jaku.sh 1.0.0

package/src/core/responsive-checker.js

@@ -0,0 +1,228 @@
+import { chromium } from 'playwright';
+import { createFinding } from '../utils/finding.js';
+import fs from 'fs';
+import path from 'path';
+
+/**
+ * Responsive Checker — Tests pages across viewport breakpoints.
+ * Detects horizontal overflow, overlapping elements, and captures screenshots.
+ */
+export class ResponsiveChecker {
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+        this.findings = [];
+        this.screenshotDir = path.join(config.output_dir || 'jaku-reports', 'screenshots', 'responsive');
+        this.viewports = config.viewports || {
+            mobile: { width: 375, height: 812 },
+            tablet: { width: 768, height: 1024 },
+            desktop: { width: 1440, height: 900 },
+        };
+    }
+
+    /**
+     * Check responsiveness of all crawled pages.
+     */
+    async check(surfaceInventory) {
+        if (!fs.existsSync(this.screenshotDir)) {
+            fs.mkdirSync(this.screenshotDir, { recursive: true });
+        }
+
+        // Only test a subset of pages for responsiveness (top-level pages, not API endpoints)
+        const pagesToTest = surfaceInventory.pages
+            .filter(p => typeof p.status === 'number' && p.status < 400)
+            .slice(0, 20); // Cap at 20 pages
+
+        if (pagesToTest.length === 0) {
+            this.logger?.info?.('No valid pages to check responsiveness');
+            return [];
+        }
+
+        const browser = await chromium.launch({ headless: true });
+
+        for (const page of pagesToTest) {
+            await this._checkPage(browser, page);
+        }
+
+        await browser.close();
+        this.logger?.info?.(`Responsive checker found ${this.findings.length} issues`);
+        return this.findings;
+    }
+
+    async _checkPage(browser, pageData) {
+        for (const [viewportName, viewport] of Object.entries(this.viewports)) {
+            const context = await browser.newContext({
+                viewport,
+                ignoreHTTPSErrors: true,
+            });
+            const page = await context.newPage();
+
+            try {
+                await page.goto(pageData.url, { waitUntil: 'networkidle', timeout: 15000 });
+
+                // Capture screenshot
+                const screenshotName = `${this._sanitizeFilename(pageData.url)}-${viewportName}.png`;
+                const screenshotPath = path.join(this.screenshotDir, screenshotName);
+                await page.screenshot({ path: screenshotPath, fullPage: true });
+
+                // Check for horizontal overflow
+                const overflowData = await page.evaluate(() => {
+                    const docWidth = document.documentElement.scrollWidth;
+                    const viewWidth = window.innerWidth;
+                    const isOverflowing = docWidth > viewWidth;
+
+                    // Find elements causing overflow
+                    const overflowingElements = [];
+                    if (isOverflowing) {
+                        const allElements = document.querySelectorAll('*');
+                        for (const el of allElements) {
+                            const rect = el.getBoundingClientRect();
+                            if (rect.right > viewWidth + 5) {
+                                overflowingElements.push({
+                                    tag: el.tagName,
+                                    id: el.id,
+                                    class: el.className?.toString?.()?.substring(0, 50) || '',
+                                    width: Math.round(rect.width),
+                                    right: Math.round(rect.right),
+                                });
+                                if (overflowingElements.length >= 5) break;
+                            }
+                        }
+                    }
+
+                    return {
+                        docWidth,
+                        viewWidth,
+                        isOverflowing,
+                        overflowingElements,
+                    };
+                });
+
+                if (overflowData.isOverflowing) {
+                    this.findings.push(
+                        createFinding({
+                            module: 'qa',
+                            title: `Horizontal Overflow at ${viewportName}: ${this._shortUrl(pageData.url)}`,
+                            severity: 'medium',
+                            affected_surface: pageData.url,
+                            description: `Page content (${overflowData.docWidth}px) exceeds ${viewportName} viewport width (${overflowData.viewWidth}px). This causes a horizontal scrollbar and breaks the responsive layout.\n\nOverflowing elements:\n${overflowData.overflowingElements.map(e => `- <${e.tag}> (${e.id || e.class || 'no id/class'}): ${e.width}px wide, extends to ${e.right}px`).join('\n')}`,
+                            reproduction: [
+                                `1. Open ${pageData.url}`,
+                                `2. Set viewport to ${viewport.width}×${viewport.height} (${viewportName})`,
+                                `3. Observe horizontal scrollbar`,
+                            ],
+                            evidence: JSON.stringify(overflowData, null, 2),
+                            remediation: `Fix the overflow by adding max-width: 100%, overflow-x: hidden, or using responsive CSS. Check the identified elements for fixed widths.`,
+                        })
+                    );
+                }
+
+                // Check for overlapping interactive elements
+                const overlapData = await page.evaluate(() => {
+                    const interactive = Array.from(
+                        document.querySelectorAll('a, button, input, select, textarea, [role="button"]')
+                    );
+                    const overlaps = [];
+
+                    for (let i = 0; i < interactive.length - 1; i++) {
+                        for (let j = i + 1; j < interactive.length; j++) {
+                            const r1 = interactive[i].getBoundingClientRect();
+                            const r2 = interactive[j].getBoundingClientRect();
+
+                            // Skip invisible elements
+                            if (r1.width === 0 || r1.height === 0 || r2.width === 0 || r2.height === 0) continue;
+
+                            const overlap = !(r1.right < r2.left || r1.left > r2.right ||
+                                r1.bottom < r2.top || r1.top > r2.bottom);
+
+                            if (overlap) {
+                                overlaps.push({
+                                    el1: { tag: interactive[i].tagName, text: interactive[i].textContent?.substring(0, 30) },
+                                    el2: { tag: interactive[j].tagName, text: interactive[j].textContent?.substring(0, 30) },
+                                });
+                                if (overlaps.length >= 3) break;
+                            }
+                        }
+                        if (overlaps.length >= 3) break;
+                    }
+
+                    return overlaps;
+                });
+
+                if (overlapData.length > 0) {
+                    this.findings.push(
+                        createFinding({
+                            module: 'qa',
+                            title: `Overlapping Elements at ${viewportName}: ${this._shortUrl(pageData.url)}`,
+                            severity: 'low',
+                            affected_surface: pageData.url,
+                            description: `${overlapData.length} pair(s) of interactive elements overlap at ${viewportName} (${viewport.width}×${viewport.height}). This makes them difficult or impossible to click.\n\n${overlapData.map(o => `- <${o.el1.tag}> "${o.el1.text}" overlaps with <${o.el2.tag}> "${o.el2.text}"`).join('\n')}`,
+                            reproduction: [
+                                `1. Open ${pageData.url}`,
+                                `2. Set viewport to ${viewport.width}×${viewport.height} (${viewportName})`,
+                                `3. Observe overlapping interactive elements`,
+                            ],
+                            evidence: JSON.stringify(overlapData, null, 2),
+                            remediation: 'Use responsive CSS, media queries, or flexbox/grid to ensure interactive elements do not overlap at smaller viewports.',
+                        })
+                    );
+                }
+
+                // Check for tiny text (< 12px)
+                const tinyText = await page.evaluate(() => {
+                    const allText = document.querySelectorAll('p, span, a, li, td, th, label, div');
+                    let tinyCount = 0;
+                    for (const el of allText) {
+                        const fontSize = parseFloat(window.getComputedStyle(el).fontSize);
+                        if (fontSize < 12 && el.textContent?.trim()) {
+                            tinyCount++;
+                        }
+                    }
+                    return tinyCount;
+                });
+
+                if (viewportName === 'mobile' && tinyText > 10) {
+                    this.findings.push(
+                        createFinding({
+                            module: 'qa',
+                            title: `Tiny Text on Mobile: ${this._shortUrl(pageData.url)}`,
+                            severity: 'low',
+                            affected_surface: pageData.url,
+                            description: `Found ${tinyText} text elements with font-size below 12px on mobile viewport. This makes content difficult to read without zooming.`,
+                            reproduction: [
+                                `1. Open ${pageData.url} on mobile (375×812)`,
+                                `2. Observe small, hard-to-read text`,
+                            ],
+                            remediation: 'Use a minimum font-size of 14px on mobile viewports. Add media queries to scale text appropriately.',
+                        })
+                    );
+                }
+            } catch (err) {
+                this.logger?.debug?.(`Responsive check failed for ${pageData.url} at ${viewportName}: ${err.message}`);
+            } finally {
+                await page.close();
+                await context.close();
+            }
+        }
+    }
+
+    _shortUrl(url) {
+        try {
+            const u = new URL(url);
+            return u.pathname === '/' ? u.hostname : u.pathname;
+        } catch {
+            return url;
+        }
+    }
+
+    _sanitizeFilename(url) {
+        try {
+            const u = new URL(url);
+            return (u.hostname + u.pathname).replace(/[^a-zA-Z0-9]/g, '_').substring(0, 50);
+        } catch {
+            return 'page';
+        }
+    }
+}
+
+export default ResponsiveChecker;

package/src/core/security/cors-prober.js

@@ -0,0 +1,150 @@
+import { createFinding } from '../../utils/finding.js';
+
+/**
+ * CORSProber — Tests for Cross-Origin Resource Sharing misconfigurations.
+ *
+ * Common misconfigs:
+ * 1. Wildcard with credentials — Access-Control-Allow-Origin: * + Allow-Credentials: true (impossible per spec, but some servers do it anyway)
+ * 2. Arbitrary origin reflection — server mirrors back whatever Origin: header is sent
+ * 3. Null origin accepted — Origin: null bypasses same-origin policy
+ * 4. Pre-flight bypass — complex request proceeds without OPTIONS check
+ * 5. Subdomain wildcard — *.yourapp.com allows evil.yourapp.com (subdomain takeover vector)
+ * 6. Trusted domain substring match — trusts "evil-yourapp.com" because it contains "yourapp.com"
+ */
+export class CORSProber {
+    constructor(logger) {
+        this.logger = logger;
+    }
+
+    async probe(surfaceInventory) {
+        const findings = [];
+        const tested = new Set();
+
+        // Test API endpoints and key pages
+        const targets = [
+            ...surfaceInventory.pages.filter(p => p.status < 400),
+            ...(surfaceInventory.apis || []),
+        ];
+
+        for (const target of targets) {
+            const url = target.url || target;
+            if (!url || tested.has(url)) continue;
+            tested.add(url);
+
+            try {
+                const result = await this._testCORS(url);
+                if (result) findings.push(result);
+            } catch (err) {
+                this.logger?.debug?.(`CORS probe failed for ${url}: ${err.message}`);
+            }
+        }
+
+        this.logger?.info?.(`CORS Prober: found ${findings.length} misconfigurations`);
+        return findings;
+    }
+
+    async _testCORS(url) {
+        const testOrigins = [
+            { origin: 'https://evil.attacker.com', label: 'arbitrary external origin' },
+            { origin: 'null', label: 'null origin' },
+            { origin: `https://evil.${new URL(url).hostname}`, label: 'evil subdomain of target' },
+            { origin: `https://evil-${new URL(url).hostname}`, label: 'substring match bypass' },
+        ];
+
+        for (const { origin, label } of testOrigins) {
+            try {
+                const controller = new AbortController();
+                const timeout = setTimeout(() => controller.abort(), 10000);
+
+                const response = await fetch(url, {
+                    method: 'GET',
+                    headers: { 'Origin': origin },
+                    signal: controller.signal,
+                });
+                clearTimeout(timeout);
+
+                const acao = response.headers.get('access-control-allow-origin');
+                const acac = response.headers.get('access-control-allow-credentials');
+
+                if (!acao) continue;
+
+                // Check 1: Arbitrary origin reflected
+                if (acao === origin || acao === '*') {
+                    const withCredentials = acac === 'true';
+                    const severity = withCredentials ? 'critical' : (acao === '*' ? 'low' : 'high');
+
+                    if (withCredentials && acao === '*') continue; // Impossible per spec, browser blocks it
+
+                    return createFinding({
+                        module: 'security',
+                        title: `CORS Misconfiguration: ${label}`,
+                        severity,
+                        affected_surface: url,
+                        description: `The server at ${url} reflects a ${label} in its CORS response header (Access-Control-Allow-Origin: ${acao}${withCredentials ? ', Access-Control-Allow-Credentials: true' : ''}). ${withCredentials
+                            ? 'This is a CRITICAL misconfiguration — credentialed cross-origin requests from any origin are permitted, enabling session hijacking from any website.'
+                            : 'This allows cross-origin reads from any origin.'}`,
+                        reproduction: [
+                            `1. Send a request to ${url} with header: Origin: ${origin}`,
+                            `2. Response includes: Access-Control-Allow-Origin: ${acao}`,
+                            withCredentials ? '3. Access-Control-Allow-Credentials: true is also present' : '',
+                            `4. Any website on the internet can now read the response with ${withCredentials ? 'user credentials' : 'no credentials'}`,
+                        ].filter(Boolean),
+                        evidence: `Request Origin: ${origin}\nResponse ACAO: ${acao}\nResponse ACAC: ${acac || 'not set'}`,
+                        remediation: 'Only allow specific, known origins in CORS policy. Never reflect the request Origin back directly. Never combine Access-Control-Allow-Credentials: true with a wildcard or arbitrary origin. Maintain an explicit allowlist of trusted origins.',
+                        references: [
+                            'https://portswigger.net/web-security/cors',
+                            'https://owasp.org/www-community/attacks/CORS_RequestPreflightScrutiny',
+                            'CWE-942',
+                        ],
+                    });
+                }
+            } catch { /* continue to next origin */ }
+        }
+
+        // Check pre-flight bypass: send complex request without OPTIONS
+        await this._testPreflightBypass(url, findings);
+
+        return null;
+    }
+
+    async _testPreflightBypass(url, findings) {
+        try {
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 8000);
+
+            // Complex request that SHOULD trigger pre-flight but might not
+            const response = await fetch(url, {
+                method: 'PUT',
+                headers: {
+                    'Origin': 'https://evil.attacker.com',
+                    'Content-Type': 'application/json',
+                    'X-Custom-Header': 'jaku-test',
+                },
+                body: JSON.stringify({ test: 'preflight-bypass' }),
+                signal: controller.signal,
+            });
+            clearTimeout(timeout);
+
+            const acao = response.headers.get('access-control-allow-origin');
+            if (acao === 'https://evil.attacker.com' || acao === '*') {
+                findings.push(createFinding({
+                    module: 'security',
+                    title: 'CORS Pre-flight Bypass: Complex requests allowed from arbitrary origin',
+                    severity: 'high',
+                    affected_surface: url,
+                    description: `${url} accepts complex cross-origin PUT requests from arbitrary origins without requiring a proper OPTIONS pre-flight check. This allows attackers to make state-changing requests on behalf of authenticated users from any origin.`,
+                    reproduction: [
+                        `1. Send PUT ${url} with Origin: https://evil.attacker.com`,
+                        `2. Server responds with Access-Control-Allow-Origin: ${acao}`,
+                        '3. Complex cross-origin request succeeds without pre-flight',
+                    ],
+                    evidence: `Method: PUT | Origin: https://evil.attacker.com | Response ACAO: ${acao}`,
+                    remediation: 'Ensure all state-changing endpoints trigger and validate CORS pre-flight requests. On the server side, explicitly validate the Origin header against an allowlist for all methods other than GET/HEAD.',
+                    references: ['https://portswigger.net/web-security/cors'],
+                }));
+            }
+        } catch { /* ignore */ }
+    }
+}
+
+export default CORSProber;

package/src/core/security/csrf-prober.js

@@ -0,0 +1,217 @@
+import { chromium } from 'playwright';
+import { createFinding } from '../../utils/finding.js';
+
+/**
+ * CSRFProber — Tests for Cross-Site Request Forgery vulnerabilities.
+ *
+ * Active tests:
+ * 1. State-changing GET requests (no CSRF protection by design)
+ * 2. Missing SameSite cookie attribute
+ * 3. CSRF token absent on state-changing forms
+ * 4. Weak CSRF token (predictable, short, static)
+ * 5. Double-submit cookie bypass
+ * 6. Custom header bypass attempt (some apps use X-Requested-With as CSRF protection)
+ */
+export class CSRFProber {
+    constructor(logger) {
+        this.logger = logger;
+    }
+
+    async probe(surfaceInventory) {
+        const findings = [];
+
+        // Test 1: State-changing GET endpoints
+        findings.push(...await this._testStateChangingGET(surfaceInventory));
+
+        // Test 2: Cookie SameSite attribute
+        findings.push(...await this._testCookieSameSite(surfaceInventory));
+
+        // Test 3: CSRF token validation on forms
+        findings.push(...await this._testFormCSRFTokens(surfaceInventory));
+
+        this.logger?.info?.(`CSRF Prober: found ${findings.length} issues`);
+        return findings;
+    }
+
+    /**
+     * Detect state-changing GET endpoints which are inherently CSRF-vulnerable
+     * (Safe HTTP methods should never change state).
+     */
+    async _testStateChangingGET(surfaceInventory) {
+        const findings = [];
+        const stateChangingPatterns = [
+            /\/(delete|remove|destroy|logout|signout|clear|reset|confirm|activate|deactivate|ban|unban|approve|reject|cancel|archive)/i,
+            /[?&](action|do|cmd|command)=(delete|remove|logout|reset|confirm|activate|deactivate)/i,
+        ];
+
+        for (const page of surfaceInventory.pages) {
+            if (!page.url || page.status >= 400) continue;
+            const url = page.url;
+
+            for (const pattern of stateChangingPatterns) {
+                if (pattern.test(url)) {
+                    try {
+                        const controller = new AbortController();
+                        const timeout = setTimeout(() => controller.abort(), 8000);
+
+                        const response = await fetch(url, {
+                            method: 'GET',
+                            redirect: 'manual',
+                            signal: controller.signal,
+                        });
+                        clearTimeout(timeout);
+
+                        // If it returns 200 (not a redirect to login) it's likely processing the action
+                        if (response.status === 200) {
+                            findings.push(createFinding({
+                                module: 'security',
+                                title: `CSRF: State-Changing GET Request at ${new URL(url).pathname}`,
+                                severity: 'high',
+                                affected_surface: url,
+                                description: `The endpoint ${url} appears to perform a state-changing action (${url.match(stateChangingPatterns[0])?.[1] || 'action'}) via GET request. GET requests cannot be protected by CSRF tokens in standard implementations, and browsers will silently follow GET-based CSRF via <img>, <link> or fetch() from any origin.`,
+                                reproduction: [
+                                    `1. While victim is authenticated, embed: <img src="${url}">`,
+                                    `2. Victim's browser silently GETs the URL with their session cookies`,
+                                    `3. Action is performed without victim's knowledge`,
+                                ],
+                                evidence: `URL: ${url}\nMethod: GET\nResponse: ${response.status}`,
+                                remediation: 'All state-changing operations must use POST, PUT, PATCH, or DELETE. Never use GET for actions that modify data. Combine with CSRF tokens on all state-changing endpoints.',
+                                references: ['https://owasp.org/www-community/attacks/csrf', 'CWE-352'],
+                            }));
+                        }
+                    } catch { /* skip */ }
+                    break;
+                }
+            }
+        }
+
+        return findings;
+    }
+
+    /**
+     * Check cookies for missing SameSite attribute.
+     */
+    async _testCookieSameSite(surfaceInventory) {
+        const findings = [];
+        const baseUrl = surfaceInventory.pages[0]?.url;
+        if (!baseUrl) return findings;
+
+        try {
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 10000);
+
+            const response = await fetch(baseUrl, { signal: controller.signal });
+            clearTimeout(timeout);
+
+            const cookies = response.headers.getSetCookie?.() || [];
+
+            for (const cookie of cookies) {
+                const isSession = /session|auth|token|sid|jwt|access|refresh/i.test(cookie);
+                const hasSameSite = /samesite=/i.test(cookie);
+                const isStrict = /samesite=strict/i.test(cookie);
+                const isLax = /samesite=lax/i.test(cookie);
+                const isSecure = /;\s*secure/i.test(cookie);
+                const isHttpOnly = /;\s*httponly/i.test(cookie);
+                const cookieName = cookie.split('=')[0].trim();
+
+                if (isSession && !hasSameSite) {
+                    findings.push(createFinding({
+                        module: 'security',
+                        title: `CSRF: Session Cookie Missing SameSite Attribute (${cookieName})`,
+                        severity: 'medium',
+                        affected_surface: baseUrl,
+                        description: `The session cookie "${cookieName}" does not have a SameSite attribute. Without SameSite=Lax or SameSite=Strict, the cookie is sent on all cross-site requests, enabling CSRF attacks against all state-changing endpoints. Modern browsers default to Lax for cookies without SameSite, but this is not enforced in all scenarios (e.g., top-level POST navigations).`,
+                        reproduction: [
+                            `1. Auth cookie "${cookieName}" is set without SameSite`,
+                            '2. A cross-site form submission targeting a state-changing endpoint will include this cookie',
+                            '3. Server processes the request as authenticated',
+                        ],
+                        evidence: `Set-Cookie: ${cookie.substring(0, 200)}`,
+                        remediation: 'Set SameSite=Strict on session cookies for the highest protection. If Strict breaks legitimate cross-site navigation, use SameSite=Lax. Combine with CSRF tokens for defense-in-depth. Also ensure Secure and HttpOnly flags are set.',
+                        references: ['https://owasp.org/www-community/SameSite', 'CWE-352'],
+                    }));
+                }
+
+                // Separate finding for missing Secure flag on session cookies
+                if (isSession && !isSecure) {
+                    findings.push(createFinding({
+                        module: 'security',
+                        title: `Insecure Cookie: Missing Secure Flag (${cookieName})`,
+                        severity: 'medium',
+                        affected_surface: baseUrl,
+                        description: `The session cookie "${cookieName}" does not have the Secure flag. This means the cookie may be transmitted over unencrypted HTTP connections, where it can be intercepted by network attackers.`,
+                        reproduction: [
+                            `1. Make an HTTP (non-HTTPS) request to ${baseUrl}`,
+                            `2. Cookie "${cookieName}" may be sent in plaintext`,
+                        ],
+                        evidence: `Set-Cookie: ${cookie.substring(0, 200)}`,
+                        remediation: 'Always set the Secure flag on session and authentication cookies. Enforce HTTPS everywhere and use HSTS.',
+                        references: ['https://owasp.org/www-community/HttpOnly', 'CWE-614'],
+                    }));
+                }
+            }
+        } catch (err) {
+            this.logger?.debug?.(`CSRF cookie test failed: ${err.message}`);
+        }
+
+        return findings;
+    }
+
+    /**
+     * Test if state-changing forms have CSRF token validation.
+     */
+    async _testFormCSRFTokens(surfaceInventory) {
+        const findings = [];
+
+        const stateChangingForms = (surfaceInventory.forms || []).filter(f => {
+            const method = (f.method || 'GET').toUpperCase();
+            return method === 'POST' || method === 'PUT' || method === 'DELETE';
+        });
+
+        if (stateChangingForms.length === 0) return findings;
+
+        const browser = await chromium.launch({ headless: true });
+        const context = await browser.newContext({ ignoreHTTPSErrors: true });
+
+        for (const form of stateChangingForms.slice(0, 10)) { // limit to 10
+            const page = await context.newPage();
+            try {
+                await page.goto(form.page, { waitUntil: 'domcontentloaded', timeout: 15000 });
+
+                // Check if form has a CSRF token field
+                const csrfField = await page.$('[name*="csrf"], [name*="_token"], [name*="authenticity_token"], [name*="nonce"], [name*="__RequestVerificationToken"]');
+
+                if (!csrfField) {
+                    // No CSRF token — check if the form action changes state
+                    const formEl = await page.$(`#${form.id}`) || await page.$('form');
+                    const action = form.action || await formEl?.getAttribute('action') || form.page;
+
+                    findings.push(createFinding({
+                        module: 'security',
+                        title: `CSRF: No Token on State-Changing Form at ${new URL(form.page).pathname}`,
+                        severity: 'high',
+                        affected_surface: form.page,
+                        description: `The form at ${form.page} (action: ${action}) submits via ${form.method || 'POST'} but does not contain a CSRF token. An attacker can host a forged form on any website that will automatically submit with the victim's session cookies.`,
+                        reproduction: [
+                            `1. Host this HTML on a malicious site: <form action="${action}" method="post"><input type="submit"></form>`,
+                            '2. Trick victim into visiting the malicious page while authenticated',
+                            '3. Form auto-submits with victim\'s cookies',
+                        ],
+                        evidence: `Form page: ${form.page}\nForm action: ${action}\nCSRF token: none found`,
+                        remediation: 'Add a cryptographically random CSRF token to all state-changing forms. Validate the token server-side on every submission. Use the Synchronizer Token Pattern or Double Submit Cookie pattern. Combine with SameSite=Strict cookies.',
+                        references: ['https://owasp.org/www-community/attacks/csrf', 'CWE-352'],
+                    }));
+                }
+            } catch (err) {
+                this.logger?.debug?.(`CSRF form test failed for ${form.page}: ${err.message}`);
+            } finally {
+                await page.close();
+            }
+        }
+
+        await browser.close();
+        return findings;
+    }
+}
+
+export default CSRFProber;