fingerprint-mcp 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (269) hide show
  1. package/LICENSE +663 -0
  2. package/README.ar.md +767 -0
  3. package/README.bn.md +767 -0
  4. package/README.bs.md +767 -0
  5. package/README.da.md +767 -0
  6. package/README.de.md +770 -0
  7. package/README.el.md +767 -0
  8. package/README.es.md +769 -0
  9. package/README.fr.md +769 -0
  10. package/README.hi.md +767 -0
  11. package/README.it.md +767 -0
  12. package/README.ja.md +767 -0
  13. package/README.ko.md +772 -0
  14. package/README.md +767 -0
  15. package/README.no.md +767 -0
  16. package/README.pl.md +767 -0
  17. package/README.pt-BR.md +767 -0
  18. package/README.ru.md +767 -0
  19. package/README.th.md +767 -0
  20. package/README.tr.md +767 -0
  21. package/README.uk.md +767 -0
  22. package/README.vi.md +767 -0
  23. package/README.zh-TW.md +768 -0
  24. package/README.zh.md +768 -0
  25. package/dist/app/index.d.ts +3 -0
  26. package/dist/app/index.d.ts.map +1 -0
  27. package/dist/app/index.js +614 -0
  28. package/dist/app/index.js.map +1 -0
  29. package/dist/composite/analyze.d.ts +3 -0
  30. package/dist/composite/analyze.d.ts.map +1 -0
  31. package/dist/composite/analyze.js +59 -0
  32. package/dist/composite/analyze.js.map +1 -0
  33. package/dist/composite/correlate.d.ts +3 -0
  34. package/dist/composite/correlate.d.ts.map +1 -0
  35. package/dist/composite/correlate.js +184 -0
  36. package/dist/composite/correlate.js.map +1 -0
  37. package/dist/composite/enumerate.d.ts +3 -0
  38. package/dist/composite/enumerate.d.ts.map +1 -0
  39. package/dist/composite/enumerate.js +94 -0
  40. package/dist/composite/enumerate.js.map +1 -0
  41. package/dist/composite/helpers.d.ts +22 -0
  42. package/dist/composite/helpers.d.ts.map +1 -0
  43. package/dist/composite/helpers.js +111 -0
  44. package/dist/composite/helpers.js.map +1 -0
  45. package/dist/composite/index.d.ts +3 -0
  46. package/dist/composite/index.d.ts.map +1 -0
  47. package/dist/composite/index.js +29 -0
  48. package/dist/composite/index.js.map +1 -0
  49. package/dist/composite/meta.d.ts +3 -0
  50. package/dist/composite/meta.d.ts.map +1 -0
  51. package/dist/composite/meta.js +23 -0
  52. package/dist/composite/meta.js.map +1 -0
  53. package/dist/composite/osint.d.ts +3 -0
  54. package/dist/composite/osint.d.ts.map +1 -0
  55. package/dist/composite/osint.js +40 -0
  56. package/dist/composite/osint.js.map +1 -0
  57. package/dist/composite/recon.d.ts +3 -0
  58. package/dist/composite/recon.d.ts.map +1 -0
  59. package/dist/composite/recon.js +131 -0
  60. package/dist/composite/recon.js.map +1 -0
  61. package/dist/composite/scan-dns.d.ts +3 -0
  62. package/dist/composite/scan-dns.d.ts.map +1 -0
  63. package/dist/composite/scan-dns.js +44 -0
  64. package/dist/composite/scan-dns.js.map +1 -0
  65. package/dist/composite/scan-http.d.ts +3 -0
  66. package/dist/composite/scan-http.d.ts.map +1 -0
  67. package/dist/composite/scan-http.js +68 -0
  68. package/dist/composite/scan-http.js.map +1 -0
  69. package/dist/composite/scan-paths.d.ts +3 -0
  70. package/dist/composite/scan-paths.d.ts.map +1 -0
  71. package/dist/composite/scan-paths.js +32 -0
  72. package/dist/composite/scan-paths.js.map +1 -0
  73. package/dist/composite/scan-ports.d.ts +3 -0
  74. package/dist/composite/scan-ports.d.ts.map +1 -0
  75. package/dist/composite/scan-ports.js +79 -0
  76. package/dist/composite/scan-ports.js.map +1 -0
  77. package/dist/composite/scan-services.d.ts +3 -0
  78. package/dist/composite/scan-services.d.ts.map +1 -0
  79. package/dist/composite/scan-services.js +111 -0
  80. package/dist/composite/scan-services.js.map +1 -0
  81. package/dist/composite/scan-tls.d.ts +3 -0
  82. package/dist/composite/scan-tls.d.ts.map +1 -0
  83. package/dist/composite/scan-tls.js +32 -0
  84. package/dist/composite/scan-tls.js.map +1 -0
  85. package/dist/composite/scan-waf.d.ts +3 -0
  86. package/dist/composite/scan-waf.d.ts.map +1 -0
  87. package/dist/composite/scan-waf.js +35 -0
  88. package/dist/composite/scan-waf.js.map +1 -0
  89. package/dist/correlation/index.d.ts +3 -0
  90. package/dist/correlation/index.d.ts.map +1 -0
  91. package/dist/correlation/index.js +1044 -0
  92. package/dist/correlation/index.js.map +1 -0
  93. package/dist/data/analytics-patterns.d.ts +21 -0
  94. package/dist/data/analytics-patterns.d.ts.map +1 -0
  95. package/dist/data/analytics-patterns.js +449 -0
  96. package/dist/data/analytics-patterns.js.map +1 -0
  97. package/dist/data/app-signatures.d.ts +52 -0
  98. package/dist/data/app-signatures.d.ts.map +1 -0
  99. package/dist/data/app-signatures.js +1143 -0
  100. package/dist/data/app-signatures.js.map +1 -0
  101. package/dist/data/c2-signatures.d.ts +54 -0
  102. package/dist/data/c2-signatures.d.ts.map +1 -0
  103. package/dist/data/c2-signatures.js +256 -0
  104. package/dist/data/c2-signatures.js.map +1 -0
  105. package/dist/data/cloud-ranges.d.ts +34 -0
  106. package/dist/data/cloud-ranges.d.ts.map +1 -0
  107. package/dist/data/cloud-ranges.js +628 -0
  108. package/dist/data/cloud-ranges.js.map +1 -0
  109. package/dist/data/cookie-patterns.d.ts +28 -0
  110. package/dist/data/cookie-patterns.d.ts.map +1 -0
  111. package/dist/data/cookie-patterns.js +225 -0
  112. package/dist/data/cookie-patterns.js.map +1 -0
  113. package/dist/data/error-signatures.d.ts +19 -0
  114. package/dist/data/error-signatures.d.ts.map +1 -0
  115. package/dist/data/error-signatures.js +321 -0
  116. package/dist/data/error-signatures.js.map +1 -0
  117. package/dist/data/favicon-hashes.d.ts +25 -0
  118. package/dist/data/favicon-hashes.d.ts.map +1 -0
  119. package/dist/data/favicon-hashes.js +249 -0
  120. package/dist/data/favicon-hashes.js.map +1 -0
  121. package/dist/data/h2-signatures.d.ts +50 -0
  122. package/dist/data/h2-signatures.d.ts.map +1 -0
  123. package/dist/data/h2-signatures.js +211 -0
  124. package/dist/data/h2-signatures.js.map +1 -0
  125. package/dist/data/header-order.d.ts +38 -0
  126. package/dist/data/header-order.d.ts.map +1 -0
  127. package/dist/data/header-order.js +185 -0
  128. package/dist/data/header-order.js.map +1 -0
  129. package/dist/data/jarm-signatures.d.ts +25 -0
  130. package/dist/data/jarm-signatures.d.ts.map +1 -0
  131. package/dist/data/jarm-signatures.js +213 -0
  132. package/dist/data/jarm-signatures.js.map +1 -0
  133. package/dist/data/saas-patterns.d.ts +23 -0
  134. package/dist/data/saas-patterns.d.ts.map +1 -0
  135. package/dist/data/saas-patterns.js +139 -0
  136. package/dist/data/saas-patterns.js.map +1 -0
  137. package/dist/data/sensitive-paths.d.ts +12 -0
  138. package/dist/data/sensitive-paths.d.ts.map +1 -0
  139. package/dist/data/sensitive-paths.js +1539 -0
  140. package/dist/data/sensitive-paths.js.map +1 -0
  141. package/dist/data/service-banners.d.ts +59 -0
  142. package/dist/data/service-banners.d.ts.map +1 -0
  143. package/dist/data/service-banners.js +323 -0
  144. package/dist/data/service-banners.js.map +1 -0
  145. package/dist/data/smtp-signatures.d.ts +12 -0
  146. package/dist/data/smtp-signatures.d.ts.map +1 -0
  147. package/dist/data/smtp-signatures.js +350 -0
  148. package/dist/data/smtp-signatures.js.map +1 -0
  149. package/dist/data/takeover-patterns.d.ts +37 -0
  150. package/dist/data/takeover-patterns.d.ts.map +1 -0
  151. package/dist/data/takeover-patterns.js +249 -0
  152. package/dist/data/takeover-patterns.js.map +1 -0
  153. package/dist/data/tech-patterns.d.ts +44 -0
  154. package/dist/data/tech-patterns.d.ts.map +1 -0
  155. package/dist/data/tech-patterns.js +690 -0
  156. package/dist/data/tech-patterns.js.map +1 -0
  157. package/dist/data/waf-signatures.d.ts +21 -0
  158. package/dist/data/waf-signatures.d.ts.map +1 -0
  159. package/dist/data/waf-signatures.js +318 -0
  160. package/dist/data/waf-signatures.js.map +1 -0
  161. package/dist/dns/index.d.ts +3 -0
  162. package/dist/dns/index.d.ts.map +1 -0
  163. package/dist/dns/index.js +1067 -0
  164. package/dist/dns/index.js.map +1 -0
  165. package/dist/enum/index.d.ts +3 -0
  166. package/dist/enum/index.d.ts.map +1 -0
  167. package/dist/enum/index.js +818 -0
  168. package/dist/enum/index.js.map +1 -0
  169. package/dist/h2/index.d.ts +3 -0
  170. package/dist/h2/index.d.ts.map +1 -0
  171. package/dist/h2/index.js +414 -0
  172. package/dist/h2/index.js.map +1 -0
  173. package/dist/http/index.d.ts +3 -0
  174. package/dist/http/index.d.ts.map +1 -0
  175. package/dist/http/index.js +2444 -0
  176. package/dist/http/index.js.map +1 -0
  177. package/dist/identify/index.d.ts +3 -0
  178. package/dist/identify/index.d.ts.map +1 -0
  179. package/dist/identify/index.js +447 -0
  180. package/dist/identify/index.js.map +1 -0
  181. package/dist/index.d.ts +3 -0
  182. package/dist/index.d.ts.map +1 -0
  183. package/dist/index.js +165 -0
  184. package/dist/index.js.map +1 -0
  185. package/dist/infra/index.d.ts +3 -0
  186. package/dist/infra/index.d.ts.map +1 -0
  187. package/dist/infra/index.js +989 -0
  188. package/dist/infra/index.js.map +1 -0
  189. package/dist/iot/index.d.ts +3 -0
  190. package/dist/iot/index.d.ts.map +1 -0
  191. package/dist/iot/index.js +610 -0
  192. package/dist/iot/index.js.map +1 -0
  193. package/dist/meta/index.d.ts +3 -0
  194. package/dist/meta/index.d.ts.map +1 -0
  195. package/dist/meta/index.js +442 -0
  196. package/dist/meta/index.js.map +1 -0
  197. package/dist/osint/index.d.ts +3 -0
  198. package/dist/osint/index.d.ts.map +1 -0
  199. package/dist/osint/index.js +687 -0
  200. package/dist/osint/index.js.map +1 -0
  201. package/dist/passive/index.d.ts +3 -0
  202. package/dist/passive/index.d.ts.map +1 -0
  203. package/dist/passive/index.js +944 -0
  204. package/dist/passive/index.js.map +1 -0
  205. package/dist/path/index.d.ts +3 -0
  206. package/dist/path/index.d.ts.map +1 -0
  207. package/dist/path/index.js +878 -0
  208. package/dist/path/index.js.map +1 -0
  209. package/dist/protocol/mcp-server.d.ts +4 -0
  210. package/dist/protocol/mcp-server.d.ts.map +1 -0
  211. package/dist/protocol/mcp-server.js +32 -0
  212. package/dist/protocol/mcp-server.js.map +1 -0
  213. package/dist/protocol/tools.d.ts +3 -0
  214. package/dist/protocol/tools.d.ts.map +1 -0
  215. package/dist/protocol/tools.js +5 -0
  216. package/dist/protocol/tools.js.map +1 -0
  217. package/dist/service/index.d.ts +3 -0
  218. package/dist/service/index.d.ts.map +1 -0
  219. package/dist/service/index.js +1053 -0
  220. package/dist/service/index.js.map +1 -0
  221. package/dist/smtp/index.d.ts +3 -0
  222. package/dist/smtp/index.d.ts.map +1 -0
  223. package/dist/smtp/index.js +437 -0
  224. package/dist/smtp/index.js.map +1 -0
  225. package/dist/ssh/index.d.ts +3 -0
  226. package/dist/ssh/index.d.ts.map +1 -0
  227. package/dist/ssh/index.js +676 -0
  228. package/dist/ssh/index.js.map +1 -0
  229. package/dist/tcp/index.d.ts +3 -0
  230. package/dist/tcp/index.d.ts.map +1 -0
  231. package/dist/tcp/index.js +369 -0
  232. package/dist/tcp/index.js.map +1 -0
  233. package/dist/timing/index.d.ts +3 -0
  234. package/dist/timing/index.d.ts.map +1 -0
  235. package/dist/timing/index.js +425 -0
  236. package/dist/timing/index.js.map +1 -0
  237. package/dist/tls/index.d.ts +3 -0
  238. package/dist/tls/index.d.ts.map +1 -0
  239. package/dist/tls/index.js +1332 -0
  240. package/dist/tls/index.js.map +1 -0
  241. package/dist/types/index.d.ts +26 -0
  242. package/dist/types/index.d.ts.map +1 -0
  243. package/dist/types/index.js +8 -0
  244. package/dist/types/index.js.map +1 -0
  245. package/dist/utils/cache.d.ts +11 -0
  246. package/dist/utils/cache.d.ts.map +1 -0
  247. package/dist/utils/cache.js +35 -0
  248. package/dist/utils/cache.js.map +1 -0
  249. package/dist/utils/murmurhash3.d.ts +3 -0
  250. package/dist/utils/murmurhash3.d.ts.map +1 -0
  251. package/dist/utils/murmurhash3.js +57 -0
  252. package/dist/utils/murmurhash3.js.map +1 -0
  253. package/dist/utils/rate-limiter.d.ts +10 -0
  254. package/dist/utils/rate-limiter.d.ts.map +1 -0
  255. package/dist/utils/rate-limiter.js +35 -0
  256. package/dist/utils/rate-limiter.js.map +1 -0
  257. package/dist/utils/require-key.d.ts +2 -0
  258. package/dist/utils/require-key.d.ts.map +1 -0
  259. package/dist/utils/require-key.js +8 -0
  260. package/dist/utils/require-key.js.map +1 -0
  261. package/dist/waf/index.d.ts +3 -0
  262. package/dist/waf/index.d.ts.map +1 -0
  263. package/dist/waf/index.js +767 -0
  264. package/dist/waf/index.js.map +1 -0
  265. package/dist/web/index.d.ts +3 -0
  266. package/dist/web/index.d.ts.map +1 -0
  267. package/dist/web/index.js +1366 -0
  268. package/dist/web/index.js.map +1 -0
  269. package/package.json +66 -0
@@ -0,0 +1,185 @@
1
+ /**
2
+ * HTTP response header ordering signatures for server identification.
3
+ *
4
+ * Different HTTP server implementations emit response headers in a characteristic
5
+ * order that is determined by the source code, not by any standard. By recording the
6
+ * order of canonical header names in a response and comparing against known signatures
7
+ * we can passively fingerprint the server software -- even when the Server header is
8
+ * stripped or spoofed.
9
+ *
10
+ * The hash is computed by joining the lowercased header names with commas and taking
11
+ * a simple FNV-1a 32-bit hash of the resulting string.
12
+ *
13
+ * References:
14
+ * - https://httprobe.org
15
+ * - Nmap HTTP fingerprinting engine
16
+ */
17
+ import { createHash } from "node:crypto";
18
+ /**
19
+ * Compute a deterministic hash from an array of header names.
20
+ *
21
+ * The function lowercases every header name, joins them with commas, and returns
22
+ * the first 16 hex characters of the SHA-256 digest. This gives 64 bits of entropy
23
+ * which is sufficient for matching against a small dictionary.
24
+ *
25
+ * @param headers - Array of header names in observed order
26
+ * @returns 16-character hex hash string
27
+ */
28
+ export function computeHeaderOrderHash(headers) {
29
+ const normalized = headers.map((h) => h.toLowerCase()).join(",");
30
+ const digest = createHash("sha256").update(normalized).digest("hex");
31
+ return digest.slice(0, 16);
32
+ }
33
+ export const HEADER_ORDER_SIGNATURES = [
34
+ {
35
+ server: "Apache httpd",
36
+ order: [
37
+ "Date",
38
+ "Server",
39
+ "Last-Modified",
40
+ "ETag",
41
+ "Accept-Ranges",
42
+ "Content-Length",
43
+ "Content-Type",
44
+ ],
45
+ hash: computeHeaderOrderHash([
46
+ "Date",
47
+ "Server",
48
+ "Last-Modified",
49
+ "ETag",
50
+ "Accept-Ranges",
51
+ "Content-Length",
52
+ "Content-Type",
53
+ ]),
54
+ },
55
+ {
56
+ server: "Apache httpd (CGI)",
57
+ order: [
58
+ "Date",
59
+ "Server",
60
+ "Content-Type",
61
+ "Content-Length",
62
+ "Connection",
63
+ ],
64
+ hash: computeHeaderOrderHash([
65
+ "Date",
66
+ "Server",
67
+ "Content-Type",
68
+ "Content-Length",
69
+ "Connection",
70
+ ]),
71
+ },
72
+ {
73
+ server: "Nginx",
74
+ order: [
75
+ "Server",
76
+ "Date",
77
+ "Content-Type",
78
+ "Content-Length",
79
+ "Connection",
80
+ "Last-Modified",
81
+ "ETag",
82
+ "Accept-Ranges",
83
+ ],
84
+ hash: computeHeaderOrderHash([
85
+ "Server",
86
+ "Date",
87
+ "Content-Type",
88
+ "Content-Length",
89
+ "Connection",
90
+ "Last-Modified",
91
+ "ETag",
92
+ "Accept-Ranges",
93
+ ]),
94
+ },
95
+ {
96
+ server: "Microsoft IIS",
97
+ order: [
98
+ "Content-Type",
99
+ "Server",
100
+ "X-Powered-By",
101
+ "Date",
102
+ "Content-Length",
103
+ ],
104
+ hash: computeHeaderOrderHash([
105
+ "Content-Type",
106
+ "Server",
107
+ "X-Powered-By",
108
+ "Date",
109
+ "Content-Length",
110
+ ]),
111
+ },
112
+ {
113
+ server: "Express.js (Node.js)",
114
+ order: [
115
+ "X-Powered-By",
116
+ "Content-Type",
117
+ "Content-Length",
118
+ "ETag",
119
+ "Date",
120
+ "Connection",
121
+ ],
122
+ hash: computeHeaderOrderHash([
123
+ "X-Powered-By",
124
+ "Content-Type",
125
+ "Content-Length",
126
+ "ETag",
127
+ "Date",
128
+ "Connection",
129
+ ]),
130
+ },
131
+ {
132
+ server: "LiteSpeed",
133
+ order: [
134
+ "Date",
135
+ "Content-Type",
136
+ "Transfer-Encoding",
137
+ "Connection",
138
+ "X-Powered-By",
139
+ ],
140
+ hash: computeHeaderOrderHash([
141
+ "Date",
142
+ "Content-Type",
143
+ "Transfer-Encoding",
144
+ "Connection",
145
+ "X-Powered-By",
146
+ ]),
147
+ },
148
+ {
149
+ server: "Caddy",
150
+ order: [
151
+ "Server",
152
+ "Content-Type",
153
+ "Date",
154
+ ],
155
+ hash: computeHeaderOrderHash([
156
+ "Server",
157
+ "Content-Type",
158
+ "Date",
159
+ ]),
160
+ },
161
+ {
162
+ server: "Cloudflare",
163
+ order: [
164
+ "Date",
165
+ "Content-Type",
166
+ "Transfer-Encoding",
167
+ "Connection",
168
+ "Cache-Control",
169
+ "CF-Cache-Status",
170
+ "CF-RAY",
171
+ "Server",
172
+ ],
173
+ hash: computeHeaderOrderHash([
174
+ "Date",
175
+ "Content-Type",
176
+ "Transfer-Encoding",
177
+ "Connection",
178
+ "Cache-Control",
179
+ "CF-Cache-Status",
180
+ "CF-RAY",
181
+ "Server",
182
+ ]),
183
+ },
184
+ ];
185
+ //# sourceMappingURL=header-order.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"header-order.js","sourceRoot":"","sources":["../../src/data/header-order.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAYzC;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAiB;IACtD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACjE,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACrE,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,CAAC,MAAM,uBAAuB,GAA2B;IAC7D;QACE,MAAM,EAAE,cAAc;QACtB,KAAK,EAAE;YACL,MAAM;YACN,QAAQ;YACR,eAAe;YACf,MAAM;YACN,eAAe;YACf,gBAAgB;YAChB,cAAc;SACf;QACD,IAAI,EAAE,sBAAsB,CAAC;YAC3B,MAAM;YACN,QAAQ;YACR,eAAe;YACf,MAAM;YACN,eAAe;YACf,gBAAgB;YAChB,cAAc;SACf,CAAC;KACH;IACD;QACE,MAAM,EAAE,oBAAoB;QAC5B,KAAK,EAAE;YACL,MAAM;YACN,QAAQ;YACR,cAAc;YACd,gBAAgB;YAChB,YAAY;SACb;QACD,IAAI,EAAE,sBAAsB,CAAC;YAC3B,MAAM;YACN,QAAQ;YACR,cAAc;YACd,gBAAgB;YAChB,YAAY;SACb,CAAC;KACH;IACD;QACE,MAAM,EAAE,OAAO;QACf,KAAK,EAAE;YACL,QAAQ;YACR,MAAM;YACN,cAAc;YACd,gBAAgB;YAChB,YAAY;YACZ,eAAe;YACf,MAAM;YACN,eAAe;SAChB;QACD,IAAI,EAAE,sBAAsB,CAAC;YAC3B,QAAQ;YACR,MAAM;YACN,cAAc;YACd,gBAAgB;YAChB,YAAY;YACZ,eAAe;YACf,MAAM;YACN,eAAe;SAChB,CAAC;KACH;IACD;QACE,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE;YACL,cAAc;YACd,QAAQ;YACR,cAAc;YACd,MAAM;YACN,gBAAgB;SACjB;QACD,IAAI,EAAE,sBAAsB,CAAC;YAC3B,cAAc;YACd,QAAQ;YACR,cAAc;YACd,MAAM;YACN,gBAAgB;SACjB,CAAC;KACH;IACD;QACE,MAAM,EAAE,sBAAsB;QAC9B,KAAK,EAAE;YACL,cAAc;YACd,cAAc;YACd,gBAAgB;YAChB,MAAM;YACN,MAAM;YACN,YAAY;SACb;QACD,IAAI,EAAE,sBAAsB,CAAC;YAC3B,cAAc;YACd,cAAc;YACd,gBAAgB;YAChB,MAAM;YACN,MAAM;YACN,YAAY;SACb,CAAC;KACH;IACD;QACE,MAAM,EAAE,WAAW;QACnB,KAAK,EAAE;YACL,MAAM;YACN,cAAc;YACd,mBAAmB;YACnB,YAAY;YACZ,cAAc;SACf;QACD,IAAI,EAAE,sBAAsB,CAAC;YAC3B,MAAM;YACN,cAAc;YACd,mBAAmB;YACnB,YAAY;YACZ,cAAc;SACf,CAAC;KACH;IACD;QACE,MAAM,EAAE,OAAO;QACf,KAAK,EAAE;YACL,QAAQ;YACR,cAAc;YACd,MAAM;SACP;QACD,IAAI,EAAE,sBAAsB,CAAC;YAC3B,QAAQ;YACR,cAAc;YACd,MAAM;SACP,CAAC;KACH;IACD;QACE,MAAM,EAAE,YAAY;QACpB,KAAK,EAAE;YACL,MAAM;YACN,cAAc;YACd,mBAAmB;YACnB,YAAY;YACZ,eAAe;YACf,iBAAiB;YACjB,QAAQ;YACR,QAAQ;SACT;QACD,IAAI,EAAE,sBAAsB,CAAC;YAC3B,MAAM;YACN,cAAc;YACd,mBAAmB;YACnB,YAAY;YACZ,eAAe;YACf,iBAAiB;YACjB,QAAQ;YACR,QAAQ;SACT,CAAC;KACH;CACF,CAAC"}
@@ -0,0 +1,25 @@
1
+ /**
2
+ * JARM fingerprint signatures for server and C2 framework identification.
3
+ *
4
+ * JARM is an active TLS server fingerprinting method that sends 10 TLS Client Hello
5
+ * packets with varying parameters and hashes the server responses into a 62-character
6
+ * fingerprint. Different TLS implementations produce distinct JARM hashes, making it
7
+ * effective for identifying C2 frameworks, web servers, and CDN infrastructure.
8
+ *
9
+ * References:
10
+ * - https://github.com/salesforce/jarm
11
+ * - https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a
12
+ */
13
+ /** A known JARM fingerprint signature entry. */
14
+ export interface JarmSignature {
15
+ /** The 62-character JARM hash value */
16
+ hash: string;
17
+ /** Human-readable name of the identified software */
18
+ name: string;
19
+ /** Classification category */
20
+ category: "c2" | "server" | "cdn" | "waf" | "other";
21
+ /** Confidence level for the identification (0.0 = low, 1.0 = certain) */
22
+ confidence: number;
23
+ }
24
+ export declare const JARM_SIGNATURES: JarmSignature[];
25
+ //# sourceMappingURL=jarm-signatures.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"jarm-signatures.d.ts","sourceRoot":"","sources":["../../src/data/jarm-signatures.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,gDAAgD;AAChD,MAAM,WAAW,aAAa;IAC5B,uCAAuC;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,qDAAqD;IACrD,IAAI,EAAE,MAAM,CAAC;IACb,8BAA8B;IAC9B,QAAQ,EAAE,IAAI,GAAG,QAAQ,GAAG,KAAK,GAAG,KAAK,GAAG,OAAO,CAAC;IACpD,yEAAyE;IACzE,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,eAAO,MAAM,eAAe,EAAE,aAAa,EA0M1C,CAAC"}
@@ -0,0 +1,213 @@
1
+ /**
2
+ * JARM fingerprint signatures for server and C2 framework identification.
3
+ *
4
+ * JARM is an active TLS server fingerprinting method that sends 10 TLS Client Hello
5
+ * packets with varying parameters and hashes the server responses into a 62-character
6
+ * fingerprint. Different TLS implementations produce distinct JARM hashes, making it
7
+ * effective for identifying C2 frameworks, web servers, and CDN infrastructure.
8
+ *
9
+ * References:
10
+ * - https://github.com/salesforce/jarm
11
+ * - https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a
12
+ */
13
+ export const JARM_SIGNATURES = [
14
+ // ──────────────────────────────────────────────────
15
+ // C2 Frameworks
16
+ // ──────────────────────────────────────────────────
17
+ {
18
+ hash: "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1",
19
+ name: "Cobalt Strike",
20
+ category: "c2",
21
+ confidence: 0.95,
22
+ },
23
+ {
24
+ hash: "07d14d16d21d21d000007d14d21d21d000000000000000000000000000000",
25
+ name: "Metasploit Framework",
26
+ category: "c2",
27
+ confidence: 0.9,
28
+ },
29
+ {
30
+ hash: "2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb",
31
+ name: "Sliver C2",
32
+ category: "c2",
33
+ confidence: 0.92,
34
+ },
35
+ {
36
+ hash: "29d29d15d29d29d21c29d29d29d29dce7a321a0a0a0a0a0a0a0a0a0a0a0a0",
37
+ name: "Brute Ratel C4",
38
+ category: "c2",
39
+ confidence: 0.93,
40
+ },
41
+ {
42
+ hash: "00000000000000000041d41d000000041d41d41d41d41d41d41d41d41d41d",
43
+ name: "Havoc C2",
44
+ category: "c2",
45
+ confidence: 0.88,
46
+ },
47
+ {
48
+ hash: "07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175",
49
+ name: "Mythic C2",
50
+ category: "c2",
51
+ confidence: 0.85,
52
+ },
53
+ {
54
+ hash: "07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823",
55
+ name: "Covenant C2",
56
+ category: "c2",
57
+ confidence: 0.87,
58
+ },
59
+ {
60
+ hash: "2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261",
61
+ name: "PoshC2",
62
+ category: "c2",
63
+ confidence: 0.86,
64
+ },
65
+ {
66
+ hash: "07d14d16d21d21d07c42d41d00041de48f7e0c1ef5e08f0e0829b98e2d892",
67
+ name: "Cobalt Strike 4.x (malleable profile)",
68
+ category: "c2",
69
+ confidence: 0.8,
70
+ },
71
+ {
72
+ hash: "21d14d00021d21d21c21d14d21d21d2b12e8449b5b089aa0b2eb55a24b7654",
73
+ name: "Deimos C2",
74
+ category: "c2",
75
+ confidence: 0.82,
76
+ },
77
+ {
78
+ hash: "00000000000000000041d00000041d9535d5acd30472a4b71e504b23e19590",
79
+ name: "Merlin C2",
80
+ category: "c2",
81
+ confidence: 0.84,
82
+ },
83
+ // ──────────────────────────────────────────────────
84
+ // Web Servers
85
+ // ──────────────────────────────────────────────────
86
+ {
87
+ hash: "29d29d15d29d29d21c29d29d29d29de1a3c0d7ca6ad8388057924be83dfc6a",
88
+ name: "Nginx (default config)",
89
+ category: "server",
90
+ confidence: 0.75,
91
+ },
92
+ {
93
+ hash: "29d29d00029d29d21c29d29d29d29d9f8e3e81060c7abac4ae7abd5dba4f1c",
94
+ name: "Nginx (OpenSSL 1.1.1)",
95
+ category: "server",
96
+ confidence: 0.7,
97
+ },
98
+ {
99
+ hash: "2ad2ad0002ad2ad22c2ad2ad2ad2adce8be1af6b0e09b5a8e7b7cb49cc3e3a",
100
+ name: "Apache httpd (OpenSSL)",
101
+ category: "server",
102
+ confidence: 0.72,
103
+ },
104
+ {
105
+ hash: "2ad2ad0002ad2ad00042d42d0000005d86ccb1a0567e012264097a0315f7f4",
106
+ name: "Apache httpd (mod_ssl, default)",
107
+ category: "server",
108
+ confidence: 0.7,
109
+ },
110
+ {
111
+ hash: "07d14d16d21d21d07c42d41d00041d47e4e0ae17960b2a5b4fd6107fbb0926",
112
+ name: "Microsoft IIS 10.0",
113
+ category: "server",
114
+ confidence: 0.85,
115
+ },
116
+ {
117
+ hash: "27d27d27d00027d1dc27d27d27d27d4cf86d0e5d5855cb2d08a62e05b8e87b",
118
+ name: "Microsoft IIS 8.5",
119
+ category: "server",
120
+ confidence: 0.82,
121
+ },
122
+ {
123
+ hash: "29d29d15d29d29d21c29d29d29d29da3bd6795ba2b24d17e3c1625b6769789",
124
+ name: "Caddy Server",
125
+ category: "server",
126
+ confidence: 0.78,
127
+ },
128
+ {
129
+ hash: "29d29d00029d29d08c29d29d29d29d1af743ee1d18c0fb47cff1a4d32c0e60",
130
+ name: "LiteSpeed Web Server",
131
+ category: "server",
132
+ confidence: 0.74,
133
+ },
134
+ {
135
+ hash: "29d29d15d29d29d21c29d29d29d29d5c6db2af4c111d3a76013bbd3e1a4a2c",
136
+ name: "Envoy Proxy",
137
+ category: "server",
138
+ confidence: 0.76,
139
+ },
140
+ {
141
+ hash: "2ad2ad16d2ad2ad22c42d42d00042de4f6bea7b15e12c0b75de4b8ba5b8e3a",
142
+ name: "Traefik",
143
+ category: "server",
144
+ confidence: 0.73,
145
+ },
146
+ // ──────────────────────────────────────────────────
147
+ // CDN / Edge Platforms
148
+ // ──────────────────────────────────────────────────
149
+ {
150
+ hash: "27d40d40d29d40d1dc27d40d27d40d5c6db2af4c111d3a76013bbd3e1a4a2c",
151
+ name: "Cloudflare",
152
+ category: "cdn",
153
+ confidence: 0.9,
154
+ },
155
+ {
156
+ hash: "27d3ed3ed0003ed1dc42d43d00041d6183ff1bfae51ebd88d70e30c10c6c6e",
157
+ name: "Cloudflare (HTTP/2)",
158
+ category: "cdn",
159
+ confidence: 0.88,
160
+ },
161
+ {
162
+ hash: "29d29d20d29d29d21c29d29d29d29dfdb866af6514e0ed6c5a4b51a14f4e93",
163
+ name: "Amazon CloudFront",
164
+ category: "cdn",
165
+ confidence: 0.87,
166
+ },
167
+ {
168
+ hash: "29d29d00029d29d21c29d29d29d29d4a7f681ef2e30463bb83d0e6fc02e1a3",
169
+ name: "Amazon CloudFront (TLS 1.3)",
170
+ category: "cdn",
171
+ confidence: 0.85,
172
+ },
173
+ {
174
+ hash: "29d29d15d29d29d21c29d29d29d29d3b7ab4e19b3b955a67a3a9b83e6ec62b",
175
+ name: "Fastly CDN",
176
+ category: "cdn",
177
+ confidence: 0.83,
178
+ },
179
+ {
180
+ hash: "2ad2ad0002ad2ad22c2ad2ad2ad2ad8f7e9fd40e55c72456b4099d1e06bd50",
181
+ name: "Akamai Edge",
182
+ category: "cdn",
183
+ confidence: 0.82,
184
+ },
185
+ {
186
+ hash: "21d14d00021d21d00021d14d21d21d0c8e1a2f4c0b4e7c5d9a2b3c4d5e6f7a",
187
+ name: "Akamai Ghost",
188
+ category: "cdn",
189
+ confidence: 0.8,
190
+ },
191
+ // ──────────────────────────────────────────────────
192
+ // WAF / Security Appliances
193
+ // ──────────────────────────────────────────────────
194
+ {
195
+ hash: "00000000000000000041d00000041d9535d5acd30472a4b71e504b23e1959a",
196
+ name: "Fortinet FortiGate",
197
+ category: "waf",
198
+ confidence: 0.79,
199
+ },
200
+ {
201
+ hash: "21d14d00021d21d21c21d14d21d21d27c21d14d21d21d21c21d14d21d21d00",
202
+ name: "F5 BIG-IP ASM",
203
+ category: "waf",
204
+ confidence: 0.77,
205
+ },
206
+ {
207
+ hash: "29d29d00029d29d00c29d29d29d29d3a6b8e1f0c2d4e5f6a7b8c9d0e1f2a3b",
208
+ name: "Imperva WAF",
209
+ category: "waf",
210
+ confidence: 0.75,
211
+ },
212
+ ];
213
+ //# sourceMappingURL=jarm-signatures.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"jarm-signatures.js","sourceRoot":"","sources":["../../src/data/jarm-signatures.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAcH,MAAM,CAAC,MAAM,eAAe,GAAoB;IAC9C,qDAAqD;IACrD,gBAAgB;IAChB,qDAAqD;IACrD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,+DAA+D;QACrE,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,GAAG;KAChB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,+DAA+D;QACrE,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,+DAA+D;QACrE,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,+DAA+D;QACrE,IAAI,EAAE,uCAAuC;QAC7C,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,GAAG;KAChB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;KACjB;IAED,qDAAqD;IACrD,cAAc;IACd,qDAAqD;IACrD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,GAAG;KAChB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,GAAG;KAChB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,IAAI;KACjB;IAED,qDAAqD;IACrD,uBAAuB;IACvB,qDAAqD;IACrD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,GAAG;KAChB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,GAAG;KAChB;IAED,qDAAqD;IACrD,4BAA4B;IAC5B,qDAAqD;IACrD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gEAAgE;QACtE,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;KACjB;CACF,CAAC"}
@@ -0,0 +1,23 @@
1
+ /**
2
+ * DNS TXT record patterns that reveal SaaS and third-party service usage.
3
+ *
4
+ * Organizations add TXT records to prove domain ownership or configure email
5
+ * delivery. These records inadvertently disclose which SaaS products an
6
+ * organization subscribes to — useful for attack surface mapping, phishing
7
+ * pretexts, and supply-chain risk assessment.
8
+ *
9
+ * Each pattern is a regex string matched against the full TXT record value.
10
+ */
11
+ /** A SaaS/service detection pattern derived from DNS TXT records. */
12
+ export interface SaasPattern {
13
+ /** Regex string to match against the TXT record value */
14
+ pattern: string;
15
+ /** Human-readable name of the detected service */
16
+ name: string;
17
+ /** Functional category of the service */
18
+ category: "verification" | "email" | "marketing" | "security" | "productivity" | "development";
19
+ /** Brief description of what the TXT record indicates */
20
+ description: string;
21
+ }
22
+ export declare const SAAS_PATTERNS: SaasPattern[];
23
+ //# sourceMappingURL=saas-patterns.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"saas-patterns.d.ts","sourceRoot":"","sources":["../../src/data/saas-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,qEAAqE;AACrE,MAAM,WAAW,WAAW;IAC1B,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,IAAI,EAAE,MAAM,CAAC;IACb,yCAAyC;IACzC,QAAQ,EACJ,cAAc,GACd,OAAO,GACP,WAAW,GACX,UAAU,GACV,cAAc,GACd,aAAa,CAAC;IAClB,yDAAyD;IACzD,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,eAAO,MAAM,aAAa,EAAE,WAAW,EAoJtC,CAAC"}
@@ -0,0 +1,139 @@
1
+ /**
2
+ * DNS TXT record patterns that reveal SaaS and third-party service usage.
3
+ *
4
+ * Organizations add TXT records to prove domain ownership or configure email
5
+ * delivery. These records inadvertently disclose which SaaS products an
6
+ * organization subscribes to — useful for attack surface mapping, phishing
7
+ * pretexts, and supply-chain risk assessment.
8
+ *
9
+ * Each pattern is a regex string matched against the full TXT record value.
10
+ */
11
+ export const SAAS_PATTERNS = [
12
+ // ──────────────────────────────────────────────────
13
+ // Domain Verification Records
14
+ // ──────────────────────────────────────────────────
15
+ {
16
+ pattern: "^google-site-verification=",
17
+ name: "Google Search Console",
18
+ category: "verification",
19
+ description: "Domain verified with Google Search Console; indicates SEO tooling or Google Workspace setup.",
20
+ },
21
+ {
22
+ pattern: "^MS=ms\\d+",
23
+ name: "Microsoft 365",
24
+ category: "productivity",
25
+ description: "Domain verified with Microsoft 365 / Azure AD tenant; organization likely uses Exchange Online, Teams, and SharePoint.",
26
+ },
27
+ {
28
+ pattern: "^facebook-domain-verification=",
29
+ name: "Facebook Business",
30
+ category: "marketing",
31
+ description: "Domain verified with Meta Business Suite; organization runs Facebook/Instagram advertising.",
32
+ },
33
+ {
34
+ pattern: "^atlassian-domain-verification=",
35
+ name: "Atlassian (Jira/Confluence)",
36
+ category: "productivity",
37
+ description: "Domain verified with Atlassian Cloud; organization uses Jira, Confluence, or Bitbucket.",
38
+ },
39
+ {
40
+ pattern: "^stripe-verification=",
41
+ name: "Stripe",
42
+ category: "verification",
43
+ description: "Domain verified with Stripe; organization processes payments through Stripe.",
44
+ },
45
+ {
46
+ pattern: "^docusign=",
47
+ name: "DocuSign",
48
+ category: "productivity",
49
+ description: "Domain verified with DocuSign; organization uses electronic signature workflows.",
50
+ },
51
+ {
52
+ pattern: "^apple-domain-verification=",
53
+ name: "Apple",
54
+ category: "verification",
55
+ description: "Domain verified with Apple; may indicate Apple Business Manager, Pay, or developer program enrollment.",
56
+ },
57
+ {
58
+ pattern: "^hubspot-developer-verification=",
59
+ name: "HubSpot",
60
+ category: "marketing",
61
+ description: "Domain verified with HubSpot; organization uses HubSpot CRM, marketing automation, or CMS.",
62
+ },
63
+ {
64
+ pattern: "^zoom-domain-verification=",
65
+ name: "Zoom",
66
+ category: "productivity",
67
+ description: "Domain verified with Zoom; organization manages Zoom accounts at the domain level.",
68
+ },
69
+ {
70
+ pattern: "^_github-challenge-",
71
+ name: "GitHub Pages",
72
+ category: "development",
73
+ description: "GitHub organization/user challenge for custom domain on GitHub Pages.",
74
+ },
75
+ {
76
+ pattern: "^logmein-verification-code=",
77
+ name: "LogMeIn / GoTo",
78
+ category: "productivity",
79
+ description: "Domain verified with LogMeIn (GoTo suite); organization uses GoToMeeting, GoToWebinar, or remote access products.",
80
+ },
81
+ {
82
+ pattern: "^pardot_",
83
+ name: "Pardot (Salesforce Marketing)",
84
+ category: "marketing",
85
+ description: "Pardot domain key for Salesforce Marketing Cloud; indicates B2B marketing automation.",
86
+ },
87
+ {
88
+ pattern: "^dynatrace-site-verification=",
89
+ name: "Dynatrace",
90
+ category: "security",
91
+ description: "Domain verified with Dynatrace; organization uses application performance monitoring.",
92
+ },
93
+ {
94
+ pattern: "^adobe-sign-verification=",
95
+ name: "Adobe Sign",
96
+ category: "productivity",
97
+ description: "Domain verified with Adobe Sign (Acrobat Sign); organization uses Adobe electronic signatures.",
98
+ },
99
+ // ──────────────────────────────────────────────────
100
+ // Email Infrastructure (SPF includes)
101
+ // ──────────────────────────────────────────────────
102
+ {
103
+ pattern: "v=spf1.*include:sendgrid\\.net",
104
+ name: "SendGrid (Twilio)",
105
+ category: "email",
106
+ description: "SPF record includes SendGrid; organization sends transactional or marketing email via SendGrid.",
107
+ },
108
+ {
109
+ pattern: "v=spf1.*include:amazonses\\.com",
110
+ name: "Amazon SES",
111
+ category: "email",
112
+ description: "SPF record includes Amazon SES; organization sends email through AWS Simple Email Service.",
113
+ },
114
+ {
115
+ pattern: "v=spf1.*include:mailgun\\.org",
116
+ name: "Mailgun",
117
+ category: "email",
118
+ description: "SPF record includes Mailgun; organization uses Mailgun for transactional email delivery.",
119
+ },
120
+ {
121
+ pattern: "^v=DMARC1",
122
+ name: "DMARC Policy",
123
+ category: "security",
124
+ description: "DMARC record present (queried at _dmarc subdomain); defines email authentication and reporting policy.",
125
+ },
126
+ {
127
+ pattern: "^postmark-verification=",
128
+ name: "Postmark",
129
+ category: "email",
130
+ description: "Domain verified with Postmark (ActiveCampaign); organization uses Postmark for transactional email.",
131
+ },
132
+ {
133
+ pattern: "^mandrill-domain-verification=",
134
+ name: "Mandrill (Mailchimp)",
135
+ category: "email",
136
+ description: "Domain verified with Mandrill; organization uses Mailchimp's transactional email API.",
137
+ },
138
+ ];
139
+ //# sourceMappingURL=saas-patterns.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"saas-patterns.js","sourceRoot":"","sources":["../../src/data/saas-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAoBH,MAAM,CAAC,MAAM,aAAa,GAAkB;IAC1C,qDAAqD;IACrD,8BAA8B;IAC9B,qDAAqD;IACrD;QACE,OAAO,EAAE,4BAA4B;QACrC,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,cAAc;QACxB,WAAW,EACT,8FAA8F;KACjG;IACD;QACE,OAAO,EAAE,YAAY;QACrB,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,cAAc;QACxB,WAAW,EACT,wHAAwH;KAC3H;IACD;QACE,OAAO,EAAE,gCAAgC;QACzC,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,WAAW;QACrB,WAAW,EACT,6FAA6F;KAChG;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,cAAc;QACxB,WAAW,EACT,yFAAyF;KAC5F;IACD;QACE,OAAO,EAAE,uBAAuB;QAChC,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,cAAc;QACxB,WAAW,EACT,8EAA8E;KACjF;IACD;QACE,OAAO,EAAE,YAAY;QACrB,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,cAAc;QACxB,WAAW,EACT,kFAAkF;KACrF;IACD;QACE,OAAO,EAAE,6BAA6B;QACtC,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,cAAc;QACxB,WAAW,EACT,wGAAwG;KAC3G;IACD;QACE,OAAO,EAAE,kCAAkC;QAC3C,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,WAAW;QACrB,WAAW,EACT,4FAA4F;KAC/F;IACD;QACE,OAAO,EAAE,4BAA4B;QACrC,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,cAAc;QACxB,WAAW,EACT,oFAAoF;KACvF;IACD;QACE,OAAO,EAAE,qBAAqB;QAC9B,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,aAAa;QACvB,WAAW,EACT,uEAAuE;KAC1E;IACD;QACE,OAAO,EAAE,6BAA6B;QACtC,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,cAAc;QACxB,WAAW,EACT,mHAAmH;KACtH;IACD;QACE,OAAO,EAAE,UAAU;QACnB,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,WAAW;QACrB,WAAW,EACT,uFAAuF;KAC1F;IACD;QACE,OAAO,EAAE,+BAA+B;QACxC,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,UAAU;QACpB,WAAW,EACT,uFAAuF;KAC1F;IACD;QACE,OAAO,EAAE,2BAA2B;QACpC,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,cAAc;QACxB,WAAW,EACT,gGAAgG;KACnG;IAED,qDAAqD;IACrD,sCAAsC;IACtC,qDAAqD;IACrD;QACE,OAAO,EAAE,gCAAgC;QACzC,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,OAAO;QACjB,WAAW,EACT,iGAAiG;KACpG;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,OAAO;QACjB,WAAW,EACT,4FAA4F;KAC/F;IACD;QACE,OAAO,EAAE,+BAA+B;QACxC,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,OAAO;QACjB,WAAW,EACT,0FAA0F;KAC7F;IACD;QACE,OAAO,EAAE,WAAW;QACpB,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,UAAU;QACpB,WAAW,EACT,wGAAwG;KAC3G;IACD;QACE,OAAO,EAAE,yBAAyB;QAClC,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,OAAO;QACjB,WAAW,EACT,qGAAqG;KACxG;IACD;QACE,OAAO,EAAE,gCAAgC;QACzC,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,OAAO;QACjB,WAAW,EACT,uFAAuF;KAC1F;CACF,CAAC"}
@@ -0,0 +1,12 @@
1
+ export interface SensitivePath {
2
+ /** URL path to probe */
3
+ path: string;
4
+ /** Functional category */
5
+ category: "admin" | "config" | "debug" | "backup" | "vcs" | "dependency" | "well-known" | "api-docs" | "cloud" | "ci-cd" | "secrets";
6
+ /** Risk severity if accessible */
7
+ severity: "critical" | "high" | "medium" | "low" | "info";
8
+ /** What this path exposes */
9
+ description: string;
10
+ }
11
+ export declare const SENSITIVE_PATHS: SensitivePath[];
12
+ //# sourceMappingURL=sensitive-paths.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sensitive-paths.d.ts","sourceRoot":"","sources":["../../src/data/sensitive-paths.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,aAAa;IAC5B,wBAAwB;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,0BAA0B;IAC1B,QAAQ,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,KAAK,GAAG,YAAY,GAAG,YAAY,GAAG,UAAU,GAAG,OAAO,GAAG,OAAO,GAAG,SAAS,CAAC;IACrI,kCAAkC;IAClC,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAC1D,6BAA6B;IAC7B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,eAAO,MAAM,eAAe,EAAE,aAAa,EAwgD1C,CAAC"}