jaku.sh 1.0.0

package/src/core/logic/pricing-exploiter.js

@@ -0,0 +1,299 @@
+import { createFinding } from '../../utils/finding.js';
+
+/**
+ * PricingExploiter — Tests payment & pricing logic for manipulation vulnerabilities.
+ *
+ * Probes:
+ * - Negative price/quantity injection
+ * - Zero-amount order attempts
+ * - Coupon stacking and reuse
+ * - Price parameter tampering
+ * - Currency confusion
+ * - Integer overflow quantities
+ * - Discount manipulation
+ */
+export class PricingExploiter {
+    constructor(logger) {
+        this.logger = logger;
+
+        this.PROBES = [
+            {
+                name: 'Negative quantity',
+                description: 'Submit negative quantity to reverse charges or get credits',
+                paramTargets: ['quantity', 'qty', 'amount', 'count'],
+                value: '-1',
+                severity: 'critical',
+            },
+            {
+                name: 'Negative price',
+                description: 'Submit negative price to reduce total or get refund',
+                paramTargets: ['price', 'amount', 'total', 'subtotal', 'unit_price'],
+                value: '-100',
+                severity: 'critical',
+            },
+            {
+                name: 'Zero amount checkout',
+                description: 'Attempt to complete purchase with zero total',
+                paramTargets: ['total', 'amount', 'price', 'charge'],
+                value: '0',
+                severity: 'high',
+            },
+            {
+                name: 'Fractional quantity',
+                description: 'Submit fractional quantity (0.001) to exploit rounding',
+                paramTargets: ['quantity', 'qty', 'amount', 'count'],
+                value: '0.001',
+                severity: 'medium',
+            },
+            {
+                name: 'Integer overflow quantity',
+                description: 'Submit extremely large quantity to cause integer overflow',
+                paramTargets: ['quantity', 'qty', 'count'],
+                value: '999999999',
+                severity: 'high',
+            },
+            {
+                name: 'Price tampering - penny',
+                description: 'Change price to 1 cent to test server-side validation',
+                paramTargets: ['price', 'amount', 'unit_price', 'cost'],
+                value: '0.01',
+                severity: 'critical',
+            },
+            {
+                name: 'Currency confusion',
+                description: 'Submit unexpected currency code to exploit conversion',
+                paramTargets: ['currency', 'currency_code', 'cur'],
+                value: 'XXX',
+                severity: 'medium',
+            },
+            {
+                name: 'Coupon code - empty',
+                description: 'Submit empty coupon to test for default discount',
+                paramTargets: ['coupon', 'coupon_code', 'promo', 'promo_code', 'discount_code'],
+                value: '',
+                severity: 'low',
+            },
+            {
+                name: 'Coupon code - universal',
+                description: 'Try common test/debug coupon codes',
+                paramTargets: ['coupon', 'coupon_code', 'promo', 'promo_code', 'discount_code'],
+                values: ['TEST', 'DEBUG', 'ADMIN', '100OFF', 'FREE', 'DISCOUNT', 'OVERRIDE'],
+                severity: 'high',
+            },
+            {
+                name: 'Negative discount',
+                description: 'Submit negative discount percentage to increase price awareness',
+                paramTargets: ['discount', 'discount_percent', 'discount_amount'],
+                value: '-50',
+                severity: 'medium',
+            },
+            {
+                name: 'Tax bypass',
+                description: 'Set tax to zero or remove tax parameter',
+                paramTargets: ['tax', 'tax_amount', 'tax_rate', 'vat'],
+                value: '0',
+                severity: 'medium',
+            },
+            {
+                name: 'Shipping manipulation',
+                description: 'Set shipping cost to zero or negative',
+                paramTargets: ['shipping', 'shipping_cost', 'delivery_fee', 'shipping_amount'],
+                value: '0',
+                severity: 'medium',
+            },
+        ];
+    }
+
+    /**
+     * Test pricing surfaces for manipulation vulnerabilities.
+     */
+    async exploit(businessContext) {
+        const findings = [];
+        const pricingSurfaces = businessContext.pricingSurfaces || [];
+
+        if (pricingSurfaces.length === 0) {
+            this.logger?.info?.('Pricing Exploiter: no pricing surfaces found — skipping');
+            return findings;
+        }
+
+        this.logger?.info?.(`Pricing Exploiter: testing ${pricingSurfaces.length} pricing surfaces`);
+
+        for (const surface of pricingSurfaces) {
+            // Test forms with pricing fields
+            if (surface.type === 'form' && surface.fields) {
+                const formFindings = await this._testForm(surface);
+                findings.push(...formFindings);
+            }
+
+            // Test API endpoints
+            if (surface.type === 'api') {
+                const apiFindings = await this._testAPI(surface);
+                findings.push(...apiFindings);
+            }
+        }
+
+        this.logger?.info?.(`Pricing Exploiter: found ${findings.length} issues`);
+        return findings;
+    }
+
+    async _testForm(surface) {
+        const findings = [];
+        const fields = (surface.fields || []).map(f => ({
+            name: (f.name || f.id || '').toLowerCase(),
+            original: f,
+        }));
+
+        for (const probe of this.PROBES) {
+            const matchingFields = fields.filter(f =>
+                probe.paramTargets.some(target => f.name.includes(target))
+            );
+
+            if (matchingFields.length === 0) continue;
+
+            for (const field of matchingFields) {
+                const values = probe.values || [probe.value];
+                for (const value of values) {
+                    const result = await this._submitProbe(surface, field, value, probe);
+                    if (result) {
+                        findings.push(result);
+                    }
+                }
+            }
+        }
+
+        return findings;
+    }
+
+    async _testAPI(surface) {
+        const findings = [];
+        const url = surface.url;
+
+        for (const probe of this.PROBES) {
+            const values = probe.values || [probe.value];
+            for (const value of values) {
+                for (const param of probe.paramTargets) {
+                    try {
+                        const body = {};
+                        body[param] = value;
+
+                        const controller = new AbortController();
+                        const timeout = setTimeout(() => controller.abort(), 8000);
+
+                        const response = await fetch(url, {
+                            method: surface.method || 'POST',
+                            headers: { 'Content-Type': 'application/json' },
+                            body: JSON.stringify(body),
+                            signal: controller.signal,
+                        });
+                        clearTimeout(timeout);
+
+                        // If the server accepts the manipulated value (2xx), flag it
+                        if (response.ok) {
+                            const text = await response.text();
+                            const accepted = this._checkAccepted(text, probe, value);
+                            if (accepted) {
+                                findings.push(createFinding({
+                                    module: 'logic',
+                                    title: `Pricing Manipulation: ${probe.name}`,
+                                    severity: probe.severity,
+                                    affected_surface: url,
+                                    description: `${probe.description}. The API at ${url} accepted ${param}=${value} without server-side validation. ${accepted.reason}`,
+                                    reproduction: [
+                                        `1. Send ${surface.method || 'POST'} to ${url}`,
+                                        `2. Set "${param}" to "${value}"`,
+                                        `3. Server responds with 200 OK — value accepted`,
+                                    ],
+                                    evidence: `Parameter: ${param}=${value}\nResponse status: ${response.status}\nResponse: ${text.substring(0, 300)}`,
+                                    remediation: 'Implement server-side validation for all pricing parameters. Never trust client-supplied prices, quantities, or totals. Recalculate all amounts server-side from the product catalog. Validate quantities are positive integers within allowed ranges.',
+                                }));
+                            }
+                        }
+                    } catch {
+                        continue;
+                    }
+                }
+            }
+        }
+
+        return findings;
+    }
+
+    async _submitProbe(surface, field, value, probe) {
+        try {
+            const url = surface.url || surface.pageUrl;
+            const body = {};
+            body[field.name] = value;
+
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 8000);
+
+            const response = await fetch(url, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(body),
+                signal: controller.signal,
+            });
+            clearTimeout(timeout);
+
+            if (response.ok) {
+                const text = await response.text();
+                const accepted = this._checkAccepted(text, probe, value);
+                if (accepted) {
+                    return createFinding({
+                        module: 'logic',
+                        title: `Pricing Manipulation: ${probe.name}`,
+                        severity: probe.severity,
+                        affected_surface: url,
+                        description: `${probe.description}. The form accepted "${field.name}=${value}" without validation. ${accepted.reason}`,
+                        reproduction: [
+                            `1. Navigate to ${surface.pageUrl || url}`,
+                            `2. Set "${field.name}" to "${value}"`,
+                            `3. Submit the form`,
+                        ],
+                        evidence: `Field: ${field.name}=${value}\nStatus: ${response.status}`,
+                        remediation: 'Implement server-side validation for all pricing parameters. Never trust client-supplied prices or quantities.',
+                    });
+                }
+            }
+        } catch {
+            // Network error — skip
+        }
+        return null;
+    }
+
+    _checkAccepted(responseText, probe, value) {
+        const lower = responseText.toLowerCase();
+
+        // If the response contains success indicators
+        const successIndicators = [
+            /success/i, /accepted/i, /confirmed/i, /processed/i,
+            /order.*created/i, /added.*cart/i, /applied/i,
+        ];
+
+        // If the response contains the manipulated value echoed back
+        const echoed = lower.includes(value.toLowerCase());
+
+        // If the response does NOT contain error indicators
+        const errorIndicators = [
+            /invalid/i, /error/i, /not allowed/i, /rejected/i,
+            /must be positive/i, /minimum/i, /maximum/i, /out of range/i,
+        ];
+        const hasError = errorIndicators.some(p => p.test(responseText));
+
+        if (hasError) return null;
+
+        const hasSuccess = successIndicators.some(p => p.test(responseText));
+
+        if (hasSuccess || echoed) {
+            return {
+                reason: hasSuccess
+                    ? 'Server returned success response for manipulated value'
+                    : 'Server echoed the manipulated value without rejection',
+            };
+        }
+
+        return null;
+    }
+}
+
+export default PricingExploiter;

package/src/core/logic/race-condition-detector.js

@@ -0,0 +1,222 @@
+import { createFinding } from '../../utils/finding.js';
+
+/**
+ * RaceConditionDetector — Tests for race conditions in critical paths.
+ *
+ * Fires concurrent requests at state-changing endpoints to detect:
+ * - Double spend (concurrent payment/transfer)
+ * - Duplicate submission (same action processed twice)
+ * - TOCTOU (time-of-check vs time-of-use)
+ * - Limit bypass (concurrent requests that individually pass limits but collectively exceed)
+ * - Inventory oversell (concurrent purchases of limited-stock item)
+ */
+export class RaceConditionDetector {
+    constructor(logger) {
+        this.logger = logger;
+        this.CONCURRENCY = 10; // Number of simultaneous requests
+    }
+
+    /**
+     * Test for race conditions on critical endpoints.
+     */
+    async detect(businessContext, surfaceInventory) {
+        const findings = [];
+
+        this.logger?.info?.('Race Condition Detector: starting tests');
+
+        // Gather critical endpoints from all business domains
+        const criticalEndpoints = this._gatherCriticalEndpoints(businessContext);
+
+        if (criticalEndpoints.length === 0) {
+            this.logger?.info?.('Race Condition Detector: no critical endpoints found — skipping');
+            return findings;
+        }
+
+        this.logger?.info?.(`Race Condition Detector: testing ${criticalEndpoints.length} endpoints`);
+
+        for (const endpoint of criticalEndpoints) {
+            const result = await this._testEndpoint(endpoint);
+            if (result) {
+                findings.push(result);
+            }
+        }
+
+        this.logger?.info?.(`Race Condition Detector: found ${findings.length} issues`);
+        return findings;
+    }
+
+    /**
+     * Gather state-changing endpoints that are race-condition sensitive.
+     */
+    _gatherCriticalEndpoints(businessContext) {
+        const endpoints = [];
+
+        // Payment endpoints
+        for (const surface of (businessContext.domains.payments || [])) {
+            if (surface.type === 'api' || surface.type === 'form') {
+                endpoints.push({
+                    url: surface.url,
+                    method: surface.method || 'POST',
+                    category: 'payment',
+                    body: { amount: 1, action: 'process' },
+                });
+            }
+        }
+
+        // Inventory endpoints
+        for (const surface of (businessContext.domains.inventory || [])) {
+            if (surface.type === 'api') {
+                endpoints.push({
+                    url: surface.url,
+                    method: surface.method || 'POST',
+                    category: 'inventory',
+                    body: { quantity: 1, action: 'purchase' },
+                });
+            }
+        }
+
+        // Referral/reward endpoints
+        for (const surface of (businessContext.domains.referrals || [])) {
+            if (surface.type === 'api') {
+                endpoints.push({
+                    url: surface.url,
+                    method: surface.method || 'POST',
+                    category: 'reward',
+                    body: { action: 'claim' },
+                });
+            }
+        }
+
+        // Subscription endpoints
+        for (const surface of (businessContext.domains.subscriptions || [])) {
+            if (surface.type === 'api') {
+                endpoints.push({
+                    url: surface.url,
+                    method: surface.method || 'POST',
+                    category: 'subscription',
+                    body: { action: 'change' },
+                });
+            }
+        }
+
+        return endpoints;
+    }
+
+    /**
+     * Fire concurrent requests at an endpoint and analyze results.
+     */
+    async _testEndpoint(endpoint) {
+        try {
+            // Fire N concurrent identical requests
+            const requests = Array.from({ length: this.CONCURRENCY }, () =>
+                this._fireRequest(endpoint)
+            );
+
+            const results = await Promise.allSettled(requests);
+
+            // Analyze results
+            const successes = results.filter(r =>
+                r.status === 'fulfilled' && r.value?.ok
+            );
+            const failures = results.filter(r =>
+                r.status === 'fulfilled' && r.value && !r.value.ok
+            );
+            const errors = results.filter(r => r.status === 'rejected');
+
+            // If all requests succeeded, the endpoint may lack concurrency control
+            if (successes.length >= 2) {
+                // Check if responses are identical (indicating no state change detection)
+                const responseBodies = successes
+                    .map(r => r.value?.body)
+                    .filter(Boolean);
+
+                const allIdentical = responseBodies.length >= 2 &&
+                    responseBodies.every(b => b === responseBodies[0]);
+
+                const severity = this._getSeverity(endpoint.category, successes.length);
+
+                return createFinding({
+                    module: 'logic',
+                    title: `Race Condition: ${this._getCategoryTitle(endpoint.category)}`,
+                    severity,
+                    affected_surface: endpoint.url,
+                    description: `${this.CONCURRENCY} concurrent requests were fired at ${endpoint.url}. ${successes.length}/${this.CONCURRENCY} succeeded, suggesting the endpoint lacks concurrency control. This could lead to ${this._getImpact(endpoint.category)}.`,
+                    reproduction: [
+                        `1. Prepare ${this.CONCURRENCY} identical ${endpoint.method} requests to ${endpoint.url}`,
+                        `2. Fire all requests simultaneously using Promise.all`,
+                        `3. ${successes.length} requests returned success (2xx)`,
+                        allIdentical
+                            ? `4. All success responses were identical — no state change detected`
+                            : `4. Responses varied — partial state corruption possible`,
+                    ],
+                    evidence: `Concurrent requests: ${this.CONCURRENCY}\nSuccesses: ${successes.length}\nFailures: ${failures.length}\nErrors: ${errors.length}\nIdentical responses: ${allIdentical}`,
+                    remediation: this._getRemediation(endpoint.category),
+                });
+            }
+        } catch (err) {
+            this.logger?.debug?.(`Race test for ${endpoint.url} failed: ${err.message}`);
+        }
+
+        return null;
+    }
+
+    async _fireRequest(endpoint) {
+        try {
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 10000);
+
+            const response = await fetch(endpoint.url, {
+                method: endpoint.method,
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(endpoint.body),
+                signal: controller.signal,
+            });
+            clearTimeout(timeout);
+
+            const body = await response.text();
+            return { ok: response.ok, status: response.status, body };
+        } catch {
+            return null;
+        }
+    }
+
+    _getCategoryTitle(category) {
+        const titles = {
+            payment: 'Double Spend Risk',
+            inventory: 'Oversell Risk',
+            reward: 'Reward Farming',
+            subscription: 'State Corruption',
+        };
+        return titles[category] || 'Concurrent Modification';
+    }
+
+    _getImpact(category) {
+        const impacts = {
+            payment: 'double charges, double payouts, or multiple payment processing for a single transaction',
+            inventory: 'selling more items than available stock, inventory going negative',
+            reward: 'claiming the same reward multiple times, point/credit inflation',
+            subscription: 'corrupted subscription state, free access to paid tiers',
+        };
+        return impacts[category] || 'inconsistent state from concurrent modifications';
+    }
+
+    _getSeverity(category, successCount) {
+        if (category === 'payment' && successCount >= 2) return 'critical';
+        if (category === 'inventory' && successCount >= 3) return 'high';
+        if (category === 'reward' && successCount >= 3) return 'high';
+        return 'medium';
+    }
+
+    _getRemediation(category) {
+        const base = 'Implement concurrency control: ';
+        const remediations = {
+            payment: base + 'Use database-level locking (SELECT FOR UPDATE), idempotency keys, and optimistic concurrency control for all payment operations. Process payments through a queue to serialize concurrent requests.',
+            inventory: base + 'Use atomic database operations (UPDATE ... WHERE stock > 0) for inventory decrements. Implement pessimistic locking on stock-sensitive operations.',
+            reward: base + 'Use unique constraints on reward claims (user_id + reward_id). Implement rate limiting and claim deduplication. Process reward claims through a serialized queue.',
+            subscription: base + 'Use optimistic locking with version numbers on subscription records. Reject concurrent modifications with a 409 Conflict response.',
+        };
+        return remediations[category] || base + 'Use database-level locking and idempotency keys for state-changing operations.';
+    }
+}
+
+export default RaceConditionDetector;