README
Smorgasbord
Smorgasbord checks the provided endpoint(s) for a variety of served files that should not be exposed. The tool was inspired by a post reporting that 1 in every 600 websites has its .git directory exposed.
SECURITY NOTE: It is generally preferable to favor whitelists over blacklists: allow only the files that are meant to be served rather than trying to block the ones that are not. Furthermore, use a build process or a directory structure that places only the files intended for the webserver root in that root. Avoid serving the entire project root as the webserver root.
Usage
The tool may be invoked from the command line. Over time, however, it is intended to be used with CI/CD pipelines, actions and other automated workflows.
Install Globally
npm install -g @vapurrmaid/smorgasbord
Install Locally
npm install @vapurrmaid/smorgasbord
Command Line Interface
Usage: smorgasbord [options] [command]
Options:
-h, --help output usage information
Commands:
probe <uri> Probes uri for vulnerable resources.
Commands
Probe
Usage: smorgasbord probe [options] <uri>
Probes uri for vulnerable resources.
Options:
-c, --config <path> Provide a configuration for a customized probe.
The <path> arg should be a path to a JSON file.
--config-only Probe will be conducted for the specified --config only.
If a --config is not specified, the probe will not be conducted.
--dry-run Outputs all endpoints that would be probed without probing them.
-f, --filters <list> Probe will be conducted for the specified comma-separated filters only.
Filters: docker, git, npm, root
-v, --verbosity <level> Set the log level.
Levels: none|0, error|1, warn|2, info|3, verbose|4 (default: "info")
-h, --help output usage information
Example
smorgasbord probe https://google.com