@sec-tester/runner NPM

@sec-tester/runner

NPM Downloads

Run scanning for vulnerabilities just from your unit tests on CI phase.

Setup

npm i -s @sec-tester/runner

Step-by-step guide

Configure SDK

To start writing tests, first obtain a NeuraLegion token, which is required for the access to NeuraLegion API. More info about setting up an API key.

Then put obtained token into BRIGHT_TOKEN environment variable to make it accessible by default EnvCredentialProvider.

Refer to @sec-tester/core package documentation for the details on alternative ways of configuring credential providers.

Once it is done, create a configuration object. Single required option is NeuraLegion hostname domain you are going to use, e.g. app.neuralegion.com as the main one:

import { Configuration } from '@sec-tester/core';

const configuration = new Configuration({ hostname: 'app.neuralegion.com' });

Setup runner

To set up a runner, create SecRunner instance passing a previously created configuration as follows:

import { Configuration } from '@sec-tester/core';
import { SecRunner } from '@sec-tester/runner';

const configuration = new Configuration({ hostname: 'app.neuralegion.com' });
const runner = new SecRunner(configuration);

// or

const runner2 = new SecRunner({ hostname: 'app.neuralegion.com' });

After that, you have to initialize a SecRunner instance:

await runner.init();

The runner is now ready to perform your tests, but you have to create a scan.

To dispose a runner, you just need to call the clear method:

await runner.clear();

Starting scan

To start scanning your application, first you have to create a SecScan instance, as shown below:

const scan = runner.createScan({ tests: [TestType.XSS] });

Below you will find a list of parameters that can be used to configure a Scan:

Option	Description
`tests`	The list of tests to be performed against the target application. Learn more about tests
`smart`	Minimize scan time by using automatic smart decisions regarding parameter skipping, detection phases, etc. Enabled by default.
`skipStaticParams`	Use an advanced algorithm to automatically determine if a parameter has any effect on the target system's behavior when changed, and skip testing such static parameters. Enabled by default.
`poolSize`	Sets the maximum concurrent requests for the scan, to control the load on your server. By default, `10`.
`attackParamLocations`	Defines which part of the request to attack. By default, `body`, `query`, and `fragment`.
`slowEpTimeout`	Skip entry-points that take longer to respond than specified ms value. By default, 1000ms.
`targetTimeout`	Measure timeout responses from the target application globally, and stop the scan if the target is unresponsive for longer than the specified time. By default, 5s.
`name`	The scan name. The method and hostname by default, e.g. `GET example.com`.

Finally, run a scan against your application:

await scan.run({
  method: 'POST',
  url: 'https://localhost:8000/api/orders',
  body: { subject: 'Test', body: "<script>alert('xss')</script>" }
});

The run method takes a single argument (for details, see here), and returns promise that is resolved if scan finishes without any vulnerability found, and is rejected otherwise (on founding issue that meets threshold, on timeout, on scanning error).

If any vulnerabilities are found, they will be pretty printed to stdout or stderr (depending on severity) by reporter.

By default, each found issue will cause the scan to stop. To control this behavior you can set a severity threshold using the threshold method:

scan.threshold(Severity.HIGH);

Now found issues with severity lower than HIGH will not cause the scan to stop.

Sometimes either due to scan configuration issues or target misbehave, the scan might take much more time than you expect. In this case, you can provide a timeout (in milliseconds) for specifying maximum scan running time:

scan.timeout(30000);

In that case after 30 seconds, if the scan isn't finishing or finding any vulnerability, it will throw an error.

Usage sample

import { SecRunner, SecScan } from '@sec-tester/runner';
import { Severity, TestType } from '@sec-tester/scan';

describe('/api', () => {
  let runner!: SecRunner;
  let scan!: SecScan;

  beforeEach(async () => {
    runner = new SecRunner({ hostname: 'app.neuralegion.com' });

    await runner.init();

    scan = runner
      .createScan({ tests: [TestType.XSS] })
      .threshold(Severity.MEDIUM) // i. e. ignore LOW severity issues
      .timeout(300000); // i. e. fail if last longer than 5 minutes
  });

  afterEach(async () => {
    await runner.clear();
  });

  describe('/orders', () => {
    it('should not have persistent xss', async () => {
      await scan.run({
        method: 'POST',
        url: 'https://localhost:8000/api/orders',
        body: { subject: 'Test', body: "<script>alert('xss')</script>" }
      });
    });

    it('should not have reflective xss', async () => {
      await scan.run({
        url: 'https://localhost:8000/api/orders',
        query: {
          q: `<script>alert('xss')</script>`
        }
      });
    });
  });
});