kramscan 0.1.0 → 0.2.0

package/dist/core/vulnerability-detector.js

@@ -3,23 +3,52 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.VulnerabilityDetector = void 0;
 class VulnerabilityDetector {
     vulnerabilities = [];
-    // XSS Detection
+    reportedHeaders = new Set();
+    reportedPaths = new Set();
+    onVulnerabilityFound;
+    setOnVulnerabilityFound(callback) {
+        this.onVulnerabilityFound = callback;
+    }
+    addVulnerability(vuln) {
+        this.vulnerabilities.push(vuln);
+        if (this.onVulnerabilityFound) {
+            this.onVulnerabilityFound(vuln);
+        }
+    }
     detectXSS(url, param, payload, response) {
-        // Check if payload is reflected in response
         if (response.includes(payload)) {
-            this.vulnerabilities.push({
+            const existing = this.vulnerabilities.find(v => v.type === "xss" && v.url === url && v.evidence?.includes(param));
+            if (existing)
+                return;
+            this.addVulnerability({
                 type: "xss",
                 severity: "high",
                 title: "Reflected Cross-Site Scripting (XSS)",
-                description: `The parameter '${param}' appears to be vulnerable to XSS. The payload was reflected in the response without proper encoding.`,
+                description: `The parameter '${param}' reflects user input without proper encoding, allowing script injection.`,
                 url,
                 evidence: `Payload: ${payload}`,
-                remediation: "Implement proper output encoding/escaping for user-controlled data. Use Content Security Policy (CSP) headers.",
+                remediation: "Implement input validation, output encoding, and Content Security Policy (CSP) headers.",
+                cwe: "CWE-79",
+            });
+        }
+    }
+    detectStoredXSS(url, payload, response) {
+        if (response.includes(payload)) {
+            const existing = this.vulnerabilities.find(v => v.type === "xss" && v.url === url && v.title.includes("Stored"));
+            if (existing)
+                return;
+            this.addVulnerability({
+                type: "xss",
+                severity: "critical",
+                title: "Stored Cross-Site Scripting (XSS)",
+                description: `Malicious script is persisted on the server and executed when other users view the affected content.`,
+                url,
+                evidence: `Stored payload reflected in response`,
+                remediation: "Implement input validation, output encoding, and CSP. Sanitize HTML content.",
                 cwe: "CWE-79",
             });
         }
     }
-    // SQL Injection Detection
     detectSQLi(url, param, errorResponse) {
         const sqlErrors = [
             "SQL syntax",
@@ -30,97 +59,377 @@ class VulnerabilityDetector {
             "ODBC",
             "JET Database",
             "Microsoft Access Driver",
+            "unterminated",
+            "mysql_num_rows",
+            "mysql_query",
+            "Microsoft SQL Native Client error",
+            "SQLServer JDBC Driver",
+            "ORA-00933",
+            "PG::SyntaxError",
+            "Warning: pg_",
+            "Syntax error",
         ];
+        // Check if vulnerability already exists to avoid duplicates
+        const existing = this.vulnerabilities.find(v => v.type === "sqli" && v.url === url);
+        if (existing)
+            return;
         for (const error of sqlErrors) {
             if (errorResponse.includes(error)) {
-                this.vulnerabilities.push({
+                this.addVulnerability({
                     type: "sqli",
                     severity: "critical",
                     title: "SQL Injection",
-                    description: `The parameter '${param}' may be vulnerable to SQL injection. Database error messages were detected in the response.`,
+                    description: `The parameter '${param}' is vulnerable to SQL injection. Database error messages were detected.`,
                     url,
-                    evidence: `Error pattern: ${error}`,
-                    remediation: "Use parameterized queries or prepared statements. Never concatenate user input directly into SQL queries.",
+                    evidence: `Error: ${error}`,
+                    remediation: "Use parameterized queries (prepared statements). Never concatenate user input into SQL.",
                     cwe: "CWE-89",
                 });
                 break;
             }
         }
     }
-    // CSRF Detection
+    detectBlindSQLi(url, param, originalTime, testTime) {
+        if (testTime > originalTime + 3000) {
+            const existing = this.vulnerabilities.find(v => v.type === "sqli" && v.url === url && v.title.includes("Blind"));
+            if (existing)
+                return;
+            this.addVulnerability({
+                type: "sqli",
+                severity: "high",
+                title: "Blind SQL Injection",
+                description: `Time-based blind SQL injection detected on parameter '${param}'. Response time indicates successful payload execution.`,
+                url,
+                evidence: `Response time increased by ${testTime - originalTime}ms with sleep payload`,
+                remediation: "Use parameterized queries. Implement input validation and proper error handling.",
+                cwe: "CWE-89",
+            });
+        }
+    }
     detectCSRF(url, formHtml) {
         const hasCSRFToken = formHtml.includes('name="csrf') ||
             formHtml.includes('name="_token') ||
-            formHtml.includes('name="authenticity_token');
+            formHtml.includes('name="authenticity_token') ||
+            formHtml.includes('name="_csrf');
         if (!hasCSRFToken) {
-            this.vulnerabilities.push({
+            const existing = this.vulnerabilities.find(v => v.type === "csrf" && v.url === url);
+            if (existing)
+                return;
+            this.addVulnerability({
                 type: "csrf",
                 severity: "medium",
                 title: "Missing CSRF Protection",
-                description: "The form does not appear to have CSRF token protection. This could allow attackers to perform unauthorized actions on behalf of authenticated users.",
+                description: "Form lacks CSRF tokens. Attackers can forge requests to perform unauthorized actions.",
                 url,
-                remediation: "Implement CSRF tokens for all state-changing operations. Use SameSite cookie attribute.",
+                remediation: "Implement anti-CSRF tokens. Use SameSite cookies.",
                 cwe: "CWE-352",
             });
         }
     }
-    // Security Headers Analysis
     analyzeSecurityHeaders(url, headers) {
+        const host = new URL(url).host;
+        if (this.reportedHeaders.has(host)) {
+            return;
+        }
         const requiredHeaders = {
             "content-security-policy": {
                 title: "Missing Content-Security-Policy",
-                severity: "medium",
-                remediation: "Implement a strict Content-Security-Policy to prevent XSS and data injection attacks.",
+                severity: "low",
+                remediation: "Implement a strict CSP to prevent XSS and data injection attacks.",
             },
             "x-frame-options": {
                 title: "Missing X-Frame-Options",
-                severity: "medium",
-                remediation: "Set X-Frame-Options to DENY or SAMEORIGIN to prevent clickjacking attacks.",
+                severity: "low",
+                remediation: "Set X-Frame-Options to DENY or SAMEORIGIN to prevent clickjacking.",
             },
             "strict-transport-security": {
-                title: "Missing Strict-Transport-Security",
-                severity: "medium",
-                remediation: "Enable HSTS to force HTTPS connections and prevent protocol downgrade attacks.",
+                title: "Missing Strict-Transport-Security (HSTS)",
+                severity: "low",
+                remediation: "Enable HSTS with max-age of at least 31536000 seconds.",
             },
             "x-content-type-options": {
                 title: "Missing X-Content-Type-Options",
-                severity: "low",
-                remediation: "Set X-Content-Type-Options to 'nosniff' to prevent MIME-sniffing attacks.",
+                severity: "info",
+                remediation: "Set X-Content-Type-Options to 'nosniff'.",
+            },
+            "referrer-policy": {
+                title: "Missing Referrer-Policy",
+                severity: "info",
+                remediation: "Set Referrer-Policy to 'strict-origin-when-cross-origin'.",
+            },
+            "permissions-policy": {
+                title: "Missing Permissions-Policy",
+                severity: "info",
+                remediation: "Restrict browser features using Permissions-Policy header.",
             },
         };
+        let missingCount = 0;
         for (const [header, config] of Object.entries(requiredHeaders)) {
             if (!headers[header.toLowerCase()]) {
-                this.vulnerabilities.push({
+                missingCount++;
+                this.addVulnerability({
                     type: "header",
                     severity: config.severity,
                     title: config.title,
-                    description: `The ${header} security header is not set.`,
+                    description: `The ${header} security header is not set on ${host}.`,
                     url,
                     remediation: config.remediation,
                 });
             }
         }
+        if (missingCount > 0) {
+            this.reportedHeaders.add(host);
+        }
     }
-    // Sensitive Data Detection
     detectSensitiveData(url, response) {
         const patterns = [
-            { regex: /api[_-]?key["\s:=]+[\w-]{20,}/gi, name: "API Key" },
-            { regex: /sk-[a-zA-Z0-9]{48}/g, name: "OpenAI API Key" },
-            { regex: /ghp_[a-zA-Z0-9]{36}/g, name: "GitHub Token" },
-            { regex: /AKIA[0-9A-Z]{16}/g, name: "AWS Access Key" },
-            { regex: /password["\s:=]+[^\s"]{8,}/gi, name: "Password" },
+            { regex: /sk-[a-zA-Z0-9]{48}/g, name: "OpenAI API Key", severity: "critical" },
+            { regex: /ghp_[a-zA-Z0-9]{36}/g, name: "GitHub Token", severity: "critical" },
+            { regex: /AKIA[0-9A-Z]{16}/g, name: "AWS Access Key", severity: "critical" },
+            { regex: /xox[baprs]-[0-9a-zA-Z]{10,}/g, name: "Slack Token", severity: "high" },
+            { regex: /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*/g, name: "JWT Token", severity: "high" },
+            { regex: /AIza[0-9A-Za-z_-]{35}/g, name: "Google API Key", severity: "high" },
+            { regex: /password["\s:=]+[^\s"]{6,}/gi, name: "Hardcoded Password", severity: "high" },
+            { regex: /api[_-]?key["\s:=]+[\w-]{20,}/gi, name: "Generic API Key", severity: "medium" },
+            { regex: /-----BEGIN (RSA |EC )?PRIVATE KEY-----/g, name: "Private Key", severity: "critical" },
+            { regex: /database[_-]?url["\s:=]+.*(?:mysql|postgres|mongodb):\/\//gi, name: "Database Connection String", severity: "high" },
         ];
         for (const pattern of patterns) {
             const matches = response.match(pattern.regex);
             if (matches && matches.length > 0) {
-                this.vulnerabilities.push({
+                const existing = this.vulnerabilities.find(v => v.type === "sensitive_data" && v.url === url && v.title.includes(pattern.name));
+                if (existing)
+                    continue;
+                this.addVulnerability({
                     type: "sensitive_data",
-                    severity: "high",
+                    severity: pattern.severity,
                     title: `Exposed ${pattern.name}`,
-                    description: `Potential ${pattern.name} found in the response. Sensitive data should never be exposed in client-side code.`,
+                    description: `Sensitive ${pattern.name} found in response. This could lead to account compromise or data breach.`,
+                    url,
+                    evidence: `Found: ${matches[0].substring(0, 30)}...`,
+                    remediation: "Remove sensitive data from client-side code. Use environment variables and secure secret management.",
+                    cwe: "CWE-200",
+                });
+            }
+        }
+    }
+    detectIDOR(url, paramName, paramValue, testResponse, originalResponse) {
+        if (testResponse.length < originalResponse.length * 0.5 ||
+            testResponse.length > originalResponse.length * 1.5 ||
+            testResponse !== originalResponse) {
+            const existing = this.vulnerabilities.find(v => v.type === "idor" && v.url === url && v.evidence?.includes(paramName));
+            if (existing)
+                return;
+            this.addVulnerability({
+                type: "idor",
+                severity: "high",
+                title: "Insecure Direct Object Reference (IDOR)",
+                description: `Changing the parameter '${paramName}' from '${paramValue}' reveals different content without authorization. This could allow unauthorized access to other users' data.`,
+                url,
+                evidence: `Parameter: ${paramName}, Original: ${paramValue}, Response changed significantly`,
+                remediation: "Implement proper authorization checks. Validate user permissions before returning data.",
+                cwe: "CWE-639",
+            });
+        }
+    }
+    detectLFI(url, param, payload, response) {
+        const lfiIndicators = [
+            "root:x:0:0:",
+            "/bin/bash",
+            "/bin/sh",
+            "[boot loader]",
+            "Windows",
+            "C:\\Windows",
+            "Volume Serial Number",
+            "<!DOCTYPE html>",
+            "<html",
+        ];
+        for (const indicator of lfiIndicators) {
+            if (response.includes(indicator)) {
+                const existing = this.vulnerabilities.find(v => v.type === "lfi" && v.url === url);
+                if (existing)
+                    return;
+                this.addVulnerability({
+                    type: "lfi",
+                    severity: "critical",
+                    title: "Local File Inclusion (LFI)",
+                    description: `The parameter '${param}' allows reading arbitrary files from the server.`,
+                    url,
+                    evidence: `Payload: ${payload}, Response contains system file content`,
+                    remediation: "Validate and sanitize file paths. Use whitelisting. Never allow direct user input in file paths.",
+                    cwe: "CWE-22",
+                });
+                break;
+            }
+        }
+    }
+    detectPathTraversal(url, param, payload, response) {
+        const traversalIndicators = [
+            "root:x:0:0:",
+            "[boot loader]",
+            "<!DOCTYPE html>",
+            "<html",
+            "<!DOCTYPE",
+            "<?xml",
+        ];
+        const isLikelyTraversalPayload = payload.includes("../") || payload.includes("..\\");
+        if (isLikelyTraversalPayload) {
+            for (const indicator of traversalIndicators) {
+                if (response.includes(indicator) && !response.includes("<script>")) {
+                    const pathKey = `${url}:${param}`;
+                    if (this.reportedPaths.has(pathKey))
+                        return;
+                    this.reportedPaths.add(pathKey);
+                    this.addVulnerability({
+                        type: "lfi",
+                        severity: "high",
+                        title: "Path Traversal",
+                        description: `The parameter '${param}' allows directory traversal to access files outside the web root.`,
+                        url,
+                        evidence: `Payload: ${payload}`,
+                        remediation: "Validate file paths. Use basename(). Implement whitelist approach.",
+                        cwe: "CWE-22",
+                    });
+                    break;
+                }
+            }
+        }
+    }
+    detectCMDI(url, param, payload, response) {
+        const cmdiIndicators = [
+            "uid=",
+            "gid=",
+            "root",
+            "/usr/bin/",
+            "Microsoft Windows",
+            "Volume Serial Number",
+            "C:\\",
+            "DIR",
+            "Volume in drive",
+            "The system cannot find",
+            "command not found",
+            "Syntax error",
+        ];
+        for (const indicator of cmdiIndicators) {
+            if (response.toLowerCase().includes(indicator.toLowerCase())) {
+                const existing = this.vulnerabilities.find(v => v.type === "cmdi" && v.url === url);
+                if (existing)
+                    return;
+                this.addVulnerability({
+                    type: "cmdi",
+                    severity: "critical",
+                    title: "OS Command Injection",
+                    description: `The parameter '${param}' executes system commands on the server.`,
+                    url,
+                    evidence: `Payload: ${payload}, Response contains system output`,
+                    remediation: "Avoid system calls. Use built-in APIs. If needed, use strict allowlists for input.",
+                    cwe: "CWE-78",
+                });
+                break;
+            }
+        }
+    }
+    detectSSRF(url, param, payload, response) {
+        const ssrfIndicators = [
+            "169.254.169.254",
+            "metadata.google.internal",
+            "instance-data",
+            "internal ip",
+            "localhost",
+            "127.0.0.1",
+            "aws credentials",
+            "security credentials",
+            "iam",
+        ];
+        for (const indicator of ssrfIndicators) {
+            if (response.toLowerCase().includes(indicator.toLowerCase())) {
+                const existing = this.vulnerabilities.find(v => v.type === "ssrf" && v.url === url);
+                if (existing)
+                    return;
+                this.addVulnerability({
+                    type: "ssrf",
+                    severity: "high",
+                    title: "Server-Side Request Forgery (SSRF)",
+                    description: `The parameter '${param}' allows fetching arbitrary URLs, potentially accessing internal services.`,
+                    url,
+                    evidence: `Payload: ${payload}, Response contains internal service data`,
+                    remediation: "Validate URLs against allowlists. Disable unused URL schemas. Restrict redirects.",
+                    cwe: "CWE-918",
+                });
+                break;
+            }
+        }
+    }
+    detectOpenRedirect(url, param, payload, finalUrl) {
+        try {
+            const payloadUrl = new URL(payload);
+            const finalParsed = new URL(finalUrl);
+            if (payloadUrl.host &&
+                payloadUrl.host !== finalParsed.host &&
+                !payload.startsWith("/") &&
+                !payload.startsWith(".")) {
+                const existing = this.vulnerabilities.find(v => v.type === "redirect" && v.url === url);
+                if (existing)
+                    return;
+                this.addVulnerability({
+                    type: "redirect",
+                    severity: "medium",
+                    title: "Open Redirect",
+                    description: `The parameter '${param}' redirects users to an external site.`,
+                    url,
+                    evidence: `Payload: ${payload}, Redirects to: ${finalUrl}`,
+                    remediation: "Validate redirect URLs. Use allowlists for permitted destinations.",
+                    cwe: "CWE-601",
+                });
+            }
+        }
+        catch {
+            if (payload.startsWith("http://") || payload.startsWith("https://")) {
+                const existing = this.vulnerabilities.find(v => v.type === "redirect" && v.url === url);
+                if (existing)
+                    return;
+                this.addVulnerability({
+                    type: "redirect",
+                    severity: "medium",
+                    title: "Open Redirect",
+                    description: `The parameter '${param}' allows redirects to arbitrary external URLs.`,
+                    url,
+                    evidence: `Payload: ${payload}`,
+                    remediation: "Validate redirect URLs against allowlists.",
+                    cwe: "CWE-601",
+                });
+            }
+        }
+    }
+    detectInfoDisclosure(url, response) {
+        const infoPatterns = [
+            { regex: /(?:stack trace|StackTrace|exception|Error) in \//gi, name: "Stack Trace", severity: "low" },
+            { regex: /<\?php\s+\w+\(/gi, name: "PHP Code Exposure", severity: "medium" },
+            { regex: /\.git\/[^\s<>]+/gi, name: "Git Directory Exposed", severity: "medium" },
+            { regex: /\.env[^\s<>]*/gi, name: "Environment File Exposed", severity: "high" },
+            { regex: /\.gitignore[^\s<>]*/gi, name: "Gitignore Exposed", severity: "low" },
+            { regex: /\.DS_Store[^\s<>]*/gi, name: "DS_Store Exposed", severity: "low" },
+            { regex: /wp-config\.php/gi, name: "WordPress Config Exposed", severity: "high" },
+            { regex: /phpinfo\(\)/gi, name: "PHPInfo Exposure", severity: "medium" },
+            { regex: /debug[\s:=]*(true|1|on|yes)/gi, name: "Debug Mode Enabled", severity: "medium" },
+            { regex: /"version":\s*"[\d.]+"/gi, name: "Version Information", severity: "info" },
+            { regex: /Server:\s*\w+/gi, name: "Server Header", severity: "info" },
+            { regex: /X-Powered-By:[^\r\n]+/gi, name: "X-Powered-By Header", severity: "info" },
+        ];
+        for (const pattern of infoPatterns) {
+            const matches = response.match(pattern.regex);
+            if (matches && matches.length > 0) {
+                const existing = this.vulnerabilities.find(v => v.type === "info" && v.url === url && v.title === pattern.name);
+                if (existing)
+                    continue;
+                this.addVulnerability({
+                    type: "info",
+                    severity: pattern.severity,
+                    title: pattern.name,
+                    description: `Sensitive information exposed: ${pattern.name}. This could aid attackers in further exploitation.`,
                     url,
-                    evidence: `Pattern matched: ${matches[0].substring(0, 20)}...`,
-                    remediation: "Remove sensitive data from responses. Use environment variables and secure secret management.",
+                    evidence: `Found: ${matches[0].substring(0, 50)}`,
+                    remediation: "Disable debug mode. Remove exposed files. Configure server to hide sensitive headers.",
                     cwe: "CWE-200",
                 });
             }
@@ -145,6 +454,8 @@ class VulnerabilityDetector {
     }
     clear() {
         this.vulnerabilities = [];
+        this.reportedHeaders.clear();
+        this.reportedPaths.clear();
     }
 }
 exports.VulnerabilityDetector = VulnerabilityDetector;

package/dist/core/vulnerability-detector.test.d.ts

@@ -0,0 +1 @@
+export {};