kramscan 0.1.1 → 0.3.0

package/dist/plugins/vulnerabilities/DebugEndpointPlugin.js

@@ -0,0 +1,222 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DebugEndpointPlugin = void 0;
+const types_1 = require("../types");
+class DebugEndpointPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Debug Endpoint Detector";
+    type = "info";
+    description = "Probes for common debug, admin, and development endpoints left exposed";
+    reportedPaths = new Set();
+    /**
+     * Common debug/dev endpoints that developers forget to disable before deployment.
+     * Each entry has a path, a human-readable name, and expected severity.
+     */
+    debugEndpoints = [
+        {
+            path: "/debug",
+            name: "Debug Panel",
+            severity: "high",
+            indicators: ["debug", "stack", "trace", "error"],
+            remediation: "Remove or protect the /debug endpoint behind authentication.",
+        },
+        {
+            path: "/__debug__",
+            name: "Django Debug Panel",
+            severity: "high",
+            indicators: ["django", "debug", "toolbar"],
+            remediation: "Set DEBUG=False in Django settings for production.",
+        },
+        {
+            path: "/phpinfo.php",
+            name: "PHP Info Page",
+            severity: "high",
+            indicators: ["phpinfo", "PHP Version", "Configuration"],
+            remediation: "Remove phpinfo.php from production servers.",
+        },
+        {
+            path: "/server-status",
+            name: "Apache Server Status",
+            severity: "medium",
+            indicators: ["Apache", "Server Version", "Current Time"],
+            remediation: "Restrict /server-status to internal IPs only.",
+        },
+        {
+            path: "/server-info",
+            name: "Apache Server Info",
+            severity: "medium",
+            indicators: ["Apache", "Server Information"],
+            remediation: "Disable mod_info or restrict access to internal IPs.",
+        },
+        {
+            path: "/graphql",
+            name: "GraphQL Endpoint (Introspection)",
+            severity: "medium",
+            indicators: ["graphql", "__schema", "query"],
+            remediation: "Disable GraphQL introspection in production.",
+        },
+        {
+            path: "/graphiql",
+            name: "GraphiQL IDE",
+            severity: "high",
+            indicators: ["graphiql", "GraphiQL"],
+            remediation: "Remove GraphiQL from production deployments.",
+        },
+        {
+            path: "/swagger",
+            name: "Swagger UI",
+            severity: "medium",
+            indicators: ["swagger", "api-docs", "openapi"],
+            remediation: "Protect Swagger UI behind authentication or remove from production.",
+        },
+        {
+            path: "/swagger-ui.html",
+            name: "Swagger UI HTML",
+            severity: "medium",
+            indicators: ["swagger", "api-docs"],
+            remediation: "Protect Swagger UI behind authentication or remove from production.",
+        },
+        {
+            path: "/api-docs",
+            name: "API Documentation",
+            severity: "low",
+            indicators: ["api", "docs", "openapi", "swagger"],
+            remediation: "Restrict API docs to authenticated users in production.",
+        },
+        {
+            path: "/actuator",
+            name: "Spring Boot Actuator",
+            severity: "high",
+            indicators: ["actuator", "beans", "health", "info"],
+            remediation: "Secure Spring Boot Actuator endpoints with authentication.",
+        },
+        {
+            path: "/actuator/env",
+            name: "Spring Boot Environment",
+            severity: "critical",
+            indicators: ["property", "source", "value"],
+            remediation: "Never expose /actuator/env publicly. It reveals environment variables and secrets.",
+        },
+        {
+            path: "/actuator/heapdump",
+            name: "Spring Boot Heap Dump",
+            severity: "critical",
+            indicators: [],
+            remediation: "Disable heap dump endpoint. It can expose sensitive memory contents.",
+        },
+        {
+            path: "/elmah.axd",
+            name: "ELMAH Error Log (.NET)",
+            severity: "high",
+            indicators: ["elmah", "error", "exception"],
+            remediation: "Restrict ELMAH access to authenticated administrators.",
+        },
+        {
+            path: "/trace.axd",
+            name: ".NET Trace Page",
+            severity: "high",
+            indicators: ["trace", "request", "response"],
+            remediation: "Disable tracing in production web.config.",
+        },
+        {
+            path: "/.env",
+            name: "Environment File",
+            severity: "critical",
+            indicators: ["=", "KEY", "SECRET", "PASSWORD", "DATABASE"],
+            remediation: "Never serve .env files. Add them to .gitignore and configure your server to deny access.",
+        },
+        {
+            path: "/wp-config.php",
+            name: "WordPress Config",
+            severity: "critical",
+            indicators: ["DB_NAME", "DB_PASSWORD", "AUTH_KEY"],
+            remediation: "Ensure wp-config.php is not accessible via HTTP.",
+        },
+        {
+            path: "/.git/config",
+            name: "Git Repository Config",
+            severity: "critical",
+            indicators: ["[core]", "[remote", "repositoryformatversion"],
+            remediation: "Block access to .git directory. Your source code is exposed.",
+        },
+        {
+            path: "/.git/HEAD",
+            name: "Git HEAD Reference",
+            severity: "high",
+            indicators: ["ref:", "refs/heads/"],
+            remediation: "Block access to the entire .git directory in your web server configuration.",
+        },
+        {
+            path: "/config.json",
+            name: "JSON Config File",
+            severity: "medium",
+            indicators: ["apiKey", "secret", "password", "database", "connection"],
+            remediation: "Do not serve config files via HTTP. Move them outside the web root.",
+        },
+        {
+            path: "/test",
+            name: "Test Endpoint",
+            severity: "low",
+            indicators: ["test", "debug", "hello"],
+            remediation: "Remove test endpoints before deploying to production.",
+        },
+        {
+            path: "/health",
+            name: "Health Check (Verbose)",
+            severity: "low",
+            indicators: ["database", "connection", "redis", "memory", "uptime"],
+            remediation: "Limit health check responses to simple status. Do not expose internal service details.",
+        },
+        {
+            path: "/metrics",
+            name: "Prometheus Metrics",
+            severity: "medium",
+            indicators: ["process_", "http_", "nodejs_", "go_"],
+            remediation: "Protect /metrics endpoint behind authentication or restrict to internal networks.",
+        },
+    ];
+    async analyzeContent(context, content) {
+        const vulnerabilities = [];
+        const baseUrl = new URL(context.url).origin;
+        for (const endpoint of this.debugEndpoints) {
+            const fullPath = `${baseUrl}${endpoint.path}`;
+            if (this.reportedPaths.has(fullPath))
+                continue;
+            try {
+                const response = await context.page.evaluate(async (url) => {
+                    try {
+                        const res = await fetch(url, {
+                            method: "GET",
+                            redirect: "follow",
+                            credentials: "omit",
+                        });
+                        const text = await res.text();
+                        return { status: res.status, body: text.substring(0, 2000) };
+                    }
+                    catch {
+                        return { status: 0, body: "" };
+                    }
+                }, fullPath);
+                // Check if the endpoint exists and contains debug indicators
+                if (response.status >= 200 && response.status < 400) {
+                    const bodyLower = response.body.toLowerCase();
+                    // For endpoints with no indicators (like heap dumps), 200 status is enough
+                    const hasIndicators = endpoint.indicators.length === 0 ||
+                        endpoint.indicators.some(ind => bodyLower.includes(ind.toLowerCase()));
+                    if (hasIndicators) {
+                        this.reportedPaths.add(fullPath);
+                        vulnerabilities.push(this.createVulnerability(`Exposed ${endpoint.name}`, `The ${endpoint.name} endpoint is accessible at ${endpoint.path}. ` +
+                            `This can expose sensitive internal information, configuration details, or debug data.`, fullPath, endpoint.severity, `HTTP ${response.status} at ${endpoint.path} (${response.body.substring(0, 100)}...)`, endpoint.remediation, "CWE-215"));
+                    }
+                }
+            }
+            catch {
+                // Endpoint not reachable, skip silently
+            }
+        }
+        return vulnerabilities;
+    }
+    reset() {
+        this.reportedPaths.clear();
+    }
+}
+exports.DebugEndpointPlugin = DebugEndpointPlugin;

package/dist/plugins/vulnerabilities/DirectoryTraversalPlugin.d.ts

@@ -0,0 +1,13 @@
+import { BaseVulnerabilityPlugin, PluginContext, VulnerabilityTestResult } from "../types";
+export declare class DirectoryTraversalPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Directory Traversal / LFI Detector";
+    readonly type: "lfi";
+    readonly description = "Tests for path traversal and local file inclusion vulnerabilities";
+    /**
+     * Payloads designed to detect directory traversal / LFI.
+     * Each payload targets a well-known file with distinctive content markers.
+     */
+    private readonly payloads;
+    testParameter(context: PluginContext, param: string, value: string): Promise<VulnerabilityTestResult>;
+    private buildTestUrl;
+}

package/dist/plugins/vulnerabilities/DirectoryTraversalPlugin.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DirectoryTraversalPlugin = void 0;
+const types_1 = require("../types");
+class DirectoryTraversalPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Directory Traversal / LFI Detector";
+    type = "lfi";
+    description = "Tests for path traversal and local file inclusion vulnerabilities";
+    /**
+     * Payloads designed to detect directory traversal / LFI.
+     * Each payload targets a well-known file with distinctive content markers.
+     */
+    payloads = [
+        // Linux/Unix path traversal
+        {
+            payload: "../../../etc/passwd",
+            markers: ["root:", "/bin/bash", "/bin/sh", "nobody:"],
+            os: "linux",
+        },
+        {
+            payload: "....//....//....//etc/passwd",
+            markers: ["root:", "/bin/bash", "/bin/sh"],
+            os: "linux",
+        },
+        {
+            payload: "..%2F..%2F..%2Fetc%2Fpasswd",
+            markers: ["root:", "/bin/bash", "/bin/sh"],
+            os: "linux",
+        },
+        {
+            payload: "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+        {
+            payload: "....\\\\....\\\\....\\\\etc\\\\passwd",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+        // Windows path traversal
+        {
+            payload: "..\\..\\..\\windows\\win.ini",
+            markers: ["[fonts]", "[extensions]", "[mci extensions]"],
+            os: "windows",
+        },
+        {
+            payload: "..%5C..%5C..%5Cwindows%5Cwin.ini",
+            markers: ["[fonts]", "[extensions]"],
+            os: "windows",
+        },
+        {
+            payload: "../../../windows/win.ini",
+            markers: ["[fonts]", "[extensions]"],
+            os: "windows",
+        },
+        // Null byte injection (legacy PHP)
+        {
+            payload: "../../../etc/passwd%00",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+        // Double encoding
+        {
+            payload: "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+    ];
+    async testParameter(context, param, value) {
+        for (const { payload, markers, os } of this.payloads) {
+            try {
+                const testUrl = this.buildTestUrl(context.url, param, payload);
+                const response = await context.page.evaluate(async (url) => {
+                    try {
+                        const res = await fetch(url, {
+                            method: "GET",
+                            redirect: "follow",
+                            credentials: "omit",
+                        });
+                        const text = await res.text();
+                        return { status: res.status, body: text.substring(0, 5000) };
+                    }
+                    catch {
+                        return { status: 0, body: "" };
+                    }
+                }, testUrl);
+                if (response.status >= 200 && response.status < 500) {
+                    const bodyLower = response.body.toLowerCase();
+                    const matchedMarkers = markers.filter(m => bodyLower.includes(m.toLowerCase()));
+                    if (matchedMarkers.length >= 2) {
+                        return this.success(this.createVulnerability("Directory Traversal / Local File Inclusion", `The parameter '${param}' is vulnerable to directory traversal. ` +
+                            `An attacker can read arbitrary files from the server filesystem (${os}).`, context.url, "critical", `Payload: ${param}=${payload} — matched markers: ${matchedMarkers.join(", ")}`, "Validate and sanitize all file path inputs. Use a whitelist of allowed files/directories. " +
+                            "Never pass user input directly to file system operations. " +
+                            "Use path.resolve() and verify the resolved path starts with the expected base directory.", "CWE-22"));
+                    }
+                }
+            }
+            catch {
+                // Skip this payload, try next
+            }
+        }
+        return this.failure();
+    }
+    buildTestUrl(baseUrl, param, payload) {
+        const url = new URL(baseUrl);
+        url.searchParams.set(param, payload);
+        return url.toString();
+    }
+}
+exports.DirectoryTraversalPlugin = DirectoryTraversalPlugin;

package/dist/plugins/vulnerabilities/OpenRedirectPlugin.d.ts

@@ -0,0 +1,10 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+import { Vulnerability } from "../../core/vulnerability-detector";
+export declare class OpenRedirectPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Open Redirect Detector";
+    readonly type: "redirect";
+    readonly description = "Detects open redirect vulnerabilities in URL parameters";
+    private readonly redirectParams;
+    private readonly testDomains;
+    analyzeContent(context: PluginContext, content: string): Promise<Vulnerability[]>;
+}

package/dist/plugins/vulnerabilities/OpenRedirectPlugin.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OpenRedirectPlugin = void 0;
+const types_1 = require("../types");
+class OpenRedirectPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Open Redirect Detector";
+    type = "redirect";
+    description = "Detects open redirect vulnerabilities in URL parameters";
+    redirectParams = [
+        "url", "redirect", "redirect_url", "redirect_uri", "return", "return_url",
+        "returnTo", "next", "next_url", "goto", "target", "dest", "destination",
+        "rurl", "redir", "out", "continue", "forward", "callback", "callback_url",
+        "path", "ref", "site", "view", "to", "link", "logout_redirect",
+    ];
+    testDomains = [
+        "https://evil.com",
+        "//evil.com",
+        "https://evil.com%2f%2f",
+        "/\\evil.com",
+        "https:evil.com",
+    ];
+    async analyzeContent(context, content) {
+        const vulnerabilities = [];
+        const url = new URL(context.url);
+        // Check if the current URL uses any redirect-like parameters
+        for (const param of this.redirectParams) {
+            const value = url.searchParams.get(param);
+            if (value) {
+                // Current URL has a redirect param — test it
+                for (const testDomain of this.testDomains) {
+                    try {
+                        const testUrl = new URL(context.url);
+                        testUrl.searchParams.set(param, testDomain);
+                        const result = await context.page.evaluate(async (targetUrl) => {
+                            try {
+                                const res = await fetch(targetUrl, {
+                                    method: "GET",
+                                    redirect: "manual",
+                                    credentials: "omit",
+                                });
+                                const location = res.headers.get("location") || "";
+                                return {
+                                    status: res.status,
+                                    location,
+                                };
+                            }
+                            catch {
+                                return { status: 0, location: "" };
+                            }
+                        }, testUrl.toString());
+                        if (result.status >= 300 && result.status < 400 &&
+                            result.location.includes("evil.com")) {
+                            vulnerabilities.push(this.createVulnerability("Open Redirect", `The parameter '${param}' allows redirection to arbitrary external URLs. ` +
+                                `Attackers can use this for phishing by crafting legitimate-looking URLs that redirect to malicious sites.`, context.url, "medium", `${param}=${testDomain} → Location: ${result.location}`, "Validate redirect URLs against a whitelist of allowed domains. " +
+                                "Use relative paths instead of full URLs. " +
+                                "Never redirect to user-supplied URLs without validation.", "CWE-601"));
+                            break; // One proof is enough for this param
+                        }
+                    }
+                    catch {
+                        // Skip this test
+                    }
+                }
+            }
+        }
+        return vulnerabilities;
+    }
+}
+exports.OpenRedirectPlugin = OpenRedirectPlugin;

package/dist/plugins/vulnerabilities/SQLInjectionPlugin.d.ts

@@ -0,0 +1,11 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+export declare class SQLInjectionPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "SQL Injection Detector";
+    readonly type: "sqli";
+    readonly description = "Detects SQL Injection vulnerabilities";
+    private readonly errorBasedPayloads;
+    private readonly timeBasedPayloads;
+    private getErrorPayloads;
+    private readonly sqlErrors;
+    testParameter(context: PluginContext, param: string, _value: string): Promise<import("../types").VulnerabilityTestResult>;
+}

package/dist/plugins/vulnerabilities/SQLInjectionPlugin.js

@@ -0,0 +1,109 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SQLInjectionPlugin = void 0;
+const types_1 = require("../types");
+class SQLInjectionPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "SQL Injection Detector";
+    type = "sqli";
+    description = "Detects SQL Injection vulnerabilities";
+    errorBasedPayloads = [
+        "'",
+        "1' OR '1'='1",
+        "1; DROP TABLE users--",
+        "' OR 1=1--",
+        "' UNION SELECT 1--",
+        "1' AND '1'='1",
+    ];
+    timeBasedPayloads = [
+        "' AND SLEEP(5)--",
+        "1' AND SLEEP(5)--",
+        "'; WAITFOR DELAY '00:00:05'--",
+    ];
+    async getErrorPayloads(context, param) {
+        if (context.payloadGenerator) {
+            const aiPayloads = await context.payloadGenerator.generatePayloads("sqli", {
+                parameterName: param,
+                url: context.url,
+            });
+            if (aiPayloads.length > 0) {
+                return [...aiPayloads, ...this.errorBasedPayloads];
+            }
+        }
+        return this.errorBasedPayloads;
+    }
+    sqlErrors = [
+        "SQL syntax",
+        "mysql_fetch",
+        "ORA-",
+        "PostgreSQL",
+        "SQLite",
+        "ODBC",
+        "JET Database",
+        "Microsoft Access Driver",
+        "unterminated",
+        "mysql_num_rows",
+        "mysql_query",
+        "Microsoft SQL Native Client error",
+        "SQLServer JDBC Driver",
+        "ORA-00933",
+        "PG::SyntaxError",
+        "Warning: pg_",
+        "Syntax error",
+    ];
+    async testParameter(context, param, _value) {
+        // Test for error-based SQL injection
+        const errorPayloads = await this.getErrorPayloads(context, param);
+        for (const payload of errorPayloads) {
+            try {
+                const url = new URL(context.url);
+                url.searchParams.set(param, payload);
+                await context.page.goto(url.toString(), {
+                    waitUntil: "networkidle2",
+                    timeout: context.timeout
+                });
+                const content = await context.page.content();
+                for (const error of this.sqlErrors) {
+                    if (content.includes(error)) {
+                        return this.success(this.createVulnerability("SQL Injection", `The parameter '${param}' is vulnerable to SQL injection. Database error messages were detected.`, context.url, "critical", `Error: ${error}`, "Use parameterized queries (prepared statements). Never concatenate user input into SQL.", "CWE-89"));
+                    }
+                }
+            }
+            catch (error) {
+                return this.failure(error.message);
+            }
+        }
+        // Test for time-based blind SQL injection
+        let baselineTime = 0;
+        try {
+            const baselineStart = Date.now();
+            await context.page.goto(context.url, {
+                waitUntil: "networkidle2",
+                timeout: context.timeout
+            });
+            baselineTime = Date.now() - baselineStart;
+        }
+        catch (error) {
+            return this.failure(error.message);
+        }
+        for (const payload of this.timeBasedPayloads) {
+            try {
+                const url = new URL(context.url);
+                url.searchParams.set(param, payload);
+                const startTime = Date.now();
+                await context.page.goto(url.toString(), {
+                    waitUntil: "networkidle2",
+                    timeout: context.timeout
+                });
+                const testTime = Date.now() - startTime;
+                if (testTime > baselineTime + 3000) {
+                    return this.success(this.createVulnerability("Blind SQL Injection", `Time-based blind SQL injection detected on parameter '${param}'. Response time indicates successful payload execution.`, context.url, "high", `Response time increased by ${testTime - baselineTime}ms with sleep payload`, "Use parameterized queries. Implement input validation and proper error handling.", "CWE-89"));
+                }
+            }
+            catch (error) {
+                return this.failure(error.message);
+            }
+        }
+        return this.failure();
+    }
+}
+exports.SQLInjectionPlugin = SQLInjectionPlugin;

package/dist/plugins/vulnerabilities/SecurityHeadersPlugin.d.ts

@@ -0,0 +1,11 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+import { Vulnerability } from "../../core/vulnerability-detector";
+export declare class SecurityHeadersPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Security Headers Analyzer";
+    readonly type: "header";
+    readonly description = "Analyzes HTTP security headers";
+    private readonly reportedHosts;
+    private readonly requiredHeaders;
+    analyzeHeaders(context: PluginContext, headers: Record<string, string>): Promise<Vulnerability[]>;
+    reset(): void;
+}

package/dist/plugins/vulnerabilities/SecurityHeadersPlugin.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityHeadersPlugin = void 0;
+const types_1 = require("../types");
+class SecurityHeadersPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Security Headers Analyzer";
+    type = "header";
+    description = "Analyzes HTTP security headers";
+    reportedHosts = new Set();
+    requiredHeaders = {
+        "content-security-policy": {
+            title: "Missing Content-Security-Policy",
+            severity: "low",
+            remediation: "Implement a strict CSP to prevent XSS and data injection attacks.",
+        },
+        "x-frame-options": {
+            title: "Missing X-Frame-Options",
+            severity: "low",
+            remediation: "Set X-Frame-Options to DENY or SAMEORIGIN to prevent clickjacking.",
+        },
+        "strict-transport-security": {
+            title: "Missing Strict-Transport-Security (HSTS)",
+            severity: "low",
+            remediation: "Enable HSTS with max-age of at least 31536000 seconds.",
+        },
+        "x-content-type-options": {
+            title: "Missing X-Content-Type-Options",
+            severity: "info",
+            remediation: "Set X-Content-Type-Options to 'nosniff'.",
+        },
+        "referrer-policy": {
+            title: "Missing Referrer-Policy",
+            severity: "info",
+            remediation: "Set Referrer-Policy to 'strict-origin-when-cross-origin'.",
+        },
+        "permissions-policy": {
+            title: "Missing Permissions-Policy",
+            severity: "info",
+            remediation: "Restrict browser features using Permissions-Policy header.",
+        },
+    };
+    async analyzeHeaders(context, headers) {
+        const host = new URL(context.url).host;
+        // Only report once per host
+        if (this.reportedHosts.has(host)) {
+            return [];
+        }
+        const vulnerabilities = [];
+        for (const [header, config] of Object.entries(this.requiredHeaders)) {
+            if (!headers[header.toLowerCase()]) {
+                vulnerabilities.push(this.createVulnerability(config.title, `The ${header} security header is not set on ${host}.`, context.url, config.severity, undefined, config.remediation));
+            }
+        }
+        if (vulnerabilities.length > 0) {
+            this.reportedHosts.add(host);
+        }
+        return vulnerabilities;
+    }
+    reset() {
+        this.reportedHosts.clear();
+    }
+}
+exports.SecurityHeadersPlugin = SecurityHeadersPlugin;

package/dist/plugins/vulnerabilities/SensitiveDataPlugin.d.ts

@@ -0,0 +1,9 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+import { Vulnerability } from "../../core/vulnerability-detector";
+export declare class SensitiveDataPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Sensitive Data Detector";
+    readonly type: "sensitive_data";
+    readonly description = "Detects exposed sensitive data in responses";
+    private readonly patterns;
+    analyzeContent(context: PluginContext, content: string): Promise<Vulnerability[]>;
+}

package/dist/plugins/vulnerabilities/SensitiveDataPlugin.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SensitiveDataPlugin = void 0;
+const types_1 = require("../types");
+class SensitiveDataPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Sensitive Data Detector";
+    type = "sensitive_data";
+    description = "Detects exposed sensitive data in responses";
+    patterns = [
+        { regex: /sk-[a-zA-Z0-9]{48}/g, name: "OpenAI API Key", severity: "critical" },
+        { regex: /ghp_[a-zA-Z0-9]{36}/g, name: "GitHub Token", severity: "critical" },
+        { regex: /AKIA[0-9A-Z]{16}/g, name: "AWS Access Key", severity: "critical" },
+        { regex: /xox[baprs]-[0-9a-zA-Z]{10,}/g, name: "Slack Token", severity: "high" },
+        { regex: /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*/g, name: "JWT Token", severity: "high" },
+        { regex: /AIza[0-9A-Za-z_-]{35}/g, name: "Google API Key", severity: "high" },
+        { regex: /password["\s:=]+[^\s"]{6,}/gi, name: "Hardcoded Password", severity: "high" },
+        { regex: /api[_-]?key["\s:=]+[\w-]{20,}/gi, name: "Generic API Key", severity: "medium" },
+        { regex: /-----BEGIN (RSA |EC )?PRIVATE KEY-----/g, name: "Private Key", severity: "critical" },
+        { regex: /database[_-]?url["\s:=]+.*(?:mysql|postgres|mongodb):\/\//gi, name: "Database Connection String", severity: "high" },
+    ];
+    async analyzeContent(context, content) {
+        const vulnerabilities = [];
+        for (const pattern of this.patterns) {
+            const matches = content.match(pattern.regex);
+            if (matches && matches.length > 0) {
+                vulnerabilities.push(this.createVulnerability(`Exposed ${pattern.name}`, `Sensitive ${pattern.name} found in response. This could lead to account compromise or data breach.`, context.url, pattern.severity, `Found: ${matches[0].substring(0, 30)}...`, "Remove sensitive data from client-side code. Use environment variables and secure secret management.", "CWE-200"));
+            }
+        }
+        return vulnerabilities;
+    }
+}
+exports.SensitiveDataPlugin = SensitiveDataPlugin;