pentest-tool-lite 3.10.6 → 3.10.8

package/dist/security/Cookies.js

@@ -0,0 +1,44 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+class Cookies extends Test_1.default {
+    name = 'Cookies';
+    async test({ url }) {
+        logger_1.default.info('Starting Cookies test...');
+        const response = await request_1.default.get(url);
+        let subChecks = [];
+        if (Object.prototype.hasOwnProperty.call(response.headers, 'set-cookie')) {
+            const cookies = response.headers['set-cookie'];
+            subChecks = this.checkCookies(cookies);
+        }
+        return {
+            status: subChecks.some(check => check.status === 'WARNING') ? 'WARNING' : 'SUCCESS',
+            title: 'Cookies',
+            description: '',
+            results: subChecks,
+        };
+    }
+    checkCookies(cookies) {
+        const regx = new RegExp('.*(secure; HttpOnly)$', 'i');
+        return cookies.map((cookie) => {
+            if (!regx.test(cookie)) {
+                return {
+                    status: 'WARNING',
+                    title: cookie.substr(0, cookie.indexOf('=')),
+                    description: '',
+                };
+            }
+            return {
+                status: 'SUCCESS',
+                title: cookie.substr(0, cookie.indexOf('=')),
+                description: '',
+            };
+        });
+    }
+}
+exports.default = Cookies;

package/dist/security/FingerPrint.js

@@ -0,0 +1,37 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002)
+ * @see https://www.owasp.org/index.php/Fingerprint_Web_Application_Framework_(OTG-INFO-008)
+ */
+class FingerPrint extends Test_1.default {
+    name = 'FingerPrint';
+    knownHeaders = ['x-powered-by', 'x-generator', 'server'];
+    async test({ url }) {
+        logger_1.default.info('Starting FingerPrint test...');
+        const response = await request_1.default.get(url);
+        if (this.hasFingerPrintHeader(response.headers)) {
+            return {
+                status: 'ERROR',
+                title: 'FingerPrint',
+                description: 'Response headers includes at least one of finger print headers!',
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: 'FingerPrint',
+            description: `Response headers don't inlcude any of finger print headers.`,
+        };
+    }
+    hasFingerPrintHeader(headers) {
+        return Object.keys(headers).filter((header) => this.knownHeaders.includes(header)).length > 0;
+    }
+}
+exports.default = FingerPrint;

package/dist/security/GoogleWebRisk.js

@@ -0,0 +1,44 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const web_risk_1 = require("@google-cloud/web-risk");
+const Test_1 = __importDefault(require("../Test"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://cloud.google.com/web-risk
+ * @see https://safebrowsing.google.com
+ * @see https://transparencyreport.google.com/safe-browsing/search
+ */
+class GoogleWebRisk extends Test_1.default {
+    name = 'GoogleWebRisk';
+    async test({ url }) {
+        logger_1.default.info('Starting Google Web Risk test...');
+        const client = new web_risk_1.WebRiskServiceClient();
+        const request = {
+            uri: url,
+            threatTypes: [
+                web_risk_1.protos.google.cloud.webrisk.v1.ThreatType.MALWARE,
+                web_risk_1.protos.google.cloud.webrisk.v1.ThreatType.SOCIAL_ENGINEERING,
+                web_risk_1.protos.google.cloud.webrisk.v1.ThreatType.UNWANTED_SOFTWARE,
+            ],
+        };
+        const response = await client.searchUris(request);
+        const { threat } = response[0];
+        if (threat !== null) {
+            return {
+                status: 'ERROR',
+                title: this.name,
+                description: `This url contains ${threat.threatTypes.join(', ').toLowerCase()}!`,
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: this.name,
+            description: 'This URL is safe.',
+        };
+    }
+}
+exports.default = GoogleWebRisk;

package/dist/security/HSTS.js

@@ -0,0 +1,48 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ * HTTP Strict Transport Security
+ *
+ * Recommended value is at least one year (31536000).
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+ * @see https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+ */
+class HSTS extends Test_1.default {
+    name = 'HSTS';
+    minValue = 31536000;
+    async test({ url }) {
+        logger_1.default.info('Starting HSTS test...');
+        const response = await request_1.default.get(url);
+        if (!Object.prototype.hasOwnProperty.call(response.headers, 'strict-transport-security')) {
+            return {
+                status: 'ERROR',
+                title: 'HSTS',
+                description: 'The strict-transport-security header is not present!',
+            };
+        }
+        const attributes = response.headers['strict-transport-security'].replace(' ', '').split(';');
+        const maxAge = attributes.filter((attribute) => {
+            return attribute.startsWith('max-age');
+        }).shift().replace('max-age=', '');
+        if (parseInt(maxAge, 10) < this.minValue) {
+            return {
+                status: 'ERROR',
+                title: 'HSTS',
+                description: `The value of strict-transport-security header is ${maxAge}. Minimum value is ${this.minValue}!`,
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: 'HSTS',
+            description: `The value of strict-transport-security header is ${maxAge}.`,
+        };
+    }
+}
+exports.default = HSTS;

package/dist/security/HTTPS.js

@@ -0,0 +1,78 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ * Hypertext Transfer Protocol Secure
+ *
+ * The script first transform the url to be unsecure
+ * and then make the request. The answer has to be
+ * redirect to secure version.
+ *
+ * Some sites requires www (or requires version without wwww)
+ * and if the request is not as desired, it first redirects
+ * to desired version (without https) and then again redirects
+ * to version with https. This is also wrong.
+ *
+ * @see https://en.wikipedia.org/wiki/HTTPS
+ */
+class HTTPS extends Test_1.default {
+    name = 'HTTPS';
+    async test({ url }) {
+        logger_1.default.info('Starting HTTPS test...');
+        const unsecureUrl = this.toHttp(url);
+        logger_1.default.debug('Unsecure URL', unsecureUrl);
+        const response = await request_1.default.get(unsecureUrl, { redirect: 'manual' });
+        logger_1.default.debug('Response', { statusCode: response.statusCode, headers: response.headers });
+        if (!this.isRedirect(response)) {
+            return {
+                status: 'ERROR',
+                title: 'HTTPS',
+                metadata: {
+                    statusCode: response.statusCode,
+                    unsecureUrl,
+                    finalUrl: response.finalUrl,
+                },
+                description: `Request to not secure url returned ${response.statusCode}!`,
+            };
+        }
+        if (!this.isRedirectSecure(response)) {
+            return {
+                status: 'ERROR',
+                title: 'HTTPS',
+                metadata: {
+                    statusCode: response.statusCode,
+                    unsecureUrl,
+                    finalUrl: response.finalUrl,
+                },
+                description: `Request to not secure url returned non-secure redirect url ${response.headers.location}!`,
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: 'HTTPS',
+            metadata: {
+                statusCode: response.statusCode,
+                unsecureUrl,
+                finalUrl: response.finalUrl,
+            },
+            description: `Request to not secure url responded with status code ${response.statusCode} and redirect url ${response.headers.location}.`,
+        };
+    }
+    /* eslint-disable-next-line  @typescript-eslint/no-explicit-any */
+    isRedirect(response) {
+        return Math.floor(response.statusCode / 100) === 3 && 'location' in response.headers;
+    }
+    /* eslint-disable-next-line  @typescript-eslint/no-explicit-any */
+    isRedirectSecure(response) {
+        return response.headers.location.startsWith('https');
+    }
+    toHttp(url) {
+        return url.replace('https://', 'http://');
+    }
+}
+exports.default = HTTPS;

package/dist/security/HTTPVersion.js

@@ -0,0 +1,50 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://en.wikipedia.org/wiki/HTTP/2
+ * @see https://en.wikipedia.org/wiki/HTTP/3
+ */
+class HTTPVersion extends Test_1.default {
+    name = 'HTTP Version';
+    async test({ url }) {
+        logger_1.default.info('Starting HTTPVersion test...');
+        const response = await request_1.default.get(url);
+        if (Object.prototype.hasOwnProperty.call(response.headers, 'upgrade')) {
+            const attributes = response.headers['upgrade'].replace(' ', '').split(',');
+            const h2 = attributes.indexOf('h2') > -1;
+            if (h2) {
+                return {
+                    status: 'WARNING',
+                    title: 'HTTP/2',
+                    description: 'The current HTTP version is 2. Can be upgraded to 3.',
+                };
+            }
+        }
+        if (Object.prototype.hasOwnProperty.call(response.headers, 'alt-svc')) {
+            const attributes = response.headers['alt-svc'].replace(' ', '').split(',');
+            const h3 = attributes.find(a => a.includes('h3'));
+            if (typeof h3 !== 'undefined') {
+                if (h3) {
+                    return {
+                        status: 'SUCCESS',
+                        title: 'HTTP/3',
+                        description: 'The value of HTTP/3 header is present.',
+                    };
+                }
+            }
+        }
+        return {
+            status: 'ERROR',
+            title: 'HTTP/1',
+            description: 'The current HTTP version is 1. Should be upgraded at least to 2!',
+        };
+    }
+}
+exports.default = HTTPVersion;

package/dist/security/PermissionsPolicy.js

@@ -0,0 +1,53 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
+ */
+class PermissionsPolicy extends Test_1.default {
+    name = 'Permissions-Policy';
+    async test({ url }) {
+        logger_1.default.info('Starting PermissionsPolicy test...');
+        const response = await request_1.default.get(url);
+        if (!Object.prototype.hasOwnProperty.call(response.headers, 'permissions-policy')) {
+            return {
+                status: 'ERROR',
+                title: 'Permissions-Policy',
+                description: 'Response headers does not contain permissions-policy header!',
+            };
+        }
+        const permissionsArray = ['accelerometer', 'geolocation', 'midi', 'notifications', 'push', 'sync-xhr',
+            'microphone', 'camera', 'magnetometer', 'gyroscope', 'speaker', 'vibrate', 'fullscreen', 'payment', 'usb'];
+        const attributesList = response.headers['permissions-policy'];
+        const subChecks = this.checkPermissions(permissionsArray, attributesList);
+        return {
+            status: subChecks.some(check => check.status === 'WARNING') ? 'WARNING' : 'SUCCESS',
+            title: 'Permissions-Policy',
+            description: '',
+            results: subChecks,
+        };
+    }
+    checkPermissions(permissions, attributes) {
+        return permissions.map((permission) => {
+            if (!attributes.includes(permission)) {
+                return {
+                    status: 'WARNING',
+                    title: permission,
+                    description: `Permission ${permission} is missing.`,
+                };
+            }
+            return {
+                status: 'SUCCESS',
+                title: permission,
+                description: `Permission ${permission} is present.`,
+            };
+        });
+    }
+}
+exports.default = PermissionsPolicy;

package/dist/security/Redirect.js

@@ -0,0 +1,37 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+class Redirect extends Test_1.default {
+    name = 'Redirect';
+    async test({ url }) {
+        logger_1.default.info('Starting Redirect test...');
+        const response = await request_1.default.get(url, { redirect: 'follow' });
+        if (response.response.redirected) {
+            const originalUrl = new URL(url);
+            const finalUrl = new URL(response.response.url);
+            if (originalUrl.hostname !== finalUrl.hostname) {
+                return {
+                    status: 'ERROR',
+                    title: this.name,
+                    description: 'URL redirects to different hostname!',
+                };
+            }
+            return {
+                status: 'SUCCESS',
+                title: this.name,
+                description: 'Request was redirected but to the same hostname.',
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: this.name,
+            description: 'Request was not redirected.',
+        };
+    }
+}
+exports.default = Redirect;

package/dist/security/ReferrerPolicy.js

@@ -0,0 +1,32 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+ */
+class ReferrerPolicy extends Test_1.default {
+    name = 'Referrer-Policy';
+    async test({ url }) {
+        logger_1.default.info('Starting ReferrerPolicy test...');
+        const response = await request_1.default.get(url);
+        if (!Object.prototype.hasOwnProperty.call(response.headers, 'referrer-policy')) {
+            return {
+                status: 'WARNING',
+                title: 'Referrer-Policy',
+                description: 'Response headers does not contain referrer-policy header!',
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: 'Referrer-Policy',
+            description: `The value of referrer-policy header is ${response.headers['referrer-policy']}.`,
+        };
+    }
+}
+exports.default = ReferrerPolicy;

package/dist/security/RobotsTXT.js

@@ -0,0 +1,28 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+class RobotsTXT extends Test_1.default {
+    name = 'Robots.txt';
+    async test({ url }) {
+        logger_1.default.info('Starting robotstxt test...');
+        const response = await request_1.default.get(url + '/robots.txt');
+        if (response !== null && response.statusCode === 200) {
+            return {
+                status: 'SUCCESS',
+                title: 'Robots.txt',
+                description: 'Site does contain robots.txt',
+            };
+        }
+        return {
+            status: 'ERROR',
+            title: 'Robots.txt',
+            description: 'Site does not contain robots.txt',
+        };
+    }
+}
+exports.default = RobotsTXT;

package/dist/security/SSL.js

@@ -0,0 +1,36 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const ssl_checker_1 = __importDefault(require("ssl-checker"));
+const Test_1 = __importDefault(require("../Test"));
+const logger_1 = __importDefault(require("../logger"));
+class SSL extends Test_1.default {
+    name = 'SSL';
+    async test({ url }) {
+        logger_1.default.info('Starting SSL test...');
+        const hostname = (new URL(url)).hostname;
+        const sslDetails = await (0, ssl_checker_1.default)(hostname);
+        if (!sslDetails.valid) {
+            return {
+                status: 'ERROR',
+                title: this.name,
+                description: 'SSL certificate is not valid!',
+            };
+        }
+        if (sslDetails.daysRemaining <= 7) {
+            return {
+                status: 'WARNING',
+                title: this.name,
+                description: 'SSL certificate is valid for 7 or less days!',
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: this.name,
+            description: `SSL certificate is valid until ${sslDetails.validTo}.`,
+        };
+    }
+}
+exports.default = SSL;

package/dist/security/XFrameOptions.js

@@ -0,0 +1,32 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ */
+class XFrameOptions extends Test_1.default {
+    name = 'X-Frame-Options';
+    async test({ url }) {
+        logger_1.default.info('Starting X-Frame-Options test...');
+        const response = await request_1.default.get(url);
+        if (!Object.prototype.hasOwnProperty.call(response.headers, 'x-frame-options')) {
+            return {
+                status: 'ERROR',
+                title: 'X-Frame-Options',
+                description: 'Response headers does not contain x-frame-options header!',
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: 'X-Frame-Options',
+            description: `The value of x-frame-options header is ${response.headers['x-frame-options']}.`,
+        };
+    }
+}
+exports.default = XFrameOptions;

package/dist/security/XXSSProtection.js

@@ -0,0 +1,32 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+ */
+class XXSSProtection extends Test_1.default {
+    name = 'X-XSS-Protection';
+    async test({ url }) {
+        logger_1.default.info('Starting X-XSS-Protection test...');
+        const response = await request_1.default.get(url);
+        if (!Object.prototype.hasOwnProperty.call(response.headers, 'x-xss-protection')) {
+            return {
+                status: 'ERROR',
+                title: 'X-XSS-Protection',
+                description: 'Response headers does not contain x-xss-protection header!',
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: 'X-XSS-Protection',
+            description: `The value of x-xss-protection header is ${response.headers['x-xss-protection']}.`,
+        };
+    }
+}
+exports.default = XXSSProtection;

package/dist/{src/security → security}/__TESTS__/ContentSecurityPolicy.test.js

@@ -1,23 +1,14 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const ContentSecurityPolicy_1 = __importDefault(require("../ContentSecurityPolicy"));
 const request_1 = __importDefault(require("../../request"));
-test('Content-Security-Policy test with correct header', () => __awaiter(void 0, void 0, void 0, function* () {
+test('Content-Security-Policy test with correct header', async () => {
     const pentest = new ContentSecurityPolicy_1.default();
     /* eslint-disable-next-line  @typescript-eslint/no-explicit-any */
-    const mock = jest.spyOn(request_1.default, 'get').mockImplementation(() => __awaiter(void 0, void 0, void 0, function* () {
+    const mock = jest.spyOn(request_1.default, 'get').mockImplementation(async () => {
         return new Promise((resolve) => {
             resolve({
                 headers: {
@@ -25,22 +16,22 @@ test('Content-Security-Policy test with correct header', () => __awaiter(void 0,
                 },
             });
         });
-    }));
-    const result = yield pentest.run({ url: 'https://juffalow.com' });
+    });
+    const result = await pentest.run({ url: 'https://juffalow.com' });
     expect(result.status).toEqual('SUCCESS');
     mock.mockRestore();
-}));
-test('Content-Security-Policy test with missing Content-Security-Policy header', () => __awaiter(void 0, void 0, void 0, function* () {
+});
+test('Content-Security-Policy test with missing Content-Security-Policy header', async () => {
     const pentest = new ContentSecurityPolicy_1.default();
     /* eslint-disable-next-line  @typescript-eslint/no-explicit-any */
-    const mock = jest.spyOn(request_1.default, 'get').mockImplementation(() => __awaiter(void 0, void 0, void 0, function* () {
+    const mock = jest.spyOn(request_1.default, 'get').mockImplementation(async () => {
         return new Promise((resolve) => {
             resolve({
                 headers: {}
             });
         });
-    }));
-    const result = yield pentest.run({ url: 'https://juffalow.com' });
+    });
+    const result = await pentest.run({ url: 'https://juffalow.com' });
     expect(result.status).toEqual('ERROR');
     mock.mockRestore();
-}));
+});