Halo Security detects secrets and API keys exposed in JavaScript

Web properties increasingly rely on third-party JavaScript for enhanced functionality, but this also comes with its own risks.

A Source Defense report that scanned the 4,300 most trafficked websites worldwide found an average of 4 third-party scripts per page. These tags are often added without proper security controls or oversight by security teams, making it easy for attackers to find exposed API keys and violating sites.

Halo Security has announced a new feature to help security teams detect unintended exposure. Its agentless solution identifies the secrets of scripts used across the attack surface, regardless of how the scripts were added, so security teams know what’s dangerous and what’s not.

These tags are often added by developers and marketers through tag management systems without understanding the risks. According to Invicti’s research, 6.3% of the top sites on the internet expose his keys and secrets.

Halo Security’s new feature detects and alerts customers to over 700 sensitive information across scanned websites. potential, such as Amazon keys that unlock the site’s entire infrastructure, or proprietary backdoors to third-party features such as image carousels, where attackers can upload or delete images to damage their reputation. found devastating exposure to

“Our pentesters have been flagging this issue more and more lately, and it’s an issue that most clients don’t know about,” said Nick Merritt, vice president of security products at Halo Security. “Our new JavaScript secret detection perfectly complements our existing script monitoring and analysis solutions.”

Halo Security customers can now access new reports highlighting secrets exposed in JavaScript at no additional cost or additional configuration. For companies looking to improve the security of their external attack surface, Halo Security offers his 7-day free trial to detect existing public keys.