⚠ Active mode performs real offensive tests. Use exclusively on systems you own or have explicit written authorization to test. Unauthorized use against third-party systems may constitute a crime under local law. KR Riley Soluções is not responsible for misuse.
Static Mode
Analyzes your source code without making any network requests. Safe for any environment including production CI/CD pipelines.
```ts
pentester: {
  enabled: true,
  mode: 'static',
  static: {
    owasp: true,
    secrets: true,
    dependencies: true,
    injections: true,
    headers: true,
  },
  severity: 'medium',
}
```

| Check | What it detects |
|---|---|
| OWASP Top 10 | Broken auth, XSS, injections, misconfiguration, A01–A10 |
| Exposed secrets | AWS keys, API keys, passwords, JWT secrets hardcoded in source |
| Vulnerable deps | CVE database check + npm audit + OSV database lookup |
| Injection patterns | SQL (string concatenation), command injection, path traversal |
| Insecure headers | Missing CSP, X-Frame-Options, HSTS, X-Content-Type-Options |
Active Mode
Real attack testing against your running application. Requires `pentester.target` pointing to a running server.
```ts
pentester: {
  enabled: true,
  mode: 'active',
  target: 'http://localhost:3000',
  realtime: true,
  bruteforce: {
    enabled: true,
    endpoints: ['/auth/login', '/admin'],
    wordlist: 'built-in',
    detectRateLimit: true,
    jwtWeak: true,
  },
  firewall: {
    enabled: true,
    portScan: true,
    cors: true,
    ssl: true,
    hsts: true,
    xFrameOptions: true,
  },
  active: {
    sqlInjection: true,
    xssReflected: true,
    idor: true,
    directoryTraversal: true,
    hiddenRoutes: true,
  },
  severity: 'low',
}
```

Brute Force
| Test | What it does |
|---|---|
| endpoints | Tests common passwords against your auth endpoints |
| detectRateLimit | Verifies if the API blocks repeated failed attempts |
| jwtWeak | Tests JWT tokens signed with predictable/common secrets |
| sessionExpiry | Verifies session expiration and invalidation |
Network & Firewall
| Test | What it does |
|---|---|
| portScan | Detects unnecessarily exposed ports (DB ports, Redis, etc.) |
| cors | Detects overly permissive cross-origin policies |
| ssl | Verifies SSL/TLS versions and cipher suites |
| hsts | Checks for HTTP Strict Transport Security header |
| xFrameOptions | Checks for clickjacking protection |
Active Endpoint Tests
| Test | What it does |
|---|---|
| sqlInjection | Injects real payloads into endpoints (not just code analysis) |
| xssReflected | Tests real XSS payloads against routes |
| idor | Attempts to access resources belonging to other users |
| directoryTraversal | Attempts to access files outside permitted scope |
| hiddenRoutes | Discovers undocumented but accessible endpoints |
Severity levels
Set `severity` to filter which findings get logged. Only findings at or above the threshold are written to `.timoro/log.md`.
| Level | Examples |
|---|---|
| critical | SQL injection, hardcoded secrets, active exploit confirmed |
| high | Missing rate limiting, XSS, brute force exposure |
| medium | Open ports, CORS misconfiguration, missing CSP |
| low | Missing security headers, outdated deps with low-risk CVEs |
Log output example
`.timoro/log.md`:

```md
## [14:23:10] 🔐 Pentester — SQL Injection
**Mode:** Active
**Endpoint:** `GET /api/users?id=1`
**Severity:** `CRITICAL`
**Payload:** `1' OR '1'='1`
**Result:** Endpoint vulnerable. Returned all table records.
**File:** `src/controllers/user.controller.ts`
**Line:** 28
**Recommendation:** Use parameterized queries or an ORM.
---
## [14:22:10] 🔐 Pentester — Brute Force
**Mode:** Active
**Endpoint:** `POST /auth/login`
**Severity:** `HIGH`
**Result:** No rate limiting. 50 attempts in 5s — not blocked.
**Recommendation:** Implement express-rate-limit.
Block IP after 5 failures within 60 seconds.
```
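The brute-force entry above recommends blocking an IP after 5 failures within 60 seconds. The following is an added example, not the tool's own code: a dependency-free sliding-window lockout that implements exactly that policy (class and policy names are assumptions; express-rate-limit, the package the log recommends, packages the same idea as Express middleware).

```typescript
// Added example (not the tool's own code): a dependency-free failed-login
// lockout implementing the recommendation from the log entry above,
// "block IP after 5 failures within 60 seconds". Policy values and the
// class name are assumptions; express-rate-limit packages the same idea
// as Express middleware.

interface LockoutPolicy {
  maxFailures: number; // failures tolerated inside the sliding window
  windowMs: number;    // sliding window length, in milliseconds
  blockMs: number;     // how long the client is rejected once the limit is hit
}

const LOGIN_POLICY: LockoutPolicy = { maxFailures: 5, windowMs: 60_000, blockMs: 60_000 };

class FailedLoginTracker {
  private readonly policy: LockoutPolicy;
  private failures = new Map<string, number[]>();   // ip -> failure timestamps (ms)
  private blockedUntil = new Map<string, number>(); // ip -> time the block expires

  constructor(policy: LockoutPolicy = LOGIN_POLICY) {
    this.policy = policy;
  }

  // Call before checking credentials; true means reject (e.g. HTTP 429) and skip the check.
  isBlocked(ip: string, now: number = Date.now()): boolean {
    const until = this.blockedUntil.get(ip);
    if (until === undefined) return false;
    if (now < until) return true;
    this.blockedUntil.delete(ip); // block expired: reset counters for this client
    this.failures.delete(ip);
    return false;
  }

  // Record one failed attempt; returns true when this attempt triggered a block.
  recordFailure(ip: string, now: number = Date.now()): boolean {
    const cutoff = now - this.policy.windowMs;
    const recent = (this.failures.get(ip) ?? []).filter((t) => t > cutoff);
    recent.push(now);
    this.failures.set(ip, recent);
    if (recent.length < this.policy.maxFailures) return false;
    this.blockedUntil.set(ip, now + this.policy.blockMs);
    return true;
  }

  // A successful login clears the counter so a legitimate user is not locked out later.
  recordSuccess(ip: string): void {
    this.failures.delete(ip);
  }
}
```

Wire `isBlocked` in before the credential check and `recordFailure`/`recordSuccess` after it; the `detectRateLimit` test above passes once the fifth failed attempt inside the window starts being rejected.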