mpx-scan 1.0.0

package/src/scanners/redirects.js

@@ -0,0 +1,120 @@
+/**
+ * Open Redirect Scanner
+ * 
+ * Tests for open redirect vulnerabilities by checking if the site
+ * redirects to arbitrary external domains via URL parameters.
+ * 
+ * Open redirects are used in phishing attacks — attackers craft URLs
+ * that look legitimate but redirect to malicious sites.
+ */
+
+const https = require('https');
+const http = require('http');
+
+// Common parameter names used for redirects
+const REDIRECT_PARAMS = [
+  'url', 'redirect', 'redirect_url', 'redirect_uri', 'return', 'return_url',
+  'returnTo', 'return_to', 'next', 'goto', 'dest', 'destination', 'redir',
+  'out', 'continue', 'target', 'path', 'callback', 'cb', 'ref',
+];
+
+const EVIL_DOMAIN = 'https://evil.example.com';
+
+async function scanRedirects(parsedUrl, options = {}) {
+  const checks = [];
+  let score = 0;
+  let maxScore = 0;
+
+  // Test each redirect parameter
+  const vulnParams = [];
+  const safeParams = [];
+  const testedCount = Math.min(REDIRECT_PARAMS.length, options.maxRedirectTests || 10);
+  maxScore = testedCount;
+
+  const testPromises = REDIRECT_PARAMS.slice(0, testedCount).map(async (param) => {
+    try {
+      const testUrl = new URL(parsedUrl.href);
+      testUrl.searchParams.set(param, EVIL_DOMAIN);
+      
+      const result = await followRedirect(testUrl, options);
+      
+      if (result.redirectsToExternal) {
+        vulnParams.push({ param, redirectedTo: result.location });
+        return { param, vulnerable: true };
+      } else {
+        safeParams.push(param);
+        return { param, vulnerable: false };
+      }
+    } catch {
+      return { param, vulnerable: false };
+    }
+  });
+
+  const results = await Promise.all(testPromises);
+
+  // Score
+  const vulnCount = results.filter(r => r.vulnerable).length;
+  score = testedCount - vulnCount;
+
+  if (vulnCount === 0) {
+    checks.push({ name: 'Open Redirects', status: 'pass', message: `Tested ${testedCount} common redirect parameters — none vulnerable` });
+  } else {
+    checks.push({ name: 'Open Redirects', status: 'fail', 
+      message: `${vulnCount} open redirect(s) found! Attackers can craft phishing URLs using your domain.`,
+      recommendation: 'Validate redirect destinations against an allowlist of trusted domains. Never redirect to user-supplied URLs without validation.'
+    });
+    
+    for (const vuln of vulnParams) {
+      checks.push({ name: `Redirect: ?${vuln.param}=`, status: 'fail', 
+        message: `Redirects to external domain via "${vuln.param}" parameter`,
+        value: vuln.redirectedTo
+      });
+    }
+  }
+
+  return { score, maxScore, checks };
+}
+
+function followRedirect(testUrl, options = {}) {
+  return new Promise((resolve) => {
+    const timeout = options.timeout || 5000;
+    const protocol = testUrl.protocol === 'https:' ? https : http;
+    let resolved = false;
+    const done = (val) => { if (!resolved) { resolved = true; resolve(val); } };
+    const timer = setTimeout(() => done({ redirectsToExternal: false }), timeout + 1000);
+
+    const req = protocol.request(testUrl.href, {
+      method: 'GET',
+      timeout,
+      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      rejectUnauthorized: false,
+    }, (res) => {
+      res.resume(); // Consume body
+      clearTimeout(timer);
+      
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        const location = res.headers.location;
+        try {
+          const redirectTarget = new URL(location, testUrl.href);
+          // Check if redirect goes to our test domain OR any external domain
+          // that wasn't the original host (indicates the param controls redirect target)
+          const originalHost = testUrl.hostname;
+          const isExternal = redirectTarget.hostname !== originalHost && 
+                            (redirectTarget.hostname.includes('evil.example.com') ||
+                             redirectTarget.href.includes('evil.example.com'));
+          done({ redirectsToExternal: isExternal, location });
+        } catch {
+          done({ redirectsToExternal: false });
+        }
+      } else {
+        done({ redirectsToExternal: false });
+      }
+    });
+
+    req.on('error', () => { clearTimeout(timer); done({ redirectsToExternal: false }); });
+    req.on('timeout', () => { clearTimeout(timer); req.destroy(); done({ redirectsToExternal: false }); });
+    req.end();
+  });
+}
+
+module.exports = { scanRedirects };

package/src/scanners/server.js

@@ -0,0 +1,146 @@
+/**
+ * Server Configuration Scanner
+ * 
+ * Checks server-level security:
+ * - HTTP to HTTPS redirect
+ * - Server information leakage
+ * - CORS configuration
+ * - HTTP methods allowed
+ */
+
+const https = require('https');
+const http = require('http');
+
+async function scanServer(parsedUrl, options = {}) {
+  const checks = [];
+  let score = 0;
+  let maxScore = 0;
+
+  // --- HTTP to HTTPS redirect ---
+  maxScore += 2;
+  if (parsedUrl.protocol === 'https:') {
+    try {
+      const httpUrl = new URL(parsedUrl.href);
+      httpUrl.protocol = 'http:';
+      const redirectsToHttps = await checkRedirectToHttps(httpUrl, options);
+      if (redirectsToHttps) {
+        checks.push({ name: 'HTTP → HTTPS Redirect', status: 'pass', message: 'HTTP requests redirect to HTTPS' });
+        score += 2;
+      } else {
+        checks.push({ name: 'HTTP → HTTPS Redirect', status: 'warn', message: 'HTTP does not redirect to HTTPS. Users can access insecure version.', recommendation: 'Configure server to redirect all HTTP traffic to HTTPS (301 redirect)' });
+      }
+    } catch {
+      checks.push({ name: 'HTTP → HTTPS Redirect', status: 'info', message: 'Could not test HTTP redirect (port 80 may be closed)' });
+      score += 1; // Benefit of doubt — port 80 closed is actually fine
+    }
+  } else {
+    checks.push({ name: 'HTTPS', status: 'fail', message: 'Site served over HTTP. All traffic is unencrypted.' });
+  }
+
+  // --- CORS headers ---
+  maxScore += 1;
+  try {
+    const corsHeaders = await fetchWithOrigin(parsedUrl, options);
+    const acao = corsHeaders['access-control-allow-origin'];
+    if (!acao) {
+      checks.push({ name: 'CORS Policy', status: 'pass', message: 'No Access-Control-Allow-Origin header (default same-origin policy)' });
+      score += 1;
+    } else if (acao === '*') {
+      checks.push({ name: 'CORS Policy', status: 'warn', message: 'Access-Control-Allow-Origin: * — allows any origin to read responses', value: acao });
+      score += 0.25;
+    } else {
+      checks.push({ name: 'CORS Policy', status: 'pass', message: `CORS restricted to: ${acao}`, value: acao });
+      score += 1;
+    }
+  } catch {
+    checks.push({ name: 'CORS Policy', status: 'info', message: 'Could not test CORS configuration' });
+  }
+
+  // --- Allowed HTTP methods ---
+  maxScore += 1;
+  try {
+    const methods = await checkMethods(parsedUrl, options);
+    if (methods.length === 0) {
+      checks.push({ name: 'HTTP Methods', status: 'info', message: 'Server did not disclose allowed methods (OPTIONS returned no Allow header)' });
+      score += 0.5; // Benefit of doubt
+    } else {
+      const dangerous = methods.filter(m => ['PUT', 'DELETE', 'TRACE', 'TRACK'].includes(m));
+      if (dangerous.length > 0) {
+        checks.push({ name: 'HTTP Methods', status: 'warn', message: `Potentially dangerous methods enabled: ${dangerous.join(', ')}`, value: methods.join(', ') });
+        score += 0.5;
+      } else {
+        checks.push({ name: 'HTTP Methods', status: 'pass', message: `Allowed: ${methods.join(', ')}`, value: methods.join(', ') });
+        score += 1;
+      }
+    }
+  } catch {
+    checks.push({ name: 'HTTP Methods', status: 'info', message: 'Could not determine allowed methods' });
+    score += 0.5;
+  }
+
+  return { score, maxScore, checks };
+}
+
+function checkRedirectToHttps(httpUrl, options = {}) {
+  return new Promise((resolve, reject) => {
+    const timeout = options.timeout || 5000;
+    const req = http.request(httpUrl.href, {
+      method: 'HEAD',
+      timeout,
+      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+    }, (res) => {
+      if (res.statusCode >= 300 && res.statusCode < 400) {
+        const location = res.headers.location || '';
+        resolve(location.startsWith('https://'));
+      } else {
+        resolve(false);
+      }
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('Timeout')); });
+    req.end();
+  });
+}
+
+function fetchWithOrigin(parsedUrl, options = {}) {
+  return new Promise((resolve, reject) => {
+    const timeout = options.timeout || 5000;
+    const protocol = parsedUrl.protocol === 'https:' ? https : http;
+    const req = protocol.request(parsedUrl.href, {
+      method: 'HEAD',
+      timeout,
+      headers: {
+        'User-Agent': 'SiteGuard/0.1 Security Scanner',
+        'Origin': 'https://evil.example.com'
+      },
+      rejectUnauthorized: false,
+    }, (res) => {
+      resolve(res.headers);
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('Timeout')); });
+    req.end();
+  });
+}
+
+function checkMethods(parsedUrl, options = {}) {
+  return new Promise((resolve, reject) => {
+    const timeout = options.timeout || 5000;
+    const protocol = parsedUrl.protocol === 'https:' ? https : http;
+    const req = protocol.request(parsedUrl.href, {
+      method: 'OPTIONS',
+      timeout,
+      headers: { 'User-Agent': 'SiteGuard/0.1 Security Scanner' },
+      rejectUnauthorized: false,
+    }, (res) => {
+      const allow = res.headers.allow || '';
+      const methods = allow ? allow.split(',').map(m => m.trim().toUpperCase()) : [];
+      resolve(methods);
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('Timeout')); });
+    req.end();
+  });
+}
+
+module.exports = { scanServer };

package/src/scanners/sri.js

@@ -0,0 +1,162 @@
+/**
+ * Subresource Integrity (SRI) Scanner
+ * 
+ * Checks that external scripts and stylesheets use integrity attributes
+ * to prevent supply-chain attacks (e.g., compromised CDNs).
+ */
+
+const https = require('https');
+const http = require('http');
+
+async function scanSRI(parsedUrl, options = {}) {
+  const checks = [];
+  let score = 0;
+  let maxScore = 0;
+
+  const html = await fetchBody(parsedUrl, options);
+  
+  if (!html) {
+    checks.push({ name: 'Subresource Integrity', status: 'error', message: 'Could not fetch page HTML' });
+    return { score: 0, maxScore: 1, checks };
+  }
+
+  // Find external scripts
+  const scriptRegex = /<script[^>]+src\s*=\s*["']([^"']+)["'][^>]*>/gi;
+  const linkRegex = /<link[^>]+href\s*=\s*["']([^"']+)["'][^>]*rel\s*=\s*["']stylesheet["'][^>]*>|<link[^>]*rel\s*=\s*["']stylesheet["'][^>]*href\s*=\s*["']([^"']+)["'][^>]*>/gi;
+
+  const externalScripts = [];
+  const externalStyles = [];
+  let match;
+
+  while ((match = scriptRegex.exec(html)) !== null) {
+    const src = match[1];
+    const fullTag = match[0];
+    if (isExternal(src, parsedUrl.hostname)) {
+      externalScripts.push({ src, tag: fullTag, hasIntegrity: /integrity\s*=\s*["']/i.test(fullTag) });
+    }
+  }
+
+  while ((match = linkRegex.exec(html)) !== null) {
+    const href = match[1] || match[2];
+    const fullTag = match[0];
+    if (href && isExternal(href, parsedUrl.hostname)) {
+      externalStyles.push({ src: href, tag: fullTag, hasIntegrity: /integrity\s*=\s*["']/i.test(fullTag) });
+    }
+  }
+
+  const allExternal = [...externalScripts, ...externalStyles];
+
+  if (allExternal.length === 0) {
+    checks.push({ name: 'Subresource Integrity', status: 'pass', message: 'No external scripts or stylesheets found (self-hosted resources)' });
+    return { score: 1, maxScore: 1, checks };
+  }
+
+  maxScore = allExternal.length;
+  let withSRI = 0;
+  let withoutSRI = 0;
+
+  // Group by domain for cleaner output
+  const byDomain = {};
+  for (const resource of [...externalScripts, ...externalStyles]) {
+    const isScript = externalScripts.includes(resource);
+    let domain;
+    try { domain = new URL(resource.src.startsWith('//') ? 'https:' + resource.src : resource.src).hostname; } 
+    catch { domain = 'unknown'; }
+    if (!byDomain[domain]) byDomain[domain] = { scripts: 0, styles: 0, withSRI: 0, withoutSRI: 0 };
+    if (isScript) byDomain[domain].scripts++; else byDomain[domain].styles++;
+    if (resource.hasIntegrity) { byDomain[domain].withSRI++; withSRI++; score += 1; }
+    else { byDomain[domain].withoutSRI++; withoutSRI++; if (!isScript) score += 0.25; }
+  }
+
+  // Output per-domain summary (max 10 domains shown)
+  const domains = Object.entries(byDomain).sort((a, b) => b[1].withoutSRI - a[1].withoutSRI);
+  for (const [domain, counts] of domains.slice(0, 10)) {
+    const total = counts.withSRI + counts.withoutSRI;
+    if (counts.withoutSRI === 0) {
+      checks.push({ name: `SRI: ${domain}`, status: 'pass', message: `All ${total} resources have integrity attributes` });
+    } else if (counts.scripts > 0 && counts.withoutSRI > 0) {
+      checks.push({ name: `SRI: ${domain}`, status: 'fail', message: `${counts.withoutSRI} of ${total} resources missing integrity (${counts.scripts} scripts)`, recommendation: 'Add integrity="sha384-..." and crossorigin="anonymous" to external script/link tags' });
+    } else {
+      checks.push({ name: `SRI: ${domain}`, status: 'warn', message: `${counts.withoutSRI} of ${total} stylesheets missing integrity`, recommendation: 'Add integrity="sha384-..." attribute' });
+    }
+  }
+  if (domains.length > 10) {
+    checks.push({ name: 'SRI', status: 'info', message: `...and ${domains.length - 10} more external domains` });
+  }
+
+  // Summary check at top
+  if (withoutSRI === 0) {
+    checks.unshift({ name: 'Subresource Integrity', status: 'pass', message: `All ${allExternal.length} external resources have integrity attributes` });
+  } else {
+    checks.unshift({ name: 'Subresource Integrity', status: withoutSRI > withSRI ? 'fail' : 'warn', message: `${withoutSRI} of ${allExternal.length} external resources missing integrity (${Object.keys(byDomain).length} domains)` });
+  }
+
+  return { score, maxScore, checks };
+}
+
+function isExternal(url, hostname) {
+  if (url.startsWith('//')) url = 'https:' + url;
+  if (url.startsWith('http://') || url.startsWith('https://')) {
+    try {
+      const parsed = new URL(url);
+      return parsed.hostname !== hostname;
+    } catch { return false; }
+  }
+  return false; // Relative URLs are same-origin
+}
+
+function shortenUrl(url) {
+  try {
+    const parsed = new URL(url.startsWith('//') ? 'https:' + url : url);
+    const path = parsed.pathname.split('/').pop() || parsed.pathname;
+    return `${parsed.hostname}/.../${path}`.substring(0, 60);
+  } catch { return url.substring(0, 60); }
+}
+
+function fetchBody(parsedUrl, options = {}) {
+  return new Promise((resolve) => {
+    const timeout = options.timeout || 10000;
+    const protocol = parsedUrl.protocol === 'https:' ? https : http;
+    let resolved = false;
+    const done = (val) => { if (!resolved) { resolved = true; resolve(val); } };
+    const timer = setTimeout(() => done(''), timeout + 2000);
+
+    const req = protocol.request(parsedUrl.href, {
+      method: 'GET',
+      timeout,
+      headers: { 
+        'User-Agent': 'SiteGuard/0.1 Security Scanner',
+        'Accept': 'text/html'
+      },
+      rejectUnauthorized: false,
+    }, (res) => {
+      // Follow redirects
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        clearTimeout(timer);
+        const redirectUrl = new URL(res.headers.location, parsedUrl.href);
+        fetchBody(redirectUrl, options).then(done);
+        res.resume();
+        return;
+      }
+      
+      let body = '';
+      res.setEncoding('utf-8');
+      res.on('data', (chunk) => {
+        body += chunk;
+        if (body.length > 500000) { // 500KB max
+          res.destroy();
+          clearTimeout(timer);
+          done(body);
+        }
+      });
+      res.on('end', () => { clearTimeout(timer); done(body); });
+      res.on('error', () => { clearTimeout(timer); done(body); });
+    });
+
+    req.on('error', () => { clearTimeout(timer); done(''); });
+    req.on('timeout', () => { clearTimeout(timer); req.destroy(); done(''); });
+    req.end();
+  });
+}
+
+module.exports = { scanSRI, fetchBody };

package/src/scanners/ssl.js

@@ -0,0 +1,160 @@
+/**
+ * SSL/TLS Scanner
+ * 
+ * Checks certificate validity, protocol support, and configuration.
+ * Uses Node.js tls module — zero external dependencies.
+ */
+
+const tls = require('tls');
+const https = require('https');
+
+async function scanSSL(parsedUrl, options = {}) {
+  const checks = [];
+  let score = 0;
+  let maxScore = 0;
+
+  if (parsedUrl.protocol !== 'https:') {
+    checks.push({ name: 'HTTPS', status: 'fail', message: 'Site does not use HTTPS. All data transmitted in cleartext.' });
+    return { score: 0, maxScore: 5, checks };
+  }
+
+  const hostname = parsedUrl.hostname;
+  const port = parsedUrl.port || 443;
+
+  try {
+    const certInfo = await getCertificateInfo(hostname, port, options);
+
+    // --- Certificate validity ---
+    maxScore += 2;
+    const now = new Date();
+    const validFrom = new Date(certInfo.valid_from);
+    const validTo = new Date(certInfo.valid_to);
+    const daysRemaining = Math.floor((validTo - now) / (1000 * 60 * 60 * 24));
+
+    if (daysRemaining < 0) {
+      checks.push({ name: 'Certificate Validity', status: 'fail', message: `EXPIRED ${Math.abs(daysRemaining)} days ago`, value: validTo.toISOString().split('T')[0] });
+    } else if (daysRemaining < 7) {
+      checks.push({ name: 'Certificate Validity', status: 'fail', message: `Expires in ${daysRemaining} days!`, value: validTo.toISOString().split('T')[0] });
+      score += 0.5;
+    } else if (daysRemaining < 30) {
+      checks.push({ name: 'Certificate Validity', status: 'warn', message: `Expires in ${daysRemaining} days`, value: validTo.toISOString().split('T')[0] });
+      score += 1;
+    } else {
+      checks.push({ name: 'Certificate Validity', status: 'pass', message: `Valid for ${daysRemaining} more days (expires ${validTo.toISOString().split('T')[0]})`, value: `${daysRemaining} days` });
+      score += 2;
+    }
+
+    // --- Certificate issuer ---
+    maxScore += 0.5;
+    const issuer = certInfo.issuer?.O || certInfo.issuer?.CN || 'Unknown';
+    const isSelfSigned = certInfo.issuer?.CN === certInfo.subject?.CN && !certInfo.issuer?.O;
+    if (isSelfSigned) {
+      checks.push({ name: 'Certificate Issuer', status: 'warn', message: `Self-signed certificate (${issuer})`, value: issuer });
+    } else {
+      checks.push({ name: 'Certificate Issuer', status: 'pass', message: `Issued by ${issuer}`, value: issuer });
+      score += 0.5;
+    }
+
+    // --- Subject match ---
+    maxScore += 1;
+    const altNames = (certInfo.subjectaltname || '').split(',').map(s => s.trim().replace('DNS:', ''));
+    const subjectCN = certInfo.subject?.CN || '';
+    const matchesHostname = altNames.some(name => matchesDomain(name, hostname)) || matchesDomain(subjectCN, hostname);
+    
+    if (matchesHostname) {
+      checks.push({ name: 'Hostname Match', status: 'pass', message: `Certificate covers ${hostname}`, value: altNames.slice(0, 5).join(', ') });
+      score += 1;
+    } else {
+      checks.push({ name: 'Hostname Match', status: 'fail', message: `Certificate does NOT match ${hostname}. Subject: ${subjectCN}`, value: altNames.slice(0, 5).join(', ') });
+    }
+
+    // --- TLS version ---
+    maxScore += 1.5;
+    const tlsVersion = certInfo.protocol;
+    if (tlsVersion === 'TLSv1.3') {
+      checks.push({ name: 'TLS Version', status: 'pass', message: 'TLS 1.3 — latest and most secure', value: tlsVersion });
+      score += 1.5;
+    } else if (tlsVersion === 'TLSv1.2') {
+      checks.push({ name: 'TLS Version', status: 'pass', message: 'TLS 1.2 — acceptable', value: tlsVersion });
+      score += 1;
+    } else {
+      checks.push({ name: 'TLS Version', status: 'fail', message: `${tlsVersion || 'Unknown'} — outdated and insecure`, value: tlsVersion });
+    }
+
+    // --- Cipher suite ---
+    maxScore += 1;
+    const cipher = certInfo.cipher;
+    if (cipher) {
+      const isStrong = /AES.*(256|GCM)|CHACHA20/i.test(cipher.name || '');
+      if (isStrong) {
+        checks.push({ name: 'Cipher Suite', status: 'pass', message: cipher.name, value: `${cipher.name} (${cipher.standardName || ''})` });
+        score += 1;
+      } else {
+        checks.push({ name: 'Cipher Suite', status: 'warn', message: `${cipher.name} — consider stronger cipher`, value: cipher.name });
+        score += 0.5;
+      }
+    }
+
+  } catch (err) {
+    maxScore = 5;
+    if (err.code === 'CERT_HAS_EXPIRED') {
+      checks.push({ name: 'Certificate', status: 'fail', message: 'Certificate has expired' });
+    } else if (err.code === 'ERR_TLS_CERT_ALTNAME_INVALID') {
+      checks.push({ name: 'Certificate', status: 'fail', message: 'Certificate hostname mismatch' });
+    } else {
+      checks.push({ name: 'SSL/TLS Connection', status: 'error', message: `Failed: ${err.message}` });
+    }
+  }
+
+  return { score, maxScore, checks };
+}
+
+function getCertificateInfo(hostname, port, options = {}) {
+  return new Promise((resolve, reject) => {
+    const timeout = options.timeout || 10000;
+    
+    const socket = tls.connect({
+      host: hostname,
+      port,
+      servername: hostname,
+      rejectUnauthorized: false, // We want to inspect even bad certs
+      timeout,
+    }, () => {
+      const cert = socket.getPeerCertificate(true);
+      const protocol = socket.getProtocol();
+      const cipher = socket.getCipher();
+      
+      socket.destroy();
+      resolve({
+        ...cert,
+        protocol,
+        cipher,
+        authorized: socket.authorized
+      });
+    });
+
+    socket.on('error', (err) => {
+      socket.destroy();
+      reject(err);
+    });
+
+    socket.on('timeout', () => {
+      socket.destroy();
+      reject(new Error('TLS connection timeout'));
+    });
+  });
+}
+
+function matchesDomain(pattern, hostname) {
+  if (!pattern) return false;
+  pattern = pattern.toLowerCase();
+  hostname = hostname.toLowerCase();
+  if (pattern === hostname) return true;
+  if (pattern.startsWith('*.')) {
+    const suffix = pattern.slice(2);
+    return hostname.endsWith(suffix) && hostname.split('.').length === pattern.split('.').length;
+  }
+  return false;
+}
+
+module.exports = { scanSSL };