Web Exploit Detector: NPM module

Introduction

As a follow-up to the previous article about my Web Exploit Detector, I am happy to announce that I have just made the project available as an NPM module. This allows the application to be installed, used and updated much more easily than before.

This article is intended to be a brief introduction to the Web Exploit Detector as an NPM module, as well as a brief introduction to NPM itself for those that are unfamiliar with it.

NPM

NPM is the package-management system used by Node.js. NPM consists of an online registry of modules, a command-line client (the npm command) and a package format (as described by the “package.json” file); however, NPM is more than just the sum of these parts. NPM provides a complete system for managing packages used both as libraries for other Node.js applications and as applications themselves, as well as their dependencies. Installing an NPM package has become a very simple process, with users not having to worry about installing other dependencies or compiling code from source.

As the Web Exploit Detector is written to be run with Node.js, it’s only natural that it be made available as an NPM module. By building it as an NPM module, it automatically gains all of the advantages given via the NPM system. Installing, running and updating it is now a lot simpler than it was before.

Installation

Many web servers will already have Node.js and the NPM CLI installed by default, but even those that don’t should allow easy installation from their own package management systems. For example, on Ubuntu a simple sudo apt-get install nodejs npm will install both.

Once Node.js and NPM are installed, then installing the Web Exploit Detector is as simple as installing any other NPM module: -

sudo npm install -g web_exploit_detector

The -g option tells NPM to install the module globally, which is important if you want to be able to run the commands listed below. sudo causes the command to run with root privileges; this is needed when installing any NPM module globally, but is not needed to run the application afterwards.

This command installs all of the necessary dependencies (other libraries) needed by the Web Exploit Detector, and makes the following commands available: -

  • wed-scanner: the main scanning engine
  • wed-results-to-exceptions: a script which takes results from a previous scan and allows specific files to be excluded from future tests.

More details on these commands can be found in my previous post and below.

Updating

It’s important to keep the Web Exploit Detector up-to-date so that fixes can be applied and so that new rules can be used. With NPM, updating is very simple: -

sudo npm update -g web_exploit_detector

Running

Main scanner

To run the main scanner, simply use the following command: -

wed-scanner --web-root=/var/www/html

Remember to replace the "/var/www/html" path with one that is applicable to your own server.

To get more information about how to use the scanner, use the --help option: -

wed-scanner --help

Results-to-exceptions

To run the tool to create an exceptions file based on previous results, run the following command: -

wed-results-to-exceptions --results=results.json

…where "results.json" should be an output file generated from wed-scanner using the --output option. Exceptions are written to your user’s home directory in a file called wed-exceptions.json. This is a plain text file, so you are free to open it in a text editor and make changes if necessary. Also, deleting this file will simply reset all rules to their defaults so that no files are excluded.
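
Because the exceptions file decides which files later scans skip, it is worth confirming before each scan that only your user can modify it and that it has not changed since you last reviewed it. The shell functions below are an added example, not part of the Web Exploit Detector; the function names and the baseline file are assumptions, and sha256sum is assumed to be installed.

```shell
#!/bin/sh
# Added example: integrity checks for the exceptions file before a scan.
# Default path follows the article: wed-exceptions.json in the home directory.

# Return 0 if the file is absent (scanner defaults apply) or only the
# current user can modify it; return 1 and print a warning otherwise.
wed_exceptions_safe() {
    f="${1:-$HOME/wed-exceptions.json}"
    [ -e "$f" ] || [ -L "$f" ] || return 0
    if [ -L "$f" ]; then
        echo "WARN: $f is a symlink" >&2
        return 1
    fi
    if [ ! -f "$f" ] || [ ! -O "$f" ]; then
        echo "WARN: $f is not a regular file owned by $(id -un)" >&2
        return 1
    fi
    # Match the group-writable or world-writable mode bits.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WARN: $f is writable by group or others" >&2
        return 1
    fi
    return 0
}

# Compare the file with a recorded SHA-256 baseline (hypothetical helper).
#   wed_exceptions_baseline FILE BASELINE record   store the current digest
#   wed_exceptions_baseline FILE BASELINE          0 if unchanged, 1 if not
wed_exceptions_baseline() {
    f="$1"; base="$2"; mode="${3:-verify}"
    [ -f "$f" ] || return 2
    digest=$(sha256sum < "$f" | cut -d' ' -f1)
    if [ "$mode" = record ]; then
        printf '%s\n' "$digest" > "$base"
        return 0
    fi
    [ -f "$base" ] && [ "$digest" = "$(cat "$base")" ]
}
```

Record the baseline after reviewing the file by hand, then call both functions before each wed-scanner run and treat a failure as a reason to inspect the exceptions before trusting the scan results.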

Removing

If you no longer want to have the Web Exploit Detector installed on your server then removing it is as simple as installing it: -

sudo npm uninstall -g web_exploit_detector

Please note that the application can create a file called wed-exceptions.json in your home directory. This file will not be removed if you uninstall the module as it might be useful to keep. You can of course delete this file if you want, but that choice is left up to you.

Conclusion

If you choose to use the Web Exploit Detector then I hope it is useful. I would be very happy to hear about any experiences you have with it, as well as any problems or suggestions for improvements. Remember too that this project is open source, so you can also help to improve it by submitting your own rules, or providing information about an exploit that will help to create new detection rules in future versions.


