SecuriScan - Web Security Analyzer

Lightweight security scanner that analyzes websites for common vulnerabilities and security misconfigurations

SecuriScan is a lightweight Chrome extension that performs passive security analysis on any website. Built for developers who want quick security insights without setting up complex tools like Burp Suite or OWASP ZAP. 𝗪𝗛𝗔𝗧 𝗜𝗧 𝗗𝗢𝗘𝗦 When you click scan, SecuriScan analyzes the current page for common security misconfigurations: 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗛𝗲𝗮𝗱𝗲𝗿𝘀 • Content-Security-Policy (CSP) • Strict-Transport-Security (HSTS) • X-Frame-Options • X-Content-Type-Options • Referrer-Policy • Permissions-Policy 𝗖𝗼𝗼𝗸𝗶𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 • HttpOnly and Secure flag validation • Session token exposure detection • SameSite attribute checking 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗹𝗲 𝗝𝗮𝘃𝗮𝗦𝗰𝗿𝗶𝗽𝘁 𝗟𝗶𝗯𝗿𝗮𝗿𝗶𝗲𝘀 • jQuery < 3.5.0 (CVE-2020-11022, CVE-2020-11023) • AngularJS < 1.8.0 (CVE-2022-25869) • Lodash < 4.17.21 (CVE-2021-23337) • Bootstrap < 4.3.1 (CVE-2019-8331) • Moment.js < 2.29.4 (CVE-2022-31129) 𝗖𝗼𝗺𝗺𝗼𝗻 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝗶𝗲𝘀 • Mixed content (HTTP resources on HTTPS pages) • Forms submitting over insecure connections • Missing CSRF tokens • Inline event handlers and eval() usage • Exposed API keys, AWS credentials, JWT tokens in source 𝗛𝗢𝗪 𝗜𝗧 𝗪𝗢𝗥𝗞𝗦 All analysis runs locally in your browser. SecuriScan inspects the DOM, checks response headers via fetch, and pattern-matches against known vulnerability signatures. No data leaves your machine. Results are presented with a 0-100 security score, broken down by category. Click any category to see specific findings with remediation guidance. Export everything as a formatted HTML report for documentation or client deliverables. 𝗪𝗛𝗢 𝗜𝗧'𝗦 𝗙𝗢𝗥 • Frontend developers checking sites before deployment • Security engineers doing quick recon • DevOps teams validating production configurations • Freelancers auditing client websites • Students learning web security fundamentals 𝗧𝗘𝗖𝗛𝗡𝗜𝗖𝗔𝗟 𝗗𝗘𝗧𝗔𝗜𝗟𝗦 Built on Manifest V3 with minimal permissions: • activeTab - access current page when you click scan • scripting - inject analysis code • storage - cache last scan result locally No background processes. No external API calls. No telemetry. The entire codebase is open source on GitHub if you want to audit it or contribute. 𝗟𝗜𝗠𝗜𝗧𝗔𝗧𝗜𝗢𝗡𝗦 This is a passive scanner, not a penetration testing tool. It cannot: • Test for server-side vulnerabilities (SQLi, SSRF, etc.) • Intercept or modify HTTP traffic • Perform authenticated scanning • Replace a proper security audit Think of it as a quick health check, not a comprehensive security assessment. 𝗣𝗥𝗜𝗩𝗔𝗖𝗬 Zero data collection. No analytics. No tracking. Everything stays on your device. Check the source code yourself - it's all on GitHub. 𝗢𝗣𝗘𝗡 𝗦𝗢𝗨𝗥𝗖𝗘 MIT licensed. PRs welcome. Found a bug or want to add detection for another vulnerable library? Open an issue or submit a pull request. GitHub: https://github.com/ashishjsharda/securiscan Built by developers, for developers. No fluff, just useful security insights.