# 🔍 JS Hunter - Advanced JavaScript Security Scanner

**Automatically discovers and scans ALL JavaScript files on a website for security issues.**

## 🎯 What It Does

This actor automatically:
- ✅ Crawls your target website(s)
- ✅ Finds ALL JavaScript files (external, inline, hidden)
- ✅ Scans for exposed secrets, API keys, and credentials
- ✅ Detects security vulnerabilities (XSS, eval, etc.)
- ✅ Provides actionable recommendations

## 🚀 Features

### Automatic Discovery
- External JavaScript files (`<script src="...">`)
- Inline JavaScript (`<script>...</script>`)
- Hidden JS files found in HTML source
- Dynamic imports and lazy-loaded scripts
- Optional CDN scanning

### What It Finds

**CRITICAL Issues:**
- AWS Access Keys & Secret Keys
- Google API Keys
- Firebase Configurations
- Slack Tokens
- Stripe API Keys (Live & Test)
- GitHub Personal Access Tokens
- Private Keys (RSA, DSA, EC)
- JWT Tokens
- Generic API Keys

**HIGH Priority:**
- Internal IP Addresses
- Database Connection Strings
- S3 Bucket URLs
- Hardcoded Passwords

**MEDIUM Priority:**
- API Endpoints
- Admin Panel URLs
- Sensitive URL Parameters

**VULNERABILITIES:**
- DOM XSS Sinks
- Dangerous eval() usage
- SQL Injection patterns

**INFO:**
- Email Addresses
- Internal/Development Domains

## 📊 Input Configuration

```json
{
  "startUrls": [
    {"url": "https://yourwebsite.com"}
  ],
  "maxDepth": 2,
  "includeCdn": false,
  "filterCommonLibraries": true,
  "minConfidence": "MEDIUM"
}

Parameters Explained

startUrls: Target website(s) to scan
maxDepth: How deep to crawl (1-5)
- 1 = Only scan the start URL
- 2 = Scan start URL + all linked pages (recommended)
- 3+ = Deep crawl (slower)
includeCdn: Scan CDN-hosted libraries (usually not needed)
filterCommonLibraries: Skip jQuery, Bootstrap, etc. (recommended: true)
minConfidence: Result filtering
- HIGH = Fewer false positives, high accuracy
- MEDIUM = Balanced (recommended)
- LOW = More results, may include false positives

📤 Output Format

Each finding includes:

{
  "severity": "CRITICAL",
  "type": "AWS Access Key",
  "description": "AWS Access Key ID detected",
  "match": "AKIAIOSFODNN7EXAMPLE",
  "source_file": "https://example.com/config.js",
  "line_number": 45,
  "context": "const config = { awsKey: 'AKIAIOSFODNN7EXAMPLE' }",
  "recommendation": "🚨 Rotate AWS credentials immediately via IAM console.",
  "confidence": "HIGH",
  "timestamp": "2025-11-27T12:30:45"
}

Summary Report

The last entry in the dataset is a summary:

{
  "type": "SCAN_SUMMARY",
  "data": {
    "scan_info": {
      "target_url": "https://example.com",
      "scan_completed": "2025-11-27T12:35:00"
    },
    "statistics": {
      "scan_duration_seconds": 45.67,
      "urls_crawled": 25,
      "js_files_analyzed": 42,
      "total_findings": 15
    },
    "summary": {
      "critical_findings": 2,
      "high_findings": 5,
      "total_findings": 15
    }
  }
}

🎯 How It Works

Crawling: Starts from your target URL and crawls links up to specified depth
JS Discovery: Finds all JavaScript resources:
- Parses HTML for <script> tags
- Extracts inline JavaScript
- Discovers hidden JS files via regex
Smart Filtering: Skips common libraries (jQuery, Bootstrap, etc.)
Pattern Matching: Scans code with 30+ regex patterns
Validation: Each finding is validated to reduce false positives
Confidence Scoring: Assigns HIGH/MEDIUM/LOW confidence
Reporting: Outputs clean JSON with actionable recommendations

💡 Best Practices

Start with depth 2 - Good balance of coverage vs speed
Enable library filtering - Reduces noise from third-party code
Use MEDIUM confidence - Best accuracy/coverage balance
Review CRITICAL findings first - Immediate security risks
Check context - Verify findings aren't false positives

⚠️ Important Notes

This tool is for security research and authorized testing only
Only scan websites you own or have permission to test
Some findings may be false positives - always verify
Large websites may take several minutes to scan
Rate limiting may occur on some websites

🔧 Troubleshooting

No results found?

Check if website blocks automated tools
Try increasing maxDepth
Verify URLs are accessible

Too many false positives?

Set minConfidence to "HIGH"
Enable filterCommonLibraries
Disable includeCdn

Scan taking too long?

Reduce maxDepth to 1
Enable filterCommonLibraries
Scan specific pages instead of entire site

Website Security & Vulnerability Audit

smart-digital/website-security-vulnerability-audit

Automated security and vulnerability audit for websites. Detects WordPress plugin vulnerabilities, checks for updates, analyzes SSL/TLS, security headers, and CMS security

My Smart Digital

5.0

Security Vulnerability Database - Free Scanner

ntriqpro/nist-cve-vulnerability-scanner

Search for known security vulnerabilities in software. Get detailed risk information and fixes.

daehwan kim

AI Repository Security Scanner

optimus-fulcria/ai-repo-security-scanner

Scan AI/ML repositories for vulnerabilities: sandbox escapes, code injection, path traversal. For security teams.

Fulcria Labs

Security Headers Checker

pillowy_travel/security-headers-checker

Analyze HTTP security headers of websites and generate a security score. Detect missing headers like CSP, HSTS, X-Frame-Options, and more. Perfect for web security audits, vulnerability checks, learning, and automated monitoring.

SAHIL KUMAR

Security.txt Checker

automation-lab/security-txt-checker

This actor checks websites for a security.txt file as defined by RFC 9116. It looks in `/.well-known/security.txt` and `/security.txt`, parses contact information, encryption keys, expiration dates, and validates compliance with the standard.

Stas Persiianenko

Security Headers Checker - HTTP Security Audit

pink_comic/security-headers-checker

HTTP security header audit for HSTS, CSP, X-Frame-Options, and more. Grade your website security posture against best practices. For penetration testing, compliance checks, and web hardening. No API key required.

Ava Torres

Kali Security Tools Actor

syntellect_ai/kali-security-tools-actor

The **Kali Security Tools Actor** Run penetration testing, vulnerability assessments, and security research directly in the cloud - 🛡️ 600+ Security Tools - 🤖 AI Integration - ☁️ Cloud-Native - 📊 Structured Output - 🎯 Multiple Scan Modes - 📈 Comprehensive Reporting - 🔒 Built-in Safeguards**

christopher athans crow

Kali Security Tools Actor ppe

syntellect_ai/kali-security-tools-actorv2

christopher athans crow

Domain Security Scanner

trovevault/domain-security-scanner

Scan any domain for active threats like malware hosting, phishing, botnet command-and-control, and security vendor blacklisting using multiple open threat intelligence sources in parallel. No API keys required. Designed for security teams, researchers, and sysadmins who need to do threat assessment.

Trove Vault

HTTP Headers Security Checker

automation-lab/http-headers-security-checker

This actor checks 12 HTTP security headers for any list of websites and produces a security grade with actionable findings. It identifies missing headers, weak configurations, and provides specific recommendations. Use it for security audits, compliance checks, or monitoring your web...

Stas Persiianenko