SecuriScan - Web Security Analyzer
Overview
Lightweight security scanner that analyzes websites for common vulnerabilities and security misconfigurations
SecuriScan is a powerful Chrome extension that performs comprehensive passive security analysis on any website. Built for developers, security professionals, and anyone who wants quick security insights without setting up complex tools like Burp Suite or OWASP ZAP.

WHAT'S NEW IN V1.2.0
• 6x more vulnerability coverage - now detects 35+ JavaScript libraries
• Enhanced sensitive data detection - 25+ patterns including cloud API keys
• New security checks: Subresource Integrity (SRI) and CORS validation
• Severity-based scoring system (Critical/High/Medium/Low)
• Dynamic vulnerability database for easy updates

WHAT IT DOES
When you click scan, SecuriScan analyzes the current page for security misconfigurations and vulnerabilities:

Security Headers (10 checks)
• Content-Security-Policy (CSP)
• Strict-Transport-Security (HSTS)
• X-Frame-Options
• X-Content-Type-Options
• Referrer-Policy
• Permissions-Policy
• Cross-Origin-Opener-Policy
• Cross-Origin-Resource-Policy
• Cross-Origin-Embedder-Policy
• X-XSS-Protection

Cookie Security
• HttpOnly and Secure flag validation
• Session token exposure detection
• Sensitive cookie pattern matching
• SameSite attribute guidance

Vulnerable JavaScript Libraries (35+ libraries)
Critical Severity:
• Handlebars < 4.7.7 (arbitrary code execution)
• Socket.IO < 4.4.1 (CORS bypass)
• Minimist < 1.2.6 (prototype pollution)
• EJS < 3.1.7 (template injection)
High Severity:
• jQuery < 3.5.0 (CVE-2020-11022, CVE-2020-11023)
• AngularJS < 1.8.3 (CVE-2023-26116)
• Lodash < 4.17.21 (CVE-2021-23337, CVE-2020-28500)
• React < 16.14.0 (CVE-2021-23648)
• Vue.js < 2.6.14 (CVE-2021-3766)
• Marked < 4.0.10 (ReDoS and XSS)
• DOMPurify < 2.3.10 (XSS bypass)
• Express < 4.17.3 (open redirect)
• Webpack < 5.76.0 (cross-realm access)
• Underscore < 1.13.0 (code execution)
• Next.js < 12.3.2 (open redirect)
• Nuxt.js < 2.15.7 (directory traversal)
• Pug < 3.0.1 (code injection)
Medium Severity:
• Bootstrap < 4.3.1 (CVE-2019-8331)
• Moment.js < 2.29.4 (CVE-2022-31129)
• Axios < 0.21.3 (SSRF)
• D3.js, Chart.js, DataTables, and more

Sensitive Data Exposure (25+ patterns)
API Keys & Tokens:
• AWS Access/Secret Keys
• Google API Keys & OAuth
• GitHub Personal Access Tokens
• Stripe API Keys (live & test)
• Slack Tokens
• Twilio, SendGrid, Mailgun API Keys
• PayPal Braintree Tokens
• Square OAuth Secrets
• Shopify Access Tokens & Shared Secrets
• Generic API key patterns
Credentials & Secrets:
• Private Keys (RSA, SSH, EC, PGP, OpenSSH)
• Database Connection Strings (MongoDB, MySQL, PostgreSQL)
• JWT Tokens
• Passwords in source code
• Firebase URLs
PII:
• Credit Card Patterns
• Social Security Numbers
• Email Addresses (filtered for false positives)

Common Vulnerabilities
• Mixed content detection (HTTP resources on HTTPS pages)
• Forms submitting over insecure connections
• Missing CSRF token detection
• Password fields on non-HTTPS pages
• Credit card/SSN fields without HTTPS
• Inline event handlers (onclick, onload, etc.)
• JavaScript URLs and data: URLs
• eval() and dangerous DOM manipulation
• Exposed API keys and credentials in source

New Security Checks
• Subresource Integrity (SRI) validation for CDN resources
• CORS configuration analysis
• Enhanced XSS detection with 10+ event handler types
• srcdoc attribute usage in iframes
• URL manipulation pattern detection

HOW IT WORKS
All analysis runs locally in your browser. SecuriScan inspects the DOM, checks response headers via fetch, and pattern-matches against a comprehensive vulnerability database with CVE tracking. No data leaves your machine. Results are presented with a 0-100 security score using severity-based weighting (Critical/High/Medium/Low). Click any category to see specific findings with remediation guidance and CVE references. Export everything as a beautifully formatted HTML report for documentation or client deliverables.
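The "Security Headers" category and the severity-weighted score described above can be illustrated with a small passive header analyzer. The following is an added example written for this page, not SecuriScan's own source: the ten header names come from the listing, but the thresholds, severities, penalty weights and scoring formula are this example's assumptions. The `scanCurrentPage` helper shows how a content script would obtain the headers with a same-origin fetch; it is not executed here.

```javascript
// Added example (not SecuriScan's code): passive security-header analysis
// with an assumed severity-weighted 0-100 score.

const ONE_YEAR = 31536000; // seconds; common HSTS max-age recommendation

// Assumed penalty weights: the score starts at 100 and loses weight per finding.
const WEIGHTS = { Critical: 25, High: 15, Medium: 8, Low: 3 };

// Each check receives the header value (or null when absent) and returns a
// finding string, or null when the header is acceptable.
const HEADER_CHECKS = [
  { name: 'content-security-policy', severity: 'High', check: v => {
      if (v === null) return 'missing';
      if (/'unsafe-inline'|'unsafe-eval'/.test(v)) return "allows 'unsafe-inline' or 'unsafe-eval'";
      return null;
  } },
  { name: 'strict-transport-security', severity: 'High', check: v => {
      if (v === null) return 'missing';
      const m = /max-age=(\d+)/i.exec(v);
      if (!m) return 'no max-age directive';
      if (Number(m[1]) < ONE_YEAR) return `max-age ${m[1]} is below one year`;
      return null;
  } },
  { name: 'x-frame-options', severity: 'Medium', check: v => {
      if (v === null) return 'missing';
      return /^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? null : `unexpected value "${v}"`;
  } },
  { name: 'x-content-type-options', severity: 'Medium', check: v =>
      v !== null && v.trim().toLowerCase() === 'nosniff' ? null : 'missing or not "nosniff"' },
  { name: 'referrer-policy', severity: 'Low', check: v => {
      if (v === null) return 'missing';
      return /unsafe-url|no-referrer-when-downgrade/i.test(v) ? 'leaks full URL cross-origin' : null;
  } },
  { name: 'permissions-policy', severity: 'Low', check: v => (v === null ? 'missing' : null) },
  { name: 'cross-origin-opener-policy', severity: 'Low', check: v => (v === null ? 'missing' : null) },
  { name: 'cross-origin-resource-policy', severity: 'Low', check: v => (v === null ? 'missing' : null) },
  { name: 'cross-origin-embedder-policy', severity: 'Low', check: v => (v === null ? 'missing' : null) },
  // X-XSS-Protection is a legacy header that modern browsers ignore; the usual
  // advice is to send "0" or omit it, so only a non-zero value is flagged.
  { name: 'x-xss-protection', severity: 'Low', check: v =>
      v !== null && v.trim() !== '0' ? 'legacy header enabled; set to 0 or remove and rely on CSP' : null },
];

// Accepts a fetch() Headers object or a plain { name: value } object.
function getHeader(headers, name) {
  if (typeof headers.get === 'function') return headers.get(name);
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// Runs every check and returns the list of findings.
function analyzeHeaders(headers) {
  const findings = [];
  for (const { name, severity, check } of HEADER_CHECKS) {
    const problem = check(getHeader(headers, name));
    if (problem !== null) findings.push({ header: name, severity, problem });
  }
  return findings;
}

// Severity-weighted score, clamped at 0 (assumed formula).
function securityScore(findings) {
  const penalty = findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0);
  return Math.max(0, 100 - penalty);
}

// How a content script would obtain the current page's headers: a same-origin
// HEAD request, so no CORS restriction applies. Not run in this example.
async function scanCurrentPage() {
  const res = await fetch(location.href, { method: 'HEAD', cache: 'no-store' });
  const findings = analyzeHeaders(res.headers);
  return { score: securityScore(findings), findings };
}

// Constructed samples: a weak configuration and a strong one.
const SAMPLE_WEAK = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=3600',
  'X-Frame-Options': 'ALLOWALL',
  'X-XSS-Protection': '1; mode=block',
};
const SAMPLE_STRONG = {
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-resource-policy': 'same-origin',
  'cross-origin-embedder-policy': 'require-corp',
  'x-xss-protection': '0',
};

console.log('weak score:', securityScore(analyzeHeaders(SAMPLE_WEAK)));     // 36
console.log('strong score:', securityScore(analyzeHeaders(SAMPLE_STRONG))); // 100
```

The weak sample loses points for an `'unsafe-inline'` script source, a short HSTS lifetime, an invalid X-Frame-Options value, the missing remaining headers and a legacy X-XSS-Protection setting; the strong sample produces no findings. Headers are matched case-insensitively, since a `Headers` object normalizes names but a hand-built object may not.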
WHO IT'S FOR
• Frontend developers checking sites before deployment
• Security engineers doing quick reconnaissance
• DevOps teams validating production configurations
• Penetration testers performing initial assessments
• Freelancers auditing client websites
• Students learning web security fundamentals
• Anyone concerned about website security

TECHNICAL DETAILS
Built on Manifest V3 with minimal permissions:
• activeTab - access current page when you click scan
• scripting - inject analysis code
• storage - cache last scan result locally

New in v1.2.0:
• Modular vulnerability database architecture
• Dynamic configuration for easy updates
• Severity-based scoring algorithm
• Enhanced pattern matching with regex optimization
• Improved error handling and CORS fallbacks

No background processes. No external API calls. No telemetry. The entire codebase is open source on GitHub if you want to audit it or contribute.

LIMITATIONS
This is a passive scanner, not a penetration testing tool. It cannot:
• Test for server-side vulnerabilities (SQLi, SSRF, RCE, etc.)
• Intercept or modify HTTP traffic
• Perform authenticated scanning
• Detect all possible security issues
• Replace a proper security audit by professionals

Think of it as a comprehensive health check and reconnaissance tool, not a replacement for professional security testing.

PRIVACY
Zero data collection. No analytics. No tracking. No external servers. Everything stays on your device. Check the source code yourself - it's all on GitHub.

OPEN SOURCE
MIT licensed. PRs welcome. Found a bug or want to add detection for another vulnerable library? The vulnerability database is now modular and easy to extend. Open an issue or submit a pull request.

GitHub: https://github.com/ashishjsharda/securiscan

Built by developers, for developers. No fluff, just useful security insights with real CVE tracking and actionable remediation guidance.
0 out of 5. No reviews
Details
- Version: 1.2.1
- Last updated: 9 January 2026
- Size: 85.13 KiB
- Languages: English (United States)
- Developer
E-mail
ashishjsharda@gmail.com - Non-trader. This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights may not apply to contracts between you and this developer.
Privacy
This developer declares that your data:
- Will not be sold to third parties outside of the approved use cases.
- Will not be used or transferred for purposes unrelated to the item's core functionality.
- Will not be used or transferred to determine your creditworthiness or for lending purposes.
Support
For help with questions, suggestions, or problems, visit the developer's support site.