# Website Security Auditor (`zyrox/website-security-auditor`) Actor A powerful security tool to scan websites for exposed API keys and XSS vulnerabilities. - **URL**: https://apify.com/zyrox/website-security-auditor.md - **Developed by:** [HIDDEN GHOST](https://apify.com/zyrox) (community) - **Categories:** Automation, Developer tools, Other - **Stats:** 11 total users, 0 monthly users, 0.0% runs succeeded, 1 bookmarks - **User rating**: No ratings yet ## Pricing Pay per usage This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ```markdown ## 🔍 JS Hunter - Advanced JavaScript Security Scanner **Automatically discovers and scans ALL JavaScript files on a website for security issues.** ### 🎯 What It Does This actor automatically: - ✅ Crawls your target website(s) - ✅ Finds ALL JavaScript files (external, inline, hidden) - ✅ Scans for exposed secrets, API keys, and credentials - ✅ Detects security vulnerabilities (XSS, eval, etc.) - ✅ Provides actionable recommendations ### 🚀 Features #### Automatic Discovery - External JavaScript files (``) - Hidden JS files found in HTML source - Dynamic imports and lazy-loaded scripts - Optional CDN scanning #### What It Finds **CRITICAL Issues:** - AWS Access Keys & Secret Keys - Google API Keys - Firebase Configurations - Slack Tokens - Stripe API Keys (Live & Test) - GitHub Personal Access Tokens - Private Keys (RSA, DSA, EC) - JWT Tokens - Generic API Keys **HIGH Priority:** - Internal IP Addresses - Database Connection Strings - S3 Bucket URLs - Hardcoded Passwords **MEDIUM Priority:** - API Endpoints - Admin Panel URLs - Sensitive URL Parameters **VULNERABILITIES:** - DOM XSS Sinks - Dangerous eval() usage - SQL Injection patterns **INFO:** - Email Addresses - Internal/Development Domains ### 📊 Input Configuration ```json { "startUrls": [ {"url": "https://yourwebsite.com"} ], "maxDepth": 2, "includeCdn": false, "filterCommonLibraries": true, "minConfidence": "MEDIUM" } ```` #### Parameters Explained - **startUrls**: Target website(s) to scan - **maxDepth**: How deep to crawl (1-5) - 1 = Only scan the start URL - 2 = Scan start URL + all linked pages (recommended) - 3+ = Deep crawl (slower) - **includeCdn**: Scan CDN-hosted libraries (usually not needed) - **filterCommonLibraries**: Skip jQuery, Bootstrap, etc. (recommended: true) - **minConfidence**: Result filtering - HIGH = Fewer false positives, high accuracy - MEDIUM = Balanced (recommended) - LOW = More results, may include false positives ### 📤 Output Format Each finding includes: ```json { "severity": "CRITICAL", "type": "AWS Access Key", "description": "AWS Access Key ID detected", "match": "AKIAIOSFODNN7EXAMPLE", "source_file": "https://example.com/config.js", "line_number": 45, "context": "const config = { awsKey: 'AKIAIOSFODNN7EXAMPLE' }", "recommendation": "🚨 Rotate AWS credentials immediately via IAM console.", "confidence": "HIGH", "timestamp": "2025-11-27T12:30:45" } ``` #### Summary Report The last entry in the dataset is a summary: ```json { "type": "SCAN_SUMMARY", "data": { "scan_info": { "target_url": "https://example.com", "scan_completed": "2025-11-27T12:35:00" }, "statistics": { "scan_duration_seconds": 45.67, "urls_crawled": 25, "js_files_analyzed": 42, "total_findings": 15 }, "summary": { "critical_findings": 2, "high_findings": 5, "total_findings": 15 } } } ``` ### 🎯 How It Works 1. **Crawling**: Starts from your target URL and crawls links up to specified depth 2. **JS Discovery**: Finds all JavaScript resources: - Parses HTML for `