kramscan 0.1.1 → 0.3.0

package/dist/core/ai-payloads.d.ts

@@ -0,0 +1,17 @@
+import { AIClient } from "./ai-client";
+export type PayloadType = "xss" | "sqli" | "cmdi" | "lfi";
+export interface ContextInfo {
+    htmlContext?: string;
+    tagName?: string;
+    attributeName?: string;
+    parameterName: string;
+    url: string;
+}
+export declare class PayloadGenerator {
+    private aiClient;
+    constructor(aiClient: AIClient);
+    /**
+     * Generates a list of contextual payloads based on the provided HTML context.
+     */
+    generatePayloads(type: PayloadType, context: ContextInfo): Promise<string[]>;
+}

package/dist/core/ai-payloads.js

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PayloadGenerator = void 0;
+class PayloadGenerator {
+    aiClient;
+    constructor(aiClient) {
+        this.aiClient = aiClient;
+    }
+    /**
+     * Generates a list of contextual payloads based on the provided HTML context.
+     */
+    async generatePayloads(type, context) {
+        const systemPrompt = `You are an expert penetration tester. Your task is to generate 5 highly effective, specialized payloads to test for ${type.toUpperCase()} vulnerabilities.
+Focus on bypass techniques relevant to the provided HTML/parameter context.
+Format your response as a simple JSON array of strings: ["payload1", "payload2", ...]
+Do not include any explanations, just the JSON array.`;
+        const prompt = `
+Generate 5 ${type.toUpperCase()} payloads for:
+Parameter: ${context.parameterName}
+URL: ${context.url}
+${context.htmlContext ? `HTML Context: ${context.htmlContext}` : ""}
+${context.tagName ? `Inside Tag: ${context.tagName}` : ""}
+${context.attributeName ? `Inside Attribute: ${context.attributeName}` : ""}
+
+Consider:
+1. Filter bypasses (WAF, sanitizers).
+2. Escape sequences if inside a string or attribute.
+3. Breaking out of tags if applicable.
+4. Non-standard encoding (URL/HTML entities) if likely needed.
+`;
+        try {
+            const response = await this.aiClient.analyze(prompt, systemPrompt);
+            const content = response.content.trim();
+            // Try to parse JSON array from the response
+            const match = content.match(/\[.*\]/s);
+            if (match) {
+                const payloads = JSON.parse(match[0]);
+                if (Array.isArray(payloads)) {
+                    return payloads.map(p => String(p));
+                }
+            }
+            // Fallback: split by newlines if JSON parsing fails
+            return content.split("\n")
+                .map(line => line.replace(/^[\d.-]\s*/, "").trim())
+                .filter(line => line.length > 0)
+                .slice(0, 5);
+        }
+        catch (error) {
+            console.error(`Error generating AI payloads: ${error.message}`);
+            return [];
+        }
+    }
+}
+exports.PayloadGenerator = PayloadGenerator;

package/dist/core/config-schema.d.ts

@@ -0,0 +1,197 @@
+import { z } from "zod";
+export declare const AiProviderNameSchema: z.ZodEnum<["openai", "anthropic", "gemini", "openrouter", "mistral", "kimi", "groq"]>;
+export declare const ReportFormatSchema: z.ZodEnum<["word", "txt", "json"]>;
+export declare const SeverityThresholdSchema: z.ZodEnum<["info", "low", "medium", "high", "critical"]>;
+export declare const ScanProfileSchema: z.ZodObject<{
+    depth: z.ZodNumber;
+    timeout: z.ZodNumber;
+    maxPages: z.ZodNumber;
+    maxLinksPerPage: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    depth: number;
+    timeout: number;
+    maxPages: number;
+    maxLinksPerPage: number;
+}, {
+    depth: number;
+    timeout: number;
+    maxPages: number;
+    maxLinksPerPage: number;
+}>;
+export type ScanProfile = z.infer<typeof ScanProfileSchema>;
+export declare const defaultScanProfiles: Record<string, ScanProfile>;
+export declare const ConfigSchema: z.ZodObject<{
+    ai: z.ZodObject<{
+        provider: z.ZodDefault<z.ZodEnum<["openai", "anthropic", "gemini", "openrouter", "mistral", "kimi", "groq"]>>;
+        apiKey: z.ZodDefault<z.ZodString>;
+        defaultModel: z.ZodDefault<z.ZodString>;
+        enabled: z.ZodDefault<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        provider: "openai" | "anthropic" | "gemini" | "openrouter" | "mistral" | "kimi" | "groq";
+        apiKey: string;
+        defaultModel: string;
+        enabled: boolean;
+    }, {
+        provider?: "openai" | "anthropic" | "gemini" | "openrouter" | "mistral" | "kimi" | "groq" | undefined;
+        apiKey?: string | undefined;
+        defaultModel?: string | undefined;
+        enabled?: boolean | undefined;
+    }>;
+    scan: z.ZodObject<{
+        defaultTimeout: z.ZodDefault<z.ZodNumber>;
+        maxThreads: z.ZodDefault<z.ZodNumber>;
+        userAgent: z.ZodDefault<z.ZodString>;
+        followRedirects: z.ZodDefault<z.ZodBoolean>;
+        verifySSL: z.ZodDefault<z.ZodBoolean>;
+        rateLimitPerSecond: z.ZodDefault<z.ZodNumber>;
+        strictScope: z.ZodDefault<z.ZodBoolean>;
+        profiles: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
+            depth: z.ZodNumber;
+            timeout: z.ZodNumber;
+            maxPages: z.ZodNumber;
+            maxLinksPerPage: z.ZodNumber;
+        }, "strip", z.ZodTypeAny, {
+            depth: number;
+            timeout: number;
+            maxPages: number;
+            maxLinksPerPage: number;
+        }, {
+            depth: number;
+            timeout: number;
+            maxPages: number;
+            maxLinksPerPage: number;
+        }>>>;
+        defaultProfile: z.ZodDefault<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        defaultTimeout: number;
+        maxThreads: number;
+        userAgent: string;
+        followRedirects: boolean;
+        verifySSL: boolean;
+        rateLimitPerSecond: number;
+        strictScope: boolean;
+        profiles: Record<string, {
+            depth: number;
+            timeout: number;
+            maxPages: number;
+            maxLinksPerPage: number;
+        }>;
+        defaultProfile: string;
+    }, {
+        defaultTimeout?: number | undefined;
+        maxThreads?: number | undefined;
+        userAgent?: string | undefined;
+        followRedirects?: boolean | undefined;
+        verifySSL?: boolean | undefined;
+        rateLimitPerSecond?: number | undefined;
+        strictScope?: boolean | undefined;
+        profiles?: Record<string, {
+            depth: number;
+            timeout: number;
+            maxPages: number;
+            maxLinksPerPage: number;
+        }> | undefined;
+        defaultProfile?: string | undefined;
+    }>;
+    report: z.ZodObject<{
+        defaultFormat: z.ZodDefault<z.ZodEnum<["word", "txt", "json"]>>;
+        companyName: z.ZodDefault<z.ZodString>;
+        includeScreenshots: z.ZodDefault<z.ZodBoolean>;
+        severityThreshold: z.ZodDefault<z.ZodEnum<["info", "low", "medium", "high", "critical"]>>;
+    }, "strip", z.ZodTypeAny, {
+        defaultFormat: "word" | "txt" | "json";
+        companyName: string;
+        includeScreenshots: boolean;
+        severityThreshold: "info" | "low" | "medium" | "high" | "critical";
+    }, {
+        defaultFormat?: "word" | "txt" | "json" | undefined;
+        companyName?: string | undefined;
+        includeScreenshots?: boolean | undefined;
+        severityThreshold?: "info" | "low" | "medium" | "high" | "critical" | undefined;
+    }>;
+    skills: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        timeout: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        enabled: boolean;
+        timeout?: number | undefined;
+    }, {
+        timeout?: number | undefined;
+        enabled?: boolean | undefined;
+    }>>>;
+    proxy: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    ai: {
+        provider: "openai" | "anthropic" | "gemini" | "openrouter" | "mistral" | "kimi" | "groq";
+        apiKey: string;
+        defaultModel: string;
+        enabled: boolean;
+    };
+    scan: {
+        defaultTimeout: number;
+        maxThreads: number;
+        userAgent: string;
+        followRedirects: boolean;
+        verifySSL: boolean;
+        rateLimitPerSecond: number;
+        strictScope: boolean;
+        profiles: Record<string, {
+            depth: number;
+            timeout: number;
+            maxPages: number;
+            maxLinksPerPage: number;
+        }>;
+        defaultProfile: string;
+    };
+    report: {
+        defaultFormat: "word" | "txt" | "json";
+        companyName: string;
+        includeScreenshots: boolean;
+        severityThreshold: "info" | "low" | "medium" | "high" | "critical";
+    };
+    skills: Record<string, {
+        enabled: boolean;
+        timeout?: number | undefined;
+    }>;
+    proxy?: string | undefined;
+}, {
+    ai: {
+        provider?: "openai" | "anthropic" | "gemini" | "openrouter" | "mistral" | "kimi" | "groq" | undefined;
+        apiKey?: string | undefined;
+        defaultModel?: string | undefined;
+        enabled?: boolean | undefined;
+    };
+    scan: {
+        defaultTimeout?: number | undefined;
+        maxThreads?: number | undefined;
+        userAgent?: string | undefined;
+        followRedirects?: boolean | undefined;
+        verifySSL?: boolean | undefined;
+        rateLimitPerSecond?: number | undefined;
+        strictScope?: boolean | undefined;
+        profiles?: Record<string, {
+            depth: number;
+            timeout: number;
+            maxPages: number;
+            maxLinksPerPage: number;
+        }> | undefined;
+        defaultProfile?: string | undefined;
+    };
+    report: {
+        defaultFormat?: "word" | "txt" | "json" | undefined;
+        companyName?: string | undefined;
+        includeScreenshots?: boolean | undefined;
+        severityThreshold?: "info" | "low" | "medium" | "high" | "critical" | undefined;
+    };
+    skills?: Record<string, {
+        timeout?: number | undefined;
+        enabled?: boolean | undefined;
+    }> | undefined;
+    proxy?: string | undefined;
+}>;
+export type Config = z.infer<typeof ConfigSchema>;
+export type AiProviderName = z.infer<typeof AiProviderNameSchema>;
+export type ReportFormat = z.infer<typeof ReportFormatSchema>;
+export declare function validateConfig(config: unknown): Config;
+export declare function validateScanProfile(profile: unknown): ScanProfile;
+export { defaultScanProfiles as scanProfiles };

package/dist/core/config-schema.js

@@ -0,0 +1,68 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanProfiles = exports.ConfigSchema = exports.defaultScanProfiles = exports.ScanProfileSchema = exports.SeverityThresholdSchema = exports.ReportFormatSchema = exports.AiProviderNameSchema = void 0;
+exports.validateConfig = validateConfig;
+exports.validateScanProfile = validateScanProfile;
+const zod_1 = require("zod");
+// ─── Zod Schemas ───────────────────────────────────────────────────
+exports.AiProviderNameSchema = zod_1.z.enum([
+    "openai",
+    "anthropic",
+    "gemini",
+    "openrouter",
+    "mistral",
+    "kimi",
+    "groq",
+]);
+exports.ReportFormatSchema = zod_1.z.enum(["word", "txt", "json"]);
+exports.SeverityThresholdSchema = zod_1.z.enum(["info", "low", "medium", "high", "critical"]);
+exports.ScanProfileSchema = zod_1.z.object({
+    depth: zod_1.z.number().int().min(1).max(5),
+    timeout: zod_1.z.number().int().min(1000),
+    maxPages: zod_1.z.number().int().min(1),
+    maxLinksPerPage: zod_1.z.number().int().min(1),
+});
+// Default scan profiles
+exports.defaultScanProfiles = {
+    quick: { depth: 1, timeout: 15000, maxPages: 10, maxLinksPerPage: 20 },
+    balanced: { depth: 2, timeout: 30000, maxPages: 30, maxLinksPerPage: 50 },
+    deep: { depth: 3, timeout: 60000, maxPages: 100, maxLinksPerPage: 100 },
+};
+exports.scanProfiles = exports.defaultScanProfiles;
+exports.ConfigSchema = zod_1.z.object({
+    ai: zod_1.z.object({
+        provider: exports.AiProviderNameSchema.default("openai"),
+        apiKey: zod_1.z.string().default(""),
+        defaultModel: zod_1.z.string().default("gpt-4"),
+        enabled: zod_1.z.boolean().default(false),
+    }),
+    scan: zod_1.z.object({
+        defaultTimeout: zod_1.z.number().int().min(1000).default(30000),
+        maxThreads: zod_1.z.number().int().min(1).max(20).default(5),
+        userAgent: zod_1.z.string().default("KramScan/0.2.0"),
+        followRedirects: zod_1.z.boolean().default(true),
+        verifySSL: zod_1.z.boolean().default(true),
+        rateLimitPerSecond: zod_1.z.number().int().min(1).max(100).default(5),
+        strictScope: zod_1.z.boolean().default(true),
+        profiles: zod_1.z.record(exports.ScanProfileSchema).default(exports.defaultScanProfiles),
+        defaultProfile: zod_1.z.string().default("balanced"),
+    }),
+    report: zod_1.z.object({
+        defaultFormat: exports.ReportFormatSchema.default("word"),
+        companyName: zod_1.z.string().default("Your Company"),
+        includeScreenshots: zod_1.z.boolean().default(false),
+        severityThreshold: exports.SeverityThresholdSchema.default("low"),
+    }),
+    skills: zod_1.z.record(zod_1.z.object({
+        enabled: zod_1.z.boolean().default(true),
+        timeout: zod_1.z.number().int().optional(),
+    })).default({}),
+    proxy: zod_1.z.string().optional(),
+});
+// Validation function
+function validateConfig(config) {
+    return exports.ConfigSchema.parse(config);
+}
+function validateScanProfile(profile) {
+    return exports.ScanProfileSchema.parse(profile);
+}

package/dist/core/config-schema.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/core/config-schema.test.js

@@ -0,0 +1,151 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const config_schema_1 = require("./config-schema");
+describe("config-schema", () => {
+    // ─── validateConfig ────────────────────────────────────────────
+    describe("validateConfig", () => {
+        const validConfig = {
+            ai: {
+                provider: "openai",
+                apiKey: "sk-test",
+                defaultModel: "gpt-4",
+                enabled: true,
+            },
+            scan: {
+                defaultTimeout: 30000,
+                maxThreads: 5,
+                userAgent: "KramScan/0.1.0",
+                followRedirects: true,
+                verifySSL: true,
+                rateLimitPerSecond: 5,
+                strictScope: true,
+                profiles: {
+                    quick: { depth: 1, timeout: 15000, maxPages: 10, maxLinksPerPage: 20 },
+                },
+                defaultProfile: "balanced",
+            },
+            report: {
+                defaultFormat: "word",
+                companyName: "Test Corp",
+                includeScreenshots: false,
+                severityThreshold: "low",
+            },
+            skills: {
+                sqli: { enabled: true },
+                xss: { enabled: true },
+            },
+        };
+        it("should accept a valid config", () => {
+            const result = (0, config_schema_1.validateConfig)(validConfig);
+            expect(result.ai.provider).toBe("openai");
+            expect(result.scan.maxThreads).toBe(5);
+        });
+        it("should reject invalid AI provider", () => {
+            expect(() => (0, config_schema_1.validateConfig)({
+                ...validConfig,
+                ai: { ...validConfig.ai, provider: "invalid_provider" },
+            })).toThrow();
+        });
+        it("should reject invalid report format", () => {
+            expect(() => (0, config_schema_1.validateConfig)({
+                ...validConfig,
+                report: { ...validConfig.report, defaultFormat: "pdf" },
+            })).toThrow();
+        });
+        it("should reject timeout below minimum", () => {
+            expect(() => (0, config_schema_1.validateConfig)({
+                ...validConfig,
+                scan: { ...validConfig.scan, defaultTimeout: 500 },
+            })).toThrow();
+        });
+        it("should reject maxThreads above maximum", () => {
+            expect(() => (0, config_schema_1.validateConfig)({
+                ...validConfig,
+                scan: { ...validConfig.scan, maxThreads: 25 },
+            })).toThrow();
+        });
+        it("should reject maxThreads below minimum", () => {
+            expect(() => (0, config_schema_1.validateConfig)({
+                ...validConfig,
+                scan: { ...validConfig.scan, maxThreads: 0 },
+            })).toThrow();
+        });
+        it("should accept all valid AI providers", () => {
+            const providers = ["openai", "anthropic", "gemini", "openrouter", "mistral", "kimi", "groq"];
+            for (const provider of providers) {
+                expect(() => (0, config_schema_1.validateConfig)({
+                    ...validConfig,
+                    ai: { ...validConfig.ai, provider },
+                })).not.toThrow();
+            }
+        });
+        it("should accept all valid severity thresholds", () => {
+            const thresholds = ["info", "low", "medium", "high", "critical"];
+            for (const threshold of thresholds) {
+                expect(() => (0, config_schema_1.validateConfig)({
+                    ...validConfig,
+                    report: { ...validConfig.report, severityThreshold: threshold },
+                })).not.toThrow();
+            }
+        });
+    });
+    // ─── validateScanProfile ───────────────────────────────────────
+    describe("validateScanProfile", () => {
+        it("should accept a valid scan profile", () => {
+            const profile = (0, config_schema_1.validateScanProfile)({
+                depth: 2,
+                timeout: 30000,
+                maxPages: 50,
+                maxLinksPerPage: 30,
+            });
+            expect(profile.depth).toBe(2);
+            expect(profile.maxPages).toBe(50);
+        });
+        it("should reject depth below minimum", () => {
+            expect(() => (0, config_schema_1.validateScanProfile)({
+                depth: 0,
+                timeout: 30000,
+                maxPages: 50,
+                maxLinksPerPage: 30,
+            })).toThrow();
+        });
+        it("should reject depth above maximum", () => {
+            expect(() => (0, config_schema_1.validateScanProfile)({
+                depth: 6,
+                timeout: 30000,
+                maxPages: 50,
+                maxLinksPerPage: 30,
+            })).toThrow();
+        });
+        it("should reject timeout below minimum", () => {
+            expect(() => (0, config_schema_1.validateScanProfile)({
+                depth: 2,
+                timeout: 500,
+                maxPages: 50,
+                maxLinksPerPage: 30,
+            })).toThrow();
+        });
+        it("should reject maxPages below minimum", () => {
+            expect(() => (0, config_schema_1.validateScanProfile)({
+                depth: 2,
+                timeout: 30000,
+                maxPages: 0,
+                maxLinksPerPage: 30,
+            })).toThrow();
+        });
+        it("should accept boundary values", () => {
+            expect(() => (0, config_schema_1.validateScanProfile)({
+                depth: 1,
+                timeout: 1000,
+                maxPages: 1,
+                maxLinksPerPage: 1,
+            })).not.toThrow();
+            expect(() => (0, config_schema_1.validateScanProfile)({
+                depth: 5,
+                timeout: 120000,
+                maxPages: 1000,
+                maxLinksPerPage: 500,
+            })).not.toThrow();
+        });
+    });
+});

package/dist/core/config.d.ts

@@ -1,33 +1,7 @@
-export type AiProviderName = "openai" | "anthropic" | "gemini" | "openrouter" | "mistral" | "kimi";
-export type ReportFormat = "word" | "txt" | "json";
-export interface Config {
-    ai: {
-        provider: AiProviderName;
-        apiKey: string;
-        defaultModel: string;
-        enabled: boolean;
-    };
-    scan: {
-        defaultTimeout: number;
-        maxThreads: number;
-        userAgent: string;
-        followRedirects: boolean;
-        verifySSL: boolean;
-        rateLimitPerSecond: number;
-        strictScope: boolean;
-    };
-    report: {
-        defaultFormat: ReportFormat;
-        companyName: string;
-        includeScreenshots: boolean;
-        severityThreshold: "info" | "low" | "medium" | "high" | "critical";
-    };
-    skills: Record<string, {
-        enabled: boolean;
-        timeout?: number;
-    }>;
-    proxy?: string;
-}
+import { Config, ScanProfile } from "./config-schema";
+export type { AiProviderName, ReportFormat, Config } from "./config-schema";
+export { defaultScanProfiles as scanProfiles, validateConfig, validateScanProfile, ScanProfile } from "./config-schema";
+export * from "./errors";
 export declare function isDebugEnabled(): boolean;
 declare class ConfigStore {
     private configPath;
@@ -40,10 +14,13 @@ declare class ConfigStore {
     set(key: string, value: unknown): Promise<void>;
     private save;
     setConfig(config: Config): Promise<void>;
+    getScanProfile(name: string): ScanProfile | undefined;
+    addScanProfile(name: string, profile: ScanProfile): Promise<void>;
 }
 export declare function getConfigStore(): ConfigStore;
 export declare function getConfig(): Promise<Config>;
 export declare function getConfigValue(key: string): Promise<unknown>;
 export declare function setConfigValue(key: string, value: unknown): Promise<void>;
 export declare function setConfig(config: Config): Promise<void>;
-export {};
+export declare function getScanProfile(name: string): Promise<ScanProfile | undefined>;
+export declare function addScanProfile(name: string, profile: ScanProfile): Promise<void>;