npm - opencode-api-security-testing - Versions diffs - 2.0.0 → 2.1.1 - Mend

opencode-api-security-testing 2.0.0 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/README.md +30 -24
package/SKILL.md +1797 -0
package/core/advanced_recon.py +788 -0
package/core/agentic_analyzer.py +445 -0
package/core/analyzers/api_parser.py +210 -0
package/core/analyzers/response_analyzer.py +212 -0
package/core/analyzers/sensitive_finder.py +184 -0
package/core/api_fuzzer.py +422 -0
package/core/api_interceptor.py +525 -0
package/core/api_parser.py +955 -0
package/core/browser_tester.py +479 -0
package/core/cloud_storage_tester.py +1330 -0
package/core/collectors/__init__.py +23 -0
package/core/collectors/api_path_finder.py +300 -0
package/core/collectors/browser_collect.py +645 -0
package/core/collectors/browser_collector.py +411 -0
package/core/collectors/http_client.py +111 -0
package/core/collectors/js_collector.py +490 -0
package/core/collectors/js_parser.py +780 -0
package/core/collectors/url_collector.py +319 -0
package/core/context_manager.py +682 -0
package/core/deep_api_tester_v35.py +844 -0
package/core/deep_api_tester_v55.py +366 -0
package/core/dynamic_api_analyzer.py +532 -0
package/core/http_client.py +179 -0
package/core/models.py +296 -0
package/core/orchestrator.py +890 -0
package/core/prerequisite.py +227 -0
package/core/reasoning_engine.py +1042 -0
package/core/response_classifier.py +606 -0
package/core/runner.py +938 -0
package/core/scan_engine.py +599 -0
package/core/skill_executor.py +435 -0
package/core/skill_executor_v2.py +670 -0
package/core/skill_executor_v3.py +704 -0
package/core/smart_analyzer.py +687 -0
package/core/strategy_pool.py +707 -0
package/core/testers/auth_tester.py +264 -0
package/core/testers/idor_tester.py +200 -0
package/core/testers/sqli_tester.py +211 -0
package/core/testing_loop.py +655 -0
package/core/utils/base_path_dict.py +255 -0
package/core/utils/payload_lib.py +167 -0
package/core/utils/ssrf_detector.py +220 -0
package/core/verifiers/vuln_verifier.py +536 -0
package/package.json +17 -13
package/references/asset-discovery.md +119 -612
package/references/graphql-guidance.md +65 -641
package/references/intake.md +84 -0
package/references/report-template.md +131 -38
package/references/rest-guidance.md +55 -526
package/references/severity-model.md +52 -264
package/references/test-matrix.md +65 -263
package/references/validation.md +53 -400
package/scripts/postinstall.js +46 -0
package/src/index.ts +259 -275
package/agents/cyber-supervisor.md +0 -55
package/agents/probing-miner.md +0 -42
package/agents/resource-specialist.md +0 -31
package/commands/api-security-testing-scan.md +0 -59
package/commands/api-security-testing-test.md +0 -49
package/commands/api-security-testing.md +0 -72
package/tsconfig.json +0 -17

package/README.md CHANGED Viewed

@@ -18,39 +18,45 @@ npm install opencode-api-security-testing
 }
 ```
-## Agents (5个)
+## Agents (4个)
-| Agent | 角色 | 说明 |
+| Agent | 模式 | 描述 |
 |-------|------|------|
-| `@api-cyber-supervisor` | 编排者 | 协调完整扫描流程，永不停止 |
-| `@api-probing-miner` | 漏洞挖掘 | 专注发现和验证 API 漏洞 |
-| `@api-resource-specialist` | 资源探测 | 专注采集和发现 API 端点 |
-| `@api-orchestrator` | 测试编排 | 协调完整测试流程 |
-| `@api-vuln-verifier` | 漏洞验证 | 验证和确认安全漏洞 |
-## Tools (9个)
-| Tool | 功能 |
-|------|------|
-| `api_security_scan` | 完整 API 安全扫描 |
-| `api_fuzz_test` | API 模糊测试 |
-| `vuln_verify` | 漏洞验证 |
-| `browser_collect` | 浏览器采集动态内容 |
-| `js_parse` | JavaScript 文件解析 |
-| `cloud_storage_test` | 云存储安全测试 |
-| `graphql_test` | GraphQL 安全测试 |
-| `idor_test` | IDOR 越权测试 |
-| `sqli_test` | SQL 注入测试 |
+| `@api-cyber-supervisor` | Primary | 编排者，协调完整扫描流程，永不停止 |
+| `@api-probing-miner` | Subagent | 漏洞挖掘专家 |
+| `@api-resource-specialist` | Subagent | 资源探测专家 |
+| `@api-vuln-verifier` | Subagent | 漏洞验证专家 |
+## Tools (10个)
+| Tool | 功能 | 调用方式 |
+|------|------|---------|
+| `api_security_scan` | 完整 API 安全扫描 | `api_security_scan target="url"` |
+| `api_fuzz_test` | API 模糊测试 | `api_fuzz_test endpoint="url"` |
+| `browser_collect` | 浏览器采集动态内容 | `browser_collect url="url"` |
+| `js_parse` | JavaScript 文件解析 | `js_parse file_path="/path/to/file.js"` |
+| `graphql_test` | GraphQL 安全测试 | `graphql_test endpoint="url"` |
+| `cloud_storage_test` | 云存储安全测试 | `cloud_storage_test bucket_url="url"` |
+| `vuln_verify` | 漏洞验证 | `vuln_verify vuln_type="sqli" endpoint="url"` |
+| `sqli_test` | SQL 注入测试 | `sqli_test endpoint="url" param="id"` |
+| `idor_test` | IDOR 越权测试 | `idor_test endpoint="url" resource_id="1"` |
+| `auth_test` | 认证安全测试 | `auth_test endpoint="url"` |
 ## 使用方式
-### 方式一：使用 Agent
+### 方式一：使用 Agent（推荐）
 ```
 @api-cyber-supervisor 对 https://example.com 进行全面安全测试
 ```
-### 方式二：直接使用 Tool
+### 方式二：使用 Skill
+```
+skill({ name: "api-security-testing" })
+```
+### 方式三：直接使用 Tool
 ```
 api_security_scan target="https://example.com" scan_type="full"
@@ -58,7 +64,7 @@ api_security_scan target="https://example.com" scan_type="full"
 ## 依赖
-Python 依赖会自动安装（如果需要手动安装）：
+Python 依赖会自动安装。也可手动安装：
 ```bash
 pip install -r skills/api-security-testing/requirements.txt
 ```