jaku.sh 1.0.0

package/src/core/logic/graphql-auditor.js

@@ -0,0 +1,298 @@
+import { createFinding } from '../../utils/finding.js';
+
+/**
+ * GraphQLAuditor — Comprehensive GraphQL security audit.
+ *
+ * Tests:
+ * 1. Introspection enabled — allows schema discovery
+ * 2. Batch query amplification — N identical queries in one request
+ * 3. Deeply nested query DoS — infinite depth via recursive types
+ * 4. Field suggestion extraction — even without introspection
+ * 5. Mutation authorization bypass — mutate without auth
+ * 6. Alias-based rate limit bypass — 100 alias queries = 1 request
+ */
+export class GraphQLAuditor {
+    constructor(logger) {
+        this.logger = logger;
+
+        this.COMMON_ENDPOINTS = ['/graphql', '/api/graphql', '/query', '/gql', '/v1/graphql', '/graphql/v1', '/graphql/v2', '/api/query'];
+    }
+
+    async audit(surfaceInventory) {
+        const findings = [];
+
+        // Discover GraphQL endpoints
+        const baseUrl = surfaceInventory.pages[0]?.url;
+        if (!baseUrl) return findings;
+
+        const origin = new URL(baseUrl).origin;
+        const graphqlEndpoints = await this._discoverEndpoints(origin, surfaceInventory);
+
+        if (graphqlEndpoints.length === 0) {
+            this.logger?.info?.('GraphQL Auditor: no GraphQL endpoints found');
+            return findings;
+        }
+
+        this.logger?.info?.(`GraphQL Auditor: testing ${graphqlEndpoints.length} endpoint(s)`);
+
+        for (const endpoint of graphqlEndpoints) {
+            // Test 1: Introspection
+            const introspectionFinding = await this._testIntrospection(endpoint);
+            if (introspectionFinding) findings.push(introspectionFinding);
+
+            // Test 2: Batch query amplification
+            const batchFinding = await this._testBatchAmplification(endpoint);
+            if (batchFinding) findings.push(batchFinding);
+
+            // Test 3: Deep nesting DoS
+            const nestingFinding = await this._testDeepNesting(endpoint);
+            if (nestingFinding) findings.push(nestingFinding);
+
+            // Test 4: Field suggestion extraction (works even without introspection)
+            const suggestionFinding = await this._testFieldSuggestions(endpoint);
+            if (suggestionFinding) findings.push(suggestionFinding);
+
+            // Test 5: Alias-based rate limit bypass
+            const aliasFinding = await this._testAliasBypass(endpoint);
+            if (aliasFinding) findings.push(aliasFinding);
+        }
+
+        this.logger?.info?.(`GraphQL Auditor: found ${findings.length} issues`);
+        return findings;
+    }
+
+    async _discoverEndpoints(origin, surfaceInventory) {
+        const endpoints = [];
+        const tested = new Set();
+
+        // Check common paths
+        for (const path of this.COMMON_ENDPOINTS) {
+            const url = `${origin}${path}`;
+            if (tested.has(url)) continue;
+            tested.add(url);
+
+            try {
+                const response = await this._gqlRequest(url, '{ __typename }');
+                if (response?.data?.__typename || response?.errors) {
+                    endpoints.push(url);
+                }
+            } catch { /* not GraphQL */ }
+        }
+
+        // Also detect from surface inventory (look for /graphql in API paths)
+        for (const page of (surfaceInventory.pages || [])) {
+            const url = page.url;
+            if (!url || tested.has(url)) continue;
+            if (!/graphql|gql|query/i.test(url)) continue;
+            tested.add(url);
+
+            try {
+                const response = await this._gqlRequest(url, '{ __typename }');
+                if (response?.data?.__typename || response?.errors) {
+                    endpoints.push(url);
+                }
+            } catch { /* not GraphQL */ }
+        }
+
+        return [...new Set(endpoints)];
+    }
+
+    async _testIntrospection(endpoint) {
+        const introspectionQuery = `{
+          __schema {
+            types { name kind fields { name type { name kind } } }
+            queryType { name }
+            mutationType { name }
+          }
+        }`;
+
+        try {
+            const response = await this._gqlRequest(endpoint, introspectionQuery);
+            if (response?.data?.__schema) {
+                const types = response.data.__schema.types || [];
+                const queryFields = types.find(t => t.name === response.data.__schema.queryType?.name)?.fields || [];
+                const hasMutation = !!response.data.__schema.mutationType;
+
+                return createFinding({
+                    module: 'logic',
+                    title: 'GraphQL: Introspection Enabled',
+                    severity: 'medium',
+                    affected_surface: endpoint,
+                    description: `The GraphQL endpoint at ${endpoint} has introspection enabled. Introspection exposes the full schema — all types, fields, queries, and mutations — allowing attackers to enumerate the entire API surface, discover hidden or internal fields, and construct targeted attacks. Found ${queryFields.length} queries${hasMutation ? ' and mutations' : ''}.`,
+                    reproduction: [
+                        `1. POST to ${endpoint} with Content-Type: application/json`,
+                        '2. Body: {"query": "{ __schema { types { name } } }"}',
+                        '3. Full schema is returned',
+                    ],
+                    evidence: `Schema returned ${types.length} types. Query fields: ${queryFields.slice(0, 5).map(f => f.name).join(', ')}...`,
+                    remediation: 'Disable introspection in production. In Apollo Server: introspection: false in production config. In graphql-yoga: use disableIntrospection plugin. Allow introspection only for trusted IP ranges or dev environments.',
+                    references: ['https://owasp.org/www-project-top-10-for-large-language-model-applications/', 'https://graphql.org/learn/introspection/'],
+                });
+            }
+        } catch { /* not vulnerable */ }
+        return null;
+    }
+
+    async _testBatchAmplification(endpoint) {
+        // Send 100 identical queries as a batch array
+        const batchQuery = Array.from({ length: 100 }, (_, i) => ({
+            query: `query q${i} { __typename }`,
+        }));
+
+        try {
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 15000);
+
+            const response = await fetch(endpoint, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(batchQuery),
+                signal: controller.signal,
+            });
+            clearTimeout(timeout);
+
+            if (response.ok) {
+                const data = await response.json().catch(() => null);
+                if (Array.isArray(data) && data.length >= 10) {
+                    return createFinding({
+                        module: 'logic',
+                        title: 'GraphQL: Batch Query Amplification (DoS Vector)',
+                        severity: 'high',
+                        affected_surface: endpoint,
+                        description: `The GraphQL endpoint at ${endpoint} accepts batched queries and processed ${data.length} queries in a single HTTP request. Without limits, an attacker can amplify a single request into thousands of server-side operations, causing resource exhaustion. For authenticated endpoints, this also bypasses per-IP rate limiting since all 100 queries share one network request.`,
+                        reproduction: [
+                            `1. POST to ${endpoint} with a JSON array of queries`,
+                            `2. Server processed ${data.length} queries in one request`,
+                            '3. Amplify further with authentication-heavy queries',
+                        ],
+                        evidence: `Sent 100 batched queries. Response contained ${data.length} results.`,
+                        remediation: 'Limit batch query size (Apollo: maxBatchSize option). Implement query cost analysis. Rate limit by operation count, not just HTTP request count. Consider disabling batching entirely in production.',
+                        references: ['https://www.apollographql.com/docs/apollo-server/performance/apq/', 'https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html'],
+                    });
+                }
+            }
+        } catch { /* not vulnerable or not supported */ }
+        return null;
+    }
+
+    async _testDeepNesting(endpoint) {
+        // Build a deeply nested query using __type (always available)
+        const depth = 10;
+        let query = 'query { __type(name: "Query") { ';
+        let closing = '';
+        for (let i = 0; i < depth; i++) {
+            query += 'fields { type { ';
+            closing += '} }';
+        }
+        query += 'name' + closing + ' } }';
+
+        const start = Date.now();
+        try {
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 20000);
+
+            const response = await this._gqlRequest(endpoint, query, controller);
+            clearTimeout(timeout);
+            const elapsed = Date.now() - start;
+
+            // If it succeeds and takes >3s, it's likely not limiting depth
+            if (response && !response.errors?.some(e => /depth|complexity|limit/i.test(e.message)) && elapsed > 2000) {
+                return createFinding({
+                    module: 'logic',
+                    title: 'GraphQL: No Query Depth Limit (DoS Vector)',
+                    severity: 'medium',
+                    affected_surface: endpoint,
+                    description: `The GraphQL endpoint at ${endpoint} processed a ${depth}-level deeply nested query in ${elapsed}ms without rejecting it. Without query depth limits, exponentially nested queries can cause CPU/memory exhaustion on the server, leading to denial of service.`,
+                    reproduction: [
+                        `1. Send the nested query (${depth} levels deep) to ${endpoint}`,
+                        `2. Server processed it in ${elapsed}ms`,
+                        '3. Increase depth to 50+ levels to cause resource exhaustion',
+                    ],
+                    evidence: `Query depth: ${depth} levels\nTime to respond: ${elapsed}ms\nNo depth limit error returned`,
+                    remediation: 'Implement query depth limiting. Apollo Server: use graphql-depth-limit (maxDepth: 7). graphql-yoga: install @escape.tech/graphman and configure depth limit. Also implement query complexity analysis.',
+                    references: ['https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html'],
+                });
+            }
+        } catch { /* timeout or error — may be protected */ }
+        return null;
+    }
+
+    async _testFieldSuggestions(endpoint) {
+        // Send a query with a typo to trigger "Did you mean X?" suggestions
+        // This reveals field names even without introspection
+        try {
+            const response = await this._gqlRequest(endpoint, '{ usr { nam emai } }');
+            if (!response?.errors) return null;
+
+            const suggestions = response.errors
+                .filter(e => /did you mean|suggestion/i.test(e.message))
+                .map(e => e.message);
+
+            if (suggestions.length > 0) {
+                return createFinding({
+                    module: 'logic',
+                    title: 'GraphQL: Field Suggestions Leak Schema (Introspection Disabled Bypass)',
+                    severity: 'low',
+                    affected_surface: endpoint,
+                    description: `The GraphQL endpoint at ${endpoint} returns "Did you mean?" suggestions in error messages, even though introspection may be disabled. This allows attackers to enumerate field names by submitting intentional typos and reading the suggestions. Schema enumeration is possible without introspection access.`,
+                    reproduction: [
+                        `1. POST to ${endpoint}: {"query": "{ usr { emai } }"}`,
+                        '2. Server responds with "Did you mean: email?"',
+                        '3. Repeat with systematic typos to enumerate all fields',
+                    ],
+                    evidence: suggestions.slice(0, 3).join('\n'),
+                    remediation: 'Disable field suggestions in production. Apollo Server: set fieldSuggestions: false (Apollo Server 3.6+). Ensure error messages in production are generic and do not leak schema information.',
+                    references: ['https://www.apollographql.com/docs/apollo-server/security/security/'],
+                });
+            }
+        } catch { /* not GraphQL or no suggestions */ }
+        return null;
+    }
+
+    async _testAliasBypass(endpoint) {
+        // Use aliases to send 50 operations as a single query (bypasses per-query rate limits)
+        const aliases = Array.from({ length: 50 }, (_, i) => `q${i}: __typename`).join('\n');
+        const query = `{ ${aliases} }`;
+
+        try {
+            const response = await this._gqlRequest(endpoint, query);
+            if (response?.data && Object.keys(response.data).length >= 50) {
+                return createFinding({
+                    module: 'logic',
+                    title: 'GraphQL: Alias-Based Rate Limit Bypass',
+                    severity: 'medium',
+                    affected_surface: endpoint,
+                    description: `The GraphQL endpoint at ${endpoint} allows a single query to execute 50+ aliased operations. Since rate limiting is typically applied per HTTP request, aliases can be used to bypass rate limits by bundling many operations into one request. For expensive operations (e.g., login, search), this amplifies brute-force capability by 50×.`,
+                    reproduction: [
+                        `1. Send a single query with 50 aliased operations to ${endpoint}`,
+                        `2. All 50 executed (response has ${Object.keys(response.data).length} keys)`,
+                        '3. For login: 50 password attempts in 1 HTTP request',
+                    ],
+                    evidence: `Sent 50 aliases in one query. Response had ${Object.keys(response.data).length} data fields.`,
+                    remediation: 'Implement query complexity scoring that counts aliased fields. Limit the total number of aliases (Apollo: maxAliases). Implement per-operation rate limiting, not just per-request. Use persisted queries to restrict allowed operations.',
+                    references: ['https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html'],
+                });
+            }
+        } catch { /* not vulnerable */ }
+        return null;
+    }
+
+    async _gqlRequest(endpoint, query, controller) {
+        if (!controller) {
+            controller = new AbortController();
+            setTimeout(() => controller.abort(), 12000);
+        }
+
+        const response = await fetch(endpoint, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ query }),
+            signal: controller.signal,
+        });
+
+        if (!response.ok && response.status !== 400) return null;
+        return response.json().catch(() => null);
+    }
+}
+
+export default GraphQLAuditor;

package/src/core/logic/parameter-polluter.js

@@ -0,0 +1,212 @@
+import { createFinding } from '../../utils/finding.js';
+
+/**
+ * ParameterPolluter — Tests for HTTP Parameter Pollution (HPP) vulnerabilities.
+ *
+ * HPP occurs when an application receives multiple values for the same parameter
+ * and uses an unexpected one. This can bypass security checks, WAF rules,
+ * or access controls depending on which parameter value the backend actually uses.
+ *
+ * Attack variants:
+ * 1. URL query string duplication: ?user_id=1&user_id=admin
+ * 2. Body + Query collision: POST body user_id=1, URL ?user_id=admin
+ * 3. Array notation: ?user_id[]=1&user_id[]=admin
+ * 4. Verb tampering for bypass: change GET → POST or HEAD
+ * 5. Content-Type confusion: send JSON payload as form-encoded
+ */
+export class ParameterPolluter {
+    constructor(logger) {
+        this.logger = logger;
+
+        // High-value parameters to test for pollution
+        this.SENSITIVE_PARAMS = [
+            { name: 'user_id', testValues: ['0', 'null', 'undefined', '../admin', 'admin', '1 OR 1=1'] },
+            { name: 'role', testValues: ['admin', 'superuser', 'root', 'administrator'] },
+            { name: 'admin', testValues: ['true', '1', 'yes', 'on'] },
+            { name: 'is_admin', testValues: ['true', '1'] },
+            { name: 'account_id', testValues: ['0', '-1', 'null', '../'] },
+            { name: 'token', testValues: ['undefined', 'null', '', '0'] },
+            { name: 'redirect', testValues: ['https://evil.com', '//evil.com', '/\\/evil.com'] },
+            { name: 'callback', testValues: ['alert', 'console.log', 'https://evil.com?'] },
+            { name: 'action', testValues: ['delete', 'admin', 'debug', 'export'] },
+            { name: 'debug', testValues: ['true', '1', 'yes'] },
+        ];
+    }
+
+    async pollute(businessContext, surfaceInventory) {
+        const findings = [];
+
+        for (const page of surfaceInventory.pages) {
+            if (!page.url || page.status >= 400) continue;
+            const url = new URL(page.url);
+            const existingParams = [...url.searchParams.keys()];
+
+            // Test 1: Duplicate existing parameters with escalated values
+            for (const param of existingParams) {
+                const original = url.searchParams.get(param);
+                const result = await this._testDuplication(url, param, original);
+                if (result) findings.push(result);
+            }
+
+            // Test 2: Inject sensitive parameters that aren't in the URL
+            for (const { name, testValues } of this.SENSITIVE_PARAMS) {
+                if (existingParams.includes(name)) continue;
+                const result = await this._testInjection(url, name, testValues);
+                if (result) findings.push(result);
+            }
+        }
+
+        // Test 3: HTTP verb tampering on API endpoints
+        for (const page of surfaceInventory.pages.slice(0, 15)) {
+            const result = await this._testVerbTamper(page.url);
+            if (result) findings.push(result);
+        }
+
+        this.logger?.info?.(`Parameter Polluter: found ${findings.length} issues`);
+        return findings;
+    }
+
+    /**
+     * Test parameter duplication: ?param=original&param=escalated
+     * Measure if behavior changes when the param appears twice.
+     */
+    async _testDuplication(url, param, original) {
+        try {
+            // Baseline request (normal param)
+            const baseResponse = await this._fetchWithTimeout(url.toString());
+            if (!baseResponse) return null;
+
+            // Polluted request: append escalated value
+            const pollutedUrl = new URL(url.toString());
+            // Append a second value by manipulating the string directly
+            const pollutedStr = pollutedUrl.toString() + `&${param}=admin&${param}=0&${param}=undefined`;
+
+            const pollutedResponse = await this._fetchWithTimeout(pollutedStr);
+            if (!pollutedResponse) return null;
+
+            // Compare: different status code or significantly different response size indicates different handling
+            const statusDiff = baseResponse.status !== pollutedResponse.status;
+            const sizeDiff = Math.abs(baseResponse.body.length - pollutedResponse.body.length) > 200;
+            const newPrivileges = /admin|dashboard|user.*list|export|settings/i.test(pollutedResponse.body) &&
+                !/admin|dashboard|user.*list|export|settings/i.test(baseResponse.body);
+
+            if (statusDiff || newPrivileges) {
+                return createFinding({
+                    module: 'logic',
+                    title: `HTTP Parameter Pollution: "${param}" behavior change with duplicate values`,
+                    severity: newPrivileges ? 'high' : 'medium',
+                    affected_surface: url.toString(),
+                    description: `The parameter "${param}" at ${url.toString()} behaves differently when submitted with duplicate (polluted) values. The baseline response had status ${baseResponse.status}, but the polluted request (with ?${param}=${original}&${param}=admin) returned status ${pollutedResponse.status}. This may indicate that the server uses a different copy of the parameter than expected, potentially bypassing access controls or validation.`,
+                    reproduction: [
+                        `1. Baseline: GET ${url.toString()}`,
+                        `2. Polluted: GET ${pollutedStr}`,
+                        `3. Response differs: baseline ${baseResponse.status} → polluted ${pollutedResponse.status}`,
+                    ],
+                    evidence: `Param: ${param}\nBaseline status: ${baseResponse.status}\nPolluted status: ${pollutedResponse.status}\nSize diff: ${Math.abs(baseResponse.body.length - pollutedResponse.body.length)} bytes`,
+                    remediation: 'Use a strict parameter parsing strategy: reject requests with duplicate parameters, or explicitly define which value to use (first or last). Apply the same strategy consistently across all framework layers (web server, app framework, middleware).',
+                    references: ['https://owasp.org/www-project-cheat-sheets/cheatsheets/HTTP_Parameter_Pollution_Prevention_Cheat_Sheet.html', 'CWE-235'],
+                });
+            }
+        } catch { /* skip */ }
+        return null;
+    }
+
+    /**
+     * Test injecting new sensitive parameters into URLs that don't already have them.
+     */
+    async _testInjection(url, paramName, testValues) {
+        try {
+            const baseResponse = await this._fetchWithTimeout(url.toString());
+            if (!baseResponse || baseResponse.status >= 400) return null;
+
+            for (const value of testValues) {
+                const testUrl = new URL(url.toString());
+                testUrl.searchParams.set(paramName, value);
+
+                const response = await this._fetchWithTimeout(testUrl.toString());
+                if (!response) continue;
+
+                // Look for clear indicators of privilege change
+                const privilegeGranted =
+                    (response.status < 400 && baseResponse.status >= 400) || // Became accessible
+                    (/admin|dashboard|panel|settings|debug.*true|is_admin.*true/i.test(response.body) &&
+                        !/admin|dashboard|panel|settings/i.test(baseResponse.body));
+
+                if (privilegeGranted) {
+                    return createFinding({
+                        module: 'logic',
+                        title: `Parameter Injection: ?${paramName}=${value} grants elevated access`,
+                        severity: 'critical',
+                        affected_surface: url.toString(),
+                        description: `Adding the parameter "?${paramName}=${value}" to ${url.toString()} appears to grant elevated access or change application behavior in an unexpected way. The server accepted the parameter and changed its response significantly. This suggests the parameter is processed by the backend without proper authorization checks.`,
+                        reproduction: [
+                            `1. Baseline: GET ${url.toString()} — status ${baseResponse.status}`,
+                            `2. Injected: GET ${testUrl.toString()} — status ${response.status}`,
+                            '3. Application behavior changed',
+                        ],
+                        evidence: `Injected: ?${paramName}=${value}\nBaseline status: ${baseResponse.status}\nInjected status: ${response.status}`,
+                        remediation: 'Never use query parameters alone to determine authorization or privileges. All access control decisions must be based on server-side session state and validated credentials, never on client-supplied parameters.',
+                        references: ['CWE-235', 'https://owasp.org/www-project-top-ten/'],
+                    });
+                }
+            }
+        } catch { /* skip */ }
+        return null;
+    }
+
+    /**
+     * Test HTTP verb tampering — some apps restrict DELETE but allow POST with ?_method=DELETE.
+     */
+    async _testVerbTamper(url) {
+        if (!url) return null;
+        try {
+            const methods = ['DELETE', 'PUT', 'PATCH'];
+            const baseGet = await this._fetchWithTimeout(url.toString(), 'GET');
+            if (!baseGet) return null;
+
+            for (const method of methods) {
+                const response = await this._fetchWithTimeout(url.toString(), method);
+                if (!response) continue;
+
+                // If DELETE/PUT succeeds (2xx) on a page that GETs normally, flag it
+                if (response.status < 300 && baseGet.status < 400) {
+                    return createFinding({
+                        module: 'logic',
+                        title: `HTTP Verb Tampering: ${method} accepted at ${new URL(url).pathname}`,
+                        severity: 'high',
+                        affected_surface: url,
+                        description: `The endpoint ${url} accepts ${method} requests without apparent authorization restrictions. If this endpoint supports state-changing operations via ${method}, it may be exploitable without CSRF protection (since CORS does protect non-simple methods, but SPA apps with CORS misconfiguration may still be vulnerable).`,
+                        reproduction: [
+                            `1. Send ${method} ${url}`,
+                            `2. Server responds with ${response.status} (success)`,
+                        ],
+                        evidence: `GET status: ${baseGet.status}\n${method} status: ${response.status}`,
+                        remediation: 'Implement strict HTTP method validation. Return 405 Method Not Allowed for unsupported verbs on each endpoint. Use server framework routing to explicitly define allowed methods per route.',
+                        references: ['https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods'],
+                    });
+                }
+            }
+        } catch { /* skip */ }
+        return null;
+    }
+
+    async _fetchWithTimeout(url, method = 'GET') {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 8000);
+        try {
+            const response = await fetch(url, {
+                method,
+                redirect: 'manual',
+                signal: controller.signal,
+            });
+            const body = await response.text().catch(() => '');
+            return { status: response.status, body };
+        } catch {
+            return null;
+        } finally {
+            clearTimeout(timeout);
+        }
+    }
+}
+
+export default ParameterPolluter;