
© 2024 – Pkg Stats / Ryan Hefner

etuovi

v0.9.3

Published

Security scanner which probes the front door of your web applications.

Downloads

35

Readme

Etuovi

Security scanner which probes the front door of your web applications.

Why Etuovi?

I needed to scan some webapps at work using the usual suspects (nmap, ssllabs, securityheaders) and I figured a cmd line thingy to tie all those together would be pretty quick to write. Hope it's useful to you too.

Why is it called Etuovi?

Well I wanted to call this front-door but that npm package already exists. And given the limited imagination I have, I just used Google Translate until I found a translation of front door that sounded cool. Hence, Etuovi. Which Google reliably informs me is the Finnish for front door (if it's not, please tell me).


Getting Started

Etuovi is designed to run as a global package:

$ npm install -g etuovi

Now you probably want to make a directory to hold your scan configuration and output reports.

$ mkdir etuovi-config && cd etuovi-config

Now create a starter configuration file which we'll need to edit later:

$ etuovi new-config

You'll get a config file with a name like etuovi-config-20170708-233728.json and contents like this:

{
    "hosts": [
        {
            "host": "www.example.com",
            "scanners": {
                "nmap": {
                    "expect": "443"
                },
                "port": {
                    "expect": "443"
                },
                "securityheaders": {
                    "expect": "A"
                },
                "ssllabs": {
                    "expect": "A"
                },
                "statuscodes": {
                    "paths": [
                        {
                            "path": "/",
                            "method": "GET",
                            "expect": 200
                        }
                    ]
                }
            }
        }
    ],
    "outputs": {
        "file": {
            "reportsDir": "reports"
        },
        "slack": {
            "slackWebhook": ""
        }
    }
}

In essence, you configure multiple hosts, with multiple scanners per host.

Note that the expect properties are not currently used; they will be the basis of alerting in the future.

Configuring Scanners

Nmap

This scanner is a convenience wrapper around nmap. Consequently, in order for this scanner to work, nmap must be on the path.

The options property can be omitted, in which case a default nmap port scan will be performed.

...
"scanners": {
    "nmap": {
        "options": "-sn",
        "expect": "443" 
    }
}

Port

This scanner uses the Evilscan module and is provided for situations where installing nmap is not possible.

The ports property can be omitted, in which case the top 1000 ports (as ranked by nmap) will be scanned.

...
"scanners": {
    "port": {
        "ports": "22,44-55,80,443",
        "expect": "443" 
    }
}

securityheaders.io

This scanner will perform a scan for security headers using securityheaders.io. It supports multiple paths under the host to handle the scenario where you have multiple web apps under a host.

The paths property can be omitted and a default of "/" will be used.

...
"scanners": {
    "securityheaders": {
        "paths": [
            "/appA",
            "/appB"
        ],
        "expect": "A" 
    }
}

SSL Labs

This scanner will check the SSL configuration using the Qualys SSL Labs API. Please go read the terms and conditions of the API usage.

By default, the scan uses a maxAge of 23 hours and allows results to be served fromCache. Tweak the values below to your liking, or omit them if the defaults suit. See the SSL Labs API documentation for more details: https://github.com/ssllabs/ssllabs-scan/blob/stable/ssllabs-api-docs.md

...
"scanners": {
    "ssllabs": {
        "fromCache": true,
        "maxAge": 23,
        "expect": "A" 
    }
}

Headers

This scanner will inspect an array of paths, reporting on the HTTP status codes it encounters. You can use this to check that redirects are working, etc. It will also check for the presence of header values on the response. When checking for headers, the headers inspected are the amalgamation of those specified at the path level and those specified at the root, i.e. the path and root headers are merged, with the path headers overriding the root headers.

...
"scanners": {
    "headers": {
        "headers": {
            "X-Content-Type-Options": "nosniff",
            "strict-transport-security": ".*"
        },
        "paths": [
            {
                "path": "/",
                "method": "GET",
                "headers": {
                    "Content-Security-policy": ".*",
                    "strict-transport-security": "max-age=\\d+; includeSubDomains"
                },
                "expect": 200
            }
        ]
    }
}
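The merge rule described above, as an added example that is not part of the Etuovi README: it applies the headers scanner configuration shown here to a constructed HTTP response and reports what a scan would flag. Treating each configured value as a JavaScript regular expression, and comparing header names case-insensitively, are assumptions drawn from the ".*" and "\\d+" patterns, not behaviour the README states.

```javascript
// Added example, not Etuovi's own code: applies the "headers" scanner config
// above to a constructed response using the README's merge rule (root headers
// merged with path headers, path entries winning). Treating each value as a
// JavaScript regex is an assumption drawn from the ".*" and "\\d+" patterns.
const scannerConfig = {
  headers: { "X-Content-Type-Options": "nosniff", "strict-transport-security": ".*" },
  paths: [{
    path: "/",
    method: "GET",
    headers: {
      "Content-Security-policy": ".*",
      "strict-transport-security": "max-age=\\d+; includeSubDomains",
    },
    expect: 200,
  }],
};
// HTTP header names are case-insensitive, so compare on lower-cased names.
function lowerKeys(obj) {
  return Object.fromEntries(Object.entries(obj || {}).map(([k, v]) => [k.toLowerCase(), v]));
}
// Root expectations first; path expectations override same-named root entries.
function mergedExpectations(scanner, pathEntry) {
  return { ...lowerKeys(scanner.headers), ...lowerKeys(pathEntry.headers) };
}

// Compare one captured response ({ statusCode, headers }) with one path entry.
// Returns human-readable findings; an empty array means every check passed.
function checkResponse(scanner, pathEntry, response) {
  const findings = [];
  if (pathEntry.expect !== undefined && response.statusCode !== pathEntry.expect) {
    findings.push(`status ${response.statusCode}, expected ${pathEntry.expect}`);
  }
  const actual = lowerKeys(response.headers);
  for (const [name, pattern] of Object.entries(mergedExpectations(scanner, pathEntry))) {
    if (!(name in actual)) {
      findings.push(`missing header ${name}`);
    } else if (!new RegExp(pattern).test(actual[name])) {
      findings.push(`header ${name} is "${actual[name]}", expected /${pattern}/`);
    }
  }
  return findings;
}

// Constructed sample response: HSTS present but without includeSubDomains, CSP absent.
const sampleResponse = {
  statusCode: 200,
  headers: { "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000" },
};
console.log(checkResponse(scannerConfig, scannerConfig.paths[0], sampleResponse));
```

Note that the path-level HSTS pattern replaces the permissive root ".*", so the weak max-age-only header is reported even though the root expectation alone would have accepted it.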

Status codes

Deprecated: use the headers scanner above.

This scanner will inspect an array of paths, reporting on the HTTP status codes it encounters. You can use this to check that redirects are working, etc.

...
"scanners": {
    "statuscodes": {
        "paths": [
            {
                "path": "/",
                "method": "GET",
                "expect": 200
            }
        ]
    }
}

Configuring Outputs

By default, Etuovi writes to the console. However, there are other outputs available when scanning.

File output

"outputs": {
    "file": {
        "reportsDir": "reports"
    }
}

If you enable the file output, the full detailed reports of the scans are written, by default, to the reports directory of the current working directory. The file name will look something like etuovi__scan__report__20170707__221954.json. To change the output directory, change the reportsDir property in the file output configuration.

Slack output

Etuovi can post a message to Slack containing the summaries of all the scans of all the hosts in your config file.

"outputs": {
    "slack": {
        "slackWebhook": "https://hooks.slack.com/services/XXX/XXX"
    }
}

Actually Running a scan using Etuovi

$ etuovi scan etuovi-config-20170708-233728.json

Logging

The log output of Etuovi can be controlled via the --log-level argument:

$ etuovi scan my-config.json --log-level=verbose