npm - @vulcn/driver-browser - Versions diffs - 0.3.0 → 0.4.0 - Mend

@vulcn/driver-browser 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -24,12 +24,14 @@ __export(index_exports, {
   BrowserRecorder: () => BrowserRecorder,
   BrowserRunner: () => BrowserRunner,
   BrowserStepSchema: () => BrowserStepSchema,
+  buildCapturedRequests: () => buildCapturedRequests,
   checkBrowsers: () => checkBrowsers,
   checkSessionAlive: () => checkSessionAlive,
   configSchema: () => configSchema,
   crawlAndBuildSessions: () => crawlAndBuildSessions,
   default: () => index_default,
   detectLoginForm: () => detectLoginForm,
+  httpScan: () => httpScan,
   installBrowsers: () => installBrowsers,
   launchBrowser: () => launchBrowser,
   performLogin: () => performLogin
@@ -814,6 +816,248 @@ function interleavePayloads(payloads) {
   return result;
 }
+// src/http-scanner.ts
+async function httpScan(requests, payloads, options = {}) {
+  const timeout = options.timeout ?? 1e4;
+  const concurrency = options.concurrency ?? 10;
+  const start = Date.now();
+  const findings = [];
+  const reflectedRequests = [];
+  let requestsSent = 0;
+  const tasks = [];
+  for (const request of requests) {
+    if (!request.injectableField) continue;
+    for (const payloadSet of payloads) {
+      for (const value of payloadSet.payloads) {
+        tasks.push({ request, payloadSet, value });
+      }
+    }
+  }
+  const totalTasks = tasks.length;
+  if (totalTasks === 0) {
+    return { requestsSent: 0, duration: 0, findings, reflectedRequests };
+  }
+  for (let i = 0; i < tasks.length; i += concurrency) {
+    const batch = tasks.slice(i, i + concurrency);
+    const results = await Promise.allSettled(
+      batch.map(async ({ request, payloadSet, value }) => {
+        try {
+          const body = await sendPayload(request, value, {
+            timeout,
+            cookies: options.cookies,
+            headers: options.headers
+          });
+          requestsSent++;
+          const finding = checkHttpReflection(body, request, payloadSet, value);
+          if (finding) {
+            findings.push(finding);
+            reflectedRequests.push({
+              request,
+              payload: value,
+              category: payloadSet.category
+            });
+          }
+        } catch {
+          requestsSent++;
+        }
+      })
+    );
+    const completed = Math.min(i + batch.length, totalTasks);
+    options.onProgress?.(completed, totalTasks);
+    for (const result of results) {
+      if (result.status === "rejected") {
+      }
+    }
+  }
+  return {
+    requestsSent,
+    duration: Date.now() - start,
+    findings,
+    reflectedRequests
+  };
+}
+async function sendPayload(request, payload, options) {
+  const { method, url, headers, body, contentType, injectableField } = request;
+  const reqHeaders = {
+    ...headers,
+    ...options.headers ?? {}
+  };
+  if (options.cookies) {
+    reqHeaders["Cookie"] = options.cookies;
+  }
+  delete reqHeaders["content-length"];
+  delete reqHeaders["Content-Length"];
+  let requestUrl = url;
+  let requestBody;
+  if (method.toUpperCase() === "GET") {
+    requestUrl = injectIntoUrl(url, injectableField, payload);
+  } else {
+    requestBody = injectIntoBody(body, contentType, injectableField, payload);
+    if (contentType) {
+      reqHeaders["Content-Type"] = contentType;
+    } else {
+      reqHeaders["Content-Type"] = "application/x-www-form-urlencoded";
+    }
+  }
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), options.timeout);
+  try {
+    const response = await fetch(requestUrl, {
+      method: method.toUpperCase(),
+      headers: reqHeaders,
+      body: requestBody,
+      signal: controller.signal,
+      redirect: "follow"
+    });
+    return await response.text();
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function injectIntoUrl(url, field, payload) {
+  try {
+    const parsed = new URL(url);
+    parsed.searchParams.set(field, payload);
+    return parsed.toString();
+  } catch {
+    const separator = url.includes("?") ? "&" : "?";
+    return `${url}${separator}${encodeURIComponent(field)}=${encodeURIComponent(payload)}`;
+  }
+}
+function injectIntoBody(body, contentType, field, payload) {
+  if (!body) {
+    return `${encodeURIComponent(field)}=${encodeURIComponent(payload)}`;
+  }
+  const ct = (contentType ?? "").toLowerCase();
+  if (ct.includes("application/json")) {
+    return injectIntoJson(body, field, payload);
+  }
+  if (ct.includes("multipart/form-data")) {
+    return injectIntoMultipart(body, field, payload);
+  }
+  return injectIntoFormUrlEncoded(body, field, payload);
+}
+function injectIntoFormUrlEncoded(body, field, payload) {
+  const params = new URLSearchParams(body);
+  params.set(field, payload);
+  return params.toString();
+}
+function injectIntoJson(body, field, payload) {
+  try {
+    const parsed = JSON.parse(body);
+    if (typeof parsed === "object" && parsed !== null) {
+      parsed[field] = payload;
+      return JSON.stringify(parsed);
+    }
+  } catch {
+  }
+  const escaped = field.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const regex = new RegExp(`("${escaped}"\\s*:\\s*)"[^"]*"`, "g");
+  const replaced = body.replace(regex, `$1"${payload}"`);
+  if (replaced !== body) return replaced;
+  return body;
+}
+function injectIntoMultipart(body, field, payload) {
+  const escaped = field.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const regex = new RegExp(
+    `(Content-Disposition:\\s*form-data;\\s*name="${escaped}"\\r?\\n\\r?\\n)[^\\r\\n-]*`,
+    "i"
+  );
+  return body.replace(regex, `$1${payload}`);
+}
+function checkHttpReflection(responseBody, request, payloadSet, payloadValue) {
+  for (const pattern of payloadSet.detectPatterns) {
+    if (pattern.test(responseBody)) {
+      return {
+        type: payloadSet.category,
+        severity: getSeverity2(payloadSet.category),
+        title: `${payloadSet.category.toUpperCase()} reflection detected (HTTP)`,
+        description: `Payload pattern was reflected in HTTP response body. Needs browser confirmation for execution proof.`,
+        stepId: `http-${request.sessionName}`,
+        payload: payloadValue,
+        url: request.url,
+        evidence: responseBody.match(pattern)?.[0]?.slice(0, 200),
+        metadata: {
+          detectionMethod: "tier1-http",
+          needsBrowserConfirmation: true,
+          requestMethod: request.method,
+          injectableField: request.injectableField
+        }
+      };
+    }
+  }
+  if (responseBody.includes(payloadValue)) {
+    return {
+      type: payloadSet.category,
+      severity: "medium",
+      title: `Potential ${payloadSet.category.toUpperCase()} \u2014 payload reflected in HTTP response`,
+      description: `Payload was reflected in HTTP response without encoding. Escalate to browser for execution proof.`,
+      stepId: `http-${request.sessionName}`,
+      payload: payloadValue,
+      url: request.url,
+      metadata: {
+        detectionMethod: "tier1-http",
+        needsBrowserConfirmation: true,
+        requestMethod: request.method,
+        injectableField: request.injectableField
+      }
+    };
+  }
+  return void 0;
+}
+function getSeverity2(category) {
+  switch (category) {
+    case "sqli":
+    case "command-injection":
+    case "xxe":
+      return "critical";
+    case "xss":
+    case "ssrf":
+    case "path-traversal":
+      return "high";
+    case "open-redirect":
+      return "medium";
+    default:
+      return "medium";
+  }
+}
+function buildCapturedRequests(forms) {
+  const requests = [];
+  for (const form of forms) {
+    const injectableInputs = form.inputs.filter((i) => i.injectable);
+    if (injectableInputs.length === 0) continue;
+    let actionUrl;
+    try {
+      actionUrl = new URL(form.action, form.pageUrl).toString();
+    } catch {
+      actionUrl = form.pageUrl;
+    }
+    const method = (form.method || "GET").toUpperCase();
+    for (const input of injectableInputs) {
+      const formParams = new URLSearchParams();
+      for (const inp of form.inputs) {
+        formParams.set(inp.name || inp.type, inp.injectable ? "test" : "");
+      }
+      const request = {
+        method,
+        url: method === "GET" ? actionUrl : actionUrl,
+        headers: {
+          "User-Agent": "Vulcn/1.0 (Security Scanner)",
+          Accept: "text/html,application/xhtml+xml,*/*"
+        },
+        ...method !== "GET" ? {
+          body: formParams.toString(),
+          contentType: "application/x-www-form-urlencoded"
+        } : {},
+        injectableField: input.name || input.type,
+        sessionName: form.sessionName
+      };
+      requests.push(request);
+    }
+  }
+  return requests;
+}
 // src/crawler.ts
 var INJECTABLE_INPUT_TYPES = /* @__PURE__ */ new Set([
   "text",
@@ -900,7 +1144,20 @@ async function crawlAndBuildSessions(config, options = {}) {
   console.log(
     `[crawler] Complete: ${visited.size} page(s), ${allForms.length} form(s)`
   );
-  return buildSessions(allForms);
+  const sessions = buildSessions(allForms);
+  const capturedRequests = buildCapturedRequests(
+    allForms.filter((f) => f.inputs.some((i) => i.injectable)).map((form, idx) => ({
+      pageUrl: form.pageUrl,
+      action: form.action,
+      method: form.method,
+      inputs: form.inputs,
+      sessionName: sessions[idx]?.name ?? `form-${idx + 1}`
+    }))
+  );
+  console.log(
+    `[crawler] Generated ${sessions.length} session(s), ${capturedRequests.length} HTTP request(s) for Tier 1`
+  );
+  return { sessions, capturedRequests };
 }
 async function discoverForms(page, pageUrl) {
   const forms = [];
@@ -1413,7 +1670,7 @@ var recorderDriver = {
   },
   async crawl(config, options) {
     const parsedConfig = configSchema.parse(config);
-    return crawlAndBuildSessions(
+    const result = await crawlAndBuildSessions(
       {
         startUrl: parsedConfig.startUrl ?? "",
         browser: parsedConfig.browser,
@@ -1422,6 +1679,7 @@ var recorderDriver = {
       },
       options
     );
+    return result.sessions;
   }
 };
 var runnerDriver = {
@@ -1446,11 +1704,13 @@ var index_default = browserDriver;
   BrowserRecorder,
   BrowserRunner,
   BrowserStepSchema,
+  buildCapturedRequests,
   checkBrowsers,
   checkSessionAlive,
   configSchema,
   crawlAndBuildSessions,
   detectLoginForm,
+  httpScan,
   installBrowsers,
   launchBrowser,
   performLogin