pentest-tool-lite 3.9.3 → 3.10.8

package/dist/metadata/Markdown.d.ts

@@ -0,0 +1,6 @@
+import Test, { TestParameters, Result } from '../Test';
+declare class Markdown extends Test {
+    name: string;
+    test({ url }: TestParameters): Promise<Result>;
+}
+export default Markdown;

package/dist/metadata/Markdown.js

@@ -0,0 +1,28 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_html_markdown_1 = require("node-html-markdown");
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+class Markdown extends Test_1.default {
+    name = 'Markdown';
+    async test({ url }) {
+        logger_1.default.info(`Starting ${this.constructor.name} test...`);
+        const response = await request_1.default.get(url);
+        const html = response.body;
+        const markdown = node_html_markdown_1.NodeHtmlMarkdown.translate(html);
+        return {
+            status: 'SUCCESS',
+            title: this.constructor.name,
+            description: '',
+            metadata: {
+                markdown,
+            },
+            results: [],
+        };
+    }
+}
+exports.default = Markdown;

package/dist/metadata/ResponseTime.d.ts

@@ -0,0 +1,6 @@
+import Test, { TestParameters, Result } from '../Test';
+declare class ResponseTime extends Test {
+    name: string;
+    test({ url }: TestParameters): Promise<Result>;
+}
+export default ResponseTime;

package/dist/metadata/ResponseTime.js

@@ -0,0 +1,25 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+class ResponseTime extends Test_1.default {
+    name = 'ResponseTime';
+    async test({ url }) {
+        logger_1.default.info(`Starting ${this.constructor.name} test...`);
+        const response = await request_1.default.get(url);
+        return {
+            status: 'SUCCESS',
+            title: this.constructor.name,
+            description: '',
+            metadata: {
+                duration: response.duration,
+            },
+            results: [],
+        };
+    }
+}
+exports.default = ResponseTime;

package/dist/metadata/index.d.ts

@@ -0,0 +1,6 @@
+import Test, { TestParameters, Result } from '../Test';
+export default class Metadata extends Test {
+    name: string;
+    constructor();
+    test(params: TestParameters): Promise<Result>;
+}

package/dist/metadata/index.js

@@ -0,0 +1,45 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const HTML_1 = __importDefault(require("./HTML"));
+const Markdown_1 = __importDefault(require("./Markdown"));
+const ResponseTime_1 = __importDefault(require("./ResponseTime"));
+class Metadata extends Test_1.default {
+    name = 'Metadata';
+    constructor() {
+        super();
+        this.tests = [
+            new HTML_1.default(),
+            new Markdown_1.default(),
+            new ResponseTime_1.default(),
+        ];
+    }
+    async test(params) {
+        const tests = this.getTests();
+        const results = [];
+        for (const test of tests) {
+            let result = null;
+            try {
+                result = await test.run(params);
+            }
+            catch {
+                result = {
+                    status: 'ERROR',
+                    title: test.name,
+                    description: 'Test failed or cannot be run!',
+                };
+            }
+            results.push(result);
+        }
+        return {
+            status: this.getStatus(results.map(result => result.status)),
+            title: this.name,
+            description: '',
+            results,
+        };
+    }
+}
+exports.default = Metadata;

package/{src → dist}/request/NodeFetch.d.ts

@@ -1,4 +1,6 @@
 import Request, { Options, Response } from './Request';
 export default class NodeFetch implements Request {
+    protected cache: PentestCache;
+    constructor(cache: PentestCache);
     get(url: string, options?: Options): Promise<Response>;
 }

package/dist/request/NodeFetch.js

@@ -0,0 +1,58 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const config_1 = __importDefault(require("../config"));
+const getHeaders = (headers) => {
+    const keyValues = {};
+    headers.forEach((value, header) => {
+        if (value.length === 1 && header !== 'set-cookie') {
+            keyValues[header] = value[0];
+        }
+        else {
+            keyValues[header] = value;
+        }
+    });
+    return keyValues;
+};
+class NodeFetch {
+    cache;
+    constructor(cache) {
+        this.cache = cache;
+    }
+    async get(url, options) {
+        if (this.cache.has(url)) {
+            return this.cache.get(url);
+        }
+        const defaultOptions = config_1.default.request.options;
+        const startTime = Date.now();
+        const response = await fetch(url, { ...defaultOptions, ...options });
+        const endTime = Date.now();
+        const body = await response.text();
+        const statusCode = response.status;
+        const statusText = response.statusText;
+        const headers = getHeaders(response.headers);
+        this.cache.add(url, {
+            response,
+            statusCode,
+            statusText,
+            headers,
+            body,
+            url,
+            finalUrl: response.url,
+            duration: (endTime - startTime) / 1000,
+        });
+        return {
+            response,
+            statusCode,
+            statusText,
+            headers,
+            body,
+            url,
+            finalUrl: response.url,
+            duration: (endTime - startTime) / 1000,
+        };
+    }
+}
+exports.default = NodeFetch;

package/{src → dist}/request/Request.d.ts

@@ -5,11 +5,13 @@ export type Options = {
 };
 export type Response = {
     url: string;
+    finalUrl: string;
     body: string;
     statusCode: number;
     statusText: string;
     headers: any;
     response: any;
+    duration: number;
 };
 export default interface Request {
     get(url: string, options?: Options): Promise<Response>;

package/dist/request/cache/BlackHoleCache.d.ts

@@ -0,0 +1,7 @@
+declare class BlackHoleCache implements PentestCache {
+    add(): void;
+    has(): boolean;
+    get(): any;
+    clear(): void;
+}
+export default BlackHoleCache;

package/{src → dist}/request/cache/BlackHoleCache.js

@@ -1,13 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 class BlackHoleCache {
-    add(url, response) {
+    add() {
         return;
     }
-    has(url) {
+    has() {
         return false;
     }
-    get(url) {
+    /* eslint-disable-next-line  @typescript-eslint/no-explicit-any */
+    get() {
         return null;
     }
     clear() {

package/{src → dist}/request/cache/UnlimitedCache.d.ts

@@ -1,5 +1,4 @@
-import Cache from './Cache';
-export default class UnlimitedCache implements Cache {
+export default class UnlimitedCache implements PentestCache {
     protected requests: Record<string, any>;
     constructor();
     add(url: string, response: any): void;

package/{src → dist}/request/cache/UnlimitedCache.js

@@ -1,15 +1,19 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 class UnlimitedCache {
+    /* eslint-disable-next-line  @typescript-eslint/no-explicit-any */
+    requests;
     constructor() {
         this.requests = {};
     }
+    /* eslint-disable-next-line  @typescript-eslint/no-explicit-any */
     add(url, response) {
         this.requests[url] = response;
     }
     has(url) {
         return Object.prototype.hasOwnProperty.call(this.requests, url);
     }
+    /* eslint-disable-next-line  @typescript-eslint/no-explicit-any */
     get(url) {
         if (!this.has(url)) {
             return null;

package/dist/request/index.js

@@ -0,0 +1,11 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const NodeFetch_1 = __importDefault(require("./NodeFetch"));
+const UnlimitedCache_1 = __importDefault(require("./cache/UnlimitedCache"));
+const BlackHoleCache_1 = __importDefault(require("./cache/BlackHoleCache"));
+const config_1 = __importDefault(require("../config"));
+const cache = config_1.default.request.cache.type === 'UNLIMITED' ? new UnlimitedCache_1.default() : new BlackHoleCache_1.default();
+exports.default = new NodeFetch_1.default(cache);

package/dist/security/ContentEncoding.js

@@ -0,0 +1,44 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/content-encoding
+ */
+class ContentEncoding extends Test_1.default {
+    name = 'Content-Encoding';
+    async test({ url }) {
+        logger_1.default.info('Starting content-encoding test...');
+        const response = await request_1.default.get(url);
+        if (!Object.prototype.hasOwnProperty.call(response.headers, 'content-encoding')) {
+            return {
+                status: 'ERROR',
+                title: 'Content-Encoding',
+                description: 'Response headers does not contain content-encoding header!',
+            };
+        }
+        const attributesList = response.headers['content-encoding'];
+        const attributes = attributesList.replace(' ', '').split(',');
+        const ce1 = attributes.indexOf('gzip') > -1;
+        const ce2 = attributes.indexOf('deflate') > -1;
+        const ce3 = attributes.indexOf('br') > -1;
+        if (ce1 || ce2 || ce3) {
+            return {
+                status: 'SUCCESS',
+                title: 'Content-Encoding',
+                description: `The value of content-encoding header is ${attributesList}.`,
+            };
+        }
+        return {
+            status: 'ERROR',
+            title: 'Content-Encoding',
+            description: `The value of content-encoding header is ${attributesList}.`,
+        };
+    }
+}
+exports.default = ContentEncoding;

package/dist/security/ContentSecurityPolicy.js

@@ -0,0 +1,32 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ */
+class ContentSecurityPolicy extends Test_1.default {
+    name = 'Content-Security-Policy';
+    async test({ url }) {
+        logger_1.default.info('Starting ContentSecurityPolicy test...');
+        const response = await request_1.default.get(url);
+        if (!Object.prototype.hasOwnProperty.call(response.headers, 'content-security-policy')) {
+            return {
+                status: 'ERROR',
+                title: 'Content-Security-Policy',
+                description: 'Response headers does not contain content-security-policy header!',
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: 'Content-Security-Policy',
+            description: `The value of content-security-policy header is ${response.headers['content-security-policy']}.`,
+        };
+    }
+}
+exports.default = ContentSecurityPolicy;

package/dist/security/Cookies.js

@@ -0,0 +1,44 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+class Cookies extends Test_1.default {
+    name = 'Cookies';
+    async test({ url }) {
+        logger_1.default.info('Starting Cookies test...');
+        const response = await request_1.default.get(url);
+        let subChecks = [];
+        if (Object.prototype.hasOwnProperty.call(response.headers, 'set-cookie')) {
+            const cookies = response.headers['set-cookie'];
+            subChecks = this.checkCookies(cookies);
+        }
+        return {
+            status: subChecks.some(check => check.status === 'WARNING') ? 'WARNING' : 'SUCCESS',
+            title: 'Cookies',
+            description: '',
+            results: subChecks,
+        };
+    }
+    checkCookies(cookies) {
+        const regx = new RegExp('.*(secure; HttpOnly)$', 'i');
+        return cookies.map((cookie) => {
+            if (!regx.test(cookie)) {
+                return {
+                    status: 'WARNING',
+                    title: cookie.substr(0, cookie.indexOf('=')),
+                    description: '',
+                };
+            }
+            return {
+                status: 'SUCCESS',
+                title: cookie.substr(0, cookie.indexOf('=')),
+                description: '',
+            };
+        });
+    }
+}
+exports.default = Cookies;

package/dist/security/FingerPrint.js

@@ -0,0 +1,37 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002)
+ * @see https://www.owasp.org/index.php/Fingerprint_Web_Application_Framework_(OTG-INFO-008)
+ */
+class FingerPrint extends Test_1.default {
+    name = 'FingerPrint';
+    knownHeaders = ['x-powered-by', 'x-generator', 'server'];
+    async test({ url }) {
+        logger_1.default.info('Starting FingerPrint test...');
+        const response = await request_1.default.get(url);
+        if (this.hasFingerPrintHeader(response.headers)) {
+            return {
+                status: 'ERROR',
+                title: 'FingerPrint',
+                description: 'Response headers includes at least one of finger print headers!',
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: 'FingerPrint',
+            description: `Response headers don't inlcude any of finger print headers.`,
+        };
+    }
+    hasFingerPrintHeader(headers) {
+        return Object.keys(headers).filter((header) => this.knownHeaders.includes(header)).length > 0;
+    }
+}
+exports.default = FingerPrint;

package/dist/security/GoogleWebRisk.js

@@ -0,0 +1,44 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const web_risk_1 = require("@google-cloud/web-risk");
+const Test_1 = __importDefault(require("../Test"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://cloud.google.com/web-risk
+ * @see https://safebrowsing.google.com
+ * @see https://transparencyreport.google.com/safe-browsing/search
+ */
+class GoogleWebRisk extends Test_1.default {
+    name = 'GoogleWebRisk';
+    async test({ url }) {
+        logger_1.default.info('Starting Google Web Risk test...');
+        const client = new web_risk_1.WebRiskServiceClient();
+        const request = {
+            uri: url,
+            threatTypes: [
+                web_risk_1.protos.google.cloud.webrisk.v1.ThreatType.MALWARE,
+                web_risk_1.protos.google.cloud.webrisk.v1.ThreatType.SOCIAL_ENGINEERING,
+                web_risk_1.protos.google.cloud.webrisk.v1.ThreatType.UNWANTED_SOFTWARE,
+            ],
+        };
+        const response = await client.searchUris(request);
+        const { threat } = response[0];
+        if (threat !== null) {
+            return {
+                status: 'ERROR',
+                title: this.name,
+                description: `This url contains ${threat.threatTypes.join(', ').toLowerCase()}!`,
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: this.name,
+            description: 'This URL is safe.',
+        };
+    }
+}
+exports.default = GoogleWebRisk;

package/dist/security/HSTS.js

@@ -0,0 +1,48 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ * HTTP Strict Transport Security
+ *
+ * Recommended value is at least one year (31536000).
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+ * @see https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+ */
+class HSTS extends Test_1.default {
+    name = 'HSTS';
+    minValue = 31536000;
+    async test({ url }) {
+        logger_1.default.info('Starting HSTS test...');
+        const response = await request_1.default.get(url);
+        if (!Object.prototype.hasOwnProperty.call(response.headers, 'strict-transport-security')) {
+            return {
+                status: 'ERROR',
+                title: 'HSTS',
+                description: 'The strict-transport-security header is not present!',
+            };
+        }
+        const attributes = response.headers['strict-transport-security'].replace(' ', '').split(';');
+        const maxAge = attributes.filter((attribute) => {
+            return attribute.startsWith('max-age');
+        }).shift().replace('max-age=', '');
+        if (parseInt(maxAge, 10) < this.minValue) {
+            return {
+                status: 'ERROR',
+                title: 'HSTS',
+                description: `The value of strict-transport-security header is ${maxAge}. Minimum value is ${this.minValue}!`,
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: 'HSTS',
+            description: `The value of strict-transport-security header is ${maxAge}.`,
+        };
+    }
+}
+exports.default = HSTS;

package/dist/security/HTTPS.js

@@ -0,0 +1,78 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ * Hypertext Transfer Protocol Secure
+ *
+ * The script first transform the url to be unsecure
+ * and then make the request. The answer has to be
+ * redirect to secure version.
+ *
+ * Some sites requires www (or requires version without wwww)
+ * and if the request is not as desired, it first redirects
+ * to desired version (without https) and then again redirects
+ * to version with https. This is also wrong.
+ *
+ * @see https://en.wikipedia.org/wiki/HTTPS
+ */
+class HTTPS extends Test_1.default {
+    name = 'HTTPS';
+    async test({ url }) {
+        logger_1.default.info('Starting HTTPS test...');
+        const unsecureUrl = this.toHttp(url);
+        logger_1.default.debug('Unsecure URL', unsecureUrl);
+        const response = await request_1.default.get(unsecureUrl, { redirect: 'manual' });
+        logger_1.default.debug('Response', { statusCode: response.statusCode, headers: response.headers });
+        if (!this.isRedirect(response)) {
+            return {
+                status: 'ERROR',
+                title: 'HTTPS',
+                metadata: {
+                    statusCode: response.statusCode,
+                    unsecureUrl,
+                    finalUrl: response.finalUrl,
+                },
+                description: `Request to not secure url returned ${response.statusCode}!`,
+            };
+        }
+        if (!this.isRedirectSecure(response)) {
+            return {
+                status: 'ERROR',
+                title: 'HTTPS',
+                metadata: {
+                    statusCode: response.statusCode,
+                    unsecureUrl,
+                    finalUrl: response.finalUrl,
+                },
+                description: `Request to not secure url returned non-secure redirect url ${response.headers.location}!`,
+            };
+        }
+        return {
+            status: 'SUCCESS',
+            title: 'HTTPS',
+            metadata: {
+                statusCode: response.statusCode,
+                unsecureUrl,
+                finalUrl: response.finalUrl,
+            },
+            description: `Request to not secure url responded with status code ${response.statusCode} and redirect url ${response.headers.location}.`,
+        };
+    }
+    /* eslint-disable-next-line  @typescript-eslint/no-explicit-any */
+    isRedirect(response) {
+        return Math.floor(response.statusCode / 100) === 3 && 'location' in response.headers;
+    }
+    /* eslint-disable-next-line  @typescript-eslint/no-explicit-any */
+    isRedirectSecure(response) {
+        return response.headers.location.startsWith('https');
+    }
+    toHttp(url) {
+        return url.replace('https://', 'http://');
+    }
+}
+exports.default = HTTPS;

package/dist/security/HTTPVersion.js

@@ -0,0 +1,50 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const Test_1 = __importDefault(require("../Test"));
+const request_1 = __importDefault(require("../request"));
+const logger_1 = __importDefault(require("../logger"));
+/**
+ *
+ * @see https://en.wikipedia.org/wiki/HTTP/2
+ * @see https://en.wikipedia.org/wiki/HTTP/3
+ */
+class HTTPVersion extends Test_1.default {
+    name = 'HTTP Version';
+    async test({ url }) {
+        logger_1.default.info('Starting HTTPVersion test...');
+        const response = await request_1.default.get(url);
+        if (Object.prototype.hasOwnProperty.call(response.headers, 'upgrade')) {
+            const attributes = response.headers['upgrade'].replace(' ', '').split(',');
+            const h2 = attributes.indexOf('h2') > -1;
+            if (h2) {
+                return {
+                    status: 'WARNING',
+                    title: 'HTTP/2',
+                    description: 'The current HTTP version is 2. Can be upgraded to 3.',
+                };
+            }
+        }
+        if (Object.prototype.hasOwnProperty.call(response.headers, 'alt-svc')) {
+            const attributes = response.headers['alt-svc'].replace(' ', '').split(',');
+            const h3 = attributes.find(a => a.includes('h3'));
+            if (typeof h3 !== 'undefined') {
+                if (h3) {
+                    return {
+                        status: 'SUCCESS',
+                        title: 'HTTP/3',
+                        description: 'The value of HTTP/3 header is present.',
+                    };
+                }
+            }
+        }
+        return {
+            status: 'ERROR',
+            title: 'HTTP/1',
+            description: 'The current HTTP version is 1. Should be upgraded at least to 2!',
+        };
+    }
+}
+exports.default = HTTPVersion;