NodeJsScan

Licenses/retire.js.md

@@ -0,0 +1,13 @@
+Copyright 2013 Bekk Consulting AS
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

NodeJsScan.py

@@ -0,0 +1,133 @@
+import re,os,platform,webbrowser,subprocess,xml.dom.minidom
+from optparse import OptionParser
+from xml.dom.minidom import parse
+
+def NodeJSStaticAnalyzer(path):
+    rules, rx, seccode,desc=ReadRules()
+    regex_flag={}
+    sec=''
+    final=''
+    for init0 in seccode.iterkeys():
+        regex_flag[init0]='0'      
+    print "Running Static Analyzer Running on - "+ path + "\n"
+    for dirName, subDir, files in os.walk(path):
+        for jfile in files:
+            jfile_path=os.path.join(path,dirName,jfile)
+            if jfile.endswith('.js'):
+                '''
+                try:
+                '''
+                line_no=0
+                data=''
+
+                with open(jfile_path,'r') as f:
+                    for line in f:
+                        line=line.decode('utf8', 'ignore')
+                        line_no+=1
+                        for key in rules.iterkeys():
+
+                            if rules[key] in line:
+                                data+= '<tr><td>'+ key + '</td><td>' + desc[key] + '</td><td>'+ str(line_no)+ '</td><td>'+ jfile + '</td><td><a href="' + jfile_path + '">'+jfile_path+'</a></td></tr>'
+                        for regex in rx.iterkeys():
+                            if re.search(rx[regex],line,re.I):
+                                data+= '<tr><td>'+regex + '</td><td>'  + desc[regex] + '</td><td>' + str(line_no)+ '</td><td>' + jfile + '</td><td><a href="'  + jfile_path + '">'+jfile_path+'</a></td></tr>'
+                        for scode in seccode.iterkeys():
+                            if re.search(seccode[scode],line,re.I):
+                                regex_flag[scode]='1'
+                final+=data
+    #After Every Files are done.  
+    for rflag in regex_flag.iterkeys():
+        if '0' in regex_flag[rflag]:
+            sec+= '<tr><td>'+rflag + '</td><td>' + desc[rflag] + '</td></tr>'     
+    outdated=RunRetire(path)
+    return final, sec, outdated
+
+    '''
+                except Exception as e:
+                    print "ERROR - " + str(e)
+                    pass
+                '''
+def ReadRules():
+    #Load Rules
+    rx={}
+    rules={}
+    sec_code={}
+    desc={}
+    DOMTree = xml.dom.minidom.parse("rules.xml")
+    collection = DOMTree.documentElement
+    rules_collection = collection.getElementsByTagName("rule")
+    for rule in rules_collection:
+        if rule.hasAttribute("name"):
+            signature = rule.getElementsByTagName('signature')[0]
+            rules[rule.getAttribute("name")] = signature.childNodes[0].data
+            description= rule.getElementsByTagName('description')[0]
+            desc[rule.getAttribute("name")] = description.childNodes[0].data
+    regexs=collection.getElementsByTagName("regex")
+    for regex in regexs:
+        if regex.hasAttribute("name"):
+            signature = regex.getElementsByTagName('signature')[0]
+            rx[regex.getAttribute("name")] = signature.childNodes[0].data
+            description= regex.getElementsByTagName('description')[0]
+            desc[regex.getAttribute("name")] = description.childNodes[0].data
+    seccodes=collection.getElementsByTagName("notpresent")
+    for scode in seccodes:
+        if scode.hasAttribute("name"):
+            signature = scode.getElementsByTagName('signature')[0]
+            sec_code[scode.getAttribute("name")] = signature.childNodes[0].data
+            description= scode.getElementsByTagName('description')[0]
+            desc[scode.getAttribute("name")] = description.childNodes[0].data
+
+    return rules, rx, sec_code, desc
+def Report(data,sec,out):
+    path = os.path.join(os.getcwd() + '/template/template.html')
+    with open(path,'r') as f:
+        dat=f.read()
+    report_path= os.path.join(os.getcwd() + '/Report.html')
+    with open(report_path,'w') as f:
+        f.write(dat.replace('{{DATA}}',data).replace('{{SEC}}',sec).replace('{{LIB}}',out))
+    print "Report generated.\nOpening Report.html"
+    if platform.system()=="Darwin":
+        os.system("open "+report_path)
+    else:
+        webbrowser.open_new_tab(report_path)
+
+
+def RunRetire(path):
+    args=[]
+    retirepath=os.path.join(os.path.curdir, 'node','bin','retire')
+    if platform.system()=="Windows":
+        args=['node.exe',retirepath, '--nodepath', path]
+    else:
+        args=['node',retirepath, '--nodepath', path]
+    x=''
+    err=''
+    try:
+        x, err = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()
+        x+=err
+    except Exception as e:
+        print "ERROR - Install node.js > 0.8" 
+        pass
+    if '<tr>' in x:
+        return x
+    else:
+        return ''
+
+
+
+def main():
+    nodeonly=False
+    usage = "usage: %prog -d <dir>"
+    parser = OptionParser(usage=usage)
+    parser.add_option("-d", "--dir", dest="dir")
+    (options, args) = parser.parse_args()
+    if options.dir is not None:
+        print '\nNodeJsScan is a node.js Static Analysis Tool that can detect possible security issues, insecure code and outdated libraries (using retire.js).\n\n'
+        dat,sec, out=NodeJSStaticAnalyzer(options.dir)
+        Report(dat,sec,out)
+    else:
+        print "Usage: NodeJsScan.py -d <dir>"
+
+
+
+if __name__ == '__main__':
+    main()

Report.html

@@ -0,0 +1,150 @@
+<!doctype html>
+<html>
+<head>
+<title>NodeJsScan</title>
+ <link href="template/css/bootstrap.min.css" rel="stylesheet">
+ <link rel="icon" 
+      type="image/png" 
+      href="template/nodejs.png">
+<script>
+function f()
+{
+var d = new Date();
+var n = 'NodeJsScan - Copyright &copy; ' + d.getFullYear() +'. All rights reserved. | <a href="https://twitter.com/ajinabraham">Ajin Abraham</a> | <a href="http://opensecurity.in">OpenSecurity</a>';
+document.getElementById("foot").innerHTML=n;
+} 
+</script>
+</head>
+<body onload="f()">
+<div class="panel panel-default">
+  <!-- Default panel contents -->
+  <div class="panel-heading"><center><h2><img src="template/nodejs.png" width="40px" height="40px">   NodeJsScan </h2></center></div>
+  <div class="panel-body">
+    <p>NodeJsScan is a node.js Static Analysis Tool that can detect possible security issues, insecure code and outdated libraries (using retire.js).</p>
+  </div>
+
+
+ <nav class="navbar navbar-inverse">
+  <div class="container-fluid">
+    <div class="navbar-header">
+      <a class="navbar-brand">
+       <strong><span class="label label-danger">Possible Security Issues</span> </strong>
+      </a>
+    </div>
+  </div>
+</nav>
+  <!-- Table -->
+  <div class="panel panel-default">
+  <div class="panel-body">
+
+  <table class="table table-striped">
+     <thead>
+          <tr>
+            <th>Issue</th>
+            <th>Descriptiom</th>
+            <th>Line</th>
+            <th>File</th>
+            <th>Location</th>
+          </tr>
+        </thead>
+
+		<tbody>
+
+		 <tr><td>Server Side Injection(SSI) - eval()</td><td>User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).</td><td>6</td><td>CM insecure.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/CM insecure.js">/Users/aabraham/Desktop/node_exploits/CM insecure.js</a></td></tr><tr><td>Server Side Injection(SSI) - eval()</td><td>User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).</td><td>7</td><td>CM insecure.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/CM insecure.js">/Users/aabraham/Desktop/node_exploits/CM insecure.js</a></td></tr><tr><td>Accept Self Signed Certificates</td><td>'Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not an secure behaviour.</td><td>7</td><td>CM md5.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/CM md5.js">/Users/aabraham/Desktop/node_exploits/CM md5.js</a></td></tr><tr><td>node-curl SSL Verification is Disabled</td><td>SSL Certificate verification for node-curl is disabled.</td><td>8</td><td>CM md5.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/CM md5.js">/Users/aabraham/Desktop/node_exploits/CM md5.js</a></td></tr><tr><td>Server Side Injection(SSI) - eval()</td><td>User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).</td><td>4</td><td>eval.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/eval.js">/Users/aabraham/Desktop/node_exploits/eval.js</a></td></tr><tr><td>Server Side Injection(SSI) - eval()</td><td>User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).</td><td>42</td><td>helpers.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/helpers.js">/Users/aabraham/Desktop/node_exploits/libraries/helpers.js</a></td></tr><tr><td>Server Side Injection(SSI) - eval()</td><td>User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).</td><td>94</td><td>helpers.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/helpers.js">/Users/aabraham/Desktop/node_exploits/libraries/helpers.js</a></td></tr><tr><td>Server Side Injection(SSI) - eval()</td><td>User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).</td><td>123</td><td>helpers.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/helpers.js">/Users/aabraham/Desktop/node_exploits/libraries/helpers.js</a></td></tr><tr><td>Server Side Injection(SSI) - eval()</td><td>User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).</td><td>201</td><td>helpers.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/helpers.js">/Users/aabraham/Desktop/node_exploits/libraries/helpers.js</a></td></tr><tr><td>Server Side Injection(SSI) - eval()</td><td>User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).</td><td>226</td><td>helpers.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/helpers.js">/Users/aabraham/Desktop/node_exploits/libraries/helpers.js</a></td></tr><tr><td>Key Hardcoded</td><td>A hardcoded key in plain text was identified.</td><td>800</td><td>helpers.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/helpers.js">/Users/aabraham/Desktop/node_exploits/libraries/helpers.js</a></td></tr><tr><td>Key Hardcoded</td><td>A hardcoded key in plain text was identified.</td><td>235</td><td>ybase.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/ybase.js">/Users/aabraham/Desktop/node_exploits/libraries/ybase.js</a></td></tr><tr><td>Key Hardcoded</td><td>A hardcoded key in plain text was identified.</td><td>415</td><td>ybase.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/ybase.js">/Users/aabraham/Desktop/node_exploits/libraries/ybase.js</a></td></tr><tr><td>Key Hardcoded</td><td>A hardcoded key in plain text was identified.</td><td>430</td><td>ybase.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/ybase.js">/Users/aabraham/Desktop/node_exploits/libraries/ybase.js</a></td></tr><tr><td>Server Side Injection(SSI) - setTimeout()</td><td>User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).</td><td>524</td><td>ybase.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/ybase.js">/Users/aabraham/Desktop/node_exploits/libraries/ybase.js</a></td></tr><tr><td>Key Hardcoded</td><td>A hardcoded key in plain text was identified.</td><td>233</td><td>ycontext.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/ycontext.js">/Users/aabraham/Desktop/node_exploits/libraries/ycontext.js</a></td></tr><tr><td>Key Hardcoded</td><td>A hardcoded key in plain text was identified.</td><td>234</td><td>ycontext.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/ycontext.js">/Users/aabraham/Desktop/node_exploits/libraries/ycontext.js</a></td></tr><tr><td>Weak Hash used - MD5</td><td>MD5 is a a weak hash which is known to have collision. Use a strong hashing function.</td><td>408</td><td>ycontext.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/ycontext.js">/Users/aabraham/Desktop/node_exploits/libraries/ycontext.js</a></td></tr><tr><td>Server Side Injection(SSI) - setTimeout()</td><td>User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).</td><td>530</td><td>ycontext.js</td><td><a href="/Users/aabraham/Desktop/node_exploits/libraries/ycontext.js">/Users/aabraham/Desktop/node_exploits/libraries/ycontext.js</a></td></tr>
+
+        </tbody>
+
+
+  </table>
+  </div>
+</div>
+
+
+<nav class="navbar navbar-inverse">
+  <div class="container-fluid">
+    <div class="navbar-header">
+      <a class="navbar-brand">
+       <strong><span class="label label-success">Missing Security Features</span> </strong>
+      </a>
+    </div>
+  </div>
+</nav>
+ <div class="panel panel-default">
+  <div class="panel-body">
+    <table class="table table-striped">
+     <thead>
+          <tr>
+            <th>Issue</th>
+            <th>Descriptiom</th>
+
+          </tr>
+        </thead>
+
+    <tbody>
+
+     <tr><td>Missing Security Header - Content-Security-Policy (CSP)</td><td>Content Security Policy (CSP), a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). CSP Header was not found.</td></tr><tr><td>Missing Security Header - Strict-Transport-Security (HSTS)</td><td>Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.</td></tr><tr><td>Missing 'httpOnly' in Cookie</td><td>JavaScript can access Cookies if they are not marked httpOnly.</td></tr><tr><td>Infromation Disclosure - X-Powered-By</td><td>Remove the X-Powered-By header to prevent information gathering.</td></tr><tr><td>Missing Security Header - Public-Key-Pins (HKPK)</td><td>Public-Key-Pins (HKPK) ensures that certificate is Pinned.</td></tr><tr><td>Missing Security Header - X-Content-Type-Options</td><td>X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.</td></tr><tr><td>Missing Security Header - X-Download-Options: noopen</td><td>X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.</td></tr>
+
+        </tbody>
+  </table>
+   </div>
+  </div>
+
+
+ <nav class="navbar navbar-inverse">
+  <div class="container-fluid">
+    <div class="navbar-header">
+      <a class="navbar-brand">
+       <strong><span class="label label-warning">Outdated Libraries</span> </strong>
+      </a>
+    </div>
+  </div>
+</nav>
+  <!-- Table -->
+  <div class="panel panel-default">
+  <div class="panel-body">
+
+  <table class="table table-striped">
+     <thead>
+          <tr>
+            <th>File</th>
+            <th>Library</th>
+            <th>Reference</th>
+          </tr>
+        </thead>
+
+    <tbody>
+
+     <tr><td>/Users/aabraham/Desktop/node/spec/tests/contentscan.spec.js</td><td>
+jquery 1.8.1
+</td><td>http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/</td>
+</tr>
+<tr><td>/Users/aabraham/Desktop/Android /Tools/app-debug/assets/www/js/core.js</td><td>
+jquery 1.11.1
+backbone.js 1.1.2
+handlebars.js 1.0.beta.5
+</td><td>https://github.com/wycats/handlebars.js/pull/68</td>
+</tr>
+
+
+        </tbody>
+
+
+  </table>
+  </div>
+  </div>
+
+</div>
+<div class="panel panel-default">
+
+  <div id="foot" class="panel-body">
+ x
+  </div>
+
+</div>
+    <!-- Placed at the end of the document so the pages load faster -->
+
+    <script src="template/js/bootstrap.min.js"></script>
+
+    <script src="template/js/ie10-viewport-bug-workaround.js"></script>
+</body>
+</html>

node/.npmignore

@@ -0,0 +1,2 @@
+spec
+test

node/README.md

@@ -0,0 +1,38 @@
+Command line scanner looking for use of known vulnerable js files and node modules in web projects and/or node projects.
+
+Install
+-------
+
+    npm install -g retire
+
+
+Usage
+-----
+
+````
+Usage: retire [options]
+
+Options:
+
+-h, --help              output usage information
+-V, --version           output the version number
+
+-p, --package           limit node scan to packages where parent is mentioned in package.json (ignore node_modules)
+-n, --node              Run node dependency scan only
+-j, --js                Run scan of JavaScript files only
+-v, --verbose           Show identified files (by default only vulnerable files are shown)
+
+--jspath <path>         Folder to scan for javascript files
+--nodepath <path>       Folder to scan for node files
+--path <path>           Folder to scan for both
+--jsrepo <path>         Local version of repo
+--noderepo <path>       Local version of repo
+--proxy <url>           Proxy url (http://some.sever:8080)
+--ignore <paths>        Comma delimited list of paths to ignore
+--ignorefile <path>     Custom .retireignore file, defaults to .retireignore
+````
+
+
+Source code / Reporting an issue
+--------------------------------
+The source code and issue tracker can be found at [https://github.com/bekk/retire.js](https://github.com/bekk/retire.js)