SecuriScan - Web Security Analyzer

Lightweight security scanner that analyzes websites for common vulnerabilities and security misconfigurations

SecuriScan is a powerful Chrome extension that performs comprehensive passive security analysis on any website. Built for developers, security professionals, and anyone who wants quick security insights without setting up complex tools like Burp Suite or OWASP ZAP. 🆕 𝗪𝗛𝗔𝗧'𝗦 𝗡𝗘𝗪 𝗜𝗡 𝗩𝟭.𝟯.𝟬 • 👁 Privacy tracker detection — flags 18 third-party trackers including Meta Pixel, TikTok, Hotjar, FullStory, and more • 💾 Browser storage audit — scans localStorage and sessionStorage for exposed tokens, keys, and PII • 📈 Scan history & score trends — tracks your last 10 scans per domain and shows ↑/↓ trend on every result • 📄 JSON export — export results as machine-readable JSON alongside the existing HTML report 🔍 𝗪𝗛𝗔𝗧 𝗜𝗧 𝗗𝗢𝗘𝗦 When you click scan, SecuriScan analyzes the current page for security misconfigurations and vulnerabilities across 12 categories: 🔒 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗛𝗲𝗮𝗱𝗲𝗿𝘀 (𝟭𝟬 𝗰𝗵𝗲𝗰𝗸𝘀) • Content-Security-Policy (CSP) • Strict-Transport-Security (HSTS) • X-Frame-Options • X-Content-Type-Options • Referrer-Policy • Permissions-Policy • Cross-Origin-Opener-Policy • Cross-Origin-Resource-Policy • Cross-Origin-Embedder-Policy • X-XSS-Protection 🍪 𝗖𝗼𝗼𝗸𝗶𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 • HttpOnly and Secure flag validation • Session token exposure detection • Sensitive cookie pattern matching • SameSite attribute guidance 📚 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗹𝗲 𝗝𝗮𝘃𝗮𝗦𝗰𝗿𝗶𝗽𝘁 𝗟𝗶𝗯𝗿𝗮𝗿𝗶𝗲𝘀 (𝟯𝟱+ 𝗹𝗶𝗯𝗿𝗮𝗿𝗶𝗲𝘀) 🔴 Critical Severity: • Handlebars < 4.7.7 (arbitrary code execution) • Socket.IO < 4.4.1 (CORS bypass) • Minimist < 1.2.6 (prototype pollution) • EJS < 3.1.7 (template injection) 🟠 High Severity: • jQuery < 3.5.0 (CVE-2020-11022, CVE-2020-11023) • AngularJS < 1.8.3 (CVE-2023-26116) • Lodash < 4.17.21 (CVE-2021-23337, CVE-2020-28500) • React < 16.14.0 (CVE-2021-23648) • Vue.js < 2.6.14 (CVE-2021-3766) • Marked < 4.0.10 (ReDoS and XSS) • DOMPurify < 2.3.10 (XSS bypass) • Express < 4.17.3 (open redirect) • Webpack < 5.76.0 (cross-realm access) • Underscore < 1.13.0 (code execution) • Next.js < 12.3.2 (open redirect) • Nuxt.js < 2.15.7 (directory traversal) • Pug < 3.0.1 (code injection) 🟡 Medium Severity: • Bootstrap < 4.3.1 (CVE-2019-8331) • Moment.js < 2.29.4 (CVE-2022-31129) • Axios < 0.21.3 (SSRF) • D3.js, Chart.js, DataTables, and more 🔐 𝗦𝗲𝗻𝘀𝗶𝘁𝗶𝘃𝗲 𝗗𝗮𝘁𝗮 𝗘𝘅𝗽𝗼𝘀𝘂𝗿𝗲 (𝟮𝟱+ 𝗽𝗮𝘁𝘁𝗲𝗿𝗻𝘀) 🗝 API Keys & Tokens: • AWS Access/Secret Keys • Google API Keys & OAuth • GitHub Personal Access Tokens • Stripe API Keys (live & test) • Slack Tokens • Twilio, SendGrid, Mailgun API Keys • PayPal Braintree Tokens • Square OAuth Secrets • Shopify Access Tokens & Shared Secrets • Generic API key patterns 🔑 Credentials & Secrets: • Private Keys (RSA, SSH, EC, PGP, OpenSSH) • Database Connection Strings (MongoDB, MySQL, PostgreSQL) • JWT Tokens • Passwords in source code • Firebase URLs 🪪 PII: • Credit Card Patterns • Social Security Numbers • Email Addresses (filtered for false positives) 👁 𝗣𝗿𝗶𝘃𝗮𝗰𝘆 𝗧𝗿𝗮𝗰𝗸𝗲𝗿𝘀 (𝗡𝗘𝗪) Detects 18 third-party tracking scripts that collect and share your users' behavioral data: • 🎥 Session recorders: Hotjar, FullStory, Mouseflow, Crazy Egg • 📢 Ad pixels: Meta/Facebook, TikTok, Twitter/X, LinkedIn Insight • 📊 Analytics: Google Analytics, Google Tag Manager, Mixpanel, Amplitude, Heap, Clarity • 💬 CRM: HubSpot, Intercom, Pardot, Segment Each tracker is rated by severity — session recorders (high) vs. analytics-only (medium) — so you know which ones are most invasive. 💾 𝗕𝗿𝗼𝘄𝘀𝗲𝗿 𝗦𝘁𝗼𝗿𝗮𝗴𝗲 𝗔𝘂𝗱𝗶𝘁 (𝗡𝗘𝗪) Scans localStorage and sessionStorage for sensitive data that XSS could steal: • Auth tokens, JWT, session IDs stored under sensitive key names • API keys, AWS credentials, private keys in stored values • Credit card numbers and SSNs • Flags risky storage patterns and recommends HttpOnly cookies instead ⚠️ 𝗖𝗼𝗺𝗺𝗼𝗻 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝗶𝗲𝘀 • Mixed content detection (HTTP resources on HTTPS pages) • Forms submitting over insecure connections • Missing CSRF token detection • Password fields on non-HTTPS pages • Credit card/SSN fields without HTTPS • Inline event handlers (onclick, onload, etc.) • JavaScript URLs and data: URLs • eval() and dangerous DOM manipulation • Exposed API keys and credentials in source 🛡 𝗔𝗱𝗱𝗶𝘁𝗶𝗼𝗻𝗮𝗹 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗖𝗵𝗲𝗰𝗸𝘀 • Subresource Integrity (SRI) validation for CDN resources • CORS configuration analysis • Enhanced XSS detection with 10+ event handler types • srcdoc attribute usage in iframes • URL manipulation pattern detection ⚙️ 𝗛𝗢𝗪 𝗜𝗧 𝗪𝗢𝗥𝗞𝗦 All analysis runs locally in your browser. SecuriScan inspects the DOM, checks response headers via fetch, and pattern-matches against a comprehensive vulnerability database with CVE tracking. No data leaves your machine. Results are presented with a 0-100 security score using severity-based weighting (Critical/High/Medium/Low). A trend indicator (↑/↓/→) shows how the score changed since your last scan of that domain. Click any category to see specific findings with remediation guidance and CVE references. Export as a formatted HTML report or machine-readable JSON for CI/CD pipelines and client deliverables. 👥 𝗪𝗛𝗢 𝗜𝗧'𝗦 𝗙𝗢𝗥 • 👨‍💻 Frontend developers checking sites before deployment • 🔍 Security engineers doing quick reconnaissance • 🚀 DevOps teams validating production configurations • 🎯 Penetration testers performing initial assessments • 💼 Freelancers auditing client websites • 🎓 Students learning web security fundamentals • 🌐 Anyone concerned about website security 🔧 𝗧𝗘𝗖𝗛𝗡𝗜𝗖𝗔𝗟 𝗗𝗘𝗧𝗔𝗜𝗟𝗦 Built on Manifest V3 with minimal permissions: • activeTab — access current page when you click scan • scripting — inject analysis code • storage — cache scan results and history locally ✨ New in v1.3.0: • Privacy tracker detection (18 trackers across 6 categories) • Browser storage security audit • Per-domain scan history with score trend tracking • JSON export for CI/CD and tooling integration No background processes. No external API calls. No telemetry. The entire codebase is open source on GitHub if you want to audit it or contribute. 🚫 𝗟𝗜𝗠𝗜𝗧𝗔𝗧𝗜𝗢𝗡𝗦 This is a passive scanner, not a penetration testing tool. It cannot: • Test for server-side vulnerabilities (SQLi, SSRF, RCE, etc.) • Intercept or modify HTTP traffic • Perform authenticated scanning • Detect all possible security issues • Replace a proper security audit by professionals Think of it as a comprehensive health check and reconnaissance tool, not a replacement for professional security testing. 🕵️ 𝗣𝗥𝗜𝗩𝗔𝗖𝗬 Zero data collection. No analytics. No tracking. No external servers. Everything stays on your device. Check the source code yourself — it's all on GitHub. 💻 𝗢𝗣𝗘𝗡 𝗦𝗢𝗨𝗥𝗖𝗘 MIT licensed. PRs welcome. Found a bug or want to add detection for another vulnerable library or tracker? The vulnerability database is modular and easy to extend. Open an issue or submit a pull request. GitHub: https://github.com/ashishjsharda/securiscan Built by developers, for developers. No fluff, just useful security insights with real CVE tracking and actionable remediation guidance.