A high-performance, concurrent JavaScript security scanner designed to extract endpoints, API paths, and detect sensitive information from JavaScript files.
KODOK is a command-line tool that recursively crawls JavaScript files to discover:
- API endpoints and URL paths
- Hardcoded secrets and credentials
- Internal service URLs
- Configuration endpoints
Built with Go for speed and efficiency, KODOK uses concurrent workers, intelligent caching, and advanced pattern matching to scan large codebases quickly.
- Concurrent Scanning: Configurable worker pool for parallel processing
- Recursive Discovery: Deep scanning of JavaScript dependencies
- Smart Deduplication: LRU cache prevents redundant processing
- Domain Filtering: Wildcard support for scoping scans to specific domains
- Secret Detection: Pattern-based identification of 30+ credential types
- SSRF Protection: Built-in validation against internal/private addresses
- Single URL via
-uflag - File input via
-fflag - Pipeline support via stdin
- JSON: Detailed results with metadata
- TXT: Clean list of discovered URLs
# Clone the repository
git clone https://github.com/rhyru9/kodok.git
cd kodok
# Build the binary
go build -o kodok cmd/kodok/main.go
# Optional: Install to PATH
go install ./cmd/kodokScan a single JavaScript file:
kodok -u https://example.com/app.jsScan multiple URLs from a file:
kodok -f urls.txtRead URLs from stdin:
cat urls.txt | kodok -o resultsEnable deep scanning with custom depth:
kodok -f urls.txt -deep -depth 5 -workers 20Scope scan to specific domains:
kodok -u https://target.com -ad "target.com,*.api.target.com"Use custom headers for authentication:
kodok -u https://api.example.com/app.js \
-H "Authorization:Bearer token123,X-Custom-Header:value"Combine multiple options:
cat urls.txt | kodok \
-deep \
-depth 3 \
-workers 15 \
-ad "*.example.xy.z,*.domains.xy.z" \
-timeout 45 \
-o university_scan| Flag | Default | Description |
|---|---|---|
-u |
- | Single URL to scan |
-f |
- | File containing URLs (one per line) |
-o |
kodok_results |
Output base filename |
-workers |
10 |
Number of concurrent workers (1-100) |
-depth |
3 |
Maximum recursion depth (0-10) |
-cache |
10000 |
LRU cache size for deduplication |
-timeout |
30 |
Request timeout in seconds |
-retries |
3 |
Number of retry attempts |
-deep |
false |
Enable deep scanning of JS dependencies |
-ad |
- | Allowed domains (comma-separated, supports wildcards) |
-H |
- | Custom headers (format: Header1:Value1,Header2:Value2) |
-v |
false |
Verbose output |
KODOK supports flexible domain filtering with wildcard patterns:
kodok -u https://example.com/app.js -ad "example.com"Matches: example.com only
kodok -u https://api.example.com/app.js -ad "*.example.com"Matches: api.example.com, sub.example.com, a.b.example.com
kodok -f urls.txt -ad "*.example.xy.z,*.domains.xy.z,example.com"Matches: All subdomains of example.xy.z and domains.xy.z, plus example.com
- Wildcard
*.example.comalso matches the base domainexample.com - Domain matching is case-insensitive
- The scanner normalizes domains by removing
www.prefix
KODOK detects 30+ types of sensitive information:
- AWS Access Keys (AKIA*, ASIA*, etc.)
- Google API Keys
- Azure credentials
- Stripe API keys
- Square tokens
- Midtrans server keys
- Braintree tokens
- GitHub tokens (personal, OAuth, app)
- GitLab tokens
- NPM tokens
- Slack tokens and webhooks
- Discord bot tokens
- Telegram bot tokens
- SendGrid API keys
- Twilio credentials
- Connection strings with embedded passwords
- Hardcoded database credentials
- JWT tokens
- Bearer tokens
- Basic authentication credentials
- Private keys (RSA, SSH, PGP)
{
"type": "AWS Access Key ID",
"value": "AKIA****WXYZ",
"context": "const key = 'AKIAIOSFODNN7EXAMPLE'",
"line": 42
}KODOK uses multiple extraction methods to discover endpoints:
Detects paths in:
- String literals (
',") - Template literals (backticks)
- Object properties (
path:,url:,endpoint:) - Function calls (
fetch(),axios.get()) - Concatenated strings
Automatically identifies common API patterns:
/api/v1/users
/graphql/query
/oauth/token
/auth/login
/admin/config// From: const api = '/api/v1/users?limit=10';
Output: /api/v1/users?limit=10
// From: fetch(baseURL + '/config');
Output: /config
// From: { endpoint: 'https://api.example.com/data' }
Output: https://api.example.com/dataKODOK includes built-in protection against Server-Side Request Forgery:
- Loopback addresses:
127.0.0.1,::1,localhost - Private networks:
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 - Link-local:
169.254.169.254(AWS metadata) - Cloud metadata services
- Kubernetes internal APIs
# These will be rejected:
kodok -u http://localhost/app.js
kodok -u http://169.254.169.254/latest/meta-data/
kodok -u http://metadata.google.internal/Worker Pool (internal/core/workerpool.go)
- Manages concurrent goroutines
- Buffered task queue
- Graceful shutdown support
Processor (internal/core/processor.go)
- Orchestrates scanning workflow
- Handles recursive discovery
- Aggregates results
Fetcher (internal/fetch/fetcher.go)
- HTTP client with retry logic
- SSRF validation
- Content filtering
Extractor (internal/parse/extractor.go)
- Multi-method path extraction
- Regex-based pattern matching
- URL validation and normalization
Secret Scanner (internal/scan/secrets.go)
- Pattern-based detection
- Entropy analysis
- False positive filtering
Deduplicator (internal/cache/dedup.go)
- LRU cache implementation
- Thread-safe operations
- Prevents redundant scanning
{
"summary": {
"total_urls": 50,
"success_count": 48,
"failed_count": 2,
"total_paths": 342,
"total_secrets": 5,
"total_time": "45.2s"
},
"results": [
{
"url": "https://example.com/app.js",
"paths": ["/api/users", "/api/config"],
"secrets": [...],
"path_count": 2,
"secret_count": 0,
"depth": 0,
"duration": "1.2s",
"status_code": 200
}
]
}https://example.com/api/users
https://example.com/api/config
https://example.com/static/vendor.js
...
-
Adjust worker count based on network bandwidth:
kodok -f urls.txt -workers 20 # For high-bandwidth kodok -f urls.txt -workers 5 # For rate-limited targets
-
Set appropriate depth to balance coverage and time:
kodok -u https://example.com -deep -depth 2 # Faster kodok -u https://example.com -deep -depth 5 # More thorough
-
Use domain filtering to reduce scope:
kodok -f urls.txt -ad "*.target.com" # Only scan target domain
- Memory: ~50-100MB base + (cache_size × 100 bytes)
- Network: Concurrent connections = worker count
- CPU: Minimal (I/O bound)
-
Dynamic Path Construction: Cannot resolve runtime-evaluated paths
// Not detected: const endpoint = "/api/" + resource + "/" + id;
-
Obfuscated Code: Limited support for minified/obfuscated JavaScript
-
Template Literals: Partial support for complex template expressions
-
JavaScript Execution: No runtime evaluation (static analysis only)
- Use verbose mode (
-v) to see intermediate results - Increase depth for better coverage
- Manually review complex JavaScript files
No URLs found
# Check input format:
cat urls.txt | kodok -vRate limiting
# Reduce workers and add delay:
kodok -f urls.txt -workers 3 -timeout 60Connection timeouts
# Increase timeout:
kodok -u https://slow-site.com -timeout 120Memory usage
# Reduce cache size:
kodok -f large_list.txt -cache 5000Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
This project is licensed under the MIT License. See LICENSE file for details.
Built with:
- fatih/color - Terminal colors
- hashicorp/golang-lru - LRU cache
KODOK is designed for authorized security testing only. Users are responsible for:
- Obtaining proper authorization before scanning
- Complying with applicable laws and regulations
- Respecting rate limits and terms of service
- Using findings responsibly
Do not use this tool for unauthorized access or malicious purposes.