Smorgasbord checks the provided endpoint(s) for a variety of served files that should not be exposed. The tool was inspired by a post detailing that 1 in every 600 websites has .git exposed.
SECURITY NOTE: It is generally preferable to favor whitelists over blacklists. Furthermore, it is advised to use a build process, or a directory structure, that places only the files intended to be served into the webserver root. Avoid serving the entire project root as the webserver root.
The tool can be invoked from the command line. Over time, it is intended that the tool can also be used from CI/CD, actions and other automated workflows.
npm install -g @vapurrmaid/smorgasbord
npm install @vapurrmaid/smorgasbord
Command Line Interface
Usage: smorgasbord [options] [command]

Options:
  -h, --help     output usage information

Commands:
  probe <uri>    Probes uri for vulnerable resources.

Usage: smorgasbord probe [options] <uri>

Probes uri for vulnerable resources.

Options:
  -c, --config <path>       Provide a configuration for a customized probe. The <path> arg should be a path to a JSON file.
  --config-only             Probe will be conducted for the specified --config only. If a --config is not specified, the probe will not be conducted.
  --dry-run                 Outputs all endpoints that would be probed without probing them.
  -f, --filters <list>      Probe will be conducted for the specified comma-separated filters only. Filters: docker, git, npm, root
  -v, --verbosity <level>   Set the log level. Levels: none|0, error|1, warn|2, info|3, verbose|4 (default: "info")
  -h, --help                output usage information
smorgasbord probe https://google.com
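The command above runs the published tool. As an added example that is not smorgasbord's own code, the following Node.js script shows the kind of check such a probe performs against your own deployment, together with the caveat a practitioner hits first: a site with a catch-all route answers 200 for every path, so a hit should be reported only when the body also looks like the real artifact. The path list (one or two paths per docker/git/npm/root filter), the `looksReal` heuristics, the injected `fetchText` interface and the constructed sample site are all assumptions, not the tool's actual list or configuration format.

```javascript
// Added example, not smorgasbord's own code: probe a base URL for files of the
// kinds the git/npm/docker/root filters are about. A hit needs a 200 status
// AND a body that looks like the real artifact, because SPA-style fallbacks
// return 200 with HTML for any path. Path list and heuristics are illustrative.

const CHECKS = [
  { filter: "git", path: "/.git/HEAD",
    looksReal: b => /^(ref: refs\/\S+|[0-9a-f]{40})\s*$/.test(b) },
  { filter: "git", path: "/.git/config",
    looksReal: b => /^\s*\[core\]/m.test(b) },
  { filter: "npm", path: "/package.json",
    looksReal: b => {
      try {
        const o = JSON.parse(b);
        return !!o && typeof o === "object" && ("name" in o || "dependencies" in o);
      } catch { return false; }
    } },
  { filter: "npm", path: "/.npmrc",
    looksReal: b => /^\s*[^#\s=]+\s*=/m.test(b) },
  { filter: "docker", path: "/Dockerfile",
    looksReal: b => /^\s*FROM\s+\S+/m.test(b) },
  { filter: "docker", path: "/docker-compose.yml",
    looksReal: b => /^\s*services\s*:/m.test(b) },
  { filter: "root", path: "/.env",
    looksReal: b => /^[A-Za-z_][A-Za-z0-9_]*=/m.test(b) },
];

// Pure decision: does this (status, body) pair show the check's file is exposed?
function isExposed(check, status, body) {
  return status === 200 && typeof body === "string" && check.looksReal(body);
}

// fetchText(url) -> Promise<{ status, body }>. Injected so a CI job can pass a
// real HTTP client while tests pass a stub. filters mirrors the -f option:
// null means all filters, otherwise an array such as ["git", "npm"].
async function probe(baseUrl, fetchText, filters = null) {
  const findings = [];
  for (const check of CHECKS) {
    if (filters && !filters.includes(check.filter)) continue;
    const url = new URL(check.path, baseUrl).toString();
    let resp;
    try {
      resp = await fetchText(url);
    } catch (err) {
      continue; // unreachable endpoint: nothing to report for this path
    }
    if (isExposed(check, resp.status, resp.body)) {
      findings.push({ filter: check.filter, url });
    }
  }
  return findings;
}

// Real client (assumes Node 18+ for global fetch). Redirects are not followed,
// so a site that redirects every unknown path to / cannot masquerade as a hit.
async function httpFetchText(url) {
  const r = await fetch(url, { redirect: "manual" });
  return { status: r.status, body: await r.text() };
}

// Constructed stand-in for a site whose fallback route answers 200 with HTML
// for every unknown path, but which really does expose .git/HEAD and .env.
const HTML_FALLBACK = "<!doctype html><html><body>app</body></html>";
const SAMPLE_SITE = {
  "/.git/HEAD": "ref: refs/heads/main\n",
  "/.env": "DATABASE_URL=postgres://user:pass@db/app\n",
};
function fakeFetchText(url) {
  const p = new URL(url).pathname;
  return Promise.resolve({ status: 200, body: SAMPLE_SITE[p] ?? HTML_FALLBACK });
}

module.exports = { CHECKS, isExposed, probe, httpFetchText, fakeFetchText };
```

In a CI step you would call `probe("https://staging.example", httpFetchText)` and fail the job when the returned array is non-empty; against the constructed sample site, `probe("https://example.invalid", fakeFetchText)` reports exactly the git and root findings and ignores the five paths that only returned the HTML fallback.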