NodeJS Security Vulnerability Egrep Cheatsheet

These are a set of “suspicious” Node.js patterns that may reveal vulnerabilities; each hit is a lead to review by hand, not a confirmed finding.

# this command will return instances where the child_process module is loaded (single or double quotes).
# that module is generally a good signal that the application is shelling out
egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "require(\s*)\((\s*)[\"']child_process[\"'](\s*)\)" .

# this command will return instances where code is dynamically executed.
egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "eval(\s*)\(" .

# this command will check common dangerous functions and report when a string literal (single or double quoted) is the first argument
egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "(setInterval|setTimeout|new(\s*)Function)(\s*)\((\s*)[\"'].*[\"']" .

# same as above but matches every call, so it will also catch variables passed as arguments
egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "(setInterval|setTimeout|new(\s*)Function)(\s*)\((\s*)" .

# this command can be used to gauge whether or not CSRF protections are in place in frameworks such as express
# if no results are returned, that can mean no CSRF protection exists at the framework level.
# results will vary based on the application framework.
grep -r --exclude-dir "node_modules" --include "*.js" --include "*.json" --exclude "*.min.*" -e "csrf" .

# NODE-ORM, Sequelize: find places where potentially unsafe SQL queries are executed (a string literal concatenated with a variable):
egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "\.(execQuery|query)(\s*)\((\s*)[\"'].*[\"'].*\+" .

# mongoose: database connect functions (look for hard-coded credentials)
egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "\.(createConnection|connect)(\s*)\(" .

# hard-coded port values in JSON documents (GNU grep has no \d, so use [0-9]):
egrep -r --exclude-dir "node_modules" --include "*.js" --include "*.json" --exclude "*.min.*" -e "\"port[^\"]*\"(\s*):(\s*)[0-9]+" .

# look for username / password strings as JSON keys:
egrep -r --exclude-dir "node_modules" --include "*.js" --include "*.json" --exclude "*.min.*" -e "\"(username|user|password|pass)\"(\s*):(\s*)\".*\"" .

# look for places with possible DOM-based XSS (assignments to location / location.href, with or without whitespace around =)
egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "(window\.)?location((\s*)|\.)(href)?(\s*)=" .
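As an added example (not part of the original cheatsheet), the same patterns folded into one POSIX shell scanner with a constructed sample tree to exercise it. The function names, the check labels and the fixture are this example's own; GNU grep is assumed for the recursive include/exclude flags, and [[:space:]] replaces \s so the patterns stay plain POSIX ERE:

```shell
# Added example (not the cheatsheet's own script): wraps the patterns above into
# one scanner. Assumes GNU grep for -r/--include/--exclude-dir; [[:space:]] is
# used instead of \s so the patterns are POSIX ERE. Quotes accept ' or ".
node_checks() {
  # One check per line: "<name> <ERE>". Names are this example's own labels.
  cat <<'EOF'
child_process require[[:space:]]*\([[:space:]]*["']child_process["'][[:space:]]*\)
eval eval[[:space:]]*\(
timer_string (setInterval|setTimeout|new[[:space:]]+Function)[[:space:]]*\([[:space:]]*["']
sql_concat \.(execQuery|query)[[:space:]]*\([[:space:]]*["'][^"']*["'][^)]*\+
db_connect \.(createConnection|connect)[[:space:]]*\(
dom_xss_sink (window\.)?location([[:space:]]*|\.)(href)?[[:space:]]*=
EOF
}

# scan_node_tree <dir> [check]: prints "<check>: file:line:text" for every hit,
# skipping node_modules and minified bundles exactly as the one-liners do.
scan_node_tree() {
  dir=$1; only=${2:-}
  node_checks | while IFS= read -r line; do
    name=${line%% *}; pat=${line#* }
    [ -n "$only" ] && [ "$only" != "$name" ] && continue
    grep -rnE --exclude-dir=node_modules --include='*.js' --exclude='*.min.*' \
      -e "$pat" "$dir" | sed "s/^/$name: /"
  done
}

# count_hits <dir> <check>: number of matching lines, usable as a CI gate.
count_hits() {
  scan_node_tree "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_tree: constructed fixture, one app file with findings plus a
# vendored copy under node_modules that must be skipped. Prints the root dir.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/src" "$root/node_modules/pkg"
  cat > "$root/src/app.js" <<'EOF'
const cp = require("child_process");
const rows = db.query("SELECT * FROM users WHERE id = " + req.query.id);
setTimeout('cleanup()', 1000);
window.location.href = req.query.next;
EOF
  printf 'require("child_process");\n' > "$root/node_modules/pkg/index.js"
  printf '%s\n' "$root"
}

# Run: scan_node_tree "$(make_sample_tree)"  -> four labelled hits, none from node_modules
```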