Skip to main content

About pentest tool lite project

I was working in Eset as web developer and it was the first time I met with penetration testing. I knew there are some security things to check and so on but noone before paid attention to it. Every time we wanted to publish new site it had to go through pentesting. We didn't get full results but they informed us what to fix and how.

And that is the time I did first tests by myself. Is the redirect from http to https working correctly? Are there all necesarry headers? Is there something that should not be there?

There are two options how to use this tool: you can use it as command line utility installed as global package through npm or yarn, or you can use web app.

Command line

It is NPM package which you can install globally and run tests from your computer.

yarn global add pentest-tool-lite

# of if you use npm

npm i -g pentest-tool-lite

Run test:

pentest-tool-lite https://juffalow.com

There are additional options like run just specific test, change report type or format, etc.

Web Application

Wrapper over the NPM package. If you install it locally to any project, you can then extract the Pentest class and use it.

import Pentest from 'pentest-tool-lite/src/Pentest';

const pentest = new Pentest();
const result = await pentest.run(test.url);

Because it is running for at least 30 - 60 seconds, the test is using separate process. It is achieved by using queue (Bull). The limit is set to 15 tests in 15 minutes. If anyone will try to add more tests in this period of time, it will return an error.