redgun-security 1.0.0 → 1.2.0

package/src/local/csrf.js

@@ -0,0 +1,75 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditCsrf(projectPath, spinner) {
+  spinner.text = 'Analyzing CSRF token implementation...';
+  const files = getFiles(projectPath);
+  let hasCsrfLib = false;
+  let hasSameSite = false;
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      if (/csurf|csrf|lusca|csrf-token|csrf_token/i.test(content)) hasCsrfLib = true;
+      if (/sameSite\s*[:=]\s*['"](?:strict|lax)['"]/i.test(content)) hasSameSite = true;
+
+      const patterns = [
+        { pattern: /(?:csrf|_token).*\s*=\s*(?:Math\.random|Date\.now|uuid)/gi, name: 'CSRF token from predictable source', severity: 'HIGH' },
+        { pattern: /(?:csrf|token).*\s*=\s*['"][a-zA-Z0-9]{1,8}['"]/gi, name: 'Short CSRF token (< 8 chars, brute-forceable)', severity: 'HIGH' },
+        { pattern: /csrf\s*=\s*(?:null|undefined|false|skip|disabled?)/gi, name: 'CSRF protection disabled', severity: 'HIGH' },
+        { pattern: /(?:bypass|ignore|skip).*csrf/gi, name: 'CSRF bypass condition', severity: 'MEDIUM' },
+        { pattern: /csrf\s*\(\)\s*:\s*(?:false|disabled)/gi, name: 'CSRF middleware disabled', severity: 'HIGH' },
+        { pattern: /sameSite\s*[:=]\s*['"]none['"]/gi, name: 'SameSite=None with Secure flag?', severity: 'LOW' },
+        { pattern: /X-CSRF-Token|X-CSRFToken|X-XSRF-TOKEN/gi, name: 'CSRF token in custom header (SOP-safe)', severity: 'INFO' },
+        { pattern: /csrf\s*:\s*false/gi, name: 'CSRF explicitly disabled', severity: 'CRITICAL' },
+        { pattern: /csrf\s*\(\s*\)\s*\{[^}]*ignore:/gi, name: 'CSRF with ignore list', severity: 'MEDIUM' },
+        { pattern: /csrf.*ignoreMethods\s*:\s*\[['"]GET['"]\s*,\s*['"]HEAD['"]/gi, name: 'CSRF ignores GET/HEAD (standard)', severity: 'INFO' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            severity,
+            'CSRF Analysis',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 100)}`,
+            'Use cryptographically secure random CSRF tokens (64+ bits). Use SameSite=Lax or Strict cookies. Send CSRF tokens in custom headers (not cookies). Use Double Submit Cookie pattern: match cookie & header token values.'
+          );
+        }
+      }
+    } catch {}
+  }
+
+  if (!hasCsrfLib) {
+    addFinding('HIGH', 'CSRF Analysis', 'No CSRF library detected', 'No CSRF protection package (csurf, csrf, lusca) found in code', 'Install csurf/lusca and add CSRF middleware to all state-changing routes');
+  }
+
+  if (!hasSameSite) {
+    addFinding('LOW', 'CSRF Analysis', 'No SameSite cookie attribute configured', 'SameSite not set on session cookies', 'Set SameSite=Lax or SameSite=Strict on session cookies');
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/index.js

@@ -12,6 +12,18 @@ import { auditJwt } from './jwt.js';
 import { auditPathTraversal } from './path-traversal.js';
 import { auditCommandInjection } from './command-injection.js';
 import { auditCrypto } from './crypto.js';
+import { auditXxe } from './xxe.js';
+import { auditAccessControl } from './access-control.js';
+import { auditOauth } from './oauth.js';
+import { auditBusinessLogic } from './business-logic.js';
+import { auditSaml } from './saml.js';
+import { auditLdap } from './ldap.js';
+import { auditCsrf } from './csrf.js';
+import { auditAto } from './ato.js';
+import { auditCloud } from './cloud.js';
+import { auditCicd } from './cicd.js';
+import { auditMobile } from './mobile.js';
+import { auditWeb3 } from './web3.js';
 
 export const LOCAL_MODULES = [
   { name: 'Code Secrets', value: 'secrets', fn: auditSecrets },
@@ -20,14 +32,26 @@ export const LOCAL_MODULES = [
   { name: 'Code Vulnerabilities (SQLi, XSS)', value: 'codevuln', fn: auditCodeVulnerabilities },
   { name: 'Auth & Middleware', value: 'auth', fn: auditAuth },
   { name: 'Headers Config (CSP/HSTS)', value: 'headers', fn: auditHeadersConfig },
-  { name: 'SSRF Detection (HackTricks)', value: 'ssrf', fn: auditSsrf },
-  { name: 'SSTI Detection (HackTricks)', value: 'ssti', fn: auditSsti },
-  { name: 'Insecure Deserialization (HackTricks)', value: 'deser', fn: auditDeserialization },
-  { name: 'Prototype Pollution (HackTricks)', value: 'proto', fn: auditPrototypePollution },
-  { name: 'JWT Vulnerabilities (HackTricks)', value: 'jwt', fn: auditJwt },
-  { name: 'Path Traversal / LFI (HackTricks)', value: 'lfi', fn: auditPathTraversal },
-  { name: 'Command Injection (HackTricks)', value: 'cmdi', fn: auditCommandInjection },
-  { name: 'Weak Cryptography (HackTricks)', value: 'crypto', fn: auditCrypto },
+  { name: 'SSRF Detection', value: 'ssrf', fn: auditSsrf },
+  { name: 'SSTI Detection', value: 'ssti', fn: auditSsti },
+  { name: 'Insecure Deserialization', value: 'deser', fn: auditDeserialization },
+  { name: 'Prototype Pollution', value: 'proto', fn: auditPrototypePollution },
+  { name: 'JWT Vulnerabilities', value: 'jwt', fn: auditJwt },
+  { name: 'Path Traversal / LFI', value: 'lfi', fn: auditPathTraversal },
+  { name: 'Command Injection', value: 'cmdi', fn: auditCommandInjection },
+  { name: 'Weak Cryptography', value: 'crypto', fn: auditCrypto },
+  { name: 'XXE - XML External Entity (PortSwigger)', value: 'xxe', fn: auditXxe },
+  { name: 'Access Control / IDOR (PortSwigger)', value: 'idor', fn: auditAccessControl },
+  { name: 'OAuth / OIDC Flaws (PortSwigger)', value: 'oauth', fn: auditOauth },
+  { name: 'Business Logic Flaws (PortSwigger)', value: 'bizlogic', fn: auditBusinessLogic },
+  { name: 'SAML / SSO Attacks', value: 'saml', fn: auditSaml },
+  { name: 'LDAP Injection', value: 'ldap', fn: auditLdap },
+  { name: 'CSRF Token Analysis', value: 'csrf', fn: auditCsrf },
+  { name: 'Account Takeover (ATO)', value: 'ato', fn: auditAto },
+  { name: 'Cloud Misconfig (S3/IAM)', value: 'cloud', fn: auditCloud },
+  { name: 'CI/CD Pipeline', value: 'cicd', fn: auditCicd },
+  { name: 'Mobile Security', value: 'mobile', fn: auditMobile },
+  { name: 'Web3 / Smart Contracts', value: 'web3', fn: auditWeb3 },
 ];
 
 export async function runLocalAudit(projectPath, spinner, modules = null) {

package/src/local/ldap.js

@@ -0,0 +1,67 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.java', '.go', '.cs'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditLdap(projectPath, spinner) {
+  spinner.text = 'Scanning for LDAP injection...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /ldap\.(?:search|query|compare|modify)\s*\(\s*[^,]*,\s*(?:req|request|params|query|body|user|input|data)/gi, name: 'LDAP query with user input', severity: 'CRITICAL' },
+        { pattern: /LDAP.*(?:filter|query)\s*[:=]\s*(?:req|request|params|query|body|user)\s*\+/gi, name: 'LDAP filter concatenation with user input', severity: 'CRITICAL' },
+        { pattern: /ldap\.search\s*\(\s*[^,]*,\s*['"`][^'"`]*\$\{/gi, name: 'LDAP search with template literal user input', severity: 'CRITICAL' },
+        { pattern: /ldap\.search\s*\(\s*[^,]*,\s*['"`][^'"`]*\+/gi, name: 'LDAP search with concatenated input', severity: 'CRITICAL' },
+        { pattern: /(?:authenticate|ldap_auth|ldapauth|active.?directory)\s*\(\s*(?:req|request|params|query|body)/gi, name: 'LDAP auth with user-controlled filter', severity: 'CRITICAL' },
+        { pattern: /ldap\.escape\s*\(\s*\)|ldap\.escapeFilter/gi, name: 'LDAP escaping used (good practice)', severity: 'INFO' },
+        { pattern: /(?:ldap|AD|active.?directory).*(?:filter|query|search).*['"`]\s*\+/gi, name: 'LDAP filter concatenation detected', severity: 'HIGH' },
+        { pattern: /(?:uid|cn|mail|samaccountname)\s*=\s*(?:req|request|params|query|body)/gi, name: 'LDAP attribute from user input', severity: 'HIGH' },
+        { pattern: /ActiveDirectory\s*\(\s*\{/gi, name: 'Active Directory configuration', severity: 'INFO' },
+        { pattern: /ldapjs|passport-ldap|ldapts|node-ldap/gi, name: 'LDAP library usage', severity: 'INFO' },
+        { pattern: /(?:ldap|AD|active.?directory).*(?:URI|URL|host|server)\s*[:=]\s*['"][^'"]*['"]/gi, name: 'LDAP server config hardcoded', severity: 'LOW' },
+        { pattern: /(?:ssl|tls|starttls|ldaps).*(?:false|disabled?|no|none)/gi, name: 'LDAP without TLS/SSL', severity: 'HIGH' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'LDAP Injection',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Never concatenate user input into LDAP filters. Use parameterized LDAP queries or a safe LDAP query builder. Escape special characters (*, (, ), \\, /, &, |, !, =, <, >, ~, #) with ldap.escapeFilter(). Use LDAPS (LDAP over TLS) instead of plain LDAP.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/mobile.js

@@ -0,0 +1,71 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.xml', '.kt', '.swift', '.dart', '.json', '.plist'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor', 'android', 'ios'];
+
+export async function auditMobile(projectPath, spinner) {
+  spinner.text = 'Scanning for mobile security issues...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:firebase|supabase|API|SECRET|TOKEN|KEY).*\s*=\s*['"][A-Za-z0-9_\-\+=\/]{20,}['"]/gi, name: 'API key/secret exposed in mobile code', severity: 'CRITICAL' },
+        { pattern: /android:allowBackup\s*=\s*"true"/gi, name: 'Android allowBackup=true (data extraction)', severity: 'MEDIUM' },
+        { pattern: /android:debuggable\s*=\s*"true"/gi, name: 'Android debuggable=true in release', severity: 'HIGH' },
+        { pattern: /android:usesCleartextTraffic\s*=\s*"true"/gi, name: 'Android cleartext (HTTP) traffic allowed', severity: 'HIGH' },
+        { pattern: /NSAppTransportSecurity.*NSAllowsArbitraryLoads/gi, name: 'iOS ATS disabled (HTTP allowed)', severity: 'HIGH' },
+        { pattern: /android:networkSecurityConfig/gi, name: 'Android custom network security config', severity: 'MEDIUM' },
+        { pattern: /(?:NSAllowsLocalNetworking|NSTemporaryExceptionAllowsInsecureHTTPLoads)/gi, name: 'iOS ATS exceptions enabled', severity: 'MEDIUM' },
+        { pattern: /android:exported\s*=\s*"true"/gi, name: 'Android component exported (IPC risk)', severity: 'MEDIUM' },
+        { pattern: /android:protectionLevel\s*=\s*"normal"/gi, name: 'Android permission protectionLevel normal', severity: 'LOW' },
+        { pattern: /deeplink|intent-filter.*data.*android:scheme/gi, name: 'Deep link / intent filter configured', severity: 'MEDIUM' },
+        { pattern: /(?:React\.Native|flutter|ionic|cordova|capacitor)/gi, name: 'Cross-platform framework usage', severity: 'INFO' },
+        { pattern: /(?:AsyncStorage|SharedPreferences|NSUserDefaults|Keychain|Keystore)/gi, name: 'Local storage usage (check encryption)', severity: 'INFO' },
+        { pattern: /ssl.*pinning|certificate.*pinning|SSLPinningPlugin|TrustKit|certificatePinner/gi, name: 'Certificate pinning implemented', severity: 'INFO' },
+        { pattern: /firebase\.io\.com|google-services\.json|GoogleService-Info\.plist/gi, name: 'Firebase config file referenced', severity: 'MEDIUM' },
+        { pattern: /(?:root|jailbreak).*detect|isRooted|isJailbroken|rootbeer|safety.?net/gi, name: 'Root/jailbreak detection', severity: 'INFO' },
+        { pattern: /(?:WebView|WKWebView).*(?:setJavaScriptEnabled|javaScriptEnabled)/gi, name: 'WebView JS enabled (XSS surface)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*') || line.startsWith('<!--')) continue;
+
+          addFinding(
+            severity,
+            'Mobile Security',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Never hardcode API keys/secrets in mobile apps. Use server-side proxying. Enable certificate pinning. Set debuggable=false for release builds. Disable allowBackup unless encrypted. Use Network Security Config to restrict cleartext traffic. Enable minify/obfuscation for production.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/oauth.js

@@ -0,0 +1,68 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.rb', '.php', '.go', '.java', '.env'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditOauth(projectPath, spinner) {
+  spinner.text = 'Scanning for OAuth/OIDC vulnerabilities (PortSwigger)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /redirect_uri\s*[:=]\s*(?:req|params|query|body|request)/gi, name: 'OAuth redirect_uri from user input (open redirect → token theft)', severity: 'CRITICAL' },
+        { pattern: /state\s*[:=]\s*(?:null|undefined|''|"")|(?:!state|state\s*===?\s*(?:null|undefined))/gi, name: 'OAuth state parameter missing/null (CSRF)', severity: 'HIGH' },
+        { pattern: /response_type\s*[:=]\s*['"]token['"]/gi, name: 'OAuth implicit flow (token in URL fragment)', severity: 'MEDIUM' },
+        { pattern: /client_secret\s*[:=]\s*['"][^'"]{5,}['"]/gi, name: 'OAuth client_secret hardcoded', severity: 'HIGH' },
+        { pattern: /grant_type\s*[:=]\s*['"]password['"]/gi, name: 'OAuth Resource Owner Password grant (insecure)', severity: 'MEDIUM' },
+        { pattern: /(?:GOOGLE|GITHUB|FACEBOOK|TWITTER|OAUTH)_CLIENT_SECRET\s*=\s*['"]?[A-Za-z0-9_-]{10,}/gi, name: 'OAuth provider secret in source', severity: 'HIGH' },
+        { pattern: /(?:openid|oauth|oidc).*(?:nonce|at_hash)\s*.*(?:skip|ignore|false)/gi, name: 'OAuth nonce/at_hash validation disabled', severity: 'HIGH' },
+        { pattern: /(?:verify|validate).*(?:state|nonce)\s*.*(?:false|skip|disabled)/gi, name: 'OAuth state/nonce verification disabled', severity: 'CRITICAL' },
+        { pattern: /scope\s*[:=]\s*['"].*(?:admin|write|delete|manage)/gi, name: 'OAuth requesting elevated scopes', severity: 'LOW' },
+        { pattern: /token_endpoint_auth_method\s*[:=]\s*['"]none['"]/gi, name: 'OAuth no client authentication', severity: 'HIGH' },
+        { pattern: /id_token.*(?:decode|parse).*(?:!verify|verify\s*[:=]\s*false)/gi, name: 'OIDC id_token not verified', severity: 'CRITICAL' },
+        { pattern: /(?:access_token|refresh_token)\s*[:=].*(?:localStorage|sessionStorage)/gi, name: 'OAuth tokens stored in browser storage (XSS theft)', severity: 'HIGH' },
+        { pattern: /PKCE|code_challenge|code_verifier/gi, name: 'PKCE usage detected (good practice)', severity: 'INFO' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#')) continue;
+
+          addFinding(
+            severity,
+            'OAuth/OIDC (PortSwigger)',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use Authorization Code flow with PKCE. Validate state parameter to prevent CSRF. Whitelist redirect_uris server-side. Never expose client_secret in client-side code. Store tokens in httpOnly cookies, not localStorage.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/saml.js

@@ -0,0 +1,72 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.java', '.go', '.xml', '.env', '.conf', '.yml', '.yaml'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditSaml(projectPath, spinner) {
+  spinner.text = 'Scanning for SAML/SSO vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /signature\s*.*(?:skip|disabled?|false|none)/gi, name: 'SAML signature validation disabled/skipped', severity: 'CRITICAL' },
+        { pattern: /(?:validate|verify|check).*signature\s*.*(?:false|null|undefined|skip)/gi, name: 'Signature verification disabled', severity: 'CRITICAL' },
+        { pattern: /wantAssertionsSigned\s*[:=]\s*false/gi, name: 'Assertions signing not required', severity: 'HIGH' },
+        { pattern: /wantAuthnRequestsSigned\s*[:=]\s*false/gi, name: 'AuthnRequest signing not required', severity: 'HIGH' },
+        { pattern: /(?:IDP|idp|identityProvider).*(?:metadata|config|cert|certificate).*url\s*=.*(?:http:\/\/|request)/gi, name: 'IdP metadata from dynamic/untrusted URL', severity: 'HIGH' },
+        { pattern: /saml2\.validatePostResponse\s*\(/gi, name: 'SAML response validation (check for XSW)', severity: 'MEDIUM' },
+        { pattern: /saml2\.validateRedirect\s*\(/gi, name: 'SAML redirect binding', severity: 'INFO' },
+        { pattern: /(?:audience|AudienceRestriction)\s*.*(?:skip|disabled?|false)/gi, name: 'Audience restriction disabled', severity: 'HIGH' },
+        { pattern: /(?:entityID|issuer)\s*.*(?:check|validate)\s*.*(?:false|skip)/gi, name: 'Entity ID validation skipped', severity: 'MEDIUM' },
+        { pattern: /(?:notBefore|NotOnOrAfter|notOnOrAfter|clockSkew|skew)\s*[:=]\s*\d{4,}/gi, name: 'Large SAML clock skew (replay risk)', severity: 'LOW' },
+        { pattern: /NameID\s*.*(?:req|request|input|body|query|params|user)/gi, name: 'NameID from user input', severity: 'CRITICAL' },
+        { pattern: /(?:attributes?|AttributeStatement)\s*.*(?:req|request|input|body)/gi, name: 'SAML attributes from user input', severity: 'CRITICAL' },
+        { pattern: /InResponseTo\s*.*(?:skip|disabled?|false|null)/gi, name: 'InResponseTo validation skipped', severity: 'HIGH' },
+        { pattern: /(?:SP|serviceProvider|SAML).*(?:cert|certificate)\s*[:=]\s*['"]/gi, name: 'SAML certificate hardcoded in code', severity: 'LOW' },
+        { pattern: /XMLSignature\s*\(\s*\)/gi, name: 'XML signature object (check for XSW bypass)', severity: 'MEDIUM' },
+        { pattern: /(?:find|query|select)(?:Selector)?\s*\(\s*['"]\/*\/(?:\w+:)?Assertion['"]\s*\)/gi, name: 'XPath query for Assertion (XSW vulnerability)', severity: 'HIGH' },
+        { pattern: /(?:find|query|select)(?:Selector)?\s*\(\s*['"](?:\w+:)?(?:AttributeStatement|NameID|Subject)['"]\s*\)/gi, name: 'XPath query for SAML elements (check for XSW)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'SAML/SSO Attacks',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Validate SAML signatures with trusted Identity Provider certificates. Never accept unsigned assertions. Use XML Signature Wrapping (XSW) defenses: validate the exact XPath of signed elements. Always enforce audience restriction and InResponseTo. Do not accept NameID or attributes from user input.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 1024 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/web3.js

@@ -0,0 +1,73 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.sol', '.rs', '.js', '.ts', '.jsx', '.tsx', '.py', '.vy', '.move'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor', 'out'];
+
+export async function auditWeb3(projectPath, spinner) {
+  spinner.text = 'Scanning for Web3/smart contract vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /reentrancy|re-?entrant|nonReentrant/gi, name: 'Reentrancy guard pattern', severity: 'INFO' },
+        { pattern: /\.call\s*\(\s*\{\s*value:|\.transfer\s*\(|\.send\s*\(/gi, name: 'ETH transfer method (check reentrancy)', severity: 'HIGH' },
+        { pattern: /(?:transfer|send)\s*\(\s*(?:msg\.value|address\(this\)\.balance)/gi, name: 'Full balance transfer (reentrancy risk)', severity: 'CRITICAL' },
+        { pattern: /(?:balances?|mapping).*\s*\[.*\s*\]\s*[-+]=?\s*/gi, name: 'Balance update (check CEI pattern)', severity: 'MEDIUM' },
+        { pattern: /delegatecall|delegatecall\s*\(/gi, name: 'delegatecall usage (storage collision risk)', severity: 'CRITICAL' },
+        { pattern: /selfdestruct|suicide\s*\(/gi, name: 'selfdestruct usage', severity: 'HIGH' },
+        { pattern: /tx\.origin\s*={2,3}|require\s*\(\s*tx\.origin/gi, name: 'tx.origin used for auth (phishing risk)', severity: 'CRITICAL' },
+        { pattern: /block\.timestamp.*==|block\.timestamp.*<=|block\.timestamp.*>=/gi, name: 'block.timestamp in strict comparison', severity: 'MEDIUM' },
+        { pattern: /blockhash\s*\(|block\.blockhash/gi, name: 'Blockhash usage (predictable in multi-block context)', severity: 'MEDIUM' },
+        { pattern: /onlyOwner|Ownable|owner\s*=\s*msg\.sender/gi, name: 'Ownable pattern (single point of failure)', severity: 'MEDIUM' },
+        { pattern: /mint\s*\(\s*.*address|_mint\s*\(/gi, name: 'Mint function (check access control)', severity: 'HIGH' },
+        { pattern: /proxy|implementation|upgrade|initialize/gi, name: 'Upgradeable/proxy pattern', severity: 'INFO' },
+        { pattern: /storage\s+|assembly\s*\{.*sload|sstore/gi, name: 'Inline assembly with storage access', severity: 'HIGH' },
+        { pattern: /unchecked\s*\{|unchecked\s*\(/gi, name: 'unchecked block (integer overflow risk)', severity: 'MEDIUM' },
+        { pattern: /uint\d+\s*\+\s*|uint\d+\s*-\s*|uint\d+\s*\*\s*/gi, name: 'Integer arithmetic (check overflow/underflow if Solidity < 0.8)', severity: 'MEDIUM' },
+        { pattern: /msg\.value\s*>=\s*0|msg\.value\s*==\s*0/gi, name: 'msg.value comparison (check edge cases)', severity: 'LOW' },
+        { pattern: /(?:constructor|init)\s*\([^)]*(?:_proxy|_impl|_implementation)/gi, name: 'Proxy initialization (check for double-init)', severity: 'HIGH' },
+        { pattern: /(?:deadline|expiry|expires).*(?:require|if|assert)\s*\(/gi, name: 'Deadline check (frontrunning protection)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Web3 / Smart Contracts',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use Checks-Effects-Interactions pattern. Use ReentrancyGuard from OpenZeppelin. Verify proxy initializer is only called once. Use msg.sender instead of tx.origin for auth. Use block.timestamp >= for time comparisons. Run slither/aderyn for deeper analysis.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 256 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/xxe.js

@@ -0,0 +1,74 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.java', '.cs', '.go', '.xml', '.svg'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor', 'target'];
+
+export async function auditXxe(projectPath, spinner) {
+  spinner.text = 'Scanning for XXE vulnerabilities (PortSwigger)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const xxePatterns = [
+        { pattern: /DOMParser\s*\(\s*\)/gi, name: 'DOMParser without disabling entities', severity: 'HIGH' },
+        { pattern: /parseString\s*\(\s*(?:req|params|query|body|user|data|input)/gi, name: 'XML parsing user input (xml2js)', severity: 'CRITICAL' },
+        { pattern: /xml2js|fast-xml-parser|libxmljs|sax\s*\./gi, name: 'XML parser library usage', severity: 'INFO' },
+        { pattern: /DocumentBuilderFactory/gi, name: 'Java XML DocumentBuilderFactory', severity: 'MEDIUM' },
+        { pattern: /SAXParserFactory/gi, name: 'Java SAXParserFactory', severity: 'MEDIUM' },
+        { pattern: /XMLReader/gi, name: 'XMLReader usage', severity: 'MEDIUM' },
+        { pattern: /etree\.parse\s*\(\s*(?:req|request|data|input|file)/gi, name: 'Python lxml parse user input', severity: 'CRITICAL' },
+        { pattern: /etree\.fromstring\s*\(\s*(?:req|request|data|input)/gi, name: 'Python lxml fromstring user input', severity: 'CRITICAL' },
+        { pattern: /simplexml_load_string\s*\(\s*\$_(?:GET|POST|REQUEST)/gi, name: 'PHP simplexml_load_string user input', severity: 'CRITICAL' },
+        { pattern: /DOMDocument.*loadXML\s*\(\s*\$_(?:GET|POST|REQUEST)/gi, name: 'PHP DOMDocument loadXML user input', severity: 'CRITICAL' },
+        { pattern: /LIBXML_NOENT/gi, name: 'PHP LIBXML_NOENT (entity substitution enabled)', severity: 'HIGH' },
+        { pattern: /resolve_entities\s*[:=]\s*true/gi, name: 'Entity resolution enabled', severity: 'HIGH' },
+        { pattern: /external_entities\s*[:=]\s*true/gi, name: 'External entities enabled', severity: 'CRITICAL' },
+        { pattern: /setFeature\s*\(\s*['"]http:\/\/xml\.org\/sax\/features\/external-general-entities['"]\s*,\s*true/gi, name: 'Java external entities enabled', severity: 'CRITICAL' },
+        { pattern: /DOCTYPE|ENTITY|SYSTEM/g, name: 'DOCTYPE/ENTITY declaration in file', severity: 'LOW' },
+      ];
+
+      for (const { pattern, name, severity } of xxePatterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (isComment(line)) continue;
+
+          addFinding(
+            severity,
+            'XXE (PortSwigger)',
+            `${name}`,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Disable external entity processing: set disallow-doctype-decl=true, external-general-entities=false. Use JSON instead of XML where possible. For Java: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function isComment(line) {
+  return line.startsWith('//') || line.startsWith('#') || line.startsWith('*') || line.startsWith('<!--');
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}