opencode-api-security-testing 4.0.1 → 5.0.0

package/package.json

@@ -1,47 +1,48 @@
-{
-  "name": "opencode-api-security-testing",
-  "version": "4.0.1",
-  "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
-  "type": "module",
-  "main": "src/index.ts",
-  "files": [
-    "src/",
-    "agents/",
-    "core/",
-    "references/",
-    "SKILL.md",
-    "postinstall.mjs",
-    "preuninstall.mjs"
-  ],
-  "scripts": {
-    "postinstall": "node postinstall.mjs",
-    "preuninstall": "node preuninstall.mjs"
-  },
-  "keywords": [
-    "opencode",
-    "opencode-plugin",
-    "security",
-    "api-security",
-    "pentest",
-    "vulnerability-scanning"
-  ],
-  "author": "steveopen1",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/steveopen1/skill-play"
-  },
-  "homepage": "https://github.com/steveopen1/skill-play/tree/main/agent-plugins/OPENCODE/api-security-testing",
-  "peerDependencies": {
-    "@opencode-ai/plugin": "^1.1.19",
-    "@opencode-ai/sdk": "^1.1.19"
-  },
-  "dependencies": {
-    "@opencode-ai/plugin": "^1.1.19",
-    "@opencode-ai/sdk": "^1.1.19"
-  },
-  "devDependencies": {
-    "@types/node": "^25.5.2",
-    "typescript": "^6.0.2"
-  }
-}
+{
+  "name": "opencode-api-security-testing",
+  "version": "5.0.0",
+  "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
+  "type": "module",
+  "main": "src/index.ts",
+  "files": [
+    "src/",
+    "agents/",
+    "core/",
+    "references/",
+    "SKILL.md",
+    "postinstall.mjs",
+    "preuninstall.mjs"
+  ],
+"scripts": {
+  "postinstall": "node postinstall.mjs",
+  "preuninstall": "node preuninstall.mjs",
+  "init": "node init.mjs"
+},
+  "keywords": [
+    "opencode",
+    "opencode-plugin",
+    "security",
+    "api-security",
+    "pentest",
+    "vulnerability-scanning"
+  ],
+  "author": "steveopen1",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/steveopen1/skill-play"
+  },
+  "homepage": "https://github.com/steveopen1/skill-play/tree/main/agent-plugins/OPENCODE/api-security-testing",
+  "peerDependencies": {
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "dependencies": {
+    "@opencode-ai/plugin": "^1.1.19",
+    "@opencode-ai/sdk": "^1.1.19"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.2",
+    "typescript": "^6.0.2"
+  }
+}

package/postinstall.mjs

@@ -1,11 +1,10 @@
-#!/usr/bin/env node
-
 /**
  * postinstall.mjs - API Security Testing Plugin
  * 
  * Installs:
- * 1. agents to ~/.config/opencode/agents/
- * 2. SKILL.md and references to ~/.config/opencode/skills/api-security-testing/
+ * 1. agents to ~/.claude/agents/ (oh-my-opencode discovery path)
+ * 2. agents to ~/.config/opencode/agents/ (OpenCode native discovery path)
+ * 3. SKILL.md and references to ~/.config/opencode/skills/api-security-testing/
  */
 
 import { copyFileSync, existsSync, mkdirSync, readdirSync } from "node:fs";
@@ -20,11 +19,42 @@ function getOpencodeBaseDir() {
   return join(home, ".config", "opencode");
 }
 
+function getClaudeBaseDir() {
+  const home = process.env.HOME || process.env.USERPROFILE || "/root";
+  return join(home, ".claude");
+}
+
+function copyDirRecursive(src, dest) {
+  if (!existsSync(dest)) {
+    mkdirSync(dest, { recursive: true });
+  }
+  const items = readdirSync(src, { withFileTypes: true });
+  let count = 0;
+  for (const item of items) {
+    const srcPath = join(src, item.name);
+    const destPath = join(dest, item.name);
+    try {
+      if (item.isDirectory()) {
+        copyDirRecursive(srcPath, destPath);
+      } else {
+        copyFileSync(srcPath, destPath);
+        count++;
+      }
+    } catch (err) {
+      console.error(`  ✗ ${item.name}: ${err.message}`);
+    }
+  }
+  return count;
+}
+
 function main() {
   const packageRoot = __dirname;
   const agentsSourceDir = join(packageRoot, "agents");
-  const agentsTargetDir = join(getOpencodeBaseDir(), "agents");
-  const skillTargetDir = join(getOpencodeBaseDir(), "skills", "api-security-testing");
+  const opencodeBaseDir = getOpencodeBaseDir();
+  const claudeBaseDir = getClaudeBaseDir();
+  const opencodeAgentsDir = join(opencodeBaseDir, "agents");
+  const claudeAgentsDir = join(claudeBaseDir, "agents");
+  const skillTargetDir = join(opencodeBaseDir, "skills", "api-security-testing");
   
   console.log("[api-security-testing] Installing...");
   console.log(`  Package root: ${packageRoot}`);
@@ -32,17 +62,17 @@ function main() {
   let totalInstalled = 0;
   let totalFailed = 0;
 
-  // 1. Install agents
-  console.log("\n[1/3] Installing agents...");
+  // 1. Install agents to BOTH locations (oh-my-opencode + OpenCode native)
+  console.log("\n[1/4] Installing agents to ~/.claude/agents/ (oh-my-opencode)...");
   if (existsSync(agentsSourceDir)) {
-    if (!existsSync(agentsTargetDir)) {
-      mkdirSync(agentsTargetDir, { recursive: true });
+    if (!existsSync(claudeAgentsDir)) {
+      mkdirSync(claudeAgentsDir, { recursive: true });
     }
     
     const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
     for (const file of files) {
       try {
-        copyFileSync(join(agentsSourceDir, file), join(agentsTargetDir, file));
+        copyFileSync(join(agentsSourceDir, file), join(claudeAgentsDir, file));
         console.log(`  ✓ ${file}`);
         totalInstalled++;
       } catch (err) {
@@ -52,8 +82,27 @@ function main() {
     }
   }
 
-  // 2. Install SKILL.md
-  console.log("\n[2/3] Installing SKILL.md...");
+  console.log("\n[2/4] Installing agents to ~/.config/opencode/agents/ (OpenCode native)...");
+  if (existsSync(agentsSourceDir)) {
+    if (!existsSync(opencodeAgentsDir)) {
+      mkdirSync(opencodeAgentsDir, { recursive: true });
+    }
+    
+    const files = readdirSync(agentsSourceDir).filter(f => f.endsWith(".md"));
+    for (const file of files) {
+      try {
+        copyFileSync(join(agentsSourceDir, file), join(opencodeAgentsDir, file));
+        console.log(`  ✓ ${file}`);
+        totalInstalled++;
+      } catch (err) {
+        console.error(`  ✗ ${file}: ${err.message}`);
+        totalFailed++;
+      }
+    }
+  }
+
+  // 3. Install SKILL.md
+  console.log("\n[3/4] Installing SKILL.md...");
   const skillSource = join(packageRoot, "SKILL.md");
   if (existsSync(skillSource)) {
     if (!existsSync(skillTargetDir)) {
@@ -69,36 +118,15 @@ function main() {
     }
   }
 
-  // 3. Install references
-  console.log("\n[3/3] Installing references...");
+  // 4. Install references
+  console.log("\n[4/4] Installing references...");
   const refsSourceDir = join(packageRoot, "references");
   const refsTargetDir = join(skillTargetDir, "references");
   if (existsSync(refsSourceDir)) {
-    if (!existsSync(refsTargetDir)) {
-      mkdirSync(refsTargetDir, { recursive: true });
-    }
-    
-    function copyDir(src, dest) {
-      const items = readdirSync(src);
-      for (const item of items) {
-        const srcPath = join(src, item);
-        const destPath = join(dest, item);
-        try {
-          copyFileSync(srcPath, destPath);
-          totalInstalled++;
-        } catch {
-          if (existsSync(srcPath) && !srcPath.endsWith(".md")) {
-            mkdirSync(destPath, { recursive: true });
-            copyDir(srcPath, destPath);
-          }
-        }
-      }
-    }
-    
     try {
-      copyDir(refsSourceDir, refsTargetDir);
-      console.log("  ✓ references/");
-      totalInstalled++;
+      const count = copyDirRecursive(refsSourceDir, refsTargetDir);
+      totalInstalled += count;
+      console.log(`  ✓ references/ (${count} files)`);
     } catch (err) {
       console.error(`  ✗ references/: ${err.message}`);
       totalFailed++;
@@ -108,7 +136,8 @@ function main() {
   console.log(`\n========================================`);
   if (totalFailed === 0) {
     console.log(`✓ Installed ${totalInstalled} file(s)`);
-    console.log(`\nAgents: ${agentsTargetDir}`);
+    console.log(`\nAgents (oh-my-opencode): ${claudeAgentsDir}`);
+    console.log(`Agents (OpenCode native): ${opencodeAgentsDir}`);
     console.log(`Skill: ${skillTargetDir}`);
     console.log(`\n⚠️  IMPORTANT: Restart OpenCode to discover new agents`);
   } else {

package/references/references/README.md

@@ -0,0 +1,72 @@
+# API Security Testing 参考资源
+
+## 核心文件
+
+| 文件 | 内容 |
+|------|------|
+| `pua-agent.md` | PUA自动测试Agent，强制深入不放弃 |
+| `fuzzing-patterns.md` | API Fuzzing字典 |
+| `report-template.md` | 安全测试报告模板 |
+
+## vulnerabilities/ 漏洞测试方法
+
+| 文件 | 内容 |
+|------|------|
+| `vulnerabilities/01-sqli-tests.md` | SQL注入测试 + WAF绕过 |
+| `vulnerabilities/02-user-enum-tests.md` | 用户枚举测试 |
+| `vulnerabilities/03-jwt-tests.md` | JWT认证测试 |
+| `vulnerabilities/04-idor-tests.md` | IDOR越权测试 |
+| `vulnerabilities/05-sensitive-data-tests.md` | 敏感信息泄露 |
+| `vulnerabilities/06-biz-logic-tests.md` | 业务逻辑漏洞 |
+| `vulnerabilities/07-security-config-tests.md` | 安全配置漏洞 |
+| `vulnerabilities/08-brute-force-tests.md` | 暴力破解测试 |
+| `vulnerabilities/09-vulnerability-chains.md` | 漏洞关联联想 |
+| `vulnerabilities/10-auth-tests.md` | OAuth/SAML/2FA测试 |
+| `vulnerabilities/11-graphql-tests.md` | GraphQL安全测试 |
+| `vulnerabilities/12-ssrf-tests.md` | SSRF测试 |
+
+## PUA Agent 使用
+
+### 核心思想
+
+```
+【PUA自动模式】
+- 发现线索 → 自动深入
+- 不等待用户指令
+- 压力升级直到完成
+```
+
+### 压力升级机制
+
+| 失败次数 | 级别 | 行动 |
+|---------|------|------|
+| 1次 | L1 | 换方法继续 |
+| 2次 | L2 | 强制检查清单 |
+| 3次 | L3 | 报告进度并继续 |
+| 4次+ | L4 | 尝试其他方向 |
+
+### 不放弃原则
+
+```
+遇到以下情况必须继续：
+□ 端点404 → 尝试POST方法
+□ 被WAF拦截 → 换payload
+□ 返回HTML → 继续API测试
+□ 找不到配置 → 搜索其他JS
+□ 一个端点失败 → 测试同类端点
+□ 说"无法测试" → 必须穷举所有方法
+```
+
+### 进度追踪表
+
+```
+阶段1: [████████░░] 80%
+阶段2: [████░░░░░░░] 40%
+阶段3: [░░░░░░░░░░░] 0%
+阶段4: [░░░░░░░░░░░] 0%
+
+发现:
+├─ CORS漏洞: 18个端点
+├─ SQL注入: 待测试
+└─ 新线索: /ipark-wxlite/*
+```

package/references/references/asset-discovery.md

@@ -0,0 +1,119 @@
+# Asset Discovery Guidance
+
+将原始 API 材料转换为紧凑的安全相关清单。
+
+## 目标
+
+识别对安全测试最重要的 API 部分。
+
+## 核心表面
+
+- base URL(s)
+- versioning scheme
+- routes 或 operations
+- methods
+- content types
+- auth schemes
+
+## 信任边界
+
+- public vs authenticated endpoints
+- user vs admin operations
+- internal vs external APIs
+- service-to-service 或 callback flows
+- tenant 或 organization 边界
+
+## 敏感对象
+
+关注以下对象：
+- users
+- roles
+- teams
+- organizations
+- invoices
+- payments
+- orders
+- files
+- secrets
+- API keys
+- tokens
+- audit logs
+- exports
+- configuration objects
+
+## 高风险操作模式
+
+标记与以下相关的 endpoints 或 mutations：
+- create/update/delete user
+- role assignment
+- permission change
+- password reset
+- token issue 或 refresh
+- export 或 bulk download
+- import 或 bulk update
+- file upload
+- webhook registration
+- callback URL configuration
+- search 或 filter on sensitive entities
+- internal admin dashboards 或 debug endpoints
+
+## REST 提示
+
+优先包含模式的 endpoints：
+- `/admin`
+- `/internal`
+- `/users`
+- `/roles`
+- `/permissions`
+- `/export`
+- `/import`
+- `/search`
+- `/upload`
+- `/files`
+- `/billing`
+- `/settings`
+- `/token`
+- `/auth`
+- `/debug`
+
+同时注意：
+- bulk 操作
+- object IDs in path 或 query
+- 同一资源上隐藏的替代方法
+- 不一致的版本化 endpoints
+
+## GraphQL 提示
+
+优先：
+- 变更 roles、permissions 或 state 的 mutations
+- 暴露嵌套对象遍历的 fields
+- admin-only resolvers
+- schema introspection 暴露
+- 带敏感链接数据的宽对象图
+- 可能意外扩展访问的 connection 或 pagination 模式
+
+## 资产摘要格式
+
+优先简洁输出：
+
+```
+- Base URLs:
+- API type:
+- Auth schemes:
+- Roles observed or assumed:
+- Sensitive objects:
+- High-risk operations:
+- Trust boundaries:
+- Unknown areas:
+```
+
+## 优先级规则
+
+当表面较大时，优先深度在：
+1. auth 和 role 变更
+2. user 和 tenant 数据
+3. export/import 和 bulk 操作
+4. file 和 callback 流程
+5. 金融或行政操作
+
+不要在低风险的只读 metadata endpoints 上浪费空间，除非它们支持更广泛的滥用路径。

package/references/references/fuzzing-patterns.md

@@ -0,0 +1,129 @@
+# Fuzzing 字典
+
+## API前缀字典
+
+```python
+common_api_prefixes = [
+    # 协议/网关
+    "/gateway", "/proxy", "/route", "/ingress",
+    "/api-gateway", "/openapi", "/open/api",
+    # 版本前缀
+    "/v1", "/v2", "/v3", "/v4", "/v5",
+    "/api/v1", "/api/v2", "/api/v3",
+    "/rest", "/rest/api", "/graphql",
+    # 管理后台
+    "/admin", "/admin/api", "/manager", "/backend",
+    "/backoffice", "/cms",
+    # 业务模块
+    "/user", "/users", "/member", "/members",
+    "/order", "/orders", "/trade", "/transaction",
+    "/product", "/goods", "/shop", "/store",
+    "/payment", "/pay", "/finance", "/account",
+    "/file", "/upload", "/oss", "/storage",
+    "/message", "/notify", "/sms", "/email",
+    "/admin", "/authority", "/system", "/config",
+    # 微服务
+    "/service", "/services", "/rpc", "/grpc",
+    "/auth", "/oauth", "/sso", "/cas",
+    # 移动端
+    "/mobile", "/app", "/ios", "/android",
+    "/miniapp", "/wechat", "/applet",
+]
+```
+
+## API端点字典
+
+```python
+common_api_endpoints = [
+    # 通用CRUD
+    "login", "logout", "register", "list", "add", "delete", "modify",
+    "getList", "getListOfPage", "detail", "getInfo", "profile",
+    # 用户相关
+    "user", "user/list", "user/add", "user/delete", "user/modify",
+    "user/profile", "user/restPassword", "user/enable", "user/disable",
+    # 角色权限
+    "role", "role/list", "role/add", "role/delete", "role/modify",
+    "menu", "menu/list", "menu/add", "menu/delete", "menu/modify",
+    # 文件操作
+    "file", "upload", "download", "import", "export",
+    "imgUpload", "avatar", "attachment",
+]
+```
+
+## Fuzzing测试流程
+
+```python
+for prefix in common_api_prefixes:
+    for endpoint in common_api_endpoints:
+        url = target + prefix + "/" + endpoint
+        response = requests.get(url)
+        # 记录返回200的接口
+```
+
+## API根路径探测
+
+```python
+root_paths = [
+    "/", "/login", "/auth", "/oauth", "/sso", "/cas",
+    "/health", "/healthz", "/ready", "/status", "/info",
+    "/metrics", "/ping", "/actuator",
+]
+
+for path in root_paths:
+    url = api_base + path
+    response = requests.get(url)
+    if "json" in response.headers.get("Content-Type", ""):
+        # 发现可访问的接口
+```
+
+## 业务端点模板扩展
+
+```
+发现的模式: /{module}/{operation}
+可能存在的端点:
+- /{module}/list          → 列表查询
+- /{module}/add          → 新增创建
+- /{module}/modify       → 修改更新
+- /{module}/delete       → 删除操作
+- /{module}/detail       → 详情查看
+- /{module}/getInfo      → 信息获取
+- /{module}/export       → 导出数据
+- /{module}/import       → 导入数据
+
+RESTful风格:
+- GET  /{resource}/{id}     → 获取详情
+- PUT  /{resource}/{id}     → 完整更新
+- DELETE /{resource}/{id}   → 删除资源
+- PATCH /{resource}/{id}   → 部分更新
+```
+
+## 非通用base_path字典
+
+```python
+extended_base_paths = [
+    # 协议/网关
+    "/gateway", "/proxy", "/route", "/ingress",
+    "/api-gateway", "/openapi", "/open/api",
+    # 版本前缀
+    "/v1", "/v2", "/v3", "/v4", "/v5",
+    "/api/v1", "/api/v2", "/api/v3",
+    "/rest", "/rest/api", "/graphql",
+    # 管理后台
+    "/admin", "/manager", "/manage", "/console",
+    "/backend", "/backoffice", "/cms",
+    # 业务模块
+    "/user", "/users", "/member", "/members",
+    "/order", "/orders", "/trade", "/transaction",
+    "/product", "/goods", "/shop", "/store",
+    "/payment", "/pay", "/finance", "/account",
+    "/file", "/upload", "/oss", "/storage",
+    "/message", "/notify", "/sms", "/email",
+    "/admin", "/authority", "/system", "/config",
+    # 微服务
+    "/service", "/services", "/rpc", "/grpc",
+    "/auth", "/oauth", "/sso", "/cas",
+    # 移动端
+    "/mobile", "/app", "/ios", "/android",
+    "/miniapp", "/wechat", "/applet",
+]
+```

package/references/references/graphql-guidance.md

@@ -0,0 +1,108 @@
+# GraphQL Guidance
+
+分析 GraphQL API 时使用。
+
+## 关注领域
+
+### 字段级授权
+
+- resolver 是否正确检查权限
+- 嵌套查询是否泄露数据
+- 是否缺少 admin-only 字段
+
+### 嵌套遍历
+
+- `type User { friends: [User!]! }` 可导致递归查询
+- `type Post { author: User }` 允许遍历
+- 是否限制遍历深度
+
+### Resolver 边界
+
+- 一个 resolver 是否调用另一个 service
+- 是否存在 SSRF 风险
+- 是否有命令注入点
+
+### Mutation 滥用
+
+- 未经授权的状态变更
+- 条件 mutation（如 admin-only mutation）
+- 批量 mutation 导致的问题
+
+### Introspection 暴露
+
+- 是否禁用 introspection
+- 是否暴露敏感字段
+- Schema 文档是否包含敏感信息
+
+## 常见风险信号
+
+- ` IntrospectionQuery` 可访问
+- 缺少 query 复杂度限制
+- 缺少 query 深度限制
+- 缺少字段权限检查
+- mutation 接受任意输入
+- 嵌套查询无限制
+
+## 测试重点
+
+### 1. 枚举攻击
+
+```graphql
+# 枚举所有用户
+query {
+  users {
+    id
+    username
+    email
+  }
+}
+```
+
+### 2. 嵌套遍历
+
+```graphql
+# 递归遍历 friendships
+query {
+  user(id: 1) {
+    friends {
+      friends {
+        friends {
+          id
+        }
+      }
+    }
+  }
+}
+```
+
+### 3. 权限绕过
+
+```graphql
+# 尝试 admin 字段
+query {
+  user(id: 1) {
+    isAdmin
+    role
+  }
+}
+```
+
+### 4. mutation 滥用
+
+```graphql
+# 未经授权的 mutation
+mutation {
+  updateUser(id: 1, role: "admin") {
+    id
+    role
+  }
+}
+```
+
+## 防护检查
+
+- [ ] 是否限制查询复杂度
+- [ ] 是否限制查询深度
+- [ ] 是否禁用 introspection
+- [ ] resolver 是否有权限检查
+- [ ] 是否过滤敏感字段