@vulcn/engine 0.8.0 → 0.9.1
- package/CHANGELOG.md +24 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,29 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.9.1
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- b4030c8: Migrate `vulcn crawl` to v2 session directory format and add benchmark pipeline.
|
|
8
|
+
- **`vulcn crawl`**: Now uses `saveSessionDir()` to output v2 session directories (`manifest.yml` + `sessions/` + `auth/`) instead of individual `.vulcn.yml` files. `vulcn run <dir>` loads these directly via `loadSessionDir()`.
|
|
9
|
+
- **Benchmark runner** (`benchmarks/run.ts`): Automated pipeline that crawls + scans 5 benchmark targets (Acunetix test sites + DVWA + WebGoat), scores findings against ground truth (TPR/FPR/Youden), and publishes results to vulcn.dev.
|
|
10
|
+
- **Benchmark CI** (`.github/workflows/benchmark.yml`): GitHub Action triggered on release — spins up DVWA, runs benchmarks, uploads artifacts, and comments scorecard on the release.
|
|
11
|
+
- **www**: Added `POST /api/benchmarks` endpoint (API_SECRET auth) to receive benchmark results from CI, and `GET /api/benchmarks` for the upcoming `/benchmarks` page. New `BenchmarkRun` + `BenchmarkTarget` Prisma models.
|
|
12
|
+
|
|
13
|
+
## 0.9.0
|
|
14
|
+
|
|
15
|
+
### Minor Changes
|
|
16
|
+
|
|
17
|
+
- 5011ca5: Add Tier 1 HTTP fast scanner for high-speed payload testing
|
|
18
|
+
- **`httpScan()`** — replay captured HTTP requests via `fetch()` at ~50ms/payload, detecting reflected XSS, error-based SQLi, and server-side reflection without launching a browser
|
|
19
|
+
- **`buildCapturedRequests()`** — convert crawler-discovered forms into `CapturedRequest` metadata for Tier 1 scanning
|
|
20
|
+
- **`CrawlResult`** — `crawlAndBuildSessions()` now returns both `Session[]` (Tier 2 browser replay) and `CapturedRequest[]` (Tier 1 HTTP scan)
|
|
21
|
+
- Tier 1 findings are tagged with `metadata.detectionMethod: "tier1-http"` and `metadata.needsBrowserConfirmation: true` for escalation to Tier 2
|
|
22
|
+
- Supports payload injection into URL params (GET), form-urlencoded bodies, JSON bodies, and multipart form data
|
|
23
|
+
- Configurable concurrency, timeout, cookies, and custom headers via `HttpScanOptions`
|
|
24
|
+
- Progress callbacks for real-time scan monitoring
|
|
25
|
+
- 14 new tests covering XSS/SQLi detection, safe encoding, timeouts, and `buildCapturedRequests` form conversion
|
|
26
|
+
|
|
3
27
|
## 0.8.0
|
|
4
28
|
|
|
5
29
|
### Minor Changes
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@vulcn/engine",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.9.1",
|
|
4
4
|
"description": "Fast, modern security testing engine — record browser sessions, replay with attack payloads, and detect vulnerabilities automatically. Pluggable driver and detection system for web application penetration testing.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.cjs",
|
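Review bot: the removed line is cut off at `"version": "0.` in this rendering, so the previous version cannot be read from the hunk itself and the page header (0.8.0 → 0.9.1) is the only record of it. The version bump is the only change to package.json, yet the CHANGELOG hunk above adds the 0.9.0 Tier 1 scanner that replays requests "via `fetch()`" with no dependency added; that means the package relies on the runtime's global `fetch`, so the `engines.node` field (not visible in this hunk) should require a Node version that ships it (18 or later), or the changelog should state that requirement.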