npm - opencode-api-security-testing - Versions diffs - 3.0.9 → 3.0.10 - Mend

opencode-api-security-testing 3.0.9 → 3.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

package/agents/api-cyber-supervisor.md +22 -19
package/agents/api-probing-miner.md +34 -10
package/agents/api-resource-specialist.md +49 -20
package/agents/api-vuln-verifier.md +69 -18
package/package.json +1 -1
package/postinstall.mjs +1 -0
package/preuninstall.mjs +43 -32
package/src/index.ts +6 -3
package/README.md +0 -74
package/SKILL.md +0 -1797
package/core/advanced_recon.py +0 -788
package/core/agentic_analyzer.py +0 -445
package/core/analyzers/api_parser.py +0 -210
package/core/analyzers/response_analyzer.py +0 -212
package/core/analyzers/sensitive_finder.py +0 -184
package/core/api_fuzzer.py +0 -422
package/core/api_interceptor.py +0 -525
package/core/api_parser.py +0 -955
package/core/browser_tester.py +0 -479
package/core/cloud_storage_tester.py +0 -1330
package/core/collectors/__init__.py +0 -23
package/core/collectors/api_path_finder.py +0 -300
package/core/collectors/browser_collect.py +0 -645
package/core/collectors/browser_collector.py +0 -411
package/core/collectors/http_client.py +0 -111
package/core/collectors/js_collector.py +0 -490
package/core/collectors/js_parser.py +0 -780
package/core/collectors/url_collector.py +0 -319
package/core/context_manager.py +0 -682
package/core/deep_api_tester_v35.py +0 -844
package/core/deep_api_tester_v55.py +0 -366
package/core/dynamic_api_analyzer.py +0 -532
package/core/http_client.py +0 -179
package/core/models.py +0 -296
package/core/orchestrator.py +0 -890
package/core/prerequisite.py +0 -227
package/core/reasoning_engine.py +0 -1042
package/core/response_classifier.py +0 -606
package/core/runner.py +0 -938
package/core/scan_engine.py +0 -599
package/core/skill_executor.py +0 -435
package/core/skill_executor_v2.py +0 -670
package/core/skill_executor_v3.py +0 -704
package/core/smart_analyzer.py +0 -687
package/core/strategy_pool.py +0 -707
package/core/testers/auth_tester.py +0 -264
package/core/testers/idor_tester.py +0 -200
package/core/testers/sqli_tester.py +0 -211
package/core/testing_loop.py +0 -655
package/core/utils/base_path_dict.py +0 -255
package/core/utils/payload_lib.py +0 -167
package/core/utils/ssrf_detector.py +0 -220
package/core/verifiers/vuln_verifier.py +0 -536
package/references/README.md +0 -72
package/references/asset-discovery.md +0 -119
package/references/fuzzing-patterns.md +0 -129
package/references/graphql-guidance.md +0 -108
package/references/intake.md +0 -84
package/references/pua-agent.md +0 -192
package/references/report-template.md +0 -156
package/references/rest-guidance.md +0 -76
package/references/severity-model.md +0 -76
package/references/test-matrix.md +0 -86
package/references/validation.md +0 -78
package/references/vulnerabilities/01-sqli-tests.md +0 -1128
package/references/vulnerabilities/02-user-enum-tests.md +0 -423
package/references/vulnerabilities/03-jwt-tests.md +0 -499
package/references/vulnerabilities/04-idor-tests.md +0 -362
package/references/vulnerabilities/05-sensitive-data-tests.md +0 -466
package/references/vulnerabilities/06-biz-logic-tests.md +0 -501
package/references/vulnerabilities/07-security-config-tests.md +0 -511
package/references/vulnerabilities/08-brute-force-tests.md +0 -457
package/references/vulnerabilities/09-vulnerability-chains.md +0 -465
package/references/vulnerabilities/10-auth-tests.md +0 -537
package/references/vulnerabilities/11-graphql-tests.md +0 -355
package/references/vulnerabilities/12-ssrf-tests.md +0 -396
package/references/vulnerabilities/README.md +0 -148
package/references/workflows.md +0 -192

package/agents/api-cyber-supervisor.md CHANGED Viewed

@@ -1,10 +1,14 @@
 ---
-description: API安全测试编排者。协调完整扫描流程，永不停止，主动推进测试进度。
+description: API安全测试编排者。协调完整扫描流程，主动推进测试进度。
 mode: primary
+model: anthropic/claude-sonnet-4-20250514
 permission:
   edit: ask
   bash:
     "*": ask
+  webfetch: allow
+temperature: 0.3
+color: "#FF5733"
 ---
 你是 API 安全测试的**赛博监工**，代号"P9"。
@@ -15,35 +19,34 @@ permission:
 ## 可用子 Agent
-| 子 Agent | 职责 |
-|---------|------|
-| @api-probing-miner | 漏洞挖掘 |
-| @api-resource-specialist | 端点发现 |
-| @api-vuln-verifier | 漏洞验证 |
+| 子 Agent | 职责 | 调用方式 |
+|---------|------|---------|
+| @api-probing-miner | 漏洞挖掘 | delegate_task(subagent_type="api-probing-miner") |
+| @api-resource-specialist | 端点发现 | delegate_task(subagent_type="api-resource-specialist") |
+| @api-vuln-verifier | 漏洞验证 | delegate_task(subagent_type="api-vuln-verifier") |
 ## 可用工具
 直接调用以下工具执行特定任务：
-| 工具 | 用途 |
-|------|------|
-| api_security_scan | 完整扫描 |
-| api_fuzz_test | 模糊测试 |
-| browser_collect | 浏览器采集 |
-| js_parse | JS 分析 |
-| vuln_verify | 漏洞验证 |
-| graphql_test | GraphQL 测试 |
-| cloud_storage_test | 云存储测试 |
-| idor_test | IDOR 测试 |
-| sqli_test | SQLi 测试 |
-| auth_test | 认证测试 |
+| 工具 | 用途 | 场景 |
+|------|------|------|
+| api_security_scan | 完整扫描 | 全面测试 |
+| api_fuzz_test | 模糊测试 | 发现未知端点 |
+| browser_collect | 浏览器采集 | SPA 应用 |
+| js_parse | JS 分析 | 提取 API 模式 |
+| vuln_verify | 漏洞验证 | 确认发现 |
+| graphql_test | GraphQL 测试 | GraphQL 端点 |
+| cloud_storage_test | 云存储测试 | OSS/S3 |
+| idor_test | IDOR 测试 | 越权漏洞 |
+| sqli_test | SQLi 测试 | 注入漏洞 |
 ## 测试流程
 ### Phase 1: 侦察
 1. browser_collect 采集动态端点
 2. js_parse 分析 JS 文件
-3. api_fuzz_test 发现隐藏端点
+3. url_discover 发现隐藏端点
 ### Phase 2: 分析
 1. 识别技术栈

package/agents/api-probing-miner.md CHANGED Viewed

@@ -1,10 +1,16 @@
 ---
-description: 漏洞挖掘专家。专注发现和验证 API 漏洞。
+description: 漏洞挖掘专家。专注发现和验证 API 安全漏洞。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
 permission:
-  edit: ask
+  edit: deny
   bash:
-    "*": ask
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.5
+hidden: false
 ---
 你是**API漏洞挖掘专家**，专注于发现和验证安全漏洞。
@@ -25,17 +31,35 @@ permission:
 ### IDOR
 - 替换 ID: /api/user/1 → /api/user/2
-- 水平/垂直越权测试
+- 水平越权测试
+- 垂直越权测试
 ### JWT
 - 空算法: alg: none
 - 密钥混淆: HS256 → HS512
+- 无签名验证
+### 敏感数据
+- 响应中的密码/密钥
+- PII 信息泄露
+- 调试端点
 ## 可用工具
-| 工具 | 用途 |
-|------|------|
-| sqli_test | SQL 注入测试 |
-| idor_test | IDOR 测试 |
-| vuln_verify | 漏洞验证 |
-| api_fuzz_test | 模糊测试 |
+- sqli_test: SQL 注入测试
+- idor_test: IDOR 测试
+- vuln_verify: 漏洞验证
+- api_fuzz_test: 模糊测试
+## 输出格式
+```
+## 发现漏洞
+### {type}
+- **端点**: {endpoint}
+- **方法**: {method}
+- **严重程度**: {severity}
+- **PoC**: `{command}`
+- **状态**: {status}
+```

package/agents/api-resource-specialist.md CHANGED Viewed

@@ -1,36 +1,65 @@
 ---
-description: 资源探测专家。专注采集和发现 API 端点。
+description: 资源探测专家。发现隐藏端点和API资源。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
 permission:
-  edit: ask
+  edit: deny
   bash:
-    "*": ask
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.4
+hidden: false
 ---
-你是**API资源探测专家**，专注于发现和采集 API 端点。
+你是**API资源探测专家**，专注于发现隐藏的端点和API资源。
 ## 职责
-1. **全面发现** - 不遗漏任何端点
-2. **动态采集** - 拦截真实请求
-3. **静态分析** - 提取 API 模式
+1. **端点发现** - 发现所有可用的API端点
+2. **参数枚举** - 识别所有查询参数和请求体字段
+3. **技术栈识别** - 分析服务器响应头和技术特征
-## 采集技术
+## 探测方法
-### 1. 浏览器动态采集
-使用 browser_collect 拦截 XHR/Fetch 请求
+### 目录爆破
+- 常见API路径: /api/v1/, /api/v2/, /graphql, /admin
+- 配置文件: /.env, /config.json, /swagger.json
+- 备份文件: /.git/, /backup/, /old/
-### 2. JS 静态分析
-使用 js_parse 解析 JS 文件
+### 参数发现
+- 查询参数: ?id=, ?page=, ?limit=
+- 请求头: Authorization, X-API-Key, X-Request-ID
+- Cookie分析
-### 3. 目录探测
-常见路径: /api/v1/*, /graphql, /swagger, /.well-known/*
+### 版本控制
+- API版本枚举: /api/v1, /api/v2, /api/beta
+- 废弃端点发现
+- 内部端点探测
 ## 可用工具
-| 工具 | 用途 |
-|------|------|
-| browser_collect | 浏览器采集 |
-| js_parse | JS 分析 |
-| api_fuzz_test | 模糊测试 |
-| graphql_test | GraphQL 测试 |
+- browser_collect: 浏览器采集动态内容
+- js_parse: JavaScript文件解析
+- api_fuzz_test: API模糊测试
+- api_security_scan: 完整扫描
+## 输出格式
+```
+## 资源发现报告
+### 发现的端点
+| # | 端点 | 方法 | 认证 | 状态码 |
+|---|------|------|------|--------|
+| 1 | /api/users | GET | 需要 | 200 |
+### 技术栈
+- 框架: {framework}
+- 语言: {language}
+- 数据库: {database}
+### 可疑资源
+- {resource_url} - {reason}
+```

package/agents/api-vuln-verifier.md CHANGED Viewed

@@ -1,32 +1,83 @@
 ---
-description: 漏洞验证专家。验证和确认安全漏洞。
+description: 漏洞验证专家。确认和验证发现的安全漏洞。
 mode: subagent
+model: anthropic/claude-haiku-4-20250514
 permission:
-  edit: ask
+  edit: deny
   bash:
-    "*": ask
+    "curl *": allow
+    "python3 *": allow
+    "*": deny
+  webfetch: allow
+temperature: 0.2
+hidden: false
 ---
-你是**漏洞验证专家**，专注于验证和确认安全漏洞。
+你是**漏洞验证专家**，专注于确认和验证发现的安全漏洞。
 ## 职责
-1. **快速验证** - 确认漏洞是否存在
-2. **风险评估** - 判断实际影响
-3. **PoC 生成** - 提供可执行的证明
+1. **漏洞确认** - 验证漏洞是否真实存在
+2. **误报排除** - 排除假阳性结果
+3. **严重程度评估** - 准确评估漏洞风险等级
-## 验证流程
+## 验证方法
-1. 接收漏洞报告
-2. 验证漏洞真实性
-3. 评估风险等级
-4. 生成 PoC
+### SQL 注入验证
+- 确认注入点: 使用不同payload验证
+- 数据提取: 尝试提取数据库版本信息
+- 影响评估: 确定可访问的数据范围
+### IDOR 验证
+- 权限确认: 验证是否真的可以访问其他用户数据
+- 影响范围: 测试多个资源ID
+- 认证绕过: 检查是否需要特殊权限
+### XSS 验证
+- 执行确认: 验证脚本是否真的执行
+- 上下文分析: 确定注入上下文
+- 过滤器绕过: 测试WAF规则
+### 敏感数据泄露
+- 数据确认: 验证数据是否真的敏感
+- 访问控制: 确认是否应该公开
+- 合规检查: 检查是否符合数据保护法规
 ## 可用工具
-| 工具 | 用途 |
-|------|------|
-| vuln_verify | 漏洞验证 |
-| sqli_test | SQL 注入验证 |
-| idor_test | IDOR 验证 |
-| auth_test | 认证问题验证 |
+- vuln_verify: 漏洞验证
+- sqli_test: SQL注入测试
+- idor_test: IDOR测试
+- api_fuzz_test: 模糊测试
+## 输出格式
+```
+## 漏洞验证报告
+### 漏洞信息
+- **类型**: {vuln_type}
+- **端点**: {endpoint}
+- **参数**: {parameter}
+### 验证结果
+- **状态**: 已确认/误报/需要进一步测试
+- **严重程度**: Critical/High/Medium/Low
+- **CVSS评分**: {score}
+### 验证步骤
+1. {step_1}
+2. {step_2}
+3. {step_3}
+### PoC
+```bash
+curl -X POST "{endpoint}" \
+  -H "Content-Type: application/json" \
+  -d '{"payload": "..."}'
+```
+### 修复建议
+- {recommendation_1}
+- {recommendation_2}
+```

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "3.0.9",
+  "version": "3.0.10",
   "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",

package/postinstall.mjs CHANGED Viewed

@@ -110,6 +110,7 @@ function main() {
     console.log(`✓ Installed ${totalInstalled} file(s)`);
     console.log(`\nAgents: ${agentsTargetDir}`);
     console.log(`Skill: ${skillTargetDir}`);
+    console.log(`\n⚠️  IMPORTANT: Restart OpenCode to discover new agents`);
   } else {
     console.log(`⚠ Installed ${totalInstalled}, failed ${totalFailed}`);
     process.exit(1);

package/preuninstall.mjs CHANGED Viewed

@@ -1,14 +1,14 @@
 #!/usr/bin/env node
 /**
- * preuninstall.mjs - API Security Testing Plugin Cleanup
+ * preuninstall.mjs - API Security Testing Plugin
  *
  * Removes:
  * 1. agents from ~/.config/opencode/agents/
  * 2. SKILL.md and references from ~/.config/opencode/skills/api-security-testing/
  */
-import { unlinkSync, existsSync, readdirSync, rmdirSync, rmSync } from "node:fs";
+import { unlinkSync, existsSync, readdirSync, rmdirSync } from "node:fs";
 import { join } from "node:path";
 import { fileURLToPath } from "node:url";
@@ -20,54 +20,65 @@ function getOpencodeBaseDir() {
   return join(home, ".config", "opencode");
 }
-const AGENTS_TO_REMOVE = [
-  "api-cyber-supervisor.md",
-  "api-probing-miner.md",
-  "api-resource-specialist.md",
-  "api-vuln-verifier.md",
-];
 function main() {
   const agentsTargetDir = join(getOpencodeBaseDir(), "agents");
   const skillTargetDir = join(getOpencodeBaseDir(), "skills", "api-security-testing");
-  console.log("[api-security-testing] Cleaning up...");
-  console.log(`  Home: ${getOpencodeBaseDir()}`);
+  console.log("[api-security-testing] Uninstalling...");
   let totalRemoved = 0;
   let totalFailed = 0;
+  // 1. Remove agents
   console.log("\n[1/2] Removing agents...");
-  for (const agent of AGENTS_TO_REMOVE) {
-    const agentPath = join(agentsTargetDir, agent);
-    try {
-      if (existsSync(agentPath)) {
-        unlinkSync(agentPath);
-        console.log(`  ✓ ${agent}`);
-        totalRemoved++;
+  if (existsSync(agentsTargetDir)) {
+    const agentFiles = ["api-cyber-supervisor.md", "api-probing-miner.md", "api-resource-specialist.md", "api-vuln-verifier.md"];
+    for (const file of agentFiles) {
+      const filePath = join(agentsTargetDir, file);
+      try {
+        if (existsSync(filePath)) {
+          unlinkSync(filePath);
+          console.log(`  ✓ Removed ${file}`);
+          totalRemoved++;
+        }
+      } catch (err) {
+        console.error(`  ✗ Failed to remove ${file}: ${err.message}`);
+        totalFailed++;
       }
-    } catch (err) {
-      console.error(`  ✗ ${agent}: ${err.message}`);
-      totalFailed++;
     }
   }
-  console.log("\n[2/2] Removing skill files...");
-  try {
-    if (existsSync(skillTargetDir)) {
-      rmSync(skillTargetDir, { recursive: true, force: true });
-      console.log(`  ✓ ${skillTargetDir}`);
-      totalRemoved++;
+  // 2. Remove SKILL.md and references
+  console.log("\n[2/2] Removing SKILL.md and references...");
+  if (existsSync(skillTargetDir)) {
+    try {
+      function removeDir(dir) {
+        const items = readdirSync(dir);
+        for (const item of items) {
+          const itemPath = join(dir, item);
+          try {
+            unlinkSync(itemPath);
+            totalRemoved++;
+          } catch {
+            if (existsSync(itemPath)) {
+              removeDir(itemPath);
+            }
+          }
+        }
+        rmdirSync(dir);
+      }
+      removeDir(skillTargetDir);
+      console.log("  ✓ Removed skill directory");
+    } catch (err) {
+      console.error(`  ✗ Failed to remove skill directory: ${err.message}`);
+      totalFailed++;
     }
-  } catch (err) {
-    console.error(`  ✗ ${skillTargetDir}: ${err.message}`);
-    totalFailed++;
   }
   console.log(`\n========================================`);
   if (totalFailed === 0) {
-    console.log(`✓ Removed ${totalRemoved} item(s)`);
-    console.log(`\nThanks for using api-security-testing!`);
+    console.log(`✓ Removed ${totalRemoved} file(s)`);
   } else {
     console.log(`⚠ Removed ${totalRemoved}, failed ${totalFailed}`);
   }

package/src/index.ts CHANGED Viewed

@@ -1,18 +1,21 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import { tool } from "@opencode-ai/plugin";
 import { join } from "path";
-import { existsSync } from "fs";
 const SKILL_DIR = "skills/api-security-testing";
 const CORE_DIR = `${SKILL_DIR}/core`;
+function getSkillPath(ctx: { directory: string }): string {
+  return join(ctx.directory, SKILL_DIR);
+}
 function getCorePath(ctx: { directory: string }): string {
   return join(ctx.directory, CORE_DIR);
 }
 function checkDeps(ctx: { directory: string }): string {
-  const skillPath = join(ctx.directory, SKILL_DIR);
-  const reqFile = join(skillPath, "requirements.txt");
+  const { existsSync } = require("fs");
+  const reqFile = join(getSkillPath(ctx), "requirements.txt");
   if (existsSync(reqFile)) {
     return `pip install -q -r "${reqFile}" 2>/dev/null; `;
   }

package/README.md DELETED Viewed

@@ -1,74 +0,0 @@
-# API Security Testing Plugin
-OpenCode 插件，提供完整的 API 安全测试能力。
-## 安装
-```bash
-npm install opencode-api-security-testing
-```
-## 配置
-在 `opencode.json` 中添加：
-```json
-{
-  "plugin": ["opencode-api-security-testing"]
-}
-```
-## Agents (4个)
-| Agent | 模式 | 描述 |
-|-------|------|------|
-| `@api-cyber-supervisor` | Primary | 编排者，协调完整扫描流程，永不停止 |
-| `@api-probing-miner` | Subagent | 漏洞挖掘专家 |
-| `@api-resource-specialist` | Subagent | 资源探测专家 |
-| `@api-vuln-verifier` | Subagent | 漏洞验证专家 |
-## Tools (10个)
-| Tool | 功能 | 调用方式 |
-|------|------|---------|
-| `api_security_scan` | 完整 API 安全扫描 | `api_security_scan target="url"` |
-| `api_fuzz_test` | API 模糊测试 | `api_fuzz_test endpoint="url"` |
-| `browser_collect` | 浏览器采集动态内容 | `browser_collect url="url"` |
-| `js_parse` | JavaScript 文件解析 | `js_parse file_path="/path/to/file.js"` |
-| `graphql_test` | GraphQL 安全测试 | `graphql_test endpoint="url"` |
-| `cloud_storage_test` | 云存储安全测试 | `cloud_storage_test bucket_url="url"` |
-| `vuln_verify` | 漏洞验证 | `vuln_verify vuln_type="sqli" endpoint="url"` |
-| `sqli_test` | SQL 注入测试 | `sqli_test endpoint="url" param="id"` |
-| `idor_test` | IDOR 越权测试 | `idor_test endpoint="url" resource_id="1"` |
-| `auth_test` | 认证安全测试 | `auth_test endpoint="url"` |
-## 使用方式
-### 方式一：使用 Agent（推荐）
-```
-@api-cyber-supervisor 对 https://example.com 进行全面安全测试
-```
-### 方式二：使用 Skill
-```
-skill({ name: "api-security-testing" })
-```
-### 方式三：直接使用 Tool
-```
-api_security_scan target="https://example.com" scan_type="full"
-```
-## 依赖
-Python 依赖会自动安装。也可手动安装：
-```bash
-pip install -r skills/api-security-testing/requirements.txt
-```
-## 重要
-**仅用于合法授权的安全测试，测试前确保有书面授权。**