Bookmarklet Deep Dive: Harvest Every JavaScript URL on a Page with a Single Line

We distilled a single‑line JavaScript bookmarklet that, when clicked, sweeps the current web‑page for every .js file—both from <script src="…"> tags and inline references—deduplicates the list, and replaces the page with a slick black‑console read‑out of the URLs. The post breaks down how the one‑liner works (Sets for de‑duping, a lightweight regex, DOM‑replacement for output), shows performance & security considerations, and offers easy extensions like copying to clipboard or filtering by hostname. In under 200 characters, you get an instant asset‑inventory tool for audits, bug‑bounty recon, or plain curiosity.

April 10, 2025
Victor Nthuli
Security Best Practices
5 min read

🕸️ URL Treasure Hunter: Unearth Every JavaScript Asset with One Magic Bookmark

TL;DR: This tiny snippet transforms any website into a treasure map of its JavaScript architecture - no tools, no extensions, just pure hacking elegance.


✨ The Magic Spell

javascript:(()=>{const r=new Set;Array.from(document.scripts).forEach(s=>s.src&&r.add(s.src));(document.documentElement.outerHTML.match(/\/[\w\-./?&%]+\.js\b/g)||[]).forEach(u=>r.add(u));document.body.innerHTML='<pre style="color:#0f0;background:#000;padding:1em;white-space:pre-wrap">'+[...r].join('\n')+'</pre>'})();

Copy this spell (starting with javascript:) into a new bookmark, and you’ve crafted a powerful tool for frontend exploration.


🔍 What This Sorcery Actually Does

When activated, this bookmarklet:

  1. Hunts down every JavaScript file the page depends on
  2. Captures both external <script src="..."> files and sneaky inline references
  3. Transforms your current page into a Matrix-style terminal showing all JS assets
  4. Deduplicates everything automatically, leaving you with a clean manifest

⚙️ Under the Hood: How the Magic Works

| Code Chunk | What It’s Doing | Why It’s Clever |
| --- | --- | --- |
| const r = new Set; | Creates a magic bag that automatically rejects duplicates | No manual filtering needed - instant deduplication |
| Array.from(document.scripts) | Transforms the DOM’s script collection into something we can manipulate | Browser collections are weird - this makes them behave |
| s.src && r.add(s.src) | Only grabs external scripts with actual source URLs | Ignores inline code that would clutter our results |
| document.documentElement.outerHTML.match(/\/[\w\-./?&%]+\.js\b/g) | Scans the entire HTML for anything ending in .js | Catches those sneaky script references hiding in attributes and strings |
| document.body.innerHTML='<pre style="color:#0f0;background:#000;... | Replaces the page with a hacker-aesthetic output | Instant gratification without pop-ups or console-diving |

Pro tip: The green-on-black output isn’t just for show - it creates high contrast for readability and makes you feel like you’re in a 90s hacker movie. Win-win!


🛠️ Customize Your Tool

📋 Copy to Clipboard Instead

navigator.clipboard.writeText([...r].join('\n'))
  .then(() => alert('Heist complete! ' + r.size + ' JavaScript assets copied to clipboard'))
  .catch(e => alert('Clipboard write failed: ' + e));

🏠 Only Show Scripts from Current Domain

const host = location.host;
if (new URL(u, location).host === host) r.add(u);
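
An added example, not part of the original post: the one-liner's regex returns matches as they appear in the markup (//cdn.example/... or /static/...), so the Set can hold the same script twice, once as the absolute script.src and once as a raw match. This sketch resolves every hit against the page URL before deduplicating and splits the result by host, as the current-domain filter above does; the function names and the shop.example / cdn.example sample page are constructed for illustration.

```javascript
// Added example. JS_REF is the regex copied from the page's one-liner.
const JS_REF = /\/[\w\-./?&%]+\.js\b/g;

// What the one-liner's Set ends up holding: script.src values plus raw regex hits.
function rawSet(scriptSrcs, html) {
  const r = new Set(scriptSrcs);
  (html.match(JS_REF) || []).forEach(u => r.add(u));
  return [...r];
}

// Same inputs, but every hit is resolved against the page URL before it enters
// the Set, then split by host (the "current domain" filter, kept as two lists).
function inventory(scriptSrcs, html, pageUrl) {
  const base = new URL(pageUrl);
  const seen = new Set();
  for (const raw of rawSet(scriptSrcs, html)) {
    try {
      seen.add(new URL(raw, base).href); // "//cdn/x.js" and "/x.js" become absolute
    } catch (e) { /* not a parsable URL: skip it */ }
  }
  const all = [...seen].sort();
  const isFirst = u => new URL(u).host === base.host;
  return { firstParty: all.filter(isFirst), thirdParty: all.filter(u => !isFirst(u)) };
}

// Constructed sample page (hypothetical hosts shop.example and cdn.example).
const SAMPLE_URL = 'https://shop.example/cart';
const SAMPLE_SRCS = [
  'https://cdn.example/lib/vendor.min.js',
  'https://shop.example/static/app.js',
];
const SAMPLE_HTML =
  '<script src="https://cdn.example/lib/vendor.min.js"></script>' +
  '<script src="/static/app.js"></script>' +
  '<link rel="preload" href="/static/lazy.js" as="script">';

// In a browser, render the result as text nodes instead of innerHTML.
if (typeof document !== 'undefined') {
  const srcs = Array.from(document.scripts, s => s.src).filter(Boolean);
  const inv = inventory(srcs, document.documentElement.outerHTML, location.href);
  const pre = document.createElement('pre');
  pre.textContent = ['# first-party', ...inv.firstParty,
                     '# third-party', ...inv.thirdParty].join('\n');
  document.body.replaceChildren(pre);
} else {
  console.log(rawSet(SAMPLE_SRCS, SAMPLE_HTML).length,
              inventory(SAMPLE_SRCS, SAMPLE_HTML, SAMPLE_URL));
}
```

The regex stops at .js, so a reference such as /static/app.js?v=3 is captured without its query string and stays a separate entry from the script.src form.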

🎯 Hunt Different Asset Types

Replace the regex to target CSS, images, or fonts:

/\/[\w\-./?&%]+\.(css|png|jpg|svg|woff2?)\b/g

📊 Send to Your Dashboard

fetch('https://your-api.example/log', {
  method: 'POST',
  body: JSON.stringify([...r])
});

⚡ Performance Magic

  • Lightning fast on most pages (sub-200ms)
  • The regex is optimized for speed - no fancy look-behinds or complex assertions
  • Memory efficient using Set for automatic deduplication
  • Interrupts network activity when it rewrites the body - perfect for quick reconnaissance

🔒 Ethical Considerations

  • White hat only - This tool reads what’s already in your browser, not server-side secrets
  • Client-side only - No extra network requests or sneaky tracking
  • Permission matters - Use on your own sites or with explicit permission for testing
  • Respect the robots - While robots.txt doesn’t apply here, always honor a site’s terms

🚀 30-Second Setup

  1. Create a new bookmark (Ctrl/Cmd+D)
  2. Name it something cool like “JS Asset Hunter” or “Script Detector”
  3. Paste the one-liner into the URL field
  4. Click it on any page to see the magic happen

💎 Why This Matters

This isn’t just a neat trick—it’s a practical tool for:

  • Security auditors reviewing third-party script inclusion
  • Bug bounty hunters mapping attack surfaces
  • Developers learning how complex sites organize their code
  • Performance optimizers identifying script bloat
  • Curious minds peeking behind the curtain of web technology

🔮 Level Up Your Web Exploration

In under 200 characters of code, you now have a digital skeleton key to unlock the JavaScript architecture of any website. Take it for a spin on your favorite sites—you might be surprised at what you find lurking beneath the surface.

Happy hacking! 💻✨
