SecuriScan - Web Security Analyzer

Lightweight security scanner that analyzes websites for common vulnerabilities, trackers, and security misconfigurations

SecuriScan is a powerful Chrome extension that performs comprehensive passive security analysis on any website. Built for developers, security professionals, and anyone who wants quick security insights without setting up complex tools like Burp Suite or OWASP ZAP. 🆕 𝗪𝗛𝗔𝗧'𝗦 𝗡𝗘𝗪 𝗜𝗡 𝗩𝟭.𝟰.𝟬 • 🛡 OWASP Top 10 view — maps every finding to the OWASP Top 10 (2021) with PASS/WARN/FAIL badges • 🤖 AI Explain & Fix — one-click explanations and copy-paste code fixes for every vulnerability found • 📊 Side Panel mode — persistent scanning panel that stays open alongside your browsing (Alt+Shift+P) • 🔢 Toolbar badge — live issue count on the extension icon, colour-coded by severity • 📡 Network security scan — detects insecure WebSockets (ws://), WebRTC IP leakage, unsafe postMessage usage, hardcoded private IPs, and dynamic script injection • ⚙ SARIF 2.1.0 export — export results in industry-standard SARIF format for CI/CD pipeline integration • ⌨ Keyboard shortcuts — Alt+Shift+S to scan, Alt+Shift+P to open the side panel • 🖱 Right-click context menu — scan any page directly from the right-click menu • ⚙ Settings tab — toggle auto-scan (opt-in, off by default), desktop notifications, and badge display • 📈 Score sparklines — visual score history chart per domain in the History tab 🆕 𝗪𝗛𝗔𝗧'𝗦 𝗡𝗘𝗪 𝗜𝗡 𝗩𝟭.𝟯.𝟬 • 👁 Privacy tracker detection — flags 18 third-party trackers including Meta Pixel, TikTok, Hotjar, FullStory, and more • 💾 Browser storage audit — scans localStorage and sessionStorage for exposed tokens, keys, and PII • 📈 Scan history & score trends — tracks your last 10 scans per domain and shows ↑/↓ trend on every result • 📄 JSON export — export results as machine-readable JSON alongside the existing HTML report 🔍 𝗪𝗛𝗔𝗧 𝗜𝗧 𝗗𝗢𝗘𝗦 When you click scan, SecuriScan analyzes the current page for security misconfigurations and vulnerabilities across 13 categories: 🔒 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗛𝗲𝗮𝗱𝗲𝗿𝘀 (𝟭𝟬 𝗰𝗵𝗲𝗰𝗸𝘀) • Content-Security-Policy (CSP) • Strict-Transport-Security (HSTS) • X-Frame-Options • X-Content-Type-Options • Referrer-Policy • Permissions-Policy • Cross-Origin-Opener-Policy • Cross-Origin-Resource-Policy • Cross-Origin-Embedder-Policy • X-XSS-Protection 🍪 𝗖𝗼𝗼𝗸𝗶𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 • HttpOnly and Secure flag validation • Session token exposure detection • Sensitive cookie pattern matching • SameSite attribute guidance 📚 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗹𝗲 𝗝𝗮𝘃𝗮𝗦𝗰𝗿𝗶𝗽𝘁 𝗟𝗶𝗯𝗿𝗮𝗿𝗶𝗲𝘀 (𝟯𝟱+ 𝗹𝗶𝗯𝗿𝗮𝗿𝗶𝗲𝘀) 🔴 Critical Severity: • Handlebars < 4.7.7 (arbitrary code execution) • Socket.IO < 4.4.1 (CORS bypass) • Minimist < 1.2.6 (prototype pollution) • EJS < 3.1.7 (template injection) 🟠 High Severity: • jQuery < 3.5.0 (CVE-2020-11022, CVE-2020-11023) • AngularJS < 1.8.3 (CVE-2023-26116) • Lodash < 4.17.21 (CVE-2021-23337, CVE-2020-28500) • React < 16.14.0 (CVE-2021-23648) • Vue.js < 2.6.14 (CVE-2021-3766) • Marked < 4.0.10 (ReDoS and XSS) • DOMPurify < 2.3.10 (XSS bypass) • Express < 4.17.3 (open redirect) • Webpack < 5.76.0 (cross-realm access) • Underscore < 1.13.0 (code execution) • Next.js < 12.3.2 (open redirect) • Nuxt.js < 2.15.7 (directory traversal) • Pug < 3.0.1 (code injection) 🟡 Medium Severity: • Bootstrap < 4.3.1 (CVE-2019-8331) • Moment.js < 2.29.4 (CVE-2022-31129) • Axios < 0.21.3 (SSRF) • D3.js, Chart.js, DataTables, and more 🔐 𝗦𝗲𝗻𝘀𝗶𝘁𝗶𝘃𝗲 𝗗𝗮𝘁𝗮 𝗘𝘅𝗽𝗼𝘀𝘂𝗿𝗲 (𝟮𝟱+ 𝗽𝗮𝘁𝘁𝗲𝗿𝗻𝘀) 🗝 API Keys & Tokens: • AWS Access/Secret Keys • Google API Keys & OAuth • GitHub Personal Access Tokens • Stripe API Keys (live & test) • Slack Tokens • Twilio, SendGrid, Mailgun API Keys • PayPal Braintree Tokens • Square OAuth Secrets • Shopify Access Tokens & Shared Secrets • Generic API key patterns 🔑 Credentials & Secrets: • Private Keys (RSA, SSH, EC, PGP, OpenSSH) • Database Connection Strings (MongoDB, MySQL, PostgreSQL) • JWT Tokens • Passwords in source code • Firebase URLs 🪪 PII: • Credit Card Patterns • Social Security Numbers • Email Addresses (filtered for false positives) 👁 𝗣𝗿𝗶𝘃𝗮𝗰𝘆 𝗧𝗿𝗮𝗰𝗸𝗲𝗿𝘀 Detects 18 third-party tracking scripts that collect and share your users' behavioral data: • 🎥 Session recorders: Hotjar, FullStory, Mouseflow, Crazy Egg • 📢 Ad pixels: Meta/Facebook, TikTok, Twitter/X, LinkedIn Insight • 📊 Analytics: Google Analytics, Google Tag Manager, Mixpanel, Amplitude, Heap, Clarity • 💬 CRM: HubSpot, Intercom, Pardot, Segment Each tracker is rated by severity — session recorders (high) vs. analytics-only (medium) — so you know which ones are most invasive. 💾 𝗕𝗿𝗼𝘄𝘀𝗲𝗿 𝗦𝘁𝗼𝗿𝗮𝗴𝗲 𝗔𝘂𝗱𝗶𝘁 Scans localStorage and sessionStorage for sensitive data that XSS could steal: • Auth tokens, JWT, session IDs stored under sensitive key names • API keys, AWS credentials, private keys in stored values • Credit card numbers and SSNs • Flags risky storage patterns and recommends HttpOnly cookies instead 📡 𝗡𝗲𝘁𝘄𝗼𝗿𝗸 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 (𝗡𝗘𝗪 𝗶𝗻 𝘃𝟭.𝟰.𝟬) Passively inspects inline scripts for risky network patterns: • Insecure WebSocket connections using ws:// instead of wss:// • WebRTC usage that can leak real IP addresses through VPNs • postMessage() calls without event.origin validation • Hardcoded private/internal IP addresses (192.168.x, 10.x, 127.0.0.1) • Dynamic <script> element injection • Hardcoded cross-origin fetch endpoints ⚠️ 𝗖𝗼𝗺𝗺𝗼𝗻 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝗶𝗲𝘀 • Mixed content detection (HTTP resources on HTTPS pages) • Forms submitting over insecure connections • Missing CSRF token detection • Password fields on non-HTTPS pages • Credit card/SSN fields without HTTPS • Inline event handlers (onclick, onload, etc.) • JavaScript URLs and data: URLs • eval() and dangerous DOM manipulation • Exposed API keys and credentials in source 🛡 𝗔𝗱𝗱𝗶𝘁𝗶𝗼𝗻𝗮𝗹 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗖𝗵𝗲𝗰𝗸𝘀 • Subresource Integrity (SRI) validation for CDN resources • CORS configuration analysis • Enhanced XSS detection with 10+ event handler types • srcdoc attribute usage in iframes • URL manipulation pattern detection ⚙️ 𝗛𝗢𝗪 𝗜𝗧 𝗪𝗢𝗥𝗞𝗦 All analysis runs locally in your browser. SecuriScan inspects the DOM, checks response headers via fetch, and pattern-matches against a comprehensive vulnerability database with CVE tracking. No data leaves your machine. Results are presented with a 0–100 security score using severity-based weighting (Critical/High/Medium/Low). A trend indicator (↑/↓/→) shows how the score changed since your last scan of that domain. The OWASP tab maps every finding to the OWASP Top 10 (2021) so you can communicate risk in a language your team understands. Click any category to see specific findings with remediation guidance and CVE references. Every vulnerability includes a 🤖 Explain & Fix button with a plain-English explanation and a copy-paste code fix. Export as a formatted HTML report, machine-readable JSON, or SARIF 2.1.0 for CI/CD pipelines and client deliverables. 👥 𝗪𝗛𝗢 𝗜𝗧'𝗦 𝗙𝗢𝗥 • 👨‍💻 Frontend developers checking sites before deployment • 🔍 Security engineers doing quick reconnaissance • 🚀 DevOps teams validating production configurations • 🎯 Penetration testers performing initial assessments • 💼 Freelancers auditing client websites • 🎓 Students learning web security fundamentals • 🌐 Anyone concerned about website security 🔧 𝗧𝗘𝗖𝗛𝗡𝗜𝗖𝗔𝗟 𝗗𝗘𝗧𝗔𝗜𝗟𝗦 Built on Manifest V3 with minimal permissions: • activeTab — access current page when you click scan • scripting — inject analysis code into the page • storage — cache scan results and history locally • tabs — read current tab URL for history tracking • sidePanel — enable the persistent side panel (v1.4.0) • contextMenus — add right-click scan option (v1.4.0) • notifications — optional alerts for critical findings (v1.4.0, opt-in) ✨ New in v1.4.0: • OWASP Top 10 (2021) compliance view • AI-powered Explain & Fix for every finding • Persistent side panel mode • Toolbar badge with live issue count • Network & API security scanning • SARIF 2.1.0 export • Keyboard shortcuts (Alt+Shift+S / Alt+Shift+P) • Right-click context menu integration • Configurable auto-scan (opt-in, off by default) • Settings tab with notification and badge controls No telemetry. No external API calls. The entire codebase is open source if you want to audit it or contribute. 🚫 𝗟𝗜𝗠𝗜𝗧𝗔𝗧𝗜𝗢𝗡𝗦 This is a passive scanner, not a penetration testing tool. It cannot: • Test for server-side vulnerabilities (SQLi, SSRF, RCE, etc.) • Intercept or modify HTTP traffic • Perform authenticated scanning • Detect all possible security issues • Replace a proper security audit by professionals Think of it as a comprehensive health check and reconnaissance tool, not a replacement for professional security testing. 🕵️ 𝗣𝗥𝗜𝗩𝗔𝗖𝗬 Zero data collection. No analytics. No tracking. No external servers. Everything stays on your device. Built by developers, for developers. No fluff, just useful security insights with real CVE tracking, OWASP mapping, and actionable remediation guidance.