kramscan 0.1.0

package/dist/core/scanner.js

@@ -0,0 +1,197 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Scanner = void 0;
+const puppeteer_1 = __importDefault(require("puppeteer"));
+const vulnerability_detector_1 = require("./vulnerability-detector");
+const config_1 = require("./config");
+const logger_1 = require("../utils/logger");
+class Scanner {
+    browser = null;
+    detector;
+    visitedUrls = new Set();
+    crawledUrls = 0;
+    testedForms = 0;
+    requestsMade = 0;
+    constructor() {
+        this.detector = new vulnerability_detector_1.VulnerabilityDetector();
+    }
+    async initialize(options = {}) {
+        const config = (0, config_1.getConfig)();
+        const headless = options.headless ?? true;
+        this.browser = await puppeteer_1.default.launch({
+            headless,
+            args: [
+                "--no-sandbox",
+                "--disable-setuid-sandbox",
+                "--disable-web-security",
+                "--disable-features=IsolateOrigins,site-per-process",
+            ],
+        });
+        logger_1.logger.debug("Browser initialized");
+    }
+    async scan(targetUrl, options = {}) {
+        const startTime = Date.now();
+        const depth = options.depth ?? 2;
+        const timeout = options.timeout ?? 30000;
+        if (!this.browser) {
+            await this.initialize(options);
+        }
+        logger_1.logger.info(`Starting scan of ${targetUrl} (depth: ${depth}, timeout: ${timeout}ms)`);
+        // Start crawling
+        await this.crawl(targetUrl, depth, timeout);
+        // Close browser
+        await this.close();
+        const duration = Date.now() - startTime;
+        const result = {
+            target: targetUrl,
+            timestamp: new Date().toISOString(),
+            duration,
+            vulnerabilities: this.detector.getVulnerabilities(),
+            summary: this.detector.getSummary(),
+            metadata: {
+                crawledUrls: this.crawledUrls,
+                testedForms: this.testedForms,
+                requestsMade: this.requestsMade,
+            },
+        };
+        return result;
+    }
+    async crawl(url, depth, timeout) {
+        if (depth === 0 || this.visitedUrls.has(url)) {
+            return;
+        }
+        this.visitedUrls.add(url);
+        this.crawledUrls++;
+        const page = await this.browser.newPage();
+        try {
+            // Set up request interception
+            await page.setRequestInterception(true);
+            page.on("request", (request) => {
+                this.requestsMade++;
+                request.continue();
+            });
+            // Navigate to page
+            const response = await page.goto(url, {
+                waitUntil: "networkidle2",
+                timeout,
+            });
+            if (!response) {
+                logger_1.logger.warn(`No response from ${url}`);
+                return;
+            }
+            // Get response headers
+            const headers = response.headers();
+            this.detector.analyzeSecurityHeaders(url, headers);
+            // Get page content
+            const content = await page.content();
+            // Check for sensitive data
+            this.detector.detectSensitiveData(url, content);
+            // Find and test forms
+            await this.testForms(page, url, timeout);
+            // Find links and crawl deeper
+            if (depth > 1) {
+                const links = await this.extractLinks(page, url);
+                for (const link of links.slice(0, 10)) {
+                    // Limit to 10 links per page
+                    await this.crawl(link, depth - 1, timeout);
+                }
+            }
+        }
+        catch (error) {
+            logger_1.logger.error(`Error crawling ${url}: ${error.message}`);
+        }
+        finally {
+            await page.close();
+        }
+    }
+    async testForms(page, url, timeout) {
+        const forms = await page.$$("form");
+        for (const form of forms) {
+            this.testedForms++;
+            // Get form HTML for CSRF detection
+            const formHtml = await form.evaluate((el) => el.outerHTML);
+            this.detector.detectCSRF(url, formHtml);
+            // Find input fields
+            const inputs = await form.$$("input, textarea");
+            for (const input of inputs) {
+                const name = await input.evaluate((el) => el.getAttribute("name"));
+                const type = await input.evaluate((el) => el.getAttribute("type"));
+                if (!name || type === "hidden" || type === "submit") {
+                    continue;
+                }
+                // Test for XSS
+                await this.testXSS(page, url, name, timeout);
+                // Test for SQLi
+                await this.testSQLi(page, url, name, timeout);
+            }
+        }
+    }
+    async testXSS(page, url, param, timeout) {
+        const payloads = [
+            "<script>alert('XSS')</script>",
+            '"><script>alert(1)</script>',
+            "<img src=x onerror=alert(1)>",
+        ];
+        for (const payload of payloads) {
+            try {
+                // Try to inject payload
+                const testUrl = this.buildTestUrl(url, param, payload);
+                await page.goto(testUrl, { waitUntil: "networkidle2", timeout });
+                const content = await page.content();
+                this.detector.detectXSS(url, param, payload, content);
+            }
+            catch (error) {
+                logger_1.logger.debug(`XSS test failed for ${param}: ${error.message}`);
+            }
+        }
+    }
+    async testSQLi(page, url, param, timeout) {
+        const payloads = ["'", "1' OR '1'='1", "1; DROP TABLE users--", "' OR 1=1--"];
+        for (const payload of payloads) {
+            try {
+                const testUrl = this.buildTestUrl(url, param, payload);
+                await page.goto(testUrl, { waitUntil: "networkidle2", timeout });
+                const content = await page.content();
+                this.detector.detectSQLi(url, param, content);
+            }
+            catch (error) {
+                logger_1.logger.debug(`SQLi test failed for ${param}: ${error.message}`);
+            }
+        }
+    }
+    buildTestUrl(baseUrl, param, value) {
+        const url = new URL(baseUrl);
+        url.searchParams.set(param, value);
+        return url.toString();
+    }
+    async extractLinks(page, baseUrl) {
+        const links = await page.$$eval("a[href]", (anchors) => anchors.map((a) => a.getAttribute("href")).filter(Boolean));
+        const base = new URL(baseUrl);
+        const absoluteLinks = [];
+        for (const link of links) {
+            if (!link)
+                continue;
+            try {
+                const absolute = new URL(link, baseUrl);
+                // Only crawl same-origin links
+                if (absolute.origin === base.origin) {
+                    absoluteLinks.push(absolute.toString());
+                }
+            }
+            catch {
+                // Invalid URL, skip
+            }
+        }
+        return [...new Set(absoluteLinks)]; // Remove duplicates
+    }
+    async close() {
+        if (this.browser) {
+            await this.browser.close();
+            this.browser = null;
+        }
+    }
+}
+exports.Scanner = Scanner;

package/dist/core/storage.d.ts

@@ -0,0 +1,4 @@
+import { ScanResult } from "./types";
+export declare function saveScanResult(result: ScanResult): string;
+export declare function loadLastScanResult(): ScanResult | null;
+export declare function loadScanResultFromFile(filePath: string): ScanResult;

package/dist/core/storage.js

@@ -0,0 +1,39 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.saveScanResult = saveScanResult;
+exports.loadLastScanResult = loadLastScanResult;
+exports.loadScanResultFromFile = loadScanResultFromFile;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
+const ROOT_DIR = path_1.default.join(os_1.default.homedir(), ".openscan");
+const SCANS_DIR = path_1.default.join(ROOT_DIR, "scans");
+const LAST_SCAN_PATH = path_1.default.join(SCANS_DIR, "last.json");
+function ensureDir(dirPath) {
+    if (!fs_1.default.existsSync(dirPath)) {
+        fs_1.default.mkdirSync(dirPath, { recursive: true });
+    }
+}
+function saveScanResult(result) {
+    ensureDir(SCANS_DIR);
+    const filename = `${result.id}.json`;
+    const filePath = path_1.default.join(SCANS_DIR, filename);
+    const payload = JSON.stringify(result, null, 2);
+    fs_1.default.writeFileSync(filePath, payload, "utf-8");
+    fs_1.default.writeFileSync(LAST_SCAN_PATH, payload, "utf-8");
+    return filePath;
+}
+function loadLastScanResult() {
+    if (!fs_1.default.existsSync(LAST_SCAN_PATH)) {
+        return null;
+    }
+    const raw = fs_1.default.readFileSync(LAST_SCAN_PATH, "utf-8");
+    return JSON.parse(raw);
+}
+function loadScanResultFromFile(filePath) {
+    const raw = fs_1.default.readFileSync(filePath, "utf-8");
+    return JSON.parse(raw);
+}

package/dist/core/types.d.ts

@@ -0,0 +1,24 @@
+import { Finding } from "../skills/types";
+export interface ScanTarget {
+    url: string;
+}
+export interface ScanOptions {
+    deep: boolean;
+    timeoutSeconds: number;
+    threads: number;
+    skills?: string[];
+    excludeSkills?: string[];
+    proxy?: string;
+    aiEnabled?: boolean;
+    aiModel?: string;
+}
+export interface ScanResult {
+    id: string;
+    startedAt: string;
+    finishedAt: string;
+    target: ScanTarget;
+    options: ScanOptions;
+    skillsRun: string[];
+    findings: Finding[];
+    aiSummary?: string;
+}

package/dist/core/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/core/vulnerability-detector.d.ts

@@ -0,0 +1,47 @@
+export interface Vulnerability {
+    type: "xss" | "sqli" | "csrf" | "header" | "sensitive_data" | "other";
+    severity: "critical" | "high" | "medium" | "low" | "info";
+    title: string;
+    description: string;
+    url: string;
+    evidence?: string;
+    remediation?: string;
+    cwe?: string;
+}
+export interface ScanResult {
+    target: string;
+    timestamp: string;
+    duration: number;
+    vulnerabilities: Vulnerability[];
+    summary: {
+        total: number;
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+        info: number;
+    };
+    metadata: {
+        crawledUrls: number;
+        testedForms: number;
+        requestsMade: number;
+    };
+}
+export declare class VulnerabilityDetector {
+    private vulnerabilities;
+    detectXSS(url: string, param: string, payload: string, response: string): void;
+    detectSQLi(url: string, param: string, errorResponse: string): void;
+    detectCSRF(url: string, formHtml: string): void;
+    analyzeSecurityHeaders(url: string, headers: Record<string, string>): void;
+    detectSensitiveData(url: string, response: string): void;
+    getVulnerabilities(): Vulnerability[];
+    getSummary(): {
+        total: number;
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+        info: number;
+    };
+    clear(): void;
+}

package/dist/core/vulnerability-detector.js

@@ -0,0 +1,150 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VulnerabilityDetector = void 0;
+class VulnerabilityDetector {
+    vulnerabilities = [];
+    // XSS Detection
+    detectXSS(url, param, payload, response) {
+        // Check if payload is reflected in response
+        if (response.includes(payload)) {
+            this.vulnerabilities.push({
+                type: "xss",
+                severity: "high",
+                title: "Reflected Cross-Site Scripting (XSS)",
+                description: `The parameter '${param}' appears to be vulnerable to XSS. The payload was reflected in the response without proper encoding.`,
+                url,
+                evidence: `Payload: ${payload}`,
+                remediation: "Implement proper output encoding/escaping for user-controlled data. Use Content Security Policy (CSP) headers.",
+                cwe: "CWE-79",
+            });
+        }
+    }
+    // SQL Injection Detection
+    detectSQLi(url, param, errorResponse) {
+        const sqlErrors = [
+            "SQL syntax",
+            "mysql_fetch",
+            "ORA-",
+            "PostgreSQL",
+            "SQLite",
+            "ODBC",
+            "JET Database",
+            "Microsoft Access Driver",
+        ];
+        for (const error of sqlErrors) {
+            if (errorResponse.includes(error)) {
+                this.vulnerabilities.push({
+                    type: "sqli",
+                    severity: "critical",
+                    title: "SQL Injection",
+                    description: `The parameter '${param}' may be vulnerable to SQL injection. Database error messages were detected in the response.`,
+                    url,
+                    evidence: `Error pattern: ${error}`,
+                    remediation: "Use parameterized queries or prepared statements. Never concatenate user input directly into SQL queries.",
+                    cwe: "CWE-89",
+                });
+                break;
+            }
+        }
+    }
+    // CSRF Detection
+    detectCSRF(url, formHtml) {
+        const hasCSRFToken = formHtml.includes('name="csrf') ||
+            formHtml.includes('name="_token') ||
+            formHtml.includes('name="authenticity_token');
+        if (!hasCSRFToken) {
+            this.vulnerabilities.push({
+                type: "csrf",
+                severity: "medium",
+                title: "Missing CSRF Protection",
+                description: "The form does not appear to have CSRF token protection. This could allow attackers to perform unauthorized actions on behalf of authenticated users.",
+                url,
+                remediation: "Implement CSRF tokens for all state-changing operations. Use SameSite cookie attribute.",
+                cwe: "CWE-352",
+            });
+        }
+    }
+    // Security Headers Analysis
+    analyzeSecurityHeaders(url, headers) {
+        const requiredHeaders = {
+            "content-security-policy": {
+                title: "Missing Content-Security-Policy",
+                severity: "medium",
+                remediation: "Implement a strict Content-Security-Policy to prevent XSS and data injection attacks.",
+            },
+            "x-frame-options": {
+                title: "Missing X-Frame-Options",
+                severity: "medium",
+                remediation: "Set X-Frame-Options to DENY or SAMEORIGIN to prevent clickjacking attacks.",
+            },
+            "strict-transport-security": {
+                title: "Missing Strict-Transport-Security",
+                severity: "medium",
+                remediation: "Enable HSTS to force HTTPS connections and prevent protocol downgrade attacks.",
+            },
+            "x-content-type-options": {
+                title: "Missing X-Content-Type-Options",
+                severity: "low",
+                remediation: "Set X-Content-Type-Options to 'nosniff' to prevent MIME-sniffing attacks.",
+            },
+        };
+        for (const [header, config] of Object.entries(requiredHeaders)) {
+            if (!headers[header.toLowerCase()]) {
+                this.vulnerabilities.push({
+                    type: "header",
+                    severity: config.severity,
+                    title: config.title,
+                    description: `The ${header} security header is not set.`,
+                    url,
+                    remediation: config.remediation,
+                });
+            }
+        }
+    }
+    // Sensitive Data Detection
+    detectSensitiveData(url, response) {
+        const patterns = [
+            { regex: /api[_-]?key["\s:=]+[\w-]{20,}/gi, name: "API Key" },
+            { regex: /sk-[a-zA-Z0-9]{48}/g, name: "OpenAI API Key" },
+            { regex: /ghp_[a-zA-Z0-9]{36}/g, name: "GitHub Token" },
+            { regex: /AKIA[0-9A-Z]{16}/g, name: "AWS Access Key" },
+            { regex: /password["\s:=]+[^\s"]{8,}/gi, name: "Password" },
+        ];
+        for (const pattern of patterns) {
+            const matches = response.match(pattern.regex);
+            if (matches && matches.length > 0) {
+                this.vulnerabilities.push({
+                    type: "sensitive_data",
+                    severity: "high",
+                    title: `Exposed ${pattern.name}`,
+                    description: `Potential ${pattern.name} found in the response. Sensitive data should never be exposed in client-side code.`,
+                    url,
+                    evidence: `Pattern matched: ${matches[0].substring(0, 20)}...`,
+                    remediation: "Remove sensitive data from responses. Use environment variables and secure secret management.",
+                    cwe: "CWE-200",
+                });
+            }
+        }
+    }
+    getVulnerabilities() {
+        return this.vulnerabilities;
+    }
+    getSummary() {
+        const summary = {
+            total: this.vulnerabilities.length,
+            critical: 0,
+            high: 0,
+            medium: 0,
+            low: 0,
+            info: 0,
+        };
+        for (const vuln of this.vulnerabilities) {
+            summary[vuln.severity]++;
+        }
+        return summary;
+    }
+    clear() {
+        this.vulnerabilities = [];
+    }
+}
+exports.VulnerabilityDetector = VulnerabilityDetector;

package/dist/index.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/index.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const cli_1 = require("./cli");
+(0, cli_1.run)().catch((err) => {
+    console.error("Fatal error:", err);
+    process.exit(1);
+});

package/dist/skills/base.d.ts

@@ -0,0 +1,8 @@
+import { Skill, SkillContext, SkillResult } from "./types";
+export declare abstract class BaseSkill implements Skill {
+    abstract id: string;
+    abstract name: string;
+    abstract description: string;
+    abstract tags: string[];
+    abstract run(context: SkillContext): Promise<SkillResult>;
+}

package/dist/skills/base.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BaseSkill = void 0;
+class BaseSkill {
+}
+exports.BaseSkill = BaseSkill;

package/dist/skills/builtin.d.ts

@@ -0,0 +1,4 @@
+import { SkillContext, SkillResult } from "./types";
+type SkillRunner = (context: SkillContext) => Promise<SkillResult>;
+export declare const builtinSkillRunners: Record<string, SkillRunner>;
+export {};

package/dist/skills/builtin.js

@@ -0,0 +1,71 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.builtinSkillRunners = void 0;
+async function runHeadersSkill(context) {
+    const response = await context.http.get(context.targetUrl);
+    const headers = {};
+    for (const [key, value] of Object.entries(response.headers)) {
+        headers[key.toLowerCase()] = Array.isArray(value) ? value.join(", ") : String(value);
+    }
+    const checks = [
+        {
+            key: "strict-transport-security",
+            title: "Missing HSTS header",
+            recommendation: "Enable Strict-Transport-Security with a long max-age and includeSubDomains."
+        },
+        {
+            key: "content-security-policy",
+            title: "Missing Content-Security-Policy header",
+            recommendation: "Define a CSP to restrict scripts, styles, and frames."
+        },
+        {
+            key: "x-frame-options",
+            title: "Missing X-Frame-Options header",
+            recommendation: "Set X-Frame-Options to DENY or SAMEORIGIN."
+        },
+        {
+            key: "x-content-type-options",
+            title: "Missing X-Content-Type-Options header",
+            recommendation: "Set X-Content-Type-Options to nosniff."
+        },
+        {
+            key: "referrer-policy",
+            title: "Missing Referrer-Policy header",
+            recommendation: "Set Referrer-Policy to strict-origin-when-cross-origin or similar."
+        },
+        {
+            key: "permissions-policy",
+            title: "Missing Permissions-Policy header",
+            recommendation: "Set Permissions-Policy to restrict sensitive browser APIs."
+        }
+    ];
+    const findings = checks
+        .filter((check) => !headers[check.key])
+        .map((check) => ({
+        id: `headers-${check.key}`,
+        skillId: "headers",
+        title: check.title,
+        severity: "low",
+        description: `The response did not include the ${check.key} header.`,
+        recommendation: check.recommendation
+    }));
+    return {
+        skillId: "headers",
+        findings
+    };
+}
+async function runPlaceholderSkill(skillId, context) {
+    context.logger.warn(`${skillId} is not implemented yet. Returning no findings.`);
+    return {
+        skillId,
+        findings: []
+    };
+}
+exports.builtinSkillRunners = {
+    headers: runHeadersSkill,
+    sqli: (context) => runPlaceholderSkill("sqli", context),
+    xss: (context) => runPlaceholderSkill("xss", context),
+    csrf: (context) => runPlaceholderSkill("csrf", context),
+    idor: (context) => runPlaceholderSkill("idor", context),
+    jwt: (context) => runPlaceholderSkill("jwt", context)
+};

package/dist/skills/loader.d.ts

@@ -0,0 +1,2 @@
+import { SkillMetadata } from "./types";
+export declare function loadSkillMetadata(skillDir: string): SkillMetadata | null;

package/dist/skills/loader.js

@@ -0,0 +1,27 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadSkillMetadata = loadSkillMetadata;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const js_yaml_1 = __importDefault(require("js-yaml"));
+function loadSkillMetadata(skillDir) {
+    const skillPath = path_1.default.join(skillDir, "skill.yaml");
+    if (!fs_1.default.existsSync(skillPath)) {
+        return null;
+    }
+    const raw = fs_1.default.readFileSync(skillPath, "utf-8");
+    const doc = js_yaml_1.default.load(raw);
+    if (!doc || !doc.id || !doc.name) {
+        return null;
+    }
+    return {
+        id: doc.id,
+        name: doc.name,
+        description: doc.description ?? "",
+        tags: doc.tags ?? [],
+        category: doc.category
+    };
+}

package/dist/skills/types.d.ts

@@ -0,0 +1,46 @@
+export type Severity = "info" | "low" | "medium" | "high" | "critical";
+export interface Finding {
+    id: string;
+    skillId: string;
+    title: string;
+    severity: Severity;
+    description: string;
+    evidence?: string;
+    recommendation?: string;
+    references?: string[];
+    metadata?: Record<string, unknown>;
+}
+export interface SkillMetadata {
+    id: string;
+    name: string;
+    description: string;
+    tags: string[];
+    category?: string;
+}
+export interface SkillContext {
+    targetUrl: string;
+    timeoutSeconds: number;
+    logger: {
+        info(message: string): void;
+        warn(message: string): void;
+        error(message: string): void;
+    };
+    http: {
+        get: <T = unknown>(url: string) => Promise<{
+            data: T;
+            headers: Record<string, string>;
+        }>;
+    };
+}
+export interface SkillResult {
+    skillId: string;
+    findings: Finding[];
+    metadata?: Record<string, unknown>;
+}
+export interface Skill {
+    id: string;
+    name: string;
+    description: string;
+    tags: string[];
+    run(context: SkillContext): Promise<SkillResult>;
+}

package/dist/skills/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/utils/logger.d.ts

@@ -0,0 +1,9 @@
+import { Ora } from "ora";
+export declare const logger: {
+    info: (message: string) => void;
+    success: (message: string) => void;
+    warn: (message: string) => void;
+    error: (message: string) => void;
+    debug: (message: string) => void;
+    spinner: (text: string) => Ora;
+};