Baseera Security Scanner
Overview
Passive web security scanner — detects XSS, SQL injection, leaked API keys, missing headers, and 24 more vulnerabilities.
Baseera is a passive web security scanner built into your browser. Click the extension icon on any page and within seconds you get a prioritized list of vulnerabilities, from cross-site scripting and SQL injection patterns to exposed API keys, missing security headers, weak Content Security Policies, insecure cookies, and many other classes of bug. No setup, no proxy configuration, no command-line tools. Just open the page and click Scan.

It is designed for developers who want a second opinion on their own sites, for security learners who want to understand what real vulnerabilities look like in the wild, and for everyone in between who wants to know whether a site they are about to trust with their data is doing the basics right.

Baseera ships with detection rules for over thirty vulnerability classes drawn from the OWASP Top 10, real-world bug bounty reports, and the Mozilla Observatory checklist. It detects cross-site scripting in its reflected, stored, and DOM-based forms, including inline event handlers, javascript: URIs, and eval or innerHTML code smells. It flags SQL injection patterns in URL parameters and form fields, cross-site request forgery on state-changing forms with missing tokens, and exposed API keys or secrets from common providers like AWS, Stripe, GitHub, and Slack, as well as JWTs. It checks cookies for missing Secure, HttpOnly, and SameSite flags, and audits security headers including Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin-Opener-Policy.

It also catches mixed content, CORS misconfigurations with wildcard origins, clickjacking risks, open redirects, DOM-based XSS sinks like document.write and innerHTML wired to URL fragments, insecure postMessage handlers, session tokens leaking in URLs, insecure WebSocket connections on HTTPS pages, sensitive files exposed like .env or .git, source map exposure in production builds, server banner version disclosure, vulnerable and outdated JavaScript libraries with known CVEs, forms posting passwords over HTTP, missing Subresource Integrity on third-party scripts, excessive third-party tracker count, cloud storage misconfigurations like public S3 buckets, exposed admin endpoints in client-side code, sensitive information left in HTML comments, debug pages and stack traces exposed in production, insecure client-side storage, authentication bypass patterns, directory traversal indicators, and pattern-based hints for LFI, RFI, SSRF, and RCE for further investigation.

Each finding includes the vulnerability name, severity rated Critical, High, Medium, or Low, a plain-English explanation of what it means, and a concrete fix recommendation.

Most browser security scanners either show you a paywall or send everything you scan back to a remote server. Baseera does neither. All detection runs entirely in your browser using your own page DOM and response headers. Nothing about the page you are scanning leaves your machine unless you choose to save the scan to your account.

Baseera is built for humans, not just for security professionals. Every finding has a short explanation written in normal language, and Baseera includes an integrated AI assistant that can answer follow-up questions like "What is CSRF?" or "How do I fix the missing CSP header?" in the same window. The AI is focused on web security topics and will not try to recommend a recipe or write you a love poem.

The risk scoring is honest.
Baseera weighs Critical findings at 25 points each, High at 15, Medium at 8, and Low at 3, capped at 100. No marketing-driven score without context. A Critical alone bumps you to 25. A single missing X-Content-Type-Options header does not tank your overall score the way some scanners pretend.

It is important to be honest about what a passive scanner can and cannot detect. Baseera does NOT fuzz inputs, brute-force endpoints, or send any actively malicious traffic. Everything is read-only. Baseera does NOT replace a full pentest, a SAST tool, or a dedicated DAST scanner like Burp Suite or OWASP ZAP. It catches the obvious, frequently shipped class of mistakes that often go unnoticed because nobody ran the basics. Baseera does NOT detect server-side bugs that are not visible from the client. SQL injection detection is pattern-based on URL parameters, so it can flag suspicious endpoints but cannot prove exploitability. Baseera will produce false positives. Every scanner does. Each finding is a hint to investigate, not a confirmed exploit.

Use Baseera on sites you own, sites you have written permission to test, public sites for educational research, or your own personal accounts to check the security posture of services you use. Do not use Baseera on systems where you do not have authorization. Passive scanning is legally lower-risk than active scanning, but legality varies by jurisdiction. When in doubt, get permission.

You can use Baseera entirely without signing in. Scan a page, see results, close the popup, done. Creating a free account at the Baseera web app unlocks persistent scan history across devices, branded PDF and HTML report export, per-vulnerability risk breakdown with charts, the AI security assistant with full multi-turn chat and conversation history, and profile preferences. Account creation is email and password with email verification. No social login, no third-party tracking embedded in the auth flow.

Baseera is built privacy-first.
Page content stays on your device. Detection runs locally in the extension. We do not send the DOM of pages you scan to any server unless you are logged in AND you click Save Scan, at which point the findings (not the original page source) are stored in your account. No advertising network requests. No third-party analytics SDKs. No fingerprinting. Your auth token, scan history, and Options-page settings are stored in chrome.storage.local on your device. They are not synced to your Google account. The only outbound network traffic Baseera makes by default is to its own backend at baseera-api.runasp.net for authenticated account features, and to the Baseera AI service at huggingface.co spaces when you ask the assistant a question. Full privacy policy is available at https://0xmarvul.github.io/Baseera/privacy-policy.html.

We ask for these permissions and only these, and each one is necessary for a specific feature. Host permission for all URLs is needed because the entire point of Baseera is to scan whatever site you have open, and the extension cannot know in advance which site you will want to scan, so it must be permitted to read any tab you visit. Reading only happens when you click the Scan button. The activeTab permission lets the extension look at the current tab's content only when you explicitly click the extension icon. The scripting permission is required to inject the detection code into the page you are scanning. The tabs permission lets the popup display the URL of the page being scanned. The storage permission stores your local Options settings, auth token if you sign in, and your scan history. We do NOT request webRequest, cookies, history, downloads, bookmarks, or any permission Baseera does not directly need.

Baseera is built by a small team that cares about web security education. We respond to feedback. If you find a false positive, a vulnerability we should detect but don't, or a bug in the extension itself, please open an issue at our GitHub repo linked from the web app, or send us a note through the Contact form at baseera-three.vercel.app/contact. If you are a security researcher and you find a vulnerability IN Baseera itself, we want to hear from you first before disclosure. Email 0xbaseera at gmail.

Baseera uses Manifest V3 service worker architecture with no deprecated background pages. Pure JavaScript, no remote code execution, no external script loading. All scanner logic is human-readable JavaScript in the extension package, open and inspectable. The scan itself works offline; only account features like history and AI chat require connectivity. Baseera is compatible with Chrome 108 and later, Edge, Brave, Opera, and other Chromium-based browsers.

Coming next: a per-vulnerability "Ask Baseera how to fix this" button that opens the AI assistant pre-prompted with the finding type, diff between scans of the same URL so you can see what changed since last time, the ability to mark findings as Resolved or False Positive that persists across re-scans, notifications when a Critical-severity finding is detected on a site, and custom rule sets for power users.

Web security is full of jargon and intimidation. Baseera tries to be the opposite, a friendly and honest tool that tells you what is actually wrong, why it matters, and how to fix it, in language you can read. If you build websites, run a small business with a customer-facing app, or just want to know whether the bank site you use is doing the basics right, Baseera is for you. Install it, click Scan on any site, and see what your web is hiding.
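The description above explains three of the passive checks in plain terms: auditing response headers (including a weak CSP), checking cookies for Secure, HttpOnly and SameSite, and rolling the findings into a 25/15/8/3 risk score capped at 100. The following is an added illustration of how such a read-only audit can be structured; it is not Baseera's own code. The severity assigned to each check, the fix wording, the `scan`/`auditHeaders`/`auditCookies`/`riskScore` function names, and the input shape (a plain object of lowercase header names plus an array of raw Set-Cookie values) are all assumptions made for the example, and the sample response is constructed, not captured from a real site.

```javascript
// Added example, not Baseera's own code: a passive header/cookie audit and the
// 25/15/8/3 risk score described in the listing. The severity of each check, the
// fix text, and the input shape are assumptions made for illustration.
const SEVERITY_POINTS = { Critical: 25, High: 15, Medium: 8, Low: 3 };
const SEVERITY_RANK = { Critical: 0, High: 1, Medium: 2, Low: 3 };

// Security headers the listing says are audited, with an assumed severity when absent.
const HEADER_CHECKS = [
  { header: 'content-security-policy', severity: 'High',
    fix: 'Send a Content-Security-Policy that avoids unsafe-inline and wildcard sources.' },
  { header: 'strict-transport-security', severity: 'Medium',
    fix: 'Send Strict-Transport-Security with a max-age of at least one year.' },
  { header: 'x-frame-options', severity: 'Medium',
    fix: 'Send X-Frame-Options: DENY or a CSP frame-ancestors directive.' },
  { header: 'x-content-type-options', severity: 'Low',
    fix: 'Send X-Content-Type-Options: nosniff.' },
  { header: 'referrer-policy', severity: 'Low',
    fix: 'Send Referrer-Policy: strict-origin-when-cross-origin or stricter.' },
  { header: 'permissions-policy', severity: 'Low',
    fix: 'Send a Permissions-Policy that disables features the page does not use.' },
  { header: 'cross-origin-opener-policy', severity: 'Low',
    fix: 'Send Cross-Origin-Opener-Policy: same-origin.' },
];

// headers: plain object keyed by lowercase header name (assumed input shape).
function auditHeaders(headers) {
  const findings = [];
  for (const check of HEADER_CHECKS) {
    if (!(check.header in headers)) {
      findings.push({
        name: `Missing ${check.header} header`, severity: check.severity,
        explanation: 'The browser cannot enforce this protection because the server never asked for it.',
        fix: check.fix,
      });
    }
  }
  // Weak CSP: present, but allows inline script or eval, which undoes its XSS mitigation.
  const csp = headers['content-security-policy'];
  if (csp && /'unsafe-inline'|'unsafe-eval'/i.test(csp)) {
    findings.push({
      name: 'Weak Content-Security-Policy', severity: 'Medium',
      explanation: 'unsafe-inline or unsafe-eval lets injected script run despite the policy.',
      fix: 'Move inline scripts to files and allow them with nonces or hashes instead.',
    });
  }
  return findings;
}

// setCookies: array of raw Set-Cookie values; isHttps: whether the page is served over TLS.
function auditCookies(setCookies, isHttps) {
  const findings = [];
  for (const raw of setCookies) {
    const [nameValue, ...attrs] = raw.split(';').map((s) => s.trim());
    const name = nameValue.split('=')[0];
    const lower = attrs.map((a) => a.toLowerCase());
    const has = (flag) => lower.some((a) => a === flag || a.startsWith(`${flag}=`));
    const add = (flag, severity, fix) => findings.push({
      name: `Cookie "${name}" missing ${flag}`, severity,
      explanation: `Without ${flag} the browser does not apply that protection to this cookie.`,
      fix,
    });
    // Secure is only meaningful on an HTTPS page; on plain HTTP it cannot be honoured anyway.
    if (isHttps && !has('secure')) add('Secure', 'Medium', 'Add Secure so the cookie is never sent over plain HTTP.');
    if (!has('httponly')) add('HttpOnly', 'Medium', 'Add HttpOnly so script injected by XSS cannot read the cookie.');
    if (!has('samesite')) add('SameSite', 'Low', 'Add SameSite=Lax or Strict to limit cross-site request forgery.');
  }
  return findings;
}

// Risk score exactly as the listing describes it: 25/15/8/3 per finding, capped at 100.
function riskScore(findings) {
  const total = findings.reduce((sum, f) => sum + SEVERITY_POINTS[f.severity], 0);
  return Math.min(100, total);
}

// One passive scan over a captured response: prioritised findings plus the score.
function scan(response) {
  const isHttps = new URL(response.url).protocol === 'https:';
  const findings = [
    ...auditHeaders(response.headers),
    ...auditCookies(response.setCookie, isHttps),
  ].sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
  return { findings, score: riskScore(findings) };
}

// Constructed sample response (not a real site): HTTPS page, inline-script CSP, two cookies.
const SAMPLE_RESPONSE = {
  url: 'https://example.test/login',
  headers: {
    'content-type': 'text/html; charset=utf-8',
    'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
    'x-content-type-options': 'nosniff',
  },
  setCookie: [
    'session=abc123; Path=/; HttpOnly',
    'prefs=dark; Path=/; Secure; SameSite=Lax',
  ],
};

const result = scan(SAMPLE_RESPONSE);
for (const f of result.findings) console.log(`[${f.severity}] ${f.name} -> ${f.fix}`);
console.log(`Risk score: ${result.score}/100`); // 52 for the sample above
```

Running it on the constructed response yields nine findings (five missing headers, one weak CSP, three cookie attribute gaps) and a score of 52, which matches the listing's point about proportionality: a page with several medium and low issues but no Critical finding lands mid-scale rather than being "tanked" by one missing header. Note that everything here reads data the browser already has; nothing is sent to the site, which is the property the description calls passive.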
Details
- Version: 1.0.0
- Updated: June 10, 2026
- Offered by: Baseera
- Size: 61.1 KiB
- Languages: English
- Developer email: 0xbaseera@gmail.com
- Non-trader: This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.
Privacy
Baseera Security Scanner has disclosed the following information regarding the collection and usage of your data. More detailed information can be found in the developer's privacy policy.
Baseera Security Scanner handles the following:
This developer declares that your data is
- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes
Support
For help with questions, suggestions, or problems, visit the developer's support site