Skip to content

add js-audit preset, streamline trufflehog HTTP ingestion#3297

Draft
liquidsec wants to merge 3 commits into
devfrom
js-audit
Draft

add js-audit preset, streamline trufflehog HTTP ingestion#3297
liquidsec wants to merge 3 commits into
devfrom
js-audit

Conversation

@liquidsec

Copy link
Copy Markdown
Collaborator

Summary

  • New bbot/presets/web/js-audit.yml (invoked as -p js-audit) for hunting leaked credentials and vulnerable libraries in client-side JavaScript. Enables http, trufflehog, badsecrets, retirejs, robots, wayback.
  • Trufflehog now streams HTTP_RESPONSE and RAW_TEXT bodies to trufflehog stdin instead of writing them to a tempfile.
  • Trufflehog FINDINGs from HTTP_RESPONSE parents now carry the source URL in data["url"], so an operator can trace a leaked secret back to the exact JS bundle.

Why

BBOT has no native workflow for hunting secrets in client-side JavaScript. Trufflehog already watches HTTP_RESPONSE but it's code-enum-flagged and doesn't get pulled in by any web-focused preset. Building js-audit surfaced two latent issues in the trufflehog module that made the output unusable for this workflow:

  1. Every HTTP_RESPONSE body was written to ~/.bbot/temp/xxx before scanning. Wasted disk I/O per response, doubles up with body-spill in configs that use it, and the tempfile path leaked into source_metadata in the FINDING description.
  2. The FINDING did not carry the URL of the response the secret came from. Operators saw Details: [{'Data': {'Filesystem': {'file': '/home/liquid/.bbot/temp/2av150lh9hz23qxjpr6r', 'line': 13}}}] with no way to correlate that to the specific JS file.

What changed

trufflehog module

  • For HTTP_RESPONSE and RAW_TEXT: switched from trufflehog filesystem <tempfile> to trufflehog stdin, piped via run_process_live(..., input=body). No tempfile. Details: field now shows Stdin: {} instead of a tempfile path.
  • For HTTP_RESPONSE parents: FINDING now includes data["url"] from the parent HTTP_RESPONSE.
  • Switched self.helpers.run_live to self.run_process_live so the trufflehog subprocess is tracked in _proc_tracker and cleaned up on scan shutdown, matching the pattern used by fingerprintx, gowitness, and nuclei.
  • Dropped the stale comment referencing trufflehog issue ASN module rewrite #162 (stdin has been supported for years).

Preset

  • bbot/presets/web/js-audit.yml. Config: trufflehog.only_verified: false (broad detection), robots.include_sitemap: true (sitemaps often enumerate JS bundle paths), wayback.urls: true + archive: true (secrets in deprecated/archived JS is a classic hunting ground).

@liquidsec liquidsec added this to the BBOT 3.1 - violent_barbara milestone Jul 10, 2026
@liquidsec
liquidsec marked this pull request as draft July 10, 2026 17:20
@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

📊 Performance Benchmark Report

Comparing dev (baseline) vs js-audit (current)

📈 Detailed Results (All Benchmarks)

📋 Complete results for all benchmarks - includes both significant and insignificant changes

🧪 Test Name 📏 Base 📏 Current 📈 Change 🎯 Status
Bloom Filter Dns Mutation Tracking Performance 4.28ms 4.41ms +2.8%
Bloom Filter Large Scale Dns Brute Force 17.95ms 17.94ms -0.1%
Large Closest Match Lookup 375.27ms 349.12ms -7.0%
Realistic Closest Match Workload 193.63ms 195.14ms +0.8%
Event Memory Medium Scan 1402 B/event 1402 B/event +0.0%
Event Memory Large Scan 1527 B/event 1527 B/event +0.0%
Event Validation Full Scan Startup Small Batch 405.18ms 405.67ms +0.1%
Event Validation Full Scan Startup Large Batch 546.39ms 542.45ms -0.7%
Make Event Autodetection Small 26.03ms 26.25ms +0.9%
Make Event Autodetection Large 267.71ms 269.08ms +0.5%
Make Event Explicit Types 11.65ms 11.71ms +0.5%
Excavate Single Thread Small 4.457s 4.204s -5.7%
Excavate Single Thread Large 10.313s 9.875s -4.3%
Excavate Parallel Tasks Small 4.639s 4.371s -5.8%
Excavate Parallel Tasks Large 6.955s 6.516s -6.3%
Intercept Throughput Small 889.00ms 884.16ms -0.5%
Intercept Throughput Medium 872.06ms 943.30ms +8.2%
Dns Throughput Quiet 2.803s 2.820s +0.6%
Dns Throughput Loaded 1.852s 1.968s +6.3%
Dns Throughput Inherited 2.537s 2.321s -8.5%
Is Ip Performance 2.33ms 2.32ms -0.8%
Make Ip Type Performance 233.41µs 247.29µs +5.9%
Mixed Ip Operations 2.46ms 2.46ms -0.1%
Memory Use Web Crawl 1.0 MB 1.0 MB +0.0%
Memory Use Subdomain Enum 28.3 MB 28.3 MB +0.0%
Memory Use Deep Chain 5.0 MB 5.0 MB +0.0%
Memory Use Parallel Chains 12.5 MB 12.4 MB -0.9%
Scan Throughput 100 2.980s 2.795s -6.2%
Scan Throughput 1000 20.526s 20.705s +0.9%
Typical Queue Shuffle 5.36µs 5.45µs +1.7%
Priority Queue Shuffle 26.18µs 26.03µs -0.6%

🎯 Performance Summary

No significant performance changes detected (all changes <10%)


🐍 Python Version 3.11.15

@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90%. Comparing base (6f62e97) to head (e0f1e97).

Additional details and impacted files
@@          Coverage Diff          @@
##             dev   #3297   +/-   ##
=====================================
+ Coverage     90%     90%   +1%     
=====================================
  Files        450     450           
  Lines      46229   46251   +22     
=====================================
+ Hits       41484   41509   +25     
+ Misses      4745    4742    -3     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant