Regex › JavaScript Bundle Analysis
Mining minified and obfuscated bundles
A production JavaScript bundle is one giant minified line, but it still contains endpoints, secrets, routes, and config. Regex extracts all of it without needing to understand the mangled code. This lesson is regex applied to the hardest-to-read but highest-value recon source.
You'll learn to
- Extract value from minified code
- Combine multiple patterns in one pass
- Handle obfuscation's limits
Minification doesn’t hide strings
Minifiers shorten variable names and remove whitespace, but they leave string literals intact — and strings are where endpoints, keys, and URLs live.
Even in minified code, these survive and are extractable:
URLs: https?://[^\s"'`]+
API paths: ["'`](/[a-z0-9_/-]+)["'`]
Secrets: AKIA[0-9A-Z]{16} ghp_[0-9A-Za-z]{36} eyJ[\w-]+\.[\w-]+\.[\w-]*
Other hosts: [a-z0-9-]+\.(?:amazonaws|herokuapp|firebaseio)\.com
Minification mangles names but not string contents, so a battery of patterns pulls the valuable data straight out of even an unreadable bundle. You don’t need to follow the logic — you need to extract the strings.
One pass, many patterns
# Run the whole battery over a fetched bundle:
curl -s https://site.com/app.min.js > b.js
grep -oE 'https?://[^"'"'"'` ]+' b.js | sort -u # URLs
grep -oE '"(/[a-z0-9_/-]+)"' b.js | sort -u # paths
grep -oE '(AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36})' b.js | sort -u # secrets
Checkpoint
Why does regex still extract endpoints and secrets from minified JavaScript, even though the code is unreadable?
Because minification shortens variable and function names and strips whitespace, but it leaves string literals — like URLs, API paths, and keys — intact. Those strings are exactly where endpoints, secrets, and third-party hosts live. So you don't need to understand the mangled logic; you just extract the surviving strings with patterns. Minification is not obfuscation and doesn't protect the string contents.
Try it yourself
List the battery of patterns you’d run over a minified bundle: full URLs, quoted API paths, AWS and GitHub key shapes, and third-party cloud hostnames. For one of them, explain what a hit would tell you and what you’d do with it next.
Key takeaways
- Minification mangles names but leaves string literals intact.
- A battery of patterns extracts URLs, paths, secrets, and third-party hosts.
- The bundle is the app’s own backend map — highest-yield recon.
- Real obfuscation hides strings at runtime — switch to dynamic analysis then.
Quick quiz
Next, using regex to discover DOM XSS by locating sources and sinks in code.