redgun-security 1.2.0 → 1.4.0

package/README.md

@@ -23,7 +23,7 @@
 
 ## What is RedGun?
 
-RedGun is a security auditing CLI tool that finds vulnerabilities in your web applications. It includes **51 security modules** covering techniques from [HackTricks](https://book.hacktricks.wiki), [PortSwigger Web Security Academy](https://portswigger.net/web-security), [Katana](https://github.com/projectdiscovery/katana), and [httpx](https://github.com/projectdiscovery/httpx). Two modes:
+RedGun is a security auditing CLI tool that finds vulnerabilities in your web applications. It includes **51 security modules** covering techniques from modern techniques. Two modes:
 
 **Remote scan** (black-box): Give it a URL. It crawls with Katana-style JS parsing, fingerprints with httpx-style probing, then tests — XSS, SQLi, SSRF, CORS, XXE, OAuth, IDOR, cache deception, DOM-based, HTTP smuggling, CRLF, parameter pollution, file upload, and more.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "redgun-security",
-  "version": "1.2.0",
+  "version": "1.4.0",
   "description": "Black-box & white-box security auditor for web applications with HackTricks techniques",
   "type": "module",
   "main": "scan.js",

package/scan.js

@@ -5,6 +5,8 @@ import { runCrawler } from './src/remote/crawler.js';
 import { runProbe } from './src/remote/probe.js';
 import { scanXxeRemote, scanOauthRemote, scanAccessControlRemote, scanWebCacheDeception, scanParameterPollution, scanFileUpload, scanDomBased, scanHttp2 } from './src/remote/portswigger.js';
 import { scanSamlRemote, scanLdapRemote, scanMfaBypass, scanWebsocketReplay, scanPasswordReset, scanCsrfRemote, scanDanglingDns, scanCloudRemote } from './src/remote/advanced.js';
+import { scanSsrfBypassChains, scanJwtRemoteAdvanced, scanGrpc, scanOpenApi, scanWebrtc, scanStoredDomXss, scanSsiRemote, scanXpathRemote, scanTimingRemote } from './src/remote/complete.js';
+import { scanLlmRemote, scanCssInjectionRemote, scanPostMessageRemote, scanEsiRemote, scanHttp3, scanHpackBomb, scanSmtpRemote, scanDkimReplay } from './src/remote/modern.js';
 
 export async function runRemoteScan(url, spinner, modules = null) {
   const target = new URL(url);
@@ -55,6 +57,22 @@ export async function runRemoteScan(url, spinner, modules = null) {
     { name: 'CSRF Token Analysis (remote)', value: 'csrf', fn: () => scanCsrfRemote(origin, spinner) },
     { name: 'Subdomain Takeover (Dangling DNS)', value: 'takeover', fn: () => scanDanglingDns(hostname, spinner) },
     { name: 'Cloud Metadata SSRF', value: 'cloudmeta', fn: () => scanCloudRemote(origin, spinner) },
+    { name: 'SSRF Bypass Chains', value: 'ssrfbypass', fn: () => scanSsrfBypassChains(origin, spinner) },
+    { name: 'JWT Advanced (kid/none/JWK)', value: 'jwtadv', fn: () => scanJwtRemoteAdvanced(origin, spinner) },
+    { name: 'gRPC Reflection', value: 'grpc', fn: () => scanGrpc(origin, spinner) },
+    { name: 'OpenAPI/Swagger Fuzz', value: 'openapi', fn: () => scanOpenApi(origin, spinner) },
+    { name: 'WebRTC IP Leak', value: 'webrtc', fn: () => scanWebrtc(origin, spinner) },
+    { name: 'Stored/DOM XSS Auto', value: 'storedxss', fn: () => scanStoredDomXss(origin, spinner) },
+    { name: 'SSI Injection Remote', value: 'ssi', fn: () => scanSsiRemote(origin, spinner) },
+    { name: 'XPath Injection Remote', value: 'xpath', fn: () => scanXpathRemote(origin, spinner) },
+    { name: 'Timing Side-Channel', value: 'timing', fn: () => scanTimingRemote(origin, spinner) },
+    { name: 'AI/LLM Prompt Injection', value: 'llmai', fn: () => scanLlmRemote(origin, spinner) },
+    { name: 'CSS Injection/Exfiltration', value: 'css', fn: () => scanCssInjectionRemote(origin, spinner) },
+    { name: 'PostMessage/BroadcastChannel', value: 'postmsg', fn: () => scanPostMessageRemote(origin, spinner) },
+    { name: 'ESI Injection (CDN)', value: 'esi', fn: () => scanEsiRemote(origin, spinner) },
+    { name: 'HTTP/3 QUIC (Modern)', value: 'h3', fn: () => scanHttp3(origin, spinner) },
+    { name: 'HPACK Bomb / Header Overflow', value: 'hpack', fn: () => scanHpackBomb(origin, spinner) },
+    { name: 'SMTP / DKIM Replay', value: 'smtp', fn: () => scanSmtpRemote(origin, spinner) },
   ];
 
   const toRun = modules ? allModules.filter((m) => modules.includes(m.value)) : allModules;

package/src/local/client-proto.js

@@ -0,0 +1,67 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.html', '.htm'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditClientProto(projectPath, spinner) {
+  spinner.text = 'Scanning for client-side prototype pollution gadget chains...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /Object\.assign\s*\(\s*\{\}\s*,\s*(?:req|request|params|query|body|input|data)/gi, name: 'Object.assign with user data (proto sink)', severity: 'HIGH' },
+        { pattern: /\{\s*\.\.\.(?:req|request|params|query|body|input|data)\s*\}/gi, name: 'Spread operator from user input (proto sink)', severity: 'HIGH' },
+        { pattern: /lodash\.merge|_.merge|deepmerge|merge\(.*,\s*(?:req|request|params|body)/gi, name: 'Deep merge with user-controlled data (proto sink)', severity: 'CRITICAL' },
+        { pattern: /\$\.extend\s*\(\s*true\s*,/gi, name: 'jQuery $.extend(deep=true) with user data', severity: 'HIGH' },
+        { pattern: /angular\.merge|angular\.extend/gi, name: 'AngularJS merge/extend with user data', severity: 'HIGH' },
+        { pattern: /Object\.create\s*\(\s*(?:req|request|params|query)/gi, name: 'Object.create with user-controlled prototype', severity: 'MEDIUM' },
+        { pattern: /(?:ajax|xhr|fetch)\s*\.(?:response|send|data).*\.(?:extend|merge|assign)/gi, name: 'AJAX response merged into objects', severity: 'MEDIUM' },
+        { pattern: /JSON\.parse\s*\([^)]*\)\s*\..*(?:extend|merge|assign)/gi, name: 'Parsed JSON merged into objects', severity: 'HIGH' },
+        { pattern: /(?:location\.hash|location\.search|document\.cookie|window\.name)\s*.*(?:extend|merge|assign|parse)/gi, name: 'DOM source merged into objects (proto via URL/cookie)', severity: 'CRITICAL' },
+        { pattern: /(?:window|global|self|globalThis)\.Object\.defineProperty/gi, name: 'Object.defineProperty on global (proto tamper)', severity: 'CRITICAL' },
+        { pattern: /sanitize-html|dompurify|xss-filters/gi, name: 'XSS filter bypass via proto (gadget target)', severity: 'MEDIUM' },
+        { pattern: /Object\.freeze\s*\(\s*Object\.prototype\s*\)/gi, name: 'Object.freeze on prototype (mitigation)', severity: 'INFO' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Client-Side Proto Pollution',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Strip __proto__ and constructor.prototype properties before merging. Use Object.create(null) for dictionaries. Freeze Object.prototype if needing global protection. Use JSON schema validation instead of raw merging. Avoid deep merge from untrusted sources.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/css-injection.js

@@ -0,0 +1,67 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.css', '.scss', '.less', '.html', '.htm', '.jsx', '.tsx', '.vue', '.svelte', '.astro'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditCssInjection(projectPath, spinner) {
+  spinner.text = 'Scanning for CSS injection/exfiltration vectors...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /style\s*=\s*(?:req|request|params|query|body|user|input)/gi, name: 'Inline style from user input', severity: 'HIGH' },
+        { pattern: /(<style[^>]*>).*\$\{.*(?:req|params|body|input)/gi, name: 'Style tag with user input', severity: 'HIGH' },
+        { pattern: /css\s*[(`]\$\{/gi, name: 'CSS template literal with user input', severity: 'MEDIUM' },
+        { pattern: /(\[class(?:\^|\*|\$)?=(["']?)[^\]]*["']?\]|attr\(|content:\s*attr)/gi, name: 'CSS attribute selector (data exfiltration)', severity: 'MEDIUM' },
+        { pattern: /@font-face\s*\{[^}]*src:\s*url\s*\(/gi, name: '@font-face with external URL (char-by-char exfil)', severity: 'HIGH' },
+        { pattern: /@import\s+url\s*\(.*\);/gi, name: 'CSS @import (external CSS injection)', severity: 'MEDIUM' },
+        { pattern: /background(?:-image)?:\s*url\s*\(/gi, name: 'CSS background-image (exfiltration channel)', severity: 'MEDIUM' },
+        { pattern: /::?value|::-webkit-input-placeholder|::-moz-placeholder/gi, name: 'CSS pseudo-element selectors', severity: 'LOW' },
+        { pattern: /unicode-range|U\+/gi, name: 'CSS unicode-range (char exfiltration via font)', severity: 'HIGH' },
+        { pattern: /animation-name|keyframes|animation-duration/gi, name: 'CSS animations (timing-based exfiltration)', severity: 'LOW' },
+        { pattern: /content\s*:\s*attr\s*\([^)]*\)/gi, name: 'CSS content: attr() (attribute exfiltration)', severity: 'HIGH' },
+        { pattern: /input\[type=(["']?)password["']?\].*background-image|input\[type=(["']?)password["']?\].*@font-face/gi, name: 'CSS keylogger pattern (password exfiltration)', severity: 'CRITICAL' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'CSS Injection/Exfiltration',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Sanitize user input reflected in CSS/style attributes. Use strict CSP with nonce/hash (not unsafe-inline). For CSS exfiltration: limit input length, use content-based exfil detection, disable @font-face loading from external sources.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/csti.js

@@ -0,0 +1,71 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditCsti(projectPath, spinner) {
+  spinner.text = 'Scanning for client-side template injection...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /\{\{.+\}\}/g, name: 'AngularJS double-curly expression', severity: 'INFO' },
+        { pattern: /ng-app|ng-controller|ng-bind-html|ng-non-bindable/gi, name: 'AngularJS bindings detected', severity: 'INFO' },
+        { pattern: /\$sce\.trustAsHtml|\$sceProvider\.enabled\s*\(\s*false/gi, name: 'AngularJS SCE disabled/untrusted HTML', severity: 'HIGH' },
+        { pattern: /ng-bind-html\s*=\s*(?:req|request|params|query|body)/gi, name: 'AngularJS ng-bind-html with user input', severity: 'HIGH' },
+        { pattern: /angular\.module.*run\s*\(/gi, name: 'AngularJS module detected', severity: 'INFO' },
+        { pattern: /v-html\s*=\s*(?:req|params|query|body)/gi, name: 'Vue v-html with user input', severity: 'HIGH' },
+        { pattern: /v-bind:src|:src\s*=\s*['"`]\{\{/gi, name: 'Vue dynamic src binding', severity: 'MEDIUM' },
+        { pattern: /Vue\.compile\s*\(|new\s+Vue\s*\(|createApp\s*\(/gi, name: 'Vue instance detected', severity: 'INFO' },
+        { pattern: /React\.createElement|ReactDOM\.render|createRoot\s*\(/gi, name: 'React rendering detected', severity: 'INFO' },
+        { pattern: /dangerouslySetInnerHTML\s*:\s*\{\s*__html\s*:\s*(?:req|params|query|body)/gi, name: 'React dangerouslySetInnerHTML with user input', severity: 'HIGH' },
+        { pattern: /Svelte.*\$set|Svelte.*\$\$invalidate|Svelte.*dangerously/gi, name: 'Svelte dynamic updates', severity: 'MEDIUM' },
+        { pattern: /TemplateRef|ViewContainerRef|ComponentFactoryResolver/gi, name: 'Angular dynamic component (XSS surface)', severity: 'MEDIUM' },
+        { pattern: /bypassSecurityTrustHtml\s*\(/gi, name: 'Angular bypassSecurityTrustHtml', severity: 'HIGH' },
+        { pattern: /bypassSecurityTrustScript|bypassSecurityTrustResourceUrl/gi, name: 'Angular bypassSecurityTrust (unsafe)', severity: 'HIGH' },
+        { pattern: /ElementRef\.nativeElement\.innerHTML/gi, name: 'Angular ElementRef innerHTML', severity: 'MEDIUM' },
+        { pattern: /sanitizeHtml|DOMPurify\.sanitize/gi, name: 'HTML sanitization used (good)', severity: 'INFO' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Client-Side Template Injection (CSTI)',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Never bind user input to v-html/dangerouslySetInnerHTML/ng-bind-html. Use DOMPurify for sanitization. Avoid bypassSecurityTrust* APIs. Use Angular default sanitizer. For Vue, use v-text instead of v-html.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/electron.js

@@ -0,0 +1,68 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.html', '.htm', '.json', '.env'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditElectron(projectPath, spinner) {
+  spinner.text = 'Scanning for Electron/ReactNative security issues...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /contextIsolation\s*:\s*false/gi, name: 'contextIsolation disabled (preload bridge exposed)', severity: 'CRITICAL' },
+        { pattern: /nodeIntegration\s*:\s*true/gi, name: 'nodeIntegration enabled (Node API in renderer)', severity: 'CRITICAL' },
+        { pattern: /sandbox\s*:\s*false/gi, name: 'Electron sandbox disabled', severity: 'HIGH' },
+        { pattern: /webSecurity\s*:\s*false/gi, name: 'Electron webSecurity disabled (CORS/navigation bypass)', severity: 'HIGH' },
+        { pattern: /allowRunningInsecureContent\s*:\s*true/gi, name: 'Electron mixed content allowed', severity: 'HIGH' },
+        { pattern: /preload\s*:\s*path\.join\s*\(\s*__dirname\s*,\s*['"][^'"]*['"]\s*\)/gi, name: 'preload script from user-controllable path', severity: 'CRITICAL' },
+        { pattern: /nodeIntegrationInSubFrames\s*:\s*true/gi, name: 'Node integration in iframes (XSS→RCE)', severity: 'CRITICAL' },
+        { pattern: /shell\.openExternal\s*\(\s*(?:req|request|params|user|input)/gi, name: 'shell.openExternal with user input (command injection)', severity: 'CRITICAL' },
+        { pattern: /electron\.ipcRenderer|ipcRenderer\.(?:on|send|invoke)/gi, name: 'Electron IPC usage (check handler auth)', severity: 'MEDIUM' },
+        { pattern: /dialog\.showOpenDialog|dialog\.showSaveDialog/gi, name: 'Electron file dialog (check path traversal)', severity: 'MEDIUM' },
+        { pattern: /(?:React\.Native|react-native).*(?:DEBUG|dev_mode)\s*=\s*true/gi, name: 'ReactNative debug mode enabled', severity: 'HIGH' },
+        { pattern: /enableJSCWrapper|enableHermesDebugger/gi, name: 'RN JS debugger enabled', severity: 'MEDIUM' },
+        { pattern: /(?:WebView|WKWebView).*originWhitelist|allowsInlineMediaPlayback/gi, name: 'RN WebView config (check allowlist)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Electron / React Native',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Enable contextIsolation and sandbox. Disable nodeIntegration in renderer. Sanitize all ipcRenderer.send arguments. Validate shell.openExternal URLs. Use allowlist for originWhitelist in RN WebView. Disable debug mode in production builds.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/index.js

@@ -24,6 +24,19 @@ import { auditCloud } from './cloud.js';
 import { auditCicd } from './cicd.js';
 import { auditMobile } from './mobile.js';
 import { auditWeb3 } from './web3.js';
+import { auditXpathSsi } from './xpath-ssi.js';
+import { auditTiming } from './timing.js';
+import { auditJwtAdvanced } from './jwt-advanced.js';
+import { auditCsti } from './csti.js';
+import { auditServiceWorker } from './service-worker.js';
+import { auditPaddingOracle } from './padding-oracle.js';
+import { auditLlmAi } from './llm-ai.js';
+import { auditCssInjection } from './css-injection.js';
+import { auditPostMessage } from './postmessage.js';
+import { auditElectron } from './electron.js';
+import { auditWebauthn } from './webauthn.js';
+import { auditSupplyChainAdvanced } from './supply-chain-advanced.js';
+import { auditClientProto } from './client-proto.js';
 
 export const LOCAL_MODULES = [
   { name: 'Code Secrets', value: 'secrets', fn: auditSecrets },
@@ -52,6 +65,19 @@ export const LOCAL_MODULES = [
   { name: 'CI/CD Pipeline', value: 'cicd', fn: auditCicd },
   { name: 'Mobile Security', value: 'mobile', fn: auditMobile },
   { name: 'Web3 / Smart Contracts', value: 'web3', fn: auditWeb3 },
+  { name: 'XPath / SSI Injection', value: 'xpath', fn: auditXpathSsi },
+  { name: 'Timing Side-Channels', value: 'timing', fn: auditTiming },
+  { name: 'JWT Advanced (kid, JWK, jku)', value: 'jwtadv', fn: auditJwtAdvanced },
+  { name: 'Client-Side Template Injection (CSTI)', value: 'csti', fn: auditCsti },
+  { name: 'Service Worker / WebRTC', value: 'sworker', fn: auditServiceWorker },
+  { name: 'Padding / Compression Oracle', value: 'padding', fn: auditPaddingOracle },
+  { name: 'AI/LLM Prompt Injection', value: 'llmai', fn: auditLlmAi },
+  { name: 'CSS Injection/Exfiltration', value: 'css', fn: auditCssInjection },
+  { name: 'PostMessage / BroadcastChannel', value: 'postmsg', fn: auditPostMessage },
+  { name: 'Electron / React Native', value: 'electron', fn: auditElectron },
+  { name: 'WebAuthn / Passkeys', value: 'passkey', fn: auditWebauthn },
+  { name: 'Supply Chain (dep confusion, lockfile)', value: 'supply', fn: auditSupplyChainAdvanced },
+  { name: 'Client-Side Proto Pollution Gadgets', value: 'cproto', fn: auditClientProto },
 ];
 
 export async function runLocalAudit(projectPath, spinner, modules = null) {

package/src/local/jwt-advanced.js

@@ -0,0 +1,70 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java', '.json', '.env'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditJwtAdvanced(projectPath, spinner) {
+  spinner.text = 'Scanning for advanced JWT attacks (kid, JWK, jku)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:kid|keyId|key_id)\s*[:=]\s*(?:req|request|params|query|body|input)/gi, name: 'Key ID (kid) from user input - path traversal/LFI attack', severity: 'CRITICAL' },
+        { pattern: /jwk\s*[:=]\s*(?:req|request|params|query|body)/gi, name: 'JWK from user input - key injection', severity: 'CRITICAL' },
+        { pattern: /jku\s*[:=]\s*(?:req|request|params|query|body)/gi, name: 'jku (JWK Set URL) from user input - SSRF', severity: 'CRITICAL' },
+        { pattern: /x5u\s*[:=]\s*(?:req|request|params|query|body)/gi, name: 'x5u URL from user input', severity: 'CRITICAL' },
+        { pattern: /x5c\s*[:=]\s*(?:req|request|params|query|body)/gi, name: 'x5c certificate from user input', severity: 'CRITICAL' },
+        { pattern: /algorithm\s*[:=]\s*['"]none['"]|alg\s*:\s*['"]none['"]/gi, name: 'Algorithm "none" accepted', severity: 'CRITICAL' },
+        { pattern: /algorithms\s*:\s*\[.*['"]HS256['"].*\]|algorithm\s*:\s*['"]HS256['"]/gi, name: 'HS256 algorithm (key confusion vector)', severity: 'HIGH' },
+        { pattern: /(?:verify|validate)\s*\(\s*(?:token|jwt)\s*,\s*(?:secret|key)\s*,?\s*\{[^}]*algorithms?\s*:\s*\[/gi, name: 'JWT verify with algorithm whitelist', severity: 'INFO' },
+        { pattern: /jwt\.(?:decode|sign|verify).*complete\s*:\s*true/gi, name: 'jwt.io format (complete decode)', severity: 'LOW' },
+        { pattern: /jsonwebtoken|jose|jwk-to-pem|jwt-simple|njwt/gi, name: 'JWT library usage', severity: 'INFO' },
+        { pattern: /(?:publicKey|public_key|pubkey)\s*[:=]\s*(?:req|request|params|query|body)/gi, name: 'Public key from user input (key confusion)', severity: 'CRITICAL' },
+        { pattern: /(?:jwt|token|bearer).*(?:header|payload)\s*.*(?:decode|parse|split|extract)\s*\(/gi, name: 'JWT header/payload parsing (check algorithm handling)', severity: 'MEDIUM' },
+        { pattern: /jwt\.sign\s*\(\s*[^,]*,\s*['"][a-zA-Z0-9]{1,16}['"]/gi, name: 'Weak JWT signing secret (<16 chars)', severity: 'HIGH' },
+        { pattern: /(?:secret|jwtSecret|JWT_SECRET)\s*=\s*['"]?[a-zA-Z0-9]{1,24}['"]?/gi, name: 'Short JWT secret in code', severity: 'HIGH' },
+        { pattern: /crypto\.createPublicKey|crypto\.createPrivateKey/gi, name: 'crypto key creation (check source)', severity: 'INFO' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'JWT Advanced Attacks',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Whitelist allowed algorithms (e.g., ["RS256"]). Never use "none" algorithm. Do not accept kid/jwk/jku/x5u from untrusted input. Use asymmetric signing (RS256/ES256). Validate kid against a trusted key store, not a file path. Check for key confusion: if using RS256 ensure public key is not accepted as HMAC secret.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/llm-ai.js

@@ -0,0 +1,67 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditLlmAi(projectPath, spinner) {
+  spinner.text = 'Scanning for AI/LLM prompt injection vectors...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /system.?prompt|systemPrompt|system_message/gi, name: 'System prompt defined (extraction target)', severity: 'INFO' },
+        { pattern: /(?:chat|completion|completions|generate|ask|query).*(?:req|request|params|query|body|user|input|message)/gi, name: 'LLM completion with user input', severity: 'HIGH' },
+        { pattern: /(?:tools|functions|function_call|tool_choice).*(?:req|request|params|query|body)/gi, name: 'LLM tool call from user input', severity: 'CRITICAL' },
+        { pattern: /(?:ignore|forget|disregard).*(?:previous|above|instructions|rules|prompt)/gi, name: 'No prompt injection guard (ignore instructions)', severity: 'HIGH' },
+        { pattern: /fetch_url|open_url|read_file|execute_code|run_shell/gi, name: 'LLM tool that can fetch/execute', severity: 'CRITICAL' },
+        { pattern: /(?:RAG|retrieval|embedding|vector_store|pinecone|chroma|weaviate|qdrant)/gi, name: 'RAG pipeline (indirect injection target)', severity: 'MEDIUM' },
+        { pattern: /(?:anthropic|openai|cohere|googleai|gemini|vertex.?ai|claude|gpt)/gi, name: 'AI provider library usage', severity: 'INFO' },
+        { pattern: /(?:function_call|functionCall|tool_use|toolUse).*(?:auto|any)/gi, name: 'LLM auto-invokes tools (dangerous)', severity: 'HIGH' },
+        { pattern: /(?:system|instruction|prompt)\s*[:=]\s*['"`][^'"`]{20,}/gi, name: 'System prompt hardcoded in source', severity: 'MEDIUM' },
+        { pattern: /(?:max_tokens|maxTokens|max_completion_tokens).*(?:req|request|body)/gi, name: 'LLM token limit from user', severity: 'LOW' },
+        { pattern: /(?:assistant|agent|copilot|chatbot|llm).*(?:reply|respond|say|write|tell|send)/gi, name: 'LLM agent output pipeline', severity: 'INFO' },
+        { pattern: /\\\\u[eE][0-9a-fA-F]|unicode.*tag.*block|U\+E[0-9A-F]{4}/gi, name: 'Unicode/ASCII smuggling tech reference', severity: 'LOW' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'AI/LLM Prompt Injection',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use structured input/output separation. Do not concatenate user input into system prompts. Restrict tool-use to safe operations. Rate-limit LLM interactions. Sanitize RAG document inputs (indirect injection). Never let LLM execute code directly.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/padding-oracle.js

@@ -0,0 +1,66 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java', '.c', '.cpp', '.cs'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditPaddingOracle(projectPath, spinner) {
+  spinner.text = 'Scanning for padding/comression oracle vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:decrypt|decipher|unpad)\s*\([^)]*\)\s*(?:catch|if.*error)/gi, name: 'Decryption with error handling (padding oracle)', severity: 'HIGH' },
+        { pattern: /(?:padding|decrypt)\s*(?:bad|invalid|wrong|error|fail)/gi, name: 'Decryption error message (padding oracle indicator)', severity: 'HIGH' },
+        { pattern: /CBC|cipher\.final|cipher\.update/gi, name: 'CBC mode encryption (padding oracle vector)', severity: 'MEDIUM' },
+        { pattern: /createDecipheriv\s*\(\s*['"](?:aes|des)-.*-(?:cbc|ecb)/gi, name: 'CBC/ECB mode decrypt (potential padding oracle)', severity: 'MEDIUM' },
+        { pattern: /(?:error|exception|err)\s*\(\s*['"](?:bad|invalid|wrong) (?:padding|decrypt|cipher)/gi, name: 'Padding error in response', severity: 'HIGH' },
+        { pattern: /OAEP|RSASSA-PSS|RSAES-OAEP/gi, name: 'RSA OAEP padding (good)', severity: 'INFO' },
+        { pattern: /PKCS|pkcs/i, name: 'PKCS padding reference', severity: 'INFO' },
+        { pattern: /gzip|deflate|compress|zlib|Content-Encoding/gi, name: 'Compression usage (CRIME/BREACH vector)', severity: 'LOW' },
+        { pattern: /(?:token|session|cookie|jwt).*(?:compress|gzip|deflate)/gi, name: 'Compression of secrets/tokens (CRIME/BREACH)', severity: 'MEDIUM' },
+        { pattern: /(?:https|tls|ssl).*(?:compress|gzip|deflate)/gi, name: 'TLS compression reference (CRIME)', severity: 'MEDIUM' },
+        { pattern: /\bcrypto\.createDecipheriv\b/gi, name: 'Node.js createDecipheriv (check error handling)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Padding / Compression Oracle',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use authenticated encryption (AES-GCM, ChaCha20-Poly1305) instead of CBC. Never leak decryption errors to clients. Add random MAC before encrypting. Disable TLS compression. Avoid compressing response bodies that contain secrets or CSRF tokens.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}