npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@sectester/runner

v0.33.3

Published

Run scanning for vulnerabilities just from your unit tests on CI phase.

Downloads

809

Readme

@sectester/runner

Maintainability Test Coverage Build Status NPM Downloads

Run scanning for vulnerabilities just from your unit tests on CI phase.

Setup

npm i -s @sectester/runner

Step-by-step guide

Configure SDK

To start writing tests, first obtain a Bright token, which is required for the access to Bright API. More info about setting up an API key.

Then put obtained token into BRIGHT_TOKEN environment variable to make it accessible by default EnvCredentialProvider.

Refer to @sectester/core package documentation for the details on alternative ways of configuring credential providers.

Once it is done, create a configuration object. Single required option is Bright hostname domain you are going to use, e.g. app.neuralegion.com as the main one:

import { Configuration } from '@sectester/core';

const configuration = new Configuration({ hostname: 'app.neuralegion.com' });

Setup runner

To set up a runner, create SecRunner instance passing a previously created configuration as follows:

import { Configuration } from '@sectester/core';
import { SecRunner } from '@sectester/runner';

const configuration = new Configuration({ hostname: 'app.neuralegion.com' });
const runner = new SecRunner(configuration);

// or

const runner2 = new SecRunner({ hostname: 'app.neuralegion.com' });

After that, you have to initialize a SecRunner instance:

await runner.init();

The runner is now ready to perform your tests, but you have to create a scan.

To dispose a runner, you just need to call the clear method:

await runner.clear();

Starting scan

To start scanning your application, first you have to create a SecScan instance, as shown below:

const scan = runner.createScan({ tests: [TestType.XSS] });

Below you will find a list of parameters that can be used to configure a Scan:

| Option | Description | | ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | tests | The list of tests to be performed against the target application. Learn more about tests | | smart | Minimize scan time by using automatic smart decisions regarding parameter skipping, detection phases, etc. Enabled by default. | | skipStaticParams | Use an advanced algorithm to automatically determine if a parameter has any effect on the target system's behavior when changed, and skip testing such static parameters. Enabled by default. | | poolSize | Sets the maximum concurrent requests for the scan, to control the load on your server. By default, 10. | | attackParamLocations | Defines which part of the request to attack. By default, body, query, and fragment. | | slowEpTimeout | Skip entry-points that take longer to respond than specified ms value. By default, 1000ms. | | targetTimeout | Measure timeout responses from the target application globally, and stop the scan if the target is unresponsive for longer than the specified time. By default, 5min. | | name | The scan name. The method and hostname by default, e.g. GET example.com. |

Endpoint scan

To scan an existing endpoint in your application, invoke the run method with a TargetOptions argument. For TargetOptions details, please refer to this link.

Example:

await scan.run({
  method: 'POST',
  url: 'https://localhost:8000/api/orders',
  body: { subject: 'Test', body: "<script>alert('xss')</script>" }
});

Function scan

To focus on the security aspects of a particular function in your application, you can perform a function-specific scan. This automatically creates an auxiliary target with a POST endpoint under the hood.

Example:

const inputSample = {
  from: '2022-11-30',
  to: '2024-06-21'
};
// assuming `calculateWeekdays` is your function under test
const fn = ({ from, to }) => calculateWeekdays(from, to);

const scan = runner.createScan({ tests: [TestType.DATE_MANIPULATION] });
await scan.run({ inputSample, fn });

Scan execution details

The run method returns promise that is resolved if scan finishes without any vulnerability found, and is rejected otherwise (on founding issue that meets threshold, on timeout, on scanning error).

If any vulnerabilities are found, they will be pretty printed to stdout or stderr (depending on severity) by reporter.

By default, each found issue will cause the scan to stop. To control this behavior you can set a severity threshold using the threshold method:

scan.threshold(Severity.HIGH);

Now found issues with severity lower than HIGH will not cause the scan to stop.

Sometimes either due to scan configuration issues or target misbehave, the scan might take much more time than you expect. In this case, you can provide a timeout (in milliseconds) for specifying maximum scan running time:

scan.timeout(30000);

In that case after 30 seconds, if the scan isn't finishing or finding any vulnerability, it will throw an error. The default timeout value for SecScan is 10 minutes.

Usage sample

import { SecRunner, SecScan } from '@sectester/runner';
import { Severity, TestType } from '@sectester/scan';

describe('/api', () => {
  let runner!: SecRunner;
  let scan!: SecScan;

  beforeEach(async () => {
    runner = new SecRunner({ hostname: 'app.neuralegion.com' });

    await runner.init();

    scan = runner
      .createScan({ tests: [TestType.XSS] })
      .threshold(Severity.MEDIUM) // i. e. ignore LOW severity issues
      .timeout(300000); // i. e. fail if last longer than 5 minutes
  });

  afterEach(async () => {
    await runner.clear();
  });

  describe('/orders', () => {
    it('should not have persistent xss', async () => {
      await scan.run({
        method: 'POST',
        url: 'https://localhost:8000/api/orders',
        body: { subject: 'Test', body: "<script>alert('xss')</script>" }
      });
    });

    it('should not have reflective xss', async () => {
      await scan.run({
        url: 'https://localhost:8000/api/orders',
        query: {
          q: `<script>alert('xss')</script>`
        }
      });
    });
  });
});

License

Copyright © 2024 Bright Security.

This project is licensed under the MIT License - see the LICENSE file for details.