Reversing/decompiling React or other JS apps

[chants]

So I know without jsx files and still having map files, there is an npm package

Quote:

https://www.npmjs.com/package/source-map

otherwise I know about the Chrome devtools Source tab.

Are there any good tools for a generic Javascript reversing workflow. I use the term decompile loosely here but with typescript and so many powerful and ubiquitous frameworks, this is starting to get interesting. Of course there are tools to unminify and reformat Javascript and the browser dev tools are helpful but it seems we haven't seen anything with a more automated and better level of sophistication. Which is really useful when looking for security vulnerabilities which are likely common place in modern web apps.

[NON]

Quote:

Originally Posted by chants

So I know without jsx files and still having map files, there is an npm package otherwise I know about the Chrome devtools Source tab.

Are there any good tools for a generic Javascript reversing workflow. I use the term decompile loosely here but with typescript and so many powerful and ubiquitous frameworks, this is starting to get interesting. Of course there are tools to unminify and reformat Javascript and the browser dev tools are helpful but it seems we haven't seen anything with a more automated and better level of sophistication. Which is really useful when looking for security vulnerabilities which are likely common place in modern web apps.

Tyro... To get you started...
JavaScript Reverse Engineering Toolkit (JSRETK)
https://github.com/SeanPesce/JSRETK

Web Application Reverse Engineering Practical Example
https://medium.com/@nenadborovanin/web-application-reverse-engineering-practical-example-e31836aab472

7 Tips for reverse engineering minified TypeScript/JavaScript
https://dev.to/jurooravec/7-tips-for-reverse-engineering-minified-typescript-javascript-4p64

[chants]

There is a Javascript VMP too:

Quote:

https://jsvmp.com/

though I've not seen much interesting work in this area for devirtualization. Protecting Javascript is difficult snd minifying just makes it harder to read and strips symbols, but doesn't actually solve the security issue.

I'm guessing ECMAScript standard might directly start addressing this at some point possibly even by adding an opcode variant of the language. This will regardless likely become a large reverse engineering area soon as HTML5 has become feature rich, countless advanced frameworks like HTMX and React, Flutter, others have come about. Cloud databases like firebase or mongoDB are everywhere, etc. Meanwhile traditional desktop apps are on the decline and many are moving to the web. All office productivity software is on the web now pretty much.

There is much reason to start thinking about this topic. This area has changed so much and do rapidly in the past 10 years, it's near impossible to keep up with it in detail.