Source: cirosantilli/cia-2010-covert-communication-websites/js-cdx-scanning

= JS CDX scanning

JAR, SWF and CGI-bin scanning by path only is fine, since there are relatively few of those. But .js scanning by path only is too broad.

One option would be to filter out by size, an information that is contained on the CDX. Let's check typical ones:
``
grep -f <(jq -r '.[]|select(select(.comms)|.comms|test("\\.js"))|.host' ../media/cia-2010-covert-communication-websites/hits.json) out | out.jshits.cdx
sort -n -k7 out.jshits.cdx
``
Ignoring some obvious unrelated non-comms files visually we get a range of about 2732 to 3632:
``
net,hollywoodscreen)/current.js 20110106082232 http://hollywoodscreen.net/current.js text/javascript 200 XY5NHVW7UMFS3WSKPXLOQ5DJA34POXMV 2732
com,amishkanews)/amishkanewss.js 20110208032713 http://amishkanews.com/amishkanewss.js text/javascript 200 S5ZWJ53JFSLUSJVXBBA3NBJXNYLNCI4E 3632
``
This ignores the obviously atypical <JavaScript with SHAs> from iranfootballsource, and the particularly small old menu.js from cutabovenews.com, which we embed into \a[cia-2010-covert-communication-websites/cdx-post-js.sh].

The size helps a bit, but it's not insanely good unfortunately, only about 3x, these are some common JS sizes right there!