kramscan 0.1.1 → 0.3.0

package/dist/plugins/vulnerabilities/XSSPlugin.d.ts

@@ -0,0 +1,15 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+export declare class XSSPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "XSS Detector";
+    readonly type: "xss";
+    readonly description = "Detects Cross-Site Scripting vulnerabilities";
+    private readonly payloads;
+    private getPayloads;
+    testParameter(context: PluginContext, param: string, _value: string): Promise<import("../types").VulnerabilityTestResult>;
+    testFormInput(context: PluginContext, formData: {
+        inputs: Array<{
+            name: string;
+            type: string;
+        }>;
+    }): Promise<import("../types").VulnerabilityTestResult>;
+}

package/dist/plugins/vulnerabilities/XSSPlugin.js

@@ -0,0 +1,81 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XSSPlugin = void 0;
+const types_1 = require("../types");
+class XSSPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "XSS Detector";
+    type = "xss";
+    description = "Detects Cross-Site Scripting vulnerabilities";
+    payloads = [
+        "<script>alert('XSS')</script>",
+        '"><script>alert(1)</script>',
+        "<img src=x onerror=alert(1)>",
+        "'-alert(1)-'",
+        "<svg/onload=alert(1)>",
+    ];
+    async getPayloads(context, param) {
+        if (context.payloadGenerator) {
+            const aiPayloads = await context.payloadGenerator.generatePayloads("xss", {
+                parameterName: param,
+                url: context.url,
+                // We could extract more context from the page here if needed
+            });
+            if (aiPayloads.length > 0) {
+                return [...aiPayloads, ...this.payloads];
+            }
+        }
+        return this.payloads;
+    }
+    async testParameter(context, param, _value) {
+        const payloads = await this.getPayloads(context, param);
+        for (const payload of payloads) {
+            try {
+                const url = new URL(context.url);
+                url.searchParams.set(param, payload);
+                await context.page.goto(url.toString(), {
+                    waitUntil: "networkidle2",
+                    timeout: context.timeout
+                });
+                const content = await context.page.content();
+                if (content.includes(payload)) {
+                    return this.success(this.createVulnerability("Reflected Cross-Site Scripting (XSS)", `The parameter '${param}' reflects user input without proper encoding, allowing script injection.`, context.url, "high", `Payload: ${payload}`, "Implement input validation, output encoding, and Content Security Policy (CSP) headers.", "CWE-79"));
+                }
+            }
+            catch (error) {
+                return this.failure(error.message);
+            }
+        }
+        return this.failure();
+    }
+    async testFormInput(context, formData) {
+        for (const input of formData.inputs) {
+            if (input.type === "hidden" || input.type === "submit")
+                continue;
+            const payloads = await this.getPayloads(context, input.name);
+            for (const payload of payloads) {
+                try {
+                    await context.page.goto(context.url, {
+                        waitUntil: "networkidle2",
+                        timeout: context.timeout
+                    });
+                    const inputSelector = `input[name="${input.name}"], textarea[name="${input.name}"]`;
+                    await context.page.type(inputSelector, payload);
+                    const submitButton = await context.page.$("input[type=submit], button[type=submit]");
+                    if (submitButton) {
+                        await submitButton.click();
+                        await context.page.waitForNavigation({ timeout: context.timeout }).catch(() => { });
+                    }
+                    const content = await context.page.content();
+                    if (content.includes(payload)) {
+                        return this.success(this.createVulnerability("Reflected Cross-Site Scripting (XSS)", `The form input '${input.name}' reflects user input without proper encoding.`, context.url, "high", `Payload: ${payload}`, "Implement input validation, output encoding, and Content Security Policy (CSP) headers.", "CWE-79"));
+                    }
+                }
+                catch (error) {
+                    return this.failure(error.message);
+                }
+            }
+        }
+        return this.failure();
+    }
+}
+exports.XSSPlugin = XSSPlugin;

package/dist/reports/PdfGenerator.d.ts

@@ -0,0 +1,36 @@
+import { ScanResult } from "../core/vulnerability-detector";
+import type { ScanError } from "../core/scanner";
+export interface PdfGenerationOptions {
+    filename?: string;
+    format?: "A4" | "Letter" | "Legal";
+    margin?: {
+        top: string;
+        bottom: string;
+        left: string;
+        right: string;
+    };
+}
+export interface PdfReportData {
+    scanResult: ScanResult;
+    scanErrors?: ScanError[];
+    pluginErrors?: Map<string, Array<{
+        url: string;
+        error: string;
+    }>>;
+}
+export interface HtmlReportOptions {
+    filename?: string;
+    includeStyles?: boolean;
+    minify?: boolean;
+}
+export declare class PdfGenerator {
+    generate(data: PdfReportData, options?: PdfGenerationOptions): Promise<string>;
+    /**
+     * Generate a standalone HTML report
+     * @param data - The scan result data
+     * @param options - Options for HTML generation
+     * @returns Path to the generated HTML file
+     */
+    generateHtml(data: PdfReportData, options?: HtmlReportOptions): Promise<string>;
+}
+export declare const pdfGenerator: PdfGenerator;

package/dist/reports/PdfGenerator.js

@@ -0,0 +1,404 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pdfGenerator = exports.PdfGenerator = void 0;
+const puppeteer_1 = __importDefault(require("puppeteer"));
+const scan_storage_1 = require("../core/scan-storage");
+const path_1 = __importDefault(require("path"));
+function escapeHtml(text) {
+    if (!text)
+        return "";
+    return text
+        .toString()
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#039;");
+}
+function sanitizeFilenamePart(value) {
+    return value
+        .replace(/[<>:"\/\\|?*\x00-\x1F]/g, "_")
+        .replace(/\s+/g, "_")
+        .replace(/_+/g, "_")
+        .replace(/^_+|_+$/g, "");
+}
+function severityBadge(severity) {
+    const s = severity.toLowerCase();
+    if (s === "critical")
+        return "badge badge-critical";
+    if (s === "high")
+        return "badge badge-high";
+    if (s === "medium")
+        return "badge badge-medium";
+    if (s === "low")
+        return "badge badge-low";
+    return "badge badge-info";
+}
+function buildPdfHtml(data) {
+    const { scanResult, scanErrors = [], pluginErrors = new Map() } = data;
+    const rows = scanResult.vulnerabilities
+        .map((v, i) => {
+        const sev = escapeHtml(v.severity.toUpperCase());
+        const title = escapeHtml(v.title);
+        const url = escapeHtml(v.url);
+        const type = escapeHtml(v.type);
+        const desc = escapeHtml(v.description);
+        const evidence = v.evidence ? escapeHtml(v.evidence) : "";
+        const remediation = v.remediation ? escapeHtml(v.remediation) : "";
+        const cwe = v.cwe ? escapeHtml(v.cwe) : "";
+        return `
+      <div class="card">
+        <div class="card-h">
+          <div class="idx">${i + 1}.</div>
+          <div class="title">${title}</div>
+          <div class="${severityBadge(v.severity)}">${sev}</div>
+        </div>
+        <div class="meta">
+          <div><span class="k">URL:</span> <span class="v mono">${url}</span></div>
+          <div><span class="k">Type:</span> <span class="v mono">${type}</span></div>
+          ${cwe ? `<div><span class="k">CWE:</span> <span class="v mono">${cwe}</span></div>` : ""}
+        </div>
+        <div class="section">
+          <div class="k">Description</div>
+          <div class="v">${desc}</div>
+        </div>
+        ${evidence ? `<div class="section"><div class="k">Evidence</div><div class="v mono pre">${evidence}</div></div>` : ""}
+        ${remediation ? `<div class="section"><div class="k">Remediation</div><div class="v">${remediation}</div></div>` : ""}
+      </div>`;
+    })
+        .join("\n");
+    const summary = scanResult.summary;
+    // Build errors section
+    let errorsHtml = "";
+    if (scanErrors.length > 0 || pluginErrors.size > 0) {
+        const errorRows = scanErrors.map((e) => `
+            <tr>
+                <td class="mono">${escapeHtml(e.url)}</td>
+                <td>Crawl Error</td>
+                <td>${escapeHtml(e.error)}</td>
+            </tr>
+        `).join("");
+        const pluginErrorRows = [];
+        pluginErrors.forEach((errors, pluginName) => {
+            errors.forEach((e) => {
+                pluginErrorRows.push(`
+                    <tr>
+                        <td class="mono">${escapeHtml(e.url)}</td>
+                        <td>${escapeHtml(pluginName)}</td>
+                        <td>${escapeHtml(e.error)}</td>
+                    </tr>
+                `);
+            });
+        });
+        const totalErrors = scanErrors.length + pluginErrorRows.length;
+        errorsHtml = `
+        <div class="section-header">
+            <h2>⚠️ Scan Errors & Skipped Items</h2>
+            <span class="badge badge-warning">${totalErrors} items</span>
+        </div>
+        <div class="error-table-container">
+            <table class="error-table">
+                <thead>
+                    <tr>
+                        <th>URL</th>
+                        <th>Source</th>
+                        <th>Error</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    ${errorRows}
+                    ${pluginErrorRows.join("")}
+                </tbody>
+            </table>
+        </div>`;
+    }
+    return `<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>KramScan Security Report</title>
+    <style>
+      :root {
+        --bg: #0b1020;
+        --panel: #111a33;
+        --panel2: #0e1630;
+        --text: #e9eefc;
+        --muted: #a9b6e5;
+        --line: rgba(233,238,252,0.14);
+        --critical: #ff4d4f;
+        --high: #ff7a45;
+        --medium: #fadb14;
+        --low: #40a9ff;
+        --info: #8c8c8c;
+        --warning: #faad14;
+      }
+      * { box-sizing: border-box; }
+      body {
+        margin: 0;
+        padding: 28px;
+        font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Arial, "Noto Sans", "Helvetica Neue", sans-serif;
+        color: var(--text);
+        background: radial-gradient(1000px 600px at 20% 10%, rgba(64,169,255,0.20), transparent 60%),
+                    radial-gradient(900px 500px at 70% 0%, rgba(255,77,79,0.18), transparent 55%),
+                    linear-gradient(180deg, var(--bg), #070a14 70%);
+      }
+      .top {
+        display: flex;
+        justify-content: space-between;
+        align-items: flex-end;
+        gap: 16px;
+        padding-bottom: 14px;
+        border-bottom: 1px solid var(--line);
+      }
+      .brand {
+        display: flex;
+        flex-direction: column;
+        gap: 6px;
+      }
+      .h1 { font-size: 22px; font-weight: 800; letter-spacing: 0.3px; }
+      .sub { color: var(--muted); font-size: 12px; }
+      .mono { font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace; }
+      .pill {
+        padding: 6px 10px;
+        border: 1px solid var(--line);
+        border-radius: 999px;
+        background: rgba(17,26,51,0.55);
+        color: var(--muted);
+        font-size: 12px;
+        white-space: nowrap;
+      }
+      .grid {
+        display: grid;
+        grid-template-columns: 1fr 1fr 1fr 1fr 1fr;
+        gap: 10px;
+        margin: 16px 0 10px;
+      }
+      .stat {
+        border: 1px solid var(--line);
+        background: rgba(17,26,51,0.55);
+        border-radius: 12px;
+        padding: 10px 12px;
+      }
+      .stat .k { color: var(--muted); font-size: 11px; }
+      .stat .v { font-size: 18px; font-weight: 800; margin-top: 6px; }
+      .cards { margin-top: 14px; display: flex; flex-direction: column; gap: 12px; }
+      .card {
+        border: 1px solid var(--line);
+        background: linear-gradient(180deg, rgba(17,26,51,0.70), rgba(14,22,48,0.70));
+        border-radius: 14px;
+        padding: 12px 12px 10px;
+        page-break-inside: avoid;
+      }
+      .card-h {
+        display: grid;
+        grid-template-columns: auto 1fr auto;
+        align-items: center;
+        gap: 10px;
+      }
+      .idx { color: var(--muted); font-weight: 700; }
+      .title { font-weight: 800; }
+      .badge {
+        padding: 4px 8px;
+        border-radius: 999px;
+        font-size: 11px;
+        font-weight: 800;
+        border: 1px solid var(--line);
+      }
+      .badge-critical { background: rgba(255,77,79,0.18); color: #ffd1d1; border-color: rgba(255,77,79,0.45); }
+      .badge-high { background: rgba(255,122,69,0.18); color: #ffe1d2; border-color: rgba(255,122,69,0.45); }
+      .badge-medium { background: rgba(250,219,20,0.16); color: #fff3bf; border-color: rgba(250,219,20,0.40); }
+      .badge-low { background: rgba(64,169,255,0.16); color: #d6ecff; border-color: rgba(64,169,255,0.40); }
+      .badge-info { background: rgba(140,140,140,0.16); color: #eee; border-color: rgba(140,140,140,0.35); }
+      .badge-warning { background: rgba(250,173,20,0.16); color: #fffbe6; border-color: rgba(250,173,20,0.40); }
+      .meta { margin-top: 10px; display: grid; gap: 6px; }
+      .section { margin-top: 10px; border-top: 1px dashed rgba(233,238,252,0.20); padding-top: 10px; }
+      .section-header {
+        display: flex;
+        justify-content: space-between;
+        align-items: center;
+        margin: 24px 0 12px;
+        padding-bottom: 8px;
+        border-bottom: 1px solid var(--line);
+      }
+      .section-header h2 { 
+        margin: 0; 
+        font-size: 16px; 
+        color: var(--warning);
+      }
+      .error-table-container {
+        border: 1px solid var(--line);
+        border-radius: 12px;
+        overflow: hidden;
+        background: rgba(17,26,51,0.55);
+      }
+      .error-table {
+        width: 100%;
+        border-collapse: collapse;
+        font-size: 12px;
+      }
+      .error-table th {
+        background: rgba(17,26,51,0.80);
+        padding: 10px 12px;
+        text-align: left;
+        color: var(--muted);
+        font-weight: 600;
+        border-bottom: 1px solid var(--line);
+      }
+      .error-table td {
+        padding: 8px 12px;
+        border-bottom: 1px solid rgba(233,238,252,0.10);
+        color: var(--text);
+      }
+      .error-table tr:last-child td {
+        border-bottom: none;
+      }
+      .error-table tr:hover td {
+        background: rgba(255,255,255,0.03);
+      }
+      .k { color: var(--muted); font-size: 11px; font-weight: 700; text-transform: uppercase; letter-spacing: 0.6px; }
+      .v { margin-top: 6px; font-size: 12px; line-height: 1.45; }
+      .pre { white-space: pre-wrap; }
+      .footer { margin-top: 18px; color: var(--muted); font-size: 11px; border-top: 1px solid var(--line); padding-top: 12px; }
+    </style>
+  </head>
+  <body>
+    <div class="top">
+      <div class="brand">
+        <div class="h1">KramScan Security Report</div>
+        <div class="sub">Target: <span class="mono">${escapeHtml(scanResult.target)}</span></div>
+        <div class="sub">Timestamp: <span class="mono">${escapeHtml(scanResult.timestamp)}</span></div>
+      </div>
+      <div class="pill">Automated PDF generated after scan</div>
+    </div>
+
+    <div class="grid">
+      <div class="stat"><div class="k">Total</div><div class="v">${summary.total}</div></div>
+      <div class="stat"><div class="k">Critical</div><div class="v">${summary.critical}</div></div>
+      <div class="stat"><div class="k">High</div><div class="v">${summary.high}</div></div>
+      <div class="stat"><div class="k">Medium</div><div class="v">${summary.medium}</div></div>
+      <div class="stat"><div class="k">Low</div><div class="v">${summary.low}</div></div>
+    </div>
+
+    <div class="sub">Crawled URLs: <span class="mono">${scanResult.metadata.crawledUrls}</span> | Forms tested: <span class="mono">${scanResult.metadata.testedForms}</span> | Requests: <span class="mono">${scanResult.metadata.requestsMade}</span> | Duration: <span class="mono">${(scanResult.duration / 1000).toFixed(2)}s</span></div>
+    
+    <div style="margin-top: 20px; display: flex; align-items: center; gap: 15px; background: rgba(17,26,51,0.55); padding: 15px; border-radius: 12px; border: 1px solid var(--line);">
+        <div style="font-size: 24px; font-weight: 900; color: ${scanResult.score > 80 ? "#52c41a" : (scanResult.score > 50 ? "#faad14" : "#ff4d4f")};">
+            ${scanResult.score}/100
+        </div>
+        <div style="flex-grow: 1;">
+            <div style="font-size: 11px; text-transform: uppercase; color: var(--muted); letter-spacing: 0.5px; margin-bottom: 5px;">Security Posture</div>
+            <div style="height: 6px; background: rgba(255,255,255,0.1); border-radius: 3px; overflow: hidden;">
+                <div style="width: ${scanResult.score}%; height: 100%; background: ${scanResult.score > 80 ? "#52c41a" : (scanResult.score > 50 ? "#faad14" : "#ff4d4f")};"></div>
+            </div>
+        </div>
+        <div style="font-size: 12px; font-weight: 700; color: var(--muted);">
+            ${scanResult.score > 80 ? "EXCELLENT" : (scanResult.score > 50 ? "FAIR" : "POOR")}
+        </div>
+    </div>
+
+    <div class="cards">
+      ${rows || `<div class="card"><div class="title">No vulnerabilities found</div><div class="v">The scanner did not detect issues in the tested scope.</div></div>`}
+    </div>
+
+    ${errorsHtml}
+
+    <div class="footer">Generated by KramScan</div>
+  </body>
+</html>`;
+}
+class PdfGenerator {
+    async generate(data, options = {}) {
+        const reportsDir = await (0, scan_storage_1.ensureReportsDirectory)();
+        const targetUrl = new URL(data.scanResult.target);
+        const host = sanitizeFilenamePart(targetUrl.hostname || "unknown");
+        const timestamp = new Date(data.scanResult.timestamp || new Date().toISOString())
+            .toISOString()
+            .replace(/[:.]/g, "-");
+        const pdfFilename = options.filename || `scanreport_${host}_${timestamp}.pdf`;
+        const pdfPath = path_1.default.join(reportsDir, pdfFilename);
+        const browser = await puppeteer_1.default.launch({
+            headless: true,
+            args: ["--no-sandbox", "--disable-setuid-sandbox"],
+        });
+        try {
+            const page = await browser.newPage();
+            const html = buildPdfHtml(data);
+            await page.setContent(html, { waitUntil: "networkidle0" });
+            await page.pdf({
+                path: pdfPath,
+                format: options.format || "A4",
+                printBackground: true,
+                margin: options.margin || {
+                    top: "12mm",
+                    bottom: "12mm",
+                    left: "10mm",
+                    right: "10mm",
+                },
+            });
+        }
+        finally {
+            await browser.close();
+        }
+        return pdfPath;
+    }
+    /**
+     * Generate a standalone HTML report
+     * @param data - The scan result data
+     * @param options - Options for HTML generation
+     * @returns Path to the generated HTML file
+     */
+    async generateHtml(data, options = {}) {
+        const reportsDir = await (0, scan_storage_1.ensureReportsDirectory)();
+        const targetUrl = new URL(data.scanResult.target);
+        const host = sanitizeFilenamePart(targetUrl.hostname || "unknown");
+        const timestamp = new Date(data.scanResult.timestamp || new Date().toISOString())
+            .toISOString()
+            .replace(/[:.]/g, "-");
+        const htmlFilename = options.filename || `scanreport_${host}_${timestamp}.html`;
+        const htmlPath = path_1.default.join(reportsDir, htmlFilename);
+        const html = buildPdfHtml(data);
+        // Write the HTML file
+        const fs = await Promise.resolve().then(() => __importStar(require("fs/promises")));
+        await fs.writeFile(htmlPath, html, "utf-8");
+        return htmlPath;
+    }
+}
+exports.PdfGenerator = PdfGenerator;
+exports.pdfGenerator = new PdfGenerator();

package/dist/utils/logger.d.ts

@@ -1,9 +1,41 @@
 import { Ora } from "ora";
+export declare enum LogLevel {
+    DEBUG = 0,
+    INFO = 1,
+    SUCCESS = 2,
+    WARN = 3,
+    ERROR = 4
+}
+export interface LogEntry {
+    timestamp: string;
+    level: string;
+    message: string;
+    context?: Record<string, unknown>;
+}
+export interface LoggerOptions {
+    level?: LogLevel;
+    jsonOutput?: boolean;
+    includeTimestamp?: boolean;
+    includeContext?: boolean;
+}
 export declare const logger: {
     info: (message: string) => void;
     success: (message: string) => void;
     warn: (message: string) => void;
     error: (message: string) => void;
-    debug: (message: string) => void;
+    debug: (message: string, context?: Record<string, unknown>) => void;
     spinner: (text: string) => Ora;
 };
+export declare const structuredLogger: {
+    debug: (message: string, context?: Record<string, unknown>) => void;
+    info: (message: string, context?: Record<string, unknown>) => void;
+    warn: (message: string, context?: Record<string, unknown>) => void;
+    error: (message: string, context?: Record<string, unknown>) => void;
+    log: (level: LogLevel, message: string, context?: Record<string, unknown>) => void;
+};
+export declare function createChildLogger(defaultContext: Record<string, unknown>): {
+    debug: (message: string, context?: Record<string, unknown>) => void;
+    info: (message: string, context?: Record<string, unknown>) => void;
+    warn: (message: string, context?: Record<string, unknown>) => void;
+    error: (message: string, context?: Record<string, unknown>) => void;
+};