NodeJsScan is a static security code scanner (SAST) for Node.js applications.
Install Postgres and configure SQLALCHEMY_DATABASE_URI
in core/settings.py
pip3 install -r requirements.txt
python3 migrate.py # Run once to create database entries required
python3 app.py # Testing Environment
gunicorn -b 0.0.0.0:9090 app:app --workers 3 --timeout 10000 # Production Environment
This will run it on http://0.0.0.0:9090
If you need to debug, set DEBUG = True
in core/settings.py
Also ReadOsmedeus – Automatic Reconnaisance and Scanning in Penetration Testing
The command line interface (CLI) allows you to integrate it with DevSecOps CI/CD pipelines. The results are in JSON format. When you use CLI the results are never stored with it in the backend.
virtualenv venv -p python3
source venv/bin/activate
(venv)pip install nodejsscan
(venv)$ nodejsscan
usage: nodejsscan [-h] [-f FILE [FILE ...]] [-d DIRECTORY [DIRECTORY ...]]
[-o OUTPUT] [-v]
optional arguments:
-h, --help show this help message and exit
-f FILE [FILE ...], --file FILE [FILE ...]
Node.js file(s) to scan
-d DIRECTORY [DIRECTORY ...], --directory DIRECTORY [DIRECTORY ...]
Node.js source code directory/directories to scan
-o OUTPUT, --output OUTPUT
Output file to save JSON report
-v, --version Show nodejsscan version
import core.scanner as njsscan
res_dir = njsscan.scan_dirs(['/Code/Node.Js-Security-Course'])
res_file = njsscan.scan_file(['/Code/Node.Js-Security-Course/deserialization.js'])
print(res_file)
[{'title': 'Deserialization Remote Code Injection', 'description': "User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.", 'tag': 'rci', 'line': 11, 'lines': 'app.use(cookieParser())\n\napp.get(\'/\', function(req, res) {\n if (req.cookies.profile) {\n var str = new Buffer(req.cookies.profile, \'base64\').toString();\n var obj = serialize.unserialize(str);\n if (obj.username) {\n res.send("Hello " + escape(obj.username));\n }\n } else {', 'filename': 'deserialization.js', 'path': '/Users/ajin/Code/Node.Js-Security-Course/deserialization.js', 'sha2': '06f3f0ff3deed27aeb95955a17abc7722895d3538c14648af97789d8777cee50'}]
docker build -t nodejsscan .
docker run -it -p 9090:9090 nodejsscan
docker pull opensecurity/nodejsscan
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
Tookie-osint has a simple-to-use UI and is really straightforward. The main idea of Tookie-osint is…
Be aware, the installation needs technical skills and is not for beginners. Please do not…
The course is primarily intended for those who are professionally involved in or simply interested…
Embark on a 21-day journey to harness the power of Python for Open Source Intelligence…
I've seen multiple projects out there in GitHub, that are crawlers for the deep web,…
OSINTk.o is a customized Kali Linux-based ISO image with pre-installed packages and scripts. The idea…