Some online tools find common security vulnerabilities in PHP, WordPress, Joomla, etc., but they may not be able to detect them if your application is built on Node.js. In the latest finding, more than 80% of Snyk users found their Node.js application vulnerable.

There could be hundreds of vulnerabilities due to misconfiguration, outdated NPM packages, etc., and the following security scanners should help you find the security loopholes.

Note: this article focuses on tools to find vulnerabilities; for adding security protection, check out how to secure node.js from online threats.

Snyk

Snyk checks your Node.js GitHub repository for weaknesses in the dependencies and fixes them continuously. You may install this using NPM. There are four main advantages of using Snyk. You can use Snyk for free on your public Node.js application GitHub repository. Along with your application, you can also test public NPM packages like express, ionic, etc.

You may take a look at the scan results from one of the test applications.

Source Clear

Scan your Node.js application builds automatically with SourceClear and fix the issues before deploying to production. Source Clear helps you build a secure application, and it supports not just Node.js but also Python, Ruby & Java projects.

Source Clear maintains a large database of libraries and vulnerabilities to detect all types of security risk in your project. With Source Clear, you have the flexibility to integrate with build tools and scan new commits automatically.

You get a complete picture of the libraries in use and can see whether they are vulnerable.

Node Security Platform

Node Security Platform, also known as nsp, is one of the most popular solutions to monitor your Node app for security. You can add the checks to the GitHub pull request itself, so no vulnerable code is deployed to the production environment. NSP is free for open source and the first private repo.

Acunetix

Acunetix scans your entire website for security vulnerabilities in front-end & server-side applications and gives you actionable results.

Acunetix tests for more than 3000 vulnerabilities, including the OWASP top 10, XSS, SQLi, etc. You can sign up for a 14-day trial to see if there is a hole in your bucket.

Retire.js

Retire.js checks your code for known public vulnerabilities and lets you know if any are detected. Retire.js is a command line scanner and is also available as a Chrome and Firefox extension.

OWASP Dependency Check

Similar to Retire.js, OWASP Dependency Check identifies any publicly disclosed vulnerabilities in Node.js, Python, and Ruby. You can use it as a command line tool, ant task, Maven plugin, or Jenkins plugin.

Additionally, you may consider implementing helmet to secure your apps with the necessary HTTP headers. By default, helmet helps you apply the following headers.

- DNS Prefetch
- Hide X-Powered-By
- HTTP Strict Transport Security
- NoSniff
- XSS Protections

Once implemented, you may use online tools to verify the HTTP Headers.
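An offline counterpart to the online header checkers, as an added example that is not from the original article or from the helmet project: it audits a response-header object for the five headers listed above. The function name `auditHeaders`, the `MIN_HSTS_MAX_AGE` threshold, the mapping of the article's labels to header names, and both sample header sets are assumptions constructed for this example.

```javascript
// Added example: audit response headers for the five helmet defaults listed above.
// The mapping from the article's labels to header names is this example's own.
const MIN_HSTS_MAX_AGE = 15552000; // assumed policy minimum: 180 days, in seconds

function auditHeaders(headers) {
  // Header names are case-insensitive, so normalise before looking anything up.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const findings = [];
  // DNS Prefetch: an explicit "off" is expected.
  if ((h['x-dns-prefetch-control'] || '').toLowerCase() !== 'off') {
    findings.push('x-dns-prefetch-control: missing or not "off"');
  }
  // Hide X-Powered-By: the header should not be sent at all.
  if ('x-powered-by' in h) {
    findings.push(`x-powered-by: discloses "${h['x-powered-by']}"`);
  }
  // HTTP Strict Transport Security: present, with a long enough max-age.
  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(hsts);
  if (!hsts) {
    findings.push('strict-transport-security: missing');
  } else if (!maxAge) {
    findings.push('strict-transport-security: no max-age directive');
  } else if (Number(maxAge[1]) < MIN_HSTS_MAX_AGE) {
    findings.push(`strict-transport-security: max-age ${maxAge[1]} below minimum`);
  }
  // NoSniff: the only valid value is "nosniff".
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options: missing or not "nosniff"');
  }
  // XSS Protections: the header must be set explicitly, not left to browser defaults.
  if (!('x-xss-protection' in h)) {
    findings.push('x-xss-protection: missing');
  }
  return findings;
}

// Constructed sample responses (not captured from a real server).
const HARDENED = {
  'X-DNS-Prefetch-Control': 'off',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-XSS-Protection': '0',
};
const UNHARDENED = { 'X-Powered-By': 'Express', 'Content-Type': 'text/html; charset=utf-8' };

console.log('hardened  :', auditHeaders(HARDENED));
console.log('unhardened:', auditHeaders(UNHARDENED));
```

To check a live application, pass the `headers` object of a Node `http`/`https` response to `auditHeaders`; browsers honour Strict-Transport-Security only when it arrives over HTTPS.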

NodeJsScan

A static code scanner. NodeJsScan can be integrated with CI/CD pipelines and it is Docker ready. It's a self-hosted solution with a beautiful dashboard.

You can use NodeJsScan as a web-based app, CLI, or Python API. It scans for remote code injection, open redirect, SQL injection, XSS, etc.

Conclusion

The above tools should help you scan your Node.js application for security vulnerabilities so you can secure it. On top of protecting core Node.js applications, you should also consider using a WAF to protect against online threats and DDoS attacks.
