playbooks

home / skills / transilienceai / communitytools / javascript_dom_analysis

javascript_dom_analysis skill

/projects/techstack_identification/.claude/skills/javascript_dom_analysis

This skill detects frontend frameworks by analyzing global variables, DOM attributes, bundle patterns, and source maps to reveal technologies.

npx playbooks add skill transilienceai/communitytools --skill javascript_dom_analysis

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
7.8 KB
---
name: javascript-dom-analysis
description: Detects frontend frameworks via global variables, DOM attributes, and bundle patterns
tools: Bash, WebFetch
model: inherit
hooks:
  PreToolUse:
    - matcher: "WebFetch"
      hooks:
        - type: command
          command: "../../../hooks/skills/pre_network_skill_hook.sh"
        - type: command
          command: "../../../hooks/skills/pre_rate_limit_hook.sh"
  PostToolUse:
    - matcher: "WebFetch"
      hooks:
        - type: command
          command: "../../../hooks/skills/post_evidence_capture_hook.sh"
---

# JavaScript/DOM Analysis Skill

## Purpose

Detect frontend frameworks and libraries by analyzing JavaScript global variables, DOM attributes, bundle patterns, and source maps.

## Operations

### 1. detect_framework_globals

Check for framework-specific global variables in page context.

**Global Variable Patterns:**
```json
{
  "React": {
    "globals": ["window.React", "window.ReactDOM", "__REACT_DEVTOOLS_GLOBAL_HOOK__"],
    "confidence": 90,
    "category": "JavaScript Framework"
  },
  "Vue.js": {
    "globals": ["window.Vue", "window.__VUE__", "__VUE_DEVTOOLS_GLOBAL_HOOK__"],
    "confidence": 90,
    "category": "JavaScript Framework"
  },
  "Angular": {
    "globals": ["window.getAllAngularRootElements", "window.ng?.coreTokens", "window.ng?.probe"],
    "confidence": 90,
    "category": "JavaScript Framework"
  },
  "Next.js": {
    "globals": ["__NEXT_DATA__", "__NEXT_LOADED_PAGES__", "next/router"],
    "confidence": 95,
    "implies": ["React", "Node.js"],
    "category": "Meta-Framework"
  },
  "Nuxt": {
    "globals": ["window.__NUXT__", "window.$nuxt"],
    "confidence": 95,
    "implies": ["Vue.js", "Node.js"],
    "category": "Meta-Framework"
  },
  "Gatsby": {
    "globals": ["window.___gatsby", "window.___emitter"],
    "confidence": 95,
    "implies": ["React"],
    "category": "Static Site Generator"
  },
  "Svelte": {
    "globals": ["window.__svelte"],
    "confidence": 90,
    "category": "JavaScript Framework"
  },
  "jQuery": {
    "globals": ["window.jQuery", "window.$"],
    "confidence": 85,
    "category": "JavaScript Library"
  },
  "Backbone.js": {
    "globals": ["window.Backbone"],
    "confidence": 90,
    "category": "JavaScript Framework"
  },
  "Ember.js": {
    "globals": ["window.Ember", "window.Em"],
    "confidence": 90,
    "category": "JavaScript Framework"
  },
  "Alpine.js": {
    "globals": ["window.Alpine"],
    "confidence": 90,
    "category": "JavaScript Framework"
  }
}
```

### 2. analyze_dom_attributes

Find framework-specific DOM attributes.

**DOM Attribute Patterns:**
```json
{
  "data-reactroot": {"tech": "React", "confidence": 90},
  "data-reactid": {"tech": "React (legacy)", "confidence": 85},
  "data-react-checksum": {"tech": "React (server-rendered)", "confidence": 90},
  "data-v-": {"tech": "Vue.js (scoped CSS)", "confidence": 90, "note": "Vue SFC"},
  "ng-version": {"tech": "Angular", "confidence": 95, "extract_version": true},
  "ng-app": {"tech": "AngularJS", "confidence": 90},
  "ng-controller": {"tech": "AngularJS", "confidence": 90},
  "_ngcontent-": {"tech": "Angular", "confidence": 90},
  "_nghost-": {"tech": "Angular", "confidence": 90},
  "data-svelte-h": {"tech": "Svelte", "confidence": 90},
  "x-data": {"tech": "Alpine.js", "confidence": 90},
  "x-init": {"tech": "Alpine.js", "confidence": 85},
  "data-ember-action": {"tech": "Ember.js", "confidence": 90},
  "data-turbo": {"tech": "Hotwire/Turbo", "confidence": 90},
  "data-stimulus-controller": {"tech": "Stimulus", "confidence": 90}
}
```

### 3. fingerprint_bundles

Analyze JavaScript file naming patterns and paths.

**Bundle Pattern Detection:**
```json
{
  "/_next/static/": {"tech": "Next.js", "confidence": 95},
  "/_nuxt/": {"tech": "Nuxt.js", "confidence": 95},
  "/static/js/main.": {"tech": "Create React App", "confidence": 85},
  "/static/js/[0-9]+.": {"tech": "Webpack (chunked)", "confidence": 70},
  "/build/": {"tech": "Generic build tool", "confidence": 50},
  "/dist/": {"tech": "Generic bundler", "confidence": 50},
  "/assets/": {"tech": "Rails/Generic", "confidence": 40},
  "/bundle.js": {"tech": "Webpack", "confidence": 60},
  "/vendor.js": {"tech": "Webpack (vendor chunk)", "confidence": 60},
  ".chunk.js": {"tech": "Code splitting", "confidence": 70},
  "/wp-content/": {"tech": "WordPress", "confidence": 95},
  "/wp-includes/": {"tech": "WordPress", "confidence": 95}
}
```

**Version Extraction:**
```
Next.js: /_next/static/chunks/main-[hash].js → Version in __NEXT_DATA__
React: Detect version from React DevTools hook or package
Angular: Extract from ng-version attribute
```

### 4. check_source_maps

Test for exposed source map files.

**Process:**
1. For each JavaScript file found
2. Check for `.map` suffix or `sourceMappingURL` comment
3. If accessible, note as security finding
4. Extract original file names if available

**Source Map URLs:**
```
{script}.js.map
{script}.min.js.map
sourceMappingURL={url}
```

### 5. detect_analytics

Find analytics and tracking libraries.

**Analytics Global Patterns:**
```json
{
  "Google Analytics": {
    "globals": ["gtag", "ga", "dataLayer", "_gaq"],
    "scripts": ["google-analytics.com", "googletagmanager.com"],
    "confidence": 95
  },
  "Facebook Pixel": {
    "globals": ["fbq", "_fbq"],
    "scripts": ["connect.facebook.net/en_US/fbevents.js"],
    "confidence": 95
  },
  "Mixpanel": {
    "globals": ["mixpanel"],
    "scripts": ["cdn.mxpnl.com", "mixpanel.com"],
    "confidence": 95
  },
  "Segment": {
    "globals": ["analytics"],
    "scripts": ["cdn.segment.com", "segment.io"],
    "confidence": 90
  },
  "Amplitude": {
    "globals": ["amplitude"],
    "scripts": ["cdn.amplitude.com"],
    "confidence": 95
  },
  "Heap": {
    "globals": ["heap"],
    "scripts": ["heap-analytics.com", "heapanalytics.com"],
    "confidence": 95
  },
  "Hotjar": {
    "globals": ["hj", "hjSiteSettings"],
    "scripts": ["static.hotjar.com"],
    "confidence": 95
  },
  "FullStory": {
    "globals": ["FS", "_fs_namespace"],
    "scripts": ["fullstory.com"],
    "confidence": 95
  }
}
```

## Output

```json
{
  "skill": "javascript_dom_analysis",
  "domain": "string",
  "results": {
    "pages_analyzed": "number",
    "frameworks_detected": [
      {
        "name": "React",
        "version": "18.2.0 (if detectable)",
        "category": "JavaScript Framework",
        "detection_method": "global_variable",
        "signal": "window.React detected",
        "confidence": 90
      }
    ],
    "dom_signals": [
      {
        "attribute": "data-reactroot",
        "element": "div#root",
        "tech": "React",
        "page": "https://example.com"
      }
    ],
    "bundle_analysis": {
      "bundler": "Webpack",
      "code_splitting": true,
      "meta_framework": "Next.js",
      "paths_found": ["/_next/static/chunks/"]
    },
    "source_maps": {
      "exposed": "boolean",
      "urls": ["array if exposed"],
      "security_note": "Source maps expose original source code"
    },
    "analytics_detected": [
      {
        "name": "Google Analytics",
        "detection_method": "script_url",
        "confidence": 95
      }
    ],
    "third_party_scripts": [
      {
        "domain": "string",
        "purpose": "analytics|ads|widgets|cdn"
      }
    ]
  },
  "evidence": [
    {
      "type": "js_global",
      "url": "string",
      "global": "string",
      "timestamp": "ISO-8601"
    },
    {
      "type": "dom_attribute",
      "url": "string",
      "attribute": "string",
      "element": "string"
    }
  ]
}
```

## Rate Limiting

- Page fetches: 10/minute
- JavaScript analysis: No limit (client-side)

## Error Handling

- JavaScript errors don't block analysis
- Continue with DOM analysis if JS detection fails
- Log parsing errors for debugging

## Security Considerations

- Only fetch and analyze public pages
- Do not execute fetched JavaScript
- Note source map exposure as security finding
- Log all fetches for audit

Overview

This skill detects frontend frameworks, libraries, analytics, and bundling patterns by inspecting page globals, DOM attributes, script paths, and source map references. It produces actionable signals (framework name, confidence, detection method) and highlights security-relevant findings such as exposed source maps. The output is designed for penetration testing, bug bounty triage, and security research workflows.

How this skill works

The skill runs a set of detectors against a page: it queries known global JavaScript variables, scans DOM attributes for framework markers, fingerprints JavaScript bundle paths and filenames, and checks scripts for sourceMappingURL references. It also identifies common analytics and tracking libraries by globals and script hosts. Results combine multiple signals with confidence scores and optional version extraction when available.

When to use it

  • Reconnaissance during web application pentests or bug bounty assessments
  • Rapid technology inventory for a target domain or set of pages
  • Detecting exposed source maps that may leak original source code
  • Verifying presence of analytics and tracking libraries for privacy/security reviews
  • Prioritizing attack surface based on frameworks and bundlers in use

Best practices

  • Only analyze publicly accessible pages and respect robots.txt and rate limits
  • Combine globals, DOM attributes, and bundle patterns to increase confidence
  • Treat source map access as a sensitive security finding and document URLs
  • Log detector errors and continue with remaining checks to maximize coverage
  • Avoid executing fetched JavaScript; use static inspection of scripts and HTML

Example use cases

  • Detect React/Next.js on a target to focus SSR/SSR hydration checks and known CVEs
  • Find ng-version or _ngcontent- attributes to quickly identify Angular apps and extract versions
  • Locate /_next/static/ paths and source maps to recover original file names for threat modeling
  • Identify analytics vendors (Google Analytics, Mixpanel, Hotjar) for privacy assessments
  • Flag exposed .map files as high-priority findings in a bug bounty report

FAQ

Can this detect framework versions?

Yes when available: ng-version attributes, Next.js __NEXT_DATA__, or devtools hooks may yield versions; otherwise the skill reports best-effort or empty.

Does it execute page JavaScript?

No. The analysis relies on static inspection of globals, DOM attributes, script URLs, and sourceMappingURL comments without executing fetched scripts.