Using Node.js to Parse a JSON File Generated from WPScan

#node #javascript #pentest

WPScan is a popular tool for performing security assessments on WordPress websites.
It generates a detailed report of any vulnerabilities it finds, including information about the affected plugin, theme, or version of WordPress.
We can generate a report (typically output as a JSON file), which can be difficult to parse and analyze manually.

In this tutorial, we will walk through how to use Node.js to parse a JSON file generated by WPScan and extract meaningful information from it.
We will also use the popular ExcelJS library to create an Excel spreadsheet with a table of all the vulnerabilities found by WPScan.

npm init -y
npm i exceljs

First, we will import the fs module and use the readFileSync function to read the JSON file into a string. Then, we will use JSON.parse to convert the string into a JavaScript object.

import { readFileSync } from "fs";

const file = readFileSync("./wpscan_output.json", "utf8");
const data = JSON.parse(file);

Next, we will extract the vulnerabilities found in the version of WordPress, the main theme, and the plugins.
We will store these vulnerabilities in separate arrays and then combine them into a single array using the spread operator (...).

const version_vulnerabilities = data.version.vulnerabilities;
const main_theme_vulnerabilities = data.main_theme.vulnerabilities;
const plugins_vulnerabilities = Object.values(data.plugins)
  .map((plugin) => plugin.vulnerabilities)
  .flat();
const vulnerabilities = [
  ...version_vulnerabilities,
  ...main_theme_vulnerabilities,
  ...plugins_vulnerabilities,
];

Now that we have all the vulnerabilities in a single array,
we can use ExcelJS to create an Excel spreadsheet with a table of these vulnerabilities.
We start by creating a new workbook and a new worksheet. Then, we define the columns of the table and their corresponding keys in the data.

import exceljs from "exceljs";

const workbook = new exceljs.Workbook();
const worksheet = workbook.addWorksheet("Vulnerabilities");
worksheet.columns = [
  { header: "Title", key: "title", width: 50 },
  { header: "Fixed in", key: "fixed_in", width: 10 },
  { header: "URL", key: "url", width: 50 },
  { header: "WPVulnDB", key: "wpvulndb", width: 50 },
  { header: "CVE", key: "cve", width: 50 },
];

Then, we can iterate through the vulnerabilities array and add a row to the table for each vulnerability.
We create an object for each vulnerability with the appropriate keys and values, and then pass this object to the addRow function.

vulnerabilities.forEach((vulnerability) => {
  let vulObj = {
    title: vulnerability.title,
    fixed_in: vulnerability.fixed_in,
    url: vulnerability.references.url,
    wpvulndb: vulnerability.references.wpvulndb?.join("\n") || "-",
    cve: vulnerability.references.cve?.join("\n") || "-",
  };
  worksheet.addRow(vulObj);
});

// make wrap text (optional)
worksheet.columns.forEach((column) => {
  column.style = { alignment: { wrapText: true } };
});

Finally, we can write the Excel file to disk using the writeFile function.

workbook.xlsx.writeFile("vulnerabilities.xlsx").then(() => {
  console.log("Excel file is written.");
});

Tada! The final code:

import { readFileSync } from "fs";
import exceljs from "exceljs";
const file = readFileSync("./wpscan_output.json", "utf8");
const data = JSON.parse(file);

const interesting_findings = data.interesting_findings;
const version_vulnerabilities = data.version.vulnerabilities;
const main_theme_vulnerabilities = data.main_theme.vulnerabilities;
const plugins_vulnerabilities = Object.values(data.plugins)
  .map((plugin) => plugin.vulnerabilities)
  .flat();
const vulnerabilities = [
  ...version_vulnerabilities,
  ...main_theme_vulnerabilities,
  ...plugins_vulnerabilities,
];
const workbook = new exceljs.Workbook();
const worksheet = workbook.addWorksheet("Vulnerabilities");
worksheet.columns = [
  { header: "Title", key: "title", width: 50 },
  { header: "Fixed in", key: "fixed_in", width: 10 },
  { header: "URL", key: "url", width: 50 },
  { header: "WPVulnDB", key: "wpvulndb", width: 50 },
  { header: "CVE", key: "cve", width: 50 },
];
const vulnerabilities_count = vulnerabilities.length;
console.log(
  `There are ${vulnerabilities_count} vulnerabilities in this website.`
);

vulnerabilities.forEach((vulnerability) => {
  let vulObj = {
    title: vulnerability.title,
    fixed_in: vulnerability.fixed_in,
    url: vulnerability.references.url,
    wpvulndb: vulnerability.references.wpvulndb?.join("\n") || "-",
    cve: vulnerability.references.cve?.join("\n") || "-",
  };
  worksheet.addRow(vulObj);
});

// wrap text
worksheet.columns.forEach((column) => {
  column.style = { alignment: { wrapText: true } };
});

workbook.xlsx.writeFile("vulnerabilities.xlsx").then(() => {
  console.log("Excel file is written.");
});

And that's it!
With just a few lines of code, we were able to parse a WPScan JSON report and create an Excel spreadsheet with a table of all the vulnerabilities found. This can be a useful tool for quickly analyzing the results of a WPScan scan and identifying areas that need to be fixed.

I hope you found this tutorial helpful.