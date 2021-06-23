finds publicly known security vulnerabilities in a website's frontend JavaScript libraries

Finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.

Command line

Using Node.js's npx to run a one-off scan of a website:

npx is-website-vulnerable https://example.com [--json] [--js-lib] [--mobile|--desktop] [--chromePath] [--cookie] [--token]

The CLI will gracefully handle cases where the URL to scan is missing by prompting you to enter it:

$ npx is-website-vulnerable Woops! You forgot to provide a URL of a website to scan. ? Please provide a URL to scan: › https://example.com ...

Exit codes

If the CLI detects an error, it will terminate with an exit code different from 0.

Exit Code 0: Everything is fine. No vulnerabilities found.

Exit Code 1: An error happened during the execution. Check the logs for details.

Exit Code 2: Vulnerabilities were found. Check the logs for details.

Docker

To build and run the container locally:

git clone https://github.com/lirantal/is-website-vulnerable.git cd is-website-vulnerable docker build --no-cache -t lirantal/is-website-vulnerable:latest . docker run --rm -e SCAN_URL= "https://www.google.com/" lirantal/is-website-vulnerable:latest

SCAN_URL is an environment variable and its value must be replaced with the desired URL during Docker run. Docker container will exit once the scan has been completed.

If you wish to provide command line arguments to is-website-vulnerable and customize the run, such as providing --json or other supported arguments, you should omit the environment variable and provide the full command. Here is an example:

docker run --rm lirantal / is-website-vulnerable :latest https :

⚠️ A modern version of Chrome is assumed to be available when using is-website-vulnerable . It may not be safe to assume that this is satisfied automatically on some CI services. For example, additional configuration is necessary for Travis CI.

GitHub Action

Create .github/workflows/is-website-vulnerable.yml with the url that you want scanned:

name: Test site for publicly known js vulnerabilities on: push jobs: security: runs-on: ubuntu-latest steps: - name: Test for public javascript library vulnerabilities uses: lirantal/is-website-vulnerable@master with: scan-url: "https://yoursite.com"

Install

You can install globally via:

npm install -g is-website-vulnerable

Author

is-website-vulnerable © Liran Tal, Released under the Apache-2.0 License.