@saulwade/swl-ses 1.4.0 → 1.4.2

package/scripts/audit-tools/pentest-scanner.js

@@ -0,0 +1,1436 @@
+// Adaptado de temp/ultraship-main/tools/pentest-scanner.mjs bajo MIT License
+// Fuente: Houseofmvps/ultraship (https://github.com/Houseofmvps/ultraship)
+// Puerto ESM→CJS: Node.js >=22 CommonJS, zero-deps adicionales, SSRF protegido
+'use strict';
+
+const http  = require('http');
+const https = require('https');
+const tls   = require('tls');
+const { validateUrl, createResponseAccumulator } = require('../../hooks/lib/security-net.js');
+
+// ── Constantes ────────────────────────────────────────────────────────────────
+
+const SCAN_ID  = Math.random().toString(36).slice(2, 8);
+const CANARY   = `xss${SCAN_ID}`;
+const UA       = 'Mozilla/5.0 (compatible; SecurityScanner/1.0)';
+const DEFAULT_TIMEOUT          = 10000;
+const RATE_LIMIT_MS            = 50;
+const MAX_ENDPOINTS            = 100;
+const MAX_PARAMS_PER_ENDPOINT  = 10;
+
+function output(data) {
+  process.stdout.write(JSON.stringify(data, null, 2) + '\n');
+}
+
+function sleep(ms) {
+  return new Promise(r => setTimeout(r, ms));
+}
+
+function simpleHash(str) {
+  let h = 0;
+  for (let i = 0; i < str.length; i++) {
+    h = ((h << 5) - h + str.charCodeAt(i)) | 0;
+  }
+  return (h >>> 0).toString(16);
+}
+
+// ── Payloads ──────────────────────────────────────────────────────────────────
+
+const XSS_PAYLOADS = [
+  `<script>document.title='${CANARY}'</script>`,
+  `"><img src=x onerror="document.title='${CANARY}'">`,
+  `'><svg onload="document.title='${CANARY}'">`,
+  `javascript:document.title='${CANARY}'`,
+  `<details open ontoggle="document.title='${CANARY}'">`,
+  `${CANARY}<script>`,
+];
+
+const SQLI_ERROR_PAYLOADS = ["'", "\"", "' OR '1'='1", "' OR 1=1--", "\" OR \"1\"=\"1", "; SELECT 1--", "' WAITFOR DELAY '0:0:3'--", "' AND SLEEP(3)--", "1; DROP TABLE users--", "' UNION SELECT NULL--", "\\", "' OR 'x'='x"];
+const SQLI_ERROR_PATTERNS = [
+  /sql syntax/i, /mysql_fetch/i, /ora-\d{5}/i, /unclosed quotation/i,
+  /syntax error.*sql/i, /sqlite.*error/i, /pg.*error/i, /mssql/i,
+  /sqlexception/i, /jdbc/i, /odbc/i, /invalid query/i,
+];
+const SQLI_TIME_PAYLOADS = [
+  { payload: "' AND SLEEP(3)--", delay: 3000, label: 'MySQL SLEEP' },
+  { payload: "'; WAITFOR DELAY '0:0:3'--", delay: 3000, label: 'MSSQL WAITFOR' },
+  { payload: "' AND pg_sleep(3)--", delay: 3000, label: 'PostgreSQL pg_sleep' },
+  { payload: "' AND (SELECT * FROM (SELECT(SLEEP(3)))a)--", delay: 3000, label: 'MySQL subquery' },
+];
+const SSTI_PAYLOADS = [
+  { payload: '{{7*7}}', verify: '49', label: 'Jinja2/Twig' },
+  { payload: '${7*7}', verify: '49', label: 'Freemarker/EL' },
+  { payload: '<%= 7*7 %>', verify: '49', label: 'Ruby ERB' },
+  { payload: '#{7*7}', verify: '49', label: 'ERB/EJS' },
+  { payload: '{7*7}', verify: '49', label: 'Smarty' },
+];
+const CMD_PAYLOADS = [
+  { payload: `; echo ${CANARY}`, label: 'Unix semicolon' },
+  { payload: `| echo ${CANARY}`, label: 'Unix pipe' },
+  { payload: `\`echo ${CANARY}\``, label: 'Backtick' },
+  { payload: `$(echo ${CANARY})`, label: 'Command substitution' },
+];
+const TRAVERSAL_PAYLOADS = [
+  { payload: '../../../etc/passwd', verify: /root:.*:0:0/i },
+  { payload: '..%2F..%2F..%2Fetc%2Fpasswd', verify: /root:.*:0:0/i },
+  { payload: '....//....//etc/passwd', verify: /root:.*:0:0/i },
+  { payload: '%2e%2e%2f%2e%2e%2fetc%2fpasswd', verify: /root:.*:0:0/i },
+  { payload: '../../../windows/win.ini', verify: /\[fonts\]/i },
+];
+const SENSITIVE_FILES = [
+  { path: '/.env', verify: /^[A-Z_]+=.+/m, severity: 'critical', title: 'Environment file exposed', cwe: 'CWE-538' },
+  { path: '/.env.local', verify: /^[A-Z_]+=.+/m, severity: 'critical', title: '.env.local exposed', cwe: 'CWE-538' },
+  { path: '/.git/config', verify: /\[core\]/i, severity: 'high', title: 'Git config exposed', cwe: 'CWE-538' },
+  { path: '/config.php', verify: /\$db|password|host/i, severity: 'high', title: 'PHP config exposed', cwe: 'CWE-538' },
+  { path: '/wp-config.php', verify: /DB_PASSWORD|DB_HOST/i, severity: 'critical', title: 'WordPress config exposed', cwe: 'CWE-538' },
+  { path: '/phpinfo.php', verify: /phpinfo|PHP Version/i, severity: 'medium', title: 'phpinfo exposed', cwe: 'CWE-200' },
+  { path: '/server-status', verify: /Apache Server Status|Server Version/i, severity: 'medium', title: 'Apache server-status exposed', cwe: 'CWE-200' },
+  { path: '/.DS_Store', verify: /Bud1|\x00/i, severity: 'low', title: '.DS_Store exposed', cwe: 'CWE-538' },
+  { path: '/robots.txt', verify: /disallow/i, severity: 'info', title: 'robots.txt (may reveal paths)', cwe: 'CWE-200' },
+  { path: '/sitemap.xml', verify: /<url>|<loc>/i, severity: 'info', title: 'Sitemap exposed', cwe: 'CWE-200' },
+  { path: '/backup.zip', verify: /PK\x03\x04/, severity: 'critical', title: 'Backup archive exposed', cwe: 'CWE-530' },
+  { path: '/backup.sql', verify: /CREATE TABLE|INSERT INTO/i, severity: 'critical', title: 'SQL backup exposed', cwe: 'CWE-530' },
+  { path: '/api-docs', verify: /swagger|openapi/i, severity: 'info', title: 'API docs exposed', cwe: 'CWE-200' },
+  { path: '/swagger.json', verify: /swagger|openapi/i, severity: 'info', title: 'Swagger JSON exposed', cwe: 'CWE-200' },
+  { path: '/openapi.json', verify: /openapi/i, severity: 'info', title: 'OpenAPI spec exposed', cwe: 'CWE-200' },
+  { path: '/.htaccess', verify: /RewriteRule|Options|AuthType/i, severity: 'medium', title: '.htaccess exposed', cwe: 'CWE-538' },
+  { path: '/web.config', verify: /<configuration>|<system.web>/i, severity: 'high', title: 'web.config exposed', cwe: 'CWE-538' },
+  { path: '/package.json', verify: /"name"|"version"/i, severity: 'low', title: 'package.json exposed', cwe: 'CWE-200' },
+  { path: '/composer.json', verify: /"name"|"require"/i, severity: 'low', title: 'composer.json exposed', cwe: 'CWE-200' },
+  { path: '/Gemfile', verify: /gem |source /i, severity: 'low', title: 'Gemfile exposed', cwe: 'CWE-200' },
+  { path: '/requirements.txt', verify: /==|>=|<=/, severity: 'low', title: 'requirements.txt exposed', cwe: 'CWE-200' },
+  { path: '/docker-compose.yml', verify: /version:|services:/i, severity: 'medium', title: 'Docker Compose exposed', cwe: 'CWE-538' },
+  { path: '/Dockerfile', verify: /FROM |RUN |CMD /i, severity: 'medium', title: 'Dockerfile exposed', cwe: 'CWE-538' },
+  { path: '/.travis.yml', verify: /language:|script:/i, severity: 'low', title: '.travis.yml exposed', cwe: 'CWE-200' },
+  { path: '/.github/workflows', verify: /on:|jobs:/i, severity: 'low', title: 'GitHub Actions workflow exposed', cwe: 'CWE-200' },
+  { path: '/config/database.yml', verify: /adapter:|database:/i, severity: 'critical', title: 'Rails DB config exposed', cwe: 'CWE-538' },
+  { path: '/application.properties', verify: /spring\.|server\.port/i, severity: 'high', title: 'Spring config exposed', cwe: 'CWE-538' },
+  { path: '/application.yml', verify: /spring:|server:/i, severity: 'high', title: 'Spring YAML config exposed', cwe: 'CWE-538' },
+  { path: '/appsettings.json', verify: /"ConnectionStrings"|"AppSettings"/i, severity: 'high', title: 'ASP.NET config exposed', cwe: 'CWE-538' },
+  { path: '/crossdomain.xml', verify: /<cross-domain-policy>/i, severity: 'medium', title: 'crossdomain.xml found', cwe: 'CWE-942' },
+  { path: '/clientaccesspolicy.xml', verify: /<access-policy>/i, severity: 'medium', title: 'clientaccesspolicy.xml found', cwe: 'CWE-942' },
+  { path: '/admin', verify: /admin|dashboard|login/i, severity: 'info', title: 'Admin panel discovered', cwe: 'CWE-284' },
+  { path: '/login', verify: /login|sign.?in|password/i, severity: 'info', title: 'Login page discovered', cwe: 'CWE-200' },
+  { path: '/phpMyAdmin/', verify: /phpMyAdmin|pma_|PMA_/i, severity: 'high', title: 'phpMyAdmin exposed', cwe: 'CWE-284' },
+];
+const SECURITY_HEADERS = [
+  { name: 'strict-transport-security', severity: 'medium', title: 'Missing HSTS', cwe: 'CWE-319' },
+  { name: 'x-frame-options', severity: 'medium', title: 'Missing X-Frame-Options', cwe: 'CWE-1021' },
+  { name: 'x-content-type-options', severity: 'low', title: 'Missing X-Content-Type-Options', cwe: 'CWE-693' },
+  { name: 'content-security-policy', severity: 'medium', title: 'Missing Content-Security-Policy', cwe: 'CWE-1021' },
+  { name: 'referrer-policy', severity: 'low', title: 'Missing Referrer-Policy', cwe: 'CWE-116' },
+  { name: 'permissions-policy', severity: 'info', title: 'Missing Permissions-Policy', cwe: 'CWE-693' },
+  { name: 'cross-origin-opener-policy', severity: 'info', title: 'Missing Cross-Origin-Opener-Policy', cwe: 'CWE-346' },
+];
+
+// ── HTTP Utilities ────────────────────────────────────────────────────────────
+
+/**
+ * Realiza un request HTTP/HTTPS seguro con timeout, acumulador de respuesta y
+ * validación SSRF via validateUrl().
+ *
+ * @param {string} urlString
+ * @param {object} opts
+ * @returns {Promise<{success,statusCode,headers,body,timing,error?}>}
+ */
+function fetchWithTiming(urlString, opts = {}) {
+  return new Promise((resolve) => {
+    // Validación SSRF obligatoria antes de cualquier request
+    const validation = validateUrl(urlString);
+    if (!validation.valid) {
+      resolve({
+        success: false,
+        blocked: true,
+        blockReason: validation.reason,
+        statusCode: 0,
+        headers: {},
+        body: '',
+        timing: 0,
+      });
+      return;
+    }
+
+    const parsed = validation.url;
+    const isHttps = parsed.protocol === 'https:';
+    const lib = isHttps ? https : http;
+    const timeout = opts.timeout || DEFAULT_TIMEOUT;
+    const start = Date.now();
+
+    const reqOpts = {
+      hostname: parsed.hostname,
+      port: parsed.port || (isHttps ? 443 : 80),
+      path: parsed.pathname + (parsed.search || ''),
+      method: opts.method || 'GET',
+      headers: {
+        'User-Agent': UA,
+        'Accept': 'text/html,application/json,*/*',
+        'Accept-Language': 'en-US,en;q=0.5',
+        ...opts.headers,
+      },
+      rejectUnauthorized: false, // pentest scanner examina TLS por separado
+    };
+
+    if (opts.cookie) reqOpts.headers['Cookie'] = opts.cookie;
+
+    const body = opts.body;
+    if (body) {
+      const ct = opts.contentType || 'application/x-www-form-urlencoded';
+      reqOpts.headers['Content-Type'] = ct;
+      reqOpts.headers['Content-Length'] = Buffer.byteLength(body, 'utf8').toString();
+    }
+
+    const accumulator = createResponseAccumulator();
+    let timedOut = false;
+
+    const req = lib.request(reqOpts, (res) => {
+      res.on('data', (chunk) => accumulator.onData(chunk.toString('binary')));
+      res.on('end', () => {
+        if (timedOut) return;
+        resolve({
+          success: true,
+          statusCode: res.statusCode,
+          headers: res.headers || {},
+          body: accumulator.getBody(),
+          timing: Date.now() - start,
+        });
+      });
+      res.on('error', () => {
+        if (!timedOut) resolve({ success: false, statusCode: 0, headers: {}, body: '', timing: Date.now() - start, error: 'response error' });
+      });
+    });
+
+    const timer = setTimeout(() => {
+      timedOut = true;
+      req.destroy();
+      resolve({ success: false, statusCode: 0, headers: {}, body: '', timing: Date.now() - start, error: 'timeout' });
+    }, timeout);
+
+    req.on('error', (err) => {
+      clearTimeout(timer);
+      if (!timedOut) resolve({ success: false, statusCode: 0, headers: {}, body: '', timing: Date.now() - start, error: err.message });
+    });
+
+    req.on('close', () => clearTimeout(timer));
+
+    if (body) req.write(body);
+    req.end();
+  });
+}
+
+// ── Reconocimiento ────────────────────────────────────────────────────────────
+
+async function get404Baseline(baseUrl, opts) {
+  const randomPath = `/${simpleHash(SCAN_ID + Date.now())}-notfound`;
+  const res = await fetchWithTiming(baseUrl + randomPath, opts);
+  return {
+    statusCode: res.statusCode,
+    bodyLength: (res.body || '').length,
+    bodyHash: simpleHash(res.body || ''),
+  };
+}
+
+function isSoft404(response, baseline) {
+  if (!baseline || !response.success) return false;
+  if (response.statusCode === baseline.statusCode) {
+    const lengthDiff = Math.abs((response.body || '').length - baseline.bodyLength);
+    const percentDiff = baseline.bodyLength > 0 ? lengthDiff / baseline.bodyLength : 0;
+    if (percentDiff < 0.1) return true;
+    if (simpleHash(response.body || '') === baseline.bodyHash) return true;
+  }
+  return false;
+}
+
+function extractFromHTML(body, baseUrl) {
+  const links  = new Set();
+  const forms  = [];
+  const scripts = [];
+  const params = new Set();
+
+  // Extraer hrefs
+  const hrefRe = /href\s*=\s*["']([^"'#?]+(?:\?[^"']*)?)/gi;
+  let m;
+  while ((m = hrefRe.exec(body)) !== null) {
+    try {
+      const u = new URL(m[1], baseUrl);
+      if (u.origin === new URL(baseUrl).origin) {
+        links.add(u.href);
+        for (const [k] of u.searchParams) params.add(k);
+      }
+    } catch {}
+  }
+
+  // Extraer scripts
+  const scriptRe = /src\s*=\s*["']([^"']+\.js[^"']*)/gi;
+  while ((m = scriptRe.exec(body)) !== null) {
+    try { scripts.push(new URL(m[1], baseUrl).href); } catch {}
+  }
+
+  // Extraer forms
+  const formRe = /<form([^>]*)>([\s\S]*?)<\/form>/gi;
+  while ((m = formRe.exec(body)) !== null) {
+    const attrs = m[1];
+    const inner = m[2];
+    const actionM = /action\s*=\s*["']([^"']*)/i.exec(attrs);
+    const methodM = /method\s*=\s*["']([^"']*)/i.exec(attrs);
+    const inputs = [];
+    const inputRe = /<input[^>]+name\s*=\s*["']([^"']*)/gi;
+    let im;
+    while ((im = inputRe.exec(inner)) !== null) inputs.push(im[1]);
+    const hasCSRF = inputs.some(n => /csrf|token|_token|authenticity/i.test(n));
+    forms.push({
+      action: actionM ? actionM[1] : null,
+      method: (methodM ? methodM[1] : 'GET').toUpperCase(),
+      inputs,
+      hasCSRF,
+    });
+  }
+
+  // Extraer query params desde links del body
+  const qpRe = /[?&]([a-zA-Z0-9_\-]+)=/g;
+  while ((m = qpRe.exec(body)) !== null) params.add(m[1]);
+
+  return {
+    links: [...links].slice(0, MAX_ENDPOINTS),
+    forms,
+    scripts: [...new Set(scripts)],
+    params: [...params].slice(0, MAX_PARAMS_PER_ENDPOINT),
+  };
+}
+
+function detectTechStack(headers, body) {
+  const stack = [];
+  const h = JSON.stringify(headers).toLowerCase();
+  if (h.includes('php')) stack.push('PHP');
+  if (h.includes('express')) stack.push('Express.js');
+  if (h.includes('nginx')) stack.push('Nginx');
+  if (h.includes('apache')) stack.push('Apache');
+  if (h.includes('wordpress') || body.toLowerCase().includes('wp-content')) stack.push('WordPress');
+  if (h.includes('drupal') || body.toLowerCase().includes('drupal')) stack.push('Drupal');
+  if (body.toLowerCase().includes('react') || body.includes('__next')) stack.push('React/Next.js');
+  if (body.toLowerCase().includes('angular')) stack.push('Angular');
+  if (body.toLowerCase().includes('vue')) stack.push('Vue.js');
+  return stack;
+}
+
+// ── Hallazgos ─────────────────────────────────────────────────────────────────
+
+let findingCounter = 0;
+
+function createFinding(category, subcategory, severity, title, opts = {}) {
+  return {
+    id: ++findingCounter,
+    category,
+    subcategory,
+    severity,
+    title,
+    url: opts.url || null,
+    cwe: opts.cwe || null,
+    owasp: opts.owasp || null,
+    proof: opts.proof || null,
+    fix: opts.fix || null,
+  };
+}
+
+// ── Archivos sensibles ────────────────────────────────────────────────────────
+
+async function scanSensitiveFiles(baseUrl, baseline, opts) {
+  const findings = [];
+  for (const entry of SENSITIVE_FILES) {
+    const url = baseUrl + entry.path;
+    const res = await fetchWithTiming(url, opts);
+    await sleep(RATE_LIMIT_MS);
+    if (!res.success) continue;
+    if (res.statusCode !== 200 && res.statusCode !== 206) continue;
+    if (isSoft404(res, baseline)) continue;
+    const body = res.body || '';
+    if (!entry.verify.test(body)) continue;
+    findings.push(createFinding('exposure', 'sensitive_file', entry.severity, entry.title, {
+      url,
+      cwe: entry.cwe,
+      owasp: 'A05:2021 Security Misconfiguration',
+      proof: {
+        request: `GET ${entry.path}`,
+        status: res.statusCode,
+        response_excerpt: body.slice(0, 200),
+        verification: `Pattern matched: ${entry.verify}`,
+      },
+      fix: `Restrict access to ${entry.path} via server configuration. Never expose sensitive config files.`,
+    }));
+  }
+  return findings;
+}
+
+// ── Cabeceras de seguridad ────────────────────────────────────────────────────
+
+function analyzeHeaders(response) {
+  const findings = [];
+  const headers = response.headers || {};
+  const body = response.body || '';
+
+  for (const h of SECURITY_HEADERS) {
+    if (!headers[h.name]) {
+      findings.push(createFinding('headers', h.name.replace(/-/g, '_'), h.severity, h.title, {
+        cwe: h.cwe,
+        owasp: 'A05:2021 Security Misconfiguration',
+        proof: { missing_header: h.name, verification: `Header "${h.name}" absent from response` },
+        fix: `Add the "${h.name}" header to all HTTP responses.`,
+      }));
+    }
+  }
+
+  // CSP débil
+  const csp = headers['content-security-policy'] || '';
+  if (csp && (csp.includes("'unsafe-inline'") || csp.includes("'unsafe-eval'") || csp.includes('*'))) {
+    findings.push(createFinding('headers', 'weak_csp', 'medium', 'Content-Security-Policy is weak', {
+      cwe: 'CWE-1021', owasp: 'A05:2021',
+      proof: { csp_value: csp, verification: "CSP contains 'unsafe-inline', 'unsafe-eval', or wildcard" },
+      fix: "Remove 'unsafe-inline', 'unsafe-eval', and wildcard sources from CSP.",
+    }));
+  }
+
+  // Cookies sin Secure/HttpOnly
+  const cookies = [].concat(headers['set-cookie'] || []);
+  for (const cookie of cookies) {
+    const lc = cookie.toLowerCase();
+    if (!lc.includes('httponly')) {
+      findings.push(createFinding('headers', 'cookie_no_httponly', 'medium', 'Cookie missing HttpOnly flag', {
+        cwe: 'CWE-1004', owasp: 'A05:2021',
+        proof: { cookie: cookie.slice(0, 80), verification: 'HttpOnly flag absent in Set-Cookie' },
+        fix: 'Add HttpOnly flag to all session cookies.',
+      }));
+    }
+    if (response.statusCode && !lc.includes('secure') && !lc.includes('samesite=none')) {
+      findings.push(createFinding('headers', 'cookie_no_secure', 'low', 'Cookie missing Secure flag', {
+        cwe: 'CWE-614', owasp: 'A05:2021',
+        proof: { cookie: cookie.slice(0, 80), verification: 'Secure flag absent in Set-Cookie' },
+        fix: 'Add Secure flag to all session cookies to prevent transmission over HTTP.',
+      }));
+    }
+  }
+
+  // Server header con versión
+  const serverHeader = headers['server'] || '';
+  if (serverHeader && /\d\.\d/.test(serverHeader)) {
+    findings.push(createFinding('exposure', 'server_version', 'low', `Server version disclosed: ${serverHeader}`, {
+      cwe: 'CWE-200', owasp: 'A05:2021',
+      proof: { server_header: serverHeader, verification: 'Version number found in Server header' },
+      fix: 'Configure server to omit version from the Server header.',
+    }));
+  }
+
+  // X-Powered-By
+  const xPoweredBy = headers['x-powered-by'];
+  if (xPoweredBy) {
+    findings.push(createFinding('exposure', 'technology_disclosure', 'low', `Technology disclosed via X-Powered-By: ${xPoweredBy}`, {
+      cwe: 'CWE-200', owasp: 'A05:2021',
+      proof: { header: xPoweredBy, verification: 'X-Powered-By header reveals technology stack' },
+      fix: 'Remove or obfuscate the X-Powered-By header.',
+    }));
+  }
+
+  return findings;
+}
+
+// ── TLS ───────────────────────────────────────────────────────────────────────
+
+function analyzeTLS(hostname, port) {
+  port = port || 443;
+  return new Promise((resolve) => {
+    const findings = [];
+    const socket = tls.connect({ host: hostname, port, rejectUnauthorized: false, timeout: 5000 }, () => {
+      const cert = socket.getPeerCertificate();
+      const proto = socket.getProtocol ? socket.getProtocol() : null;
+
+      if (proto && (proto === 'TLSv1' || proto === 'TLSv1.1')) {
+        findings.push(createFinding('tls', 'weak_protocol', 'high', `Deprecated TLS version in use: ${proto}`, {
+          cwe: 'CWE-326', owasp: 'A02:2021',
+          proof: { protocol: proto, verification: 'TLS 1.0/1.1 is deprecated and vulnerable to POODLE/BEAST attacks' },
+          fix: 'Disable TLS 1.0 and 1.1. Use TLS 1.2+ only.',
+        }));
+      }
+
+      if (cert && cert.valid_to) {
+        const expiry = new Date(cert.valid_to);
+        const daysLeft = (expiry - Date.now()) / 86400000;
+        if (daysLeft < 30) {
+          findings.push(createFinding('tls', 'cert_expiry', daysLeft < 0 ? 'critical' : 'high',
+            daysLeft < 0 ? 'TLS certificate has expired' : `TLS certificate expires in ${Math.floor(daysLeft)} days`, {
+              cwe: 'CWE-298', owasp: 'A02:2021',
+              proof: { valid_to: cert.valid_to, days_remaining: Math.floor(daysLeft), verification: 'Certificate expiry within 30 days or already expired' },
+              fix: 'Renew the TLS certificate immediately.',
+            }));
+        }
+      }
+
+      if (cert && !cert.subject) {
+        findings.push(createFinding('tls', 'self_signed', 'medium', 'Self-signed TLS certificate detected', {
+          cwe: 'CWE-297', owasp: 'A02:2021',
+          proof: { verification: 'Certificate subject missing or self-signed' },
+          fix: 'Use a certificate issued by a trusted Certificate Authority.',
+        }));
+      }
+
+      socket.destroy();
+      resolve(findings);
+    });
+
+    socket.on('error', () => resolve(findings));
+    socket.setTimeout(5000, () => { socket.destroy(); resolve(findings); });
+  });
+}
+
+// ── JWT ───────────────────────────────────────────────────────────────────────
+
+function analyzeJWTs(response) {
+  const findings = [];
+  const body = response.body || '';
+  const headers = response.headers || {};
+
+  const allText = body + JSON.stringify(headers);
+  const jwtRe = /eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]*/g;
+  const tokens = allText.match(jwtRe) || [];
+
+  for (const token of tokens.slice(0, 5)) {
+    try {
+      const parts = token.split('.');
+      if (parts.length < 3) continue;
+      const header = JSON.parse(Buffer.from(parts[0], 'base64').toString());
+      const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+
+      if (header.alg === 'none' || header.alg === 'NONE') {
+        findings.push(createFinding('auth', 'jwt_none_algorithm', 'critical', 'JWT using "none" algorithm', {
+          cwe: 'CWE-347', owasp: 'A02:2021 Cryptographic Failures',
+          proof: { alg: header.alg, token_preview: token.slice(0, 60) + '...', verification: 'JWT header declares alg:none — no signature verification' },
+          fix: 'Reject JWTs with alg:none. Whitelist only accepted algorithms (RS256, ES256).',
+        }));
+      }
+
+      if (header.alg === 'HS256' || header.alg === 'HS384' || header.alg === 'HS512') {
+        findings.push(createFinding('auth', 'jwt_weak_algorithm', 'medium', `JWT uses symmetric algorithm: ${header.alg}`, {
+          cwe: 'CWE-327', owasp: 'A02:2021',
+          proof: { alg: header.alg, verification: 'HMAC algorithms are vulnerable to secret brute-force' },
+          fix: 'Prefer asymmetric algorithms (RS256, ES256) for JWTs.',
+        }));
+      }
+
+      if (payload.exp) {
+        const expDate = new Date(payload.exp * 1000);
+        if (expDate < new Date()) {
+          findings.push(createFinding('auth', 'jwt_expired', 'high', 'Expired JWT accepted', {
+            cwe: 'CWE-613', owasp: 'A07:2021',
+            proof: { exp: expDate.toISOString(), verification: 'JWT expiry is in the past' },
+            fix: 'Validate JWT expiry (exp claim) on every request.',
+          }));
+        }
+      }
+
+      // Datos sensibles en payload
+      const payloadStr = JSON.stringify(payload);
+      if (/password|secret|key|token|credential/i.test(payloadStr)) {
+        findings.push(createFinding('exposure', 'jwt_sensitive_data', 'high', 'JWT payload contains sensitive data', {
+          cwe: 'CWE-312', owasp: 'A02:2021',
+          proof: { fields: Object.keys(payload), verification: 'Sensitive field name detected in JWT payload' },
+          fix: 'Never store sensitive data in JWT payload. JWT payload is base64-encoded, not encrypted.',
+        }));
+      }
+    } catch {}
+  }
+
+  return findings;
+}
+
+// ── GraphQL ───────────────────────────────────────────────────────────────────
+
+async function testGraphQL(targetUrl, opts) {
+  const findings = [];
+  const endpoints = ['/graphql', '/api/graphql', '/query', '/gql', '/v1/graphql'];
+
+  for (const ep of endpoints) {
+    const url = targetUrl + ep;
+    const introspect = '{"query":"{ __schema { types { name } } }"}';
+    const res = await fetchWithTiming(url, { ...opts, method: 'POST', body: introspect, contentType: 'application/json' });
+    await sleep(RATE_LIMIT_MS);
+
+    if (!res.success) continue;
+    if (res.statusCode !== 200) continue;
+
+    try {
+      const json = JSON.parse(res.body || '');
+      if (json.data && json.data.__schema) {
+        findings.push(createFinding('exposure', 'graphql_introspection', 'medium', `GraphQL introspection enabled at ${ep}`, {
+          url,
+          cwe: 'CWE-200', owasp: 'A05:2021',
+          proof: {
+            endpoint: ep,
+            types_count: (json.data.__schema.types || []).length,
+            verification: 'Introspection query returned __schema data',
+          },
+          fix: 'Disable GraphQL introspection in production environments.',
+        }));
+        break;
+      }
+    } catch {}
+  }
+  return findings;
+}
+
+// ── Source Maps ───────────────────────────────────────────────────────────────
+
+async function testSourceMaps(targetUrl, scripts, opts) {
+  const findings = [];
+  const checked = new Set();
+
+  for (const scriptUrl of scripts.slice(0, 10)) {
+    const mapUrl = scriptUrl + '.map';
+    if (checked.has(mapUrl)) continue;
+    checked.add(mapUrl);
+
+    const res = await fetchWithTiming(mapUrl, opts);
+    await sleep(RATE_LIMIT_MS);
+    if (!res.success || res.statusCode !== 200) continue;
+
+    try {
+      const json = JSON.parse(res.body || '');
+      if (json.sources || json.mappings) {
+        findings.push(createFinding('exposure', 'source_map_exposed', 'medium', `Source map exposed: ${mapUrl}`, {
+          url: mapUrl,
+          cwe: 'CWE-540', owasp: 'A05:2021',
+          proof: {
+            sources_count: (json.sources || []).length,
+            verification: 'Source map file accessible and contains valid mappings',
+          },
+          fix: 'Remove .map files from production deployments or block access via server config.',
+        }));
+      }
+    } catch {}
+  }
+  return findings;
+}
+
+// ── Error Disclosure ──────────────────────────────────────────────────────────
+
+async function testErrorDisclosure(targetUrl, opts) {
+  const findings = [];
+  const probes = [
+    targetUrl + "/'",
+    targetUrl + '/undefined/undefined',
+    targetUrl + '?id=../../../../etc/passwd',
+    targetUrl + '/api?debug=true&verbose=1',
+  ];
+
+  for (const url of probes) {
+    const res = await fetchWithTiming(url, opts);
+    await sleep(RATE_LIMIT_MS);
+    if (!res.success) continue;
+    const body = res.body || '';
+
+    const patterns = [
+      { re: /stack trace|stacktrace|at\s+\w+\s+\(/i, label: 'Stack trace in response' },
+      { re: /exception in thread|unhandled exception|java\.lang\./i, label: 'Java exception disclosed' },
+      { re: /Microsoft\.CSharp|System\.Web|ASP\.NET|\.aspx/i, label: 'ASP.NET error disclosed' },
+      { re: /Parse error:|Fatal error:|Warning:|Notice:/i, label: 'PHP error disclosed' },
+      { re: /OperationalError|IntegrityError|ProgrammingError/i, label: 'Python DB error' },
+      { re: /SyntaxError:|ReferenceError:|TypeError:/i, label: 'JS error disclosed' },
+      { re: /server error|internal server error/i, label: 'Generic server error' },
+    ];
+
+    for (const { re, label } of patterns) {
+      if (re.test(body)) {
+        findings.push(createFinding('exposure', 'error_disclosure', 'medium', label, {
+          url,
+          cwe: 'CWE-209', owasp: 'A05:2021',
+          proof: {
+            request: `GET ${new URL(url).pathname}`,
+            response_excerpt: body.slice(0, 300),
+            verification: `Pattern matched: ${re}`,
+          },
+          fix: 'Configure generic error pages. Never expose stack traces in production.',
+        }));
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
+// ── CORS ──────────────────────────────────────────────────────────────────────
+
+async function testCORS(targetUrl, endpoints, opts) {
+  const findings = [];
+  const urls = [targetUrl, ...endpoints.slice(0, 5)];
+
+  for (const url of urls) {
+    const origins = [
+      'https://evil.example.com',
+      'null',
+      targetUrl.replace('://', '://evil.'),
+    ];
+
+    for (const origin of origins) {
+      const res = await fetchWithTiming(url, {
+        ...opts,
+        headers: { ...opts.headers, 'Origin': origin },
+      });
+      await sleep(RATE_LIMIT_MS);
+      if (!res.success) continue;
+
+      const acao = res.headers['access-control-allow-origin'] || '';
+      const acac = (res.headers['access-control-allow-credentials'] || '').toLowerCase();
+
+      if ((acao === '*' && acac === 'true') || acao === origin) {
+        const severity = (acac === 'true') ? 'high' : 'medium';
+        findings.push(createFinding('config', 'cors_misconfiguration', severity, `CORS misconfiguration — allows origin: ${origin}`, {
+          url,
+          cwe: 'CWE-942', owasp: 'A05:2021',
+          proof: {
+            origin_sent: origin,
+            acao_header: acao,
+            acac_header: acac || '(not present)',
+            verification: 'Server reflects or wildcard-allows the malicious origin',
+          },
+          fix: 'Restrict Access-Control-Allow-Origin to specific trusted origins. Never combine wildcard with credentials.',
+        }));
+      }
+    }
+  }
+  return findings;
+}
+
+// ── XSS ───────────────────────────────────────────────────────────────────────
+
+function extractContext(body, needle, radius) {
+  radius = radius || 100;
+  const idx = body.indexOf(needle);
+  if (idx === -1) return null;
+  return body.slice(Math.max(0, idx - radius), idx + needle.length + radius);
+}
+
+async function testXSS(targetUrl, recon, opts) {
+  const findings = [];
+  const tested = new Set();
+  const targets = collectTargets(targetUrl, recon, tested).slice(0, MAX_ENDPOINTS);
+
+  for (const target of targets) {
+    for (const xssPayload of XSS_PAYLOADS.slice(0, 3)) {
+      const u = new URL(target.url);
+      u.searchParams.set(target.param, xssPayload);
+      const res = await fetchWithTiming(u.toString(), opts);
+      await sleep(RATE_LIMIT_MS);
+      if (!res.success || !res.body) continue;
+
+      const body = res.body;
+      // Verificar reflexión del canary
+      if (body.includes(CANARY) && body.includes(xssPayload)) {
+        const context = extractContext(body, xssPayload);
+        findings.push(createFinding('injection', 'xss_reflected', 'high', `Reflected XSS on parameter "${target.param}"`, {
+          url: u.toString(),
+          cwe: 'CWE-79', owasp: 'A03:2021',
+          proof: {
+            parameter: target.param,
+            payload: xssPayload,
+            context: context ? context.slice(0, 200) : '(see response)',
+            verification: `Canary "${CANARY}" and payload reflected unescaped in response body`,
+          },
+          fix: 'Encode all user-controlled output. Use Content-Security-Policy. Avoid innerHTML with user data.',
+        }));
+        break; // un hallazgo por parámetro es suficiente
+      }
+    }
+  }
+  return findings;
+}
+
+// ── SQLi ──────────────────────────────────────────────────────────────────────
+
+async function testSQLi(targetUrl, recon, opts) {
+  const findings = [];
+  const tested = new Set();
+  const targets = collectTargets(targetUrl, recon, tested).slice(0, MAX_ENDPOINTS);
+
+  for (const target of targets) {
+    // Prueba basada en errores
+    for (const payload of SQLI_ERROR_PAYLOADS) {
+      const u = new URL(target.url);
+      u.searchParams.set(target.param, payload);
+      const res = await fetchWithTiming(u.toString(), opts);
+      await sleep(RATE_LIMIT_MS);
+      if (!res.success || !res.body) continue;
+
+      const body = res.body;
+      const matched = SQLI_ERROR_PATTERNS.find(p => p.test(body));
+      if (matched) {
+        findings.push(createFinding('injection', 'sqli_error_based', 'critical', `SQL Injection (error-based) on "${target.param}"`, {
+          url: u.toString(),
+          cwe: 'CWE-89', owasp: 'A03:2021',
+          proof: {
+            parameter: target.param,
+            payload,
+            error_pattern: matched.toString(),
+            response_excerpt: body.slice(0, 300),
+            verification: 'Database error pattern matched in response',
+          },
+          fix: 'Use parameterized queries or prepared statements. Never concatenate user input into SQL.',
+        }));
+        break;
+      }
+    }
+
+    // Prueba basada en tiempo (solo primer parámetro)
+    if (targets.indexOf(target) > 2) continue; // limitar pruebas de tiempo
+    for (const { payload, delay, label } of SQLI_TIME_PAYLOADS) {
+      const u = new URL(target.url);
+      u.searchParams.set(target.param, payload);
+      const res = await fetchWithTiming(u.toString(), { ...opts, timeout: (opts.timeout || DEFAULT_TIMEOUT) + delay });
+      await sleep(RATE_LIMIT_MS);
+      if (!res.success) continue;
+
+      if (res.timing >= delay * 0.9) {
+        findings.push(createFinding('injection', 'sqli_time_based', 'critical', `SQL Injection (time-based, ${label}) on "${target.param}"`, {
+          url: u.toString(),
+          cwe: 'CWE-89', owasp: 'A03:2021',
+          proof: {
+            parameter: target.param,
+            payload,
+            timing_ms: res.timing,
+            expected_delay_ms: delay,
+            verification: `Response delayed ${res.timing}ms (≥ ${delay * 0.9}ms threshold for ${label})`,
+          },
+          fix: 'Use parameterized queries. Disable verbose timing in DB queries.',
+        }));
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
+// ── SSTI ──────────────────────────────────────────────────────────────────────
+
+async function testSSTI(targetUrl, recon, opts) {
+  const findings = [];
+  const tested = new Set();
+  const targets = collectTargets(targetUrl, recon, tested).slice(0, MAX_ENDPOINTS);
+
+  for (const target of targets) {
+    for (const { payload, verify, label } of SSTI_PAYLOADS) {
+      const u = new URL(target.url);
+      u.searchParams.set(target.param, payload);
+      const res = await fetchWithTiming(u.toString(), opts);
+      await sleep(RATE_LIMIT_MS);
+      if (!res.success || !res.body) continue;
+
+      if ((res.body || '').includes(verify)) {
+        findings.push(createFinding('injection', 'ssti', 'critical', `Server-Side Template Injection (${label}) on "${target.param}"`, {
+          url: u.toString(),
+          cwe: 'CWE-94', owasp: 'A03:2021',
+          proof: {
+            parameter: target.param,
+            payload,
+            expected_output: verify,
+            verification: `Template expression ${payload} evaluated to ${verify} in response`,
+          },
+          fix: 'Use logic-less templates. Never render user input as template code.',
+        }));
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
+// ── Inyección de comandos ─────────────────────────────────────────────────────
+
+async function testCmdInjection(targetUrl, recon, opts) {
+  const findings = [];
+  const tested = new Set();
+  const targets = collectTargets(targetUrl, recon, tested).slice(0, MAX_ENDPOINTS);
+
+  for (const target of targets) {
+    for (const { payload, label } of CMD_PAYLOADS) {
+      const u = new URL(target.url);
+      u.searchParams.set(target.param, payload);
+      const res = await fetchWithTiming(u.toString(), opts);
+      await sleep(RATE_LIMIT_MS);
+      if (!res.success || !res.body) continue;
+
+      if ((res.body || '').includes(CANARY)) {
+        findings.push(createFinding('injection', 'command_injection', 'critical', `Command Injection (${label}) on "${target.param}"`, {
+          url: u.toString(),
+          cwe: 'CWE-78', owasp: 'A03:2021',
+          proof: {
+            parameter: target.param,
+            payload,
+            canary: CANARY,
+            verification: `Canary "${CANARY}" echoed back in response — command executed on server`,
+          },
+          fix: 'Never pass user input to shell commands. Use APIs instead of shell calls.',
+        }));
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
+// ── Path Traversal ────────────────────────────────────────────────────────────
+
+async function testTraversal(targetUrl, recon, opts) {
+  const findings = [];
+  const tested = new Set();
+  const targets = collectTargets(targetUrl, recon, tested).slice(0, MAX_ENDPOINTS);
+
+  for (const target of targets) {
+    for (const { payload, verify } of TRAVERSAL_PAYLOADS) {
+      const u = new URL(target.url);
+      u.searchParams.set(target.param, payload);
+      const res = await fetchWithTiming(u.toString(), opts);
+      await sleep(RATE_LIMIT_MS);
+      if (!res.success || !res.body) continue;
+
+      if (verify.test(res.body || '')) {
+        findings.push(createFinding('injection', 'path_traversal', 'high', `Path Traversal on "${target.param}"`, {
+          url: u.toString(),
+          cwe: 'CWE-22', owasp: 'A01:2021',
+          proof: {
+            parameter: target.param,
+            payload,
+            verification: `Pattern ${verify} matched in response (likely /etc/passwd or win.ini content)`,
+          },
+          fix: 'Canonicalize file paths. Use allowlists for file access. Never pass user input directly to file operations.',
+        }));
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
+// ── Open Redirect ─────────────────────────────────────────────────────────────
+
+async function testOpenRedirect(targetUrl, recon, opts) {
+  const findings = [];
+  const tested = new Set();
+  const targets = collectTargets(targetUrl, recon, tested).slice(0, MAX_ENDPOINTS);
+  const redirectPayloads = ['https://evil.example.com', '//evil.example.com', 'https://evil.example.com%2F@' + new URL(targetUrl).hostname];
+
+  for (const target of targets) {
+    const paramLower = target.param.toLowerCase();
+    if (!/url|redirect|next|return|to|location|target|goto/i.test(paramLower)) continue;
+
+    for (const payload of redirectPayloads) {
+      const u = new URL(target.url);
+      u.searchParams.set(target.param, payload);
+      const res = await fetchWithTiming(u.toString(), opts);
+      await sleep(RATE_LIMIT_MS);
+      if (!res.success) continue;
+
+      const loc = res.headers['location'] || '';
+      if ((res.statusCode >= 300 && res.statusCode < 400) && loc.includes('evil.example.com')) {
+        findings.push(createFinding('logic', 'open_redirect', 'medium', `Open Redirect on "${target.param}"`, {
+          url: u.toString(),
+          cwe: 'CWE-601', owasp: 'A01:2021',
+          proof: {
+            parameter: target.param,
+            payload,
+            redirect_to: loc,
+            status_code: res.statusCode,
+            verification: 'Server redirected to attacker-controlled domain',
+          },
+          fix: 'Validate redirect targets against an allowlist. Never use user input as redirect URLs.',
+        }));
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
+// ── Host Header Injection ─────────────────────────────────────────────────────
+
+async function testHostHeader(targetUrl, opts) {
+  const findings = [];
+  const poisonedHost = 'evil.example.com';
+  const res = await fetchWithTiming(targetUrl, {
+    ...opts,
+    headers: { ...opts.headers, 'Host': poisonedHost },
+  });
+  await sleep(RATE_LIMIT_MS);
+
+  if (!res.success || !res.body) return findings;
+  if ((res.body || '').includes(poisonedHost) || (res.headers['location'] || '').includes(poisonedHost)) {
+    findings.push(createFinding('config', 'host_header_injection', 'medium', 'Host Header Injection', {
+      url: targetUrl,
+      cwe: 'CWE-113', owasp: 'A03:2021',
+      proof: {
+        poisoned_host: poisonedHost,
+        verification: 'Server reflected poisoned Host header in response body or Location header',
+      },
+      fix: 'Validate the Host header against a whitelist of allowed hosts. Use absolute URLs in redirects.',
+    }));
+  }
+  return findings;
+}
+
+// ── Method Tampering ──────────────────────────────────────────────────────────
+
+async function testMethodTampering(targetUrl, endpoints, opts) {
+  const findings = [];
+  const urls = [targetUrl, ...endpoints.slice(0, 5)];
+  const methods = ['PUT', 'DELETE', 'PATCH', 'TRACE', 'OPTIONS', 'CONNECT'];
+
+  for (const url of urls) {
+    for (const method of methods) {
+      const res = await fetchWithTiming(url, { ...opts, method });
+      await sleep(RATE_LIMIT_MS);
+      if (!res.success) continue;
+
+      if (res.statusCode === 200 && method !== 'OPTIONS') {
+        findings.push(createFinding('config', 'method_tampering', 'medium', `Unexpected HTTP method allowed: ${method}`, {
+          url,
+          cwe: 'CWE-650', owasp: 'A05:2021',
+          proof: {
+            method,
+            status_code: res.statusCode,
+            verification: `Server returned 200 for ${method} request`,
+          },
+          fix: `Restrict allowed HTTP methods. Only expose GET/POST (and others only where explicitly required).`,
+        }));
+      }
+
+      if (method === 'TRACE' && res.statusCode === 200) {
+        findings.push(createFinding('config', 'trace_enabled', 'low', 'HTTP TRACE method enabled (XST risk)', {
+          url,
+          cwe: 'CWE-16', owasp: 'A05:2021',
+          proof: { method: 'TRACE', status_code: 200, verification: 'TRACE method returns 200 — XST attack vector' },
+          fix: 'Disable TRACE method on the web server.',
+        }));
+      }
+    }
+  }
+  return findings;
+}
+
+// ── Race Condition ────────────────────────────────────────────────────────────
+
+async function testRaceCondition(targetUrl, recon, opts) {
+  const findings = [];
+  const endpoint = recon.forms.find(f => f.method === 'POST') ? targetUrl : null;
+  if (!endpoint) return findings;
+
+  const concurrency = 20;
+  const start = Date.now();
+  const results = await Promise.all(
+    Array.from({ length: concurrency }, () =>
+      fetchWithTiming(endpoint, { ...opts, method: 'POST', body: 'amount=1', contentType: 'application/x-www-form-urlencoded' })
+    )
+  );
+  const elapsed = Date.now() - start;
+
+  const successes = results.filter(r => r.success && r.statusCode === 200);
+  if (successes.length > 1 && elapsed < 2000) {
+    findings.push(createFinding('logic', 'race_condition', 'high', `Potential Race Condition on POST endpoint`, {
+      url: endpoint,
+      cwe: 'CWE-362', owasp: 'A04:2021',
+      proof: {
+        concurrent_requests: concurrency,
+        successful_responses: successes.length,
+        elapsed_ms: elapsed,
+        verification: `${successes.length} concurrent POST requests succeeded within ${elapsed}ms`,
+      },
+      fix: 'Use database-level locks or atomic operations for state-changing requests.',
+    }));
+  }
+  return findings;
+}
+
+// ── Prototype Pollution ───────────────────────────────────────────────────────
+
+async function testPrototypePollution(targetUrl, recon, opts) {
+  const findings = [];
+  const tested = new Set();
+  const targets = collectTargets(targetUrl, recon, tested).slice(0, MAX_ENDPOINTS);
+
+  for (const target of targets) {
+    const pollutionParams = ['__proto__[polluted]', 'constructor[prototype][polluted]'];
+    for (const pp of pollutionParams) {
+      const u = new URL(target.url);
+      u.searchParams.set(pp, 'true');
+      const url = u.toString();
+      const res = await fetchWithTiming(url, opts);
+      await sleep(RATE_LIMIT_MS);
+      if (!res.success || !res.body) continue;
+      try {
+        const json = JSON.parse(res.body);
+        if (json.polluted === 'true' || json.polluted === true) {
+          findings.push(createFinding('injection', 'prototype_pollution', 'critical', `Prototype Pollution via query parameter on ${target.url}`, {
+            url,
+            cwe: 'CWE-1321', owasp: 'A03:2021',
+            proof: {
+              request: `GET ${url}`,
+              response_excerpt: JSON.stringify(json).slice(0, 200),
+              verification: 'Polluted property appeared in response JSON object',
+            },
+            fix: 'Sanitize object keys. Use Object.create(null) for user-controlled objects. Block __proto__ and constructor keys.',
+          }));
+          return findings;
+        }
+      } catch {}
+    }
+
+    // Body pollution
+    const jsonPayloads = [
+      '{"__proto__":{"polluted":true}}',
+      '{"constructor":{"prototype":{"polluted":true}}}',
+    ];
+    for (const body of jsonPayloads) {
+      const res = await fetchWithTiming(target.url, { ...opts, method: 'POST', body, contentType: 'application/json' });
+      await sleep(RATE_LIMIT_MS);
+      if (!res.success || !res.body) continue;
+      try {
+        const json = JSON.parse(res.body);
+        if (json.polluted === true) {
+          findings.push(createFinding('injection', 'prototype_pollution', 'critical', `Prototype Pollution via JSON body on ${target.url}`, {
+            url: target.url,
+            cwe: 'CWE-1321', owasp: 'A03:2021',
+            proof: {
+              request: `POST ${target.url} with ${body}`,
+              verification: 'Polluted property appeared in response after __proto__ injection',
+            },
+            fix: 'Use a JSON schema validator. Strip __proto__ and constructor from parsed objects.',
+          }));
+          return findings;
+        }
+      } catch {}
+    }
+  }
+  return findings;
+}
+
+// ── HTTP Request Smuggling ────────────────────────────────────────────────────
+
+async function testRequestSmuggling(targetUrl, opts) {
+  const findings = [];
+  const res = await fetchWithTiming(targetUrl, {
+    ...opts, method: 'POST',
+    headers: { ...opts.headers, 'Transfer-Encoding': 'chunked' },
+    body: '0\r\n\r\n',
+  });
+  if (!res.success) return findings;
+
+  const smuggleRes = await fetchWithTiming(targetUrl, {
+    ...opts, method: 'POST', timeout: 15000,
+    headers: {
+      ...opts.headers,
+      'Content-Length': '4',
+      'Transfer-Encoding': 'chunked',
+    },
+    body: '1\r\nZ\r\nQ\r\n\r\n',
+  });
+
+  if (smuggleRes.success && res.success && smuggleRes.statusCode === 400 && res.statusCode < 400) {
+    findings.push(createFinding('network', 'request_smuggling_potential', 'medium', 'Server may be vulnerable to HTTP Request Smuggling (CL/TE desync)', {
+      url: targetUrl,
+      cwe: 'CWE-444', owasp: 'A05:2021',
+      proof: {
+        normal_status: res.statusCode,
+        smuggle_status: smuggleRes.statusCode,
+        verification: 'Server returned different status for conflicting CL/TE headers',
+      },
+      fix: 'Normalize CL/TE handling. Use HTTP/2 where possible.',
+    }));
+  }
+  return findings;
+}
+
+// ── CSRF ──────────────────────────────────────────────────────────────────────
+
+function testCSRF(recon) {
+  const findings = [];
+  for (const form of recon.forms) {
+    if (form.method !== 'POST') continue;
+    if (!form.hasCSRF) {
+      findings.push(createFinding('session', 'csrf_missing', 'medium', `POST form at "${form.action || '/'}" has no CSRF token`, {
+        cwe: 'CWE-352', owasp: 'A01:2021',
+        proof: {
+          form_action: form.action || '/',
+          form_method: form.method,
+          input_fields: form.inputs,
+          verification: 'No field matching csrf/token/_token/authenticity_token found in form',
+        },
+        fix: 'Add a CSRF token to all state-changing forms. Verify the token server-side on submission.',
+      }));
+    }
+  }
+  return findings;
+}
+
+// ── Parameter Pollution ───────────────────────────────────────────────────────
+
+async function testParamPollution(targetUrl, recon, opts) {
+  const findings = [];
+  const tested = new Set();
+  const targets = collectTargets(targetUrl, recon, tested).slice(0, 5);
+
+  for (const target of targets) {
+    const u = new URL(target.url);
+    u.searchParams.append(target.param, 'val1');
+    u.searchParams.append(target.param, 'val2');
+    const res = await fetchWithTiming(u.toString(), opts);
+    await sleep(RATE_LIMIT_MS);
+    if (!res.success || !res.body) continue;
+
+    if (res.body.includes('val1') && res.body.includes('val2')) {
+      findings.push(createFinding('logic', 'param_pollution', 'low', `HTTP Parameter Pollution on "${target.param}"`, {
+        url: u.toString(),
+        cwe: 'CWE-235',
+        proof: {
+          request: `GET ${u.pathname}?${target.param}=val1&${target.param}=val2`,
+          verification: 'Both parameter values reflected in response',
+        },
+        fix: 'Reject or deduplicate duplicate query parameters.',
+      }));
+    }
+  }
+  return findings;
+}
+
+// ── Utilidad ──────────────────────────────────────────────────────────────────
+
+function collectTargets(targetUrl, recon, tested) {
+  const targets = [];
+  for (const link of recon.links) {
+    try {
+      const u = new URL(link, targetUrl);
+      for (const [key] of u.searchParams) {
+        const sig = `${u.pathname}:${key}`;
+        if (tested.has(sig)) continue;
+        tested.add(sig);
+        targets.push({ url: `${u.origin}${u.pathname}`, param: key });
+      }
+    } catch {}
+  }
+  for (const param of recon.params) {
+    const sig = `/:${param}`;
+    if (!tested.has(sig)) { tested.add(sig); targets.push({ url: targetUrl, param }); }
+  }
+  return targets;
+}
+
+// ── Main ──────────────────────────────────────────────────────────────────────
+
+async function main() {
+  const args = process.argv.slice(2);
+  const positional = args.filter(a => !a.startsWith('--'));
+  const flags      = args.filter(a => a.startsWith('--'));
+  const deep       = flags.includes('--deep');
+
+  let cookie = null, customHeaders = {}, scope = null, timeout = DEFAULT_TIMEOUT;
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '--cookie'  && args[i + 1]) { cookie = args[++i]; }
+    if (args[i] === '--header'  && args[i + 1]) {
+      const h = args[++i]; const idx = h.indexOf(':');
+      if (idx > 0) customHeaders[h.slice(0, idx).trim().toLowerCase()] = h.slice(idx + 1).trim();
+    }
+    if (args[i] === '--scope'   && args[i + 1]) { scope = args[++i]; }
+    if (args[i] === '--timeout' && args[i + 1]) { timeout = parseInt(args[++i]) || DEFAULT_TIMEOUT; }
+  }
+
+  if (positional.length < 1) {
+    output({ error: 'Usage: node pentest-scanner.js <target-url> [--deep] [--cookie "name=value"] [--header "Key: Value"] [--scope /path]', success: false });
+    process.exit(0);
+  }
+
+  let targetUrl = positional[0];
+  if (!/^https?:\/\//i.test(targetUrl)) targetUrl = 'https://' + targetUrl;
+  targetUrl = targetUrl.replace(/\/+$/, '');
+
+  // Validación SSRF del target principal antes de iniciar
+  const targetValidation = validateUrl(targetUrl);
+  if (!targetValidation.valid) {
+    output({
+      success: false,
+      target: targetUrl,
+      scanned_at: new Date().toISOString(),
+      findings: [{ type: 'url_bloqueada', razon: targetValidation.reason }],
+      summary: { high: 0, medium: 0, low: 0, false_positives_filtered: 0 },
+    });
+    process.exit(0);
+  }
+
+  const fetchOpts = { timeout, cookie, headers: customHeaders };
+  const startTime = Date.now();
+  const allFindings = [];
+
+  // Fase 1: Reconocimiento
+  const [mainPage, baseline] = await Promise.all([
+    fetchWithTiming(targetUrl, { ...fetchOpts, followRedirects: true }),
+    get404Baseline(targetUrl, fetchOpts),
+  ]);
+
+  if (!mainPage.success) {
+    output({
+      success: false,
+      target: targetUrl,
+      scanned_at: new Date().toISOString(),
+      error: `No se pudo alcanzar el objetivo: ${mainPage.error || mainPage.blockReason || 'desconocido'}`,
+      findings: [],
+      summary: { high: 0, medium: 0, low: 0, false_positives_filtered: 0 },
+    });
+    process.exit(0);
+  }
+
+  const recon      = extractFromHTML(mainPage.body || '', targetUrl);
+  const techStack  = detectTechStack(mainPage.headers || {}, mainPage.body || '');
+
+  if (scope) recon.links = recon.links.filter(l => l.startsWith(scope));
+
+  // Fase 2: Análisis pasivo
+  const [headerFindings, tlsFindings, jwtFindings, csrfFindings] = await Promise.all([
+    Promise.resolve(analyzeHeaders(mainPage)),
+    targetUrl.startsWith('https://') ? analyzeTLS(new URL(targetUrl).hostname) : Promise.resolve([]),
+    Promise.resolve(analyzeJWTs(mainPage)),
+    Promise.resolve(testCSRF(recon)),
+  ]);
+  allFindings.push(...headerFindings, ...tlsFindings, ...jwtFindings, ...csrfFindings);
+
+  // Fase 3: Escaneo activo en paralelo
+  const [sensitiveFileFindings, corsFindings, errorFindings, hostHeaderFindings, graphqlFindings, sourceMapFindings] = await Promise.all([
+    scanSensitiveFiles(targetUrl, baseline, fetchOpts),
+    testCORS(targetUrl, recon.links, fetchOpts),
+    testErrorDisclosure(targetUrl, fetchOpts),
+    testHostHeader(targetUrl, fetchOpts),
+    testGraphQL(targetUrl, fetchOpts),
+    testSourceMaps(targetUrl, recon.scripts, fetchOpts),
+  ]);
+  allFindings.push(...sensitiveFileFindings, ...corsFindings, ...errorFindings, ...hostHeaderFindings, ...graphqlFindings, ...sourceMapFindings);
+
+  // Pruebas de inyección secuenciales
+  allFindings.push(...await testXSS(targetUrl, recon, fetchOpts));
+  allFindings.push(...await testSQLi(targetUrl, recon, fetchOpts));
+  allFindings.push(...await testSSTI(targetUrl, recon, fetchOpts));
+  allFindings.push(...await testCmdInjection(targetUrl, recon, fetchOpts));
+  allFindings.push(...await testTraversal(targetUrl, recon, fetchOpts));
+  allFindings.push(...await testOpenRedirect(targetUrl, recon, fetchOpts));
+  allFindings.push(...await testMethodTampering(targetUrl, recon.links, fetchOpts));
+
+  // Fase 4: Modo deep
+  if (deep) {
+    allFindings.push(...await testRaceCondition(targetUrl, recon, fetchOpts));
+    allFindings.push(...await testPrototypePollution(targetUrl, recon, fetchOpts));
+    allFindings.push(...await testParamPollution(targetUrl, recon, fetchOpts));
+    allFindings.push(...await testRequestSmuggling(targetUrl, fetchOpts));
+  }
+
+  // Compilar resultados
+  const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+  allFindings.sort((a, b) => (severityOrder[a.severity] || 5) - (severityOrder[b.severity] || 5));
+
+  const summary = { critical: 0, high: 0, medium: 0, low: 0, info: 0, false_positives_filtered: 0, total: allFindings.length };
+  for (const f of allFindings) {
+    if (f.severity) summary[f.severity] = (summary[f.severity] || 0) + 1;
+  }
+
+  output({
+    success: true,
+    target: targetUrl,
+    scanned_at: new Date().toISOString(),
+    scan_mode: deep ? 'deep' : 'standard',
+    scan_duration_ms: Date.now() - startTime,
+    tech_stack: techStack,
+    recon: {
+      endpoints_discovered: recon.links.length,
+      parameters_found: recon.params.length,
+      forms_found: recon.forms.length,
+      scripts_found: recon.scripts.length,
+    },
+    summary,
+    findings: allFindings,
+  });
+}
+
+// Exportar funciones para tests
+module.exports = {
+  fetchWithTiming,
+  validateUrl,
+  extractFromHTML,
+  collectTargets,
+  analyzeHeaders,
+  analyzeJWTs,
+  testCSRF,
+  testCORS,
+  testXSS,
+  testSQLi,
+  testSSTI,
+  testCmdInjection,
+  testTraversal,
+  testOpenRedirect,
+  testHostHeader,
+  testMethodTampering,
+  testRaceCondition,
+  testPrototypePollution,
+  testParamPollution,
+  testRequestSmuggling,
+  scanSensitiveFiles,
+  testGraphQL,
+  testSourceMaps,
+  testErrorDisclosure,
+  analyzeTLS,
+  get404Baseline,
+  isSoft404,
+  detectTechStack,
+  generateReportCard: () => '', // placeholder — solo CLI
+  CANARY,
+  SCAN_ID,
+  RATE_LIMIT_MS,
+  MAX_ENDPOINTS,
+  // internal para acceso en tests
+  _internal: { createFinding },
+};
+
+// Generar report card ASCII (accesible externamente)
+function generateReportCard(target, summary, duration, topFindings) {
+  const w = 64;
+  const pad = (s, n) => (s + ' '.repeat(n)).slice(0, n);
+  const ctr = (s, n) => { const p = Math.max(0, n - s.length); const l = Math.floor(p / 2); return ' '.repeat(l) + s + ' '.repeat(p - l); };
+  let score = 100;
+  score -= (summary.critical || 0) * 20;
+  score -= (summary.high || 0) * 10;
+  score -= (summary.medium || 0) * 5;
+  score -= (summary.low || 0) * 2;
+  score = Math.max(0, Math.min(100, score));
+  const rating = score >= 90 ? 'SECURE' : score >= 70 ? 'MODERATE RISK' : score >= 40 ? 'HIGH RISK' : 'CRITICAL RISK';
+  const barLen = Math.round(score / 100 * 20);
+  const bar = '#'.repeat(barLen) + '-'.repeat(20 - barLen);
+  const lines = [];
+  lines.push('+' + '='.repeat(w) + '+');
+  lines.push('|' + ctr('ULTRASHIP PENETRATION TEST REPORT', w) + '|');
+  lines.push('+' + '='.repeat(w) + '+');
+  lines.push('|' + pad(`  Target: ${new URL(target).host}`, w) + '|');
+  lines.push('|' + pad(`  Duration: ${(duration / 1000).toFixed(1)}s | Findings: ${summary.total}`, w) + '|');
+  lines.push('+' + '='.repeat(w) + '+');
+  lines.push('|' + pad(`  ${bar}  SCORE: ${score}/100 (${rating})`, w) + '|');
+  lines.push('+' + '='.repeat(w) + '+');
+  lines.push('|' + pad(`  [!!] CRITICAL: ${summary.critical}    [!] HIGH: ${summary.high}    [~] MEDIUM: ${summary.medium}    [-] LOW: ${summary.low}`, w) + '|');
+  lines.push('+' + '-'.repeat(w) + '+');
+  if (topFindings && topFindings.length > 0) {
+    lines.push('|' + pad('  TOP FINDINGS:', w) + '|');
+    for (const f of topFindings.slice(0, 8)) {
+      const sev = f.severity === 'critical' ? '[!!]' : f.severity === 'high' ? ' [!]' : f.severity === 'medium' ? ' [~]' : ' [-]';
+      lines.push('|' + pad(`  ${sev} ${f.title}`.slice(0, w), w) + '|');
+    }
+  } else {
+    lines.push('|' + ctr('No vulnerabilities found', w) + '|');
+  }
+  lines.push('+' + '='.repeat(w) + '+');
+  return lines.join('\n');
+}
+
+// Actualizar export con la versión real
+module.exports.generateReportCard = generateReportCard;
+
+if (require.main === module) {
+  main().catch((err) => {
+    process.stderr.write('[pentest-scanner] Error fatal: ' + (err.message || String(err)) + '\n');
+    process.exit(0); // exit 0 — nunca crash Claude Code
+  });
+}