kramscan 0.2.0 → 0.3.1

package/dist/plugins/vulnerabilities/CORSAnalyzerPlugin.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CORSAnalyzerPlugin = void 0;
+const types_1 = require("../types");
+class CORSAnalyzerPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "CORS Analyzer";
+    type = "header";
+    description = "Detects overly permissive Cross-Origin Resource Sharing configurations";
+    reportedHosts = new Set();
+    async analyzeHeaders(context, headers) {
+        const host = new URL(context.url).host;
+        // Only report once per host
+        if (this.reportedHosts.has(host)) {
+            return [];
+        }
+        const vulnerabilities = [];
+        const acao = headers["access-control-allow-origin"];
+        const acac = headers["access-control-allow-credentials"];
+        const acam = headers["access-control-allow-methods"];
+        const acah = headers["access-control-allow-headers"];
+        // Check for wildcard origin
+        if (acao === "*") {
+            vulnerabilities.push(this.createVulnerability("CORS: Wildcard Origin Allowed", `The server at ${host} allows requests from any origin (Access-Control-Allow-Origin: *). ` +
+                `This can expose sensitive data to malicious third-party websites.`, context.url, "medium", `Access-Control-Allow-Origin: *`, "Restrict Access-Control-Allow-Origin to trusted domains only. " +
+                "Use a whitelist of allowed origins instead of the wildcard *.", "CWE-942"));
+        }
+        // Check for wildcard with credentials (very dangerous)
+        if (acao === "*" && acac?.toLowerCase() === "true") {
+            vulnerabilities.push(this.createVulnerability("CORS: Wildcard Origin with Credentials", `The server at ${host} allows any origin AND sends credentials. ` +
+                `This is a critical misconfiguration that can lead to complete session hijacking.`, context.url, "critical", `Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true`, "Never combine wildcard origin with credentials. " +
+                "Validate the Origin header against a strict whitelist and reflect only trusted origins.", "CWE-942"));
+        }
+        // Check if origin is reflected without validation (test with a probe)
+        if (acao && acao !== "*" && acao !== "null") {
+            // If the ACAO reflects back what looks like an origin, it might be reflecting without validation
+            const isLikelyReflecting = acao.includes("://") && !acao.includes(host);
+            if (isLikelyReflecting && acac?.toLowerCase() === "true") {
+                vulnerabilities.push(this.createVulnerability("CORS: Origin Reflection with Credentials", `The server at ${host} appears to reflect the Origin header value while also allowing credentials. ` +
+                    `An attacker can make authenticated requests from any origin.`, context.url, "high", `Access-Control-Allow-Origin: ${acao}, Access-Control-Allow-Credentials: true`, "Validate the Origin header against a strict whitelist of trusted domains. " +
+                    "Never blindly reflect the Origin header.", "CWE-942"));
+            }
+        }
+        // Check for null origin allowed (can be exploited via sandboxed iframes)
+        if (acao === "null") {
+            vulnerabilities.push(this.createVulnerability("CORS: Null Origin Allowed", `The server at ${host} accepts the 'null' origin. ` +
+                `Attackers can exploit this using sandboxed iframes or data URIs.`, context.url, "medium", `Access-Control-Allow-Origin: null`, "Do not allow the 'null' origin. Sandboxed iframes and redirects can send Origin: null.", "CWE-942"));
+        }
+        // Check for dangerous methods
+        if (acam) {
+            const dangerousMethods = ["PUT", "DELETE", "PATCH"];
+            const allowedMethods = acam.toUpperCase().split(",").map(m => m.trim());
+            const exposed = dangerousMethods.filter(m => allowedMethods.includes(m));
+            if (exposed.length > 0 && acao === "*") {
+                vulnerabilities.push(this.createVulnerability("CORS: Dangerous Methods with Wildcard Origin", `The server at ${host} allows ${exposed.join(", ")} methods from any origin. ` +
+                    `This could allow unauthorized data modification from third-party sites.`, context.url, "high", `Access-Control-Allow-Methods: ${acam}; Access-Control-Allow-Origin: *`, "Restrict allowed methods to those actually needed, and never combine with wildcard origin.", "CWE-942"));
+            }
+        }
+        if (vulnerabilities.length > 0) {
+            this.reportedHosts.add(host);
+        }
+        return vulnerabilities;
+    }
+    reset() {
+        this.reportedHosts.clear();
+    }
+}
+exports.CORSAnalyzerPlugin = CORSAnalyzerPlugin;

package/dist/plugins/vulnerabilities/CookieSecurityPlugin.d.ts

@@ -0,0 +1,10 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+import { Vulnerability } from "../../core/vulnerability-detector";
+export declare class CookieSecurityPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Cookie Security Auditor";
+    readonly type: "header";
+    readonly description = "Audits cookies for missing security flags (HttpOnly, Secure, SameSite)";
+    private readonly reportedCookies;
+    analyzeHeaders(context: PluginContext, headers: Record<string, string>): Promise<Vulnerability[]>;
+    reset(): void;
+}

package/dist/plugins/vulnerabilities/CookieSecurityPlugin.js

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CookieSecurityPlugin = void 0;
+const types_1 = require("../types");
+class CookieSecurityPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Cookie Security Auditor";
+    type = "header";
+    description = "Audits cookies for missing security flags (HttpOnly, Secure, SameSite)";
+    reportedCookies = new Set();
+    async analyzeHeaders(context, headers) {
+        const vulnerabilities = [];
+        const host = new URL(context.url).host;
+        // Collect all set-cookie headers
+        const setCookieHeader = headers["set-cookie"];
+        if (!setCookieHeader)
+            return [];
+        // set-cookie headers might be combined with newlines in some scenarios
+        const cookies = setCookieHeader.split(/,(?=[^;]*=)/g).map(c => c.trim());
+        for (const cookie of cookies) {
+            const cookieName = cookie.split("=")[0]?.trim();
+            if (!cookieName)
+                continue;
+            const cookieKey = `${host}:${cookieName}`;
+            if (this.reportedCookies.has(cookieKey))
+                continue;
+            const cookieLower = cookie.toLowerCase();
+            const issues = [];
+            // Check HttpOnly flag
+            if (!cookieLower.includes("httponly")) {
+                issues.push("Missing HttpOnly flag (vulnerable to XSS cookie theft)");
+            }
+            // Check Secure flag
+            if (!cookieLower.includes("secure")) {
+                issues.push("Missing Secure flag (cookie sent over HTTP)");
+            }
+            // Check SameSite attribute
+            if (!cookieLower.includes("samesite")) {
+                issues.push("Missing SameSite attribute (vulnerable to CSRF)");
+            }
+            else if (cookieLower.includes("samesite=none")) {
+                if (!cookieLower.includes("secure")) {
+                    issues.push("SameSite=None without Secure flag (browser will reject)");
+                }
+                issues.push("SameSite=None allows cross-site requests (verify this is intentional)");
+            }
+            // Check for session-like cookies with missing flags
+            const isSessionCookie = /^(sess|session|sid|token|auth|jwt|csrf|xsrf|connect\.sid|phpsessid|jsessionid|asp\.net_sessionid)/i.test(cookieName);
+            if (issues.length > 0) {
+                const severity = isSessionCookie
+                    ? (issues.some(i => i.includes("HttpOnly")) ? "high" : "medium")
+                    : "low";
+                this.reportedCookies.add(cookieKey);
+                vulnerabilities.push(this.createVulnerability(`Insecure Cookie: ${cookieName}`, `The cookie '${cookieName}' on ${host} has security issues:\n` +
+                    issues.map(i => `  • ${i}`).join("\n"), context.url, severity, `Set-Cookie: ${cookie.substring(0, 200)}`, "Set all cookies with: HttpOnly (prevents JS access), " +
+                    "Secure (HTTPS only), SameSite=Lax or Strict (CSRF protection). " +
+                    "Example: Set-Cookie: session=abc; HttpOnly; Secure; SameSite=Lax; Path=/", "CWE-614"));
+            }
+            // Check for overly broad domain
+            const domainMatch = cookie.match(/domain=([^;]+)/i);
+            if (domainMatch) {
+                const domain = domainMatch[1].trim();
+                if (domain.startsWith(".") && domain.split(".").length <= 2) {
+                    this.reportedCookies.add(cookieKey + ":domain");
+                    vulnerabilities.push(this.createVulnerability(`Cookie Domain Too Broad: ${cookieName}`, `The cookie '${cookieName}' has domain set to '${domain}', which allows ` +
+                        `any subdomain to read this cookie. This increases the attack surface.`, context.url, "low", `Domain=${domain}`, "Set the cookie domain to the most specific subdomain possible.", "CWE-1275"));
+                }
+            }
+            // Check for missing expiry on session cookies (persistent session)
+            if (isSessionCookie && !cookieLower.includes("expires") && !cookieLower.includes("max-age")) {
+                // This is actually good practice (session cookie dies with browser close)
+                // But if there's _no_ expiry and it's NOT a session cookie, flag it
+            }
+            else if (isSessionCookie && cookieLower.includes("max-age")) {
+                const maxAgeMatch = cookie.match(/max-age=(\d+)/i);
+                if (maxAgeMatch) {
+                    const maxAge = parseInt(maxAgeMatch[1], 10);
+                    const thirtyDays = 30 * 24 * 60 * 60;
+                    if (maxAge > thirtyDays) {
+                        vulnerabilities.push(this.createVulnerability(`Long-Lived Session Cookie: ${cookieName}`, `The session cookie '${cookieName}' has a very long lifetime (${Math.round(maxAge / 86400)} days). ` +
+                            `Long-lived session tokens increase the window for token theft.`, context.url, "low", `Max-Age=${maxAge} (${Math.round(maxAge / 86400)} days)`, "Set session cookie lifetime to the minimum needed (e.g., 24 hours for most apps).", "CWE-613"));
+                    }
+                }
+            }
+        }
+        return vulnerabilities;
+    }
+    reset() {
+        this.reportedCookies.clear();
+    }
+}
+exports.CookieSecurityPlugin = CookieSecurityPlugin;

package/dist/plugins/vulnerabilities/DebugEndpointPlugin.d.ts

@@ -0,0 +1,15 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+import { Vulnerability } from "../../core/vulnerability-detector";
+export declare class DebugEndpointPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Debug Endpoint Detector";
+    readonly type: "info";
+    readonly description = "Probes for common debug, admin, and development endpoints left exposed";
+    private readonly reportedPaths;
+    /**
+     * Common debug/dev endpoints that developers forget to disable before deployment.
+     * Each entry has a path, a human-readable name, and expected severity.
+     */
+    private readonly debugEndpoints;
+    analyzeContent(context: PluginContext, content: string): Promise<Vulnerability[]>;
+    reset(): void;
+}

package/dist/plugins/vulnerabilities/DebugEndpointPlugin.js

@@ -0,0 +1,222 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DebugEndpointPlugin = void 0;
+const types_1 = require("../types");
+class DebugEndpointPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Debug Endpoint Detector";
+    type = "info";
+    description = "Probes for common debug, admin, and development endpoints left exposed";
+    reportedPaths = new Set();
+    /**
+     * Common debug/dev endpoints that developers forget to disable before deployment.
+     * Each entry has a path, a human-readable name, and expected severity.
+     */
+    debugEndpoints = [
+        {
+            path: "/debug",
+            name: "Debug Panel",
+            severity: "high",
+            indicators: ["debug", "stack", "trace", "error"],
+            remediation: "Remove or protect the /debug endpoint behind authentication.",
+        },
+        {
+            path: "/__debug__",
+            name: "Django Debug Panel",
+            severity: "high",
+            indicators: ["django", "debug", "toolbar"],
+            remediation: "Set DEBUG=False in Django settings for production.",
+        },
+        {
+            path: "/phpinfo.php",
+            name: "PHP Info Page",
+            severity: "high",
+            indicators: ["phpinfo", "PHP Version", "Configuration"],
+            remediation: "Remove phpinfo.php from production servers.",
+        },
+        {
+            path: "/server-status",
+            name: "Apache Server Status",
+            severity: "medium",
+            indicators: ["Apache", "Server Version", "Current Time"],
+            remediation: "Restrict /server-status to internal IPs only.",
+        },
+        {
+            path: "/server-info",
+            name: "Apache Server Info",
+            severity: "medium",
+            indicators: ["Apache", "Server Information"],
+            remediation: "Disable mod_info or restrict access to internal IPs.",
+        },
+        {
+            path: "/graphql",
+            name: "GraphQL Endpoint (Introspection)",
+            severity: "medium",
+            indicators: ["graphql", "__schema", "query"],
+            remediation: "Disable GraphQL introspection in production.",
+        },
+        {
+            path: "/graphiql",
+            name: "GraphiQL IDE",
+            severity: "high",
+            indicators: ["graphiql", "GraphiQL"],
+            remediation: "Remove GraphiQL from production deployments.",
+        },
+        {
+            path: "/swagger",
+            name: "Swagger UI",
+            severity: "medium",
+            indicators: ["swagger", "api-docs", "openapi"],
+            remediation: "Protect Swagger UI behind authentication or remove from production.",
+        },
+        {
+            path: "/swagger-ui.html",
+            name: "Swagger UI HTML",
+            severity: "medium",
+            indicators: ["swagger", "api-docs"],
+            remediation: "Protect Swagger UI behind authentication or remove from production.",
+        },
+        {
+            path: "/api-docs",
+            name: "API Documentation",
+            severity: "low",
+            indicators: ["api", "docs", "openapi", "swagger"],
+            remediation: "Restrict API docs to authenticated users in production.",
+        },
+        {
+            path: "/actuator",
+            name: "Spring Boot Actuator",
+            severity: "high",
+            indicators: ["actuator", "beans", "health", "info"],
+            remediation: "Secure Spring Boot Actuator endpoints with authentication.",
+        },
+        {
+            path: "/actuator/env",
+            name: "Spring Boot Environment",
+            severity: "critical",
+            indicators: ["property", "source", "value"],
+            remediation: "Never expose /actuator/env publicly. It reveals environment variables and secrets.",
+        },
+        {
+            path: "/actuator/heapdump",
+            name: "Spring Boot Heap Dump",
+            severity: "critical",
+            indicators: [],
+            remediation: "Disable heap dump endpoint. It can expose sensitive memory contents.",
+        },
+        {
+            path: "/elmah.axd",
+            name: "ELMAH Error Log (.NET)",
+            severity: "high",
+            indicators: ["elmah", "error", "exception"],
+            remediation: "Restrict ELMAH access to authenticated administrators.",
+        },
+        {
+            path: "/trace.axd",
+            name: ".NET Trace Page",
+            severity: "high",
+            indicators: ["trace", "request", "response"],
+            remediation: "Disable tracing in production web.config.",
+        },
+        {
+            path: "/.env",
+            name: "Environment File",
+            severity: "critical",
+            indicators: ["=", "KEY", "SECRET", "PASSWORD", "DATABASE"],
+            remediation: "Never serve .env files. Add them to .gitignore and configure your server to deny access.",
+        },
+        {
+            path: "/wp-config.php",
+            name: "WordPress Config",
+            severity: "critical",
+            indicators: ["DB_NAME", "DB_PASSWORD", "AUTH_KEY"],
+            remediation: "Ensure wp-config.php is not accessible via HTTP.",
+        },
+        {
+            path: "/.git/config",
+            name: "Git Repository Config",
+            severity: "critical",
+            indicators: ["[core]", "[remote", "repositoryformatversion"],
+            remediation: "Block access to .git directory. Your source code is exposed.",
+        },
+        {
+            path: "/.git/HEAD",
+            name: "Git HEAD Reference",
+            severity: "high",
+            indicators: ["ref:", "refs/heads/"],
+            remediation: "Block access to the entire .git directory in your web server configuration.",
+        },
+        {
+            path: "/config.json",
+            name: "JSON Config File",
+            severity: "medium",
+            indicators: ["apiKey", "secret", "password", "database", "connection"],
+            remediation: "Do not serve config files via HTTP. Move them outside the web root.",
+        },
+        {
+            path: "/test",
+            name: "Test Endpoint",
+            severity: "low",
+            indicators: ["test", "debug", "hello"],
+            remediation: "Remove test endpoints before deploying to production.",
+        },
+        {
+            path: "/health",
+            name: "Health Check (Verbose)",
+            severity: "low",
+            indicators: ["database", "connection", "redis", "memory", "uptime"],
+            remediation: "Limit health check responses to simple status. Do not expose internal service details.",
+        },
+        {
+            path: "/metrics",
+            name: "Prometheus Metrics",
+            severity: "medium",
+            indicators: ["process_", "http_", "nodejs_", "go_"],
+            remediation: "Protect /metrics endpoint behind authentication or restrict to internal networks.",
+        },
+    ];
+    async analyzeContent(context, content) {
+        const vulnerabilities = [];
+        const baseUrl = new URL(context.url).origin;
+        for (const endpoint of this.debugEndpoints) {
+            const fullPath = `${baseUrl}${endpoint.path}`;
+            if (this.reportedPaths.has(fullPath))
+                continue;
+            try {
+                const response = await context.page.evaluate(async (url) => {
+                    try {
+                        const res = await fetch(url, {
+                            method: "GET",
+                            redirect: "follow",
+                            credentials: "omit",
+                        });
+                        const text = await res.text();
+                        return { status: res.status, body: text.substring(0, 2000) };
+                    }
+                    catch {
+                        return { status: 0, body: "" };
+                    }
+                }, fullPath);
+                // Check if the endpoint exists and contains debug indicators
+                if (response.status >= 200 && response.status < 400) {
+                    const bodyLower = response.body.toLowerCase();
+                    // For endpoints with no indicators (like heap dumps), 200 status is enough
+                    const hasIndicators = endpoint.indicators.length === 0 ||
+                        endpoint.indicators.some(ind => bodyLower.includes(ind.toLowerCase()));
+                    if (hasIndicators) {
+                        this.reportedPaths.add(fullPath);
+                        vulnerabilities.push(this.createVulnerability(`Exposed ${endpoint.name}`, `The ${endpoint.name} endpoint is accessible at ${endpoint.path}. ` +
+                            `This can expose sensitive internal information, configuration details, or debug data.`, fullPath, endpoint.severity, `HTTP ${response.status} at ${endpoint.path} (${response.body.substring(0, 100)}...)`, endpoint.remediation, "CWE-215"));
+                    }
+                }
+            }
+            catch {
+                // Endpoint not reachable, skip silently
+            }
+        }
+        return vulnerabilities;
+    }
+    reset() {
+        this.reportedPaths.clear();
+    }
+}
+exports.DebugEndpointPlugin = DebugEndpointPlugin;

package/dist/plugins/vulnerabilities/DirectoryTraversalPlugin.d.ts

@@ -0,0 +1,13 @@
+import { BaseVulnerabilityPlugin, PluginContext, VulnerabilityTestResult } from "../types";
+export declare class DirectoryTraversalPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Directory Traversal / LFI Detector";
+    readonly type: "lfi";
+    readonly description = "Tests for path traversal and local file inclusion vulnerabilities";
+    /**
+     * Payloads designed to detect directory traversal / LFI.
+     * Each payload targets a well-known file with distinctive content markers.
+     */
+    private readonly payloads;
+    testParameter(context: PluginContext, param: string, value: string): Promise<VulnerabilityTestResult>;
+    private buildTestUrl;
+}

package/dist/plugins/vulnerabilities/DirectoryTraversalPlugin.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DirectoryTraversalPlugin = void 0;
+const types_1 = require("../types");
+class DirectoryTraversalPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Directory Traversal / LFI Detector";
+    type = "lfi";
+    description = "Tests for path traversal and local file inclusion vulnerabilities";
+    /**
+     * Payloads designed to detect directory traversal / LFI.
+     * Each payload targets a well-known file with distinctive content markers.
+     */
+    payloads = [
+        // Linux/Unix path traversal
+        {
+            payload: "../../../etc/passwd",
+            markers: ["root:", "/bin/bash", "/bin/sh", "nobody:"],
+            os: "linux",
+        },
+        {
+            payload: "....//....//....//etc/passwd",
+            markers: ["root:", "/bin/bash", "/bin/sh"],
+            os: "linux",
+        },
+        {
+            payload: "..%2F..%2F..%2Fetc%2Fpasswd",
+            markers: ["root:", "/bin/bash", "/bin/sh"],
+            os: "linux",
+        },
+        {
+            payload: "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+        {
+            payload: "....\\\\....\\\\....\\\\etc\\\\passwd",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+        // Windows path traversal
+        {
+            payload: "..\\..\\..\\windows\\win.ini",
+            markers: ["[fonts]", "[extensions]", "[mci extensions]"],
+            os: "windows",
+        },
+        {
+            payload: "..%5C..%5C..%5Cwindows%5Cwin.ini",
+            markers: ["[fonts]", "[extensions]"],
+            os: "windows",
+        },
+        {
+            payload: "../../../windows/win.ini",
+            markers: ["[fonts]", "[extensions]"],
+            os: "windows",
+        },
+        // Null byte injection (legacy PHP)
+        {
+            payload: "../../../etc/passwd%00",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+        // Double encoding
+        {
+            payload: "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd",
+            markers: ["root:", "/bin/bash"],
+            os: "linux",
+        },
+    ];
+    async testParameter(context, param, value) {
+        for (const { payload, markers, os } of this.payloads) {
+            try {
+                const testUrl = this.buildTestUrl(context.url, param, payload);
+                const response = await context.page.evaluate(async (url) => {
+                    try {
+                        const res = await fetch(url, {
+                            method: "GET",
+                            redirect: "follow",
+                            credentials: "omit",
+                        });
+                        const text = await res.text();
+                        return { status: res.status, body: text.substring(0, 5000) };
+                    }
+                    catch {
+                        return { status: 0, body: "" };
+                    }
+                }, testUrl);
+                if (response.status >= 200 && response.status < 500) {
+                    const bodyLower = response.body.toLowerCase();
+                    const matchedMarkers = markers.filter(m => bodyLower.includes(m.toLowerCase()));
+                    if (matchedMarkers.length >= 2) {
+                        return this.success(this.createVulnerability("Directory Traversal / Local File Inclusion", `The parameter '${param}' is vulnerable to directory traversal. ` +
+                            `An attacker can read arbitrary files from the server filesystem (${os}).`, context.url, "critical", `Payload: ${param}=${payload} — matched markers: ${matchedMarkers.join(", ")}`, "Validate and sanitize all file path inputs. Use a whitelist of allowed files/directories. " +
+                            "Never pass user input directly to file system operations. " +
+                            "Use path.resolve() and verify the resolved path starts with the expected base directory.", "CWE-22"));
+                    }
+                }
+            }
+            catch {
+                // Skip this payload, try next
+            }
+        }
+        return this.failure();
+    }
+    buildTestUrl(baseUrl, param, payload) {
+        const url = new URL(baseUrl);
+        url.searchParams.set(param, payload);
+        return url.toString();
+    }
+}
+exports.DirectoryTraversalPlugin = DirectoryTraversalPlugin;

package/dist/plugins/vulnerabilities/OpenRedirectPlugin.d.ts

@@ -0,0 +1,10 @@
+import { BaseVulnerabilityPlugin, PluginContext } from "../types";
+import { Vulnerability } from "../../core/vulnerability-detector";
+export declare class OpenRedirectPlugin extends BaseVulnerabilityPlugin {
+    readonly name = "Open Redirect Detector";
+    readonly type: "redirect";
+    readonly description = "Detects open redirect vulnerabilities in URL parameters";
+    private readonly redirectParams;
+    private readonly testDomains;
+    analyzeContent(context: PluginContext, content: string): Promise<Vulnerability[]>;
+}

package/dist/plugins/vulnerabilities/OpenRedirectPlugin.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OpenRedirectPlugin = void 0;
+const types_1 = require("../types");
+class OpenRedirectPlugin extends types_1.BaseVulnerabilityPlugin {
+    name = "Open Redirect Detector";
+    type = "redirect";
+    description = "Detects open redirect vulnerabilities in URL parameters";
+    redirectParams = [
+        "url", "redirect", "redirect_url", "redirect_uri", "return", "return_url",
+        "returnTo", "next", "next_url", "goto", "target", "dest", "destination",
+        "rurl", "redir", "out", "continue", "forward", "callback", "callback_url",
+        "path", "ref", "site", "view", "to", "link", "logout_redirect",
+    ];
+    testDomains = [
+        "https://evil.com",
+        "//evil.com",
+        "https://evil.com%2f%2f",
+        "/\\evil.com",
+        "https:evil.com",
+    ];
+    async analyzeContent(context, content) {
+        const vulnerabilities = [];
+        const url = new URL(context.url);
+        // Check if the current URL uses any redirect-like parameters
+        for (const param of this.redirectParams) {
+            const value = url.searchParams.get(param);
+            if (value) {
+                // Current URL has a redirect param — test it
+                for (const testDomain of this.testDomains) {
+                    try {
+                        const testUrl = new URL(context.url);
+                        testUrl.searchParams.set(param, testDomain);
+                        const result = await context.page.evaluate(async (targetUrl) => {
+                            try {
+                                const res = await fetch(targetUrl, {
+                                    method: "GET",
+                                    redirect: "manual",
+                                    credentials: "omit",
+                                });
+                                const location = res.headers.get("location") || "";
+                                return {
+                                    status: res.status,
+                                    location,
+                                };
+                            }
+                            catch {
+                                return { status: 0, location: "" };
+                            }
+                        }, testUrl.toString());
+                        if (result.status >= 300 && result.status < 400 &&
+                            result.location.includes("evil.com")) {
+                            vulnerabilities.push(this.createVulnerability("Open Redirect", `The parameter '${param}' allows redirection to arbitrary external URLs. ` +
+                                `Attackers can use this for phishing by crafting legitimate-looking URLs that redirect to malicious sites.`, context.url, "medium", `${param}=${testDomain} → Location: ${result.location}`, "Validate redirect URLs against a whitelist of allowed domains. " +
+                                "Use relative paths instead of full URLs. " +
+                                "Never redirect to user-supplied URLs without validation.", "CWE-601"));
+                            break; // One proof is enough for this param
+                        }
+                    }
+                    catch {
+                        // Skip this test
+                    }
+                }
+            }
+        }
+        return vulnerabilities;
+    }
+}
+exports.OpenRedirectPlugin = OpenRedirectPlugin;

package/dist/reports/PdfGenerator.js

@@ -40,7 +40,17 @@ exports.pdfGenerator = exports.PdfGenerator = void 0;
 const puppeteer_1 = __importDefault(require("puppeteer"));
 const scan_storage_1 = require("../core/scan-storage");
 const path_1 = __importDefault(require("path"));
-function escapeHtml(text) { return text; }
+function escapeHtml(text) {
+    if (!text)
+        return "";
+    return text
+        .toString()
+        .replace(/&/g, "&")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#039;");
+}
 function sanitizeFilenamePart(value) {
     return value
         .replace(/[<>:"\/\\|?*\x00-\x1F]/g, "_")
@@ -307,6 +317,21 @@ function buildPdfHtml(data) {
     </div>
 
     <div class="sub">Crawled URLs: <span class="mono">${scanResult.metadata.crawledUrls}</span> | Forms tested: <span class="mono">${scanResult.metadata.testedForms}</span> | Requests: <span class="mono">${scanResult.metadata.requestsMade}</span> | Duration: <span class="mono">${(scanResult.duration / 1000).toFixed(2)}s</span></div>
+    
+    <div style="margin-top: 20px; display: flex; align-items: center; gap: 15px; background: rgba(17,26,51,0.55); padding: 15px; border-radius: 12px; border: 1px solid var(--line);">
+        <div style="font-size: 24px; font-weight: 900; color: ${scanResult.score > 80 ? "#52c41a" : (scanResult.score > 50 ? "#faad14" : "#ff4d4f")};">
+            ${scanResult.score}/100
+        </div>
+        <div style="flex-grow: 1;">
+            <div style="font-size: 11px; text-transform: uppercase; color: var(--muted); letter-spacing: 0.5px; margin-bottom: 5px;">Security Posture</div>
+            <div style="height: 6px; background: rgba(255,255,255,0.1); border-radius: 3px; overflow: hidden;">
+                <div style="width: ${scanResult.score}%; height: 100%; background: ${scanResult.score > 80 ? "#52c41a" : (scanResult.score > 50 ? "#faad14" : "#ff4d4f")};"></div>
+            </div>
+        </div>
+        <div style="font-size: 12px; font-weight: 700; color: var(--muted);">
+            ${scanResult.score > 80 ? "EXCELLENT" : (scanResult.score > 50 ? "FAIR" : "POOR")}
+        </div>
+    </div>
 
     <div class="cards">
       ${rows || `<div class="card"><div class="title">No vulnerabilities found</div><div class="v">The scanner did not detect issues in the tested scope.</div></div>`}