Njsscan is a static application testing (SAST) tool that can find insecure code patterns in your node.js applications using simple pattern matcher from libsast and syntax-aware semantic code pattern search tool semgrep.
pip install njsscan
Requires Python 3.6+ and supports only Mac and Linux
$ njsscan
usage: njsscan [-h] [–json] [–sarif] [–sonarqube] [–html] [-o OUTPUT] [-c CONFIG] [–missing-controls] [-w] [-v] [path …]
positional arguments:
path Path can be file(s) or directories with source code
optional arguments:
-h, –help show this help message and exit
–json set output format as JSON
–sarif set output format as SARIF 2.1.0
–sonarqube set output format compatible with SonarQube
–html set output format as HTML
-o OUTPUT, –output OUTPUT
output filename to save the result
-c CONFIG, –config CONFIG
Location to .njsscan config file
–missing-controls enable missing security controls check
-w, –exit-warning non zero exit code on warning
-v, –version show njsscan version
$ njsscan test.js
Pattern Match ████████████████████████████████████████████████████████████ 1
Semantic Grep ███████████████████████████ 160
njsscan: v0.1.9 | Ajin Abraham | opensecurity.in
═══════════╤═══════════════════════════════════════════════════════════════════════════════════════════════╕
│ RULE ID │ express_xss │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ OWASP │ A1: Injection │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ CWE │ CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ DESCRIPTION │ Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability. │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ SEVERITY │ ERROR │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ FILES │ ╒════════════════╤═══════════════════════════════════════════════╕ │
│ │ │ File │ test.js │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Match Position │ 5 – 46 │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Line Number(s) │ 7: 8 │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Match String │ const { name } = req.query; │ │
│ │ │ │ res.send(‘Hello :’ + name + “”) │ │
│ │ ╘════════════════╧═══════════════════════════════════════════════╛ │
╘═════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════╛
nodejsscan, built on top of njsscan provides a full fledged vulnerability management user interface along with other nifty integrations.
from njsscan.njsscan import NJSScan
node_source = ‘/node_source/true_positives/sqli_node.js’
scanner = NJSScan([node_source], json=True, check_controls=False)
scanner.scan()
{
‘templates’: {},
‘nodejs’: {
‘node_sqli_injection’: {
‘files’: [{
‘file_path’: ‘/node_source/true_positives/sqli_node.js’,
‘match_position’: (1, 24),
‘match_lines’: (4, 11),
‘match_string’: ‘var employeeId = req.foo;\n\nvar sql = “SELECT * FROM trn_employee WHERE employee_id = ” + employeeId;\n\n\n\nconnection.query(sql, function (error, results, fields) {\n\n if (error) {\n\n throw error;\n\n }\n\n console.log(results);’
}],
‘metadata’: {
‘owasp’: ‘A1: Injection’,
‘cwe’: “CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)”,
‘description’: ‘Untrusted input concatinated with raw SQL query can result in SQL Injection.’,
‘severity’: ‘ERROR’
}
}
},
‘errors’: []
}
A .njsscan file in the root of the source code directory allows you to configure njsscan. You can also use a custom .njsscan file using --config argument.
nodejs-extensions:
.js
template-extensions:
.new
.hbs
”
ignore-filenames:
skip.js
ignore-paths:
__MACOSX
skip_dir
node_modules
ignore-extensions:
.jsx
ignore-rules:
regex_injection_dos
pug_jade_template
severity-filter:
WARNING
ERROR
You can suppress findings from javascript source files by adding the comment // njsscan-ignore: rule_id1, rule_id2 to the line that trigger the findings.
Example:
app.get(‘/some/redirect’, function (req, res) {
var target = req.param(“target”);
res.redirect(target); // njsscan-ignore: express_open_redirect
});
You can enable njsscan in your CI/CD or DevSecOps pipelines.
Add the following to the file .github/workflows/njsscan.yml.
name: njsscan
on:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
jobs:
njsscan:
runs-on: ubuntu-latest
name: njsscan check
steps:
– name: Checkout the code
uses: actions/checkout@v2
– name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@master
with:
args: ‘.’
Add the following to the file .github/workflows/njsscan_sarif.yml.
name: njsscan sarif
on:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
jobs:
njsscan:
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
– name: Checkout the code
uses: actions/checkout@v2
– name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@master
with:
args: ‘. –sarif –output results.sarif || true’
– name: Upload njsscan report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
Add the following to the file .gitlab-ci.yml.
stages:
– test
njsscan:
image: python
before_script:
– pip3 install –upgrade njsscan
script:
– njsscan .
Example: dvna with njsscan gitlab
Add the following to the file .travis.yml.
language: python
install:
– pip3 install –upgrade njsscan
script:
– njsscan .
Add the following to the file .circleci/config.yaml
version: 2.1
jobs:
njsscan:
docker:
– image: cimg/python:3.9.6
steps:
– checkout
– run:
name: Install njsscan
command: pip install –upgrade njsscan
– run:
name: njsscan check
command: njsscan .
docker pull opensecurity/njsscan
docker run -v /path-to-source-dir:/src opensecurity/njsscan /src
docker build -t njsscan .
docker run -v /path-to-source-dir:/src njsscan /src
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…
Embark on the journey of becoming a certified Red Team professional with our definitive guide.…
This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…
This took me like 4 days (+2 days for an update), but I got it…
MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…