Installing NodeJsScan on CentOS

Prerequisites:

=================

The preparation here is essentially the same as on Windows:

1. Download the source code: https://github.com/ajinabraham/NodeJsScan
2. Download Docker Toolbox for CentOS: 
3. Download and install PostgreSQL (detailed steps):
https://www.enterprisedb.com/downloads/postgres-postgresql-downloads
https://www.pgadmin.org/
user: postgres, pw: admin, port: 5432

=================

Extract the source code and save it as follows:

[root@localhost src]# ls
debug  kernels  nodejsscan  Python-3.8.0b3  pyvulhunter
[root@localhost src]# cd nodejsscan/
[root@localhost nodejsscan]# pwd
/usr/src/nodejsscan

First, upgrade pip:
python -m pip install --upgrade pip
Install the dependencies:
pip3 install -r requirements.txt
Run the commands:
python migrate.py # Run once to create database entries required
python app.py # Testing Environment
gunicorn -b 0.0.0.0:9090 app:app # Production Environment
-----------------

[root@localhost nodejsscan]# python app.py

* Serving Flask app "app" (lazy loading)
* Environment: production
WARNING: Do not use the development server in a production environment.
Use a production WSGI server instead.
* Debug mode: off
* Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)

===========================
pip install nodejsscan
-----------------
Docker
docker build -t nodejsscan .
docker run -it -p 9090:9090 nodejsscan
-------------------

[root@localhost nodejsscan]# docker run -it -p 9090:9090 nodejsscan
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... sh: locale: not found
No usable system locales were found.
Use the option "--debug" to see details.
ok
syncing data to disk ... ok

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    pg_ctl -D /var/lib/postgresql/data -l logfile start

****************************************************
WARNING: No password has been set for the database.
         This will allow anyone with access to the
         Postgres port to access your database. In
         Docker's default configuration, this is
         effectively any other container on the same
         system.

         Use "-e POSTGRES_PASSWORD=password" to set
         it in "docker run".
****************************************************
waiting for server to start....LOG:  could not bind IPv6 socket: Address not available
HINT:  Is another postmaster already running on port 5432? If not, wait a few seconds and retry.
LOG:  database system was shut down at 2020-06-24 03:06:39 UTC
LOG:  MultiXact member wraparound protections are now enabled
LOG:  database system is ready to accept connections
LOG:  autovacuum launcher started
 done
server started
CREATE DATABASE

CREATE ROLE


/usr/local/bin/docker-entrypoint.sh: ignoring /docker-entrypoint-initdb.d/*

waiting for server to shut down....LOG:  received fast shutdown request
LOG:  aborting any active transactions
LOG:  autovacuum launcher shutting down
LOG:  shutting down
LOG:  database system is shut down
 done
server stopped

PostgreSQL init process complete; ready for start up.

LOG:  database system was shut down at 2020-06-24 03:06:41 UTC
LOG:  MultiXact member wraparound protections are now enabled
LOG:  database system is ready to accept connections
LOG:  autovacuum launcher started
[INFO] Table entries created!
[2020-06-24 03:06:49 +0000] [57] [INFO] Starting gunicorn 20.0.4
[2020-06-24 03:06:49 +0000] [57] [INFO] Listening at: http://0.0.0.0:9090 (57)
[2020-06-24 03:06:49 +0000] [57] [INFO] Using worker: sync
[2020-06-24 03:06:49 +0000] [60] [INFO] Booting worker with pid: 60
[2020-06-24 03:06:49 +0000] [61] [INFO] Booting worker with pid: 61
[2020-06-24 03:06:49 +0000] [62] [INFO] Booting worker with pid: 62

=========================
In another console, change to the directory that contains the JS files and run nodejsscan -d <folder name>

[root@localhost nodejsscan]# nodejsscan -d yourjsdir

[INFO] Running Static Analyzer on - yourjsdir

{
    "files": [],
    "good_finding": {},
    "missing_sec_header": {
        "Web Security": [
            {
                "description": "Content Security Policy (CSP), a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). CSP Header was not found.",
                "tag": "web",
                "title": "Missing Security Header - Content-Security-Policy (CSP)"
            },
            {
                "description": "X-Frame-Options (XFO) header provides protection against Clickjacking attacks.",
                "tag": "web",
                "title": "Missing Security Header - X-Frame-Options (XFO)"
            },
            {
                "description": "Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.",
                "tag": "web",
                "title": "Missing Security Header - Strict-Transport-Security (HSTS)"
            },
            {
                "description": "Public-Key-Pins (HPKP) ensures that certificate is Pinned.",
                "tag": "web",
                "title": "Missing Security Header - Public-Key-Pins (HPKP)"
            },
            {
                "description": "X-XSS-Protection header set to 1 enables the Cross-site scripting (XSS) filter built into most recent web browsers.",
                "tag": "web",
                "title": "Missing Security Header - X-XSS-Protection:1"
            },
            {
                "description": "X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.",
                "tag": "web",
                "title": "Missing Security Header - X-Content-Type-Options"
            },
            {
                "description": "X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.",
                "tag": "web",
                "title": "Missing Security Header - X-Download-Options: noopen"
            },
            {
                "description": "JavaScript can access Cookies if they are not marked httpOnly.",
                "tag": "web",
                "title": "Missing 'httpOnly' in Cookie"
            },
            {
                "description": "Remove the X-Powered-By header to prevent information gathering.",
                "tag": "web",
                "title": "Information Disclosure - X-Powered-By"
            }
        ]
    },
    "sec_issues": {},
    "total_count": {
        "good": 0,
        "mis": 9,
        "sec": 0
    },
    "vuln_count": {}
}
[root@localhost nodejsscan]# 
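
The report above has an empty "files" list, so "sec": 0 does not by itself show that any code was analyzed. The following is an added example (not part of the original post or of the NodeJsScan project) that triages a report of this shape for use as a build gate. The function names and the embedded sample are constructed; it assumes that "files" lists the analyzed files, that "sec_issues" has the same category-to-findings layout as "missing_sec_header", and that the "total_count" values equal the number of listed findings.

```python
import json

# Constructed sample, trimmed from the report shape shown above (two findings only).
SAMPLE_REPORT = """
{
  "files": [],
  "good_finding": {},
  "missing_sec_header": {"Web Security": [
    {"description": "CSP Header was not found.", "tag": "web",
     "title": "Missing Security Header - Content-Security-Policy (CSP)"},
    {"description": "JavaScript can access Cookies if they are not marked httpOnly.",
     "tag": "web", "title": "Missing 'httpOnly' in Cookie"}
  ]},
  "sec_issues": {},
  "total_count": {"good": 0, "mis": 2, "sec": 0},
  "vuln_count": {}
}
"""

def flatten(section):
    """Turn {category: [finding, ...]} into a sorted list of (category, title)."""
    return sorted((cat, f.get("title", "<untitled>"))
                  for cat, findings in section.items() for f in findings)

def triage(report, max_sec=0, max_mis=0):
    """Return (verdict, details); verdict is 'pass', 'fail' or 'inconclusive'."""
    sec = flatten(report.get("sec_issues", {}))
    mis = flatten(report.get("missing_sec_header", {}))
    counts = report.get("total_count", {})
    # Assumption: the summary counters equal the number of listed findings.
    if counts.get("sec", len(sec)) != len(sec) or counts.get("mis", len(mis)) != len(mis):
        return "inconclusive", ["total_count does not match the listed findings"]
    # Assumption: "files" lists the analyzed files; empty means nothing was scanned.
    if not report.get("files"):
        return "inconclusive", ["no files were analyzed; check the -d path"]
    if len(sec) > max_sec or len(mis) > max_mis:
        return "fail", [f"{cat}: {title}" for cat, title in sec + mis]
    return "pass", []

if __name__ == "__main__":
    verdict, details = triage(json.loads(SAMPLE_REPORT))
    print(verdict)
    for line in details:
        print(" -", line)
```
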

The web interface is used as follows:

Drag the JS code to be audited onto the page; the results are shown below:

=================

For reference, the Windows version of this guide: https://blog.csdn.net/weixin_34102807/article/details/86263310
