@zerothreatai/vulnerability-registry 4.0.0 → 5.0.0

package/src/categories/authentication.d.ts

@@ -1,8 +0,0 @@
-/**
- * Vulnerability Registry - Authentication & Access Control
- *
- * Definitions for JWT, Broken Access Control, and related issues
- */
-import type { VulnerabilityDefinition } from '../types.js';
-export declare const AUTH_VULNERABILITIES: Record<string, VulnerabilityDefinition>;
-export default AUTH_VULNERABILITIES;

package/src/categories/authentication.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"authentication.d.ts","sourceRoot":"","sources":["authentication.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAE3D,eAAO,MAAM,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,uBAAuB,CA+XxE,CAAC;AAEF,eAAe,oBAAoB,CAAC"}

package/src/categories/authentication.js

@@ -1,392 +0,0 @@
-/**
- * Vulnerability Registry - Authentication & Access Control
- *
- * Definitions for JWT, Broken Access Control, and related issues
- */
-import { VulnerabilityCode } from '../error-codes.js';
-export const AUTH_VULNERABILITIES = {
-    // ========================================
-    // JWT VULNERABILITIES
-    // ========================================
-    [VulnerabilityCode.JWT_NONE_ALGORITHM]: {
-        id: 57,
-        code: VulnerabilityCode.JWT_NONE_ALGORITHM,
-        title: 'JWT Vulnerability - None Algorithm Attack',
-        description: 'Critical JWT vulnerability where the server accepts tokens with "alg": "none" in the header, allowing attackers to forge valid tokens without knowing the secret key by simply removing the signature and modifying claims to impersonate any user including administrators.',
-        severity: 'critical',
-        levelId: 1,
-        category: 'authentication',
-        scanner: 'jwt',
-        cvss: {
-            score: 9.1,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N',
-            severity: 'CRITICAL',
-        },
-        cwe: [
-            { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature', url: 'https://cwe.mitre.org/data/definitions/347.html' },
-        ],
-        owasp: [
-            { id: 'A02:2021', name: 'Cryptographic Failures', url: 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/' },
-        ],
-        remediation: 'Explicitly specify allowed algorithms during JWT verification and reject "none". Use libraries that do not support "none" algorithm. Always validate the algorithm header against expected values.',
-    },
-    [VulnerabilityCode.JWT_WEAK_SECRET]: {
-        id: 58,
-        code: VulnerabilityCode.JWT_WEAK_SECRET,
-        title: 'JWT Vulnerability - Weak Secret Key',
-        description: 'JWT implementation using a weak or common secret key for HMAC signature verification that can be brute-forced or found in common secret dictionaries, allowing attackers to forge arbitrary valid tokens and bypass authentication to access any user account.',
-        severity: 'high',
-        levelId: 2,
-        category: 'authentication',
-        scanner: 'jwt',
-        cvss: {
-            score: 8.6,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-521', name: 'Weak Password Requirements', url: 'https://cwe.mitre.org/data/definitions/521.html' },
-        ],
-        owasp: [
-            { id: 'A02:2021', name: 'Cryptographic Failures', url: 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/' },
-        ],
-        remediation: 'Use cryptographically strong random secrets of at least 256 bits. Consider using asymmetric algorithms (RS256, ES256) instead of HMAC. Rotate secrets periodically.',
-    },
-    [VulnerabilityCode.JWT_KEY_CONFUSION]: {
-        id: 59,
-        code: VulnerabilityCode.JWT_KEY_CONFUSION,
-        title: 'JWT Vulnerability - Algorithm Confusion Attack',
-        description: 'JWT key confusion vulnerability where the server public key can be used as an HMAC secret by switching the algorithm from RS256 to HS256, allowing attackers to forge valid tokens using the publicly available key to generate valid HMAC signatures.',
-        severity: 'critical',
-        levelId: 1,
-        category: 'authentication',
-        scanner: 'jwt',
-        cvss: {
-            score: 9.1,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N',
-            severity: 'CRITICAL',
-        },
-        cwe: [
-            { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature', url: 'https://cwe.mitre.org/data/definitions/347.html' },
-        ],
-        owasp: [
-            { id: 'A02:2021', name: 'Cryptographic Failures', url: 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/' },
-        ],
-        remediation: 'Explicitly set expected algorithm(s) during verification. Do not accept algorithm from token header. Use separate keys for symmetric and asymmetric algorithms.',
-    },
-    // ========================================
-    // BROKEN ACCESS CONTROL
-    // ========================================
-    [VulnerabilityCode.BAC_ANONYMOUS_ACCESS]: {
-        id: 60,
-        code: VulnerabilityCode.BAC_ANONYMOUS_ACCESS,
-        title: 'Broken Access Control - Anonymous Access',
-        description: 'Critical broken access control vulnerability where authenticated endpoints can be accessed without any authentication by simply removing auth headers or cookies, exposing sensitive functionality and data to unauthenticated attackers without any credential requirement.',
-        severity: 'high',
-        levelId: 2,
-        category: 'access_control',
-        scanner: 'broken-access',
-        cvss: {
-            score: 7.5,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-862', name: 'Missing Authorization', url: 'https://cwe.mitre.org/data/definitions/862.html' },
-        ],
-        owasp: [
-            { id: 'A01:2021', name: 'Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
-        ],
-        remediation: 'Enforce authentication checks on all protected endpoints. Implement deny-by-default access control. Verify authentication state server-side before processing any request.',
-    },
-    [VulnerabilityCode.BAC_IDOR]: {
-        id: 61,
-        code: VulnerabilityCode.BAC_IDOR,
-        title: 'Broken Access Control - Insecure Direct Object Reference',
-        description: 'IDOR vulnerability where users can access or modify resources belonging to other users by manipulating predictable identifiers like sequential IDs in URLs or request parameters, without proper authorization checks verifying resource ownership.',
-        severity: 'high',
-        levelId: 2,
-        category: 'access_control',
-        scanner: 'broken-access',
-        cvss: {
-            score: 8.1,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key', url: 'https://cwe.mitre.org/data/definitions/639.html' },
-        ],
-        owasp: [
-            { id: 'A01:2021', name: 'Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
-        ],
-        remediation: 'Implement proper authorization checks verifying resource ownership. Use unpredictable identifiers (UUIDs). Apply consistent access control policies across all endpoints.',
-    },
-    [VulnerabilityCode.BAC_VERTICAL_PRIVILEGE]: {
-        id: 62,
-        code: VulnerabilityCode.BAC_VERTICAL_PRIVILEGE,
-        title: 'Broken Access Control - Vertical Privilege Escalation',
-        description: 'Vertical privilege escalation vulnerability allowing regular users to access or perform administrative functions by directly accessing admin endpoints or manipulating role/permission parameters, bypassing role-based access controls to gain elevated privileges.',
-        severity: 'critical',
-        levelId: 1,
-        category: 'access_control',
-        scanner: 'broken-access',
-        cvss: {
-            score: 8.8,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-269', name: 'Improper Privilege Management', url: 'https://cwe.mitre.org/data/definitions/269.html' },
-        ],
-        owasp: [
-            { id: 'A01:2021', name: 'Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
-        ],
-        remediation: 'Implement role-based access control with server-side enforcement. Never trust client-provided role or permission claims. Use centralized authorization service with consistent policies.',
-    },
-    // ========================================
-    // MASS ASSIGNMENT
-    // ========================================
-    [VulnerabilityCode.MASSASSIGN_ROLE_ESCALATION]: {
-        id: 63,
-        code: VulnerabilityCode.MASSASSIGN_ROLE_ESCALATION,
-        title: 'Mass Assignment - Role Escalation',
-        description: 'Mass assignment vulnerability allowing attackers to escalate privileges by including additional parameters like "role", "isAdmin", or "permissions" in requests that the application binds to user objects without proper allowlist filtering of settable fields.',
-        severity: 'high',
-        levelId: 2,
-        category: 'access_control',
-        scanner: 'model-state',
-        cvss: {
-            score: 8.1,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-915', name: 'Mass Assignment', url: 'https://cwe.mitre.org/data/definitions/915.html' },
-        ],
-        owasp: [
-            { id: 'A08:2021', name: 'Software and Data Integrity Failures', url: 'https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/' },
-        ],
-        remediation: 'Use allowlist of permitted fields for each endpoint. Implement separate DTOs for input binding. Never auto-bind request data to domain objects without explicit field selection.',
-    },
-    [VulnerabilityCode.MASSASSIGN_PROTOTYPE_POLLUTION]: {
-        id: 64,
-        code: VulnerabilityCode.MASSASSIGN_PROTOTYPE_POLLUTION,
-        title: 'Mass Assignment - Prototype Pollution',
-        description: 'JavaScript prototype pollution vulnerability through mass assignment where attackers inject __proto__ or constructor.prototype properties that modify the Object prototype globally, potentially leading to denial of service, security bypass, or remote code execution.',
-        severity: 'high',
-        levelId: 2,
-        category: 'access_control',
-        scanner: 'model-state',
-        cvss: {
-            score: 7.5,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-1321', name: 'Prototype Pollution', url: 'https://cwe.mitre.org/data/definitions/1321.html' },
-        ],
-        owasp: [
-            { id: 'A08:2021', name: 'Software and Data Integrity Failures', url: 'https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/' },
-        ],
-        remediation: 'Freeze Object.prototype. Use Object.create(null) for objects used as maps. Filter __proto__ and constructor properties from user input. Use --frozen-intrinsics Node.js flag.',
-    },
-    [VulnerabilityCode.JWT_EXPIRED_TOKEN]: {
-        id: 65,
-        code: VulnerabilityCode.JWT_EXPIRED_TOKEN,
-        title: 'JWT Vulnerability - Expired Token Accepted',
-        description: 'JWT implementation does not properly validate token expiration (exp claim), accepting expired tokens that should be rejected. This allows attackers with previously captured tokens to reuse them indefinitely, maintaining unauthorized access without credential updates.',
-        severity: 'medium',
-        levelId: 3,
-        category: 'authentication',
-        scanner: 'jwt',
-        cvss: {
-            score: 5.3,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-613', name: 'Insufficient Session Expiration', url: 'https://cwe.mitre.org/data/definitions/613.html' },
-        ],
-        owasp: [
-            { id: 'A07:2021', name: 'Identification and Authentication Failures', url: 'https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/' },
-        ],
-        remediation: 'Always validate exp claim during token verification. Set appropriate token lifetimes. Implement token refresh mechanisms. Use server-side session invalidation for immediate revocation.',
-    },
-    [VulnerabilityCode.JWT_MISSING_CLAIMS]: {
-        id: 66,
-        code: VulnerabilityCode.JWT_MISSING_CLAIMS,
-        title: 'JWT Vulnerability - Missing Required Claims',
-        description: 'JWT tokens are missing critical security claims like exp (expiration), iat (issued at), nbf (not before), or iss (issuer), reducing the security guarantees of the token system and potentially allowing token reuse, replay attacks, or cross-tenant access.',
-        severity: 'medium',
-        levelId: 3,
-        category: 'authentication',
-        scanner: 'jwt',
-        cvss: {
-            score: 5.3,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity', url: 'https://cwe.mitre.org/data/definitions/345.html' },
-        ],
-        owasp: [
-            { id: 'A02:2021', name: 'Cryptographic Failures', url: 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/' },
-        ],
-        remediation: 'Include and validate all standard claims: exp, iat, nbf, iss, aud, sub. Define required claims for your application. Reject tokens missing mandatory claims.',
-    },
-    [VulnerabilityCode.BAC_HORIZONTAL_PRIVILEGE]: {
-        id: 67,
-        code: VulnerabilityCode.BAC_HORIZONTAL_PRIVILEGE,
-        title: 'Broken Access Control - Horizontal Privilege Escalation',
-        description: 'Horizontal privilege escalation vulnerability where authenticated users can access data or perform actions belonging to other users at the same privilege level by manipulating user identifiers, object references, or session parameters without ownership verification.',
-        severity: 'high',
-        levelId: 2,
-        category: 'access_control',
-        scanner: 'broken-access',
-        cvss: {
-            score: 7.5,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key', url: 'https://cwe.mitre.org/data/definitions/639.html' },
-        ],
-        owasp: [
-            { id: 'A01:2021', name: 'Broken Access Control', url: 'https://owasp.org/Top10/A01_2021-Broken_Access_Control/' },
-        ],
-        remediation: 'Implement record-level authorization checks. Verify resource ownership against the authenticated user session. Use indirect references that map to actual resources server-side.',
-    },
-    [VulnerabilityCode.MASSASSIGN_HIDDEN_FIELD]: {
-        id: 68,
-        code: VulnerabilityCode.MASSASSIGN_HIDDEN_FIELD,
-        title: 'Mass Assignment - Hidden Field Manipulation',
-        description: 'Mass assignment vulnerability where attackers can modify hidden form fields or server-side computed values like price, discount, userId, or timestamp by including them in request bodies, bypassing UI restrictions to manipulate business logic or data integrity.',
-        severity: 'medium',
-        levelId: 3,
-        category: 'access_control',
-        scanner: 'model-state',
-        cvss: {
-            score: 6.5,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-915', name: 'Mass Assignment', url: 'https://cwe.mitre.org/data/definitions/915.html' },
-        ],
-        owasp: [
-            { id: 'A08:2021', name: 'Software and Data Integrity Failures', url: 'https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/' },
-        ],
-        remediation: 'Never trust client-provided values for server-computed fields. Use explicit DTOs with allowlisted fields. Recompute amounts, timestamps, and IDs server-side.',
-    },
-    [VulnerabilityCode.JWT_CLAIM_TAMPERING]: {
-        id: 131,
-        code: VulnerabilityCode.JWT_CLAIM_TAMPERING,
-        title: 'JWT - Claim Tampering',
-        description: 'JWT claim tampering vulnerability where attackers can modify token claims such as roles, user IDs, or permissions and the server accepts the tampered token, enabling privilege escalation or unauthorized access.',
-        severity: 'high',
-        levelId: 2,
-        category: 'authentication',
-        scanner: 'jwt',
-        cvss: {
-            score: 8.1,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-345', name: 'Insufficient Verification of Data Authenticity', url: 'https://cwe.mitre.org/data/definitions/345.html' },
-        ],
-        owasp: [
-            { id: 'A07:2021', name: 'Identification and Authentication Failures', url: 'https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/' },
-        ],
-        remediation: 'Validate JWT signatures using strong algorithms and trusted keys. Reject unsigned or weakly signed tokens. Enforce claim validation and server-side authorization checks.',
-    },
-    [VulnerabilityCode.JWT_KID_INJECTION]: {
-        id: 132,
-        code: VulnerabilityCode.JWT_KID_INJECTION,
-        title: 'JWT - KID Header Injection',
-        description: 'JWT key identifier (kid) injection vulnerability where attackers manipulate the kid header to influence key selection or file paths, potentially bypassing signature verification or loading attacker-controlled keys.',
-        severity: 'high',
-        levelId: 2,
-        category: 'authentication',
-        scanner: 'jwt',
-        cvss: {
-            score: 7.5,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-73', name: 'External Control of File Name or Path', url: 'https://cwe.mitre.org/data/definitions/73.html' },
-        ],
-        owasp: [
-            { id: 'A07:2021', name: 'Identification and Authentication Failures', url: 'https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/' },
-        ],
-        remediation: 'Avoid direct use of kid as a file path or URL. Use a strict allowlist of key IDs and map to known keys in configuration. Reject unexpected or oversized kid values.',
-    },
-    [VulnerabilityCode.JWT_JKU_INJECTION]: {
-        id: 133,
-        code: VulnerabilityCode.JWT_JKU_INJECTION,
-        title: 'JWT - JKU Header Injection',
-        description: 'JWT JKU (JWK Set URL) header injection vulnerability where attackers can control the URL used to fetch signing keys, allowing them to supply their own keys and forge valid tokens.',
-        severity: 'high',
-        levelId: 2,
-        category: 'authentication',
-        scanner: 'jwt',
-        cvss: {
-            score: 8.1,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-346', name: 'Origin Validation Error', url: 'https://cwe.mitre.org/data/definitions/346.html' },
-        ],
-        owasp: [
-            { id: 'A07:2021', name: 'Identification and Authentication Failures', url: 'https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/' },
-        ],
-        remediation: 'Ignore untrusted JKU values or restrict to a strict allowlist of trusted JWKS endpoints. Pin keys or use local key material where possible.',
-    },
-    [VulnerabilityCode.JWT_EMBEDDED_JWK]: {
-        id: 134,
-        code: VulnerabilityCode.JWT_EMBEDDED_JWK,
-        title: 'JWT - Embedded JWK Injection',
-        description: 'JWT embedded JWK vulnerability where attackers include their own JWK in the token header and the server accepts it as a trusted signing key, enabling forged tokens and authentication bypass.',
-        severity: 'high',
-        levelId: 2,
-        category: 'authentication',
-        scanner: 'jwt',
-        cvss: {
-            score: 8.1,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature', url: 'https://cwe.mitre.org/data/definitions/347.html' },
-        ],
-        owasp: [
-            { id: 'A07:2021', name: 'Identification and Authentication Failures', url: 'https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/' },
-        ],
-        remediation: 'Reject embedded JWKs from tokens unless explicitly required and validated against a trusted key set. Use pinned keys and strict header validation.',
-    },
-    [VulnerabilityCode.JWT_X5C_INJECTION]: {
-        id: 135,
-        code: VulnerabilityCode.JWT_X5C_INJECTION,
-        title: 'JWT - X5C Header Injection',
-        description: 'JWT x5c header injection vulnerability where attackers provide an untrusted certificate chain, allowing them to influence key selection or bypass signature validation if certificate trust is not strictly enforced.',
-        severity: 'high',
-        levelId: 2,
-        category: 'authentication',
-        scanner: 'jwt',
-        cvss: {
-            score: 7.5,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-295', name: 'Improper Certificate Validation', url: 'https://cwe.mitre.org/data/definitions/295.html' },
-        ],
-        owasp: [
-            { id: 'A07:2021', name: 'Identification and Authentication Failures', url: 'https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/' },
-        ],
-        remediation: 'Ignore untrusted x5c headers or validate certificate chains against a trusted root store with strict policy. Prefer pinned public keys or JWKS allowlists.',
-    },
-};
-export default AUTH_VULNERABILITIES;

package/src/categories/authentication.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"authentication.js","sourceRoot":"","sources":["authentication.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAGtD,MAAM,CAAC,MAAM,oBAAoB,GAA4C;IACzE,2CAA2C;IAC3C,sBAAsB;IACtB,2CAA2C;IAC3C,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,EAAE;QACpC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,kBAAkB;QAC1C,KAAK,EAAE,2CAA2C;QAClD,WAAW,EAAE,8QAA8Q;QAC3R,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,UAAU;SACvB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,kDAAkD,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACtI;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,wBAAwB,EAAE,GAAG,EAAE,0DAA0D,EAAE;SACtH;QACD,WAAW,EAAE,oMAAoM;KACpN;IAED,CAAC,iBAAiB,CAAC,eAAe,CAAC,EAAE;QACjC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,eAAe;QACvC,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EAAE,gQAAgQ;QAC7Q,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,4BAA4B,EAAE,GAAG,EAAE,iDAAiD,EAAE;SAChH;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,wBAAwB,EAAE,GAAG,EAAE,0DAA0D,EAAE;SACtH;QACD,WAAW,EAAE,qKAAqK;KACrL;IAED,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,EAAE;QACnC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,iBAAiB;QACzC,KAAK,EAAE,gDAAgD;QACvD,WAAW,EAAE,wPAAwP;QACrQ,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,UAAU;SACvB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,kDAAkD,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACtI;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,wBAAwB,EAAE,GAAG,EAAE,0DAA0D,EAAE;SACtH;QACD,WAAW,EAAE,iKAAiK;KACjL;IAED,2CAA2C;IAC3C,wBAAwB;IACxB,2CAA2C;IAC3C,CAAC,iBAAiB,CAAC,oBAAoB,CAAC,EAAE;QACtC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,oBAAoB;QAC5C,KAAK,EAAE,0CAA0C;QACjD,WAAW,EAAE,8QAA8Q;QAC3R,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,eAAe;QACxB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,uBAAuB,EAAE,GAAG,EAAE,iDAAiD,EAAE;SAC3G;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,uBAAuB,EAAE,GAAG,EAAE,yDAAyD,EAAE;SACpH;QACD,WAAW,EAAE,4KAA4K;KAC5L;IAED,CAAC,iBAAiB,CAAC,QAAQ,CAAC,EAAE;QAC1B,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,QAAQ;QAChC,KAAK,EAAE,0DAA0D;QACjE,WAAW,EAAE,qPAAqP;QAClQ,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,eAAe;QACxB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,kDAAkD,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACtI;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,uBAAuB,EAAE,GAAG,EAAE,yDAAyD,EAAE;SACpH;QACD,WAAW,EAAE,2KAA2K;KAC3L;IAED,CAAC,iBAAiB,CAAC,sBAAsB,CAAC,EAAE;QACxC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,sBAAsB;QAC9C,KAAK,EAAE,uDAAuD;QAC9D,WAAW,EAAE,sQAAsQ;QACnR,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,eAAe;QACxB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,+BAA+B,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACnH;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,uBAAuB,EAAE,GAAG,EAAE,yDAAyD,EAAE;SACpH;QACD,WAAW,EAAE,0LAA0L;KAC1M;IAED,2CAA2C;IAC3C,kBAAkB;IAClB,2CAA2C;IAC3C,CAAC,iBAAiB,CAAC,0BAA0B,CAAC,EAAE;QAC5C,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,0BAA0B;QAClD,KAAK,EAAE,mCAAmC;QAC1C,WAAW,EAAE,mQAAmQ;QAChR,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,aAAa;QACtB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,iBAAiB,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACrG;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,sCAAsC,EAAE,GAAG,EAAE,wEAAwE,EAAE;SAClJ;QACD,WAAW,EAAE,kLAAkL;KAClM;IAED,CAAC,iBAAiB,CAAC,8BAA8B,CAAC,EAAE;QAChD,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,8BAA8B;QACtD,KAAK,EAAE,uCAAuC;QAC9C,WAAW,EAAE,2QAA2Q;QACxR,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,aAAa;QACtB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,qBAAqB,EAAE,GAAG,EAAE,kDAAkD,EAAE;SAC3G;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,sCAAsC,EAAE,GAAG,EAAE,wEAAwE,EAAE;SAClJ;QACD,WAAW,EAAE,+KAA+K;KAC/L;IAED,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,EAAE;QACnC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,iBAAiB;QACzC,KAAK,EAAE,4CAA4C;QACnD,WAAW,EAAE,6QAA6Q;QAC1R,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,QAAQ;SACrB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,iCAAiC,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACrH;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,4CAA4C,EAAE,GAAG,EAAE,8EAA8E,EAAE;SAC9J;QACD,WAAW,EAAE,0LAA0L;KAC1M;IAED,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,EAAE;QACpC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,kBAAkB;QAC1C,KAAK,EAAE,6CAA6C;QACpD,WAAW,EAAE,+PAA+P;QAC5Q,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,QAAQ;SACrB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,gDAAgD,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACpI;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,wBAAwB,EAAE,GAAG,EAAE,0DAA0D,EAAE;SACtH;QACD,WAAW,EAAE,8JAA8J;KAC9K;IAED,CAAC,iBAAiB,CAAC,wBAAwB,CAAC,EAAE;QAC1C,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,wBAAwB;QAChD,KAAK,EAAE,yDAAyD;QAChE,WAAW,EAAE,4QAA4Q;QACzR,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,eAAe;QACxB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,kDAAkD,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACtI;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,uBAAuB,EAAE,GAAG,EAAE,yDAAyD,EAAE;SACpH;QACD,WAAW,EAAE,kLAAkL;KAClM;IAED,CAAC,iBAAiB,CAAC,uBAAuB,CAAC,EAAE;QACzC,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,iBAAiB,CAAC,uBAAuB;QAC/C,KAAK,EAAE,6CAA6C;QACpD,WAAW,EAAE,sQAAsQ;QACnR,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,aAAa;QACtB,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,QAAQ;SACrB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,iBAAiB,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACrG;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,sCAAsC,EAAE,GAAG,EAAE,wEAAwE,EAAE;SAClJ;QACD,WAAW,EAAE,+JAA+J;KAC/K;IAED,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,EAAE;QACrC,EAAE,EAAE,GAAG;QACP,IAAI,EAAE,iBAAiB,CAAC,mBAAmB;QAC3C,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EAAE,oNAAoN;QACjO,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,gDAAgD,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACpI;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,4CAA4C,EAAE,GAAG,EAAE,8EAA8E,EAAE;SAC9J;QACD,WAAW,EAAE,2KAA2K;KAC3L;IAED,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,EAAE;QACnC,EAAE,EAAE,GAAG;QACP,IAAI,EAAE,iBAAiB,CAAC,iBAAiB;QACzC,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,wNAAwN;QACrO,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,uCAAuC,EAAE,GAAG,EAAE,gDAAgD,EAAE;SACzH;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,4CAA4C,EAAE,GAAG,EAAE,8EAA8E,EAAE;SAC9J;QACD,WAAW,EAAE,qKAAqK;KACrL;IAED,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,EAAE;QACnC,EAAE,EAAE,GAAG;QACP,IAAI,EAAE,iBAAiB,CAAC,iBAAiB;QACzC,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,qLAAqL;QAClM,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,yBAAyB,EAAE,GAAG,EAAE,iDAAiD,EAAE;SAC7G;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,4CAA4C,EAAE,GAAG,EAAE,8EAA8E,EAAE;SAC9J;QACD,WAAW,EAAE,6IAA6I;KAC7J;IAED,CAAC,iBAAiB,CAAC,gBAAgB,CAAC,EAAE;QAClC,EAAE,EAAE,GAAG;QACP,IAAI,EAAE,iBAAiB,CAAC,gBAAgB;QACxC,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,gMAAgM;QAC7M,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,kDAAkD,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACtI;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,4CAA4C,EAAE,GAAG,EAAE,8EAA8E,EAAE;SAC9J;QACD,WAAW,EAAE,oJAAoJ;KACpK;IAED,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,EAAE;QACnC,EAAE,EAAE,GAAG;QACP,IAAI,EAAE,iBAAiB,CAAC,iBAAiB;QACzC,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,uNAAuN;QACpO,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,KAAK;QACd,IAAI,EAAE;YACF,KAAK,EAAE,GAAG;YACV,MAAM,EAAE,8CAA8C;YACtD,QAAQ,EAAE,MAAM;SACnB;QACD,GAAG,EAAE;YACD,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,iCAAiC,EAAE,GAAG,EAAE,iDAAiD,EAAE;SACrH;QACD,KAAK,EAAE;YACH,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,4CAA4C,EAAE,GAAG,EAAE,8EAA8E,EAAE;SAC9J;QACD,WAAW,EAAE,4JAA4J;KAC5K;CACJ,CAAC;AAEF,eAAe,oBAAoB,CAAC"}

package/src/categories/configuration.d.ts

@@ -1,8 +0,0 @@
-/**
- * Vulnerability Registry - Configuration & Headers
- *
- * Definitions for Security Headers, Directory Browsing, and related issues
- */
-import type { VulnerabilityDefinition } from '../types.js';
-export declare const CONFIG_VULNERABILITIES: Record<string, VulnerabilityDefinition>;
-export default CONFIG_VULNERABILITIES;

package/src/categories/configuration.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"configuration.d.ts","sourceRoot":"","sources":["configuration.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAE3D,eAAO,MAAM,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,uBAAuB,CAw6B1E,CAAC;AAEF,eAAe,sBAAsB,CAAC"}