XowiaScan
Tools
Recon & Discovery15 tools Web Security Audit8 tools Exploitation & OOB3 tools Payloads & Wordlists3 tools Crypto & Generators3 tools Encoders & Converters5 tools Reference & Reports4 tools
Browse the full catalogue Open /explore →
Free Tools
Recon & Discovery
SiteMapper ProTurn a URL list into 4 views: hierarchical host/path tree, sortable fl… URL & Endpoint ExtractorMine URLs, JS endpoints, domains and parameters from pasted source cod… CIDR / IP CalculatorIPv4 and IPv6 subnet math. Expand CIDRs, parse ranges and netmasks, ag…
Web Security Audit
Cookie / JWT AuditorAudit cookie flags (Secure, HttpOnly, SameSite, __Host- / __Secure- pr…
Crypto & Generators
Hash ToolkitGenerate (MD5, NTLM, SHA) and identify 60+ hash types with ranked cand… Test Data GeneratorRealistic-looking test data across 22 countries: names, emails, phone … Code / Password / Token GeneratorCustom-charset strings (1-512 chars, up to 5000 at a time), passwords …
Encoders & Converters
Encoder / Decoder4-tab workbench: 20+ encodings (URL, double-URL, percent-all, Base64, … HTTP Request ConverterConvert HTTP requests between 6 formats: Raw HTTP (Burp), curl, fetch(… JSON WorkbenchFormat, validate (with line / col error), minify, sort keys, unescape … Text Suite7-tab text workbench: regex find/replace, sort/dedupe/sample, keep-dro… Text Comparer4-tab diff workbench: true LCS line / word / char diff, side-by-side, …
See all 12 free tools on /explore →
Pricing
Resources
ChangelogWhat's shipped lately API DocsAutomate scans from your CLI About Xowia LabsWho's behind this ContactBug reports, ideas, just say hi Terms & PrivacyAcceptable-use policy + privacy
Sign in Get started
← All tools

JS Secrets Scanner

Web Security Audit

Crawl a target URL, harvest its JavaScript bundles, inline scripts and source maps, and scan all of it for ~40 curated secret patterns (AWS, GCP, Stripe, Razorpay, Slack, GitHub, GitLab, SendGrid, Mailgun, Twilio, Discord, Telegram, npm, PyPI, DigitalOcean, Cloudflare, Linear, Square, PEM private keys, JWTs, internal URLs and more) plus a Shannon-entropy heuristic for unclassified high-entropy strings. Findings grouped by severity, masked by default, with snippet context, source-map awareness, JSON / CSV / Markdown export and Burp handoff. Pro tier server-side; hard caps keep scans under 60s and 12MB.

What it does

JS Secrets Scanner is part of the XowiaScan Web Security Audit toolset. It runs server-side: submit a target and the suite performs the lookup/scan, returning structured results saved to your private scan history.

Access

Free tier: included via a 6-hour token allowance and rate limits. Paid tiers: unmetered. Also available through the scoped API.

Use JS Secrets Scanner

Run it from your dashboard.

Create free account Sign in Use via API

At a glance

CategoryWeb Security Audit
RunsServer-side
Token cost 4 / run (free tier)
Access Pro
Status● Live
Explore more tools →