ScanJS uses Acorn to convert sources to AST, then walks AST looking for source patterns. Use the rules file supplied, or load your own rules.
Rules are specified in JSON format - for an example see
At a minimum, each must have rule is made up of 2 attributes:
- name: the name of the rule
Optionally a rule may have the following attirbutes:
- testmiss: the rule should not match any of these statements
- desc: description of the rule
- threat: for catgorizing rules by threat
source attribute, the following basic statements are supported:
foo: matches any identifier , "foo"
$_any.foo: $_any is wildcard, matches anything.foo
foo.bar: matches object and property, i.e. foo.bar
You can also matches function calls based on the same syntax:
foo(): matches function calls with this name
$_any.foo: matches anything.foo() but not foo()
foo.bar(): matches foo.bar() only
You can also search for functions with matching literal arguments:
foo('test',ignored,42): matches a function called foo, with 'test' as the first argument, anything as the second argument, and the number 42 as the third argument (i.e. matches ONLY literal arguments).
$_any.foo('test',ignored,42): same as above, but function has to be a property.
foo.bar('test',ignored,42): same as above, but matches both object and property
You can also search for assignment to a specifically named identifier:
foo=$_any: matches when foo is assigned to something
$_any.foo=$_any: matches when anything.foo is assigned to something
foo.bar=$_any: matches when foo.bar is assigned to something
If you specify
$_unsafe on the right hand side (e.g. foo.innerHTML=$_unsafe), it will only match if the RHS contains at least one identifier.
- One simple statement per rule, not complex statements (yet)!
- 'foo' does NOT match 'this.foo', if you are looking for something in global (e.g. 'alert()' ), you need to add two rules: 'alert.()' and '$_any.alert()'
- Try the rule out in the experiment tab to test what it matches
Examples: See /common/template_rules.json and /common/rules.json
Run ScanJS in the browser
Run ScanJS from the command line
- Install node.js
scanner.js -t DIRECTORY_PATH
Tests use the mocha testing framework.
- or in the browser:
- testhit: The rule should match each of these statements individualy.
- testmiss: The rule should not match all of these statements.