jsdet — JavaScript Detonation Engine
Sandboxed JavaScript execution for security analysis.
What it does
Executes JavaScript in a QuickJS engine compiled to WebAssembly,
running inside wasmtime. Every API call is intercepted, observed,
and controllable. Nothing escapes.
How to use it
use Arc;
use ;
let module = new.unwrap;
let result = module.execute.unwrap;
for obs in &result.observations
Consumers
- Sear (URL detonation): uses
jsdet-browserbridges for document/window/fetch - Soleno (extension analysis): uses
jsdet-chrome-extbridges for chrome.* APIs - Your tool: implement the
Bridgetrait to provide any API surface
Architecture
┌─────────────────────────────────────────────┐
│ Your Rust application │
│ │
│ CompiledModule::execute(scripts, bridge) │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────┐ │
│ │ wasmtime instance │ │
│ │ ┌───────────────────────┐ │ │
│ │ │ QuickJS (WASM) │ │ │
│ │ │ │ │ │
│ │ │ JS calls fetch() ─────┼──────┼──► Bridge::call("fetch", args)
│ │ │ ◄────┼──────┼─── returns fake response
│ │ │ │ │ │
│ │ │ JS calls eval() ──────┼──────┼──► Observation::DynamicCodeExec
│ │ │ │ │ │
│ │ └───────────────────────┘ │ │
│ │ Linear memory: isolated │ │
│ │ Fuel metering: bounded │ │
│ │ Syscalls: zero │ │
│ └─────────────────────────────────┘ │
│ │
│ Vec<Observation> ← what the code DID │
└─────────────────────────────────────────────┘