
Prizm 🔐

Browser-based security scanner for detecting exposed secrets, API keys, and PII in client-side storage


Prizm reveals hidden secrets in client-side storage through comprehensive scanning, ML-powered detection, live verification, and intelligent pattern matching. Built for security professionals who value clarity, precision, and actionable insights.

Keywords: Prism Security Scanner, Browser Security Extension, Client-Side Secret Detection, API Key Scanner


🎯 The Problem

Modern web applications store sensitive data client-side: API keys in localStorage, tokens in cookies, credentials in IndexedDB. These secrets are often exposed to anyone who opens DevTools.

Most secret scanning tools focus on git repositories—they can't scan live websites.

Prizm fills this gap. It's the only browser extension that scans 7+ storage types, WebSocket traffic, Service Worker caches, GraphQL endpoints, and DOM elements for exposed secrets.


✨ Features

🔍 Comprehensive Storage Scanning

Storage Type      What It Catches
localStorage      Persistent tokens, API keys, user data
sessionStorage    Session tokens, temporary credentials
Cookies           Auth tokens, session IDs, tracking data
IndexedDB         Structured data, cached credentials
Cache API         Service Worker cached responses
Window Objects    Global variables, exposed configs
Inline Scripts    Hardcoded keys, embedded secrets

🌐 Network & Real-Time Monitoring

  • Fetch/XHR Interception: Monitors all HTTP requests for secrets in headers/bodies
  • WebSocket Scanning: First-of-its-kind—scans bidirectional WebSocket traffic
  • Service Worker Analysis: Scans PWA caches and registered workers
  • GraphQL Introspection: Detects exposed schemas and sensitive fields

🎯 Intelligent Pattern Detection

157 patterns covering modern platforms:

Category     Services
Cloud        AWS, Google Cloud, Azure, Vercel, Netlify, Railway, Render, Fly.io
AI/ML        OpenAI, Anthropic, HuggingFace, Cohere, Replicate, Mistral
Auth         Clerk, Auth0, Okta, JWT (with algorithm analysis), Stytch
SaaS         GitHub, GitLab, Slack, Discord, SendGrid, Mailgun, Twilio
Databases    MongoDB, PostgreSQL, Supabase, PlanetScale, Neon, Turso
Payments     Stripe, PayPal, Square, Coinbase, Binance, Lemon Squeezy
Analytics    Segment, Amplitude, Mixpanel, PostHog, Datadog
Package      npm, PyPI, RubyGems, Docker Hub
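The two sections above (storage scanning and pattern detection, including the JWT algorithm analysis) come together in the following added example. It is not Prizm's own code: the regexes, the `scanStorageSnapshot` and `analyzeJwt` names and every sample value are constructed here, and the snapshot is a plain object so the same logic runs against a real `localStorage`/`document.cookie` dump in a page or offline in Node.

```javascript
// Added example: scan a snapshot of client-side storage for known key formats and
// analyse any JWT it finds. Not Prizm's own code; the regexes, the function names
// and the sample values are constructed for illustration.

const PATTERNS = [
  { name: 'AWS Access Key ID', regex: /\bAKIA[0-9A-Z]{16}\b/g, asset: 'aws' },
  { name: 'GitHub Personal Access Token', regex: /\bghp_[A-Za-z0-9]{36}\b/g, asset: 'saas' },
  { name: 'Stripe Live Secret Key', regex: /\bsk_live_[A-Za-z0-9]{24,}\b/g, asset: 'payments' },
  { name: 'JSON Web Token', regex: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g, asset: 'auth' },
];

// base64url helpers (atob/btoa exist in browsers and in Node 16+)
function b64urlEncode(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}

// Decode a JWT without verifying it and report structural weaknesses.
function analyzeJwt(token) {
  const parts = token.split('.');
  let header, payload;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
    payload = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return { decodable: false, findings: ['header or payload is not valid base64url JSON'] };
  }
  const findings = [];
  const alg = String(header.alg || '').toLowerCase();
  if (alg === 'none') findings.push('alg=none: token carries no signature to verify');
  else if (alg.startsWith('hs')) findings.push(`${header.alg}: symmetric signing, every verifier must hold the secret`);
  if (!parts[2]) findings.push('empty signature segment');
  if (payload.exp === undefined) findings.push('no exp claim: token never expires');
  else if (payload.exp * 1000 < Date.now()) findings.push('token is expired');
  return { decodable: true, alg: header.alg, claims: Object.keys(payload), findings };
}

// Keep enough of a match to recognise it in a report without reproducing the secret.
function redact(s) {
  return s.length <= 10 ? '***' : `${s.slice(0, 6)}...${s.slice(-4)}`;
}

// snapshot shape: { localStorage: {key: value}, sessionStorage: {...}, cookies: {...} }
function scanStorageSnapshot(snapshot) {
  const findings = [];
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const [key, value] of Object.entries(entries)) {
      // non-string values (parsed JSON configs) are scanned in serialised form
      const text = typeof value === 'string' ? value : JSON.stringify(value);
      for (const p of PATTERNS) {
        for (const m of text.matchAll(p.regex)) {
          const finding = { store, key, pattern: p.name, asset: p.asset, sample: redact(m[0]) };
          if (p.name === 'JSON Web Token') finding.jwt = analyzeJwt(m[0]);
          findings.push(finding);
        }
      }
    }
  }
  return findings;
}

// Constructed test data: obviously fake values in the right shapes.
const SAMPLE_SNAPSHOT = {
  localStorage: {
    theme: 'dark',
    awsConfig: { region: 'us-east-1', accessKeyId: 'AKIA' + 'A'.repeat(16) },
  },
  sessionStorage: { githubToken: 'ghp_' + 'B'.repeat(36) },
  cookies: {
    // unsigned token: alg=none and an empty signature segment
    session: b64urlEncode({ alg: 'none', typ: 'JWT' }) + '.' + b64urlEncode({ sub: '42' }) + '.',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanStorageSnapshot(SAMPLE_SNAPSHOT), null, 2));
}
```

Findings carry a redacted sample rather than the raw value, so a report or an exported ticket never becomes a second copy of the secret. Note that the JWT check is structural only; it decodes without verifying, which is all a scanner running in the page can do.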

🧠 ML-Powered Detection

  • Feature Extraction: Entropy, charset diversity, known prefixes, context keywords
  • Classification: Weighted scoring with 0.4 confidence threshold
  • False Positive Reduction: Learns from 20+ high-confidence prefixes (AKIA, sk-, ghp_, etc.)
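The feature set and weighted scoring described in this section, as an added example that is not Prizm's `ml-classifier.js`. The 0.4 threshold and the AKIA / sk- / ghp_ prefixes are the README's; the feature weights, the entropy normalisation constant, the extra prefixes and keyword list, and the `classify` and `extractFeatures` names are assumptions made for this illustration.

```javascript
// Added example: heuristic secret classifier. Not Prizm's code; the weights,
// keyword list and normalisation constant below are assumed values.

const KNOWN_PREFIXES = ['AKIA', 'sk-', 'ghp_', 'sk_live_', 'xoxb-'];
const CONTEXT_KEYWORDS = ['key', 'secret', 'token', 'password', 'auth', 'credential'];

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  if (!s) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Fraction of the four character classes (lower, upper, digit, symbol) present.
function charsetDiversity(s) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
  return classes.filter((re) => re.test(s)).length / classes.length;
}

function extractFeatures(value, contextKey = '') {
  const ctx = contextKey.toLowerCase();
  return {
    entropy: shannonEntropy(value),
    diversity: charsetDiversity(value),
    hasKnownPrefix: KNOWN_PREFIXES.some((p) => value.startsWith(p)),
    hasContextKeyword: CONTEXT_KEYWORDS.some((k) => ctx.includes(k)),
    length: value.length,
  };
}

const WEIGHTS = { entropy: 0.35, diversity: 0.15, prefix: 0.4, context: 0.1 }; // assumed
const ENTROPY_CEILING = 4.5; // assumed: bits/char at which entropy counts as fully random
const THRESHOLD = 0.4; // confidence threshold from the README

function classify(value, contextKey = '') {
  const f = extractFeatures(value, contextKey);
  const entropyScore = Math.min(f.entropy / ENTROPY_CEILING, 1);
  let score =
    WEIGHTS.entropy * entropyScore +
    WEIGHTS.diversity * f.diversity +
    (f.hasKnownPrefix ? WEIGHTS.prefix : 0) +
    (f.hasContextKeyword ? WEIGHTS.context : 0);
  if (f.length < 16) score *= 0.5; // short values are rarely credentials
  score = Math.round(score * 1000) / 1000;
  return { score, isSecret: score >= THRESHOLD, features: f };
}

// Constructed inputs: a 32-char hex value with every digit used exactly twice
// (entropy exactly 4 bits/char), a known-prefix token, and an ordinary setting.
const SAMPLE_HEX = 'a3f05c7e91b2d8466d1e4b0a9c2f8735';
const SAMPLE_GHP = 'ghp_' + 'B'.repeat(36);

if (typeof require !== 'undefined' && require.main === module) {
  for (const [value, key] of [[SAMPLE_HEX, 'api_key'], [SAMPLE_HEX, 'build_id'], [SAMPLE_GHP, ''], ['dark', 'theme']]) {
    const r = classify(value, key);
    console.log(key.padEnd(10), r.score.toFixed(3), r.isSecret ? 'SECRET' : 'ok');
  }
}
```

The same hex value lands on opposite sides of the threshold depending on the storage key it sits under (`api_key` versus `build_id`), which is the practical reason context keywords are a feature and not just entropy.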

⚡ Live Secret Verification

Validates if secrets are actually active (9 providers):

Provider       Verification Method
GitHub         /user API check
OpenAI         List models endpoint
Stripe         Charges list
Slack          auth.test
SendGrid       Scopes check
Discord        User info
Telegram       getMe
npm            User profile
HuggingFace    whoami-v2

📊 Risk Scoring & Prioritization

  • Asset-Based Scoring: Prioritizes by what the secret protects (AWS=100, analytics=40)
  • Environment Detection: Production (+30%), Staging (+10%), Development (-30%)
  • Priority Levels: P0 (Immediate) → P4 (Informational)
  • Historical Tracking: Compare scans over time, identify trends
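The asset-based score, environment adjustment and priority mapping above as an added example, not Prizm's `asset-prioritizer.js`. The numbers the README states (AWS = 100, analytics = 40; production +30%, staging +10%, development -30%) are used as given; the other asset values, the hostname heuristics, the P0..P4 cut-offs and the bonus for a live-verified secret are assumptions made here.

```javascript
// Added example: value-based risk scoring. Not Prizm's code. Only the AWS/analytics
// values and the three environment adjustments come from the README; everything
// else in this block is an assumed illustration.

const ASSET_VALUE = { aws: 100, payments: 90, database: 85, auth: 80, saas: 60, analytics: 40 };
const ENV_ADJUSTMENT = { production: 0.3, staging: 0.1, development: -0.3, unknown: 0 };
const DEFAULT_ASSET_VALUE = 50;
const VERIFIED_BONUS = 10; // assumed: a key confirmed live outranks an unverified one

// Crude hostname-based environment detection (assumed heuristics).
function detectEnvironment(hostname) {
  const h = String(hostname).toLowerCase();
  if (h === 'localhost' || h.startsWith('127.') || h.startsWith('192.168.')) return 'development';
  if (/(^|[.-])(dev|test|local)([.-]|$)/.test(h)) return 'development';
  if (/(^|[.-])(staging|stage|uat|preprod)([.-]|$)/.test(h)) return 'staging';
  if (/\.(com|io|net|org|app)$/.test(h)) return 'production';
  return 'unknown';
}

// Base value of what the secret protects, adjusted for environment, clamped to 0..100.
function riskScore(assetClass, environment, verified = false) {
  const base = ASSET_VALUE[assetClass] ?? DEFAULT_ASSET_VALUE;
  let score = base * (1 + (ENV_ADJUSTMENT[environment] ?? 0));
  if (verified) score += VERIFIED_BONUS;
  return Math.max(0, Math.min(100, Math.round(score)));
}

// Assumed cut-offs for the README's P0 (Immediate) .. P4 (Informational) levels.
function priorityLevel(score) {
  if (score >= 90) return 'P0';
  if (score >= 70) return 'P1';
  if (score >= 50) return 'P2';
  if (score >= 30) return 'P3';
  return 'P4';
}

// Annotate findings with environment, score and priority, highest risk first.
function prioritize(findings) {
  return findings
    .map((f) => {
      const environment = detectEnvironment(f.hostname);
      const score = riskScore(f.asset, environment, f.verified);
      return { ...f, environment, score, priority: priorityLevel(score) };
    })
    .sort((a, b) => b.score - a.score);
}

// Constructed findings: same asset classes on different hosts.
const SAMPLE_FINDINGS = [
  { pattern: 'AWS Access Key ID', asset: 'aws', hostname: 'app.example.com', verified: false },
  { pattern: 'Segment write key', asset: 'analytics', hostname: 'dev.example.com', verified: false },
  { pattern: 'Segment write key', asset: 'analytics', hostname: 'staging.example.com', verified: true },
  { pattern: 'AWS Access Key ID', asset: 'aws', hostname: 'localhost', verified: false },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of prioritize(SAMPLE_FINDINGS)) {
    console.log(f.priority, String(f.score).padStart(3), f.environment.padEnd(11), f.hostname, f.pattern);
  }
}
```

Clamping matters: an AWS key in production computes to 130 before the clamp, and without it the +30% adjustment would push scores off the 0-100 scale the reports use.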

🔔 Monitoring & Alerts

  • Scheduled Scans: Automatic periodic scanning with alarms
  • Badge Alerts: Extension icon shows finding count
  • Browser Notifications: Alerts for new critical findings
  • Auto-scan on Navigation: Optional immediate scan on page load

🔗 Security Platform Integrations

Export findings directly to:

Platform         Features
GitHub Issues    Auto-create issues with labels, assignees
Jira             Create tickets with proper priority mapping
Linear           GraphQL-based issue creation
Slack            Rich block-formatted messages
Discord          Embedded notifications
Webhooks         Custom endpoints for any platform

📈 Feedback & Baseline Management

  • Mark as False Positive: Persists across sessions
  • Baseline Allowlist: Domain-specific and global rules
  • Pattern Statistics: Track accuracy per pattern type
  • Export/Import: Share configurations across teams
  • Custom Patterns: Add your own regex patterns

📄 Professional Reporting

Format      Use Case
HTML        Beautiful, printable reports with 3D prism animation
JSON        Integration with other tools
Markdown    Documentation and GitHub-friendly
CSV         Spreadsheet analysis

🎨 Minimalist Design

  • Clean, unobtrusive interface
  • Dark theme optimized
  • 8px grid system
  • DM Sans typography
  • Functional aesthetics—less, but better

🚀 Quick Start

1. Clone the Repository

git clone https://github.com/fevra-dev/Prizm.git
cd Prizm

2. Load in Chrome

  1. Navigate to chrome://extensions/
  2. Enable Developer mode (toggle in top right)
  3. Click Load unpacked
  4. Select the prizm folder (contains manifest.json)

3. Test It

  1. Open test/test-page.html in a new tab
  2. Click the Prizm extension icon
  3. View detected secrets sorted by risk score

📁 Project Structure

Prizm/
├── manifest.json                    # Chrome Extension Manifest V3
├── README.md                        
├── QUICKSTART.md                    
├── PRIVACY_POLICY.md                # Chrome Web Store requirement
├── CHANGELOG.md                     # Version history
├── LICENSE                          
├── icons/                           
│   ├── icon16.png
│   ├── icon48.png
│   └── icon128.png
├── src/
│   ├── background/
│   │   └── service-worker.js        # Scheduled scans, notifications
│   ├── content/
│   │   ├── patterns.js              # Core 30+ patterns
│   │   ├── patterns-2026.js         # 40+ modern SaaS/AI patterns
│   │   ├── patterns-extended.js     # 50+ additional patterns
│   │   ├── enhanced-scanner.js      # Main orchestrator
│   │   ├── index.js                 # Entry point
│   │   ├── analyzers/
│   │   │   ├── jwt.js               # JWT decode + weakness analysis
│   │   │   ├── entropy.js           # Shannon entropy + PII detection
│   │   │   └── graphql.js           # GraphQL schema introspection
│   │   └── features/
│   │       ├── ml-classifier.js     # ML-powered classification
│   │       ├── active-verifier.js   # Live API validation
│   │       ├── asset-prioritizer.js # Value-based risk scoring
│   │       ├── feedback-loop.js     # FP marking, persistence
│   │       ├── config-manager.js    # Baseline, custom patterns
│   │       ├── history-trends.js    # Persistent history
│   │       ├── integrations.js      # GitHub, Jira, Slack
│   │       ├── browser-scanner.js   # DOM, meta, postMessage
│   │       ├── websocket-monitor.js # WS traffic interception
│   │       ├── network-monitor.js   # Fetch/XHR monitoring
│   │       ├── report-generator.js  # Multi-format exports
│   │       └── false-positive-filter.js
│   └── popup/
│       ├── popup.html               
│       ├── popup.js                 
│       └── popup.css                
└── test/
    └── test-page.html               # Test page with planted secrets

📊 Key Capabilities

Capabilities supported by Prizm:

  • Browser Extension
  • Live Website Scanning
  • WebSocket Traffic
  • Service Worker Caches
  • GraphQL Detection
  • postMessage Scanning
  • DOM Attribute Scanning
  • ML Classification
  • Live Secret Verification
  • 157 Detection Patterns
  • Asset-Based Prioritization
  • Risk Scoring (0-100)
  • Jira/GitHub Integration
  • Zero Dependencies

Prizm scans live websites, WebSocket traffic, postMessage, and Service Worker caches—areas invisible to source code scanners.


🛠️ Technical Highlights

Vanilla JavaScript

Zero external dependencies. Uses only native browser APIs:

  • Fetch API interception via monkey-patching
  • WebSocket constructor override
  • IndexedDB, Cache API, Storage API
  • MutationObserver for dynamic content
  • postMessage interception
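The Fetch interception by monkey-patching listed above, as an added example that is not Prizm's `network-monitor.js`. The object whose `fetch` gets wrapped is passed in rather than hard-coded to `window`, so the same hook runs in a page (`installFetchHook(window, ...)`) and against a fake in an offline test; the pattern list, the `inspectRequest` / `installFetchHook` names and the sample request are constructed here.

```javascript
// Added example: wrap an object's fetch so every request's URL, headers and body
// are inspected for secrets before the real call proceeds. Not Prizm's code.
// The hook observes only; it never blocks, alters or retries the request.

const REQUEST_PATTERNS = [
  { name: 'Bearer token', regex: /\bBearer\s+[A-Za-z0-9._-]{20,}/ },
  { name: 'AWS Access Key ID', regex: /\bAKIA[0-9A-Z]{16}\b/ },
];

function redact(s) {
  return s.length <= 10 ? '***' : `${s.slice(0, 6)}...${s.slice(-4)}`;
}

// Normalise the three header shapes fetch accepts: Headers, [[k, v]], or {k: v}.
function headerPairs(headers) {
  if (!headers) return [];
  if (Array.isArray(headers)) return headers;
  if (typeof headers.entries === 'function') return [...headers.entries()];
  return Object.entries(headers);
}

// Pure function: returns findings for one (url, init) pair, nothing else.
function inspectRequest(url, init = {}) {
  const surfaces = [['url', String(url)]];
  for (const [k, v] of headerPairs(init.headers)) surfaces.push([`header:${k}`, String(v)]);
  if (typeof init.body === 'string') surfaces.push(['body', init.body]);
  const findings = [];
  for (const [where, text] of surfaces) {
    for (const p of REQUEST_PATTERNS) {
      const m = text.match(p.regex);
      if (m) findings.push({ where, pattern: p.name, sample: redact(m[0]) });
    }
  }
  return findings;
}

// Replace target.fetch with an observing wrapper; returns a function that restores it.
function installFetchHook(target, onFinding) {
  const original = target.fetch;
  target.fetch = function patchedFetch(url, init) {
    try {
      for (const f of inspectRequest(url, init)) onFinding(f);
    } catch (e) {
      // monitoring must never break the application's own request
    }
    return original.call(this, url, init);
  };
  return function uninstall() {
    target.fetch = original;
  };
}

// Constructed request: a bearer header and a body that embeds an AWS-shaped key.
const SAMPLE_INIT = {
  method: 'POST',
  headers: { Authorization: 'Bearer ' + 'a'.repeat(32), 'Content-Type': 'application/json' },
  body: JSON.stringify({ key: 'AKIA' + 'B'.repeat(16) }),
};

if (typeof require !== 'undefined' && require.main === module) {
  // Offline demo against a fake target instead of window.
  const fake = { fetch: (url) => Promise.resolve({ ok: true, url }) };
  const uninstall = installFetchHook(fake, (f) => console.log('finding', f));
  fake.fetch('https://api.example.com/v1/items', SAMPLE_INIT).then(() => uninstall());
}
```

Because the wrapper only reads the arguments it receives, request bodies that are streams or `FormData` are not inspected here; a production monitor would need to clone those before they are consumed.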

Manifest V3 Compliant

Built for the future of Chrome extensions:

  • Service worker-based background script
  • Proper content script isolation
  • Chrome alarms for scheduling
  • Notification API support

Performance Optimized

  • Async/await throughout
  • Efficient regex compilation
  • Debounced scanning
  • Minimal memory footprint

🔒 Security & Ethics

⚠️ This tool is for authorized security testing only.

  • ✅ Use on websites you own
  • ✅ Use with explicit written permission
  • ✅ Report findings through responsible disclosure
  • ❌ Do not use for unauthorized reconnaissance
  • ❌ Do not use to exploit discovered secrets
  • ❌ Do not violate privacy laws (GDPR, CCPA)

All scanning happens locally in your browser. No data is sent externally.


🗺️ Roadmap

v0.2.0 ✅

  • ML-powered classification
  • Active secret verification (9 providers)
  • Asset-based prioritization
  • Feedback loop & baseline management
  • GitHub/Jira/Linear integrations
  • Slack/Discord webhooks
  • Scheduled monitoring with badges
  • Browser notifications
  • 157 detection patterns

v0.3.0

  • Chrome Web Store publication
  • Firefox Add-ons support
  • Custom pattern UI editor
  • Team collaboration features

v0.4.0

  • CI/CD integration hooks
  • API endpoint for headless scanning
  • Enterprise features

🤝 Contributing

Contributions welcome! See CONTRIBUTING.md for guidelines.

# Fork → Clone → Branch → Commit → Push → PR
git checkout -b feature/amazing-feature
git commit -m 'Add amazing feature'
git push origin feature/amazing-feature

📝 License

MIT License - see LICENSE for details.


👨‍💻 Author

Built by Fevra as a portfolio project demonstrating:

  • Browser extension development (Manifest V3)
  • Security tooling and pattern matching
  • ML classification in browser context
  • Clean architecture and modular design
  • Minimalist UI/UX design principles
  • Full-stack integration (webhooks, APIs)

Version: v0.2.0
Patterns: 157
For authorized testing only. Use responsibly. 🔐