npm - honeyweb-core - Versions diffs - 1.0.1 → 1.0.2 - Mend

honeyweb-core 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/blocked-ips.json ADDED Viewed

File without changes

package/index.js CHANGED Viewed

@@ -1,4 +1,4 @@
-// honeyweb-core/index.js
+// honeyweb-core/index.js (V2 - Full Suite)
 const fs = require('fs-extra');
 const path = require('path');
 const cheerio = require('cheerio');
@@ -7,100 +7,191 @@ const { GoogleGenerativeAI } = require("@google/generative-ai");
 const DB_FILE = path.join(__dirname, 'blocked-ips.json');
 // ------------------------------------------------------
-// CONFIGURATION
+// 1. CONFIGURATION
 // ------------------------------------------------------
-// ⚠️ PASTE YOUR GOOGLE API KEY HERE
-const GOOGLE_API_KEY = 'YOUR_GOOGLE_API_KEY_HERE';
-const TRAP_PATHS = [
-    '/admin-backup-v2',
-    '/wp-login-hidden',
-    '/db-dump-2024',
-    '/auth/root-access',
-    '/sys/config-safe'
+const GOOGLE_API_KEY = process.env.HONEYWEB_API_KEY;
+if (!GOOGLE_API_KEY) {
+    console.error("⚠️ [HoneyWeb] Error: HONEYWEB_API_KEY is missing from environment variables.");
+}
+const TRAP_PATHS = ['/admin-backup-v2', '/wp-login-hidden', '/db-dump-2024', '/auth/root-access'];
+// Brute Force Config
+const RATE_LIMIT_WINDOW = 10000; // 10s
+const MAX_REQUESTS = 50;
+const trafficMap = new Map();
+// NEW: SQL Injection & XSS Patterns (The WAF)
+const MALICIOUS_PATTERNS = [
+    /(\%27)|(\')|(\-\-)|(\%23)|(#)/i,       // SQLi: ' -- #
+    /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i, // SQLi: = ' ;
+    /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/i, // SQLi: ' OR
+    /(<script>)/i,                          // XSS
+    /(alert\()/i                            // XSS
 ];
+// Ensure DB exists
 if (!fs.existsSync(DB_FILE)) { fs.writeJsonSync(DB_FILE, []); }
 // ------------------------------------------------------
-// AI REPORTING FUNCTION
+// 2. AI INTELLIGENCE
 // ------------------------------------------------------
-async function generateThreatReport(ip, userAgent, trapPath) {
-    // If you haven't pasted the key yet, skip AI to prevent crash
-    if (GOOGLE_API_KEY === 'YOUR_GOOGLE_API_KEY_HERE') {
-        console.log("⚠️  [HoneyWeb] No Google API Key found. Skipping AI Report.");
-        return;
-    }
-    console.log("🤖 [HoneyWeb] Asking Gemini to analyze the attack...");
+async function generateThreatReport(ip, userAgent, type, details) {
+    if (!GOOGLE_API_KEY || GOOGLE_API_KEY.includes('YOUR_KEY')) return;
+    console.log(`🤖 [HoneyWeb] Asking Gemini to analyze: ${type}...`);
     try {
         const genAI = new GoogleGenerativeAI(GOOGLE_API_KEY);
         const model = genAI.getGenerativeModel({ model: "gemini-2.5-flash" });
-        const prompt = `
-            You are a cybersecurity analyst. Analyze this bot attack caught by a honeypot.
-            Attack Details:
-            - IP Address: ${ip}
-            - User-Agent: ${userAgent}
-            - Trap Link Accessed: ${trapPath}
-            Please provide a 1-sentence summary of what kind of threat this is (e.g., reconnaissance, targeted scan) and what they were likely looking for.
-        `;
+        const prompt = `Cybersecurity Alert. Analyze this blocked attack.
+            Type: ${type} | IP: ${ip} | UA: ${userAgent} | Detail: ${details}
+            Respond in 1 sentence: What is the attacker trying to exploit?`;
         const result = await model.generateContent(prompt);
-        const report = result.response.text();
         console.log("\n📝 [HoneyWeb INTELLIGENCE REPORT]");
         console.log("---------------------------------------------------");
-        console.log(report.trim());
+        console.log(result.response.text().trim());
         console.log("---------------------------------------------------\n");
+    } catch (e) { console.error("❌ Gemini Error:", e.message); }
+}
-    } catch (error) {
-        // Detailed error logging to help you debug
-        console.error("❌ [HoneyWeb] Gemini Analysis Failed:", error.message);
+// ------------------------------------------------------
+// 3. HELPER: BAN SYSTEM
+// ------------------------------------------------------
+async function banIP(ip, reason) {
+    let list = [];
+    try { list = await fs.readJson(DB_FILE); } catch (e) {}
+    // Check if IP is already in the list (simple check)
+    const exists = list.some(entry => entry.ip === ip);
+    if (!exists) {
+        list.push({ ip, reason, date: new Date().toISOString() });
+        await fs.writeJson(DB_FILE, list);
+        console.log(`🚫 [HoneyWeb] BANNED IP: ${ip} | Reason: ${reason}`);
+        return true;
     }
+    return false;
 }
 // ------------------------------------------------------
-// MIDDLEWARE LOGIC
+// 4. MAIN MIDDLEWARE
 // ------------------------------------------------------
 function honeyWeb() {
     return async (req, res, next) => {
         const clientIP = req.ip || req.connection.remoteAddress;
+        const userAgent = req.headers['user-agent'] || 'Unknown';
+        // A. STATUS DASHBOARD
+        if (req.path === '/honeyweb-status') {
+            // Insert your own secret key here
+            // Usage: http://localhost:3000/honeyweb-status?key=admin123
+            if (req.query.key !== 'admin123') {
+                return res.status(404).send('Not Found'); // Pretend it doesn't exist
+            }
+            const list = await fs.readJson(DB_FILE);
+            return res.send(`
+                <html><body style="font-family:monospace; background:#222; color:#0f0; padding:20px;">
+                <h1>🛡️ HoneyWeb Active Defense Status</h1>
+                <p>Total Banned IPs: ${list.length}</p>
+                <table border="1" style="border-collapse:collapse; width:100%; color:#fff;">
+                <tr><th>IP</th><th>Reason</th><th>Time</th></tr>
+                ${list.map(i => `<tr><td>${i.ip}</td><td>${i.reason}</td><td>${i.date}</td></tr>`).join('')}
+                </table></body></html>
+            `);
+        }
-        // 1. Check Blocklist
-        let bannedIPs = [];
-        try { bannedIPs = await fs.readJson(DB_FILE); } catch (e) {}
+        // B. CHECK BLOCKLIST
+        let bannedList = [];
+        try { bannedList = await fs.readJson(DB_FILE); } catch (e) {}
+        if (bannedList.some(entry => entry.ip === clientIP)) {
+            return res.status(403).send('<h1>403 Forbidden</h1><p>Your IP is flagged by HoneyWeb.</p>');
+        }
-        if (bannedIPs.includes(clientIP)) {
-            return res.status(403).send('<h1>403 Forbidden</h1><p>Banned by HoneyWeb.</p>');
+        // C. ANTI-BRUTE FORCE (Rate Limit)
+        const now = Date.now();
+        if (!trafficMap.has(clientIP)) trafficMap.set(clientIP, { count: 1, start: now });
+        else {
+            const data = trafficMap.get(clientIP);
+            if (now - data.start > RATE_LIMIT_WINDOW) trafficMap.set(clientIP, { count: 1, start: now });
+            else {
+                data.count++;
+                if (data.count > MAX_REQUESTS) {
+                    if (await banIP(clientIP, "Brute Force (Rate Limit Exceeded)")) {
+                        generateThreatReport(clientIP, userAgent, "Volumetric Attack", `> ${MAX_REQUESTS} reqs/10s`);
+                    }
+                    return res.status(429).send('Too Many Requests');
+                }
+            }
         }
-        // 2. Check Trap
-        if (TRAP_PATHS.includes(req.path)) {
-            console.log(`[HoneyWeb] 🚨 TRAP TRIGGERED by ${clientIP}`);
-            if (!bannedIPs.includes(clientIP)) {
-                bannedIPs.push(clientIP);
-                await fs.writeJson(DB_FILE, bannedIPs);
+        // D. BAIT PARAMETER ANALYSIS (Smarter WAF)
+        const checkPayload = (str) => {
+            if (!str) return false;
+            return MALICIOUS_PATTERNS.some(regex => regex.test(str));
+        };
+        // Scan URL Query Params (?id=1 OR 1=1)
+        if (checkPayload(req.originalUrl)) {
+             if (await banIP(clientIP, "Malicious URL Payload")) {
+                generateThreatReport(clientIP, userAgent, "Injection Attack", `Dirty URL: ${req.originalUrl}`);
             }
+            return res.status(403).send('Forbidden');
+        }
-            // Trigger AI Analysis
-            generateThreatReport(clientIP, req.headers['user-agent'], req.path);
+        // Scan specific "Login" fields only (Reduces false positives on other forms)
+        if (req.method === 'POST' && req.body) {
+            const riskyInputs = [req.body.username, req.body.password, req.body.search];
+            if (riskyInputs.some(input => checkPayload(input))) {
+                 if (await banIP(clientIP, "Malicious Form Data")) {
+                    generateThreatReport(clientIP, userAgent, "SQL Injection", `Payload in form: ${JSON.stringify(req.body)}`);
+                }
+                return res.status(403).send('Forbidden');
+            }
+        }
+        // E. HONEYPOT TRAP
+        if (TRAP_PATHS.includes(req.path)) {
+            if (await banIP(clientIP, "Trap Triggered")) {
+                generateThreatReport(clientIP, userAgent, "Reconnaissance", `Accessed trap: ${req.path}`);
+            }
             return res.status(403).send('<h1>403 Forbidden</h1>');
         }
-        // 3. Inject Hidden Links
+        // F. INJECTION
         const originalSend = res.send;
         res.send = function (body) {
-            if (typeof body === 'string' && (body.includes('<html') || body.includes('<body'))) {
+            if (typeof body === 'string' && (body.includes('<body') || body.includes('<html'))) {
                 const $ = cheerio.load(body);
+                // Select a random trap URL
                 const trapUrl = TRAP_PATHS[Math.floor(Math.random() * TRAP_PATHS.length)];
-                $('body').append(`<a href="${trapUrl}" style="opacity:0; position:absolute; z-index:-999;">Admin</a>`);
+                // Inject CSS that mimics standard Accessibility Hiding (Bootstrap/Tailwind style)
+                // This reduces the element to a 1x1 pixel clip that is technically "visible" but unclickable.
+                const cssCamouflage = `
+                    <style>
+                        .sr-only-utility {
+                            position: absolute;
+                            width: 1px;
+                            height: 1px;
+                            padding: 0;
+                            margin: -1px;
+                            overflow: hidden;
+                            clip: rect(0, 0, 0, 0);
+                            white-space: nowrap;
+                            border: 0;
+                        }
+                    </style>
+                `;
+                // Inject the link with a boring name ("Skip to content", "Toolbar")
+                // A bot sees this as a valid navigation aid.
+                $('head').append(cssCamouflage);
+                $('body').prepend(`<a href="${trapUrl}" class="sr-only-utility">Skip to Content</a>`);
                 body = $.html();
             }
             originalSend.call(this, body);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "honeyweb-core",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "",
   "main": "index.js",
   "scripts": {