I was working in Eset as web developer and it was the first time I met with penetration testing. I knew there are some security things to check and so on but noone before paid attention to it. Every time we wanted to publish new site it had to go through pentesting. We didn't get full results but they informed us what to fix and how.
And that is the time I did first tests by myself. Is the redirect from http to https working correctly? Are there all necesarry headers? Is there something that should not be there?
It is NPM package which you can install globally and run tests from your computer.
yarn global add pentest-tool-lite
# of if you use npm
npm i -g pentest-tool-lite
There are additional options like run just specific test, change report type or format, etc.
Wrapper over the NPM package. If you install it locally to any project, you can then extract the
Pentest class and use it.
import Pentest from 'pentest-tool-lite/src/Pentest';
const pentest = new Pentest();
const result = await pentest.run(test.url);
Because it is running for at least 30 - 60 seconds, the test is using separate process. It is achieved by using queue (Bull). The limit is set to 15 tests in 15 minutes. If anyone will try to add more tests in this period of time, it will return an error.