scan_node is a zero-dependency, defensive SQL injection scanner for Node.js. It crawls a target web application, discovers input vectors, and evaluates responses for signs of SQLi vulnerabilities — all whilst remaining within the boundaries of authorised security testing.
- Overview
- Features
- Prerequisites
- Installation
- Usage
- Output Format
- Detection Methodology
- OWASP Top 10:2025 Mapping
- Legality and Authorised Use
- Disclaimer and Limitations
- Contributing
- Licence
scan_node is a command-line security tool written in pure JavaScript (ES Modules) that operates atop the Node.js runtime. It has been developed for penetration testers, security researchers, and application developers who require a lightweight, auditable instrument for identifying SQL injection flaws in web applications they own or are explicitly authorised to test.
The scanner functions in two distinct phases:
- Crawling — Starting from a supplied URL, it traverses up to N pages (configurable), extracting URL query parameters and HTML form inputs.
- Active Testing — For each discovered input vector, it dispatches baseline and payload-bearing HTTP requests, then evaluates the responses using heuristic analysis (error signature matching, boolean differential analysis, and HTTP status code comparison).
The current stable version is v3.0 (scanner_v3.js), which introduces safe mode, passive security header checks, extended payload sets, and OWASP-categorised findings.
| Feature | Description |
|---|---|
| Zero Dependencies | Utilises exclusively Node.js built-in modules; no npm install required. |
| Safe Mode by Default | Active SQLi payloads are disabled unless explicitly opted in (--safe=false). |
| Passive Security Checks | Evaluates HTTP security headers (HSTS, CSP, X-Content-Type-Options) and cookie attributes. |
| Extended Payloads | Optional UNION-based and time-based SQLi probes (--extended-payloads=true). |
| Boolean Differential Analysis | Compares responses for true/false boolean payloads to detect blind SQLi. |
| Multi-DBMS Error Detection | Recognises error signatures from MySQL, PostgreSQL, SQLite, MSSQL, and Oracle. |
| OWASP Top 10:2025 Tagging | Each finding is classified under the relevant OWASP category. |
| JSON Report Output | Structured, machine-readable report suitable for integration into CI/CD pipelines. |
| Custom Authentication | Supports cookies and arbitrary HTTP headers for authenticated scanning. |
- Node.js ≥ 18.x (required for native
fetch()andAbortSignal.timeout()) - Network access to the target application
- Written authorisation to test the target (see Legality and Authorised Use)
No installation step is necessary. Clone or download the repository and execute the scanner directly:
git clone https://github.com/adalbertobrant/scan_node.git
cd scan_node
node scanner_v3.js --helpnode scanner_v3.js <target-url>This initiates a crawl of the target URL (up to 20 pages by default), restricted to the same origin, in safe mode (passive checks only; no active SQLi payloads are dispatched).
Safe mode is the default operating mode. In this mode, the scanner performs only passive assessments:
- Crawls the target application and enumerates input vectors.
- Evaluates HTTP response headers for security misconfigurations.
- Inspects
Set-Cookieattributes for missingHttpOnly,Secure, andSameSiteflags. - Detects forms that use the
GETmethod (informational).
node scanner_v3.js https://example.comTo enable active SQL injection testing, set --safe=false:
node scanner_v3.js https://example.com --safe=falseThis instructs the scanner to dispatch SQLi-specific payloads (single quote, semicolons, boolean true/false probes) against each discovered input vector.
For comprehensive testing, enable extended payloads alongside active mode:
node scanner_v3.js https://example.com --safe=false --extended-payloads=trueExtended payloads include:
- UNION-based:
' UNION SELECT NULL-- - Time-based:
' OR SLEEP(3)-- - Comment-close:
')--
For scanning authenticated pages, supply cookies and/or custom headers:
# Cookie-based authentication
node scanner_v3.js https://example.com --cookie="session=abc123"
# Custom headers (repeatable)
node scanner_v3.js https://example.com --header="Authorization: Bearer token123" --header="X-Custom: value"| Flag | Default | Description |
|---|---|---|
--max-pages=N |
20 |
Maximum number of pages to crawl. |
--timeout=N |
8000 |
HTTP request timeout in milliseconds. |
--delay=N |
250 |
Delay between consecutive requests in milliseconds. |
--same-origin=true|false |
true |
Restrict crawling to the same origin as the target URL. |
--out=FILENAME |
report.json |
Path to the output report file. |
--cookie=VALUE |
— | Cookie header value to include in requests. |
--header="K: V" |
— | Custom HTTP header (may be repeated). |
--safe=true|false |
true |
When false, enables active SQLi payload testing. |
--extended-payloads=true|false |
false |
Include UNION and time-based payloads (requires --safe=false). |
--allow-http-fallback=true|false |
false |
Fall back to HTTP if HTTPS connection fails. |
--user-agent=STRING |
scan-node/3.0 |
Custom User-Agent header value. |
--concurrency=N |
1 |
Number of concurrent requests (experimental). |
The scanner produces a structured JSON report. The default output file is report.json.
The scanner employs the following heuristic techniques:
- Error-Based Detection — Matches response body content against 15 known SQL error signature patterns (MySQL, PostgreSQL, SQLite, MSSQL, Oracle).
- Boolean Differential Analysis — Sends paired
true/falseboolean payloads and compares responses using character-level similarity scoring. A similarity below 0.90 between paired responses indicates a likely SQLi. - HTTP Status Code Analysis — Detects unexpected status code changes between baseline and payload responses.
- Response Body Delta — Flags significant body size differences (>15% or >120 characters) between baseline and payload responses.
The v3 scanner additionally evaluates:
- Strict-Transport-Security presence on HTTPS endpoints.
- Content-Security-Policy header presence.
- X-Content-Type-Options header presence.
- Set-Cookie attributes (
HttpOnly,Secure,SameSite). - Form method (GET vs POST, informational).
| Finding Category | OWASP Classification |
|---|---|
| SQL Injection (Boolean, Error, UNION, Time-based) | A05:2025 — Injection |
| Missing Security Headers | A02:2025 — Security Misconfiguration |
| Insecure Cookie Attributes | A07:2025 — Identification and Authentication Failures |
This tool is designed and intended exclusively for:
- Authorised penetration testing of applications you own or have written permission to test.
- Security research conducted within legal and ethical boundaries.
- Educational purposes in controlled laboratory environments.
- Bug bounty programmes where the target falls within the defined scope.
The use of scan_node for the following purposes is strictly prohibited:
- Scanning, probing, or testing any system without explicit written authorisation from the system owner.
- Any activity that violates applicable local, national, or international laws or regulations.
- Unauthorised access to or interference with computer systems, networks, or data.
- Any form of malicious, disruptive, or unethical activity.
The user assumes full legal responsibility for all actions performed with this tool. The authors and contributors of scan_node bear no liability for misuse, damage, or legal consequences arising from the use of this software. It is the user's sole obligation to ensure that all testing activities comply with applicable legislation, including but not limited to:
- The Computer Misuse Act 1990 (United Kingdom)
- The Computer Fraud and Abuse Act (United States)
- The Lei Geral de Proteção de Dados (LGPD) (Brazil)
- The General Data Protection Regulation (GDPR) (European Union)
- Any other applicable computer crime or data protection legislation in the user's jurisdiction
IMPORTANT: This software is provided "as is", without warranty of any kind, express or implied. See the LICENCE file for full details.
- scan_node is not a substitute for professional security auditing or a comprehensive vulnerability scanner.
- It detects a subset of SQL injection vectors; it does not guarantee the discovery of all SQLi vulnerabilities.
- False positives may occur. All findings should be manually verified by a qualified security professional.
- The tool may cause side effects on the target application (e.g., error log entries, rate limiting, data modification via
INSERT/UPDATEpayloads). Users should exercise caution and employ test environments where possible. - Extended payloads (particularly
SLEEP()) may degrade target application performance. Use with discretion.
Contributions are welcome. Please ensure that all contributions:
- Maintain the zero-dependency philosophy.
- Include appropriate test cases.
- Follow the existing code style (ES Modules, no transpilation).
- Are accompanied by clear documentation of the change.
This project is licensed under the MIT Licence — the most permissive widely-recognised open-source licence. You may freely use, modify, and distribute this software for any purpose, including commercial use, provided the original copyright notice and licence notice are included.
See the LICENCE file for the full text, or visit opensource.org/licenses/MIT.
Developed for defensive security purposes. Use responsibly and lawfully.
{ "target": "https://example.com", "started_at": "2025-07-14T10:30:00.000Z", "scanner": "scan-node/3.0", "pages_crawled": 12, "pages_scanned": 8, "findings": [ { "type": "SQLi-Boolean", "confidence": "high", "url": "https://example.com/search?q=", "param": "q", "evidence": "SQL error pattern matched: mysql.*server version", "owasp": "A05:2025-Injection" } ], "passive_findings": [ { "type": "Missing-HSTS", "url": "https://example.com/", "severity": "medium", "description": "Strict-Transport-Security header is absent.", "owasp": "A02:2025-Security-Misconfiguration" } ], "interesting_headers": [ { "url": "https://example.com/", "server": "nginx/1.18.0" } ] }