JavaScript vulnerability scanning tool, to use with the Chrome developer console. Scans the current site for common vulnerabilities (configurable). This is a personal proof-of-concept and my first time working with JavaScript. The project is still a work in progress.

## Notes

This tool is read-only and safe to use: it does not modify page data or send requests. It runs entirely in the browser and requires no dependencies. It is designed for manual inspection and is ideal for quick audits, CTFs, bug bounty triage, and dev review.
This tool is a lightweight, JavaScript based cybersecurity scanner designed to be run directly from the DevTools Console in any modern browser. It helps developers and security professionals identify potential security risks and oversights in web applications—quickly and without installing anything.
## What It Does
The scanner performs the following checks on the current webpage:
- **Global Variable Scan**
  - Detects potentially sensitive variable names like `token`, `key`, `password`, `auth`, etc.
- **Inline Script Comment Check**
  - Identifies `//` and `/* */` comments in inline `<script>` tags, which may leak development info or credentials.
- **Dangerous Function Detection**
  - Flags use of risky JavaScript methods such as:
    - `eval()`
    - `Function()`
    - `setTimeout()` / `setInterval()` with string input
    - `document.write()`
- **Console Logging Detection**
  - Finds leftover `console.log()`, `console.debug()`, `console.warn()` statements that could expose app behavior or user data.
- **Sensitive Pattern Detection**
  - Detects patterns matching:
    - JWT tokens
    - Base64-encoded data
    - IPv4 addresses
- **jQuery Version Check**
  - Identifies loaded jQuery versions and warns if the version is older than 3.5, which may contain known vulnerabilities.
All checks can be toggled on/off via the `scanConfig` object at the top of the script:

```javascript
const scanConfig = {
  globalVarScan: true,
  scriptComments: true,
  dangerousFunctions: true,
  consoleLogs: true,
  detectTokens: true,
  detectBase64: true,
  detectIPs: true,
  checkJQueryVersion: true
};
```
## How to Use

1. Open the webpage you want to audit in your browser.
2. Open the DevTools Console:
   - Press F12 or Ctrl + Shift + I (Windows/Linux)
   - Press Cmd + Option + I (Mac)
3. Paste the entire script.
4. Hit Enter and review the grouped results in the console.

All findings will be color coded and organized using `console.group()`.
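The checks listed under What It Does, as an added example that is not the project's own code: a string-based reimplementation of the global variable, comment, dangerous function, console logging and sensitive pattern checks, plus the "older than 3.5" jQuery comparison, written to run in Node as well as the DevTools console. In the console you would pass `window` and the text of each inline script; the globals object and script snippet below are constructed stand-ins (assumptions).

```javascript
// Names the global scan treats as sensitive (assumption: same spirit as the tool's list).
const SENSITIVE_NAMES = /token|key|password|auth|secret/i;
const PATTERNS = {
  jwt: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g,
  ipv4: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g,
  // eval-style calls, document.write, and timers given a string instead of a function
  dangerous: /\b(?:eval|Function|document\.write)\s*\(|\b(?:setTimeout|setInterval)\s*\(\s*['"`]/g,
  consoleLog: /\bconsole\.(?:log|debug|warn)\s*\(/g,
  comment: /\/\/[^\n]*|\/\*[\s\S]*?\*\//g,
};

// Global Variable Scan: report own enumerable property names that look sensitive.
function scanGlobals(globalObj) {
  return Object.keys(globalObj).filter((name) => SENSITIVE_NAMES.test(name));
}

// Run every text pattern over script source; returns check name -> matched snippets.
function scanScriptText(text) {
  const findings = {};
  for (const [check, re] of Object.entries(PATTERNS)) {
    findings[check] = Array.from(text.matchAll(re), (m) => m[0].trim());
  }
  return findings;
}

// jQuery Version Check: true when "major.minor[.patch]" is older than the minimum.
function jqueryOutdated(version, minimum = '3.5') {
  const [major = 0, minor = 0] = version.split('.').map(Number);
  const [minMajor, minMinor] = minimum.split('.').map(Number);
  return major < minMajor || (major === minMajor && minor < minMinor);
}

// Constructed sample input (not taken from any real page).
const SAMPLE_GLOBALS = { apiToken: 'x', appName: 'demo', authHeader: 'y' };
const SAMPLE_SCRIPT = `
// TODO: remove before release, admin password is in config.js
var t = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123";
setTimeout("refresh()", 1000);
console.log("api host", "10.0.0.12");
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.group('Added scanner demo');
  console.log(scanGlobals(SAMPLE_GLOBALS));
  console.log(scanScriptText(SAMPLE_SCRIPT));
  console.log('jQuery 3.4.1 outdated?', jqueryOutdated('3.4.1'));
  console.groupEnd();
}
```

In the real console, `scanGlobals(window)` and `scanScriptText(s.textContent)` for each `document.scripts` entry give the same grouping the tool prints.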
## v1.0.3 – Initial Release

- Console based security scanner
- All scan types fully configurable
- Inline and external script analysis
- No external dependencies
## Planned for Future Versions

- Bookmarklet packaging
- Chrome extension version
- JSON/txt report export (if allowed)
- React/Angular/DOM framework detection
- CI/CD integration version for pipelines
MIT License © 2025. Use freely, modify respectfully.