Catching Vulnerable JS Libraries

Published under Technology

There are many tools for discovering website security flaws. Here are some simple open source tools you can adopt so that attackers from all over the world don't ruin your work. Retire.js is a simple, useful tool that scans a website or its source files and reports any vulnerable JS libraries, which covers the security scan you want before a deployment. It can be installed via npm in the Terminal.

npm install -g retire

You can run it from the source files directory as simply as

retire

or against the build directory, "dist" in many cases:

retire --path ./dist

However, Retire.js is deprecated and will be removed soon. To move on from here, you can install the open source OWASP ZAP or Burp Suite; both are full suites of testing tools. Burp has a Community edition, but some functions are locked to the Professional edition, while ZAP offers all of its features and can be installed via Homebrew. To get around the latest macOS Gatekeeper, you'll want to add the "--no-quarantine" flag; otherwise it won't install. That flag skips Gatekeeper's quarantine check for the downloaded app, so be careful of what you install.

brew install --cask owasp-zap --no-quarantine

Once installed, open the app. Start a new Spider from the menu via Tools > Spider… (or Command-Option-S). Then put the website URL in the "Starting Point" field and press "Start Scan".

When the scan completes, check the Alerts tab at the bottom left of the screen. Expand it to see whether there is anything you should update. Update the relevant JS libraries and re-run the spider; there should then be no more alerts under the Vulnerable JS Library section. In the alert list there can be a whole bunch of items to address, but that depends on the website's settings and platform. Addressing the JS library vulnerabilities is probably the first thing you can help with as a web developer. For other issues like unsafe-inline, there may be nothing you can do whenever third-party JS and tracking tools are present.

Tagged: frontend, js, web dev
