@zerothreatai/vulnerability-registry 1.0.0

package/src/categories/ssrf.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Vulnerability Registry - SSRF and Misconfiguration Vulnerabilities
+ *
+ * Definitions for SSRF, Open Redirect, Host Header, and related issues
+ */
+import type { VulnerabilityDefinition } from '../types.js';
+export declare const SSRF_VULNERABILITIES: Record<string, VulnerabilityDefinition>;
+export default SSRF_VULNERABILITIES;

package/src/categories/ssrf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf.d.ts","sourceRoot":"","sources":["ssrf.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAE3D,eAAO,MAAM,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,uBAAuB,CAyPxE,CAAC;AAEF,eAAe,oBAAoB,CAAC"}

package/src/categories/ssrf.js

@@ -0,0 +1,250 @@
+"use strict";
+/**
+ * Vulnerability Registry - SSRF and Misconfiguration Vulnerabilities
+ *
+ * Definitions for SSRF, Open Redirect, Host Header, and related issues
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SSRF_VULNERABILITIES = void 0;
+const error_codes_js_1 = require("../error-codes.js");
+exports.SSRF_VULNERABILITIES = {
+    [error_codes_js_1.VulnerabilityCode.SSRF_CLOUD_METADATA]: {
+        id: 46,
+        code: error_codes_js_1.VulnerabilityCode.SSRF_CLOUD_METADATA,
+        title: 'Server-Side Request Forgery - Cloud Metadata Access',
+        description: 'Critical SSRF vulnerability enabling access to cloud provider metadata services (AWS IMDSv1, GCP, Azure) which expose sensitive information including IAM credentials, API tokens, and instance configuration that can lead to full cloud account compromise and lateral movement.',
+        severity: 'critical',
+        category: 'ssrf',
+        scanner: 'ssrf',
+        cvss: {
+            score: 9.1,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N',
+            severity: 'CRITICAL',
+        },
+        cwe: [
+            { id: 'CWE-918', name: 'SSRF', url: 'https://cwe.mitre.org/data/definitions/918.html' },
+        ],
+        owasp: [
+            { id: 'A10:2021', name: 'SSRF', url: 'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/' },
+        ],
+        remediation: 'Block access to cloud metadata IP ranges (169.254.169.254). Implement IMDSv2 which requires tokens. Use allowlist for external URLs. Validate and sanitize all URL inputs.',
+    },
+    [error_codes_js_1.VulnerabilityCode.SSRF_INTERNAL_SERVICE]: {
+        id: 47,
+        code: error_codes_js_1.VulnerabilityCode.SSRF_INTERNAL_SERVICE,
+        title: 'Server-Side Request Forgery - Internal Service Access',
+        description: 'SSRF vulnerability allowing attackers to access internal network services that should not be reachable from the internet, including databases, admin panels, cache servers, and other infrastructure components protected only by network segmentation without authentication.',
+        severity: 'high',
+        category: 'ssrf',
+        scanner: 'ssrf',
+        cvss: {
+            score: 7.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-918', name: 'SSRF', url: 'https://cwe.mitre.org/data/definitions/918.html' },
+        ],
+        owasp: [
+            { id: 'A10:2021', name: 'SSRF', url: 'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/' },
+        ],
+        remediation: 'Implement URL allowlist for permitted external resources. Block requests to private IP ranges and localhost. Use network segmentation with proper authentication for internal services.',
+    },
+    [error_codes_js_1.VulnerabilityCode.SSRF_PROTOCOL_SMUGGLING]: {
+        id: 48,
+        code: error_codes_js_1.VulnerabilityCode.SSRF_PROTOCOL_SMUGGLING,
+        title: 'Server-Side Request Forgery - Protocol Smuggling',
+        description: 'SSRF vulnerability exploiting non-HTTP protocol handlers like file://, gopher://, dict://, or ftp:// to read local files, interact with internal services using raw TCP, or perform attacks that would not be possible through HTTP requests alone, significantly expanding impact scope.',
+        severity: 'high',
+        category: 'ssrf',
+        scanner: 'ssrf',
+        cvss: {
+            score: 8.6,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-918', name: 'SSRF', url: 'https://cwe.mitre.org/data/definitions/918.html' },
+        ],
+        owasp: [
+            { id: 'A10:2021', name: 'SSRF', url: 'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/' },
+        ],
+        remediation: 'Enforce HTTP/HTTPS only for outbound requests. Disable or block dangerous protocol handlers at the application and network level. Validate URL schemes against strict allowlist.',
+    },
+    [error_codes_js_1.VulnerabilityCode.SSRF_BLIND_OOB]: {
+        id: 49,
+        code: error_codes_js_1.VulnerabilityCode.SSRF_BLIND_OOB,
+        title: 'Server-Side Request Forgery - Blind OOB',
+        description: 'Blind SSRF vulnerability confirmed through out-of-band DNS or HTTP callbacks indicating the server makes requests to attacker-controlled destinations even though responses are not reflected, enabling internal network scanning and data exfiltration through DNS or timing side channels.',
+        severity: 'medium',
+        category: 'ssrf',
+        scanner: 'ssrf',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-918', name: 'SSRF', url: 'https://cwe.mitre.org/data/definitions/918.html' },
+        ],
+        owasp: [
+            { id: 'A10:2021', name: 'SSRF', url: 'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/' },
+        ],
+        remediation: 'Implement URL allowlist validation. Block outbound DNS to untrusted domains. Use egress firewall rules. Monitor for unusual outbound connection patterns.',
+    },
+    // ========================================
+    // OPEN REDIRECT
+    // ========================================
+    [error_codes_js_1.VulnerabilityCode.REDIRECT_HEADER_INJECTION]: {
+        id: 50,
+        code: error_codes_js_1.VulnerabilityCode.REDIRECT_HEADER_INJECTION,
+        title: 'Open Redirect - HTTP Header Injection',
+        description: 'Open redirect vulnerability through Location header manipulation allowing attackers to redirect victims to malicious websites after authenticating or interacting with the legitimate application, facilitating phishing attacks that abuse user trust in the original domain.',
+        severity: 'medium',
+        category: 'business_logic',
+        scanner: 'redirect-route',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-601', name: 'URL Redirection', url: 'https://cwe.mitre.org/data/definitions/601.html' },
+        ],
+        owasp: [
+            { id: 'A01:2021', name: 'Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
+        ],
+        remediation: 'Use allowlist of permitted redirect destinations. Avoid using user input for redirect URLs. If redirects are required, use indirect references or validate against known safe patterns.',
+    },
+    [error_codes_js_1.VulnerabilityCode.REDIRECT_JS_NAVIGATION]: {
+        id: 51,
+        code: error_codes_js_1.VulnerabilityCode.REDIRECT_JS_NAVIGATION,
+        title: 'Open Redirect - JavaScript Navigation',
+        description: 'Client-side open redirect vulnerability through JavaScript navigation methods like window.location or location.href being set to user-controlled values, allowing attackers to redirect users to malicious sites through specially crafted URLs that bypass server-side validation.',
+        severity: 'medium',
+        category: 'business_logic',
+        scanner: 'redirect-route',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-601', name: 'URL Redirection', url: 'https://cwe.mitre.org/data/definitions/601.html' },
+        ],
+        owasp: [
+            { id: 'A01:2021', name: 'Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
+        ],
+        remediation: 'Validate redirect URLs on both client and server side. Use allowlist of permitted domains. Never pass raw URL parameters to navigation functions without validation.',
+    },
+    // ========================================
+    // HOST HEADER INJECTION
+    // ========================================
+    [error_codes_js_1.VulnerabilityCode.HOST_CACHE_POISONING]: {
+        id: 52,
+        code: error_codes_js_1.VulnerabilityCode.HOST_CACHE_POISONING,
+        title: 'Host Header Injection - Cache Poisoning',
+        description: 'Host header injection vulnerability where manipulated Host headers are reflected in cached responses, allowing attackers to poison web caches and CDNs with malicious content that is then served to all users, potentially enabling widespread defacement or malware distribution.',
+        severity: 'high',
+        category: 'configuration',
+        scanner: 'host-header',
+        cvss: {
+            score: 6.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-644', name: 'Improper Neutralization of HTTP Headers', url: 'https://cwe.mitre.org/data/definitions/644.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Configure web servers to reject requests with unexpected Host headers. Include Host header in cache keys. Use canonical URLs for all generated links.',
+    },
+    [error_codes_js_1.VulnerabilityCode.HOST_PASSWORD_RESET]: {
+        id: 53,
+        code: error_codes_js_1.VulnerabilityCode.HOST_PASSWORD_RESET,
+        title: 'Host Header Injection - Password Reset Poisoning',
+        description: 'Critical host header injection vulnerability in password reset functionality where the injected Host header is used to generate password reset URLs, allowing attackers to receive password reset tokens when victims click the manipulated links in legitimate reset emails.',
+        severity: 'high',
+        category: 'configuration',
+        scanner: 'host-header',
+        cvss: {
+            score: 7.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-644', name: 'Improper Neutralization of HTTP Headers', url: 'https://cwe.mitre.org/data/definitions/644.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Use hardcoded canonical domain for generated URLs. Never trust Host header for security-sensitive functionality. Validate Host header against configured allowed hosts.',
+    },
+    [error_codes_js_1.VulnerabilityCode.SSRF_FILTER_BYPASS]: {
+        id: 54,
+        code: error_codes_js_1.VulnerabilityCode.SSRF_FILTER_BYPASS,
+        title: 'Server-Side Request Forgery - Filter Bypass',
+        description: 'SSRF vulnerability that bypasses security filters through encoding tricks (URL encoding, IPv6 representation, decimal IP notation), DNS rebinding, or using alternative representations of blocked addresses to reach internal resources despite URL validation controls.',
+        severity: 'high',
+        category: 'ssrf',
+        scanner: 'ssrf',
+        cvss: {
+            score: 7.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-918', name: 'SSRF', url: 'https://cwe.mitre.org/data/definitions/918.html' },
+        ],
+        owasp: [
+            { id: 'A10:2021', name: 'SSRF', url: 'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/' },
+        ],
+        remediation: 'Implement defense-in-depth with multiple validation layers. Resolve DNS before validation. Use strict URL parsing libraries. Block all private IP ranges including encoded forms.',
+    },
+    [error_codes_js_1.VulnerabilityCode.REDIRECT_META_REFRESH]: {
+        id: 55,
+        code: error_codes_js_1.VulnerabilityCode.REDIRECT_META_REFRESH,
+        title: 'Open Redirect - Meta Refresh',
+        description: 'Open redirect vulnerability through HTML meta refresh tags where user input controls the redirect target URL, enabling phishing attacks by sending victims to malicious sites after a brief delay on the legitimate domain, bypassing some security controls.',
+        severity: 'low',
+        category: 'business_logic',
+        scanner: 'redirect-route',
+        cvss: {
+            score: 4.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-601', name: 'URL Redirection', url: 'https://cwe.mitre.org/data/definitions/601.html' },
+        ],
+        owasp: [
+            { id: 'A01:2021', name: 'Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
+        ],
+        remediation: 'Validate meta refresh URLs against allowlist. Avoid using user input in meta refresh tags. Prefer server-side redirects with proper validation over client-side meta refresh.',
+    },
+    [error_codes_js_1.VulnerabilityCode.HOST_REDIRECT]: {
+        id: 56,
+        code: error_codes_js_1.VulnerabilityCode.HOST_REDIRECT,
+        title: 'Host Header Injection - Open Redirect',
+        description: 'Host header injection leading to open redirect where the application uses the Host header to generate redirect URLs, allowing attackers to redirect users to malicious domains by manipulating the Host header in their requests.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'host-header',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-644', name: 'Improper Neutralization of HTTP Headers', url: 'https://cwe.mitre.org/data/definitions/644.html' },
+            { id: 'CWE-601', name: 'URL Redirection', url: 'https://cwe.mitre.org/data/definitions/601.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Configure web server to validate Host header. Use hardcoded domain for redirect URLs. Implement allowlist for accepted Host header values.',
+    },
+};
+exports.default = exports.SSRF_VULNERABILITIES;

package/src/categories/ssrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf.js","sourceRoot":"","sources":["ssrf.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAGtD,MAAM,CAAC,MAAM,oBAAoB,GAA4C;IACzE,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,EAAE;QACrC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,mBAAmB;QAC3C,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,oRAAoR;QACjS,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,MAAM;QACf,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,UAAU;SACvB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,iDAAiD,EAAE;SAC1F;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,0EAA0E,EAAE;SACpH;QACD,WAAW,EAAE,4KAA4K;KAC5L;IAED,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,EAAE;QACvC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,qBAAqB;QAC7C,KAAK,EAAE,uDAAuD;QAC9D,WAAW,EAAE,gRAAgR;QAC7R,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,MAAM;QACf,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,iDAAiD,EAAE;SAC1F;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,0EAA0E,EAAE;SACpH;QACD,WAAW,EAAE,yLAAyL;KACzM;IAED,CAAC,iBAAiB,CAAC,uBAAuB,CAAC,EAAE;QACzC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,uBAAuB;QAC/C,KAAK,EAAE,kDAAkD;QACzD,WAAW,EAAE,2RAA2R;QACxS,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,MAAM;QACf,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,iDAAiD,EAAE;SAC1F;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,0EAA0E,EAAE;SACpH;QACD,WAAW,EAAE,kLAAkL;KAClM;IAED,CAAC,iBAAiB,CAAC,cAAc,CAAC,EAAE;QAChC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,cAAc;QACtC,KAAK,EAAE,yCAAyC;QAChD,WAAW,EAAE,8RAA8R;QAC3S,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,MAAM;QACf,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,QAAQ;SACrB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,iDAAiD,EAAE;SAC1F;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,0EAA0E,EAAE;SACpH;QACD,WAAW,EAAE,2JAA2J;KAC3K;IAED,2CAA2C;IAC3C,gBAAgB;IAChB,2CAA2C;IAC3C,CAAC,iBAAiB,CAAC,yBAAyB,CAAC,EAAE;QAC3C,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,yBAAyB;QACjD,KAAK,EAAE,uCAAuC;QAC9C,WAAW,EAAE,gRAAgR;QAC7R,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,gBAAgB;QACzB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,QAAQ;SACrB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,iBAAiB,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACrG;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,uBAAuB,EAAE,GAAG,EAAE,yDAAyD,EAAE;SACpH;QACD,WAAW,EAAE,yLAAyL;KACzM;IAED,CAAC,iBAAiB,CAAC,sBAAsB,CAAC,EAAE;QACxC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,sBAAsB;QAC9C,KAAK,EAAE,uCAAuC;QAC9C,WAAW,EAAE,qRAAqR;QAClS,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,gBAAgB;QACzB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,QAAQ;SACrB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,iBAAiB,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACrG;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,uBAAuB,EAAE,GAAG,EAAE,yDAAyD,EAAE;SACpH;QACD,WAAW,EAAE,sKAAsK;KACtL;IAED,2CAA2C;IAC3C,wBAAwB;IACxB,2CAA2C;IAC3C,CAAC,iBAAiB,CAAC,oBAAoB,CAAC,EAAE;QACtC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,oBAAoB;QAC5C,KAAK,EAAE,yCAAyC;QAChD,WAAW,EAAE,qRAAqR;QAClS,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,aAAa;QACtB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,QAAQ;SACrB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,yCAAyC,EAAE,GAAG,EAAE,iDAAiD,EAAE;SAC7H;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,2BAA2B,EAAE,GAAG,EAAE,6DAA6D,EAAE;SAC5H;QACD,WAAW,EAAE,uJAAuJ;KACvK;IAED,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,EAAE;QACrC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,mBAAmB;QAC3C,KAAK,EAAE,kDAAkD;QACzD,WAAW,EAAE,+QAA+Q;QAC5R,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,aAAa;QACtB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,yCAAyC,EAAE,GAAG,EAAE,iDAAiD,EAAE;SAC7H;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,2BAA2B,EAAE,GAAG,EAAE,6DAA6D,EAAE;SAC5H;QACD,WAAW,EAAE,yKAAyK;KACzL;IAED,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,EAAE;QACpC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,kBAAkB;QAC1C,KAAK,EAAE,6CAA6C;QACpD,WAAW,EAAE,2QAA2Q;QACxR,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,MAAM;QACf,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,iDAAiD,EAAE;SAC1F;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,0EAA0E,EAAE;SACpH;QACD,WAAW,EAAE,mLAAmL;KACnM;IAED,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,EAAE;QACvC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,qBAAqB;QAC7C,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,+PAA+P;QAC5Q,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,gBAAgB;QACzB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,QAAQ;SACrB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,iBAAiB,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACrG;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,uBAAuB,EAAE,GAAG,EAAE,yDAAyD,EAAE;SACpH;QACD,WAAW,EAAE,+KAA+K;KAC/L;IAED,CAAC,iBAAiB,CAAC,aAAa,CAAC,EAAE;QAC/B,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,aAAa;QACrC,KAAK,EAAE,uCAAuC;QAC9C,WAAW,EAAE,mOAAmO;QAChP,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,eAAe;QACzB,OAAO,EAAE,aAAa;QACtB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,QAAQ;SACrB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,yCAAyC,EAAE,GAAG,EAAE,iDAAiD,EAAE;YAC1H,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,iBAAiB,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACrG;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,2BAA2B,EAAE,GAAG,EAAE,6DAA6D,EAAE;SAC5H;QACD,WAAW,EAAE,4IAA4I;KAC5J;CACJ,CAAC;AAEF,eAAe,oBAAoB,CAAC"}

package/src/categories/ssrf.ts

@@ -0,0 +1,261 @@
+/**
+ * Vulnerability Registry - SSRF and Misconfiguration Vulnerabilities
+ * 
+ * Definitions for SSRF, Open Redirect, Host Header, and related issues
+ */
+
+import { VulnerabilityCode } from '../error-codes.js';
+import type { VulnerabilityDefinition } from '../types.js';
+
+export const SSRF_VULNERABILITIES: Record<string, VulnerabilityDefinition> = {
+    [VulnerabilityCode.SSRF_CLOUD_METADATA]: {
+        id: 46,
+        code: VulnerabilityCode.SSRF_CLOUD_METADATA,
+        title: 'Server-Side Request Forgery - Cloud Metadata Access',
+        description: 'Critical SSRF vulnerability enabling access to cloud provider metadata services (AWS IMDSv1, GCP, Azure) which expose sensitive information including IAM credentials, API tokens, and instance configuration that can lead to full cloud account compromise and lateral movement.',
+        severity: 'critical',
+        category: 'ssrf',
+        scanner: 'ssrf',
+        cvss: {
+            score: 9.1,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N',
+            severity: 'CRITICAL',
+        },
+        cwe: [
+            { id: 'CWE-918', name: 'SSRF', url: 'https://cwe.mitre.org/data/definitions/918.html' },
+        ],
+        owasp: [
+            { id: 'A10:2021', name: 'SSRF', url: 'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/' },
+        ],
+        remediation: 'Block access to cloud metadata IP ranges (169.254.169.254). Implement IMDSv2 which requires tokens. Use allowlist for external URLs. Validate and sanitize all URL inputs.',
+    },
+
+    [VulnerabilityCode.SSRF_INTERNAL_SERVICE]: {
+        id: 47,
+        code: VulnerabilityCode.SSRF_INTERNAL_SERVICE,
+        title: 'Server-Side Request Forgery - Internal Service Access',
+        description: 'SSRF vulnerability allowing attackers to access internal network services that should not be reachable from the internet, including databases, admin panels, cache servers, and other infrastructure components protected only by network segmentation without authentication.',
+        severity: 'high',
+        category: 'ssrf',
+        scanner: 'ssrf',
+        cvss: {
+            score: 7.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-918', name: 'SSRF', url: 'https://cwe.mitre.org/data/definitions/918.html' },
+        ],
+        owasp: [
+            { id: 'A10:2021', name: 'SSRF', url: 'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/' },
+        ],
+        remediation: 'Implement URL allowlist for permitted external resources. Block requests to private IP ranges and localhost. Use network segmentation with proper authentication for internal services.',
+    },
+
+    [VulnerabilityCode.SSRF_PROTOCOL_SMUGGLING]: {
+        id: 48,
+        code: VulnerabilityCode.SSRF_PROTOCOL_SMUGGLING,
+        title: 'Server-Side Request Forgery - Protocol Smuggling',
+        description: 'SSRF vulnerability exploiting non-HTTP protocol handlers like file://, gopher://, dict://, or ftp:// to read local files, interact with internal services using raw TCP, or perform attacks that would not be possible through HTTP requests alone, significantly expanding impact scope.',
+        severity: 'high',
+        category: 'ssrf',
+        scanner: 'ssrf',
+        cvss: {
+            score: 8.6,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-918', name: 'SSRF', url: 'https://cwe.mitre.org/data/definitions/918.html' },
+        ],
+        owasp: [
+            { id: 'A10:2021', name: 'SSRF', url: 'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/' },
+        ],
+        remediation: 'Enforce HTTP/HTTPS only for outbound requests. Disable or block dangerous protocol handlers at the application and network level. Validate URL schemes against strict allowlist.',
+    },
+
+    [VulnerabilityCode.SSRF_BLIND_OOB]: {
+        id: 49,
+        code: VulnerabilityCode.SSRF_BLIND_OOB,
+        title: 'Server-Side Request Forgery - Blind OOB',
+        description: 'Blind SSRF vulnerability confirmed through out-of-band DNS or HTTP callbacks indicating the server makes requests to attacker-controlled destinations even though responses are not reflected, enabling internal network scanning and data exfiltration through DNS or timing side channels.',
+        severity: 'medium',
+        category: 'ssrf',
+        scanner: 'ssrf',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-918', name: 'SSRF', url: 'https://cwe.mitre.org/data/definitions/918.html' },
+        ],
+        owasp: [
+            { id: 'A10:2021', name: 'SSRF', url: 'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/' },
+        ],
+        remediation: 'Implement URL allowlist validation. Block outbound DNS to untrusted domains. Use egress firewall rules. Monitor for unusual outbound connection patterns.',
+    },
+
+    // ========================================
+    // OPEN REDIRECT
+    // ========================================
+    [VulnerabilityCode.REDIRECT_HEADER_INJECTION]: {
+        id: 50,
+        code: VulnerabilityCode.REDIRECT_HEADER_INJECTION,
+        title: 'Open Redirect - HTTP Header Injection',
+        description: 'Open redirect vulnerability through Location header manipulation allowing attackers to redirect victims to malicious websites after authenticating or interacting with the legitimate application, facilitating phishing attacks that abuse user trust in the original domain.',
+        severity: 'medium',
+        category: 'business_logic',
+        scanner: 'redirect-route',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-601', name: 'URL Redirection', url: 'https://cwe.mitre.org/data/definitions/601.html' },
+        ],
+        owasp: [
+            { id: 'A01:2021', name: 'Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
+        ],
+        remediation: 'Use allowlist of permitted redirect destinations. Avoid using user input for redirect URLs. If redirects are required, use indirect references or validate against known safe patterns.',
+    },
+
+    [VulnerabilityCode.REDIRECT_JS_NAVIGATION]: {
+        id: 51,
+        code: VulnerabilityCode.REDIRECT_JS_NAVIGATION,
+        title: 'Open Redirect - JavaScript Navigation',
+        description: 'Client-side open redirect vulnerability through JavaScript navigation methods like window.location or location.href being set to user-controlled values, allowing attackers to redirect users to malicious sites through specially crafted URLs that bypass server-side validation.',
+        severity: 'medium',
+        category: 'business_logic',
+        scanner: 'redirect-route',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-601', name: 'URL Redirection', url: 'https://cwe.mitre.org/data/definitions/601.html' },
+        ],
+        owasp: [
+            { id: 'A01:2021', name: 'Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
+        ],
+        remediation: 'Validate redirect URLs on both client and server side. Use allowlist of permitted domains. Never pass raw URL parameters to navigation functions without validation.',
+    },
+
+    // ========================================
+    // HOST HEADER INJECTION
+    // ========================================
+    [VulnerabilityCode.HOST_CACHE_POISONING]: {
+        id: 52,
+        code: VulnerabilityCode.HOST_CACHE_POISONING,
+        title: 'Host Header Injection - Cache Poisoning',
+        description: 'Host header injection vulnerability where manipulated Host headers are reflected in cached responses, allowing attackers to poison web caches and CDNs with malicious content that is then served to all users, potentially enabling widespread defacement or malware distribution.',
+        severity: 'high',
+        category: 'configuration',
+        scanner: 'host-header',
+        cvss: {
+            score: 6.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-644', name: 'Improper Neutralization of HTTP Headers', url: 'https://cwe.mitre.org/data/definitions/644.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Configure web servers to reject requests with unexpected Host headers. Include Host header in cache keys. Use canonical URLs for all generated links.',
+    },
+
+    [VulnerabilityCode.HOST_PASSWORD_RESET]: {
+        id: 53,
+        code: VulnerabilityCode.HOST_PASSWORD_RESET,
+        title: 'Host Header Injection - Password Reset Poisoning',
+        description: 'Critical host header injection vulnerability in password reset functionality where the injected Host header is used to generate password reset URLs, allowing attackers to receive password reset tokens when victims click the manipulated links in legitimate reset emails.',
+        severity: 'high',
+        category: 'configuration',
+        scanner: 'host-header',
+        cvss: {
+            score: 7.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-644', name: 'Improper Neutralization of HTTP Headers', url: 'https://cwe.mitre.org/data/definitions/644.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Use hardcoded canonical domain for generated URLs. Never trust Host header for security-sensitive functionality. Validate Host header against configured allowed hosts.',
+    },
+
+    [VulnerabilityCode.SSRF_FILTER_BYPASS]: {
+        id: 54,
+        code: VulnerabilityCode.SSRF_FILTER_BYPASS,
+        title: 'Server-Side Request Forgery - Filter Bypass',
+        description: 'SSRF vulnerability that bypasses security filters through encoding tricks (URL encoding, IPv6 representation, decimal IP notation), DNS rebinding, or using alternative representations of blocked addresses to reach internal resources despite URL validation controls.',
+        severity: 'high',
+        category: 'ssrf',
+        scanner: 'ssrf',
+        cvss: {
+            score: 7.5,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N',
+            severity: 'HIGH',
+        },
+        cwe: [
+            { id: 'CWE-918', name: 'SSRF', url: 'https://cwe.mitre.org/data/definitions/918.html' },
+        ],
+        owasp: [
+            { id: 'A10:2021', name: 'SSRF', url: 'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/' },
+        ],
+        remediation: 'Implement defense-in-depth with multiple validation layers. Resolve DNS before validation. Use strict URL parsing libraries. Block all private IP ranges including encoded forms.',
+    },
+
+    [VulnerabilityCode.REDIRECT_META_REFRESH]: {
+        id: 55,
+        code: VulnerabilityCode.REDIRECT_META_REFRESH,
+        title: 'Open Redirect - Meta Refresh',
+        description: 'Open redirect vulnerability through HTML meta refresh tags where user input controls the redirect target URL, enabling phishing attacks by sending victims to malicious sites after a brief delay on the legitimate domain, bypassing some security controls.',
+        severity: 'low',
+        category: 'business_logic',
+        scanner: 'redirect-route',
+        cvss: {
+            score: 4.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-601', name: 'URL Redirection', url: 'https://cwe.mitre.org/data/definitions/601.html' },
+        ],
+        owasp: [
+            { id: 'A01:2021', name: 'Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
+        ],
+        remediation: 'Validate meta refresh URLs against allowlist. Avoid using user input in meta refresh tags. Prefer server-side redirects with proper validation over client-side meta refresh.',
+    },
+
+    [VulnerabilityCode.HOST_REDIRECT]: {
+        id: 56,
+        code: VulnerabilityCode.HOST_REDIRECT,
+        title: 'Host Header Injection - Open Redirect',
+        description: 'Host header injection leading to open redirect where the application uses the Host header to generate redirect URLs, allowing attackers to redirect users to malicious domains by manipulating the Host header in their requests.',
+        severity: 'medium',
+        category: 'configuration',
+        scanner: 'host-header',
+        cvss: {
+            score: 5.3,
+            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N',
+            severity: 'MEDIUM',
+        },
+        cwe: [
+            { id: 'CWE-644', name: 'Improper Neutralization of HTTP Headers', url: 'https://cwe.mitre.org/data/definitions/644.html' },
+            { id: 'CWE-601', name: 'URL Redirection', url: 'https://cwe.mitre.org/data/definitions/601.html' },
+        ],
+        owasp: [
+            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
+        ],
+        remediation: 'Configure web server to validate Host header. Use hardcoded domain for redirect URLs. Implement allowlist for accepted Host header values.',
+    },
+};
+
+export default SSRF_VULNERABILITIES;

package/src/categories/xss.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Vulnerability Registry - XSS Vulnerabilities
+ *
+ * Definitions for all Cross-Site Scripting vulnerability types
+ */
+import type { VulnerabilityDefinition } from '../types.js';
+export declare const XSS_VULNERABILITIES: Record<string, VulnerabilityDefinition>;

package/src/categories/xss.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xss.d.ts","sourceRoot":"","sources":["xss.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAE3D,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,uBAAuB,CA4UvE,CAAC"}