Pentest Tool Lite

Check your website ( or any other website ) for common vulnerabilities.

Installation

$ yarn global add pentest-tool-lite

Or if you use npm :

$ npm install -g pentest-tool-lite

Security checks

  • http => https - if the server is returning proper headers to redirect user on HTTPS
  • cookies - if cookies are set with secure, httpOnly flags
  • X-Frame-Options- if this header is set to prevent Clickjacking
  • X-XSS-Protection - if this header is set
  • fingerprint - if the server is returing its fingerprint - vendor or version of the web server

HTML checks

  • CSS
    • check if all CSS files are minified
    • check if all CSS files are cached
    • check if all CSS files have X-Content-Type-Options header
  • JavaScript
    • check if all JavaScript files are minified
    • check if all JavaScript files are cached
    • check if all JavaScript files have X-Content-Type-Options header
    • check if any JavaScript files contains conole logs
  • Links
    • check if all links are accessible
    • check if links are not redirected to some other URL

WordPress checks

  • wp-admin - check if admin page is accessible
  • generator - check if there is any clue what version of WordPress it is

Usage

For example let's test my own site :

$ pentest-tool-lite https://juffalow.com

Or if some help is needed :

$ pentest-tool-lite --help

Example output

Good X-XSS-Protection header is set! https://juffalow.com/
X-XSS-Protection: 1; mode=block

Good X-Frame-Options header is set! https://juffalow.com/
X-Frame-Options: DENY

Medium Server header is present! https://juffalow.com/
There is a header in the HTTP response that disclose the type of a running web server ( and its version ).
For more informations visit [see this page](https://github.com/juffalow/pentest-tool-lite/tree/master/src/security#server-fingerprint).

High HTTPS is not set properly! http://www.juffalow.com/
The page is available only ( or also ) over HTTP. This means it doesn't have any ssl certificate or if it has one, it doesn't force the user to use it.
For more informations visit [see this page](https://github.com/juffalow/pentest-tool-lite/tree/master/src/security#https).

Good JavaScript is cached! https://www.juffalow.com/somejsfile.js
Cache-Control: max-age=604800, public