auto-protect v3.0.4

auto-protect-security-

$ npm install express auto-protect

const express = require('express')
const app = express()
# here pass all are middleware for security 
app.use(nodeMonitor.test)
app.use(nodeMonitor.validateAndSetMiddleware(process.env.SECURTY_KEY))
# here pass your your api middlewares and others also 
app.get('/', function (req, res) {
  res.send('Hello World')
})

app.listen(3000)

Web Application Security Dashboard

This repository contains a collection of security vulnerabilities and attack vectors commonly found in web applications. The data is organized into categories, each containing a list of use cases related to that category.

Categories

Broken Authentication and Session Management

Injection

• Application is vulnerable to Command injection attack
• Application is vulnerable to HTML injection attack
• Application is vulnerable to iframe injection attack
• Application is vulnerable to SQL Injection
• Application is vulnerable to XML injection

SSL

• SSL Information

Error Message

• Server Error Message

Insecure Direct Object References

• Directory listing is enabled on the server
• HTTP parameter pollution
• The remote server contains a 'robots.txt' file

Security Misconfiguration

• Application accepts arbitrary methods
• Dangerous HTTP methods are enabled on the server
• OPTIONS method enabled

Sensitive Data Exposure

• An adversary can fingerprint the web server from the HTTP responses
• Application's server side source code disclosure
• Critical information in URL
• Default web-page present in the server
• Sensitive information revealed in HTTP response
• Cleartext Password returned in login response

Unvalidated Redirects and Forwards

• The application is vulnerable to a URL redirection flaw

Cross-Site Scripting (XSS)

• Application is vulnerable to cross frame scripting
• Application is vulnerable to Cross Site Scripting attack
• Application is vulnerable to stored Cross Site Scripting attack
• Is XSS possible via CSS injection?

Miscellaneous Attacks

• Auto-complete is enabled for sensitive fields
• Captcha is not implemented for publicly available forms
• click jacking
• Developer comments revealed in page source
• Email Flooding
• Vulnerabilities in known components

Sensitive Data stored in local storage

• Is sensitive data or session token stored in local data storage of browser?

Weak Cross domain policy

• Is "allow-access-from domain" in cross-domain.xml policy file set to * or unauthorized domains?
• Is "Origin" header in client request validated at the server?
• Is "Access-Control-Allow-Origin" header in server response is set securely?