
esflow

v0.1.31

Published

Elegant, Fast JavaScript static security analyzer for finding issues like DOM XSS.

Readme

esflow

Elegant, Fast JavaScript static security analyzer for finding issues like DOM XSS.


Installation

Install esflow as a command line tool (might require sudo permission):

npm install -g esflow

Usage

   esflow -v                     : Prints the current version
   esflow https://example.com    : Scans for all embedded js code in example.com
   esflow https://example.com -a : Scans for all embedded js code in example.com and all included js files
   esflow ./                     : Scans all the JS files in the current directory
   esflow ./test.js              : Scans a specific JS file
   esflow -h                     : Show this help menu

Analyzing your source code

You can scan a website for its JavaScript code like this:

$ esflow https://public-firing-range.appspot.com/dom/toxicdom/window/name/innerHtml

If you want to scan all the script files in the webpage, just add -a at the end.

$ esflow http://damnvulnerable.me/domxss/cookie_to_innerhtml -a

You can also run esflow on a specific file or on a directory:

esflow fileName.js

or

esflow ./

Extending esflow to write your own sources and sinks

git clone https://github.com/skepticfx/esflow.git
cd esflow
npm install

And then use it like this:

var esflow = require('./index.js');

// The code to analyze
var code = require('fs').readFileSync('./inputs/basic.js', 'utf8');

// Define sources (where attacker-controlled data enters) and sinks (where it becomes dangerous)
var sources = ['document.cookie', 'location.href', 'location.hash', 'window.name'];
var sinks = ['.innerHTML', '.outerHTML', '$', 'jQuery', 'eval', 'setTimeout', 'document.write'];
// A special sink is only dangerous for certain argument values, e.g. setAttribute('href', ...) or setAttribute('onclick', ...)
var specialSinks = [{'calleeName': '.setAttribute', 'argumentPosition': 1, 'argumentValue': ['onclick', 'href']}];
// Filters are functions that sanitize a flow; filter support is still a TODO (see Goals), so this list is not passed to analyze() yet
var filters = ['escape', 'encodeURI', 'encodeHTML', 'clean'];

var result = esflow.analyze(code, {sources: sources, sinks: sinks, specialSinks: specialSinks});

// Flows from a source into an assignment sink (e.g. el.innerHTML = location.hash)
console.log(result.assignmentPairs);
// Flows from a source into a function-call sink (e.g. eval(window.name))
console.log(result.functionCallPairs);

You can also run node runner.js fileName.js to analyze the ./fileName.js file.
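To make the meaning of the sources, sinks, specialSinks and filters lists concrete, here is an added example that is not esflow's own code: a miniature, line-oriented source/sink matcher that reports the same two kinds of result (assignment pairs and function-call pairs) over a constructed sample. esflow walks a real AST; this toy handles one statement per line with regular expressions and is for illustration only. It assumes that argumentPosition in a special sink is 1-based and names the argument that must be a string literal from argumentValue, and it applies the filters list (which esflow itself still lists as a TODO).

```javascript
// Added example (not esflow's own code): a toy source/sink matcher that shows what
// sources, sinks, specialSinks and filters mean and what an assignmentPair or
// functionCallPair reports. One statement per line, regex-based, illustration only.

const SOURCES = ['document.cookie', 'location.href', 'location.hash', 'window.name'];
const SINKS = ['.innerHTML', '.outerHTML', 'eval', 'setTimeout', 'document.write'];
// Assumption: argumentPosition is 1-based and names the argument that must be a
// string literal listed in argumentValue for the call to count as a sink.
const SPECIAL_SINKS = [{ calleeName: '.setAttribute', argumentPosition: 1, argumentValue: ['onclick', 'href'] }];
const FILTERS = ['escape', 'encodeURI', 'encodeHTML', 'clean'];

// Constructed sample input (not one of esflow's fixtures).
const SAMPLE = [
  "var name = window.name;",                                    // 1: source -> variable
  "document.getElementById('out').innerHTML = name;",           // 2: tainted assignment sink
  "document.getElementById('safe').innerHTML = escape(name);",  // 3: filtered, not reported
  "var h = location.hash.substring(1);",                        // 4: source -> variable
  "link.setAttribute('href', h);",                              // 5: special sink, attribute listed
  "link.setAttribute('title', h);",                             // 6: attribute not listed
  "setTimeout(h, 100);",                                        // 7: function-call sink
  "console.log(h);",                                            // 8: not a sink
];

const IDENT = /^[A-Za-z_]\w*$/;

// Split a call's argument text on top-level commas (nested parentheses stay intact).
function splitArgs(argText) {
  const args = [];
  let depth = 0, cur = '';
  for (const ch of argText) {
    if (ch === '(') depth++;
    if (ch === ')') depth--;
    if (ch === ',' && depth === 0) { args.push(cur.trim()); cur = ''; continue; }
    cur += ch;
  }
  if (cur.trim()) args.push(cur.trim());
  return args;
}

// Which source (if any) an expression carries. `tainted` maps identifiers to the source
// they were assigned from. An expression that is entirely a filter call, e.g. escape(name),
// is treated as sanitized.
function taintOf(expr, tainted) {
  const e = expr.trim();
  const wrapped = e.match(/^([A-Za-z_]\w*)\s*\(.*\)$/);
  if (wrapped && FILTERS.includes(wrapped[1])) return null;
  for (const src of SOURCES) if (e.includes(src)) return src;
  for (const id of Object.keys(tainted)) {
    if (new RegExp('\\b' + id + '\\b').test(e)) return tainted[id];
  }
  return null;
}

// A sink written with a leading dot ('.innerHTML') matches any object's property;
// a bare name ('eval') must match the callee exactly.
function matchesSink(name, sink) {
  return sink.startsWith('.') ? name.endsWith(sink) : name === sink;
}

function analyze(lines) {
  const tainted = {};
  const assignmentPairs = [];
  const functionCallPairs = [];

  lines.forEach((raw, i) => {
    const line = raw.trim().replace(/;$/, '');
    const lineNo = i + 1;

    // Assignment: [var] lhs = rhs  (a single '=', not '==')
    const asg = line.match(/^(?:var\s+|let\s+|const\s+)?([\w.$()'"\[\]]+?)\s*=(?!=)\s*(.+)$/);
    if (asg) {
      const [, lhs, rhs] = asg;
      const src = taintOf(rhs, tainted);
      const sink = SINKS.find(s => matchesSink(lhs, s));
      if (src && sink) assignmentPairs.push({ line: lineNo, source: src, sink });
      else if (IDENT.test(lhs)) {
        if (src) tainted[lhs] = src;   // propagate taint through the variable
        else delete tainted[lhs];      // overwritten with clean data
      }
      return;
    }

    // Function call: callee(args)
    const call = line.match(/^([\w.$]+)\s*\((.*)\)$/);
    if (!call) return;
    const [, callee, argText] = call;
    const args = splitArgs(argText);

    const sink = SINKS.find(s => matchesSink(callee, s));
    if (sink) {
      args.forEach((a, pos) => {
        const src = taintOf(a, tainted);
        if (src) functionCallPairs.push({ line: lineNo, source: src, sink, argument: pos + 1 });
      });
    }

    for (const sp of SPECIAL_SINKS) {
      if (!matchesSink(callee, sp.calleeName)) continue;
      const selector = (args[sp.argumentPosition - 1] || '').replace(/^['"]|['"]$/g, '');
      if (!sp.argumentValue.includes(selector)) continue;   // e.g. setAttribute('title', ...) is harmless
      args.forEach((a, pos) => {
        if (pos === sp.argumentPosition - 1) return;
        const src = taintOf(a, tainted);
        if (src) functionCallPairs.push({ line: lineNo, source: src, sink: sp.calleeName + '(' + selector + ')', argument: pos + 1 });
      });
    }
  });

  return { assignmentPairs, functionCallPairs };
}

console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```

Running it reports one assignment pair (window.name reaching .innerHTML on line 2) and two function-call pairs (location.hash reaching setAttribute('href', ...) on line 5 and setTimeout on line 7); the escape()-wrapped assignment on line 3 and the setAttribute('title', ...) call on line 6 are not reported. The same false-negative caveat as in the Warning section applies many times over to a toy like this: anything split across lines, aliased through an object property, or reaching a sink through a helper function is missed.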

Testing

npm test
npm run testAll

All tests are under ./test/. Take a look at ./test/assignments.test.js & ./test/functionCalls.test.js and their respective fixtures to get an idea.

Running benchmarks

npm run testFiringRange

Goals

  • Find DOM XSS for usual coding patterns.
  • Should be easily extensible to any framework like NodeJS, AngularJS, or any X-Library.
  • Should provide a way to specify filters such as escape(), encodeURIComponent and custom filter functions, and not flag a flow that passes through one of them as vulnerable. (TODO)
  • False positives and negatives are common; we focus on the coding patterns of given frameworks and on improving detection for those.
  • Should always run to completion: never get stuck in infinite recursion or exhaust the call stack; tail-call optimize where possible.

Warning!

Static analyzers are usually dumb and easily miss a valid vulnerability or report an invalid issue as a vulnerability. It's an island full of false positives and negatives.

Please file an issue when you see any insanely unexpected results and we can work towards fixing that ASAP, if the issue makes sense.