database error messages containing connection strings, leaked credentials, and framework debug pages. Each matched fingerprint is labeled with a risk rating. Installation is done through Chrome's developer mode extension loader rather than the Chrome Web Store. The extension is released under the MIT License.