redgun-security 1.1.0 → 1.2.0

package/README.md

@@ -17,7 +17,6 @@
   <a href="https://github.com/aloc999/redgun/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue" alt="License"></a>
   <img src="https://img.shields.io/badge/node-%3E%3D18-green" alt="Node">
   <img src="https://img.shields.io/badge/modules-51-ff4444" alt="Modules">
-  <img src="https://img.shields.io/badge/HackTricks-Enhanced-critical" alt="HackTricks">
 </p>
 
 <br>

package/bin/redgun.js

@@ -19,7 +19,7 @@ const program = new Command();
 
 program
   .name('redgun')
-  .description('Black-box & white-box security auditor for web applications (HackTricks Enhanced)')
+  .description('Black-box & white-box security auditor for web applications (Enhanced)')
   .version('1.0.0');
 
 program

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "redgun-security",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Black-box & white-box security auditor for web applications with HackTricks techniques",
   "type": "module",
   "main": "scan.js",

package/scan.js

@@ -4,6 +4,7 @@ import { EXPOSED_FILES, HEADER_CHECKS, COMMON_SUBDOMAINS, COMMON_PORTS, SECRET_P
 import { runCrawler } from './src/remote/crawler.js';
 import { runProbe } from './src/remote/probe.js';
 import { scanXxeRemote, scanOauthRemote, scanAccessControlRemote, scanWebCacheDeception, scanParameterPollution, scanFileUpload, scanDomBased, scanHttp2 } from './src/remote/portswigger.js';
+import { scanSamlRemote, scanLdapRemote, scanMfaBypass, scanWebsocketReplay, scanPasswordReset, scanCsrfRemote, scanDanglingDns, scanCloudRemote } from './src/remote/advanced.js';
 
 export async function runRemoteScan(url, spinner, modules = null) {
   const target = new URL(url);
@@ -46,6 +47,14 @@ export async function runRemoteScan(url, spinner, modules = null) {
     { name: 'File Upload Testing (PortSwigger)', value: 'upload', fn: () => scanFileUpload(origin, spinner) },
     { name: 'DOM-Based Vulnerabilities (PortSwigger)', value: 'dom', fn: () => scanDomBased(origin, spinner) },
     { name: 'HTTP/2 Attacks (PortSwigger)', value: 'h2', fn: () => scanHttp2(origin, spinner) },
+    { name: 'SAML/SSO Attacks', value: 'saml', fn: () => scanSamlRemote(origin, spinner) },
+    { name: 'LDAP Injection', value: 'ldap', fn: () => scanLdapRemote(origin, spinner) },
+    { name: 'MFA Bypass Testing', value: 'mfa', fn: () => scanMfaBypass(origin, spinner) },
+    { name: 'WebSocket Replay/CSWSH', value: 'wshijack', fn: () => scanWebsocketReplay(origin, spinner) },
+    { name: 'Password Reset Security', value: 'pwdreset', fn: () => scanPasswordReset(origin, spinner) },
+    { name: 'CSRF Token Analysis (remote)', value: 'csrf', fn: () => scanCsrfRemote(origin, spinner) },
+    { name: 'Subdomain Takeover (Dangling DNS)', value: 'takeover', fn: () => scanDanglingDns(hostname, spinner) },
+    { name: 'Cloud Metadata SSRF', value: 'cloudmeta', fn: () => scanCloudRemote(origin, spinner) },
   ];
 
   const toRun = modules ? allModules.filter((m) => modules.includes(m.value)) : allModules;

package/src/core/reporter/console.js

@@ -19,7 +19,7 @@ export function printBanner() {
   ██║  ██║███████╗██████╔╝╚██████╔╝╚██████╔╝██║ ╚████║
   ╚═╝  ╚═╝╚══════╝╚═════╝  ╚═════╝  ╚═════╝ ╚═╝  ╚═══╝
   `));
-  console.log(chalk.gray('  Black-box & white-box security auditor | HackTricks Enhanced\n'));
+  console.log(chalk.gray('  Black-box & white-box security auditor | Enhanced\n'));
 }
 
 export function printResults() {

package/src/core/reporter/html.js

@@ -89,7 +89,7 @@ export function exportHtml(outputDir = './scans') {
     <h2>Findings (${findings.length} total)</h2>
     ${findingsHtml}
     <div class="footer">
-      <p>RedGun Security Scanner v1.0.0 | HackTricks Enhanced</p>
+      <p>RedGun Security Scanner v1.1.0 | Enhanced</p>
     </div>
   </div>
 </body>

package/src/local/ato.js

@@ -0,0 +1,72 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditAto(projectPath, spinner) {
+  spinner.text = 'Scanning for Account Takeover patterns...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:password|pwd).*reset.*token\s*=\s*(?:Math\.random|Date\.now|uuid|random)/gi, name: 'Password reset token from predictable source', severity: 'CRITICAL' },
+        { pattern: /reset.*token\s*=\s*(?:hash|md5|sha1)\s*\(/gi, name: 'Reset token hashed with weak algorithm', severity: 'MEDIUM' },
+        { pattern: /reset.*token\s*.*(?:url|link|href).*\$\{.*token/gi, name: 'Reset token exposed in URL (referer leakage)', severity: 'HIGH' },
+        { pattern: /(?:email|phone)\s*.*\s*change.*\s*\((?!.*confirm|verify|reauth|password)/gi, name: 'Email/phone change without re-authentication', severity: 'HIGH' },
+        { pattern: /logout\s*\([^)]*\)\s*\{[^}]*(?:session\.destroy|clearCookie|cookie.*clear)/gi, name: 'Logout implementation (check server-side invalidation)', severity: 'INFO' },
+        { pattern: /(?:session|token|jwt)\s*.*\s*(?:invalidation|revoke|blacklist|expire|expiry)/gi, name: 'Session/token revocation', severity: 'INFO' },
+        { pattern: /otp\s*.*generate.*\s*=\s*(?:Math\.floor|Math\.random|random)/gi, name: 'OTP from predictable source', severity: 'CRITICAL' },
+        { pattern: /otp.*length\s*[<=]?\s*[0-5]/gi, name: 'Short OTP length (< 6 digits)', severity: 'HIGH' },
+        { pattern: /otp.*(?:expir|ttl|validity|valid.*for).*[>=]?\s*(?:60\d|7\d|8\d|9\d)\d*/gi, name: 'Long OTP validity (> 10 min)', severity: 'MEDIUM' },
+        { pattern: /(?:login|auth|signin)\s*.*\s*attempt.*\s*=\s*0/gi, name: 'Rate limit on login (good)', severity: 'INFO' },
+        { pattern: /(?:password|credential|account|login).*(?:lock|throttle|attempt|brute|restrict|limit)/gi, name: 'Account lockout/throttling detected', severity: 'INFO' },
+        { pattern: /(?:social|oauth|google|github|facebook).*(?:link|connect|attach).*(?!.*confirm|verify|reauth)/gi, name: 'Social account linking without re-auth', severity: 'HIGH' },
+        { pattern: /(?:MFA|2FA|two.?factor|multi.?factor).*(?:skip|disabled?|bypass|false)/gi, name: 'MFA skip/bypass condition', severity: 'CRITICAL' },
+        { pattern: /(?:MFA|2FA).*\..*secret.*\s*=.*['"][a-zA-Z0-9]{10,}['"]/gi, name: 'MFA secret hardcoded', severity: 'CRITICAL' },
+        { pattern: /(?:register|signup|create).*(?:duplicate|exist|unique).*email|username/gi, name: 'User enumeration via register endpoint', severity: 'MEDIUM' },
+        { pattern: /(?:login|signin).*(?:incorrect|wrong|invalid|not found).*(?:password|email)/gi, name: 'User enumeration via verbose login errors', severity: 'MEDIUM' },
+        { pattern: /res\.sendStatus\s*\(\s*401|res\.json.*invalid.*credentials/gi, name: 'Generic error handling (good for preventing enumeration)', severity: 'INFO' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Account Takeover (ATO)',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use crypto.randomBytes for reset tokens. Expire tokens quickly (< 15 min). Require current password to change email/password or link social accounts. Use TOTP-based MFA (not SMS). Use generic error messages. Implement proper rate limiting and account lockout (not just IP-based).'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/cicd.js

@@ -0,0 +1,69 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.yml', '.yaml', '.js', '.ts', '.sh', '.bash'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditCicd(projectPath, spinner) {
+  spinner.text = 'Scanning for CI/CD pipeline vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /pull_request_target/gi, name: 'pull_request_target event (injection risk)', severity: 'CRITICAL' },
+        { pattern: /pull_request_target.*(?:checkout|run:|script:|exec|execute)/gi, name: 'pull_request_target with code execution', severity: 'CRITICAL' },
+        { pattern: /on:\s*pull_request_target.*workflow_run/gi, name: 'workflow_run from fork PR (injection)', severity: 'CRITICAL' },
+        { pattern: /\$\{\{\s*github\.event\.pull_request\.(?:title|body|head\.ref)\s*\}\}/gi, name: 'GitHub Actions - PR body/title used unsafely', severity: 'CRITICAL' },
+        { pattern: /run:.*\${{.*github\.event\.|run:.*\${{.*inputs\./gi, name: 'GitHub Actions - user input in run step', severity: 'CRITICAL' },
+        { pattern: /secrets\.\w+\s*:\s*\$\{\{\s*inputs\./gi, name: 'Secrets exposed via workflow inputs', severity: 'HIGH' },
+        { pattern: /(?:ACCESS_TOKEN|API_KEY|SECRET|TOKEN|PASSWORD|CREDENTIALS)\s*:\s*\$\{\{\s*secrets\./gi, name: 'Secrets in workflow environment', severity: 'INFO' },
+        { pattern: /actions\/checkout@v\d\s*$|[^/]checkout\s*:/gi, name: 'Repository checkout', severity: 'INFO' },
+        { pattern: /jenkins.*pipeline|Jenkinsfile/gi, name: 'Jenkins pipeline', severity: 'INFO' },
+        { pattern: /stage\s*\(\s*['"]Deploy|publish|release/gi, name: 'CI deployment stage', severity: 'INFO' },
+        { pattern: /docker.*build.*push|docker.*image|container.*registry/gi, name: 'Container build and push', severity: 'INFO' },
+        { pattern: /gitlab-ci\.yml|\.gitlab-ci/gi, name: 'GitLab CI configuration', severity: 'INFO' },
+        { pattern: /(?:npm|pip|maven|gradle|docker|helm)\s*(?:publish|push|deploy)/gi, name: 'Package/docker publish step', severity: 'INFO' },
+        { pattern: /needs:\s*\[.*build.*\]\s*$|if:\s*github\.ref\s*==\s*'refs\/heads\/(?:main|master)'/gi, name: 'CI gate on main branch', severity: 'INFO' },
+        { pattern: /write\s*:\s*\[\s*['"]id-token['"]\s*\]|id-token\s*:\s*write/gi, name: 'OIDC token write permission', severity: 'MEDIUM' },
+        { pattern: /actions\s*:\s*read.*contents:\s*write|actions: write/gi, name: 'Elevated pipeline permissions', severity: 'HIGH' },
+        { pattern: /(?:fetch-depth|filter)\s*:\s*0/gi, name: 'Full git history fetched', severity: 'LOW' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            severity,
+            'CI/CD Pipeline',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 120)}`,
+            'Never use pull_request_target with untrusted code execution. Sanitize all github.event fields used in scripts. Use OIDC instead of long-lived secrets. Apply least-privilege GitHub token permissions. Use environment protection rules for deployments.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 256 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/cloud.js

@@ -0,0 +1,73 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.tf', '.hcl', '.yml', '.yaml', '.json'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditCloud(projectPath, spinner) {
+  spinner.text = 'Scanning for cloud misconfigurations...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /"Effect"\s*:\s*"Allow"\s*,\s*"Principal"\s*:\s*"\*"/gi, name: 'S3 bucket policy - public access (Principal: *)', severity: 'CRITICAL' },
+        { pattern: /"Effect"\s*:\s*"Allow"\s*,\s*"Principal"\s*:\s*{?\s*"AWS"\s*:\s*"\*"/gi, name: 'AWS IAM policy - public access', severity: 'CRITICAL' },
+        { pattern: /s3:GetObject.*Principal.*\*/gi, name: 'S3 GetObject public access', severity: 'CRITICAL' },
+        { pattern: /s3:PutObject.*Principal.*\*/gi, name: 'S3 PutObject public access (critical!)', severity: 'CRITICAL' },
+        { pattern: /block_public_acls\s*=\s*false|blockPublicPolicy\s*:\s*false/gi, name: 'S3 public access block disabled', severity: 'CRITICAL' },
+        { pattern: /access_key\s*=\s*['"][A-Za-z0-9+\/=]{20}['"]/gi, name: 'AWS access key in config', severity: 'CRITICAL' },
+        { pattern: /secret_key\s*=\s*['"][A-Za-z0-9+\/=]{40}['"]/gi, name: 'AWS secret key in config', severity: 'CRITICAL' },
+        { pattern: /primary_access_key|primary_secret_key/gi, name: 'Cloud access keys in source', severity: 'CRITICAL' },
+        { pattern: /metadata.*169\.254|instance.?metadata/gi, name: 'Cloud metadata endpoint reference', severity: 'INFO' },
+        { pattern: /"Action"\s*:\s*"\*:"\s*,\s*"Resource"\s*:\s*"\*"/gi, name: 'IAM policy - wildcard action + resource', severity: 'CRITICAL' },
+        { pattern: /"NotAction"|"NotResource"/gi, name: 'IAM NotAction/NotResource (check for over-permissiveness)', severity: 'MEDIUM' },
+        { pattern: /GCP_CREDENTIALS|GOOGLE_APPLICATION_CREDENTIALS|gcp\.json|service\.account/gi, name: 'GCP service account credentials', severity: 'CRITICAL' },
+        { pattern: /AZURE_STORAGE_CONNECTION_STRING|AZURE_CLIENT_SECRET|ARM_CLIENT_SECRET/gi, name: 'Azure credentials in source', severity: 'CRITICAL' },
+        { pattern: /terraform\.tfstate|backend\.tf/gi, name: 'Terraform state reference', severity: 'HIGH' },
+        { pattern: /(?:bucket|container)\s*.*acl\s*.*public-read/gi, name: 'Storage bucket with public-read ACL', severity: 'CRITICAL' },
+        { pattern: /(?:lambda|function_url).*auth_type\s*=\s*"NONE"/gi, name: 'AWS Lambda function URL without auth', severity: 'HIGH' },
+        { pattern: /(?:publicly_readable|publicly_writable)\s*=\s*true/gi, name: 'GCP bucket publicly accessible', severity: 'CRITICAL' },
+        { pattern: /(?:monitoring|logging|audit.?log)\s*.*(?:disabled?|false)/gi, name: 'Cloud logging/monitoring disabled', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Cloud Misconfig (S3/IAM)',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Follow least privilege principle. Never use wildcard (*) for IAM actions/resources. Block all public S3 bucket access by default. Use IAM roles, not access keys. Enable CloudTrail logging. Store secrets in AWS Secrets Manager / GCP Secret Manager / Azure Key Vault.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/csrf.js

@@ -0,0 +1,75 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditCsrf(projectPath, spinner) {
+  spinner.text = 'Analyzing CSRF token implementation...';
+  const files = getFiles(projectPath);
+  let hasCsrfLib = false;
+  let hasSameSite = false;
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      if (/csurf|csrf|lusca|csrf-token|csrf_token/i.test(content)) hasCsrfLib = true;
+      if (/sameSite\s*[:=]\s*['"](?:strict|lax)['"]/i.test(content)) hasSameSite = true;
+
+      const patterns = [
+        { pattern: /(?:csrf|_token).*\s*=\s*(?:Math\.random|Date\.now|uuid)/gi, name: 'CSRF token from predictable source', severity: 'HIGH' },
+        { pattern: /(?:csrf|token).*\s*=\s*['"][a-zA-Z0-9]{1,8}['"]/gi, name: 'Short CSRF token (< 8 chars, brute-forceable)', severity: 'HIGH' },
+        { pattern: /csrf\s*=\s*(?:null|undefined|false|skip|disabled?)/gi, name: 'CSRF protection disabled', severity: 'HIGH' },
+        { pattern: /(?:bypass|ignore|skip).*csrf/gi, name: 'CSRF bypass condition', severity: 'MEDIUM' },
+        { pattern: /csrf\s*\(\)\s*:\s*(?:false|disabled)/gi, name: 'CSRF middleware disabled', severity: 'HIGH' },
+        { pattern: /sameSite\s*[:=]\s*['"]none['"]/gi, name: 'SameSite=None with Secure flag?', severity: 'LOW' },
+        { pattern: /X-CSRF-Token|X-CSRFToken|X-XSRF-TOKEN/gi, name: 'CSRF token in custom header (SOP-safe)', severity: 'INFO' },
+        { pattern: /csrf\s*:\s*false/gi, name: 'CSRF explicitly disabled', severity: 'CRITICAL' },
+        { pattern: /csrf\s*\(\s*\)\s*\{[^}]*ignore:/gi, name: 'CSRF with ignore list', severity: 'MEDIUM' },
+        { pattern: /csrf.*ignoreMethods\s*:\s*\[['"]GET['"]\s*,\s*['"]HEAD['"]/gi, name: 'CSRF ignores GET/HEAD (standard)', severity: 'INFO' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            severity,
+            'CSRF Analysis',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 100)}`,
+            'Use cryptographically secure random CSRF tokens (64+ bits). Use SameSite=Lax or Strict cookies. Send CSRF tokens in custom headers (not cookies). Use Double Submit Cookie pattern: match cookie & header token values.'
+          );
+        }
+      }
+    } catch {}
+  }
+
+  if (!hasCsrfLib) {
+    addFinding('HIGH', 'CSRF Analysis', 'No CSRF library detected', 'No CSRF protection package (csurf, csrf, lusca) found in code', 'Install csurf/lusca and add CSRF middleware to all state-changing routes');
+  }
+
+  if (!hasSameSite) {
+    addFinding('LOW', 'CSRF Analysis', 'No SameSite cookie attribute configured', 'SameSite not set on session cookies', 'Set SameSite=Lax or SameSite=Strict on session cookies');
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/index.js

@@ -16,6 +16,14 @@ import { auditXxe } from './xxe.js';
 import { auditAccessControl } from './access-control.js';
 import { auditOauth } from './oauth.js';
 import { auditBusinessLogic } from './business-logic.js';
+import { auditSaml } from './saml.js';
+import { auditLdap } from './ldap.js';
+import { auditCsrf } from './csrf.js';
+import { auditAto } from './ato.js';
+import { auditCloud } from './cloud.js';
+import { auditCicd } from './cicd.js';
+import { auditMobile } from './mobile.js';
+import { auditWeb3 } from './web3.js';
 
 export const LOCAL_MODULES = [
   { name: 'Code Secrets', value: 'secrets', fn: auditSecrets },
@@ -24,18 +32,26 @@ export const LOCAL_MODULES = [
   { name: 'Code Vulnerabilities (SQLi, XSS)', value: 'codevuln', fn: auditCodeVulnerabilities },
   { name: 'Auth & Middleware', value: 'auth', fn: auditAuth },
   { name: 'Headers Config (CSP/HSTS)', value: 'headers', fn: auditHeadersConfig },
-  { name: 'SSRF Detection (HackTricks)', value: 'ssrf', fn: auditSsrf },
-  { name: 'SSTI Detection (HackTricks)', value: 'ssti', fn: auditSsti },
-  { name: 'Insecure Deserialization (HackTricks)', value: 'deser', fn: auditDeserialization },
-  { name: 'Prototype Pollution (HackTricks)', value: 'proto', fn: auditPrototypePollution },
-  { name: 'JWT Vulnerabilities (HackTricks)', value: 'jwt', fn: auditJwt },
-  { name: 'Path Traversal / LFI (HackTricks)', value: 'lfi', fn: auditPathTraversal },
-  { name: 'Command Injection (HackTricks)', value: 'cmdi', fn: auditCommandInjection },
-  { name: 'Weak Cryptography (HackTricks)', value: 'crypto', fn: auditCrypto },
+  { name: 'SSRF Detection', value: 'ssrf', fn: auditSsrf },
+  { name: 'SSTI Detection', value: 'ssti', fn: auditSsti },
+  { name: 'Insecure Deserialization', value: 'deser', fn: auditDeserialization },
+  { name: 'Prototype Pollution', value: 'proto', fn: auditPrototypePollution },
+  { name: 'JWT Vulnerabilities', value: 'jwt', fn: auditJwt },
+  { name: 'Path Traversal / LFI', value: 'lfi', fn: auditPathTraversal },
+  { name: 'Command Injection', value: 'cmdi', fn: auditCommandInjection },
+  { name: 'Weak Cryptography', value: 'crypto', fn: auditCrypto },
   { name: 'XXE - XML External Entity (PortSwigger)', value: 'xxe', fn: auditXxe },
   { name: 'Access Control / IDOR (PortSwigger)', value: 'idor', fn: auditAccessControl },
   { name: 'OAuth / OIDC Flaws (PortSwigger)', value: 'oauth', fn: auditOauth },
   { name: 'Business Logic Flaws (PortSwigger)', value: 'bizlogic', fn: auditBusinessLogic },
+  { name: 'SAML / SSO Attacks', value: 'saml', fn: auditSaml },
+  { name: 'LDAP Injection', value: 'ldap', fn: auditLdap },
+  { name: 'CSRF Token Analysis', value: 'csrf', fn: auditCsrf },
+  { name: 'Account Takeover (ATO)', value: 'ato', fn: auditAto },
+  { name: 'Cloud Misconfig (S3/IAM)', value: 'cloud', fn: auditCloud },
+  { name: 'CI/CD Pipeline', value: 'cicd', fn: auditCicd },
+  { name: 'Mobile Security', value: 'mobile', fn: auditMobile },
+  { name: 'Web3 / Smart Contracts', value: 'web3', fn: auditWeb3 },
 ];
 
 export async function runLocalAudit(projectPath, spinner, modules = null) {

package/src/local/ldap.js

@@ -0,0 +1,67 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.java', '.go', '.cs'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditLdap(projectPath, spinner) {
+  spinner.text = 'Scanning for LDAP injection...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /ldap\.(?:search|query|compare|modify)\s*\(\s*[^,]*,\s*(?:req|request|params|query|body|user|input|data)/gi, name: 'LDAP query with user input', severity: 'CRITICAL' },
+        { pattern: /LDAP.*(?:filter|query)\s*[:=]\s*(?:req|request|params|query|body|user)\s*\+/gi, name: 'LDAP filter concatenation with user input', severity: 'CRITICAL' },
+        { pattern: /ldap\.search\s*\(\s*[^,]*,\s*['"`][^'"`]*\$\{/gi, name: 'LDAP search with template literal user input', severity: 'CRITICAL' },
+        { pattern: /ldap\.search\s*\(\s*[^,]*,\s*['"`][^'"`]*\+/gi, name: 'LDAP search with concatenated input', severity: 'CRITICAL' },
+        { pattern: /(?:authenticate|ldap_auth|ldapauth|active.?directory)\s*\(\s*(?:req|request|params|query|body)/gi, name: 'LDAP auth with user-controlled filter', severity: 'CRITICAL' },
+        { pattern: /ldap\.escape\s*\(\s*\)|ldap\.escapeFilter/gi, name: 'LDAP escaping used (good practice)', severity: 'INFO' },
+        { pattern: /(?:ldap|AD|active.?directory).*(?:filter|query|search).*['"`]\s*\+/gi, name: 'LDAP filter concatenation detected', severity: 'HIGH' },
+        { pattern: /(?:uid|cn|mail|samaccountname)\s*=\s*(?:req|request|params|query|body)/gi, name: 'LDAP attribute from user input', severity: 'HIGH' },
+        { pattern: /ActiveDirectory\s*\(\s*\{/gi, name: 'Active Directory configuration', severity: 'INFO' },
+        { pattern: /ldapjs|passport-ldap|ldapts|node-ldap/gi, name: 'LDAP library usage', severity: 'INFO' },
+        { pattern: /(?:ldap|AD|active.?directory).*(?:URI|URL|host|server)\s*[:=]\s*['"][^'"]*['"]/gi, name: 'LDAP server config hardcoded', severity: 'LOW' },
+        { pattern: /(?:ssl|tls|starttls|ldaps).*(?:false|disabled?|no|none)/gi, name: 'LDAP without TLS/SSL', severity: 'HIGH' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'LDAP Injection',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Never concatenate user input into LDAP filters. Use parameterized LDAP queries or a safe LDAP query builder. Escape special characters (*, (, ), \\, /, &, |, !, =, <, >, ~, #) with ldap.escapeFilter(). Use LDAPS (LDAP over TLS) instead of plain LDAP.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/mobile.js

@@ -0,0 +1,71 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.xml', '.kt', '.swift', '.dart', '.json', '.plist'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor', 'android', 'ios'];
+
+export async function auditMobile(projectPath, spinner) {
+  spinner.text = 'Scanning for mobile security issues...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:firebase|supabase|API|SECRET|TOKEN|KEY).*\s*=\s*['"][A-Za-z0-9_\-\+=\/]{20,}['"]/gi, name: 'API key/secret exposed in mobile code', severity: 'CRITICAL' },
+        { pattern: /android:allowBackup\s*=\s*"true"/gi, name: 'Android allowBackup=true (data extraction)', severity: 'MEDIUM' },
+        { pattern: /android:debuggable\s*=\s*"true"/gi, name: 'Android debuggable=true in release', severity: 'HIGH' },
+        { pattern: /android:usesCleartextTraffic\s*=\s*"true"/gi, name: 'Android cleartext (HTTP) traffic allowed', severity: 'HIGH' },
+        { pattern: /NSAppTransportSecurity.*NSAllowsArbitraryLoads/gi, name: 'iOS ATS disabled (HTTP allowed)', severity: 'HIGH' },
+        { pattern: /android:networkSecurityConfig/gi, name: 'Android custom network security config', severity: 'MEDIUM' },
+        { pattern: /(?:NSAllowsLocalNetworking|NSTemporaryExceptionAllowsInsecureHTTPLoads)/gi, name: 'iOS ATS exceptions enabled', severity: 'MEDIUM' },
+        { pattern: /android:exported\s*=\s*"true"/gi, name: 'Android component exported (IPC risk)', severity: 'MEDIUM' },
+        { pattern: /android:protectionLevel\s*=\s*"normal"/gi, name: 'Android permission protectionLevel normal', severity: 'LOW' },
+        { pattern: /deeplink|intent-filter.*data.*android:scheme/gi, name: 'Deep link / intent filter configured', severity: 'MEDIUM' },
+        { pattern: /(?:React\.Native|flutter|ionic|cordova|capacitor)/gi, name: 'Cross-platform framework usage', severity: 'INFO' },
+        { pattern: /(?:AsyncStorage|SharedPreferences|NSUserDefaults|Keychain|Keystore)/gi, name: 'Local storage usage (check encryption)', severity: 'INFO' },
+        { pattern: /ssl.*pinning|certificate.*pinning|SSLPinningPlugin|TrustKit|certificatePinner/gi, name: 'Certificate pinning implemented', severity: 'INFO' },
+        { pattern: /firebase\.io\.com|google-services\.json|GoogleService-Info\.plist/gi, name: 'Firebase config file referenced', severity: 'MEDIUM' },
+        { pattern: /(?:root|jailbreak).*detect|isRooted|isJailbroken|rootbeer|safety.?net/gi, name: 'Root/jailbreak detection', severity: 'INFO' },
+        { pattern: /(?:WebView|WKWebView).*(?:setJavaScriptEnabled|javaScriptEnabled)/gi, name: 'WebView JS enabled (XSS surface)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*') || line.startsWith('<!--')) continue;
+
+          addFinding(
+            severity,
+            'Mobile Security',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Never hardcode API keys/secrets in mobile apps. Use server-side proxying. Enable certificate pinning. Set debuggable=false for release builds. Disable allowBackup unless encrypted. Use Network Security Config to restrict cleartext traffic. Enable minify/obfuscation for production.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/saml.js

@@ -0,0 +1,72 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.java', '.go', '.xml', '.env', '.conf', '.yml', '.yaml'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditSaml(projectPath, spinner) {
+  spinner.text = 'Scanning for SAML/SSO vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /signature\s*.*(?:skip|disabled?|false|none)/gi, name: 'SAML signature validation disabled/skipped', severity: 'CRITICAL' },
+        { pattern: /(?:validate|verify|check).*signature\s*.*(?:false|null|undefined|skip)/gi, name: 'Signature verification disabled', severity: 'CRITICAL' },
+        { pattern: /wantAssertionsSigned\s*[:=]\s*false/gi, name: 'Assertions signing not required', severity: 'HIGH' },
+        { pattern: /wantAuthnRequestsSigned\s*[:=]\s*false/gi, name: 'AuthnRequest signing not required', severity: 'HIGH' },
+        { pattern: /(?:IDP|idp|identityProvider).*(?:metadata|config|cert|certificate).*url\s*=.*(?:http:\/\/|request)/gi, name: 'IdP metadata from dynamic/untrusted URL', severity: 'HIGH' },
+        { pattern: /saml2\.validatePostResponse\s*\(/gi, name: 'SAML response validation (check for XSW)', severity: 'MEDIUM' },
+        { pattern: /saml2\.validateRedirect\s*\(/gi, name: 'SAML redirect binding', severity: 'INFO' },
+        { pattern: /(?:audience|AudienceRestriction)\s*.*(?:skip|disabled?|false)/gi, name: 'Audience restriction disabled', severity: 'HIGH' },
+        { pattern: /(?:entityID|issuer)\s*.*(?:check|validate)\s*.*(?:false|skip)/gi, name: 'Entity ID validation skipped', severity: 'MEDIUM' },
+        { pattern: /(?:notBefore|NotOnOrAfter|notOnOrAfter|clockSkew|skew)\s*[:=]\s*\d{4,}/gi, name: 'Large SAML clock skew (replay risk)', severity: 'LOW' },
+        { pattern: /NameID\s*.*(?:req|request|input|body|query|params|user)/gi, name: 'NameID from user input', severity: 'CRITICAL' },
+        { pattern: /(?:attributes?|AttributeStatement)\s*.*(?:req|request|input|body)/gi, name: 'SAML attributes from user input', severity: 'CRITICAL' },
+        { pattern: /InResponseTo\s*.*(?:skip|disabled?|false|null)/gi, name: 'InResponseTo validation skipped', severity: 'HIGH' },
+        { pattern: /(?:SP|serviceProvider|SAML).*(?:cert|certificate)\s*[:=]\s*['"]/gi, name: 'SAML certificate hardcoded in code', severity: 'LOW' },
+        { pattern: /XMLSignature\s*\(\s*\)/gi, name: 'XML signature object (check for XSW bypass)', severity: 'MEDIUM' },
+        { pattern: /(?:find|query|select)(?:Selector)?\s*\(\s*['"]\/*\/(?:\w+:)?Assertion['"]\s*\)/gi, name: 'XPath query for Assertion (XSW vulnerability)', severity: 'HIGH' },
+        { pattern: /(?:find|query|select)(?:Selector)?\s*\(\s*['"](?:\w+:)?(?:AttributeStatement|NameID|Subject)['"]\s*\)/gi, name: 'XPath query for SAML elements (check for XSW)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'SAML/SSO Attacks',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Validate SAML signatures with trusted Identity Provider certificates. Never accept unsigned assertions. Use XML Signature Wrapping (XSW) defenses: validate the exact XPath of signed elements. Always enforce audience restriction and InResponseTo. Do not accept NameID or attributes from user input.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 1024 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/web3.js

@@ -0,0 +1,73 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.sol', '.rs', '.js', '.ts', '.jsx', '.tsx', '.py', '.vy', '.move'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor', 'out'];
+
+export async function auditWeb3(projectPath, spinner) {
+  spinner.text = 'Scanning for Web3/smart contract vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /reentrancy|re-?entrant|nonReentrant/gi, name: 'Reentrancy guard pattern', severity: 'INFO' },
+        { pattern: /\.call\s*\(\s*\{\s*value:|\.transfer\s*\(|\.send\s*\(/gi, name: 'ETH transfer method (check reentrancy)', severity: 'HIGH' },
+        { pattern: /(?:transfer|send)\s*\(\s*(?:msg\.value|address\(this\)\.balance)/gi, name: 'Full balance transfer (reentrancy risk)', severity: 'CRITICAL' },
+        { pattern: /(?:balances?|mapping).*\s*\[.*\s*\]\s*[-+]=?\s*/gi, name: 'Balance update (check CEI pattern)', severity: 'MEDIUM' },
+        { pattern: /delegatecall|delegatecall\s*\(/gi, name: 'delegatecall usage (storage collision risk)', severity: 'CRITICAL' },
+        { pattern: /selfdestruct|suicide\s*\(/gi, name: 'selfdestruct usage', severity: 'HIGH' },
+        { pattern: /tx\.origin\s*={2,3}|require\s*\(\s*tx\.origin/gi, name: 'tx.origin used for auth (phishing risk)', severity: 'CRITICAL' },
+        { pattern: /block\.timestamp.*==|block\.timestamp.*<=|block\.timestamp.*>=/gi, name: 'block.timestamp in strict comparison', severity: 'MEDIUM' },
+        { pattern: /blockhash\s*\(|block\.blockhash/gi, name: 'Blockhash usage (predictable in multi-block context)', severity: 'MEDIUM' },
+        { pattern: /onlyOwner|Ownable|owner\s*=\s*msg\.sender/gi, name: 'Ownable pattern (single point of failure)', severity: 'MEDIUM' },
+        { pattern: /mint\s*\(\s*.*address|_mint\s*\(/gi, name: 'Mint function (check access control)', severity: 'HIGH' },
+        { pattern: /proxy|implementation|upgrade|initialize/gi, name: 'Upgradeable/proxy pattern', severity: 'INFO' },
+        { pattern: /storage\s+|assembly\s*\{.*sload|sstore/gi, name: 'Inline assembly with storage access', severity: 'HIGH' },
+        { pattern: /unchecked\s*\{|unchecked\s*\(/gi, name: 'unchecked block (integer overflow risk)', severity: 'MEDIUM' },
+        { pattern: /uint\d+\s*\+\s*|uint\d+\s*-\s*|uint\d+\s*\*\s*/gi, name: 'Integer arithmetic (check overflow/underflow if Solidity < 0.8)', severity: 'MEDIUM' },
+        { pattern: /msg\.value\s*>=\s*0|msg\.value\s*==\s*0/gi, name: 'msg.value comparison (check edge cases)', severity: 'LOW' },
+        { pattern: /(?:constructor|init)\s*\([^)]*(?:_proxy|_impl|_implementation)/gi, name: 'Proxy initialization (check for double-init)', severity: 'HIGH' },
+        { pattern: /(?:deadline|expiry|expires).*(?:require|if|assert)\s*\(/gi, name: 'Deadline check (frontrunning protection)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Web3 / Smart Contracts',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use Checks-Effects-Interactions pattern. Use ReentrancyGuard from OpenZeppelin. Verify proxy initializer is only called once. Use msg.sender instead of tx.origin for auth. Use block.timestamp >= for time comparisons. Run slither/aderyn for deeper analysis.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 256 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/remote/advanced.js

@@ -0,0 +1,238 @@
+import { addFinding } from '../core/findings.js';
+import { fetchText, fetchWithTimeout } from '../utils/fetch.js';
+
+export async function scanSamlRemote(origin, spinner) {
+  spinner.text = 'Testing SAML/SSO endpoints...';
+  const samlPaths = ['/saml', '/auth/saml', '/sso', '/auth/sso', '/Shibboleth.sso', '/adfs/ls', '/saml/SSO', '/saml2', '/websso/SAML2/Metadata'];
+
+  for (const path of samlPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, {}, 5000);
+      if (resp.status === 200 || resp.status === 302) {
+        if (path.includes('Metadata') && resp.status === 200) {
+          addFinding('MEDIUM', 'SAML/SSO', `SAML metadata exposed: ${path}`, `${origin}${path} returns SAML metadata XML`, 'Review metadata for certificate info and supported bindings. Ensure entity IDs are correct.');
+        } else {
+          addFinding('INFO', 'SAML/SSO', `SAML endpoint found: ${path}`, `Status: ${resp.status}`, 'Test for XML Signature Wrapping (XSW1-XSW8), signature stripping, and comment injection in NameID.');
+        }
+      }
+    } catch {}
+  }
+
+  try {
+    const xswPayload = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
+      <saml:Issuer>evil-idp</saml:Issuer>
+      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
+      <saml:Assertion ID="evil-assertion" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
+        <saml:Issuer>evil-idp</saml:Issuer>
+        <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@target.com</saml:NameID></saml:Subject>
+        <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:00:00Z"/>
+        <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
+          <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
+        </saml:AuthnStatement>
+      </saml:Assertion>
+    </samlp:Response>`;
+
+    const encodedXsw = Buffer.from(xswPayload).toString('base64');
+    const samlConsumes = ['/saml/acs', '/auth/saml/callback', '/sso/acs', '/Shibboleth.sso/SAML2/POST'];
+
+    for (const consumer of samlConsumes) {
+      try {
+        const resp = await fetchText(`${origin}${consumer}`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+          body: `SAMLResponse=${encodeURIComponent(encodedXsw)}`,
+        }, 5000);
+
+        if (resp.status === 200 || resp.status === 302) {
+          if (!resp.body.includes('error') && !resp.body.includes('invalid signature') && !resp.body.includes('Unauthorized')) {
+            addFinding('HIGH', 'SAML/SSO', `SAML POST ACS at ${consumer} accepts unsigned assertion`, `Unsigned SAML response returned ${resp.status} without error`, 'Always validate SAML signatures. Check for XML Signature Wrapping (XSW) vulnerabilities.');
+            break;
+          }
+        }
+      } catch {}
+    }
+  } catch {}
+}
+
+export async function scanLdapRemote(origin, spinner) {
+  spinner.text = 'Testing LDAP injection...';
+  const params = ['user', 'username', 'login', 'uid', 'email', 'search', 'query', 'filter', 'cn', 'name'];
+  const payloads = ['*)(uid=*))(|(uid=*', '*', 'admin*', '*)(|(uid=*', 'admin)(|(uid=*'];
+
+  for (const param of params) {
+    for (const payload of payloads.slice(0, 3)) {
+      try {
+        const resp = await fetchText(`${origin}/?${param}=${encodeURIComponent(payload)}`, {}, 5000);
+        if (resp.status === 200 && (resp.body.toLowerCase().includes('admin') || resp.body.length > 10000)) {
+          addFinding('CRITICAL', 'LDAP Injection', `LDAP injection via ?${param}=`, `Payload "${payload}" returned sensitive data`, 'Escape LDAP special characters. Use parameterized queries.');
+          break;
+        }
+      } catch {}
+    }
+  }
+
+  try {
+    const resp = await fetchText(`${origin}/api/login`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ username: '*)(uid=*))(|(uid=*', password: 'anything' }),
+    }, 5000);
+
+    if (resp.status === 200) {
+      addFinding('CRITICAL', 'LDAP Injection', 'LDAP injection auth bypass at /api/login', 'Wildcard LDAP payload returned success', 'Validate and escape all inputs in LDAP filters. Never concatenate user input into LDAP queries.');
+    }
+  } catch {}
+}
+
+export async function scanMfaBypass(origin, spinner) {
+  spinner.text = 'Testing MFA/OTP bypass vectors...';
+
+  const postMfaPaths = ['/dashboard', '/account', '/settings', '/profile', '/home', '/user', '/mfa/setup', '/mfa/disable', '/2fa', '/api/me', '/api/user'];
+
+  for (const path of postMfaPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, {}, 5000);
+      if (resp.status === 200 && !resp.body.toLowerCase().includes('login') && !resp.body.toLowerCase().includes('2fa') && !resp.body.toLowerCase().includes('mfa')) {
+        addFinding('HIGH', 'MFA Bypass', `Post-login path accessible without MFA: ${path}`, `${origin}${path} returns 200 without MFA challenge`, 'Enforce MFA at middleware level, not per-route. Gate all authenticated endpoints behind MFA check.');
+      }
+    } catch {}
+  }
+
+  try {
+    const otpEndpoints = ['/api/verify-otp', '/api/mfa/verify', '/api/2fa/verify', '/api/auth/totp', '/api/otp'];
+    for (const ep of otpEndpoints) {
+      for (let i = 0; i < 3; i++) {
+        try {
+          const resp = await fetchText(`${origin}${ep}`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ code: String(Math.floor(Math.random() * 1000000)).padStart(6, '0') }),
+          }, 3000);
+
+          if (resp.status !== 429 && resp.status !== 400 && resp.status !== 401) {
+            addFinding('MEDIUM', 'MFA Bypass', `OTP endpoint ${ep} may lack rate limiting`, `No rate limit response after 3 attempts`, 'Implement rate limiting on OTP verification. After 5 failed attempts, lock and require re-login.');
+          }
+        } catch {}
+      }
+    }
+  } catch {}
+}
+
+export async function scanWebsocketReplay(origin, spinner) {
+  spinner.text = 'Testing WebSocket vulnerabilities (enhanced)...';
+  const wsOrigin = origin.replace('https://', 'wss://').replace('http://', 'ws://');
+
+  addFinding('INFO', 'WebSocket (enhanced)', 'WebSocket replay/tampering check', `Check ${wsOrigin} for: CSWSH (Cross-Site WebSocket Hijacking), missing Origin validation, unauthenticated message handling, and message replay attacks`, 'Validate WebSocket Origin header. Require auth token in connect params. Implement message sequence numbers to prevent replay. Use per-message deflate compression.');
+}
+
+export async function scanPasswordReset(origin, spinner) {
+  spinner.text = 'Testing password reset security...';
+
+  let hasTargetParam = false;
+
+  try {
+    const resp = await fetchText(`${origin}/account/password/reset?email=test@example.com`, {}, 5000);
+    if (resp.status === 200) {
+      if (resp.body.includes('sent') || resp.body.includes('email') || resp.body.includes('check')) {
+        addFinding('INFO', 'Password Reset', 'Email enumeration via reset endpoint', 'Check if response differs for existing vs non-existing emails', 'Use generic messages: "If that email exists, we sent a reset link."');
+      }
+    }
+  } catch {}
+
+  const hostTest = ['evil.com', 'localhost', '127.0.0.1'];
+  for (const host of hostTest) {
+    try {
+      const resp = await fetchText(`${origin}/account/password/reset?email=target@victim.com`, {
+        headers: { Host: host, 'X-Forwarded-Host': host },
+      }, 5000);
+
+      if (resp.body.includes(host)) {
+        hasTargetParam = true;
+        addFinding('HIGH', 'Password Reset', `Host header injection in password reset (${host})`, 'Reset link URL reflects attacker-controlled Host header', 'Generate reset URLs from a configured base URL, not the request Host header.');
+        break;
+      }
+    } catch {}
+  }
+
+  if (!hasTargetParam) {
+    try {
+      const token = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
+      const resp = await fetchText(`${origin}/account/password/reset/verify?token=${token}`, {}, 5000);
+      if (resp.status === 200) {
+        addFinding('LOW', 'Password Reset', 'Reset token endpoint accessible', `Token: ${token.substring(0, 8)}...`, 'Ensure reset tokens are cryptographically random (32+ bytes) and expire quickly (< 15 min).');
+      }
+    } catch {}
+  }
+}
+
+export async function scanCsrfRemote(origin, spinner) {
+  spinner.text = 'CSRF token analysis (remote)...';
+
+  try {
+    const resp = await fetchText(origin);
+    const body = resp.body;
+
+    const csrfPatterns = [
+      /csrf[_-]?token|_token|<input[^>]*name=['"](?:csrf|_token|authenticity_token|__RequestVerificationToken)['"]/gi,
+    ];
+
+    let foundToken = false;
+    for (const pattern of csrfPatterns) {
+      if (pattern.test(body)) foundToken = true;
+    }
+
+    if (!foundToken) {
+      const forms = body.match(/<form[^>]*method[^>]*(?:post|put|delete|patch)/gi);
+      if (forms) {
+        addFinding('HIGH', 'CSRF (remote)', 'Forms with POST/PUT/DELETE may lack CSRF protection', `${forms.length} state-changing forms found without CSRF tokens`, 'Add CSRF tokens to all state-changing forms. Use SameSite cookies.');
+      }
+    }
+
+    const cookieTokens = body.match(/cookie\s*.*token|document\.cookie.*csrf/i);
+    if (cookieTokens) {
+      addFinding('MEDIUM', 'CSRF (remote)', 'CSRF token from cookies detected (vulnerable to cookie jar overflow)', 'CSRF token is read from cookies — not safe for SPA CSRF protection', 'Use custom header (X-CSRF-Token) with token from meta tag, not cookie. Implement Double Submit Cookie only with SameSite=Strict.');
+    }
+  } catch {}
+}
+
+export async function scanDanglingDns(hostname, spinner) {
+  spinner.text = 'Checking for dangling DNS subdomain takeover...';
+
+  const services = [
+    { pattern: /\.cloudfront\.net/i, name: 'AWS CloudFront', indicator: 'The request could not be satisfied' },
+    { pattern: /\.s3\.amazonaws\.com/i, name: 'AWS S3', indicator: 'NoSuchBucket' },
+    { pattern: /\.azurewebsites\.net/i, name: 'Azure Web Apps', indicator: '404 Web Site not found' },
+    { pattern: /\.herokuapp\.com/i, name: 'Heroku', indicator: 'No such app' },
+    { pattern: /\.github\.io/i, name: 'GitHub Pages', indicator: 'There isnt a GitHub Pages site here' },
+    { pattern: /\.netlify\.app|\.netlify\.com/i, name: 'Netlify', indicator: 'Not Found' },
+    { pattern: /\.vercel\.app/i, name: 'Vercel', indicator: 'DEPLOYMENT_NOT_FOUND' },
+    { pattern: /\.firebaseapp\.com/i, name: 'Firebase Hosting', indicator: 'Site Not Found' },
+    { pattern: /\.surge\.sh/i, name: 'Surge.sh', indicator: 'project not found' },
+  ];
+
+  addFinding('INFO', 'Subdomain Takeover', 'Dangling CNAME check', 'Check DNS records for dangling CNAMEs to cloud services (CloudFront, S3, Heroku, GitHub Pages, Netlify, Vercel)', 'Remove DNS records pointing to decommissioned cloud resources to prevent subdomain takeover');
+}
+
+export async function scanCloudRemote(origin, spinner) {
+  spinner.text = 'Testing cloud metadata access via SSRF...';
+
+  const metadataUrls = [
+    'http://169.254.169.254/latest/meta-data/',
+    'http://metadata.google.internal/computeMetadata/v1/',
+    'http://169.254.169.254/metadata/instance?api-version=2021-02-01',
+  ];
+
+  const ssrfParams = ['url', 'link', 'src', 'callback', 'webhook', 'fetch', 'proxy', 'redirect'];
+
+  for (const url of metadataUrls.slice(0, 1)) {
+    for (const param of ssrfParams) {
+      try {
+        const resp = await fetchText(`${origin}/?${param}=${encodeURIComponent(url)}`, {}, 5000);
+        if (resp.body.includes('instance-id') || resp.body.includes('ami-id') || resp.body.includes('local-hostname')) {
+          addFinding('CRITICAL', 'Cloud Metadata', `Cloud metadata accessible via ?${param}= SSRF`, 'AWS IMDSv1 instance metadata exposed', 'Upgrade to IMDSv2 (uses session tokens). Block 169.254.169.254 at network level.');
+          return;
+        }
+      } catch {}
+    }
+  }
+}