joi-security

Release 0.4.0

Detect security flaws in Joi validation schemas

Homepage Repository npm TypeScript Download

Keywords
audits, hapi, joi, js, security, sql-injection, typescript, validation, web-security, xss
License
AGPL-3.0
Install
npm install joi-security@0.4.0

Documentation

Joi security 🔥

This project provides a CLI for offensive and defensive security assesments on the Joi validator library. The goal is to ensure that a given Joi validation shema can resist against known security attacks such as SQL injections, path traversal and SSRF attempts.

Getting started

Install the latest joi-security CLI tool using NPM.

npm install -g joi-security

Create a sample JavaScript file containing the Joi schema below and name it schema.js.

// A sample Joi schema used for login validation
Joi.object().keys({
    username: Joi.string().required(),
    password: Joi.string().required()
});

Scan the JS file using the joi-security scan command.

joi-security scan ./schema.js

Do not include require or return statements in the provided JS file, an export named Joi will be provided. Keep the Joi schema to analyze as last statement in your file, as it will be otherwise ignored.

Web attacks

The joi-security CLI includes by default a wide range of attacks that will be used to test your Joi schemas :

  • XSS including Markdown bypass
  • SQL injections
  • NoSQL injections
  • RCE (Remote Code Execution)
  • LFI (Local File Inclusion)
  • Overflow
  • SSRF
  • Suspicious IP addresses
  • Homograph attacks on domains & emails

Joi security will also attempt to detect the input content based on key names and perform targeted attacks. For example, when matching with potential phone numbers the CLI will try to perform phone-related attacks against the Joi schema.

Credits to the awesome PayloadAllTheThings repository for the advanced attacks.

Options & advanced usage

Changing the output format to HTML, defaults to console output.

joi-security scan ./schema.js --output=web

Each attack may be linked to a set of tags that are displayed below below the payloads (#xss,advanced). Ignore a set of malicious payload tags with the ignore option, which may provide more accurate results.

joi-security scan ./schema.js --ignore=sql,markdown,overflow,aws

Contributing

Clone this project and make sure to have a complete Node installation (including NPM) on your workstation. Please note that this project has currently been tested with Node LTS 12.

# Go inside the Joi security project folder
cd joi-security

# Install all project dependencies
npm install

# Run a first development scan against a Joi schema
npm run dev scan ./sandbox/blogpost-schema.js

Copyright and license

"Joi security" is released under the GNU Affero General Public License. Feel free to suggest a feature, report a bug, or ask something: https://github.com/Saluki/joi-security/issues

Stats

Dependencies
5
Dependent packages
2
Dependent repositories
0
Total releases
11
Latest release
First release
Stars
41
Forks
1
Watchers
1
Contributors
2
Repository size
805 KB
SourceRank
8

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.4.0
0.3.3
0.3.2
0.3.1
0.3.0
0.2.4
0.2.3
0.2.2
0.2.1
0.2.0
See all 11 releases

Contributors

Corentin B. dependabot[bot]


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2023-04-25 06:46:09 UTC

Login to resync this project