kramscan 0.2.0 → 0.3.0

package/dist/plugins/vulnerabilities/DebugEndpointPlugin.js

@@ -0,0 +1,222 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DebugEndpointPlugin = void 0;
+const types_1 = require("../types");
+class DebugEndpointPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Debug Endpoint Detector";
+    type = "info";
+    description = "Probes for common debug, admin, and development endpoints left exposed";
+    reportedPaths = new Set();
+    /**
+     * Common debug/dev endpoints that developers forget to disable before deployment.
+     * Each entry has a path, a human-readable name, and expected severity.
+     */
+    debugEndpoints = [
+        {
+            path: "/debug",
+            name: "Debug Panel",
+            severity: "high",
+            indicators: ["debug", "stack", "trace", "error"],
+            remediation: "Remove or protect the /debug endpoint behind authentication.",
+        },
+        {
+            path: "/__debug__",
+            name: "Django Debug Panel",
+            severity: "high",
+            indicators: ["django", "debug", "toolbar"],
+            remediation: "Set DEBUG=False in Django settings for production.",
+        },
+        {
+            path: "/phpinfo.php",
+            name: "PHP Info Page",
+            severity: "high",
+            indicators: ["phpinfo", "PHP Version", "Configuration"],
+            remediation: "Remove phpinfo.php from production servers.",
+        },
+        {
+            path: "/server-status",
+            name: "Apache Server Status",
+            severity: "medium",
+            indicators: ["Apache", "Server Version", "Current Time"],
+            remediation: "Restrict /server-status to internal IPs only.",
+        },
+        {
+            path: "/server-info",
+            name: "Apache Server Info",
+            severity: "medium",
+            indicators: ["Apache", "Server Information"],
+            remediation: "Disable mod_info or restrict access to internal IPs.",
+        },
+        {
+            path: "/graphql",
+            name: "GraphQL Endpoint (Introspection)",
+            severity: "medium",
+            indicators: ["graphql", "__schema", "query"],
+            remediation: "Disable GraphQL introspection in production.",
+        },
+        {
+            path: "/graphiql",
+            name: "GraphiQL IDE",
+            severity: "high",
+            indicators: ["graphiql", "GraphiQL"],
+            remediation: "Remove GraphiQL from production deployments.",
+        },
+        {
+            path: "/swagger",
+            name: "Swagger UI",
+            severity: "medium",
+            indicators: ["swagger", "api-docs", "openapi"],
+            remediation: "Protect Swagger UI behind authentication or remove from production.",
+        },
+        {
+            path: "/swagger-ui.html",
+            name: "Swagger UI HTML",
+            severity: "medium",
+            indicators: ["swagger", "api-docs"],
+            remediation: "Protect Swagger UI behind authentication or remove from production.",
+        },
+        {
+            path: "/api-docs",
+            name: "API Documentation",
+            severity: "low",
+            indicators: ["api", "docs", "openapi", "swagger"],
+            remediation: "Restrict API docs to authenticated users in production.",
+        },
+        {
+            path: "/actuator",
+            name: "Spring Boot Actuator",
+            severity: "high",
+            indicators: ["actuator", "beans", "health", "info"],
+            remediation: "Secure Spring Boot Actuator endpoints with authentication.",
+        },
+        {
+            path: "/actuator/env",
+            name: "Spring Boot Environment",
+            severity: "critical",
+            indicators: ["property", "source", "value"],
+            remediation: "Never expose /actuator/env publicly. It reveals environment variables and secrets.",
+        },
+        {
+            path: "/actuator/heapdump",
+            name: "Spring Boot Heap Dump",
+            severity: "critical",
+            indicators: [],
+            remediation: "Disable heap dump endpoint. It can expose sensitive memory contents.",
+        },
+        {
+            path: "/elmah.axd",
+            name: "ELMAH Error Log (.NET)",
+            severity: "high",
+            indicators: ["elmah", "error", "exception"],
+            remediation: "Restrict ELMAH access to authenticated administrators.",
+        },
+        {
+            path: "/trace.axd",
+            name: ".NET Trace Page",
+            severity: "high",
+            indicators: ["trace", "request", "response"],
+            remediation: "Disable tracing in production web.config.",
+        },
+        {
+            path: "/.env",
+            name: "Environment File",
+            severity: "critical",
+            indicators: ["=", "KEY", "SECRET", "PASSWORD", "DATABASE"],
+            remediation: "Never serve .env files. Add them to .gitignore and configure your server to deny access.",
+        },
+        {
+            path: "/wp-config.php",
+            name: "WordPress Config",
+            severity: "critical",
+            indicators: ["DB_NAME", "DB_PASSWORD", "AUTH_KEY"],
+            remediation: "Ensure wp-config.php is not accessible via HTTP.",
+        },
+        {
+            path: "/.git/config",
+            name: "Git Repository Config",
+            severity: "critical",
+            indicators: ["[core]", "[remote", "repositoryformatversion"],
+            remediation: "Block access to .git directory. Your source code is exposed.",
+        },
+        {
+            path: "/.git/HEAD",
+            name: "Git HEAD Reference",
+            severity: "high",
+            indicators: ["ref:", "refs/heads/"],
+            remediation: "Block access to the entire .git directory in your web server configuration.",
+        },
+        {
+            path: "/config.json",
+            name: "JSON Config File",
+            severity: "medium",
+            indicators: ["apiKey", "secret", "password", "database", "connection"],
+            remediation: "Do not serve config files via HTTP. Move them outside the web root.",
+        },
+        {
+            path: "/test",
+            name: "Test Endpoint",
+            severity: "low",
+            indicators: ["test", "debug", "hello"],
+            remediation: "Remove test endpoints before deploying to production.",
+        },
+        {
+            path: "/health",
+            name: "Health Check (Verbose)",
+            severity: "low",
+            indicators: ["database", "connection", "redis", "memory", "uptime"],
+            remediation: "Limit health check responses to simple status. Do not expose internal service details.",
+        },
+        {
+            path: "/metrics",
+            name: "Prometheus Metrics",
+            severity: "medium",
+            indicators: ["process_", "http_", "nodejs_", "go_"],
+            remediation: "Protect /metrics endpoint behind authentication or restrict to internal networks.",
+        },
+    ];
+    async analyzeContent(context, content) {
+        const vulnerabilities = [];
+        const baseUrl = new URL(context.url).origin;
+        for (const endpoint of this.debugEndpoints) {
+            const fullPath = `${baseUrl}${endpoint.path}`;
+            if (this.reportedPaths.has(fullPath))
+                continue;
+            try {
+                const response = await context.page.evaluate(async (url) => {
+                    try {
+                        const res = await fetch(url, {
+                            method: "GET",
+                            redirect: "follow",
+                            credentials: "omit",
+                        });
+                        const text = await res.text();
+                        return { status: res.status, body: text.substring(0, 2000) };
+                    }
+                    catch {
+                        return { status: 0, body: "" };
+                    }
+                }, fullPath);
+                // Check if the endpoint exists and contains debug indicators
+                if (response.status >= 200 && response.status < 400) {
+                    const bodyLower = response.body.toLowerCase();
+                    // For endpoints with no indicators (like heap dumps), 200 status is enough
+                    const hasIndicators = endpoint.indicators.length === 0 ||
+                        endpoint.indicators.some(ind => bodyLower.includes(ind.toLowerCase()));
+                    if (hasIndicators) {
+                        this.reportedPaths.add(fullPath);
+                        vulnerabilities.push(this.createVulnerability(`Exposed ${endpoint.name}`, `The ${endpoint.name} endpoint is accessible at ${endpoint.path}. ` +
+                            `This can expose sensitive internal information, configuration details, or debug data.`, fullPath, endpoint.severity, `HTTP ${response.status} at ${endpoint.path} (${response.body.substring(0, 100)}...)`, endpoint.remediation, "CWE-215"));
+                    }
+                }
+            }
+            catch {
+                // Endpoint not reachable, skip silently
+            }
+        }
+        return vulnerabilities;
+    }
+    reset() {
+        this.reportedPaths.clear();
+    }
+}
+exports.DebugEndpointPlugin = DebugEndpointPlugin;

package/dist/plugins/vulnerabilities/DirectoryTraversalPlugin.d.ts

@@ -0,0 +1,13 @@
+import { BaseVulnerabilityPlugin, PluginContext, VulnerabilityTestResult } from "../types";
+export declare class DirectoryTraversalPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Directory Traversal / LFI Detector";
+    readonly type: "lfi";
+    readonly description = "Tests for path traversal and local file inclusion vulnerabilities";
+    /**
+     * Payloads designed to detect directory traversal / LFI.
+     * Each payload targets a well-known file with distinctive content markers.
+     */
+    private readonly payloads;
+    testParameter(context: PluginContext, param: string, value: string): Promise<VulnerabilityTestResult>;
+    private buildTestUrl;
+}

package/dist/plugins/vulnerabilities/DirectoryTraversalPlugin.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DirectoryTraversalPlugin = void 0;
+const types_1 = require("../types");
+class DirectoryTraversalPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Directory Traversal / LFI Detector";
+    type = "lfi";
+    description = "Tests for path traversal and local file inclusion vulnerabilities";
+    /**
+     * Payloads designed to detect directory traversal / LFI.
+     * Each payload targets a well-known file with distinctive content markers.
+     */
+    payloads = [
+        // Linux/Unix path traversal
+        {
+            payload: "../../../etc/passwd",
+            markers: ["root:", "/bin/bash", "/bin/sh", "nobody:"],
+            os: "linux",
+        },
+        {
+            payload: "....//....//....//etc/passwd",
+            markers: ["root:", "/bin/bash", "/bin/sh"],
+            os: "linux",
+        },
+        {
+            payload: "..%2F..%2F..%2Fetc%2Fpasswd",
+            markers: ["root:", "/bin/bash", "/bin/sh"],
+            os: "linux",
+        },
+        {
+            payload: "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+        {
+            payload: "....\\\\....\\\\....\\\\etc\\\\passwd",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+        // Windows path traversal
+        {
+            payload: "..\\..\\..\\windows\\win.ini",
+            markers: ["[fonts]", "[extensions]", "[mci extensions]"],
+            os: "windows",
+        },
+        {
+            payload: "..%5C..%5C..%5Cwindows%5Cwin.ini",
+            markers: ["[fonts]", "[extensions]"],
+            os: "windows",
+        },
+        {
+            payload: "../../../windows/win.ini",
+            markers: ["[fonts]", "[extensions]"],
+            os: "windows",
+        },
+        // Null byte injection (legacy PHP)
+        {
+            payload: "../../../etc/passwd%00",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+        // Double encoding
+        {
+            payload: "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+    ];
+    async testParameter(context, param, value) {
+        for (const { payload, markers, os } of this.payloads) {
+            try {
+                const testUrl = this.buildTestUrl(context.url, param, payload);
+                const response = await context.page.evaluate(async (url) => {
+                    try {
+                        const res = await fetch(url, {
+                            method: "GET",
+                            redirect: "follow",
+                            credentials: "omit",
+                        });
+                        const text = await res.text();
+                        return { status: res.status, body: text.substring(0, 5000) };
+                    }
+                    catch {
+                        return { status: 0, body: "" };
+                    }
+                }, testUrl);
+                if (response.status >= 200 && response.status < 500) {
+                    const bodyLower = response.body.toLowerCase();
+                    const matchedMarkers = markers.filter(m => bodyLower.includes(m.toLowerCase()));
+                    if (matchedMarkers.length >= 2) {
+                        return this.success(this.createVulnerability("Directory Traversal / Local File Inclusion", `The parameter '${param}' is vulnerable to directory traversal. ` +
+                            `An attacker can read arbitrary files from the server filesystem (${os}).`, context.url, "critical", `Payload: ${param}=${payload} — matched markers: ${matchedMarkers.join(", ")}`, "Validate and sanitize all file path inputs. Use a whitelist of allowed files/directories. " +
+                            "Never pass user input directly to file system operations. " +
+                            "Use path.resolve() and verify the resolved path starts with the expected base directory.", "CWE-22"));
+                    }
+                }
+            }
+            catch {
+                // Skip this payload, try next
+            }
+        }
+        return this.failure();
+    }
+    buildTestUrl(baseUrl, param, payload) {
+        const url = new URL(baseUrl);
+        url.searchParams.set(param, payload);
+        return url.toString();
+    }
+}
+exports.DirectoryTraversalPlugin = DirectoryTraversalPlugin;

package/dist/plugins/vulnerabilities/OpenRedirectPlugin.d.ts

@@ -0,0 +1,10 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+import { Vulnerability } from "../../core/vulnerability-detector";
+export declare class OpenRedirectPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Open Redirect Detector";
+    readonly type: "redirect";
+    readonly description = "Detects open redirect vulnerabilities in URL parameters";
+    private readonly redirectParams;
+    private readonly testDomains;
+    analyzeContent(context: PluginContext, content: string): Promise<Vulnerability[]>;
+}

package/dist/plugins/vulnerabilities/OpenRedirectPlugin.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OpenRedirectPlugin = void 0;
+const types_1 = require("../types");
+class OpenRedirectPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Open Redirect Detector";
+    type = "redirect";
+    description = "Detects open redirect vulnerabilities in URL parameters";
+    redirectParams = [
+        "url", "redirect", "redirect_url", "redirect_uri", "return", "return_url",
+        "returnTo", "next", "next_url", "goto", "target", "dest", "destination",
+        "rurl", "redir", "out", "continue", "forward", "callback", "callback_url",
+        "path", "ref", "site", "view", "to", "link", "logout_redirect",
+    ];
+    testDomains = [
+        "https://evil.com",
+        "//evil.com",
+        "https://evil.com%2f%2f",
+        "/\\evil.com",
+        "https:evil.com",
+    ];
+    async analyzeContent(context, content) {
+        const vulnerabilities = [];
+        const url = new URL(context.url);
+        // Check if the current URL uses any redirect-like parameters
+        for (const param of this.redirectParams) {
+            const value = url.searchParams.get(param);
+            if (value) {
+                // Current URL has a redirect param — test it
+                for (const testDomain of this.testDomains) {
+                    try {
+                        const testUrl = new URL(context.url);
+                        testUrl.searchParams.set(param, testDomain);
+                        const result = await context.page.evaluate(async (targetUrl) => {
+                            try {
+                                const res = await fetch(targetUrl, {
+                                    method: "GET",
+                                    redirect: "manual",
+                                    credentials: "omit",
+                                });
+                                const location = res.headers.get("location") || "";
+                                return {
+                                    status: res.status,
+                                    location,
+                                };
+                            }
+                            catch {
+                                return { status: 0, location: "" };
+                            }
+                        }, testUrl.toString());
+                        if (result.status >= 300 && result.status < 400 &&
+                            result.location.includes("evil.com")) {
+                            vulnerabilities.push(this.createVulnerability("Open Redirect", `The parameter '${param}' allows redirection to arbitrary external URLs. ` +
+                                `Attackers can use this for phishing by crafting legitimate-looking URLs that redirect to malicious sites.`, context.url, "medium", `${param}=${testDomain} → Location: ${result.location}`, "Validate redirect URLs against a whitelist of allowed domains. " +
+                                "Use relative paths instead of full URLs. " +
+                                "Never redirect to user-supplied URLs without validation.", "CWE-601"));
+                            break; // One proof is enough for this param
+                        }
+                    }
+                    catch {
+                        // Skip this test
+                    }
+                }
+            }
+        }
+        return vulnerabilities;
+    }
+}
+exports.OpenRedirectPlugin = OpenRedirectPlugin;

package/dist/reports/PdfGenerator.js

@@ -40,7 +40,17 @@ exports.pdfGenerator = exports.PdfGenerator = void 0;
 const puppeteer_1 = __importDefault(require("puppeteer"));
 const scan_storage_1 = require("../core/scan-storage");
 const path_1 = __importDefault(require("path"));
-function escapeHtml(text) { return text; }
+function escapeHtml(text) {
+    if (!text)
+        return "";
+    return text
+        .toString()
+        .replace(/&/g, "&")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#039;");
+}
 function sanitizeFilenamePart(value) {
     return value
         .replace(/[<>:"\/\\|?*\x00-\x1F]/g, "_")
@@ -307,6 +317,21 @@ function buildPdfHtml(data) {
     </div>
 
     <div class="sub">Crawled URLs: <span class="mono">${scanResult.metadata.crawledUrls}</span> | Forms tested: <span class="mono">${scanResult.metadata.testedForms}</span> | Requests: <span class="mono">${scanResult.metadata.requestsMade}</span> | Duration: <span class="mono">${(scanResult.duration / 1000).toFixed(2)}s</span></div>
+    
+    <div style="margin-top: 20px; display: flex; align-items: center; gap: 15px; background: rgba(17,26,51,0.55); padding: 15px; border-radius: 12px; border: 1px solid var(--line);">
+        <div style="font-size: 24px; font-weight: 900; color: ${scanResult.score > 80 ? "#52c41a" : (scanResult.score > 50 ? "#faad14" : "#ff4d4f")};">
+            ${scanResult.score}/100
+        </div>
+        <div style="flex-grow: 1;">
+            <div style="font-size: 11px; text-transform: uppercase; color: var(--muted); letter-spacing: 0.5px; margin-bottom: 5px;">Security Posture</div>
+            <div style="height: 6px; background: rgba(255,255,255,0.1); border-radius: 3px; overflow: hidden;">
+                <div style="width: ${scanResult.score}%; height: 100%; background: ${scanResult.score > 80 ? "#52c41a" : (scanResult.score > 50 ? "#faad14" : "#ff4d4f")};"></div>
+            </div>
+        </div>
+        <div style="font-size: 12px; font-weight: 700; color: var(--muted);">
+            ${scanResult.score > 80 ? "EXCELLENT" : (scanResult.score > 50 ? "FAIR" : "POOR")}
+        </div>
+    </div>
 
     <div class="cards">
       ${rows || `<div class="card"><div class="title">No vulnerabilities found</div><div class="v">The scanner did not detect issues in the tested scope.</div></div>`}

package/dist/utils/theme.d.ts

@@ -43,6 +43,7 @@ export declare function displayScanSummary(result: {
         low: number;
         info: number;
     };
+    score: number;
     vulnerabilities: Array<{
         severity: string;
         title: string;

package/dist/utils/theme.js

@@ -127,7 +127,7 @@ function getSeverityColor(severity) {
 }
 // ─── Scan Summary Display ──────────────────────────────────────────
 function displayScanSummary(result) {
-    const { target, duration, metadata, summary, vulnerabilities, filepath, pdfPath } = result;
+    const { target, duration, metadata, summary, vulnerabilities, filepath, pdfPath, score } = result;
     // Scan Summary
     console.log("");
     console.log(exports.theme.brightWhite.bold("📊 Scan Summary"));
@@ -138,6 +138,12 @@ function displayScanSummary(result) {
     console.log(exports.theme.white("URLs Crawled:"), exports.theme.cyan(metadata.crawledUrls));
     console.log(exports.theme.white("Forms Tested:"), exports.theme.cyan(metadata.testedForms));
     console.log(exports.theme.white("Requests Made:"), exports.theme.cyan(metadata.requestsMade));
+    // Security Score Display
+    const scoreColor = score > 80 ? exports.theme.success : (score > 50 ? exports.theme.warning : exports.theme.error);
+    const scoreLabel = score > 80 ? "EXCELLENT" : (score > 50 ? "FAIR" : "POOR");
+    console.log("");
+    console.log(`  ${exports.theme.white("Security Score:")} ${scoreColor.bold(score + "/100")} ${exports.theme.gray(`(${scoreLabel})`)}`);
+    console.log(`  ${scoreColor("█".repeat(Math.round(score / 5)) + exports.theme.dim("█".repeat(20 - Math.round(score / 5))))}`);
     console.log("");
     // Vulnerability summary
     console.log(exports.theme.brightWhite.bold("🛡️  Vulnerabilities Found"));

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "kramscan",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "KramScan CLI — AI-powered web app security testing",
-  "author": "Akram Shaikh <akramshaikh.me>",
+  "author": "Akram Shaikh (https://akramshaikh.me)",
   "license": "MIT",
   "keywords": [
     "security",
@@ -13,6 +13,9 @@
     "web-security",
     "analysis"
   ],
+  "publishConfig": {
+    "access": "public"
+  },
   "repository": {
     "type": "git",
     "url": "https://github.com/shaikhakramshakil/kramscan.git"
@@ -45,7 +48,7 @@
     "lint": "eslint src --ext .ts",
     "lint:fix": "eslint src --ext .ts --fix",
     "format": "prettier --write \"src/**/*.ts\"",
-    "prepublishOnly": "npm run clean && npm run build"
+    "prepublishOnly": "npm test && npm run clean && npm run build"
   },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.31.0",