jxscout-relationships

jxscout Asset Relationships

jxscout tracks how web assets relate to each other: which JS files an HTML page loads, which iframes it embeds, which chunks were discovered from a script, and which source maps were reversed. Use these commands to map the attack surface of a specific page or trace how assets are connected.

Prerequisites

The JXSCOUT_PROJECT_NAME environment variable must be set. All commands use jxscout-pro-v2 -c (client mode).

Commands

Get JS files loaded by a page

jxscout-pro-v2 -c get-loaded-js-files <url_or_path> [--include-reversed-sources] [--json]

Lists all JS files loaded by an HTML page. Pass either the URL or the local file path.

• --include-reversed-sources -- also include file paths of reversed source map files
• --json -- structured output with js_files and optionally reversed_sources arrays

This is useful for scoping your analysis to the JS that actually runs on a specific page, rather than searching the entire project.

Get loader page for a JS file

jxscout-pro-v2 -c get-js-file-loader-page <url_or_path> [--json]

Returns the HTML page(s) that load a given JS file. This is the reverse of get-loaded-js-files. Pass either the URL or the local file path of the JS file.

Also works with reversed source files -- it follows the chain (reversed source -> source map -> JS file) to find the pages that load the original JS file the reversed source was extracted from.

• --json -- structured output with a loader_pages array

This is useful for impact assessment: given a JS file with a vulnerability or interesting code, find which pages are affected.

Get iframes loaded by a page

jxscout-pro-v2 -c get-loaded-iframes <url_or_path> [--json]

Lists all iframes embedded by an HTML page. Relevant for:

• postMessage analysis: iframes are common postMessage targets and sources
• Cross-origin interactions: understanding which origins are framed
• Clickjacking assessment: identifying framed content

Workflow

1. Start with a page: use get-loaded-js-files to see what JS runs on a specific page
2. Check iframes: use get-loaded-iframes to understand cross-origin framing
3. Follow the chain: reversed sources often have more readable code -- check those for sensitive logic
4. Trace back to pages: use get-js-file-loader-page to find which pages load a specific JS file or reversed source -- useful when you find something interesting and need to know the affected pages

Use cases

• Scoping analysis to a page: instead of searching the entire project, find exactly which JS files power a specific page and focus your review there
• Finding hidden code: lazy-loaded chunks often contain admin panels, internal tools, or feature-flagged code that isn't loaded by default
• postMessage research: mapping which iframes a page loads helps identify cross-origin messaging patterns
• Understanding dependencies: tracing which pages load a vulnerable script helps assess impact
• Impact assessment: given a JS file or reversed source with a finding, use get-js-file-loader-page to determine which pages are affected and prioritize accordingly