
URL: https://apify.com/zyrox/website-security-auditor

Website Security Auditor · Apify

Under maintenance

Pricing

Pay per usage


A powerful security tool to scan websites for exposed API keys and XSS vulnerabilities.


Rating: 0.0 (0)

Developer: HIDDEN GHOST (Maintained by Community)

Actor stats: 1 bookmarked, 11 total users, 0 monthly active users, last modified 7 months ago

# 🔍 JS Hunter - Advanced JavaScript Security Scanner
**Automatically discovers and scans ALL JavaScript files on a website for security issues.**
## 🎯 What It Does
This actor automatically:
- ✅ Crawls your target website(s)
- ✅ Finds ALL JavaScript files (external, inline, hidden)
- ✅ Scans for exposed secrets, API keys, and credentials
- ✅ Detects security vulnerabilities (XSS, eval, etc.)
- ✅ Provides actionable recommendations
## 🚀 Features
### Automatic Discovery
- External JavaScript files (`<script src="...">`)
- Inline JavaScript (`<script>...</script>`)
- Hidden JS files found in HTML source
- Dynamic imports and lazy-loaded scripts
- Optional CDN scanning
### What It Finds
**CRITICAL Issues:**
- AWS Access Keys & Secret Keys
- Google API Keys
- Firebase Configurations
- Slack Tokens
- Stripe API Keys (Live & Test)
- GitHub Personal Access Tokens
- Private Keys (RSA, DSA, EC)
- JWT Tokens
- Generic API Keys
**HIGH Priority:**
- Internal IP Addresses
- Database Connection Strings
- S3 Bucket URLs
- Hardcoded Passwords
**MEDIUM Priority:**
- API Endpoints
- Admin Panel URLs
- Sensitive URL Parameters
**VULNERABILITIES:**
- DOM XSS Sinks
- Dangerous eval() usage
- SQL Injection patterns
**INFO:**
- Email Addresses
- Internal/Development Domains
## 📊 Input Configuration
```json
{
  "startUrls": [
    {"url": "https://yourwebsite.com"}
  ],
  "maxDepth": 2,
  "includeCdn": false,
  "filterCommonLibraries": true,
  "minConfidence": "MEDIUM"
}
```

### Parameters Explained

  • startUrls: Target website(s) to scan
  • maxDepth: How deep to crawl (1-5)
    • 1 = Only scan the start URL
    • 2 = Scan start URL + all linked pages (recommended)
    • 3+ = Deep crawl (slower)
  • includeCdn: Scan CDN-hosted libraries (usually not needed)
  • filterCommonLibraries: Skip jQuery, Bootstrap, etc. (recommended: true)
  • minConfidence: Result filtering
    • HIGH = Fewer false positives, high accuracy
    • MEDIUM = Balanced (recommended)
    • LOW = More results, may include false positives

## 📤 Output Format

Each finding includes:

```json
{
  "severity": "CRITICAL",
  "type": "AWS Access Key",
  "description": "AWS Access Key ID detected",
  "match": "AKIAIOSFODNN7EXAMPLE",
  "source_file": "https://example.com/config.js",
  "line_number": 45,
  "context": "const config = { awsKey: 'AKIAIOSFODNN7EXAMPLE' }",
  "recommendation": "🚨 Rotate AWS credentials immediately via IAM console.",
  "confidence": "HIGH",
  "timestamp": "2025-11-27T12:30:45"
}
```

### Summary Report

The last entry in the dataset is a summary:

```json
{
  "type": "SCAN_SUMMARY",
  "data": {
    "scan_info": {
      "target_url": "https://example.com",
      "scan_completed": "2025-11-27T12:35:00"
    },
    "statistics": {
      "scan_duration_seconds": 45.67,
      "urls_crawled": 25,
      "js_files_analyzed": 42,
      "total_findings": 15
    },
    "summary": {
      "critical_findings": 2,
      "high_findings": 5,
      "total_findings": 15
    }
  }
}
```
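
An added example (not part of the actor or its README) of consuming a dataset in this shape: it separates the `SCAN_SUMMARY` entry, drops findings below a confidence threshold, merges the same secret reported from several files, and masks the secret before it goes into a ticket or chat message. The sample dataset, the `triage` and `redact` names, and the severity ordering are assumptions.

```python
# Assumed ordering; severities not listed here (the page does not give them all) sort last.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}
CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def redact(text, secret, keep=4):
    """Mask all but the first `keep` characters of `secret` wherever it occurs in `text`."""
    return text.replace(secret, secret[:keep] + "*" * max(len(secret) - keep, 0))


def triage(items, min_confidence="MEDIUM"):
    """Split off SCAN_SUMMARY, drop weak findings, merge duplicates, sort by severity."""
    summary, merged = None, {}
    for item in items:
        if item.get("type") == "SCAN_SUMMARY":
            summary = item["data"]
            continue
        if CONFIDENCE_RANK.get(item.get("confidence"), 0) < CONFIDENCE_RANK[min_confidence]:
            continue
        key = (item["type"], item["match"])   # one secret often ships in several bundles
        entry = merged.setdefault(key, {
            "severity": item["severity"], "type": item["type"],
            "match": redact(item["match"], item["match"]),
            "context": redact(item.get("context", ""), item["match"]),
            "locations": [],
        })
        entry["locations"].append(f'{item["source_file"]}:{item["line_number"]}')
    ordered = sorted(merged.values(),
                     key=lambda f: SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)))
    return ordered, summary


# Constructed dataset in the shape shown above; KEY is the placeholder from the page's sample.
KEY = "AKIAIOSFODNN7EXAMPLE"
DATASET = [
    {"severity": "INFO", "type": "Email Address", "match": "dev@example.com",
     "source_file": "https://example.com/app.js", "line_number": 7,
     "context": "support: 'dev@example.com'", "confidence": "MEDIUM"},
    {"severity": "CRITICAL", "type": "AWS Access Key", "match": KEY,
     "source_file": "https://example.com/config.js", "line_number": 45,
     "context": f"const config = {{ awsKey: '{KEY}' }}", "confidence": "HIGH"},
    {"severity": "CRITICAL", "type": "AWS Access Key", "match": KEY,
     "source_file": "https://example.com/main.min.js", "line_number": 1,
     "context": f"awsKey:'{KEY}'", "confidence": "HIGH"},
    {"severity": "MEDIUM", "type": "API Endpoint", "match": "/api/v1/users",
     "source_file": "https://example.com/app.js", "line_number": 12,
     "context": "fetch('/api/v1/users')", "confidence": "LOW"},
    {"type": "SCAN_SUMMARY", "data": {"summary": {"critical_findings": 2, "total_findings": 4}}},
]
```

`triage(DATASET)` returns the merged, redacted findings in review order together with the summary's `data` object.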

## 🎯 How It Works

  1. Crawling: Starts from your target URL and follows links up to the specified depth
  2. JS Discovery: Finds all JavaScript resources:
    • Parses HTML for <script> tags
    • Extracts inline JavaScript
    • Discovers hidden JS files via regex
  3. Smart Filtering: Skips common libraries (jQuery, Bootstrap, etc.)
  4. Pattern Matching: Scans code with 30+ regex patterns
  5. Validation: Each finding is validated to reduce false positives
  6. Confidence Scoring: Assigns HIGH/MEDIUM/LOW confidence
  7. Reporting: Outputs clean JSON with actionable recommendations
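
Steps 4 to 6 sketched as an added example; this is not the actor's code, and its real patterns and validation rules are not published on this page. The two regexes, the placeholder heuristic, the `VULNERABILITY` severity label and the sample JavaScript are assumptions chosen to show why validation changes the confidence of an otherwise identical regex hit.

```python
import re

# Assumed patterns for illustration; the actor's own rules are not shown on the page.
PATTERNS = [
    ("AWS Access Key", "CRITICAL", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("DOM XSS Sink", "VULNERABILITY",
     re.compile(r"(\.innerHTML\s*=|document\.write\s*\(|\beval\s*\()")),
]
PLACEHOLDER = re.compile(r"EXAMPLE|XXXX|0000|1234", re.I)
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def confidence(kind, match, line):
    """Validation step: downgrade hits that look like documentation or dead code."""
    if line.lstrip().startswith(("//", "/*", "*")):
        return "LOW"                                  # commented-out line
    if kind == "AWS Access Key":
        return "LOW" if PLACEHOLDER.search(match) else "HIGH"
    # A sink fed a string literal is weaker evidence than one fed an expression.
    rhs = line.split(match, 1)[1].lstrip()
    return "LOW" if rhs[:1] in ("'", '"') else "MEDIUM"


def scan(js_text, source_file, min_confidence="MEDIUM"):
    """Return findings shaped like the page's output, filtered by confidence."""
    findings = []
    for number, line in enumerate(js_text.splitlines(), start=1):
        for kind, severity, pattern in PATTERNS:
            for hit in pattern.finditer(line):
                level = confidence(kind, hit.group(1), line)
                if RANK[level] < RANK[min_confidence]:
                    continue
                findings.append({
                    "severity": severity, "type": kind, "match": hit.group(1),
                    "source_file": source_file, "line_number": number,
                    "context": line.strip()[:120], "confidence": level,
                })
    return findings


# Constructed sample: line 1 uses the page's placeholder key, line 2 a made-up key.
SAMPLE_JS = """\
// docs: awsKey looks like AKIAIOSFODNN7EXAMPLE
const config = { awsKey: 'AKIAQ7RT2LMN8VXD4JPK' };
banner.innerHTML = "<b>Welcome</b>";
results.innerHTML = location.hash.slice(1);
"""
```

At the default `MEDIUM` threshold only lines 2 and 4 of the sample are reported; the commented placeholder key and the literal-fed `innerHTML` assignment surface only at `LOW`.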

## 💡 Best Practices

  1. Start with depth 2 - Good balance of coverage vs speed
  2. Enable library filtering - Reduces noise from third-party code
  3. Use MEDIUM confidence - Best accuracy/coverage balance
  4. Review CRITICAL findings first - Immediate security risks
  5. Check context - Verify findings aren't false positives

## ⚠️ Important Notes

  • This tool is for security research and authorized testing only
  • Only scan websites you own or have permission to test
  • Some findings may be false positives - always verify
  • Large websites may take several minutes to scan
  • Rate limiting may occur on some websites

## 🔧 Troubleshooting

No results found?

  • Check if website blocks automated tools
  • Try increasing maxDepth
  • Verify URLs are accessible

Too many false positives?

  • Set minConfidence to "HIGH"
  • Enable filterCommonLibraries
  • Disable includeCdn

Scan taking too long?

  • Reduce maxDepth to 1
  • Enable filterCommonLibraries
  • Scan specific pages instead of entire site
