kramscan 0.1.1 → 0.3.0

package/dist/core/scanner.js

@@ -5,10 +5,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Scanner = void 0;
 const puppeteer_1 = __importDefault(require("puppeteer"));
+const events_1 = require("events");
 const vulnerability_detector_1 = require("./vulnerability-detector");
 const config_1 = require("./config");
+const ai_client_1 = require("./ai-client");
+const ai_payloads_1 = require("./ai-payloads");
 const logger_1 = require("../utils/logger");
-class Scanner {
+const plugins_1 = require("../plugins");
+const plugins_2 = require("../plugins");
+class Scanner extends events_1.EventEmitter {
     browser = null;
     detector;
     visitedUrls = new Set();
@@ -18,21 +23,128 @@ class Scanner {
     headersChecked = new Set();
     rateLimiter;
     retryConfig;
-    constructor() {
+    maxConcurrency = 5;
+    strictScope = true;
+    baseOrigin = null;
+    maxPages = 30;
+    maxLinksPerPage = 50;
+    includePatterns = [];
+    excludePatterns = [];
+    userAgent = "KramScan/0.2.0";
+    scanErrors = [];
+    pluginErrors = new Map();
+    usePlugins = true;
+    useAiPayloads = false;
+    payloadGenerator = null;
+    constructor(usePlugins = true) {
+        super();
+        this.usePlugins = usePlugins;
         this.detector = new vulnerability_detector_1.VulnerabilityDetector();
+        this.detector.setOnVulnerabilityFound((vuln) => {
+            this.emit("vuln:found", { vulnerability: vuln });
+        });
         this.rateLimiter = {
             lastRequestTime: 0,
-            minInterval: 200, // Default: 5 requests per second
+            minInterval: 200,
         };
         this.retryConfig = {
             maxRetries: 3,
             baseDelay: 1000,
             maxDelay: 10000,
         };
+        // Register default plugins
+        if (usePlugins) {
+            this.registerDefaultPlugins();
+        }
+    }
+    registerDefaultPlugins() {
+        plugins_1.pluginManager.register(new plugins_2.XSSPlugin());
+        plugins_1.pluginManager.register(new plugins_2.SQLInjectionPlugin());
+        plugins_1.pluginManager.register(new plugins_2.SecurityHeadersPlugin());
+        plugins_1.pluginManager.register(new plugins_2.SensitiveDataPlugin());
+        plugins_1.pluginManager.register(new plugins_2.CSRFPlugin());
+        plugins_1.pluginManager.register(new plugins_2.CORSAnalyzerPlugin());
+        plugins_1.pluginManager.register(new plugins_2.DebugEndpointPlugin());
+        plugins_1.pluginManager.register(new plugins_2.DirectoryTraversalPlugin());
+        plugins_1.pluginManager.register(new plugins_2.CookieSecurityPlugin());
+        plugins_1.pluginManager.register(new plugins_2.OpenRedirectPlugin());
+    }
+    // Type-safe event emitter methods
+    emit(event, data) {
+        return super.emit(event, data);
+    }
+    on(event, listener) {
+        return super.on(event, listener);
     }
-    async initializeRateLimiter() {
+    once(event, listener) {
+        return super.once(event, listener);
+    }
+    getScanErrors() {
+        return [...this.scanErrors];
+    }
+    getPluginErrors() {
+        return new Map(this.pluginErrors);
+    }
+    async initializeScanSettings(targetUrl, options) {
         const config = await (0, config_1.getConfig)();
         this.rateLimiter.minInterval = 1000 / (config.scan.rateLimitPerSecond || 5);
+        this.maxConcurrency = Math.max(1, config.scan.maxThreads || 5);
+        this.strictScope = options.strictScope ?? (config.scan.strictScope ?? true);
+        this.baseOrigin = new URL(targetUrl).origin;
+        this.userAgent = config.scan.userAgent || this.userAgent;
+        // Load scan profile
+        const profileName = options.profile || config.scan.defaultProfile || "balanced";
+        const profile = await (0, config_1.getScanProfile)(profileName);
+        this.maxPages = Math.max(1, options.maxPages ?? profile?.maxPages ?? 30);
+        this.maxLinksPerPage = Math.max(1, options.maxLinksPerPage ?? profile?.maxLinksPerPage ?? 50);
+        // Initialize AI payload generator if requested and AI is enabled
+        this.useAiPayloads = options.useAiPayloads ?? false;
+        if (this.useAiPayloads && config.ai.enabled) {
+            try {
+                const aiClient = await (0, ai_client_1.createAIClient)();
+                this.payloadGenerator = new ai_payloads_1.PayloadGenerator(aiClient);
+                logger_1.logger.info("AI contextual payload generation enabled");
+            }
+            catch (err) {
+                logger_1.logger.warn(`Failed to initialize AI payload generator: ${err.message}`);
+                this.useAiPayloads = false;
+            }
+        }
+        const compileList = (values) => {
+            if (!values || values.length === 0)
+                return [];
+            const patterns = [];
+            for (const raw of values) {
+                try {
+                    patterns.push(new RegExp(raw));
+                }
+                catch {
+                    logger_1.logger.warn(`Invalid regex pattern ignored: ${raw}`);
+                }
+            }
+            return patterns;
+        };
+        this.includePatterns = compileList(options.include);
+        this.excludePatterns = compileList(options.exclude);
+    }
+    resetScanState() {
+        this.detector.clear();
+        this.visitedUrls.clear();
+        this.crawledUrls = 0;
+        this.testedForms = 0;
+        this.requestsMade = 0;
+        this.headersChecked.clear();
+        this.scanErrors = [];
+        this.pluginErrors.clear();
+        this.rateLimiter.lastRequestTime = 0;
+        this.removeAllListeners();
+        // Reset plugin manager state
+        if (this.usePlugins) {
+            const securityHeadersPlugin = plugins_1.pluginManager.getPlugin("Security Headers Analyzer");
+            if (securityHeadersPlugin && typeof securityHeadersPlugin.reset === "function") {
+                securityHeadersPlugin.reset();
+            }
+        }
     }
     async initialize(options = {}) {
         const headless = options.headless ?? true;
@@ -51,16 +163,20 @@ class Scanner {
         const startTime = Date.now();
         const depth = options.depth ?? 2;
         const timeout = options.timeout ?? 30000;
-        await this.initializeRateLimiter();
+        this.resetScanState();
+        await this.initializeScanSettings(targetUrl, options);
         if (!this.browser) {
             await this.initialize(options);
         }
+        this.emit("scan:start", { target: targetUrl, options });
         logger_1.logger.info(`Starting scan of ${targetUrl} (depth: ${depth}, timeout: ${timeout}ms)`);
         try {
             await this.crawl(targetUrl, depth, timeout);
         }
         catch (error) {
-            logger_1.logger.error(`Scan failed: ${error.message}`);
+            const err = error;
+            this.emit("scan:error", { error: err });
+            logger_1.logger.error(`Scan failed: ${err.message}`);
             throw error;
         }
         finally {
@@ -78,7 +194,9 @@ class Scanner {
                 testedForms: this.testedForms,
                 requestsMade: this.requestsMade,
             },
+            score: this.detector.calculateScore(),
         };
+        this.emit("scan:complete", { result });
         return result;
     }
     async applyRateLimit() {
@@ -108,62 +226,198 @@ class Scanner {
         }
         throw new Error(`Failed after ${this.retryConfig.maxRetries + 1} attempts: ${lastError?.message}`);
     }
-    sanitizePayload(payload) {
-        // Prevent null bytes and extreme length payloads
-        if (payload.includes('\0')) {
-            throw new Error("Payload contains null bytes");
+    async createInstrumentedPage() {
+        const page = await this.browser.newPage();
+        await page.setUserAgent(this.userAgent);
+        await page.setRequestInterception(true);
+        page.on("request", (request) => {
+            this.requestsMade++;
+            const resourceType = request.resourceType();
+            if (resourceType === "image" || resourceType === "font" || resourceType === "media") {
+                request.abort();
+                return;
+            }
+            request.continue();
+        });
+        return page;
+    }
+    async runInIsolatedPage(operation) {
+        const page = await this.createInstrumentedPage();
+        try {
+            return await operation(page);
         }
-        if (payload.length > 10000) {
-            throw new Error("Payload exceeds maximum length of 10000 characters");
+        finally {
+            await page.close().catch((err) => logger_1.logger.debug(`Error closing page: ${err.message}`));
         }
-        return payload;
     }
     async crawl(url, depth, timeout) {
+        if (this.crawledUrls >= this.maxPages) {
+            return;
+        }
         if (depth === 0 || this.visitedUrls.has(url)) {
             return;
         }
         this.visitedUrls.add(url);
         this.crawledUrls++;
-        const page = await this.browser.newPage();
+        this.emit("crawl:start", { url, depth });
+        this.emit("crawl:page", { url, crawledCount: this.crawledUrls, maxPages: this.maxPages });
+        this.emit("progress", {
+            stage: "crawling",
+            current: this.crawledUrls,
+            total: this.maxPages,
+            message: `Crawling: ${url}`
+        });
+        const page = await this.createInstrumentedPage();
         try {
-            await page.setRequestInterception(true);
-            page.on("request", (request) => {
-                this.requestsMade++;
-                request.continue();
-            });
             const response = await this.withRetry(() => page.goto(url, { waitUntil: "networkidle2", timeout }), `crawl ${url}`);
             if (!response) {
                 logger_1.logger.warn(`No response from ${url}`);
+                this.scanErrors.push({ url, error: "No response" });
                 return;
             }
-            const host = new URL(url).host;
-            if (!this.headersChecked.has(host)) {
-                this.detector.analyzeSecurityHeaders(url, response.headers());
-                this.headersChecked.add(host);
-            }
             const content = await page.content();
-            this.detector.detectSensitiveData(url, content);
-            this.detector.detectInfoDisclosure(url, content);
-            await this.testForms(page, url, timeout);
-            await this.testUrlParameters(page, url, timeout);
+            const headers = response.headers();
+            // Analyze with plugins
+            if (this.usePlugins) {
+                await this.runPlugins(page, url, content, headers, timeout);
+            }
+            else {
+                // Fallback to legacy detector
+                await this.runLegacyDetection(page, url, content, headers, timeout);
+            }
             if (depth > 1) {
                 const links = await this.extractLinks(page, url);
-                for (const link of links.slice(0, 10)) {
+                for (const link of links) {
                     await this.crawl(link, depth - 1, timeout);
                 }
             }
+            this.emit("crawl:complete", { url });
         }
         catch (error) {
-            logger_1.logger.error(`Error crawling ${url}: ${error.message}`);
+            const err = error;
+            this.scanErrors.push({ url, error: err.message });
+            this.emit("crawl:error", { url, error: err });
+            logger_1.logger.error(`Error crawling ${url}: ${err.message}`);
         }
         finally {
             await page.close().catch(err => logger_1.logger.debug(`Error closing page: ${err.message}`));
         }
     }
-    async testForms(page, url, timeout) {
+    async runPlugins(page, url, content, headers, timeout) {
+        const context = {
+            page,
+            url,
+            baseUrl: this.baseOrigin || url,
+            timeout,
+            userAgent: this.userAgent,
+            payloadGenerator: this.payloadGenerator,
+        };
+        // Analyze headers
+        const host = new URL(url).host;
+        if (!this.headersChecked.has(host)) {
+            const headerResults = await plugins_1.pluginManager.analyzeHeaders(context, headers);
+            this.processPluginResults(headerResults);
+            this.headersChecked.add(host);
+        }
+        // Analyze content
+        const contentResults = await plugins_1.pluginManager.analyzeContent(context, content);
+        this.processPluginResults(contentResults);
+        // Test URL parameters
+        await this.testUrlParametersWithPlugins(page, url, timeout);
+        // Test forms
+        await this.testFormsWithPlugins(page, url, timeout);
+    }
+    processPluginResults(results) {
+        for (const result of results) {
+            // Track plugin errors
+            if (result.errors.length > 0) {
+                const existing = this.pluginErrors.get(result.plugin) || [];
+                this.pluginErrors.set(result.plugin, [...existing, ...result.errors]);
+            }
+            // Add vulnerabilities to detector
+            for (const vuln of result.vulnerabilities) {
+                this.detector.addVulnerability(vuln);
+            }
+            // Emit event for monitoring
+            this.emit("plugin:execute", {
+                plugin: result.plugin,
+                url: result.errors[0]?.url || "",
+                duration: result.duration,
+            });
+        }
+    }
+    async testUrlParametersWithPlugins(page, url, timeout) {
+        try {
+            const urlObj = new URL(url);
+            const params = Array.from(urlObj.searchParams.keys());
+            for (const param of params) {
+                const value = urlObj.searchParams.get(param) || "";
+                const context = {
+                    page,
+                    url,
+                    baseUrl: this.baseOrigin || url,
+                    timeout,
+                    userAgent: this.userAgent,
+                    payloadGenerator: this.payloadGenerator,
+                };
+                const results = await plugins_1.pluginManager.testParameter(context, param, value);
+                this.processPluginResults(results);
+            }
+        }
+        catch (error) {
+            logger_1.logger.debug(`Error testing URL parameters with plugins: ${error.message}`);
+        }
+    }
+    async testFormsWithPlugins(page, url, timeout) {
         const forms = await page.$$("form");
-        const config = await (0, config_1.getConfig)();
-        const maxConcurrency = config.scan.maxThreads || 5;
+        if (forms.length > 0) {
+            this.emit("form:test", { url, formCount: forms.length });
+        }
+        for (const form of forms) {
+            this.testedForms++;
+            try {
+                const inputs = await form.$$eval("input, textarea, select", (elements) => elements.map((el) => ({
+                    name: el.getAttribute("name") || "",
+                    type: el.getAttribute("type") || "text",
+                    value: el.value || "",
+                })).filter((input) => input.name && input.type !== "hidden" && input.type !== "submit"));
+                const formData = {
+                    action: await form.evaluate((el) => el.action || ""),
+                    method: await form.evaluate((el) => el.method || "GET"),
+                    inputs,
+                };
+                const context = {
+                    page,
+                    url,
+                    baseUrl: this.baseOrigin || url,
+                    timeout,
+                    userAgent: this.userAgent,
+                    payloadGenerator: this.payloadGenerator,
+                };
+                const results = await plugins_1.pluginManager.testFormInput(context, formData);
+                this.processPluginResults(results);
+            }
+            catch (error) {
+                logger_1.logger.debug(`Error testing form with plugins: ${error.message}`);
+            }
+        }
+    }
+    async runLegacyDetection(page, url, content, headers, timeout) {
+        const host = new URL(url).host;
+        if (!this.headersChecked.has(host)) {
+            this.detector.analyzeSecurityHeaders(url, headers);
+            this.headersChecked.add(host);
+        }
+        this.detector.detectSensitiveData(url, content);
+        this.detector.detectInfoDisclosure(url, content);
+        await this.testFormsLegacy(page, url, timeout);
+        await this.testUrlParametersLegacy(page, url, timeout);
+    }
+    async testFormsLegacy(page, url, timeout) {
+        const forms = await page.$$("form");
+        if (forms.length > 0) {
+            this.emit("form:test", { url, formCount: forms.length });
+        }
         for (const form of forms) {
             this.testedForms++;
             try {
@@ -177,66 +431,60 @@ class Scanner {
                     if (!name || type === "hidden" || type === "submit") {
                         continue;
                     }
-                    inputTests.push(() => this.testXSS(page, url, name, timeout));
-                    inputTests.push(() => this.testSQLi(page, url, name, timeout));
-                    inputTests.push(() => this.testLFI(page, url, name, timeout));
-                    inputTests.push(() => this.testCMDI(page, url, name, timeout));
+                    inputTests.push(() => this.runInIsolatedPage((testPage) => this.testXSS(testPage, url, name, timeout)));
+                    inputTests.push(() => this.runInIsolatedPage((testPage) => this.testSQLi(testPage, url, name, timeout)));
                 }
-                // Execute tests with concurrency control
-                await this.runWithConcurrency(inputTests, maxConcurrency);
+                await this.runWithConcurrency(inputTests, this.maxConcurrency);
             }
             catch (error) {
                 logger_1.logger.debug(`Error testing form: ${error.message}`);
             }
         }
     }
-    async runWithConcurrency(tasks, maxConcurrency) {
-        const executing = [];
-        for (const task of tasks) {
-            const promise = task().catch((error) => {
-                logger_1.logger.debug(`Task failed: ${error.message}`);
-                return undefined;
-            });
-            executing.push(promise);
-            if (executing.length >= maxConcurrency) {
-                await Promise.race(executing);
-                executing.splice(executing.findIndex(p => p === promise), 1);
-            }
-        }
-        await Promise.all(executing);
-    }
-    async testUrlParameters(page, baseUrl, timeout) {
+    async testUrlParametersLegacy(page, baseUrl, timeout) {
         try {
             const url = new URL(baseUrl);
             const params = Array.from(url.searchParams.keys());
             for (const param of params) {
-                await this.testIDOR(baseUrl, param, timeout);
-                await this.testLFI(page, baseUrl, param, timeout);
-                await this.testPathTraversal(page, baseUrl, param, timeout);
-                await this.testCMDI(page, baseUrl, param, timeout);
-                await this.testSSRF(page, baseUrl, param, timeout);
-                await this.testOpenRedirect(page, baseUrl, param, timeout);
+                await this.testXSS(page, baseUrl, param, timeout);
+                await this.testSQLi(page, baseUrl, param, timeout);
             }
         }
         catch (error) {
             logger_1.logger.debug(`Error testing URL parameters: ${error.message}`);
         }
     }
+    async runWithConcurrency(tasks, maxConcurrency) {
+        if (tasks.length === 0) {
+            return;
+        }
+        const workerCount = Math.max(1, Math.min(maxConcurrency, tasks.length));
+        let nextIndex = 0;
+        const workers = Array.from({ length: workerCount }, async () => {
+            while (nextIndex < tasks.length) {
+                const currentTask = tasks[nextIndex++];
+                try {
+                    await currentTask();
+                }
+                catch (error) {
+                    logger_1.logger.debug(`Task failed: ${error.message}`);
+                }
+            }
+        });
+        await Promise.all(workers);
+    }
     async testXSS(page, url, param, timeout) {
         const payloads = [
             "<script>alert('XSS')</script>",
             '"><script>alert(1)</script>',
             "<img src=x onerror=alert(1)>",
-            "'-alert(1)-'",
-            "<svg/onload=alert(1)>",
         ];
         for (const payload of payloads) {
             try {
-                const sanitizedPayload = this.sanitizePayload(payload);
-                const testUrl = this.buildTestUrl(url, param, sanitizedPayload);
+                const testUrl = this.buildTestUrl(url, param, payload);
                 await this.withRetry(() => page.goto(testUrl, { waitUntil: "networkidle2", timeout }), `XSS test for ${param}`);
                 const content = await page.content();
-                this.detector.detectXSS(url, param, sanitizedPayload, content);
+                this.detector.detectXSS(url, param, payload, content);
             }
             catch (error) {
                 logger_1.logger.debug(`XSS test failed for ${param}: ${error.message}`);
@@ -244,31 +492,11 @@ class Scanner {
         }
     }
     async testSQLi(page, url, param, timeout) {
-        const errorBasedPayloads = [
-            "'",
-            "1' OR '1'='1",
-            "1; DROP TABLE users--",
-            "' OR 1=1--",
-            "' UNION SELECT 1--",
-            "1' AND '1'='1",
-        ];
-        const timeBasedPayloads = [
-            "' AND SLEEP(5)--",
-            "1' AND SLEEP(5)--",
-            "'; WAITFOR DELAY '00:00:05'--",
-        ];
-        try {
-            await page.content();
-        }
-        catch (error) {
-            logger_1.logger.debug(`Could not get original response for SQLi test: ${error.message}`);
-            return;
-        }
+        const errorBasedPayloads = ["'", "1' OR '1'='1", "' OR 1=1--"];
         for (const payload of errorBasedPayloads) {
             try {
-                const sanitizedPayload = this.sanitizePayload(payload);
-                const testUrl = this.buildTestUrl(url, param, sanitizedPayload);
-                await this.withRetry(() => page.goto(testUrl, { waitUntil: "networkidle2", timeout }), `SQLi error test for ${param}`);
+                const testUrl = this.buildTestUrl(url, param, payload);
+                await this.withRetry(() => page.goto(testUrl, { waitUntil: "networkidle2", timeout }), `SQLi test for ${param}`);
                 const content = await page.content();
                 this.detector.detectSQLi(url, param, content);
             }
@@ -276,162 +504,6 @@ class Scanner {
                 logger_1.logger.debug(`SQLi test failed for ${param}: ${error.message}`);
             }
         }
-        const startTime = Date.now();
-        for (const payload of timeBasedPayloads) {
-            try {
-                const sanitizedPayload = this.sanitizePayload(payload);
-                const testUrl = this.buildTestUrl(url, param, sanitizedPayload);
-                await this.withRetry(() => page.goto(testUrl, { waitUntil: "networkidle2", timeout }), `Blind SQLi test for ${param}`);
-                const testTime = Date.now() - startTime;
-                this.detector.detectBlindSQLi(url, param, 0, testTime);
-            }
-            catch (error) {
-                logger_1.logger.debug(`Blind SQLi test failed for ${param}: ${error.message}`);
-            }
-        }
-    }
-    async testLFI(page, url, param, timeout) {
-        const lfiPayloads = [
-            "../../../../etc/passwd",
-            "../../../../../../etc/passwd",
-            "..\\..\\..\\..\\..\\windows\\system32\\drivers\\etc\\hosts",
-            "..%2f..%2f..%2f..%2fetc%2fpasswd",
-            "/etc/passwd",
-            "/etc/shadow",
-        ];
-        for (const payload of lfiPayloads) {
-            try {
-                const sanitizedPayload = this.sanitizePayload(payload);
-                const testUrl = this.buildTestUrl(url, param, sanitizedPayload);
-                await this.withRetry(() => page.goto(testUrl, { waitUntil: "networkidle2", timeout }), `LFI test for ${param}`);
-                const content = await page.content();
-                this.detector.detectLFI(url, param, sanitizedPayload, content);
-            }
-            catch (error) {
-                logger_1.logger.debug(`LFI test failed for ${param}: ${error.message}`);
-            }
-        }
-    }
-    async testPathTraversal(page, url, param, timeout) {
-        const traversalPayloads = [
-            "../../../../etc/passwd",
-            "..%2f..%2f..%2f..%2fetc%2fpasswd",
-            "....//....//....//etc/passwd",
-            "..\\..\\..\\..\\windows\\system32\\config\\sam",
-        ];
-        for (const payload of traversalPayloads) {
-            try {
-                const sanitizedPayload = this.sanitizePayload(payload);
-                const testUrl = this.buildTestUrl(url, param, sanitizedPayload);
-                await this.withRetry(() => page.goto(testUrl, { waitUntil: "networkidle2", timeout }), `Path traversal test for ${param}`);
-                const content = await page.content();
-                this.detector.detectPathTraversal(url, param, sanitizedPayload, content);
-            }
-            catch (error) {
-                logger_1.logger.debug(`Path traversal test failed for ${param}: ${error.message}`);
-            }
-        }
-    }
-    async testCMDI(page, url, param, timeout) {
-        const cmdiPayloads = [
-            "; whoami",
-            "| whoami",
-            "`whoami`",
-            "$(whoami)",
-            "; id",
-            "| id",
-            "; cat /etc/passwd",
-            "| ls -la",
-            "& ping -c 3 127.0.0.1",
-            "&& whoami",
-        ];
-        for (const payload of cmdiPayloads) {
-            try {
-                const sanitizedPayload = this.sanitizePayload(payload);
-                const testUrl = this.buildTestUrl(url, param, sanitizedPayload);
-                await this.withRetry(() => page.goto(testUrl, { waitUntil: "networkidle2", timeout }), `CMDI test for ${param}`);
-                const content = await page.content();
-                this.detector.detectCMDI(url, param, sanitizedPayload, content);
-            }
-            catch (error) {
-                logger_1.logger.debug(`CMDI test failed for ${param}: ${error.message}`);
-            }
-        }
-    }
-    async testSSRF(page, url, param, _timeout) {
-        const ssrfPayloads = [
-            "http://localhost",
-            "http://127.0.0.1",
-            "http://169.254.169.254/latest/meta-data/",
-            "https://metadata.google.internal/",
-            "http://0.0.0.0",
-            "http://[::1]",
-        ];
-        for (const payload of ssrfPayloads) {
-            try {
-                const sanitizedPayload = this.sanitizePayload(payload);
-                const testUrl = this.buildTestUrl(url, param, sanitizedPayload);
-                try {
-                    await this.withRetry(() => page.goto(testUrl, { waitUntil: "networkidle2", timeout: 5000 }), `SSRF test for ${param}`);
-                }
-                catch {
-                    // Expected to fail for internal URLs
-                }
-                const content = await page.content();
-                this.detector.detectSSRF(url, param, sanitizedPayload, content);
-            }
-            catch (error) {
-                logger_1.logger.debug(`SSRF test failed for ${param}: ${error.message}`);
-            }
-        }
-    }
-    async testOpenRedirect(page, url, param, _timeout) {
-        const redirectPayloads = [
-            "https://evil.com",
-            "https://google.com",
-            "//evil.com",
-            "///evil.com",
-            "https://google.com%23",
-            "javascript:alert(1)",
-        ];
-        for (const payload of redirectPayloads) {
-            try {
-                const sanitizedPayload = this.sanitizePayload(payload);
-                const testUrl = this.buildTestUrl(url, param, sanitizedPayload);
-                const response = await this.withRetry(() => page.goto(testUrl, { waitUntil: "domcontentloaded", timeout: 5000 }), `Open redirect test for ${param}`);
-                if (response) {
-                    const finalUrl = response.url();
-                    this.detector.detectOpenRedirect(url, param, sanitizedPayload, finalUrl);
-                }
-            }
-            catch (error) {
-                logger_1.logger.debug(`Open redirect test failed for ${param}: ${error.message}`);
-            }
-        }
-    }
-    async testIDOR(baseUrl, param, timeout) {
-        const page = await this.browser.newPage();
-        try {
-            const url = new URL(baseUrl);
-            const originalValue = url.searchParams.get(param);
-            if (!originalValue || isNaN(Number(originalValue))) {
-                return;
-            }
-            const originalResponse = await this.withRetry(() => page.goto(baseUrl, { waitUntil: "networkidle2", timeout }), `IDOR original request for ${param}`);
-            const originalContent = originalResponse ? await originalResponse.text() : "";
-            const modifiedValue = String(Number(originalValue) + 1);
-            url.searchParams.set(param, modifiedValue);
-            const testUrl = url.toString();
-            const testResponse = await this.withRetry(() => page.goto(testUrl, { waitUntil: "networkidle2", timeout }), `IDOR test request for ${param}`);
-            const testContent = testResponse ? await testResponse.text() : "";
-            this.detector.detectIDOR(baseUrl, param, originalValue, testContent, originalContent);
-        }
-        catch (error) {
-            logger_1.logger.debug(`IDOR test failed for ${param}: ${error.message}`);
-        }
-        finally {
-            await page.close().catch(err => logger_1.logger.debug(`Error closing page: ${err.message}`));
-        }
     }
     buildTestUrl(baseUrl, param, value) {
         try {
@@ -446,20 +518,42 @@ class Scanner {
     async extractLinks(page, baseUrl) {
         const links = await page.$$eval("a[href]", (anchors) => anchors.map((a) => a.getAttribute("href")).filter(Boolean));
         const absoluteLinks = [];
+        const baseOrigin = this.baseOrigin || new URL(baseUrl).origin;
+        const isAllowedByPatterns = (candidate) => {
+            const asString = candidate.toString();
+            for (const pattern of this.excludePatterns) {
+                if (pattern.test(asString)) {
+                    return false;
+                }
+            }
+            if (this.includePatterns.length > 0) {
+                return this.includePatterns.some((pattern) => pattern.test(asString));
+            }
+            return true;
+        };
         for (const link of links) {
             if (!link)
                 continue;
             try {
                 const absolute = new URL(link, baseUrl);
-                if (absolute.origin === new URL(baseUrl).origin) {
-                    absoluteLinks.push(absolute.toString());
+                if (!["http:", "https:"].includes(absolute.protocol)) {
+                    continue;
+                }
+                if (this.strictScope && absolute.origin !== baseOrigin) {
+                    continue;
+                }
+                if (!isAllowedByPatterns(absolute)) {
+                    continue;
                 }
+                absolute.hash = "";
+                absoluteLinks.push(absolute.toString());
             }
             catch {
                 // Skip invalid URLs
             }
         }
-        return [...new Set(absoluteLinks)];
+        const deduped = [...new Set(absoluteLinks)];
+        return deduped.slice(0, this.maxLinksPerPage);
     }
     async close() {
         if (this.browser) {