jaku.sh 1.0.0

package/src/core/api/cors-ws-tester.js

@@ -0,0 +1,263 @@
+import { createFinding } from '../../utils/finding.js';
+
+/**
+ * CORSWSTester — Tests CORS policy and WebSocket security.
+ *
+ * CORS Probes:
+ * - Access-Control-Allow-Origin: * with credentials
+ * - Origin reflection (arbitrary origin echoed back)
+ * - Null origin accepted
+ * - Credentialed pre-flight misconfiguration
+ *
+ * WebSocket Probes:
+ * - WS upgrade without authentication
+ * - WS connection from arbitrary origin
+ * - WS message injection
+ */
+export class CORSWSTester {
+    constructor(logger) {
+        this.logger = logger;
+
+        this.WS_PATHS = [
+            '/ws', '/websocket', '/socket', '/api/ws', '/api/websocket',
+            '/socket.io/', '/realtime', '/live', '/stream',
+        ];
+    }
+
+    /**
+     * Test CORS and WebSocket security.
+     */
+    async test(surfaceInventory) {
+        const findings = [];
+        const baseUrl = this._getBaseUrl(surfaceInventory);
+        if (!baseUrl) return findings;
+
+        this.logger?.info?.('CORS & WS Tester: starting tests');
+
+        // 1. Test CORS policy
+        const corsFindings = await this._testCORS(baseUrl, surfaceInventory);
+        findings.push(...corsFindings);
+
+        // 2. Test WebSocket security
+        const wsFindings = await this._testWebSockets(baseUrl);
+        findings.push(...wsFindings);
+
+        this.logger?.info?.(`CORS & WS Tester: found ${findings.length} issues`);
+        return findings;
+    }
+
+    /**
+     * Test CORS on discovered endpoints.
+     */
+    async _testCORS(baseUrl, surfaceInventory) {
+        const findings = [];
+        const testUrls = [baseUrl + '/'];
+
+        // Add API endpoints
+        const apis = surfaceInventory.apis || [];
+        testUrls.push(...apis.slice(0, 5).map(a => a.url || a));
+
+        // Add common API paths
+        const apiPaths = ['/api', '/api/v1', '/api/users', '/graphql'];
+        testUrls.push(...apiPaths.map(p => {
+            try { return new URL(p, baseUrl).href; } catch { return null; }
+        }).filter(Boolean));
+
+        const tested = new Set();
+
+        for (const url of testUrls) {
+            if (tested.has(url)) continue;
+            tested.add(url);
+
+            // Test 1: Arbitrary origin reflection
+            await this._testOriginReflection(url, findings);
+
+            // Test 2: Null origin
+            await this._testNullOrigin(url, findings);
+
+            // Test 3: Wildcard with credentials
+            await this._testWildcardCredentials(url, findings);
+        }
+
+        return findings;
+    }
+
+    async _testOriginReflection(url, findings) {
+        try {
+            const evilOrigin = 'https://evil-attacker.com';
+            const response = await fetch(url, {
+                method: 'GET',
+                headers: { 'Origin': evilOrigin },
+                signal: AbortSignal.timeout(5000),
+            });
+
+            const acao = response.headers.get('access-control-allow-origin') || '';
+            const acac = response.headers.get('access-control-allow-credentials') || '';
+
+            if (acao === evilOrigin) {
+                const withCreds = acac.toLowerCase() === 'true';
+                findings.push(createFinding({
+                    module: 'api',
+                    title: withCreds
+                        ? 'CORS: Origin Reflection with Credentials'
+                        : 'CORS: Arbitrary Origin Reflected',
+                    severity: withCreds ? 'critical' : 'high',
+                    affected_surface: url,
+                    description: withCreds
+                        ? `The server reflects any Origin in Access-Control-Allow-Origin AND sets Allow-Credentials: true. An attacker's website can make credentialed cross-origin requests and read the response — effectively bypassing same-origin policy. This enables full cross-origin data theft.`
+                        : `The server reflects any Origin in Access-Control-Allow-Origin. While credentials are not allowed, this still permits cross-origin data reading of non-credentialed responses.`,
+                    reproduction: [
+                        `1. Send request with Origin: ${evilOrigin}`,
+                        `2. Response includes Access-Control-Allow-Origin: ${evilOrigin}`,
+                        withCreds ? `3. Access-Control-Allow-Credentials: true` : '',
+                    ].filter(Boolean),
+                    evidence: `ACAO: ${acao}\nACAC: ${acac}`,
+                    remediation: 'Use a strict allowlist for CORS origins. Never reflect the Origin header. If credentials are needed, specify exact allowed origins. Never combine wildcard (*) with credentials.',
+                }));
+            }
+        } catch {
+            // Endpoint not reachable
+        }
+    }
+
+    async _testNullOrigin(url, findings) {
+        try {
+            const response = await fetch(url, {
+                method: 'GET',
+                headers: { 'Origin': 'null' },
+                signal: AbortSignal.timeout(5000),
+            });
+
+            const acao = response.headers.get('access-control-allow-origin') || '';
+            if (acao === 'null') {
+                findings.push(createFinding({
+                    module: 'api',
+                    title: 'CORS: Null Origin Accepted',
+                    severity: 'high',
+                    affected_surface: url,
+                    description: `The server allows requests from Origin: null. An attacker can trigger null origin from sandboxed iframes, data: URLs, or file: protocol — enabling cross-origin attacks without a real origin.`,
+                    evidence: `Origin: null → ACAO: null`,
+                    remediation: 'Never allow null origin in CORS configuration. Remove "null" from allowed origins list.',
+                }));
+            }
+        } catch {
+            // Not reachable
+        }
+    }
+
+    async _testWildcardCredentials(url, findings) {
+        try {
+            const response = await fetch(url, {
+                method: 'GET',
+                headers: { 'Origin': 'https://test.com' },
+                signal: AbortSignal.timeout(5000),
+            });
+
+            const acao = response.headers.get('access-control-allow-origin') || '';
+            const acac = response.headers.get('access-control-allow-credentials') || '';
+
+            if (acao === '*' && acac.toLowerCase() === 'true') {
+                findings.push(createFinding({
+                    module: 'api',
+                    title: 'CORS: Wildcard with Credentials',
+                    severity: 'critical',
+                    affected_surface: url,
+                    description: `The server sets Access-Control-Allow-Origin: * with Allow-Credentials: true. While modern browsers block this combination, some older clients or custom HTTP libraries may honor it, allowing cross-origin credential theft.`,
+                    evidence: `ACAO: *\nACAC: true`,
+                    remediation: 'Never use wildcard (*) with credentials. Specify exact allowed origins.',
+                }));
+            }
+        } catch {
+            // Not reachable
+        }
+    }
+
+    /**
+     * Test WebSocket security.
+     */
+    async _testWebSockets(baseUrl) {
+        const findings = [];
+        const wsBase = baseUrl.replace(/^http/, 'ws');
+
+        for (const path of this.WS_PATHS) {
+            try {
+                const wsUrl = new URL(path, wsBase).href;
+
+                // Test if WS endpoint exists via HTTP upgrade
+                const httpUrl = wsUrl.replace(/^ws/, 'http');
+                const response = await fetch(httpUrl, {
+                    method: 'GET',
+                    headers: {
+                        'Upgrade': 'websocket',
+                        'Connection': 'Upgrade',
+                        'Sec-WebSocket-Version': '13',
+                        'Sec-WebSocket-Key': 'dGhlIHNhbXBsZSBub25jZQ==',
+                        'Origin': 'https://evil-attacker.com',
+                    },
+                    signal: AbortSignal.timeout(5000),
+                });
+
+                // 101 Switching Protocols = WS upgrade accepted
+                if (response.status === 101) {
+                    findings.push(createFinding({
+                        module: 'api',
+                        title: 'WebSocket: Unauthenticated Upgrade from Arbitrary Origin',
+                        severity: 'high',
+                        affected_surface: wsUrl,
+                        description: `WebSocket endpoint at ${path} accepts upgrade requests from arbitrary origins (https://evil-attacker.com) without authentication. An attacker's website can connect to this WebSocket and read/write messages.`,
+                        reproduction: [
+                            `1. Send WS upgrade request to ${wsUrl}`,
+                            `2. Include Origin: https://evil-attacker.com`,
+                            `3. Server responds with 101 Switching Protocols`,
+                        ],
+                        evidence: `Status: 101\nOrigin accepted: evil-attacker.com`,
+                        remediation: 'Validate Origin header on WebSocket upgrade requests. Require authentication tokens in the initial HTTP upgrade. Implement per-connection authorization.',
+                    }));
+                }
+
+                // Some servers respond 400/426 indicating WS is supported but needs proper upgrade
+                if (response.status === 426 || (response.status === 400 &&
+                    (response.headers.get('upgrade') || '').toLowerCase().includes('websocket'))) {
+                    // WS endpoint exists — check if it requires auth
+                    const authResponse = await fetch(httpUrl, {
+                        method: 'GET',
+                        headers: {
+                            'Upgrade': 'websocket',
+                            'Connection': 'Upgrade',
+                            'Sec-WebSocket-Version': '13',
+                            'Sec-WebSocket-Key': 'dGhlIHNhbXBsZSBub25jZQ==',
+                        },
+                        signal: AbortSignal.timeout(5000),
+                    });
+
+                    if (authResponse.status !== 401 && authResponse.status !== 403) {
+                        findings.push(createFinding({
+                            module: 'api',
+                            title: 'WebSocket: Missing Authentication on Upgrade',
+                            severity: 'medium',
+                            affected_surface: wsUrl,
+                            description: `WebSocket endpoint at ${path} does not return 401/403 for unauthenticated upgrade requests. The endpoint may accept anonymous connections.`,
+                            evidence: `Status without auth: ${authResponse.status} (expected 401 or 403)`,
+                            remediation: 'Require authentication tokens (JWT, session cookie) on WebSocket upgrade requests. Return 401 for unauthenticated connections.',
+                        }));
+                    }
+                }
+            } catch {
+                continue;
+            }
+        }
+
+        return findings;
+    }
+
+    _getBaseUrl(surfaceInventory) {
+        const pages = surfaceInventory.pages || [];
+        if (pages.length === 0) return null;
+        try {
+            const parsed = new URL(pages[0].url || pages[0]);
+            return `${parsed.protocol}//${parsed.host}`;
+        } catch { return null; }
+    }
+}
+
+export default CORSWSTester;

package/src/core/api/graphql-tester.js

@@ -0,0 +1,287 @@
+import { createFinding } from '../../utils/finding.js';
+
+/**
+ * GraphQLTester — Tests GraphQL-specific vulnerabilities.
+ *
+ * Probes:
+ * - Introspection exposure (enumerate schema)
+ * - Batch query abuse (credential brute-force)
+ * - Nested query DoS (exponential execution)
+ * - Field suggestion (info disclosure)
+ * - Mutation without auth
+ * - Missing query depth/complexity limits
+ */
+export class GraphQLTester {
+    constructor(logger) {
+        this.logger = logger;
+
+        this.GRAPHQL_PATHS = [
+            '/graphql', '/api/graphql', '/graphql/v1', '/gql',
+            '/query', '/api/query', '/graphql/console', '/graphiql',
+        ];
+    }
+
+    /**
+     * Test GraphQL endpoints for security issues.
+     */
+    async test(surfaceInventory) {
+        const findings = [];
+        const baseUrl = this._getBaseUrl(surfaceInventory);
+        if (!baseUrl) return findings;
+
+        this.logger?.info?.('GraphQL Tester: starting tests');
+
+        // 1. Discover GraphQL endpoints
+        const endpoints = await this._discover(baseUrl);
+
+        if (endpoints.length === 0) {
+            this.logger?.info?.('GraphQL Tester: no GraphQL endpoints found — skipping');
+            return findings;
+        }
+
+        this.logger?.info?.(`GraphQL Tester: found ${endpoints.length} GraphQL endpoints`);
+
+        for (const endpoint of endpoints) {
+            // 2. Test introspection
+            const introFindings = await this._testIntrospection(endpoint);
+            findings.push(...introFindings);
+
+            // 3. Test batch queries
+            const batchFindings = await this._testBatchQueries(endpoint);
+            findings.push(...batchFindings);
+
+            // 4. Test nested query DoS
+            const dosFindings = await this._testNestedDoS(endpoint);
+            findings.push(...dosFindings);
+
+            // 5. Test field suggestions
+            const suggestionFindings = await this._testFieldSuggestions(endpoint);
+            findings.push(...suggestionFindings);
+        }
+
+        this.logger?.info?.(`GraphQL Tester: found ${findings.length} issues`);
+        return findings;
+    }
+
+    async _discover(baseUrl) {
+        const endpoints = [];
+
+        for (const path of this.GRAPHQL_PATHS) {
+            try {
+                const url = new URL(path, baseUrl).href;
+
+                // Test with a simple introspection field
+                const response = await fetch(url, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ query: '{ __typename }' }),
+                    signal: AbortSignal.timeout(5000),
+                });
+
+                if (response.ok) {
+                    const text = await response.text();
+                    if (text.includes('__typename') || text.includes('"data"') || text.includes('"errors"')) {
+                        endpoints.push(url);
+                    }
+                }
+            } catch {
+                continue;
+            }
+        }
+
+        return endpoints;
+    }
+
+    async _testIntrospection(endpoint) {
+        const findings = [];
+
+        const introspectionQuery = `{
+            __schema {
+                types { name kind }
+                queryType { name }
+                mutationType { name }
+            }
+        }`;
+
+        try {
+            const response = await fetch(endpoint, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ query: introspectionQuery }),
+                signal: AbortSignal.timeout(8000),
+            });
+
+            if (response.ok) {
+                const result = await response.json();
+                if (result.data?.__schema?.types) {
+                    const types = result.data.__schema.types;
+                    const customTypes = types.filter(t =>
+                        !t.name.startsWith('__') && !['String', 'Int', 'Float', 'Boolean', 'ID'].includes(t.name)
+                    );
+
+                    findings.push(createFinding({
+                        module: 'api',
+                        title: 'GraphQL Introspection Exposed',
+                        severity: 'high',
+                        affected_surface: endpoint,
+                        description: `GraphQL introspection is enabled at ${endpoint}, exposing the entire API schema (${types.length} types, ${customTypes.length} custom). An attacker can enumerate all queries, mutations, and data types to map the attack surface.`,
+                        reproduction: [
+                            `1. POST to ${endpoint} with __schema introspection query`,
+                            `2. Full schema is returned`,
+                        ],
+                        evidence: `Types: ${types.length} (${customTypes.length} custom)\nCustom types: ${customTypes.slice(0, 10).map(t => t.name).join(', ')}`,
+                        remediation: 'Disable introspection in production. Only allow it in development environments. Use persisted queries/allowlists to restrict which queries clients can execute.',
+                    }));
+                }
+            }
+        } catch {
+            // Not GraphQL or introspection disabled
+        }
+
+        return findings;
+    }
+
+    async _testBatchQueries(endpoint) {
+        const findings = [];
+
+        // Send multiple queries in a single request (batch abuse)
+        const batchPayload = Array.from({ length: 10 }, (_, i) => ({
+            query: `{ __typename }`,
+            operationName: `batch_${i}`,
+        }));
+
+        try {
+            const response = await fetch(endpoint, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(batchPayload),
+                signal: AbortSignal.timeout(8000),
+            });
+
+            if (response.ok) {
+                const result = await response.json();
+                if (Array.isArray(result) && result.length >= 5) {
+                    findings.push(createFinding({
+                        module: 'api',
+                        title: 'GraphQL Batch Query Abuse',
+                        severity: 'high',
+                        affected_surface: endpoint,
+                        description: `GraphQL endpoint accepts batch queries (${result.length}/10 processed). An attacker can abuse batching for credential brute-force (batching login mutations), rate limit bypass, or DoS by sending thousands of queries in a single HTTP request.`,
+                        reproduction: [
+                            `1. POST array of 10 queries to ${endpoint}`,
+                            `2. Server processes all ${result.length} queries`,
+                        ],
+                        evidence: `Batch size: 10 → ${result.length} processed`,
+                        remediation: 'Limit batch query count (max 5-10 per request). Implement per-query rate limiting. Count each query in a batch against rate limits individually.',
+                    }));
+                }
+            }
+        } catch {
+            // Batch not supported
+        }
+
+        return findings;
+    }
+
+    async _testNestedDoS(endpoint) {
+        const findings = [];
+
+        // Test with a deeply nested query
+        const deepQuery = `{
+            __schema {
+                types {
+                    fields {
+                        type {
+                            fields {
+                                type {
+                                    fields {
+                                        type {
+                                            name
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }`;
+
+        try {
+            const startTime = Date.now();
+            const response = await fetch(endpoint, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ query: deepQuery }),
+                signal: AbortSignal.timeout(10000),
+            });
+            const elapsed = Date.now() - startTime;
+
+            if (response.ok) {
+                const text = await response.text();
+
+                if (elapsed > 3000 || text.length > 100000) {
+                    findings.push(createFinding({
+                        module: 'api',
+                        title: 'GraphQL Nested Query DoS: No Depth Limit',
+                        severity: 'high',
+                        affected_surface: endpoint,
+                        description: `GraphQL endpoint processed a deeply nested query (7 levels) in ${elapsed}ms, returning ${text.length} bytes. No depth or complexity limit prevents resource exhaustion via recursive queries.`,
+                        evidence: `Query depth: 7 levels\nResponse time: ${elapsed}ms\nResponse size: ${text.length} bytes`,
+                        remediation: 'Implement query depth limiting (max 5-10 levels). Add query complexity analysis. Set maximum execution time. Use query cost analysis to reject expensive queries.',
+                    }));
+                }
+            }
+        } catch {
+            // Timeout — which actually confirms DoS risk
+        }
+
+        return findings;
+    }
+
+    async _testFieldSuggestions(endpoint) {
+        const findings = [];
+
+        // Send query with a typo to trigger field suggestions
+        const typoQuery = `{ usrs { id naem emial } }`;
+
+        try {
+            const response = await fetch(endpoint, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ query: typoQuery }),
+                signal: AbortSignal.timeout(5000),
+            });
+
+            if (response.ok || response.status === 400) {
+                const text = await response.text();
+                if (/did you mean|suggestion|similar/i.test(text)) {
+                    findings.push(createFinding({
+                        module: 'api',
+                        title: 'GraphQL Field Suggestions: Schema Enumeration',
+                        severity: 'low',
+                        affected_surface: endpoint,
+                        description: `GraphQL endpoint returns field suggestions for invalid queries. An attacker can brute-force valid field names by observing "Did you mean..." suggestions.`,
+                        evidence: `Query with typos returned suggestions`,
+                        remediation: 'Disable field suggestions in production. This leaks schema information even when introspection is disabled.',
+                    }));
+                }
+            }
+        } catch {
+            // Not applicable
+        }
+
+        return findings;
+    }
+
+    _getBaseUrl(surfaceInventory) {
+        const pages = surfaceInventory.pages || [];
+        if (pages.length === 0) return null;
+        try {
+            const parsed = new URL(pages[0].url || pages[0]);
+            return `${parsed.protocol}//${parsed.host}`;
+        } catch { return null; }
+    }
+}
+
+export default GraphQLTester;