redgun-security 1.0.0 → 1.1.0

package/README.md

@@ -10,13 +10,13 @@
 </p>
 
 <p align="center">
-  <strong>Black-box & white-box security auditor for web applications — HackTricks Enhanced.</strong>
+  <strong>Black-box & white-box security auditor for web applications — Enhanced.</strong>
 </p>
 
 <p align="center">
   <a href="https://github.com/aloc999/redgun/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue" alt="License"></a>
   <img src="https://img.shields.io/badge/node-%3E%3D18-green" alt="Node">
-  <img src="https://img.shields.io/badge/modules-39-ff4444" alt="Modules">
+  <img src="https://img.shields.io/badge/modules-51-ff4444" alt="Modules">
   <img src="https://img.shields.io/badge/HackTricks-Enhanced-critical" alt="HackTricks">
 </p>
 
@@ -24,11 +24,11 @@
 
 ## What is RedGun?
 
-RedGun is a security auditing CLI tool that finds vulnerabilities in your web applications. It includes **39 security modules** covering techniques from [HackTricks](https://book.hacktricks.wiki). Two modes:
+RedGun is a security auditing CLI tool that finds vulnerabilities in your web applications. It includes **51 security modules** covering techniques from [HackTricks](https://book.hacktricks.wiki), [PortSwigger Web Security Academy](https://portswigger.net/web-security), [Katana](https://github.com/projectdiscovery/katana), and [httpx](https://github.com/projectdiscovery/httpx). Two modes:
 
-**Remote scan** (black-box): Give it a URL. It tests your site from the outside — XSS, SQLi, SSRF, CORS, CRLF injection, cache poisoning, host header injection, HTTP request smuggling, GraphQL introspection, path traversal, NoSQL injection, and more.
+**Remote scan** (black-box): Give it a URL. It crawls with Katana-style JS parsing, fingerprints with httpx-style probing, then tests — XSS, SQLi, SSRF, CORS, XXE, OAuth, IDOR, cache deception, DOM-based, HTTP smuggling, CRLF, parameter pollution, file upload, and more.
 
-**Local audit** (white-box): Point it at your project directory. It reads your source code checking for secrets, SSTI, insecure deserialization, prototype pollution, JWT vulnerabilities, command injection, weak crypto, path traversal, and more.
+**Local audit** (white-box): Point it at your project directory. It reads your source code checking for secrets, SSTI, XXE, insecure deserialization, prototype pollution, JWT attacks, OAuth flaws, IDOR, business logic, command injection, weak crypto, and more.
 
 <br>
 
@@ -51,10 +51,12 @@ redgun modules                    # List all modules
 
 <br>
 
-## Remote Scan Modules (25 — Black-box)
+## Remote Scan Modules (33 — Black-box)
 
 | Module | What it tests | Source |
 |---|---|---|
+| **Probe & Fingerprint** | Status code, title, technologies (40+), CDN/WAF detection, favicon hash, response time, virtual host discovery | httpx |
+| **Crawl & Extract** | JS file parsing, endpoint extraction, form discovery, parameter mining, email harvesting, secret detection in bundles | Katana |
 | **HTTP Headers** | Missing CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP | OWASP |
 | **Exposed Files** | `.env`, `.git/config`, `package.json`, `.DS_Store`, source maps, actuator, swagger, phpinfo, Docker files, backups | HackTricks |
 | **Secrets Detection** | API keys (AWS, Stripe, Firebase, Supabase, OpenAI, Anthropic), tokens, passwords in page source | HackTricks |
@@ -80,10 +82,18 @@ redgun modules                    # List all modules
 | **WebSocket Security** | Origin validation, authentication checks | HackTricks |
 | **Cache Poisoning** | Unkeyed headers (X-Forwarded-Host, X-Forwarded-Scheme, X-Original-URL) | HackTricks |
 | **Race Conditions** | Detection guidance for concurrent request attacks | HackTricks |
+| **XXE Injection** | XML entity injection at upload/import/SOAP endpoints | PortSwigger |
+| **OAuth Misconfiguration** | redirect_uri validation, OIDC config exposure, implicit flow detection | PortSwigger |
+| **Access Control Bypass** | Admin panel exposure, 403 bypass via X-Original-URL/X-Forwarded-For, robots.txt disclosure | PortSwigger |
+| **Web Cache Deception** | Static extension cache deception, path normalization inconsistency | PortSwigger |
+| **Parameter Pollution** | HTTP Parameter Pollution, null byte truncation, duplicate params | PortSwigger |
+| **File Upload Testing** | Upload endpoint discovery, OPTIONS probing | PortSwigger |
+| **DOM-Based Vulnerabilities** | DOM sinks (document.write, innerHTML, eval, postMessage), source-to-sink flow | PortSwigger |
+| **HTTP/2 Attacks** | H2.CL/H2.TE smuggling indicators, HPACK injection surface | PortSwigger |
 
 <br>
 
-## Local Audit Modules (14 — White-box)
+## Local Audit Modules (18 — White-box)
 
 | Module | What it checks | Source |
 |---|---|---|
@@ -101,6 +111,10 @@ redgun modules                    # List all modules
 | **Path Traversal / LFI** | User input in file paths, readFile, sendFile, include/require | HackTricks |
 | **Command Injection** | exec, spawn, child_process, system, subprocess with user input, shell interpolation | HackTricks |
 | **Weak Cryptography** | MD5, SHA1, DES, RC4, ECB mode, Math.random, hardcoded keys/IVs | HackTricks |
+| **XXE Detection** | XML parsers without entity disabled, DOMParser, lxml, simplexml with user input | PortSwigger |
+| **Access Control / IDOR** | Direct object reference, role from user input, admin headers, ownership checks | PortSwigger |
+| **OAuth / OIDC Flaws** | redirect_uri manipulation, missing state, client_secret exposure, token storage | PortSwigger |
+| **Business Logic** | Price manipulation, negative quantity, workflow step skipping, race conditions, referral abuse | PortSwigger |
 
 <br>
 
@@ -209,9 +223,9 @@ Create a `.redgunignore` file to exclude files from local audit:
 
 <br>
 
-## HackTricks Techniques Included
+## Techniques & Sources
 
-RedGun integrates techniques documented in [HackTricks](https://book.hacktricks.wiki):
+### HackTricks Techniques
 
 - **SSRF** — AWS/GCP metadata, internal IP bypass, DNS rebinding indicators
 - **SSTI** — Template engine detection and exploitation patterns
@@ -231,6 +245,37 @@ RedGun integrates techniques documented in [HackTricks](https://book.hacktricks.
 - **Subdomain Takeover** — Dangling CNAME detection
 - **Weak Cryptography** — Deprecated algorithms and hardcoded key detection
 
+### PortSwigger Web Security Academy Techniques
+
+- **XXE (XML External Entity)** — Entity injection, DTD-based file read, blind OOB XXE, parameter entities
+- **Access Control** — Horizontal/vertical privilege escalation, IDOR, 403 bypass via headers (X-Original-URL, X-Rewrite-URL), referer-based control
+- **OAuth 2.0 Vulnerabilities** — redirect_uri manipulation, state CSRF, implicit flow token theft, client_secret exposure, PKCE bypass
+- **Business Logic** — Price manipulation, negative quantity, workflow step skipping, race condition exploitation, referral abuse, trial abuse
+- **Web Cache Deception** — Static extension deception, path normalization inconsistency, cache key manipulation
+- **DOM-Based Vulnerabilities** — Source-to-sink analysis, document.write, innerHTML, eval, postMessage hijacking
+- **HTTP Parameter Pollution** — Duplicate parameters, server-side truncation, null byte injection
+- **File Upload** — Unrestricted upload, extension bypass, content-type manipulation, polyglot files
+- **HTTP/2 Attacks** — H2.CL smuggling, H2.TE smuggling, HPACK header injection, request tunneling
+
+### Katana (ProjectDiscovery) Techniques
+
+- **JavaScript Crawling** — Parse all JS bundles including lazy-loaded chunks for endpoints
+- **Endpoint Extraction** — API routes, fetch/axios calls, URL patterns from source
+- **Form Discovery** — Automatic form detection with CSRF and sensitive field analysis
+- **Parameter Mining** — Extract all parameters from URLs, forms, and JS source
+- **Secret Extraction** — API keys, tokens, and credentials from JS bundles
+- **Email Harvesting** — Email addresses from page source for social engineering
+
+### httpx (ProjectDiscovery) Techniques
+
+- **Technology Detection** — 40+ technologies fingerprinted (frameworks, CMS, servers, BaaS, analytics)
+- **CDN/WAF Detection** — Cloudflare, AWS CloudFront, Fastly, Akamai, Imperva, Sucuri, Azure, Vercel, Netlify
+- **WAF Fingerprinting** — ModSecurity, Wordfence, F5 BIG-IP, Cloudflare WAF, Incapsula
+- **Favicon Hashing** — MD5 hash for Shodan-style fingerprinting
+- **Virtual Host Discovery** — Host header manipulation to find hidden vhosts
+- **Response Analysis** — Status codes, content-length, response time, title extraction
+- **TLS/Certificate Info** — Protocol detection, certificate validation
+
 <br>
 
 ## Project Structure
@@ -247,7 +292,7 @@ redgun/
 │   │       ├── console.js           # Terminal output
 │   │       ├── json.js              # JSON + SARIF export
 │   │       └── html.js              # HTML report
-│   ├── local/                       # White-box modules (14)
+│   ├── local/                       # White-box modules (18)
 │   │   ├── index.js                 # Module orchestrator
 │   │   ├── secrets.js               # Source code secrets
 │   │   ├── env.js                   # .env audit
@@ -255,18 +300,26 @@ redgun/
 │   │   ├── code-vulnerabilities.js  # SQLi, XSS, eval, ReDoS
 │   │   ├── auth.js                  # Auth & middleware
 │   │   ├── headers-config.js        # CSP/HSTS config
-│   │   ├── ssrf.js                  # SSRF detection
-│   │   ├── ssti.js                  # SSTI detection
-│   │   ├── deserialization.js       # Insecure deserialization
-│   │   ├── prototype-pollution.js   # Prototype pollution
-│   │   ├── jwt.js                   # JWT vulnerabilities
-│   │   ├── path-traversal.js        # LFI/path traversal
-│   │   ├── command-injection.js     # OS command injection
-│   │   └── crypto.js               # Weak cryptography
+│   │   ├── ssrf.js                  # SSRF (HackTricks)
+│   │   ├── ssti.js                  # SSTI (HackTricks)
+│   │   ├── deserialization.js       # Insecure deserialization (HackTricks)
+│   │   ├── prototype-pollution.js   # Prototype pollution (HackTricks)
+│   │   ├── jwt.js                   # JWT vulnerabilities (HackTricks)
+│   │   ├── path-traversal.js        # LFI/path traversal (HackTricks)
+│   │   ├── command-injection.js     # OS command injection (HackTricks)
+│   │   ├── crypto.js               # Weak cryptography (HackTricks)
+│   │   ├── xxe.js                   # XXE detection (PortSwigger)
+│   │   ├── access-control.js        # IDOR/access control (PortSwigger)
+│   │   ├── oauth.js                 # OAuth/OIDC flaws (PortSwigger)
+│   │   └── business-logic.js        # Business logic (PortSwigger)
+│   ├── remote/                      # Black-box enhanced modules
+│   │   ├── crawler.js               # Katana-style JS crawler
+│   │   ├── probe.js                 # httpx-style fingerprinting
+│   │   └── portswigger.js           # PortSwigger remote tests
 │   └── utils/
 │       ├── fetch.js                 # HTTP with timeout
 │       └── patterns.js              # Shared regex patterns
-├── scan.js                          # Remote scan engine (25 modules)
+├── scan.js                          # Remote scan engine (33 modules)
 ├── action.yml                       # GitHub Action definition
 ├── .github/workflows/security.yml
 └── package.json

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "redgun-security",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Black-box & white-box security auditor for web applications with HackTricks techniques",
   "type": "module",
   "main": "scan.js",
@@ -20,10 +20,16 @@
     "vulnerability",
     "audit",
     "hacktricks",
+    "portswigger",
+    "katana",
+    "httpx",
     "xss",
     "sqli",
     "ssrf",
     "ssti",
+    "xxe",
+    "idor",
+    "oauth",
     "web-security"
   ],
   "author": "aloc999",

package/scan.js

@@ -1,6 +1,9 @@
 import { addFinding } from './src/core/findings.js';
 import { fetchText, checkUrl } from './src/utils/fetch.js';
 import { EXPOSED_FILES, HEADER_CHECKS, COMMON_SUBDOMAINS, COMMON_PORTS, SECRET_PATTERNS } from './src/utils/patterns.js';
+import { runCrawler } from './src/remote/crawler.js';
+import { runProbe } from './src/remote/probe.js';
+import { scanXxeRemote, scanOauthRemote, scanAccessControlRemote, scanWebCacheDeception, scanParameterPollution, scanFileUpload, scanDomBased, scanHttp2 } from './src/remote/portswigger.js';
 
 export async function runRemoteScan(url, spinner, modules = null) {
   const target = new URL(url);
@@ -8,6 +11,8 @@ export async function runRemoteScan(url, spinner, modules = null) {
   const origin = target.origin;
 
   const allModules = [
+    { name: 'Probe & Fingerprint (httpx)', value: 'probe', fn: () => runProbe(origin, spinner) },
+    { name: 'Crawl & Extract (Katana)', value: 'crawl', fn: () => runCrawler(origin, spinner) },
     { name: 'HTTP Headers', value: 'headers', fn: () => scanHeaders(origin, spinner) },
     { name: 'Exposed Files & Paths', value: 'files', fn: () => scanExposedFiles(origin, spinner) },
     { name: 'Secrets in JS Bundles', value: 'secrets', fn: () => scanSecrets(origin, spinner) },
@@ -33,6 +38,14 @@ export async function runRemoteScan(url, spinner, modules = null) {
     { name: 'WebSocket Security (HackTricks)', value: 'websocket', fn: () => scanWebsocket(origin, spinner) },
     { name: 'Cache Poisoning (HackTricks)', value: 'cache', fn: () => scanCachePoisoning(origin, spinner) },
     { name: 'Race Condition Detection (HackTricks)', value: 'race', fn: () => scanRaceCondition(origin, spinner) },
+    { name: 'XXE Injection (PortSwigger)', value: 'xxe', fn: () => scanXxeRemote(origin, spinner) },
+    { name: 'OAuth Misconfiguration (PortSwigger)', value: 'oauth', fn: () => scanOauthRemote(origin, spinner) },
+    { name: 'Access Control Bypass (PortSwigger)', value: 'acl', fn: () => scanAccessControlRemote(origin, spinner) },
+    { name: 'Web Cache Deception (PortSwigger)', value: 'wcd', fn: () => scanWebCacheDeception(origin, spinner) },
+    { name: 'Parameter Pollution (PortSwigger)', value: 'hpp', fn: () => scanParameterPollution(origin, spinner) },
+    { name: 'File Upload Testing (PortSwigger)', value: 'upload', fn: () => scanFileUpload(origin, spinner) },
+    { name: 'DOM-Based Vulnerabilities (PortSwigger)', value: 'dom', fn: () => scanDomBased(origin, spinner) },
+    { name: 'HTTP/2 Attacks (PortSwigger)', value: 'h2', fn: () => scanHttp2(origin, spinner) },
   ];
 
   const toRun = modules ? allModules.filter((m) => modules.includes(m.value)) : allModules;

package/src/local/access-control.js

@@ -0,0 +1,64 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditAccessControl(projectPath, spinner) {
+  spinner.text = 'Scanning for access control vulnerabilities (PortSwigger)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:req|request)\.(?:params|query|body)\.\s*(?:user_?id|userId|uid|owner_?id|account_?id)/gi, name: 'IDOR - user ID from request parameters', severity: 'HIGH' },
+        { pattern: /(?:isAdmin|is_admin|role)\s*[:=]\s*(?:req|request|params|query|body)/gi, name: 'Role/privilege from user input', severity: 'CRITICAL' },
+        { pattern: /(?:if|when)\s*\(\s*(?:req|request)\.(?:headers|query|params)\[?\s*['"]?(?:x-admin|admin|role|is[-_]?admin)/gi, name: 'Admin check via client-controlled header/param', severity: 'CRITICAL' },
+        { pattern: /\.findById\s*\(\s*(?:req|params|query|body)\./gi, name: 'Direct object reference without ownership check', severity: 'HIGH' },
+        { pattern: /\.findOne\s*\(\s*\{\s*(?:_id|id)\s*:\s*(?:req|params|query|body)\./gi, name: 'Database lookup by user-supplied ID (potential IDOR)', severity: 'HIGH' },
+        { pattern: /\.delete\s*\(\s*['"`]\/[^'"`]*:id/gi, name: 'DELETE route with :id param (check authorization)', severity: 'MEDIUM' },
+        { pattern: /\.put\s*\(\s*['"`]\/[^'"`]*:id/gi, name: 'PUT route with :id param (check authorization)', severity: 'MEDIUM' },
+        { pattern: /(?:admin|dashboard|manage|internal).*(?:app\.get|router\.get|@app\.route)/gi, name: 'Admin route - verify middleware protection', severity: 'MEDIUM' },
+        { pattern: /res\.json\s*\(\s*(?:users|accounts|orders|payments|transactions)/gi, name: 'Bulk data exposure without filtering', severity: 'MEDIUM' },
+        { pattern: /X-Original-URL|X-Rewrite-URL/gi, name: 'URL override headers (access control bypass)', severity: 'HIGH' },
+        { pattern: /referer\s*(?:===?|!==?|includes|match)/gi, name: 'Referer-based access control (easily spoofed)', severity: 'HIGH' },
+        { pattern: /(?:hidden|type=['"]hidden['"])\s*.*(?:role|admin|privilege|permission)/gi, name: 'Hidden form field for access control', severity: 'HIGH' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            severity,
+            'Access Control (PortSwigger)',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 120)}`,
+            'Implement server-side authorization checks. Verify object ownership on every request. Use middleware for role-based access control. Never trust client-supplied IDs without verifying the requesting user owns that resource.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/business-logic.js

@@ -0,0 +1,67 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditBusinessLogic(projectPath, spinner) {
+  spinner.text = 'Scanning for business logic flaws (PortSwigger)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:price|amount|total|cost|quantity|qty)\s*[:=]\s*(?:req|params|query|body|request)\./gi, name: 'Price/amount from client input (price manipulation)', severity: 'CRITICAL' },
+        { pattern: /(?:discount|coupon|promo|voucher).*(?:apply|use|redeem)/gi, name: 'Discount/coupon logic (test for race conditions & reuse)', severity: 'MEDIUM' },
+        { pattern: /(?:quantity|qty)\s*[:=]\s*(?:parseInt|Number)\s*\(\s*(?:req|body)/gi, name: 'Quantity from user input (negative quantity attack)', severity: 'HIGH' },
+        { pattern: /(?:transfer|withdraw|send)\s*.*(?:amount|value)\s*[:=]/gi, name: 'Financial transfer logic (check for negative amounts, overflow)', severity: 'HIGH' },
+        { pattern: /(?:limit|max|threshold)\s*.*(?:parseInt|Number|parseFloat)\s*\(\s*(?:req|body|query)/gi, name: 'Limit/threshold from user input', severity: 'MEDIUM' },
+        { pattern: /(?:step|stage|phase|state)\s*[:=]\s*(?:req|params|query|body)/gi, name: 'Workflow step from user input (step skipping)', severity: 'HIGH' },
+        { pattern: /(?:if|when).*(?:balance|credits?|points?)\s*(?:>=?|<=?|>|<)\s*(?:0|amount|price)/gi, name: 'Balance check (test for race conditions)', severity: 'MEDIUM' },
+        { pattern: /(?:verify|validate|check).*(?:email|phone|identity)\s*.*(?:skip|bypass|false)/gi, name: 'Verification bypass flag', severity: 'HIGH' },
+        { pattern: /(?:free[-_]?trial|trial[-_]?period).*(?:extend|reset|create)/gi, name: 'Trial logic (test for unlimited trial abuse)', severity: 'MEDIUM' },
+        { pattern: /(?:referral|invite|bonus).*(?:credit|reward|points)/gi, name: 'Referral/bonus logic (test for self-referral abuse)', severity: 'MEDIUM' },
+        { pattern: /parseInt\s*\(\s*(?:req|body|query).*10\s*\)|Number\s*\(\s*(?:req|body|query)/gi, name: 'Numeric input parsing (test integer overflow, NaN, Infinity)', severity: 'LOW' },
+        { pattern: /(?:vote|like|upvote|rate|review).*(?:req|body|params)/gi, name: 'Voting/rating logic (test for multiple votes)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#')) continue;
+
+          addFinding(
+            severity,
+            'Business Logic (PortSwigger)',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Never trust client-supplied values for prices, quantities, or workflow states. Validate all business rules server-side. Use database transactions with proper isolation levels for financial operations. Implement idempotency keys to prevent double-processing.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/index.js

@@ -12,6 +12,10 @@ import { auditJwt } from './jwt.js';
 import { auditPathTraversal } from './path-traversal.js';
 import { auditCommandInjection } from './command-injection.js';
 import { auditCrypto } from './crypto.js';
+import { auditXxe } from './xxe.js';
+import { auditAccessControl } from './access-control.js';
+import { auditOauth } from './oauth.js';
+import { auditBusinessLogic } from './business-logic.js';
 
 export const LOCAL_MODULES = [
   { name: 'Code Secrets', value: 'secrets', fn: auditSecrets },
@@ -28,6 +32,10 @@ export const LOCAL_MODULES = [
   { name: 'Path Traversal / LFI (HackTricks)', value: 'lfi', fn: auditPathTraversal },
   { name: 'Command Injection (HackTricks)', value: 'cmdi', fn: auditCommandInjection },
   { name: 'Weak Cryptography (HackTricks)', value: 'crypto', fn: auditCrypto },
+  { name: 'XXE - XML External Entity (PortSwigger)', value: 'xxe', fn: auditXxe },
+  { name: 'Access Control / IDOR (PortSwigger)', value: 'idor', fn: auditAccessControl },
+  { name: 'OAuth / OIDC Flaws (PortSwigger)', value: 'oauth', fn: auditOauth },
+  { name: 'Business Logic Flaws (PortSwigger)', value: 'bizlogic', fn: auditBusinessLogic },
 ];
 
 export async function runLocalAudit(projectPath, spinner, modules = null) {

package/src/local/oauth.js

@@ -0,0 +1,68 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.rb', '.php', '.go', '.java', '.env'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditOauth(projectPath, spinner) {
+  spinner.text = 'Scanning for OAuth/OIDC vulnerabilities (PortSwigger)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /redirect_uri\s*[:=]\s*(?:req|params|query|body|request)/gi, name: 'OAuth redirect_uri from user input (open redirect → token theft)', severity: 'CRITICAL' },
+        { pattern: /state\s*[:=]\s*(?:null|undefined|''|"")|(?:!state|state\s*===?\s*(?:null|undefined))/gi, name: 'OAuth state parameter missing/null (CSRF)', severity: 'HIGH' },
+        { pattern: /response_type\s*[:=]\s*['"]token['"]/gi, name: 'OAuth implicit flow (token in URL fragment)', severity: 'MEDIUM' },
+        { pattern: /client_secret\s*[:=]\s*['"][^'"]{5,}['"]/gi, name: 'OAuth client_secret hardcoded', severity: 'HIGH' },
+        { pattern: /grant_type\s*[:=]\s*['"]password['"]/gi, name: 'OAuth Resource Owner Password grant (insecure)', severity: 'MEDIUM' },
+        { pattern: /(?:GOOGLE|GITHUB|FACEBOOK|TWITTER|OAUTH)_CLIENT_SECRET\s*=\s*['"]?[A-Za-z0-9_-]{10,}/gi, name: 'OAuth provider secret in source', severity: 'HIGH' },
+        { pattern: /(?:openid|oauth|oidc).*(?:nonce|at_hash)\s*.*(?:skip|ignore|false)/gi, name: 'OAuth nonce/at_hash validation disabled', severity: 'HIGH' },
+        { pattern: /(?:verify|validate).*(?:state|nonce)\s*.*(?:false|skip|disabled)/gi, name: 'OAuth state/nonce verification disabled', severity: 'CRITICAL' },
+        { pattern: /scope\s*[:=]\s*['"].*(?:admin|write|delete|manage)/gi, name: 'OAuth requesting elevated scopes', severity: 'LOW' },
+        { pattern: /token_endpoint_auth_method\s*[:=]\s*['"]none['"]/gi, name: 'OAuth no client authentication', severity: 'HIGH' },
+        { pattern: /id_token.*(?:decode|parse).*(?:!verify|verify\s*[:=]\s*false)/gi, name: 'OIDC id_token not verified', severity: 'CRITICAL' },
+        { pattern: /(?:access_token|refresh_token)\s*[:=].*(?:localStorage|sessionStorage)/gi, name: 'OAuth tokens stored in browser storage (XSS theft)', severity: 'HIGH' },
+        { pattern: /PKCE|code_challenge|code_verifier/gi, name: 'PKCE usage detected (good practice)', severity: 'INFO' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#')) continue;
+
+          addFinding(
+            severity,
+            'OAuth/OIDC (PortSwigger)',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use Authorization Code flow with PKCE. Validate state parameter to prevent CSRF. Whitelist redirect_uris server-side. Never expose client_secret in client-side code. Store tokens in httpOnly cookies, not localStorage.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/xxe.js

@@ -0,0 +1,74 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.java', '.cs', '.go', '.xml', '.svg'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor', 'target'];
+
+export async function auditXxe(projectPath, spinner) {
+  spinner.text = 'Scanning for XXE vulnerabilities (PortSwigger)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const xxePatterns = [
+        { pattern: /DOMParser\s*\(\s*\)/gi, name: 'DOMParser without disabling entities', severity: 'HIGH' },
+        { pattern: /parseString\s*\(\s*(?:req|params|query|body|user|data|input)/gi, name: 'XML parsing user input (xml2js)', severity: 'CRITICAL' },
+        { pattern: /xml2js|fast-xml-parser|libxmljs|sax\s*\./gi, name: 'XML parser library usage', severity: 'INFO' },
+        { pattern: /DocumentBuilderFactory/gi, name: 'Java XML DocumentBuilderFactory', severity: 'MEDIUM' },
+        { pattern: /SAXParserFactory/gi, name: 'Java SAXParserFactory', severity: 'MEDIUM' },
+        { pattern: /XMLReader/gi, name: 'XMLReader usage', severity: 'MEDIUM' },
+        { pattern: /etree\.parse\s*\(\s*(?:req|request|data|input|file)/gi, name: 'Python lxml parse user input', severity: 'CRITICAL' },
+        { pattern: /etree\.fromstring\s*\(\s*(?:req|request|data|input)/gi, name: 'Python lxml fromstring user input', severity: 'CRITICAL' },
+        { pattern: /simplexml_load_string\s*\(\s*\$_(?:GET|POST|REQUEST)/gi, name: 'PHP simplexml_load_string user input', severity: 'CRITICAL' },
+        { pattern: /DOMDocument.*loadXML\s*\(\s*\$_(?:GET|POST|REQUEST)/gi, name: 'PHP DOMDocument loadXML user input', severity: 'CRITICAL' },
+        { pattern: /LIBXML_NOENT/gi, name: 'PHP LIBXML_NOENT (entity substitution enabled)', severity: 'HIGH' },
+        { pattern: /resolve_entities\s*[:=]\s*true/gi, name: 'Entity resolution enabled', severity: 'HIGH' },
+        { pattern: /external_entities\s*[:=]\s*true/gi, name: 'External entities enabled', severity: 'CRITICAL' },
+        { pattern: /setFeature\s*\(\s*['"]http:\/\/xml\.org\/sax\/features\/external-general-entities['"]\s*,\s*true/gi, name: 'Java external entities enabled', severity: 'CRITICAL' },
+        { pattern: /DOCTYPE|ENTITY|SYSTEM/g, name: 'DOCTYPE/ENTITY declaration in file', severity: 'LOW' },
+      ];
+
+      for (const { pattern, name, severity } of xxePatterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (isComment(line)) continue;
+
+          addFinding(
+            severity,
+            'XXE (PortSwigger)',
+            `${name}`,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Disable external entity processing: set disallow-doctype-decl=true, external-general-entities=false. Use JSON instead of XML where possible. For Java: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function isComment(line) {
+  return line.startsWith('//') || line.startsWith('#') || line.startsWith('*') || line.startsWith('<!--');
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/remote/crawler.js

@@ -0,0 +1,234 @@
+import { addFinding } from '../core/findings.js';
+import { fetchText } from '../utils/fetch.js';
+
+export async function runCrawler(origin, spinner) {
+  spinner.text = '[Katana] Crawling target for endpoints...';
+
+  const discovered = {
+    urls: new Set(),
+    jsFiles: new Set(),
+    forms: [],
+    params: new Set(),
+    apiEndpoints: new Set(),
+    emails: new Set(),
+    subdomains: new Set(),
+    secrets: [],
+  };
+
+  try {
+    const resp = await fetchText(origin);
+    const body = resp.body;
+
+    extractUrls(body, origin, discovered);
+    extractJsFiles(body, origin, discovered);
+    extractForms(body, discovered);
+    extractParams(body, discovered);
+    extractEmails(body, discovered);
+
+    for (const jsUrl of [...discovered.jsFiles].slice(0, 20)) {
+      try {
+        spinner.text = `[Katana] Parsing JS: ${jsUrl.substring(0, 60)}...`;
+        const jsResp = await fetchText(jsUrl, {}, 8000);
+        extractEndpointsFromJs(jsResp.body, origin, discovered);
+        extractSecretsFromJs(jsResp.body, jsUrl, discovered);
+      } catch {}
+    }
+  } catch {}
+
+  if (discovered.apiEndpoints.size > 0) {
+    addFinding(
+      'INFO',
+      'Crawler (Katana)',
+      `Discovered ${discovered.apiEndpoints.size} API endpoints from JS`,
+      `Endpoints: ${[...discovered.apiEndpoints].slice(0, 10).join(', ')}${discovered.apiEndpoints.size > 10 ? '...' : ''}`,
+      'Review discovered endpoints for authentication and authorization requirements'
+    );
+  }
+
+  if (discovered.forms.length > 0) {
+    addFinding(
+      'INFO',
+      'Crawler (Katana)',
+      `Discovered ${discovered.forms.length} forms`,
+      `Actions: ${discovered.forms.map(f => f.action).slice(0, 5).join(', ')}`,
+      'Test discovered forms for injection vulnerabilities'
+    );
+
+    for (const form of discovered.forms) {
+      if (form.method === 'GET' && form.hasSensitiveFields) {
+        addFinding(
+          'MEDIUM',
+          'Crawler (Katana)',
+          'Sensitive form uses GET method',
+          `Form action: ${form.action} - sends sensitive data in URL`,
+          'Use POST method for forms that submit sensitive data (passwords, tokens, etc.)'
+        );
+      }
+      if (!form.hasCsrf && form.method === 'POST') {
+        addFinding(
+          'MEDIUM',
+          'Crawler (Katana)',
+          'POST form without CSRF token',
+          `Form action: ${form.action}`,
+          'Add CSRF token to all state-changing forms'
+        );
+      }
+    }
+  }
+
+  if (discovered.params.size > 0) {
+    addFinding(
+      'INFO',
+      'Crawler (Katana)',
+      `Discovered ${discovered.params.size} unique parameters`,
+      `Parameters: ${[...discovered.params].slice(0, 20).join(', ')}`,
+      'Fuzz discovered parameters for injection vulnerabilities'
+    );
+  }
+
+  if (discovered.secrets.length > 0) {
+    for (const secret of discovered.secrets.slice(0, 5)) {
+      addFinding(
+        'HIGH',
+        'Crawler (Katana)',
+        `Secret found in JS bundle: ${secret.type}`,
+        `File: ${secret.file}\nValue: ${secret.value.substring(0, 20)}...`,
+        'Remove secrets from client-side JavaScript. Use server-side proxying for API calls.'
+      );
+    }
+  }
+
+  if (discovered.emails.size > 0) {
+    addFinding(
+      'LOW',
+      'Crawler (Katana)',
+      `${discovered.emails.size} email addresses discovered`,
+      `Emails: ${[...discovered.emails].slice(0, 5).join(', ')}`,
+      'Email addresses can be used for phishing and social engineering'
+    );
+  }
+
+  return discovered;
+}
+
+function extractUrls(html, origin, discovered) {
+  const urlPatterns = [
+    /href\s*=\s*['"]([^'"#]+)['"]/gi,
+    /src\s*=\s*['"]([^'"]+)['"]/gi,
+    /action\s*=\s*['"]([^'"]+)['"]/gi,
+    /url\s*\(\s*['"]?([^'")]+)['"]?\s*\)/gi,
+    /window\.location\s*=\s*['"]([^'"]+)['"]/gi,
+  ];
+
+  for (const pattern of urlPatterns) {
+    let match;
+    while ((match = pattern.exec(html)) !== null) {
+      let url = match[1];
+      if (url.startsWith('/')) url = origin + url;
+      else if (!url.startsWith('http')) continue;
+      if (url.startsWith(origin)) discovered.urls.add(url);
+    }
+  }
+}
+
+function extractJsFiles(html, origin, discovered) {
+  const jsPattern = /src\s*=\s*['"]([^'"]*\.(?:js|mjs|chunk\.js|bundle\.js)[^'"]*)['"]/gi;
+  let match;
+  while ((match = jsPattern.exec(html)) !== null) {
+    let url = match[1];
+    if (url.startsWith('/')) url = origin + url;
+    else if (url.startsWith('./')) url = origin + url.substring(1);
+    else if (!url.startsWith('http')) url = origin + '/' + url;
+    discovered.jsFiles.add(url);
+  }
+}
+
+function extractForms(html, discovered) {
+  const formPattern = /<form[^>]*>([\s\S]*?)<\/form>/gi;
+  let match;
+  while ((match = formPattern.exec(html)) !== null) {
+    const formHtml = match[0];
+    const action = formHtml.match(/action\s*=\s*['"]([^'"]*)['"]/i)?.[1] || '';
+    const method = (formHtml.match(/method\s*=\s*['"]([^'"]*)['"]/i)?.[1] || 'GET').toUpperCase();
+    const hasCsrf = /csrf|_token|authenticity_token|__RequestVerificationToken/i.test(formHtml);
+    const hasSensitiveFields = /type\s*=\s*['"]password['"]|name\s*=\s*['"](?:password|secret|token|card|ssn|credit)/i.test(formHtml);
+
+    const inputPattern = /name\s*=\s*['"]([^'"]+)['"]/gi;
+    let inputMatch;
+    while ((inputMatch = inputPattern.exec(formHtml)) !== null) {
+      discovered.params.add(inputMatch[1]);
+    }
+
+    discovered.forms.push({ action, method, hasCsrf, hasSensitiveFields });
+  }
+}
+
+function extractParams(html, discovered) {
+  const paramPatterns = [
+    /[?&]([a-zA-Z_][a-zA-Z0-9_]*)=/g,
+    /name\s*=\s*['"]([a-zA-Z_][a-zA-Z0-9_]*)['"]/g,
+  ];
+
+  for (const pattern of paramPatterns) {
+    let match;
+    while ((match = pattern.exec(html)) !== null) {
+      discovered.params.add(match[1]);
+    }
+  }
+}
+
+function extractEmails(html, discovered) {
+  const emailPattern = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g;
+  let match;
+  while ((match = emailPattern.exec(html)) !== null) {
+    if (!match[0].includes('example.com') && !match[0].includes('test.com')) {
+      discovered.emails.add(match[0]);
+    }
+  }
+}
+
+function extractEndpointsFromJs(jsContent, origin, discovered) {
+  const endpointPatterns = [
+    /['"`](\/api\/[^'"`\s{]+)['"`]/g,
+    /['"`](\/v[0-9]+\/[^'"`\s{]+)['"`]/g,
+    /['"`](\/(?:users?|admin|auth|login|register|graphql|webhook|upload|download|export|import|config|settings|profile|account|payment|order|cart|search|notify|message)[^'"`\s{]*)['"`]/g,
+    /(?:fetch|axios|http|request|ajax)\s*\(\s*['"`]([^'"`]+)['"`]/g,
+    /(?:url|endpoint|path|route|href)\s*[:=]\s*['"`](\/[^'"`]+)['"`]/g,
+  ];
+
+  for (const pattern of endpointPatterns) {
+    let match;
+    while ((match = pattern.exec(jsContent)) !== null) {
+      const endpoint = match[1];
+      if (endpoint.length > 2 && endpoint.length < 200 && !endpoint.includes('${')) {
+        discovered.apiEndpoints.add(endpoint);
+      }
+    }
+  }
+
+  const paramPattern = /['"`]\?([a-zA-Z_]+)=|['"`]&([a-zA-Z_]+)=/g;
+  let paramMatch;
+  while ((paramMatch = paramPattern.exec(jsContent)) !== null) {
+    discovered.params.add(paramMatch[1] || paramMatch[2]);
+  }
+}
+
+function extractSecretsFromJs(jsContent, fileUrl, discovered) {
+  const secretPatterns = [
+    { pattern: /AKIA[0-9A-Z]{16}/g, type: 'AWS Access Key' },
+    { pattern: /sk_live_[0-9a-zA-Z]{24,}/g, type: 'Stripe Secret Key' },
+    { pattern: /ghp_[A-Za-z0-9_]{36,}/g, type: 'GitHub Token' },
+    { pattern: /sk-[a-zA-Z0-9]{48}/g, type: 'OpenAI Key' },
+    { pattern: /xox[baprs]-[0-9a-zA-Z-]{10,}/g, type: 'Slack Token' },
+    { pattern: /AIza[0-9A-Za-z\-_]{35}/g, type: 'Google API Key' },
+    { pattern: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g, type: 'Private Key' },
+  ];
+
+  for (const { pattern, type } of secretPatterns) {
+    let match;
+    while ((match = pattern.exec(jsContent)) !== null) {
+      discovered.secrets.push({ type, value: match[0], file: fileUrl });
+      break;
+    }
+  }
+}

package/src/remote/portswigger.js

@@ -0,0 +1,235 @@
+import { addFinding } from '../core/findings.js';
+import { fetchText } from '../utils/fetch.js';
+
+export async function scanXxeRemote(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing XXE injection...';
+  const xxePayloads = [
+    '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>',
+    '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]><foo>&xxe;</foo>',
+    '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://burpcollaborator.net/xxe">%xxe;]><foo>test</foo>',
+  ];
+
+  const xmlEndpoints = ['/api/upload', '/api/import', '/xmlrpc.php', '/soap', '/wsdl', '/api/parse'];
+
+  for (const endpoint of xmlEndpoints) {
+    for (const payload of xxePayloads.slice(0, 1)) {
+      try {
+        const resp = await fetchText(`${origin}${endpoint}`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/xml' },
+          body: payload,
+        }, 5000);
+
+        if (/root:x:0|ami-id|instance-id/i.test(resp.body)) {
+          addFinding('CRITICAL', 'XXE (PortSwigger)', `XXE at ${endpoint} - file disclosure`, `Payload: ${payload.substring(0, 50)}... returned sensitive data`, 'Disable external entity processing in XML parser');
+          break;
+        }
+        if (resp.status === 200 && !resp.body.includes('error') && resp.body.includes('xml')) {
+          addFinding('LOW', 'XXE (PortSwigger)', `XML endpoint accepts input: ${endpoint}`, `Status: ${resp.status}`, 'Ensure XML parsing has external entities disabled');
+        }
+      } catch {}
+    }
+  }
+}
+
+export async function scanOauthRemote(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing OAuth misconfigurations...';
+
+  const oauthPaths = ['/oauth/authorize', '/auth/callback', '/login/oauth', '/oauth2/authorize', '/.well-known/openid-configuration', '/oauth/token'];
+
+  for (const path of oauthPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, {}, 5000);
+      if (resp.status === 200 || resp.status === 302 || resp.status === 400) {
+        if (path.includes('well-known') && resp.status === 200) {
+          addFinding('INFO', 'OAuth (PortSwigger)', `OpenID Configuration exposed: ${path}`, `${origin}${path} returns OIDC metadata`, 'Review exposed OAuth configuration for sensitive details');
+
+          try {
+            const config = JSON.parse(resp.body);
+            if (config.grant_types_supported?.includes('implicit')) {
+              addFinding('MEDIUM', 'OAuth (PortSwigger)', 'OAuth implicit flow supported', 'Implicit grant type enabled in OIDC configuration', 'Disable implicit flow. Use authorization code with PKCE instead.');
+            }
+          } catch {}
+        }
+
+        const redirectTest = `${origin}${path}?redirect_uri=https://evil.com/callback&response_type=code&client_id=test`;
+        try {
+          const redirResp = await fetchText(redirectTest, { redirect: 'manual' }, 5000);
+          const location = redirResp.headers['location'] || '';
+          if (location.includes('evil.com')) {
+            addFinding('CRITICAL', 'OAuth (PortSwigger)', 'OAuth redirect_uri not validated', `Redirects to attacker domain: ${location.substring(0, 80)}`, 'Strictly validate redirect_uri against a whitelist of registered URIs');
+          }
+        } catch {}
+      }
+    } catch {}
+  }
+}
+
+export async function scanAccessControlRemote(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing access control...';
+
+  const adminPaths = ['/admin', '/admin/', '/administrator', '/manage', '/dashboard', '/panel',
+    '/api/admin', '/api/users', '/api/admin/users', '/internal', '/_admin', '/system'];
+  const bypassHeaders = [
+    { 'X-Original-URL': '/admin' },
+    { 'X-Rewrite-URL': '/admin' },
+    { 'X-Custom-IP-Authorization': '127.0.0.1' },
+    { 'X-Forwarded-For': '127.0.0.1' },
+    { 'X-Real-IP': '127.0.0.1' },
+    { 'X-Forwarded-Host': 'localhost' },
+  ];
+
+  for (const path of adminPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, {}, 5000);
+      if (resp.status === 200) {
+        addFinding('HIGH', 'Access Control (PortSwigger)', `Admin panel accessible without auth: ${path}`, `${origin}${path} returns 200 OK`, 'Protect admin endpoints with authentication and role-based access control');
+      } else if (resp.status === 403) {
+        for (const headers of bypassHeaders) {
+          try {
+            const bypassResp = await fetchText(`${origin}${path}`, { headers }, 5000);
+            if (bypassResp.status === 200) {
+              addFinding('CRITICAL', 'Access Control (PortSwigger)', `403 bypass via ${Object.keys(headers)[0]}`, `${path} accessible with header: ${JSON.stringify(headers)}`, 'Do not rely on headers for access control. Implement server-side session-based authorization.');
+              break;
+            }
+          } catch {}
+        }
+      }
+    } catch {}
+  }
+
+  try {
+    const resp = await fetchText(`${origin}/robots.txt`, {}, 5000);
+    if (resp.status === 200) {
+      const disallowed = resp.body.match(/Disallow:\s*(.+)/gi) || [];
+      for (const line of disallowed) {
+        const path = line.replace(/Disallow:\s*/i, '').trim();
+        if (/admin|internal|private|secret|backup|config/i.test(path)) {
+          addFinding('LOW', 'Access Control (PortSwigger)', `Sensitive path in robots.txt: ${path}`, 'robots.txt reveals restricted paths', 'Robots.txt is not access control. Protect paths with authentication.');
+        }
+      }
+    }
+  } catch {}
+}
+
+export async function scanWebCacheDeception(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing Web Cache Deception...';
+
+  const staticExtensions = ['.css', '.js', '.png', '.jpg', '.gif', '.ico', '.svg', '.woff'];
+  const testPaths = ['/account', '/profile', '/settings', '/dashboard', '/my-account'];
+
+  for (const path of testPaths) {
+    for (const ext of staticExtensions.slice(0, 3)) {
+      try {
+        const resp = await fetchText(`${origin}${path}${ext}`, {}, 5000);
+        const cacheHeaders = resp.headers['x-cache'] || resp.headers['cf-cache-status'] || resp.headers['age'] || '';
+
+        if (resp.status === 200 && cacheHeaders) {
+          addFinding('HIGH', 'Cache Deception (PortSwigger)', `Potential Web Cache Deception: ${path}${ext}`, `Cached response for path with static extension. Cache header: ${cacheHeaders}`, 'Configure cache to respect Content-Type, not URL extension. Use Cache-Control: no-store for authenticated pages.');
+          break;
+        }
+      } catch {}
+    }
+  }
+
+  try {
+    const pathConfusion = await fetchText(`${origin}/static/..%2f..%2fadmin`, {}, 5000);
+    if (pathConfusion.status === 200 && pathConfusion.body.length > 500) {
+      addFinding('HIGH', 'Cache Deception (PortSwigger)', 'Path normalization inconsistency detected', 'Double-encoded path traversal may bypass caching rules', 'Normalize paths consistently between cache and origin');
+    }
+  } catch {}
+}
+
+export async function scanParameterPollution(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing Server-Side Parameter Pollution...';
+
+  const params = ['id', 'user', 'email', 'role', 'action', 'page'];
+
+  for (const param of params) {
+    try {
+      const normalResp = await fetchText(`${origin}/?${param}=test`, {}, 5000);
+      const pollutedResp = await fetchText(`${origin}/?${param}=test&${param}=admin`, {}, 5000);
+
+      if (normalResp.body !== pollutedResp.body && pollutedResp.status === 200) {
+        addFinding('MEDIUM', 'Parameter Pollution (PortSwigger)', `HTTP Parameter Pollution on ?${param}=`, 'Duplicate parameter produces different response', 'Handle duplicate parameters consistently. Use the first occurrence only.');
+      }
+    } catch {}
+  }
+
+  try {
+    const truncation = await fetchText(`${origin}/api/search?q=test%00admin&category=1`, {}, 5000);
+    if (truncation.status === 200 && truncation.body.includes('admin')) {
+      addFinding('HIGH', 'Parameter Pollution (PortSwigger)', 'Null byte parameter truncation', 'Server-side parameter truncation detected', 'Reject null bytes in input. Validate parameter boundaries.');
+    }
+  } catch {}
+}
+
+export async function scanFileUpload(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing file upload endpoints...';
+
+  const uploadPaths = ['/upload', '/api/upload', '/api/files', '/api/images', '/api/avatar', '/media/upload', '/attachments'];
+
+  for (const path of uploadPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, { method: 'OPTIONS' }, 5000);
+      if (resp.status !== 404 && resp.status !== 405) {
+        addFinding('INFO', 'File Upload (PortSwigger)', `Upload endpoint found: ${path}`, `${origin}${path} responds to OPTIONS (status: ${resp.status})`, 'Test for unrestricted file upload: PHP/JSP shells, SVG XSS, polyglot files, double extensions (.php.jpg), null bytes (.php%00.jpg)');
+      }
+    } catch {}
+  }
+}
+
+export async function scanDomBased(origin, spinner) {
+  spinner.text = '[PortSwigger] Checking DOM-based vulnerability indicators...';
+
+  try {
+    const resp = await fetchText(origin);
+    const body = resp.body;
+
+    const domSinks = [
+      { pattern: /document\.write\s*\(/g, name: 'document.write()' },
+      { pattern: /\.innerHTML\s*=/g, name: 'innerHTML assignment' },
+      { pattern: /\.outerHTML\s*=/g, name: 'outerHTML assignment' },
+      { pattern: /eval\s*\(/g, name: 'eval()' },
+      { pattern: /setTimeout\s*\(\s*['"`]/g, name: 'setTimeout with string' },
+      { pattern: /setInterval\s*\(\s*['"`]/g, name: 'setInterval with string' },
+      { pattern: /location\s*=|location\.href\s*=/g, name: 'location assignment' },
+      { pattern: /\.src\s*=\s*(?:location|document\.URL|window\.name)/g, name: 'src from DOM source' },
+      { pattern: /jQuery\s*\(\s*(?:location|document\.URL)/g, name: 'jQuery selector from URL' },
+      { pattern: /\$\s*\(\s*(?:location|document\.URL|window\.location)/g, name: '$ selector from location' },
+      { pattern: /postMessage\s*\(/g, name: 'postMessage (check origin validation)' },
+      { pattern: /addEventListener\s*\(\s*['"]message['"]/g, name: 'message event listener (DOM XSS via postMessage)' },
+    ];
+
+    const domSources = [
+      /location\.(?:hash|search|href|pathname)/g,
+      /document\.(?:URL|documentURI|referrer|cookie)/g,
+      /window\.(?:name|location)/g,
+      /document\.getElementById\s*\([^)]*\)\.(?:value|innerHTML|textContent)/g,
+    ];
+
+    let sourceCount = 0;
+    for (const pattern of domSources) {
+      const matches = body.match(pattern);
+      if (matches) sourceCount += matches.length;
+    }
+
+    for (const { pattern, name } of domSinks) {
+      const matches = body.match(pattern);
+      if (matches && matches.length > 0) {
+        addFinding(
+          'MEDIUM',
+          'DOM-Based (PortSwigger)',
+          `DOM sink detected: ${name} (${matches.length} occurrences)`,
+          `Found in page source. ${sourceCount} DOM sources also detected.`,
+          'Audit DOM sinks for user-controllable input flow. Use DOMPurify for HTML assignment. Avoid eval/setTimeout with strings.'
+        );
+      }
+    }
+  } catch {}
+}
+
+export async function scanHttp2(origin, spinner) {
+  spinner.text = '[PortSwigger] Checking HTTP/2 indicators...';
+  addFinding('INFO', 'HTTP/2 (PortSwigger)', 'HTTP/2 attack surface note', 'Test for H2.CL smuggling, H2.TE smuggling, HPACK header injection, and HTTP/2 exclusive vectors', 'Use Burp Suite HTTP/2 features to test for request smuggling via HTTP/2 downgrade');
+}

package/src/remote/probe.js

@@ -0,0 +1,217 @@
+import { addFinding } from '../core/findings.js';
+import { fetchText, fetchWithTimeout } from '../utils/fetch.js';
+import crypto from 'crypto';
+
+export async function runProbe(origin, spinner) {
+  spinner.text = '[httpx] Probing target...';
+
+  const results = {
+    statusCode: null,
+    title: '',
+    technologies: [],
+    server: '',
+    contentLength: 0,
+    responseTime: 0,
+    tls: {},
+    cdn: null,
+    waf: null,
+    faviconHash: null,
+    headers: {},
+  };
+
+  try {
+    const start = Date.now();
+    const resp = await fetchText(origin);
+    results.responseTime = Date.now() - start;
+    results.statusCode = resp.status;
+    results.headers = resp.headers;
+    results.contentLength = resp.body.length;
+
+    results.title = extractTitle(resp.body);
+    results.server = resp.headers['server'] || '';
+    results.technologies = detectTechnologies(resp.headers, resp.body);
+    results.cdn = detectCdn(resp.headers);
+    results.waf = detectWaf(resp.headers, resp.body);
+
+    spinner.text = '[httpx] Checking favicon hash...';
+    results.faviconHash = await getFaviconHash(origin);
+
+    spinner.text = '[httpx] Analyzing TLS certificate...';
+    results.tls = await getTlsInfo(origin);
+
+    spinner.text = '[httpx] Virtual host discovery...';
+    await vhostDiscovery(origin, resp.body.length, spinner);
+
+  } catch {}
+
+  addFinding(
+    'INFO',
+    'Probe (httpx)',
+    `Target fingerprint: ${results.title || 'N/A'}`,
+    `Status: ${results.statusCode} | Server: ${results.server || 'hidden'} | Size: ${results.contentLength}B | Time: ${results.responseTime}ms\nTechnologies: ${results.technologies.join(', ') || 'none detected'}\nCDN: ${results.cdn || 'none'} | WAF: ${results.waf || 'none'} | Favicon hash: ${results.faviconHash || 'N/A'}`,
+    'Technology fingerprinting helps identify version-specific vulnerabilities'
+  );
+
+  if (results.waf) {
+    addFinding(
+      'INFO',
+      'Probe (httpx)',
+      `WAF detected: ${results.waf}`,
+      `Web Application Firewall identified via response headers/behavior`,
+      'WAF may need bypass techniques for testing. Try encoding, case variation, and chunked payloads.'
+    );
+  }
+
+  if (results.cdn) {
+    addFinding(
+      'INFO',
+      'Probe (httpx)',
+      `CDN detected: ${results.cdn}`,
+      'Content Delivery Network fronts the origin server',
+      'Consider testing the origin server directly if IP can be found (via DNS history, email headers, or certificate transparency)'
+    );
+  }
+
+  if (results.responseTime > 5000) {
+    addFinding(
+      'LOW',
+      'Probe (httpx)',
+      'Slow response time detected',
+      `Response took ${results.responseTime}ms`,
+      'Slow responses may indicate resource exhaustion vulnerability potential'
+    );
+  }
+
+  return results;
+}
+
+function extractTitle(html) {
+  const match = html.match(/<title[^>]*>([^<]+)<\/title>/i);
+  return match ? match[1].trim().substring(0, 100) : '';
+}
+
+function detectTechnologies(headers, body) {
+  const techs = [];
+  const checks = [
+    { test: () => headers['x-powered-by']?.includes('Express'), name: 'Express.js' },
+    { test: () => headers['x-powered-by']?.includes('PHP'), name: 'PHP' },
+    { test: () => headers['x-powered-by']?.includes('ASP.NET'), name: 'ASP.NET' },
+    { test: () => headers['x-aspnet-version'], name: `ASP.NET ${headers['x-aspnet-version'] || ''}` },
+    { test: () => headers['x-drupal-cache'], name: 'Drupal' },
+    { test: () => headers['x-generator']?.includes('WordPress'), name: 'WordPress' },
+    { test: () => headers['x-shopify-stage'], name: 'Shopify' },
+    { test: () => body.includes('__next'), name: 'Next.js' },
+    { test: () => body.includes('__nuxt') || body.includes('nuxt'), name: 'Nuxt.js' },
+    { test: () => body.includes('ng-version') || body.includes('ng-app'), name: 'Angular' },
+    { test: () => body.includes('data-reactroot') || body.includes('__NEXT_DATA__'), name: 'React' },
+    { test: () => body.includes('data-v-') || body.includes('Vue.js'), name: 'Vue.js' },
+    { test: () => body.includes('svelte'), name: 'Svelte' },
+    { test: () => body.includes('data-astro'), name: 'Astro' },
+    { test: () => body.includes('wp-content') || body.includes('wp-includes'), name: 'WordPress' },
+    { test: () => body.includes('Joomla'), name: 'Joomla' },
+    { test: () => body.includes('laravel'), name: 'Laravel' },
+    { test: () => body.includes('django') || headers['x-frame-options'] === 'SAMEORIGIN' && body.includes('csrfmiddlewaretoken'), name: 'Django' },
+    { test: () => body.includes('rails') || headers['x-request-id'] && headers['x-runtime'], name: 'Ruby on Rails' },
+    { test: () => body.includes('spring') || headers['x-application-context'], name: 'Spring Boot' },
+    { test: () => headers['server']?.toLowerCase().includes('nginx'), name: 'Nginx' },
+    { test: () => headers['server']?.toLowerCase().includes('apache'), name: 'Apache' },
+    { test: () => headers['server']?.toLowerCase().includes('iis'), name: 'IIS' },
+    { test: () => headers['server']?.toLowerCase().includes('gunicorn'), name: 'Gunicorn' },
+    { test: () => headers['server']?.toLowerCase().includes('uvicorn'), name: 'Uvicorn (ASGI)' },
+    { test: () => body.includes('firebase') || body.includes('firebaseapp'), name: 'Firebase' },
+    { test: () => body.includes('supabase'), name: 'Supabase' },
+    { test: () => body.includes('tailwind') || body.includes('tw-'), name: 'Tailwind CSS' },
+    { test: () => body.includes('bootstrap'), name: 'Bootstrap' },
+    { test: () => body.includes('jquery') || body.includes('jQuery'), name: 'jQuery' },
+    { test: () => body.includes('gtag') || body.includes('google-analytics'), name: 'Google Analytics' },
+    { test: () => body.includes('hotjar'), name: 'Hotjar' },
+    { test: () => body.includes('sentry'), name: 'Sentry' },
+    { test: () => body.includes('stripe'), name: 'Stripe' },
+    { test: () => body.includes('recaptcha'), name: 'reCAPTCHA' },
+    { test: () => body.includes('cloudflare'), name: 'Cloudflare' },
+    { test: () => body.includes('vercel'), name: 'Vercel' },
+    { test: () => body.includes('netlify'), name: 'Netlify' },
+    { test: () => body.includes('graphql'), name: 'GraphQL' },
+    { test: () => body.includes('socket.io'), name: 'Socket.IO' },
+    { test: () => body.includes('webpack'), name: 'Webpack' },
+    { test: () => body.includes('vite'), name: 'Vite' },
+  ];
+
+  for (const { test, name } of checks) {
+    try { if (test()) techs.push(name); } catch {}
+  }
+
+  return [...new Set(techs)];
+}
+
+function detectCdn(headers) {
+  if (headers['cf-ray'] || headers['cf-cache-status']) return 'Cloudflare';
+  if (headers['x-amz-cf-id'] || headers['x-amz-cf-pop']) return 'AWS CloudFront';
+  if (headers['x-fastly-request-id']) return 'Fastly';
+  if (headers['x-akamai-transformed']) return 'Akamai';
+  if (headers['x-cdn'] === 'Imperva') return 'Imperva';
+  if (headers['x-sucuri-id']) return 'Sucuri';
+  if (headers['x-azure-ref']) return 'Azure CDN';
+  if (headers['x-vercel-cache']) return 'Vercel Edge';
+  if (headers['x-nf-request-id']) return 'Netlify';
+  if (headers['server']?.includes('KeyCDN')) return 'KeyCDN';
+  if (headers['server']?.includes('bunny')) return 'BunnyCDN';
+  return null;
+}
+
+function detectWaf(headers, body) {
+  if (headers['cf-ray'] && headers['cf-mitigated']) return 'Cloudflare WAF';
+  if (headers['x-sucuri-id']) return 'Sucuri WAF';
+  if (headers['x-powered-by-anquanbao']) return 'Anquanbao WAF';
+  if (headers['x-wa-info']) return 'AWS WAF';
+  if (headers['server']?.includes('Wordfence')) return 'Wordfence';
+  if (headers['server']?.includes('BigIP') || headers['x-cnection']) return 'F5 BIG-IP';
+  if (headers['x-denied-reason'] || headers['x-dotdefender-denied']) return 'dotDefender';
+  if (body.includes('mod_security') || body.includes('ModSecurity')) return 'ModSecurity';
+  if (body.includes('access denied') && body.includes('incapsula')) return 'Imperva Incapsula';
+  if (headers['server']?.includes('AkamaiGHost')) return 'Akamai Ghost';
+  if (headers['x-protected-by']?.includes('Sqreen')) return 'Sqreen';
+  return null;
+}
+
+async function getFaviconHash(origin) {
+  try {
+    const resp = await fetchWithTimeout(`${origin}/favicon.ico`, {}, 5000);
+    if (resp.status === 200) {
+      const buffer = await resp.arrayBuffer();
+      const b64 = Buffer.from(buffer).toString('base64');
+      const hash = crypto.createHash('md5').update(b64).digest('hex');
+      return hash;
+    }
+  } catch {}
+  return null;
+}
+
+async function getTlsInfo(origin) {
+  if (!origin.startsWith('https://')) return { secure: false };
+  return { secure: true, protocol: 'TLS' };
+}
+
+async function vhostDiscovery(origin, baseSize, spinner) {
+  const vhosts = ['dev', 'staging', 'internal', 'admin', 'api', 'test', 'beta', 'old', 'backup'];
+  const hostname = new URL(origin).hostname;
+
+  for (const vhost of vhosts) {
+    try {
+      const testHost = `${vhost}.${hostname}`;
+      const resp = await fetchText(origin, {
+        headers: { Host: testHost },
+      }, 3000);
+
+      if (resp.status === 200 && Math.abs(resp.body.length - baseSize) > 100) {
+        addFinding(
+          'MEDIUM',
+          'Probe (httpx)',
+          `Virtual host responds differently: ${testHost}`,
+          `Host header ${testHost} returns different content (size diff: ${Math.abs(resp.body.length - baseSize)}B)`,
+          'Virtual host may expose internal applications. Investigate further.'
+        );
+      }
+    } catch {}
+  }
+}