@clear-capabilities/agentic-security-scanner 0.76.1 → 0.78.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/.agentic-security/findings.json +320 -9
- package/bin/.agentic-security/last-scan.json +320 -9
- package/bin/.agentic-security/last-scan.json.sig +1 -1
- package/bin/.agentic-security/scan-history.json +17 -377
- package/bin/.agentic-security/streak.json +11 -16
- package/bin/agentic-security.js +33 -2
- package/dist/178.index.js +1 -1
- package/dist/384.index.js +1 -1
- package/dist/637.index.js +1 -1
- package/dist/718.index.js +106 -0
- package/dist/824.index.js +126 -0
- package/dist/838.index.js +1 -1
- package/dist/agentic-security.mjs +32 -32
- package/dist/agentic-security.mjs.sha256 +1 -1
- package/package.json +7 -7
- package/src/.agentic-security/findings.json +5731 -3933
- package/src/.agentic-security/last-scan.json +5731 -3933
- package/src/.agentic-security/last-scan.json.sig +1 -1
- package/src/.agentic-security/scan-history.json +2533 -887
- package/src/.agentic-security/streak.json +11 -16
- package/src/dataflow/.agentic-security/findings.json +52 -24
- package/src/dataflow/.agentic-security/last-scan.json +52 -24
- package/src/dataflow/.agentic-security/last-scan.json.sig +1 -1
- package/src/dataflow/.agentic-security/scan-history.json +101 -134
- package/src/dataflow/.agentic-security/streak.json +8 -10
- package/src/dataflow/async-sequencing.js +16 -7
- package/src/dataflow/builtin-summaries.js +131 -0
- package/src/dataflow/catalog.js +107 -0
- package/src/dataflow/cross-repo.js +75 -1
- package/src/dataflow/engine.js +129 -0
- package/src/dataflow/implicit-flow.js +24 -6
- package/src/dataflow/stub-aware-filter.js +69 -11
- package/src/dataflow/summaries.js +28 -3
- package/src/engine-parallel.js +70 -0
- package/src/engine.js +165 -15
- package/src/ir/.agentic-security/findings.json +757 -16
- package/src/ir/.agentic-security/last-scan.json +757 -16
- package/src/ir/.agentic-security/last-scan.json.sig +1 -1
- package/src/ir/.agentic-security/scan-history.json +545 -138
- package/src/ir/.agentic-security/streak.json +11 -13
- package/src/ir/index.js +22 -1
- package/src/ir/parser-go.js +403 -0
- package/src/ir/parser-js.js +2 -0
- package/src/ir/parser-php.js +330 -0
- package/src/ir/parser-py.helper.py +137 -11
- package/src/ir/parser-rb.js +309 -0
- package/src/posture/.agentic-security/findings.json +407 -84
- package/src/posture/.agentic-security/last-scan.json +407 -84
- package/src/posture/.agentic-security/last-scan.json.sig +1 -1
- package/src/posture/.agentic-security/scan-history.json +16 -4923
- package/src/posture/.agentic-security/streak.json +10 -14
- package/src/posture/calibration.js +14 -0
- package/src/posture/triage.js +13 -0
- package/src/report/.agentic-security/findings.json +6 -5
- package/src/report/.agentic-security/last-scan.json +6 -5
- package/src/report/.agentic-security/last-scan.json.sig +1 -1
- package/src/report/.agentic-security/scan-history.json +3 -300
- package/src/report/.agentic-security/streak.json +7 -8
- package/src/report/index.js +23 -2
- package/src/sast/.agentic-security/findings.json +195 -56
- package/src/sast/.agentic-security/last-scan.json +195 -56
- package/src/sast/.agentic-security/last-scan.json.sig +1 -1
- package/src/sast/.agentic-security/scan-history.json +14 -394
- package/src/sast/.agentic-security/streak.json +10 -13
- package/src/sast/cache-poisoning.js +77 -0
- package/src/sast/comparison-safety.js +73 -0
- package/src/sast/db-taint.js +54 -0
- package/src/sast/graphql.js +127 -0
- package/src/sast/llm-stored-prompt.js +57 -0
- package/src/sast/mutation-xss.js +43 -0
- package/src/sast/nosql-injection.js +5 -0
- package/src/sast/null-byte-injection.js +76 -0
- package/src/sast/redos-nfa.js +338 -0
- package/src/sast/sensitive-data-logging.js +73 -0
- package/src/sast/weak-password-hash.js +77 -0
- package/src/sast/weak-randomness.js +100 -0
- package/src/sca/.agentic-security/findings.json +502 -11
- package/src/sca/.agentic-security/last-scan.json +502 -11
- package/src/sca/.agentic-security/last-scan.json.sig +1 -1
- package/src/sca/.agentic-security/scan-history.json +19 -1
- package/src/sca/.agentic-security/streak.json +6 -6
- package/src/sca/llm-function-extract.js +107 -0
- package/src/sca/vendor-detect.js +91 -0
- package/dist/218.index.js +0 -793
- package/dist/601.index.js +0 -1038
- package/dist/634.index.js +0 -1892
- package/src/integrations/.agentic-security/findings.json +0 -1504
- package/src/integrations/.agentic-security/last-scan.json +0 -1504
- package/src/integrations/.agentic-security/scan-history.json +0 -40
- package/src/integrations/.agentic-security/streak.json +0 -21
- package/src/llm-validator/.agentic-security/findings.json +0 -1891
- package/src/llm-validator/.agentic-security/last-scan.json +0 -1891
- package/src/llm-validator/.agentic-security/last-scan.json.sig +0 -1
- package/src/llm-validator/.agentic-security/scan-history.json +0 -168
- package/src/llm-validator/.agentic-security/streak.json +0 -20
- package/src/lsp/.agentic-security/findings.json +0 -28
- package/src/lsp/.agentic-security/last-scan.json +0 -28
- package/src/lsp/.agentic-security/scan-history.json +0 -79
- package/src/lsp/.agentic-security/streak.json +0 -22
- package/src/mcp/.agentic-security/findings.json +0 -8403
- package/src/mcp/.agentic-security/last-scan.json +0 -8403
- package/src/mcp/.agentic-security/last-scan.json.sig +0 -1
- package/src/mcp/.agentic-security/scan-history.json +0 -1182
- package/src/mcp/.agentic-security/streak.json +0 -22
- package/src/sast/bench-shape/.agentic-security/findings.json +0 -28
- package/src/sast/bench-shape/.agentic-security/last-scan.json +0 -28
- package/src/sast/bench-shape/.agentic-security/scan-history.json +0 -24
- package/src/sast/bench-shape/.agentic-security/streak.json +0 -22
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
{
|
|
2
|
-
"scanId": "
|
|
3
|
-
"startedAt": "2026-05-
|
|
4
|
-
"durationMs":
|
|
2
|
+
"scanId": "ea560b58-b8fa-4f5e-9e91-bdcd30277723",
|
|
3
|
+
"startedAt": "2026-05-27T09:43:27.404Z",
|
|
4
|
+
"durationMs": 2801,
|
|
5
5
|
"scanned": {
|
|
6
|
-
"files":
|
|
6
|
+
"files": 79,
|
|
7
7
|
"lines": 0
|
|
8
8
|
},
|
|
9
9
|
"findings": [
|
|
@@ -86,7 +86,9 @@
|
|
|
86
86
|
"comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
|
|
87
87
|
"confidence": "low",
|
|
88
88
|
"narrative": "Always-True Authorization Clause on `logic.js:14` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
|
|
89
|
-
}
|
|
89
|
+
},
|
|
90
|
+
"parser": "LOGIC",
|
|
91
|
+
"family": null
|
|
90
92
|
},
|
|
91
93
|
{
|
|
92
94
|
"id": "logic:logic.js:15:Always-True_Authorization_Clause",
|
|
@@ -167,7 +169,9 @@
|
|
|
167
169
|
"comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
|
|
168
170
|
"confidence": "low",
|
|
169
171
|
"narrative": "Always-True Authorization Clause on `logic.js:15` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
|
|
170
|
-
}
|
|
172
|
+
},
|
|
173
|
+
"parser": "LOGIC",
|
|
174
|
+
"family": null
|
|
171
175
|
},
|
|
172
176
|
{
|
|
173
177
|
"id": "spec-drift:rate-limit-impl:rate-limit.js:34",
|
|
@@ -273,6 +277,7 @@
|
|
|
273
277
|
"unvalidated": true,
|
|
274
278
|
"cross_language": false,
|
|
275
279
|
"family": "spec-drift",
|
|
280
|
+
"parser": null,
|
|
276
281
|
"_unsigned": false,
|
|
277
282
|
"_passThroughSigning": false,
|
|
278
283
|
"signatureStatus": "verified",
|
|
@@ -456,6 +461,7 @@
|
|
|
456
461
|
"unvalidated": true,
|
|
457
462
|
"cross_language": false,
|
|
458
463
|
"family": "spec-drift",
|
|
464
|
+
"parser": null,
|
|
459
465
|
"_unsigned": false,
|
|
460
466
|
"_passThroughSigning": false,
|
|
461
467
|
"signatureStatus": "verified",
|
|
@@ -614,7 +620,9 @@
|
|
|
614
620
|
"comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
|
|
615
621
|
"confidence": "low",
|
|
616
622
|
"narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `claude-settings.js:40` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
|
|
617
|
-
}
|
|
623
|
+
},
|
|
624
|
+
"parser": "LOGIC",
|
|
625
|
+
"family": null
|
|
618
626
|
},
|
|
619
627
|
{
|
|
620
628
|
"id": "8fd4ef61e2c21a32",
|
|
@@ -695,7 +703,9 @@
|
|
|
695
703
|
"comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
|
|
696
704
|
"confidence": "low",
|
|
697
705
|
"narrative": "Known-Broken Code Marker Near Security-Sensitive Logic on `fastapi-hardening.js:115` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
|
|
698
|
-
}
|
|
706
|
+
},
|
|
707
|
+
"parser": "LOGIC",
|
|
708
|
+
"family": null
|
|
699
709
|
},
|
|
700
710
|
{
|
|
701
711
|
"id": "16b8a05bc091da14",
|
|
@@ -776,7 +786,9 @@
|
|
|
776
786
|
"comparable": "ReDoS in Express: single regex pin a Node process for 100% CPU",
|
|
777
787
|
"confidence": "low",
|
|
778
788
|
"narrative": "Regex ReDoS — Catastrophic Backtracking on `java-bench-extras.js:670` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: ReDoS in Express: single regex pin a Node process for 100% CPU."
|
|
779
|
-
}
|
|
789
|
+
},
|
|
790
|
+
"parser": "LOGIC",
|
|
791
|
+
"family": null
|
|
780
792
|
},
|
|
781
793
|
{
|
|
782
794
|
"id": "3757a4bc8b71e6d6",
|
|
@@ -857,7 +869,9 @@
|
|
|
857
869
|
"comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
|
|
858
870
|
"confidence": "low",
|
|
859
871
|
"narrative": "Known-Broken Code Marker Near Security-Sensitive Logic on `java-bench-extras.js:256` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
|
|
860
|
-
}
|
|
872
|
+
},
|
|
873
|
+
"parser": "LOGIC",
|
|
874
|
+
"family": null
|
|
861
875
|
},
|
|
862
876
|
{
|
|
863
877
|
"id": "84929b548bd6ce4d",
|
|
@@ -938,7 +952,9 @@
|
|
|
938
952
|
"comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
|
|
939
953
|
"confidence": "low",
|
|
940
954
|
"narrative": "Known-Broken Code Marker Near Security-Sensitive Logic on `java-bench-extras.js:257` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
|
|
941
|
-
}
|
|
955
|
+
},
|
|
956
|
+
"parser": "LOGIC",
|
|
957
|
+
"family": null
|
|
942
958
|
},
|
|
943
959
|
{
|
|
944
960
|
"id": "5ca3008c9142f65a",
|
|
@@ -1019,7 +1035,9 @@
|
|
|
1019
1035
|
"comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
|
|
1020
1036
|
"confidence": "low",
|
|
1021
1037
|
"narrative": "Coupon/Discount Reuse Risk on `llm-owasp.js:37` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
|
|
1022
|
-
}
|
|
1038
|
+
},
|
|
1039
|
+
"parser": "LOGIC",
|
|
1040
|
+
"family": null
|
|
1023
1041
|
},
|
|
1024
1042
|
{
|
|
1025
1043
|
"id": "5ca3008c9142f65a",
|
|
@@ -1100,7 +1118,9 @@
|
|
|
1100
1118
|
"comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
|
|
1101
1119
|
"confidence": "low",
|
|
1102
1120
|
"narrative": "Coupon/Discount Reuse Risk on `llm-owasp.js:37` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
|
|
1103
|
-
}
|
|
1121
|
+
},
|
|
1122
|
+
"parser": "LOGIC",
|
|
1123
|
+
"family": null
|
|
1104
1124
|
},
|
|
1105
1125
|
{
|
|
1106
1126
|
"id": "logic:logic.js:34:Client-Controlled_Discount/Coupon",
|
|
@@ -1181,7 +1201,92 @@
|
|
|
1181
1201
|
"comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
|
|
1182
1202
|
"confidence": "low",
|
|
1183
1203
|
"narrative": "Client-Controlled Discount/Coupon on `logic.js:34` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
|
|
1184
|
-
}
|
|
1204
|
+
},
|
|
1205
|
+
"parser": "LOGIC",
|
|
1206
|
+
"family": null
|
|
1207
|
+
},
|
|
1208
|
+
{
|
|
1209
|
+
"id": "d681e919e5fdd8db",
|
|
1210
|
+
"kind": "logic",
|
|
1211
|
+
"severity": "medium",
|
|
1212
|
+
"vuln": "Weak Randomness",
|
|
1213
|
+
"cwe": "CWE-330",
|
|
1214
|
+
"stride": "Spoofing",
|
|
1215
|
+
"file": "weak-randomness.js",
|
|
1216
|
+
"line": 23,
|
|
1217
|
+
"snippet": "{ re: /\\bMath\\.random\\s*\\(\\s*\\)/g, label: 'Math.random()' },",
|
|
1218
|
+
"fix": {
|
|
1219
|
+
"description": "Use crypto.randomBytes or crypto.randomUUID for security-sensitive values.",
|
|
1220
|
+
"code": "// BEFORE\nconst token = Math.random().toString(36);\n\n// AFTER\nconst token = crypto.randomBytes(32).toString('hex');"
|
|
1221
|
+
},
|
|
1222
|
+
"blastRadius": {
|
|
1223
|
+
"scope": "all-users",
|
|
1224
|
+
"dataAtRisk": [
|
|
1225
|
+
"config"
|
|
1226
|
+
],
|
|
1227
|
+
"userCount": 50,
|
|
1228
|
+
"industry": "generic",
|
|
1229
|
+
"jurisdictions": [],
|
|
1230
|
+
"controlsApplied": [],
|
|
1231
|
+
"dollarBest": 23250,
|
|
1232
|
+
"dollarLikely": 136250,
|
|
1233
|
+
"dollarWorst": 775000,
|
|
1234
|
+
"dollarLow": 23250,
|
|
1235
|
+
"dollarHigh": 775000,
|
|
1236
|
+
"components": {
|
|
1237
|
+
"incidentResponse": {
|
|
1238
|
+
"low": 8000,
|
|
1239
|
+
"likely": 50000,
|
|
1240
|
+
"high": 250000
|
|
1241
|
+
},
|
|
1242
|
+
"legal": {
|
|
1243
|
+
"low": 10000,
|
|
1244
|
+
"likely": 75000,
|
|
1245
|
+
"high": 500000
|
|
1246
|
+
},
|
|
1247
|
+
"crisisPR": {
|
|
1248
|
+
"low": 0,
|
|
1249
|
+
"likely": 0,
|
|
1250
|
+
"high": 0
|
|
1251
|
+
},
|
|
1252
|
+
"notification": {
|
|
1253
|
+
"low": 5000,
|
|
1254
|
+
"likely": 10000,
|
|
1255
|
+
"high": 15000
|
|
1256
|
+
},
|
|
1257
|
+
"creditMonitoring": {
|
|
1258
|
+
"low": 0,
|
|
1259
|
+
"likely": 0,
|
|
1260
|
+
"high": 0
|
|
1261
|
+
},
|
|
1262
|
+
"regulatoryFines": {
|
|
1263
|
+
"low": 0,
|
|
1264
|
+
"likely": 0,
|
|
1265
|
+
"high": 0
|
|
1266
|
+
},
|
|
1267
|
+
"directDamage": {
|
|
1268
|
+
"low": 250,
|
|
1269
|
+
"likely": 1250,
|
|
1270
|
+
"high": 10000
|
|
1271
|
+
},
|
|
1272
|
+
"classAction": {
|
|
1273
|
+
"low": 0,
|
|
1274
|
+
"likely": 0,
|
|
1275
|
+
"high": 0
|
|
1276
|
+
},
|
|
1277
|
+
"lostBusiness": {
|
|
1278
|
+
"low": 0,
|
|
1279
|
+
"likely": 0,
|
|
1280
|
+
"high": 0
|
|
1281
|
+
}
|
|
1282
|
+
},
|
|
1283
|
+
"dominantDriver": "legal counsel",
|
|
1284
|
+
"comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
|
|
1285
|
+
"confidence": "low",
|
|
1286
|
+
"narrative": "Weak Randomness on `weak-randomness.js:23` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
|
|
1287
|
+
},
|
|
1288
|
+
"parser": "LOGIC",
|
|
1289
|
+
"family": null
|
|
1185
1290
|
},
|
|
1186
1291
|
{
|
|
1187
1292
|
"id": "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
|
|
@@ -1293,6 +1398,7 @@
|
|
|
1293
1398
|
"unvalidated": true,
|
|
1294
1399
|
"cross_language": false,
|
|
1295
1400
|
"family": "idor",
|
|
1401
|
+
"parser": "REGEX",
|
|
1296
1402
|
"_unsigned": false,
|
|
1297
1403
|
"_passThroughSigning": false,
|
|
1298
1404
|
"signatureStatus": "verified",
|
|
@@ -1386,7 +1492,7 @@
|
|
|
1386
1492
|
"whyFired": {
|
|
1387
1493
|
"detector": "sast/idor",
|
|
1388
1494
|
"ruleId": "CWE-347",
|
|
1389
|
-
"parser": "
|
|
1495
|
+
"parser": "REGEX",
|
|
1390
1496
|
"evidence": {
|
|
1391
1497
|
"sinkSnippet": "// We require: a `jwt.verify(` call within ~200 chars of a missing `algorithms`",
|
|
1392
1498
|
"sourceSnippet": null,
|
|
@@ -1526,6 +1632,7 @@
|
|
|
1526
1632
|
"unvalidated": true,
|
|
1527
1633
|
"cross_language": false,
|
|
1528
1634
|
"family": "client-side-eval-with-dynamic-input",
|
|
1635
|
+
"parser": "REGEX",
|
|
1529
1636
|
"_unsigned": false,
|
|
1530
1637
|
"_passThroughSigning": false,
|
|
1531
1638
|
"signatureStatus": "verified",
|
|
@@ -1614,7 +1721,7 @@
|
|
|
1614
1721
|
"whyFired": {
|
|
1615
1722
|
"detector": "sast/client-side-eval-with-dynamic-input",
|
|
1616
1723
|
"ruleId": "CWE-95",
|
|
1617
|
-
"parser": "
|
|
1724
|
+
"parser": "REGEX",
|
|
1618
1725
|
"evidence": {
|
|
1619
1726
|
"sinkSnippet": null,
|
|
1620
1727
|
"sourceSnippet": null,
|
|
@@ -1749,6 +1856,7 @@
|
|
|
1749
1856
|
"unvalidated": true,
|
|
1750
1857
|
"cross_language": false,
|
|
1751
1858
|
"family": "client-side-eval-with-dynamic-input",
|
|
1859
|
+
"parser": "REGEX",
|
|
1752
1860
|
"_unsigned": false,
|
|
1753
1861
|
"_passThroughSigning": false,
|
|
1754
1862
|
"signatureStatus": "verified",
|
|
@@ -1837,7 +1945,7 @@
|
|
|
1837
1945
|
"whyFired": {
|
|
1838
1946
|
"detector": "sast/client-side-eval-with-dynamic-input",
|
|
1839
1947
|
"ruleId": "CWE-95",
|
|
1840
|
-
"parser": "
|
|
1948
|
+
"parser": "REGEX",
|
|
1841
1949
|
"evidence": {
|
|
1842
1950
|
"sinkSnippet": null,
|
|
1843
1951
|
"sourceSnippet": null,
|
|
@@ -1972,6 +2080,7 @@
|
|
|
1972
2080
|
"unvalidated": true,
|
|
1973
2081
|
"cross_language": false,
|
|
1974
2082
|
"family": "client-side-eval-with-dynamic-input",
|
|
2083
|
+
"parser": "REGEX",
|
|
1975
2084
|
"_unsigned": false,
|
|
1976
2085
|
"_passThroughSigning": false,
|
|
1977
2086
|
"signatureStatus": "verified",
|
|
@@ -2060,7 +2169,7 @@
|
|
|
2060
2169
|
"whyFired": {
|
|
2061
2170
|
"detector": "sast/client-side-eval-with-dynamic-input",
|
|
2062
2171
|
"ruleId": "CWE-95",
|
|
2063
|
-
"parser": "
|
|
2172
|
+
"parser": "REGEX",
|
|
2064
2173
|
"evidence": {
|
|
2065
2174
|
"sinkSnippet": null,
|
|
2066
2175
|
"sourceSnippet": null,
|
|
@@ -2198,6 +2307,7 @@
|
|
|
2198
2307
|
"unvalidated": true,
|
|
2199
2308
|
"cross_language": false,
|
|
2200
2309
|
"family": "prompt-injection-system-prompt-built-fro",
|
|
2310
|
+
"parser": "REGEX",
|
|
2201
2311
|
"_unsigned": false,
|
|
2202
2312
|
"_passThroughSigning": false,
|
|
2203
2313
|
"signatureStatus": "verified",
|
|
@@ -2286,7 +2396,7 @@
|
|
|
2286
2396
|
"whyFired": {
|
|
2287
2397
|
"detector": "sast/prompt-injection-system-prompt-built-fro",
|
|
2288
2398
|
"ruleId": "CWE-1427",
|
|
2289
|
-
"parser": "
|
|
2399
|
+
"parser": "REGEX",
|
|
2290
2400
|
"evidence": {
|
|
2291
2401
|
"sinkSnippet": "// \"system\": SYSTEM_PROMPT + \"\\n\" + context",
|
|
2292
2402
|
"sourceSnippet": null,
|
|
@@ -2424,6 +2534,7 @@
|
|
|
2424
2534
|
"unvalidated": true,
|
|
2425
2535
|
"cross_language": false,
|
|
2426
2536
|
"family": "prompt-injection-system-prompt-built-fro",
|
|
2537
|
+
"parser": "REGEX",
|
|
2427
2538
|
"_unsigned": false,
|
|
2428
2539
|
"_passThroughSigning": false,
|
|
2429
2540
|
"signatureStatus": "verified",
|
|
@@ -2512,7 +2623,7 @@
|
|
|
2512
2623
|
"whyFired": {
|
|
2513
2624
|
"detector": "sast/prompt-injection-system-prompt-built-fro",
|
|
2514
2625
|
"ruleId": "CWE-1427",
|
|
2515
|
-
"parser": "
|
|
2626
|
+
"parser": "REGEX",
|
|
2516
2627
|
"evidence": {
|
|
2517
2628
|
"sinkSnippet": "// system = f\"...{context_bloc}...\"",
|
|
2518
2629
|
"sourceSnippet": null,
|
|
@@ -2650,6 +2761,7 @@
|
|
|
2650
2761
|
"unvalidated": true,
|
|
2651
2762
|
"cross_language": false,
|
|
2652
2763
|
"family": "prompt-injection-system-prompt-built-fro",
|
|
2764
|
+
"parser": "REGEX",
|
|
2653
2765
|
"_unsigned": false,
|
|
2654
2766
|
"_passThroughSigning": false,
|
|
2655
2767
|
"signatureStatus": "verified",
|
|
@@ -2738,7 +2850,7 @@
|
|
|
2738
2850
|
"whyFired": {
|
|
2739
2851
|
"detector": "sast/prompt-injection-system-prompt-built-fro",
|
|
2740
2852
|
"ruleId": "CWE-1427",
|
|
2741
|
-
"parser": "
|
|
2853
|
+
"parser": "REGEX",
|
|
2742
2854
|
"evidence": {
|
|
2743
2855
|
"sinkSnippet": "// system: `... ${context}`",
|
|
2744
2856
|
"sourceSnippet": null,
|
|
@@ -2876,6 +2988,7 @@
|
|
|
2876
2988
|
"unvalidated": true,
|
|
2877
2989
|
"cross_language": false,
|
|
2878
2990
|
"family": "prompt-template-user-input-interpolated-",
|
|
2991
|
+
"parser": "REGEX",
|
|
2879
2992
|
"_unsigned": false,
|
|
2880
2993
|
"_passThroughSigning": false,
|
|
2881
2994
|
"signatureStatus": "verified",
|
|
@@ -2964,7 +3077,7 @@
|
|
|
2964
3077
|
"whyFired": {
|
|
2965
3078
|
"detector": "sast/prompt-template-user-input-interpolated-",
|
|
2966
3079
|
"ruleId": "CWE-1336",
|
|
2967
|
-
"parser": "
|
|
3080
|
+
"parser": "REGEX",
|
|
2968
3081
|
"evidence": {
|
|
2969
3082
|
"sinkSnippet": "if (/`/.test(first)) delim = '`';",
|
|
2970
3083
|
"sourceSnippet": null,
|
|
@@ -3099,15 +3212,16 @@
|
|
|
3099
3212
|
"unvalidated": true,
|
|
3100
3213
|
"cross_language": false,
|
|
3101
3214
|
"family": "zip-slip",
|
|
3215
|
+
"parser": "ZIP-SLIP",
|
|
3102
3216
|
"_unsigned": false,
|
|
3103
3217
|
"_passThroughSigning": false,
|
|
3104
3218
|
"signatureStatus": "verified",
|
|
3105
3219
|
"regression_test": {
|
|
3106
3220
|
"lang": "node",
|
|
3107
|
-
"framework":
|
|
3108
|
-
"filename":
|
|
3109
|
-
"runHint":
|
|
3110
|
-
"code":
|
|
3221
|
+
"framework": null,
|
|
3222
|
+
"filename": null,
|
|
3223
|
+
"runHint": null,
|
|
3224
|
+
"code": null
|
|
3111
3225
|
},
|
|
3112
3226
|
"poc": {
|
|
3113
3227
|
"lang": "node",
|
|
@@ -3115,7 +3229,10 @@
|
|
|
3115
3229
|
"cwe": "CWE-22",
|
|
3116
3230
|
"family": "path-traversal",
|
|
3117
3231
|
"runHint": "node poc.mjs",
|
|
3118
|
-
"code": "// Demonstrates path traversal by reading a sentinel file outside the intended dir.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: ../../../../../../etc/hostname\n// Expect: response body contains a hostname-shaped string (lowercased letters/digits, no traversal markers)\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `../../../../../../etc/hostname`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text && /^[a-z0-9\\-]+$/i.test(text.trim().slice(0, 64)) ? 'hostname-shaped response' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
|
|
3232
|
+
"code": "// Demonstrates path traversal by reading a sentinel file outside the intended dir.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: ../../../../../../etc/hostname\n// Expect: response body contains a hostname-shaped string (lowercased letters/digits, no traversal markers)\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `../../../../../../etc/hostname`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text && /^[a-z0-9\\-]+$/i.test(text.trim().slice(0, 64)) ? 'hostname-shaped response' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
|
|
3233
|
+
"paramKey": null,
|
|
3234
|
+
"paramKeyConfidence": "low",
|
|
3235
|
+
"paramKeyInferred": false
|
|
3119
3236
|
},
|
|
3120
3237
|
"calibrated_confidence": null,
|
|
3121
3238
|
"calibrated_confidence_ci": null,
|
|
@@ -3340,15 +3457,16 @@
|
|
|
3340
3457
|
"unvalidated": true,
|
|
3341
3458
|
"cross_language": false,
|
|
3342
3459
|
"family": "ssrf",
|
|
3460
|
+
"parser": "SSRF-METADATA",
|
|
3343
3461
|
"_unsigned": false,
|
|
3344
3462
|
"_passThroughSigning": false,
|
|
3345
3463
|
"signatureStatus": "verified",
|
|
3346
3464
|
"regression_test": {
|
|
3347
3465
|
"lang": "node",
|
|
3348
|
-
"framework":
|
|
3349
|
-
"filename":
|
|
3350
|
-
"runHint":
|
|
3351
|
-
"code":
|
|
3466
|
+
"framework": null,
|
|
3467
|
+
"filename": null,
|
|
3468
|
+
"runHint": null,
|
|
3469
|
+
"code": null
|
|
3352
3470
|
},
|
|
3353
3471
|
"poc": {
|
|
3354
3472
|
"lang": "node",
|
|
@@ -3356,7 +3474,10 @@
|
|
|
3356
3474
|
"cwe": "CWE-918",
|
|
3357
3475
|
"family": "ssrf",
|
|
3358
3476
|
"runHint": "node poc.mjs",
|
|
3359
|
-
"code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
|
|
3477
|
+
"code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
|
|
3478
|
+
"paramKey": null,
|
|
3479
|
+
"paramKeyConfidence": "low",
|
|
3480
|
+
"paramKeyInferred": false
|
|
3360
3481
|
},
|
|
3361
3482
|
"calibrated_confidence": null,
|
|
3362
3483
|
"calibrated_confidence_ci": null,
|
|
@@ -3586,6 +3707,7 @@
|
|
|
3586
3707
|
"unvalidated": true,
|
|
3587
3708
|
"cross_language": false,
|
|
3588
3709
|
"family": "unbounded-consumption-llm-call-has-no-to",
|
|
3710
|
+
"parser": "REGEX",
|
|
3589
3711
|
"_unsigned": false,
|
|
3590
3712
|
"_passThroughSigning": false,
|
|
3591
3713
|
"signatureStatus": "verified",
|
|
@@ -3674,7 +3796,7 @@
|
|
|
3674
3796
|
"whyFired": {
|
|
3675
3797
|
"detector": "sast/unbounded-consumption-llm-call-has-no-to",
|
|
3676
3798
|
"ruleId": "CWE-400",
|
|
3677
|
-
"parser": "
|
|
3799
|
+
"parser": "REGEX",
|
|
3678
3800
|
"evidence": {
|
|
3679
3801
|
"sinkSnippet": "// payload = { \"system\": <ident> + ... }",
|
|
3680
3802
|
"sourceSnippet": null,
|
|
@@ -3814,15 +3936,16 @@
|
|
|
3814
3936
|
"unvalidated": true,
|
|
3815
3937
|
"cross_language": false,
|
|
3816
3938
|
"family": "ssrf",
|
|
3939
|
+
"parser": "SSRF-METADATA",
|
|
3817
3940
|
"_unsigned": false,
|
|
3818
3941
|
"_passThroughSigning": false,
|
|
3819
3942
|
"signatureStatus": "verified",
|
|
3820
3943
|
"regression_test": {
|
|
3821
3944
|
"lang": "node",
|
|
3822
|
-
"framework":
|
|
3823
|
-
"filename":
|
|
3824
|
-
"runHint":
|
|
3825
|
-
"code":
|
|
3945
|
+
"framework": null,
|
|
3946
|
+
"filename": null,
|
|
3947
|
+
"runHint": null,
|
|
3948
|
+
"code": null
|
|
3826
3949
|
},
|
|
3827
3950
|
"poc": {
|
|
3828
3951
|
"lang": "node",
|
|
@@ -3830,7 +3953,10 @@
|
|
|
3830
3953
|
"cwe": "CWE-918",
|
|
3831
3954
|
"family": "ssrf",
|
|
3832
3955
|
"runHint": "node poc.mjs",
|
|
3833
|
-
"code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
|
|
3956
|
+
"code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
|
|
3957
|
+
"paramKey": null,
|
|
3958
|
+
"paramKeyConfidence": "low",
|
|
3959
|
+
"paramKeyInferred": false
|
|
3834
3960
|
},
|
|
3835
3961
|
"calibrated_confidence": null,
|
|
3836
3962
|
"calibrated_confidence_ci": null,
|
|
@@ -4057,15 +4183,16 @@
|
|
|
4057
4183
|
"unvalidated": true,
|
|
4058
4184
|
"cross_language": false,
|
|
4059
4185
|
"family": "ssrf",
|
|
4186
|
+
"parser": "SSRF-METADATA",
|
|
4060
4187
|
"_unsigned": false,
|
|
4061
4188
|
"_passThroughSigning": false,
|
|
4062
4189
|
"signatureStatus": "verified",
|
|
4063
4190
|
"regression_test": {
|
|
4064
4191
|
"lang": "node",
|
|
4065
|
-
"framework":
|
|
4066
|
-
"filename":
|
|
4067
|
-
"runHint":
|
|
4068
|
-
"code":
|
|
4192
|
+
"framework": null,
|
|
4193
|
+
"filename": null,
|
|
4194
|
+
"runHint": null,
|
|
4195
|
+
"code": null
|
|
4069
4196
|
},
|
|
4070
4197
|
"poc": {
|
|
4071
4198
|
"lang": "node",
|
|
@@ -4073,7 +4200,10 @@
|
|
|
4073
4200
|
"cwe": "CWE-918",
|
|
4074
4201
|
"family": "ssrf",
|
|
4075
4202
|
"runHint": "node poc.mjs",
|
|
4076
|
-
"code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
|
|
4203
|
+
"code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
|
|
4204
|
+
"paramKey": null,
|
|
4205
|
+
"paramKeyConfidence": "low",
|
|
4206
|
+
"paramKeyInferred": false
|
|
4077
4207
|
},
|
|
4078
4208
|
"calibrated_confidence": null,
|
|
4079
4209
|
"calibrated_confidence_ci": null,
|
|
@@ -4300,15 +4430,16 @@
|
|
|
4300
4430
|
"unvalidated": true,
|
|
4301
4431
|
"cross_language": false,
|
|
4302
4432
|
"family": "ssrf",
|
|
4433
|
+
"parser": "SSRF-METADATA",
|
|
4303
4434
|
"_unsigned": false,
|
|
4304
4435
|
"_passThroughSigning": false,
|
|
4305
4436
|
"signatureStatus": "verified",
|
|
4306
4437
|
"regression_test": {
|
|
4307
4438
|
"lang": "node",
|
|
4308
|
-
"framework":
|
|
4309
|
-
"filename":
|
|
4310
|
-
"runHint":
|
|
4311
|
-
"code":
|
|
4439
|
+
"framework": null,
|
|
4440
|
+
"filename": null,
|
|
4441
|
+
"runHint": null,
|
|
4442
|
+
"code": null
|
|
4312
4443
|
},
|
|
4313
4444
|
"poc": {
|
|
4314
4445
|
"lang": "node",
|
|
@@ -4316,7 +4447,10 @@
|
|
|
4316
4447
|
"cwe": "CWE-918",
|
|
4317
4448
|
"family": "ssrf",
|
|
4318
4449
|
"runHint": "node poc.mjs",
|
|
4319
|
-
"code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
|
|
4450
|
+
"code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
|
|
4451
|
+
"paramKey": null,
|
|
4452
|
+
"paramKeyConfidence": "low",
|
|
4453
|
+
"paramKeyInferred": false
|
|
4320
4454
|
},
|
|
4321
4455
|
"calibrated_confidence": null,
|
|
4322
4456
|
"calibrated_confidence_ci": null,
|
|
@@ -4543,15 +4677,16 @@
|
|
|
4543
4677
|
"unvalidated": true,
|
|
4544
4678
|
"cross_language": false,
|
|
4545
4679
|
"family": "ssrf",
|
|
4680
|
+
"parser": "SSRF-METADATA",
|
|
4546
4681
|
"_unsigned": false,
|
|
4547
4682
|
"_passThroughSigning": false,
|
|
4548
4683
|
"signatureStatus": "verified",
|
|
4549
4684
|
"regression_test": {
|
|
4550
4685
|
"lang": "node",
|
|
4551
|
-
"framework":
|
|
4552
|
-
"filename":
|
|
4553
|
-
"runHint":
|
|
4554
|
-
"code":
|
|
4686
|
+
"framework": null,
|
|
4687
|
+
"filename": null,
|
|
4688
|
+
"runHint": null,
|
|
4689
|
+
"code": null
|
|
4555
4690
|
},
|
|
4556
4691
|
"poc": {
|
|
4557
4692
|
"lang": "node",
|
|
@@ -4559,7 +4694,10 @@
|
|
|
4559
4694
|
"cwe": "CWE-918",
|
|
4560
4695
|
"family": "ssrf",
|
|
4561
4696
|
"runHint": "node poc.mjs",
|
|
4562
|
-
"code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
|
|
4697
|
+
"code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
|
|
4698
|
+
"paramKey": null,
|
|
4699
|
+
"paramKeyConfidence": "low",
|
|
4700
|
+
"paramKeyInferred": false
|
|
4563
4701
|
},
|
|
4564
4702
|
"calibrated_confidence": null,
|
|
4565
4703
|
"calibrated_confidence_ci": null,
|
|
@@ -4696,7 +4834,7 @@
|
|
|
4696
4834
|
}
|
|
4697
4835
|
],
|
|
4698
4836
|
"components": [],
|
|
4699
|
-
"suppressedCount":
|
|
4837
|
+
"suppressedCount": 25,
|
|
4700
4838
|
"blastRadiusSignals": {
|
|
4701
4839
|
"industry": "generic",
|
|
4702
4840
|
"industryConfidence": "low",
|
|
@@ -4714,7 +4852,7 @@
|
|
|
4714
4852
|
"_v3": {
|
|
4715
4853
|
"counterfactual": {
|
|
4716
4854
|
"spofControls": [],
|
|
4717
|
-
"controlsDetected":
|
|
4855
|
+
"controlsDetected": 1928
|
|
4718
4856
|
},
|
|
4719
4857
|
"threatModel": {
|
|
4720
4858
|
"summary": {
|
|
@@ -5047,5 +5185,6 @@
|
|
|
5047
5185
|
"alarms": [],
|
|
5048
5186
|
"note": "no-feedback-data"
|
|
5049
5187
|
}
|
|
5050
|
-
}
|
|
5188
|
+
},
|
|
5189
|
+
"annotatorErrors": []
|
|
5051
5190
|
}
|