npm - opencode-api-security-testing - Versions diffs - 3.0.10 → 3.0.11 - Mend

opencode-api-security-testing 3.0.10 → 3.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/README.md +74 -0
package/SKILL.md +1797 -0
package/core/advanced_recon.py +788 -0
package/core/agentic_analyzer.py +445 -0
package/core/analyzers/api_parser.py +210 -0
package/core/analyzers/response_analyzer.py +212 -0
package/core/analyzers/sensitive_finder.py +184 -0
package/core/api_fuzzer.py +422 -0
package/core/api_interceptor.py +525 -0
package/core/api_parser.py +955 -0
package/core/browser_tester.py +479 -0
package/core/cloud_storage_tester.py +1330 -0
package/core/collectors/__init__.py +23 -0
package/core/collectors/api_path_finder.py +300 -0
package/core/collectors/browser_collect.py +645 -0
package/core/collectors/browser_collector.py +411 -0
package/core/collectors/http_client.py +111 -0
package/core/collectors/js_collector.py +490 -0
package/core/collectors/js_parser.py +780 -0
package/core/collectors/url_collector.py +319 -0
package/core/context_manager.py +682 -0
package/core/deep_api_tester_v35.py +844 -0
package/core/deep_api_tester_v55.py +366 -0
package/core/dynamic_api_analyzer.py +532 -0
package/core/http_client.py +179 -0
package/core/models.py +296 -0
package/core/orchestrator.py +890 -0
package/core/prerequisite.py +227 -0
package/core/reasoning_engine.py +1042 -0
package/core/response_classifier.py +606 -0
package/core/runner.py +938 -0
package/core/scan_engine.py +599 -0
package/core/skill_executor.py +435 -0
package/core/skill_executor_v2.py +670 -0
package/core/skill_executor_v3.py +704 -0
package/core/smart_analyzer.py +687 -0
package/core/strategy_pool.py +707 -0
package/core/testers/auth_tester.py +264 -0
package/core/testers/idor_tester.py +200 -0
package/core/testers/sqli_tester.py +211 -0
package/core/testing_loop.py +655 -0
package/core/utils/base_path_dict.py +255 -0
package/core/utils/payload_lib.py +167 -0
package/core/utils/ssrf_detector.py +220 -0
package/core/verifiers/vuln_verifier.py +536 -0
package/package.json +1 -1
package/references/README.md +72 -0
package/references/asset-discovery.md +119 -0
package/references/fuzzing-patterns.md +129 -0
package/references/graphql-guidance.md +108 -0
package/references/intake.md +84 -0
package/references/pua-agent.md +192 -0
package/references/report-template.md +156 -0
package/references/rest-guidance.md +76 -0
package/references/severity-model.md +76 -0
package/references/test-matrix.md +86 -0
package/references/validation.md +78 -0
package/references/vulnerabilities/01-sqli-tests.md +1128 -0
package/references/vulnerabilities/02-user-enum-tests.md +423 -0
package/references/vulnerabilities/03-jwt-tests.md +499 -0
package/references/vulnerabilities/04-idor-tests.md +362 -0
package/references/vulnerabilities/05-sensitive-data-tests.md +466 -0
package/references/vulnerabilities/06-biz-logic-tests.md +501 -0
package/references/vulnerabilities/07-security-config-tests.md +511 -0
package/references/vulnerabilities/08-brute-force-tests.md +457 -0
package/references/vulnerabilities/09-vulnerability-chains.md +465 -0
package/references/vulnerabilities/10-auth-tests.md +537 -0
package/references/vulnerabilities/11-graphql-tests.md +355 -0
package/references/vulnerabilities/12-ssrf-tests.md +396 -0
package/references/vulnerabilities/README.md +148 -0
package/references/workflows.md +192 -0

package/README.md ADDED Viewed

@@ -0,0 +1,74 @@
+# API Security Testing Plugin
+OpenCode 插件，提供完整的 API 安全测试能力。
+## 安装
+```bash
+npm install opencode-api-security-testing
+```
+## 配置
+在 `opencode.json` 中添加：
+```json
+{
+  "plugin": ["opencode-api-security-testing"]
+}
+```
+## Agents (4个)
+| Agent | 模式 | 描述 |
+|-------|------|------|
+| `@api-cyber-supervisor` | Primary | 编排者，协调完整扫描流程，永不停止 |
+| `@api-probing-miner` | Subagent | 漏洞挖掘专家 |
+| `@api-resource-specialist` | Subagent | 资源探测专家 |
+| `@api-vuln-verifier` | Subagent | 漏洞验证专家 |
+## Tools (10个)
+| Tool | 功能 | 调用方式 |
+|------|------|---------|
+| `api_security_scan` | 完整 API 安全扫描 | `api_security_scan target="url"` |
+| `api_fuzz_test` | API 模糊测试 | `api_fuzz_test endpoint="url"` |
+| `browser_collect` | 浏览器采集动态内容 | `browser_collect url="url"` |
+| `js_parse` | JavaScript 文件解析 | `js_parse file_path="/path/to/file.js"` |
+| `graphql_test` | GraphQL 安全测试 | `graphql_test endpoint="url"` |
+| `cloud_storage_test` | 云存储安全测试 | `cloud_storage_test bucket_url="url"` |
+| `vuln_verify` | 漏洞验证 | `vuln_verify vuln_type="sqli" endpoint="url"` |
+| `sqli_test` | SQL 注入测试 | `sqli_test endpoint="url" param="id"` |
+| `idor_test` | IDOR 越权测试 | `idor_test endpoint="url" resource_id="1"` |
+| `auth_test` | 认证安全测试 | `auth_test endpoint="url"` |
+## 使用方式
+### 方式一：使用 Agent（推荐）
+```
+@api-cyber-supervisor 对 https://example.com 进行全面安全测试
+```
+### 方式二：使用 Skill
+```
+skill({ name: "api-security-testing" })
+```
+### 方式三：直接使用 Tool
+```
+api_security_scan target="https://example.com" scan_type="full"
+```
+## 依赖
+Python 依赖会自动安装。也可手动安装：
+```bash
+pip install -r skills/api-security-testing/requirements.txt
+```
+## 重要
+**仅用于合法授权的安全测试，测试前确保有书面授权。**