honeyweb-core 2.0.2 → 2.0.4

package/detection/behavioral.js

@@ -1,186 +1,94 @@
-// honeyweb-core/detection/behavioral.js
-// Behavioral analysis to detect bot-like patterns
-
 class BehavioralAnalyzer {
     constructor(config) {
         this.enabled = config.enabled !== false;
         this.suspicionThreshold = config.suspicionThreshold || 50;
         this.trackTiming = config.trackTiming !== false;
         this.trackNavigation = config.trackNavigation !== false;
-
-        // Track sessions per IP
-        this.sessions = new Map(); // ip -> { requests: [], pages: [], firstSeen: timestamp }
-
-        // Auto-cleanup old sessions every 5 minutes
-        this.cleanupInterval = setInterval(() => {
-            this._cleanupOldSessions();
-        }, 300000);
+        this.sessions = new Map();
+        this.cleanupInterval = setInterval(() => this._cleanupOldSessions(), 300000);
     }
 
-    /**
-     * Analyze request for bot-like behavior
-     * @param {Object} req - Express request object
-     * @param {string} ip - Client IP address
-     * @returns {Object} - { suspicious: boolean, suspicionScore: number, reasons: string[] }
-     */
     analyze(req, ip) {
-        if (!this.enabled) {
-            return { suspicious: false, suspicionScore: 0, reasons: [] };
-        }
+        if (!this.enabled) return { suspicious: false, suspicionScore: 0, reasons: [] };
 
         const now = Date.now();
         const reasons = [];
         let suspicionScore = 0;
 
-        // Get or create session
         let session = this.sessions.get(ip);
         if (!session) {
-            session = {
-                requests: [],
-                pages: [],
-                firstSeen: now
-            };
+            session = { requests: [], pages: [], firstSeen: now };
             this.sessions.set(ip, session);
         }
 
-        // 1. TIMING ANALYSIS
+        // Timing analysis
         if (this.trackTiming && session.requests.length > 0) {
-            const lastRequest = session.requests[session.requests.length - 1];
-            const timeSinceLastRequest = now - lastRequest;
+            const timeSinceLast = now - session.requests[session.requests.length - 1];
 
-            // Too fast (< 100ms between requests)
-            if (timeSinceLastRequest < 100) {
+            if (timeSinceLast < 100) {
                 reasons.push('Requests too fast (< 100ms interval)');
                 suspicionScore += 30;
             }
 
-            // Check for consistent timing (bot pattern)
             if (session.requests.length >= 5) {
                 const intervals = [];
                 for (let i = 1; i < session.requests.length; i++) {
                     intervals.push(session.requests[i] - session.requests[i - 1]);
                 }
+                const avg = intervals.reduce((a, b) => a + b, 0) / intervals.length;
+                const variance = intervals.reduce((s, v) => s + Math.pow(v - avg, 2), 0) / intervals.length;
 
-                // Calculate variance
-                const avgInterval = intervals.reduce((a, b) => a + b, 0) / intervals.length;
-                const variance = intervals.reduce((sum, interval) => {
-                    return sum + Math.pow(interval - avgInterval, 2);
-                }, 0) / intervals.length;
-
-                // Low variance = consistent timing = bot
-                if (variance < 1000 && avgInterval < 2000) {
+                if (variance < 1000 && avg < 2000) {
                     reasons.push('Consistent request timing (bot pattern)');
                     suspicionScore += 25;
                 }
             }
         }
 
-        // 2. NAVIGATION ANALYSIS
+        // Navigation analysis
         if (this.trackNavigation) {
-            const path = req.path;
-
-            // Detect direct deep link access (skipping homepage)
-            if (session.pages.length === 0 && path !== '/' && !path.startsWith('/public')) {
+            if (session.pages.length === 0 && req.path !== '/' && !req.path.startsWith('/public')) {
                 reasons.push('Direct deep link access (skipped homepage)');
                 suspicionScore += 15;
             }
 
-            // Detect breadth-first crawling (accessing many different paths quickly)
-            const uniquePaths = new Set(session.pages);
-            if (uniquePaths.size > 10 && (now - session.firstSeen) < 10000) {
+            if (new Set(session.pages).size > 10 && (now - session.firstSeen) < 10000) {
                 reasons.push('Breadth-first crawling detected');
                 suspicionScore += 20;
             }
 
-            session.pages.push(path);
+            session.pages.push(req.path);
         }
 
-        // 3. SESSION ANALYSIS
-        const sessionDuration = now - session.firstSeen;
-        const requestCount = session.requests.length;
-
-        // Short session with many requests (scraping)
-        if (sessionDuration < 5000 && requestCount > 10) {
+        // Session analysis
+        const duration = now - session.firstSeen;
+        if (duration < 5000 && session.requests.length > 10) {
             reasons.push('High request rate in short session');
             suspicionScore += 20;
         }
-
-        // Very long session with consistent activity (persistent bot)
-        if (sessionDuration > 300000 && requestCount > 100) {
+        if (duration > 300000 && session.requests.length > 100) {
             reasons.push('Persistent automated activity');
             suspicionScore += 15;
         }
 
-        // Record this request
         session.requests.push(now);
+        if (session.requests.length > 20) session.requests = session.requests.slice(-20);
+        if (session.pages.length > 50) session.pages = session.pages.slice(-50);
 
-        // Keep only last 20 requests to prevent memory bloat
-        if (session.requests.length > 20) {
-            session.requests = session.requests.slice(-20);
-        }
-        if (session.pages.length > 50) {
-            session.pages = session.pages.slice(-50);
-        }
-
-        // Cap score at 100
-        suspicionScore = Math.min(100, suspicionScore);
-
-        return {
-            suspicious: suspicionScore >= this.suspicionThreshold,
-            suspicionScore,
-            reasons
-        };
+        return { suspicious: Math.min(100, suspicionScore) >= this.suspicionThreshold, suspicionScore: Math.min(100, suspicionScore), reasons };
     }
 
-    /**
-     * Clean up old sessions (> 1 hour)
-     * @private
-     */
     _cleanupOldSessions() {
         const now = Date.now();
-        const maxAge = 3600000; // 1 hour
-
         for (const [ip, session] of this.sessions.entries()) {
-            if (now - session.firstSeen > maxAge) {
-                this.sessions.delete(ip);
-            }
+            if (now - session.firstSeen > 3600000) this.sessions.delete(ip);
         }
     }
 
-    /**
-     * Get statistics
-     * @returns {Object}
-     */
-    getStats() {
-        return {
-            activeSessions: this.sessions.size,
-            enabled: this.enabled
-        };
-    }
-
-    /**
-     * Reset session for an IP
-     * @param {string} ip
-     */
-    resetSession(ip) {
-        this.sessions.delete(ip);
-    }
-
-    /**
-     * Clear all sessions
-     */
-    clear() {
-        this.sessions.clear();
-    }
-
-    /**
-     * Cleanup and stop timers
-     */
-    destroy() {
-        if (this.cleanupInterval) {
-            clearInterval(this.cleanupInterval);
-        }
-    }
+    getStats() { return { activeSessions: this.sessions.size, enabled: this.enabled }; }
+    resetSession(ip) { this.sessions.delete(ip); }
+    clear() { this.sessions.clear(); }
+    destroy() { if (this.cleanupInterval) clearInterval(this.cleanupInterval); }
 }
 
 module.exports = BehavioralAnalyzer;

package/detection/bot-detector.js

@@ -1,31 +1,17 @@
-// honeyweb-core/detection/bot-detector.js
-// Bot fingerprinting - detect automated tools and headless browsers
-
 class BotDetector {
     constructor(config = {}) {
         this.enabled = config.enabled !== false;
     }
 
-    /**
-     * Detect if request is from a bot
-     * @param {Object} req - Express request object
-     * @returns {Object} - { isBot: boolean, confidence: number, indicators: string[] }
-     */
     detect(req) {
-        if (!this.enabled) {
-            return { isBot: false, confidence: 0, indicators: [] };
-        }
+        if (!this.enabled) return { isBot: false, confidence: 0, indicators: [] };
 
         const indicators = [];
         let confidence = 0;
-
         const userAgent = req.headers['user-agent'] || '';
         const headers = req.headers;
 
-        // 1. USER-AGENT ANALYSIS
-
-        // Known bot patterns
-        const knownBotPatterns = [
+        const knownBots = [
             { pattern: /curl/i, name: 'curl', confidence: 90 },
             { pattern: /wget/i, name: 'wget', confidence: 90 },
             { pattern: /python-requests/i, name: 'Python Requests', confidence: 85 },
@@ -42,99 +28,62 @@ class BotDetector {
             { pattern: /okhttp/i, name: 'OkHttp', confidence: 75 }
         ];
 
-        for (const { pattern, name, confidence: conf } of knownBotPatterns) {
+        for (const { pattern, name, confidence: conf } of knownBots) {
             if (pattern.test(userAgent)) {
                 indicators.push(`Known bot User-Agent: ${name}`);
                 confidence = Math.max(confidence, conf);
             }
         }
 
-        // Empty or missing User-Agent
         if (!userAgent || userAgent.trim() === '') {
             indicators.push('Missing User-Agent header');
             confidence = Math.max(confidence, 70);
         }
 
-        // 2. HEADER ANALYSIS
-
-        // Missing common browser headers
-        const commonHeaders = ['accept', 'accept-language', 'accept-encoding'];
-        const missingHeaders = commonHeaders.filter(h => !headers[h]);
-
+        const missingHeaders = ['accept', 'accept-language', 'accept-encoding'].filter(h => !headers[h]);
         if (missingHeaders.length > 0) {
             indicators.push(`Missing headers: ${missingHeaders.join(', ')}`);
             confidence = Math.max(confidence, 40 + (missingHeaders.length * 10));
         }
 
-        // Suspicious header combinations
-        if (headers['accept'] && headers['accept'] === '*/*') {
-            indicators.push('Generic Accept header (*/*)')
+        if (headers['accept'] === '*/*') {
+            indicators.push('Generic Accept header (*/*)');
             confidence = Math.max(confidence, 30);
         }
 
-        // No Accept-Language (browsers always send this)
         if (!headers['accept-language']) {
             indicators.push('Missing Accept-Language header');
             confidence = Math.max(confidence, 40);
         }
 
-        // Connection: close (common in automated tools)
         if (headers['connection'] === 'close') {
             indicators.push('Connection: close (bot pattern)');
             confidence = Math.max(confidence, 20);
         }
 
-        // 3. BROWSER VERSION ANALYSIS
-
-        // Detect outdated browser versions (bots often use old UA strings)
         const chromeMatch = userAgent.match(/Chrome\/(\d+)/);
-        if (chromeMatch) {
-            const version = parseInt(chromeMatch[1]);
-            if (version < 90) {
-                indicators.push(`Outdated Chrome version: ${version}`);
-                confidence = Math.max(confidence, 30);
-            }
+        if (chromeMatch && parseInt(chromeMatch[1]) < 90) {
+            indicators.push(`Outdated Chrome version: ${chromeMatch[1]}`);
+            confidence = Math.max(confidence, 30);
         }
 
-        // 4. SUSPICIOUS PATTERNS
-
-        // User-Agent too short (< 20 chars)
         if (userAgent.length > 0 && userAgent.length < 20) {
             indicators.push('Suspiciously short User-Agent');
             confidence = Math.max(confidence, 50);
         }
-
-        // User-Agent too long (> 500 chars) - sometimes bots add extra info
         if (userAgent.length > 500) {
             indicators.push('Suspiciously long User-Agent');
             confidence = Math.max(confidence, 30);
         }
-
-        // Multiple spaces in User-Agent (malformed)
         if (/\s{2,}/.test(userAgent)) {
             indicators.push('Malformed User-Agent (multiple spaces)');
             confidence = Math.max(confidence, 40);
         }
 
-        // Cap confidence at 100
-        confidence = Math.min(100, confidence);
-
-        return {
-            isBot: confidence >= 60,
-            confidence,
-            indicators
-        };
+        return { isBot: Math.min(100, confidence) >= 60, confidence: Math.min(100, confidence), indicators };
     }
 
-    /**
-     * Get statistics
-     * @returns {Object}
-     */
-    getStats() {
-        return {
-            enabled: this.enabled
-        };
-    }
+    getStats() { return { enabled: this.enabled }; }
 }
 
 module.exports = BotDetector;

package/detection/index.js

@@ -1,7 +1,5 @@
-// honeyweb-core/detection/index.js
-// Detection orchestrator - combines all detection modules
-
 const { detectMaliciousPatterns } = require('./patterns');
+const { detectTraversal } = require('./traversal');
 const RateLimiter = require('./rate-limiter');
 const BotWhitelist = require('./whitelist');
 const BehavioralAnalyzer = require('./behavioral');
@@ -11,12 +9,10 @@ class DetectionEngine {
     constructor(config) {
         this.config = config;
 
-        // Initialize rate limiter
         this.rateLimiter = config.rateLimit.enabled
             ? new RateLimiter(config.rateLimit)
             : null;
 
-        // Initialize Phase 2 detection modules
         this.whitelist = config.detection.whitelist.enabled
             ? new BotWhitelist(config.detection.whitelist)
             : null;
@@ -28,22 +24,15 @@ class DetectionEngine {
         this.botDetector = new BotDetector({ enabled: true });
     }
 
-    /**
-     * Analyze request for threats
-     * @param {Object} req - Express request object
-     * @param {string} ip - Client IP address
-     * @returns {Promise<Object>} - { detected: boolean, threats: string[], threatLevel: number, whitelist: Object, behavioral: Object, botDetection: Object }
-     */
     async analyze(req, ip) {
         const threats = [];
         let threatLevel = 0;
 
-        // 0. Check whitelist first (legitimate bots should skip other checks)
+        // Whitelist check first — legitimate bots skip all checks
         let whitelistResult = null;
         if (this.whitelist) {
             whitelistResult = await this.whitelist.check(req, ip);
             if (whitelistResult.isLegitimate) {
-                // Legitimate bot - skip all other checks
                 return {
                     detected: false,
                     threats: [],
@@ -54,46 +43,52 @@ class DetectionEngine {
             }
         }
 
-        // 1. Pattern detection (SQLi/XSS)
+        // Pattern detection (SQLi/XSS)
         if (this.config.detection.patterns.enabled) {
             const patternResult = detectMaliciousPatterns(req);
             if (patternResult.detected) {
                 threats.push(...patternResult.threats);
-                threatLevel += 50; // High threat
+                threatLevel += 50;
             }
         }
 
-        // 2. Rate limiting
+        // Path traversal detection
+        const traversalResult = detectTraversal(req);
+        if (traversalResult.detected) {
+            threats.push(...traversalResult.threats);
+            threatLevel += 50;
+        }
+
+        // Rate limiting
         let rateLimitResult = null;
         if (this.rateLimiter) {
             rateLimitResult = this.rateLimiter.check(ip);
             if (rateLimitResult.limited) {
                 threats.push(`Rate limit exceeded: ${rateLimitResult.count} requests in ${this.config.rateLimit.window}ms`);
-                threatLevel += 30; // Medium threat
+                threatLevel += 30;
             }
         }
 
-        // 3. Behavioral analysis (Phase 2)
+        // Behavioral analysis
         let behavioralResult = null;
         if (this.behavioral) {
             behavioralResult = this.behavioral.analyze(req, ip);
             if (behavioralResult.suspicious) {
                 threats.push(...behavioralResult.reasons);
-                threatLevel += behavioralResult.suspicionScore * 0.3; // Scale down behavioral score
+                threatLevel += behavioralResult.suspicionScore * 0.5;
             }
         }
 
-        // 4. Bot detection (Phase 2)
+        // Bot fingerprinting
         let botDetectionResult = null;
         if (this.botDetector) {
             botDetectionResult = this.botDetector.detect(req);
             if (botDetectionResult.isBot) {
                 threats.push(...botDetectionResult.indicators);
-                threatLevel += botDetectionResult.confidence * 0.2; // Scale down bot detection score
+                threatLevel += botDetectionResult.confidence * 0.4;
             }
         }
 
-        // Cap threat level at 100
         threatLevel = Math.min(100, threatLevel);
 
         return {
@@ -108,10 +103,6 @@ class DetectionEngine {
         };
     }
 
-    /**
-     * Get detection statistics
-     * @returns {Object}
-     */
     getStats() {
         return {
             rateLimiter: this.rateLimiter ? this.rateLimiter.getStats() : null,
@@ -120,16 +111,9 @@ class DetectionEngine {
         };
     }
 
-    /**
-     * Cleanup and stop timers
-     */
     destroy() {
-        if (this.rateLimiter) {
-            this.rateLimiter.destroy();
-        }
-        if (this.behavioral) {
-            this.behavioral.destroy();
-        }
+        if (this.rateLimiter) this.rateLimiter.destroy();
+        if (this.behavioral) this.behavioral.destroy();
     }
 }
 

package/detection/patterns.js

@@ -1,9 +1,5 @@
-// honeyweb-core/detection/patterns.js
-// SQLi and XSS pattern detection (extracted from main index.js)
-
-// Malicious patterns for SQLi and XSS detection
 const MALICIOUS_PATTERNS = [
-    // SQL Injection patterns
+    // SQL Injection
     /(\bUNION\b.*\bSELECT\b)/i,
     /(\bOR\b\s+\d+\s*=\s*\d+)/i,
     /(\bAND\b\s+\d+\s*=\s*\d+)/i,
@@ -14,7 +10,7 @@ const MALICIOUS_PATTERNS = [
     /(--\s*$)/,
     /(';\s*--)/,
 
-    // XSS patterns
+    // XSS
     /(<script[^>]*>.*?<\/script>)/i,
     /(<iframe[^>]*>)/i,
     /(<img[^>]*onerror\s*=)/i,
@@ -25,59 +21,26 @@ const MALICIOUS_PATTERNS = [
     /(<embed[^>]*>)/i
 ];
 
-/**
- * Check if request contains malicious patterns
- * @param {Object} req - Express request object
- * @returns {Object} - { detected: boolean, threats: string[] }
- */
 function detectMaliciousPatterns(req) {
     const threats = [];
+    const targets = [
+        { value: req.url || '', label: 'URL' },
+        { value: JSON.stringify(req.query || {}), label: 'query' },
+        { value: req.headers['user-agent'] || '', label: 'User-Agent' },
+        { value: req.headers['referer'] || '', label: 'Referer' },
+    ];
 
-    // Check URL
-    const url = req.url || '';
-    for (const pattern of MALICIOUS_PATTERNS) {
-        if (pattern.test(url)) {
-            threats.push(`Malicious pattern in URL: ${pattern.source.substring(0, 50)}`);
-        }
-    }
-
-    // Check query parameters
-    const query = JSON.stringify(req.query || {});
-    for (const pattern of MALICIOUS_PATTERNS) {
-        if (pattern.test(query)) {
-            threats.push(`Malicious pattern in query: ${pattern.source.substring(0, 50)}`);
-        }
-    }
+    if (req.body) targets.push({ value: JSON.stringify(req.body), label: 'body' });
 
-    // Check body (if exists)
-    if (req.body) {
-        const body = JSON.stringify(req.body);
+    for (const { value, label } of targets) {
         for (const pattern of MALICIOUS_PATTERNS) {
-            if (pattern.test(body)) {
-                threats.push(`Malicious pattern in body: ${pattern.source.substring(0, 50)}`);
+            if (pattern.test(value)) {
+                threats.push(`Malicious pattern in ${label}: ${pattern.source.substring(0, 50)}`);
             }
         }
     }
 
-    // Check headers (User-Agent, Referer, etc.)
-    const userAgent = req.headers['user-agent'] || '';
-    const referer = req.headers['referer'] || '';
-    for (const pattern of MALICIOUS_PATTERNS) {
-        if (pattern.test(userAgent)) {
-            threats.push(`Malicious pattern in User-Agent`);
-        }
-        if (pattern.test(referer)) {
-            threats.push(`Malicious pattern in Referer`);
-        }
-    }
-
-    return {
-        detected: threats.length > 0,
-        threats
-    };
+    return { detected: threats.length > 0, threats };
 }
 
-module.exports = {
-    MALICIOUS_PATTERNS,
-    detectMaliciousPatterns
-};
+module.exports = { MALICIOUS_PATTERNS, detectMaliciousPatterns };