redgun-security 1.4.1 → 2.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "redgun-security",
-  "version": "1.4.1",
+  "version": "2.0.0",
   "description": "Black-box & white-box security auditor for web applications with HackTricks techniques",
   "type": "module",
   "main": "scan.js",

package/scan.js

@@ -7,6 +7,7 @@ import { scanXxeRemote, scanOauthRemote, scanAccessControlRemote, scanWebCacheDe
 import { scanSamlRemote, scanLdapRemote, scanMfaBypass, scanWebsocketReplay, scanPasswordReset, scanCsrfRemote, scanDanglingDns, scanCloudRemote } from './src/remote/advanced.js';
 import { scanSsrfBypassChains, scanJwtRemoteAdvanced, scanGrpc, scanOpenApi, scanWebrtc, scanStoredDomXss, scanSsiRemote, scanXpathRemote, scanTimingRemote } from './src/remote/complete.js';
 import { scanLlmRemote, scanCssInjectionRemote, scanPostMessageRemote, scanEsiRemote, scanHttp3, scanHpackBomb, scanSmtpRemote, scanDkimReplay } from './src/remote/modern.js';
+import { validateFindings } from './src/core/validator.js';
 
 export async function runRemoteScan(url, spinner, modules = null) {
   const target = new URL(url);
@@ -85,6 +86,9 @@ export async function runRemoteScan(url, spinner, modules = null) {
       // Module failed silently
     }
   }
+
+  spinner.text = '[Validation] Verifying findings...';
+  await validateFindings(origin, spinner);
 }
 
 async function scanHeaders(origin, spinner) {

package/src/core/findings.js

@@ -8,9 +8,19 @@ export function addFinding(severity, module, title, details, fix) {
     details,
     fix,
     timestamp: new Date().toISOString(),
+    validated: false,
+    confidence: 0,
+    exploitability: null,
+    validationNote: null,
   });
 }
 
+export function updateFinding(index, updates) {
+  if (findings[index]) {
+    Object.assign(findings[index], updates);
+  }
+}
+
 export function getFindings() {
   return [...findings];
 }
@@ -27,6 +37,14 @@ export function getFindingsByModule(module) {
   return findings.filter((f) => f.module === module);
 }
 
+export function removeFalsePositives() {
+  for (let i = findings.length - 1; i >= 0; i--) {
+    if (findings[i].validated && findings[i].confidence < 30) {
+      findings.splice(i, 1);
+    }
+  }
+}
+
 export function getSeverityCounts() {
   return {
     critical: findings.filter((f) => f.severity === 'CRITICAL').length,
@@ -36,3 +54,12 @@ export function getSeverityCounts() {
     info: findings.filter((f) => f.severity === 'INFO').length,
   };
 }
+
+export function getValidationStats() {
+  const total = findings.length;
+  const validated = findings.filter((f) => f.validated).length;
+  const confirmed = findings.filter((f) => f.validated && f.exploitability === 'confirmed').length;
+  const inconclusive = findings.filter((f) => f.validated && f.exploitability === 'inconclusive').length;
+  const rejected = findings.filter((f) => f.validated && f.exploitability === 'rejected').length;
+  return { total, validated, confirmed, inconclusive, rejected };
+}

package/src/core/reporter/console.js

@@ -1,5 +1,5 @@
 import chalk from 'chalk';
-import { getFindings, getSeverityCounts } from '../findings.js';
+import { getFindings, getSeverityCounts, getValidationStats } from '../findings.js';
 import { calculateScore, getGrade } from '../score.js';
 
 const SEVERITY_COLORS = {
@@ -28,6 +28,7 @@ export function printResults() {
   const score = calculateScore();
   const grade = getGrade(score);
   const counts = getSeverityCounts();
+  const vstats = getValidationStats();
 
   console.log('\n' + chalk.bold('═══════════════════════════════════════════════════════'));
   console.log(chalk.bold('  SCAN RESULTS'));
@@ -43,6 +44,18 @@ export function printResults() {
   console.log(`  ${SEVERITY_COLORS.INFO(' INFO ')} ${counts.info}`);
   console.log('');
 
+  if (vstats.validated > 0) {
+    console.log(chalk.bold('  VALIDATION RESULTS'));
+    console.log(`  ${chalk.green('✓ Confirmed')}: ${vstats.confirmed}  ` +
+      `${chalk.yellow('? Inconclusive')}: ${vstats.inconclusive}  ` +
+      `${chalk.red('✗ Rejected')}: ${vstats.rejected}`);
+    console.log(`  ${chalk.gray('False positives eliminated:')} ${vstats.total - findings.length}`);
+    if (vstats.rejected > 0) {
+      console.log(`  ${chalk.red.bold('  ' + vstats.rejected + ' findings downgraded/removed after validation')}`);
+    }
+    console.log('');
+  }
+
   const grouped = {};
   for (const finding of findings) {
     if (!grouped[finding.module]) grouped[finding.module] = [];
@@ -53,8 +66,22 @@ export function printResults() {
     console.log(chalk.bold(`\n  ┌─ ${module}`));
     for (const f of moduleFindings) {
       const color = SEVERITY_COLORS[f.severity] || chalk.white;
-      console.log(`  │ ${color(`[${f.severity}]`)} ${f.title}`);
+      let confidenceBar = '';
+      if (f.validated && f.confidence > 0) {
+        const barWidth = Math.round(f.confidence / 10);
+        const barColor = f.confidence >= 70 ? chalk.green : f.confidence >= 40 ? chalk.yellow : chalk.red;
+        confidenceBar = `  ${barColor('█'.repeat(barWidth) + '░'.repeat(10 - barWidth))} ${f.confidence}%`;
+      }
+      const badge = f.validated
+        ? (f.exploitability === 'confirmed' ? chalk.green.bold(' ✓CONFIRMED') :
+           f.exploitability === 'rejected' ? chalk.red.bold(' ✗REJECTED') : chalk.yellow.bold(' ?INCONCLUSIVE'))
+        : chalk.gray(' UNVERIFIED');
+      console.log(`  │ ${color(`[${f.severity}]`)} ${f.title}${badge}`);
+      if (confidenceBar) console.log(`  │  ${confidenceBar}`);
       if (f.details) console.log(`  │   ${chalk.gray(f.details.substring(0, 120))}`);
+      if (f.validationNote && f.validated) {
+        console.log(`  │   ${chalk.magenta('Validation:')} ${f.validationNote.substring(0, 120)}`);
+      }
       if (f.fix) console.log(`  │   ${chalk.green('Fix:')} ${f.fix.substring(0, 120)}`);
     }
     console.log('  └─');

package/src/core/reporter/html.js

@@ -1,6 +1,6 @@
 import { writeFileSync, mkdirSync, existsSync } from 'fs';
 import { join } from 'path';
-import { getFindings, getSeverityCounts } from '../findings.js';
+import { getFindings, getSeverityCounts, getValidationStats } from '../findings.js';
 import { calculateScore, getGrade, getGradeColor } from '../score.js';
 
 export function exportHtml(outputDir = './scans') {
@@ -15,6 +15,7 @@ export function exportHtml(outputDir = './scans') {
   const grade = getGrade(score);
   const gradeColor = getGradeColor(grade);
   const counts = getSeverityCounts();
+  const vstats = getValidationStats();
   const findings = getFindings();
 
   const grouped = {};
@@ -37,10 +38,20 @@ export function exportHtml(outputDir = './scans') {
     if (!grouped[sev] || grouped[sev].length === 0) continue;
     findingsHtml += `<h3 style="color:${severityColors[sev]}">${sev} (${grouped[sev].length})</h3>`;
     for (const f of grouped[sev]) {
+      const vBadge = f.validated
+        ? (f.exploitability === 'confirmed' ? '<span style="background:#238636;color:#fff;padding:1px 6px;border-radius:3px;font-size:0.8em">CONFIRMED</span>'
+          : f.exploitability === 'rejected' ? '<span style="background:#da3633;color:#fff;padding:1px 6px;border-radius:3px;font-size:0.8em">REJECTED</span>'
+          : '<span style="background:#d29922;color:#fff;padding:1px 6px;border-radius:3px;font-size:0.8em">INCONCLUSIVE</span>')
+        : '';
+      const confidenceBar = f.validated && f.confidence > 0
+        ? `<div style="margin:4px 0;background:#21262d;border-radius:4px;height:6px"><div style="width:${f.confidence}%;height:6px;border-radius:4px;background:${f.confidence >= 70 ? '#238636' : f.confidence >= 40 ? '#d29922' : '#da3633'}"></div></div><span style="font-size:0.8em;color:#8b949e">Confidence: ${f.confidence}%</span>`
+        : '';
       findingsHtml += `
         <div class="finding" style="border-left:4px solid ${severityColors[sev]}">
-          <strong>[${f.module}]</strong> ${escapeHtml(f.title)}
+          <strong>[${f.module}]</strong> ${escapeHtml(f.title)} ${vBadge}
+          ${confidenceBar}
           ${f.details ? `<p class="details">${escapeHtml(f.details)}</p>` : ''}
+          ${f.validationNote && f.validated ? `<p class="valnote" style="color:#d2a8ff;font-size:0.9em">Validation: ${escapeHtml(f.validationNote)}</p>` : ''}
           ${f.fix ? `<p class="fix"><strong>Fix:</strong> ${escapeHtml(f.fix)}</p>` : ''}
         </div>`;
     }
@@ -86,6 +97,15 @@ export function exportHtml(outputDir = './scans') {
         <div class="count-item"><div class="count-num" style="color:#9e9e9e">${counts.info}</div>Info</div>
       </div>
     </div>
+    ${vstats.validated > 0 ? `
+    <div style="background:#161b22;border-radius:12px;padding:1rem;margin:1rem 0;text-align:center">
+      <strong style="color:#58a6ff">Validation Results</strong>
+      <div class="counts" style="margin-top:0.5rem">
+        <div class="count-item"><div class="count-num" style="color:#238636">${vstats.confirmed}</div>Confirmed</div>
+        <div class="count-item"><div class="count-num" style="color:#d29922">${vstats.inconclusive}</div>Inconclusive</div>
+        <div class="count-item"><div class="count-num" style="color:#da3633">${vstats.rejected}</div>Rejected</div>
+      </div>
+    </div>` : ''}
     <h2>Findings (${findings.length} total)</h2>
     ${findingsHtml}
     <div class="footer">

package/src/core/validator.js

@@ -0,0 +1,375 @@
+import { getFindings, updateFinding, removeFalsePositives } from './findings.js';
+import { fetchText } from '../utils/fetch.js';
+
+export async function validateFindings(origin, spinner) {
+  const findings = getFindings();
+  let validated = 0;
+  let fpRemoved = 0;
+
+  for (let i = 0; i < findings.length; i++) {
+    const f = findings[i];
+    spinner.text = `Validating: ${f.module} [${validated + 1}/${findings.length}]`;
+
+    try {
+      switch (true) {
+        case f.title.toLowerCase().includes('sql injection'):
+          await validateSqli(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('xss'):
+          await validateXss(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('ssrf'):
+          await validateSsrf(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('lfi') || f.title.toLowerCase().includes('path traversal'):
+          await validateLfi(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('jwt') && f.title.toLowerCase().includes('none'):
+          await validateJwtNone(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('open redirect'):
+          await validateOpenRedirect(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('cors'):
+          await validateCors(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('nosql injection'):
+          await validateNosql(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('command injection'):
+          await validateCommandInjection(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('no clickjacking') || f.title.toLowerCase().includes('x-frame-options'):
+          await validateClickjacking(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('missing') && f.module === 'HTTP Headers':
+          await validateHeaders(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('accessible') && f.module === 'Exposed Files':
+          await validateExposedFile(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('saml'):
+          await validateSaml(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('ldap'):
+          await validateLdap(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('no csrf'):
+          await validateCsrf(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('http method') && f.title.toLowerCase().includes('trace'):
+          await validateTrace(origin, f, i);
+          break;
+        default:
+          await genericValidation(origin, f, i);
+      }
+    } catch {}
+
+    validated++;
+  }
+
+  fpRemoved = findings.length - getFindings().length;
+  removeFalsePositives();
+
+  spinner.text = `Validation complete: ${validated}d ${fpRemoved} FP removed`;
+  return { validated, falsePositivesRemoved: fpRemoved };
+}
+
+async function validateSqli(origin, f, idx) {
+  const testUrl = origin + '/?id=1%27%20UNION%20SELECT%20NULL--';
+  try {
+    const resp = await fetchText(testUrl, {}, 8000);
+    if (/UNION|SELECT|syntax|error.*SQL|mysql|postgresql|sqlite|ORA-|Microsoft SQL/i.test(resp.body)) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 90, validationNote: 'Database error confirmed via UNION SELECT probe' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 45, validationNote: 'No database error on UNION probe — may be parameterized or WAF-blocked' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'Validation request failed (timeout/connection error)' });
+  }
+}
+
+async function validateXss(origin, f, idx) {
+  const testUrl = origin + '/?q=<script>alert(1)<%2fscript>';
+  try {
+    const resp = await fetchText(testUrl, {}, 5000);
+    if (resp.body.includes('<script>alert(1)')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 95, validationNote: 'XSS payload reflected unescaped in response' });
+    } else if (resp.body.includes('alert(1)')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 80, validationNote: 'alert(1) reflected but script tags may be stripped' });
+    } else if (resp.body.includes('&lt;script&gt;') || resp.body.includes('&lt;')) {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 15, validationNote: 'Input properly HTML-encoded — XSS unlikely' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 40, validationNote: 'Payload not reflected — may be parameter-specific' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'Validation request failed' });
+  }
+}
+
+async function validateSsrf(origin, f, idx) {
+  try {
+    const startTime = Date.now();
+    await fetchText(origin + '/?url=http://169.254.169.254/latest/meta-data/', {}, 8000);
+    const elapsed = Date.now() - startTime;
+
+    if (elapsed < 1000) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 85, validationNote: `Metadata endpoint responded quickly (${elapsed}ms) — SSRF likely` });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 50, validationNote: `Response took ${elapsed}ms — may be blocked or timing out` });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'SSRF probe timed out or connection refused' });
+  }
+}
+
+async function validateLfi(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin + '/?file=../../../etc/passwd', {}, 5000);
+    if (resp.body.includes('root:x:0:')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 98, validationNote: '/etc/passwd file retrieved successfully' });
+    } else if (resp.body.includes('root') && resp.body.includes('/bin/')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 85, validationNote: 'File contents contain system paths — LFI likely' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 35, validationNote: 'No passwd data returned — try different encoding bypasses' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 20, validationNote: 'LFI probe failed' });
+  }
+}
+
+async function validateJwtNone(origin, f, idx) {
+  const header = btoa(JSON.stringify({ alg: 'none', typ: 'JWT' }));
+  const payload = btoa(JSON.stringify({ sub: 'admin', role: 'admin', exp: 9999999999 }));
+  const token = `${header}.${payload}.`;
+
+  try {
+    const resp = await fetchText(origin + '/api/me', {
+      headers: { Authorization: `Bearer ${token}` },
+    }, 5000);
+
+    if (resp.status === 200) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 99, validationNote: 'JWT alg=none accepted — complete auth bypass' });
+    } else if (resp.status === 401 || resp.status === 403) {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 10, validationNote: 'Server rejected unsigned JWT — "none" attack blocked' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 40, validationNote: `Unexpected response ${resp.status}` });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'JWT validation failed' });
+  }
+}
+
+async function validateOpenRedirect(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin + '/?redirect=https://evil.com', { redirect: 'manual' }, 5000);
+    const location = resp.headers['location'] || '';
+
+    if (location.includes('evil.com')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 95, validationNote: 'Redirect to external domain confirmed' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 20, validationNote: 'Redirect blocked or sanitized' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'Redirect validation failed' });
+  }
+}
+
+async function validateCors(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin, { headers: { Origin: 'https://evil.com' } });
+    const acao = resp.headers['access-control-allow-origin'] || '';
+    const acac = resp.headers['access-control-allow-credentials'] || '';
+
+    if (acao === '*' && acac === 'true') {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 98, validationNote: 'CORS wildcard with credentials — full cross-origin data theft' });
+    } else if (acao === 'https://evil.com') {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 90, validationNote: 'CORS reflects arbitrary origin' });
+    } else if (acao === 'null') {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 75, validationNote: 'CORS allows null origin' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 15, validationNote: 'CORS does not reflect test origin' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'CORS validation failed' });
+  }
+}
+
+async function validateNosql(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin + '/api/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ username: { $ne: '' }, password: { $ne: '' } }),
+    }, 5000);
+
+    if (resp.status === 200 && /token|session|success|welcome|user/i.test(resp.body)) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 95, validationNote: 'NoSQL auth bypass confirmed — $ne operator accepted' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 40, validationNote: 'NoSQL auth bypass not directly confirmed' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'NoSQL validation failed' });
+  }
+}
+
+async function validateCommandInjection(origin, f, idx) {
+  const startTime = Date.now();
+  try {
+    await fetchText(origin + '/?cmd=sleep+3', {}, 8000);
+    const elapsed = Date.now() - startTime;
+
+    if (elapsed > 2500) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 85, validationNote: `sleep 3 confirmed — response took ${elapsed}ms` });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 35, validationNote: `Response was ${elapsed}ms — sleep did not trigger` });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 20, validationNote: 'Command injection validation failed' });
+  }
+}
+
+async function validateClickjacking(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin);
+    const xfo = resp.headers['x-frame-options'] || '';
+    const csp = resp.headers['content-security-policy'] || '';
+
+    if (!xfo && !csp.includes('frame-ancestors')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 85, validationNote: 'Confirmed — no X-Frame-Options or frame-ancestors CSP' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 5, validationNote: 'Clickjacking protection found on re-check' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'Could not verify clickjacking' });
+  }
+}
+
+async function validateHeaders(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin);
+    const headerName = f.title.toLowerCase().match(/missing ([\w-]+)/)?.[1] || '';
+
+    if (headerName && resp.headers[headerName]) {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 5, validationNote: `${headerName} found on re-check — false positive` });
+    } else if (headerName && !resp.headers[headerName]) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 90, validationNote: `Confirmed — ${headerName} still missing` });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 50, validationNote: 'Header presence could not be verified' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'Header validation failed' });
+  }
+}
+
+async function validateExposedFile(origin, f, idx) {
+  const pathMatch = f.title.match(/Accessible: (.+)/);
+  if (!pathMatch) {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 40, validationNote: 'Could not parse path from finding' });
+    return;
+  }
+
+  try {
+    const resp = await fetchText(origin + pathMatch[1], {}, 5000);
+    if (resp.status === 200 && resp.body.length > 10) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 90, validationNote: `Confirmed — ${pathMatch[1]} still accessible (${resp.body.length}B)` });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 10, validationNote: `${pathMatch[1]} no longer accessible on re-check` });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'File access validation failed' });
+  }
+}
+
+async function validateSaml(origin, f, idx) {
+  const acsEndpoints = ['/saml/acs', '/auth/saml/callback', '/sso/acs', '/Shibboleth.sso/SAML2/POST'];
+  let confirmed = false;
+
+  const unsignedResponse = `<?xml version="1.0"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="test" Version="2.0"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"><saml:Subject><saml:NameID>admin@target.com</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>`;
+  const encoded = Buffer.from(unsignedResponse).toString('base64');
+
+  for (const acs of acsEndpoints) {
+    try {
+      const resp = await fetchText(origin + acs, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: `SAMLResponse=${encodeURIComponent(encoded)}`,
+      }, 5000);
+
+      if (resp.status === 200 || resp.status === 302) {
+        confirmed = true;
+        break;
+      }
+    } catch {}
+  }
+
+  if (confirmed) {
+    updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 80, validationNote: 'Unsigned SAML response accepted — XSW attack confirmed' });
+  } else {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 40, validationNote: 'SAML ACS did not accept unsigned response' });
+  }
+}
+
+async function validateLdap(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin + '/api/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ username: '*)(uid=*))(|(uid=*', password: 'test' }),
+    }, 5000);
+
+    if (resp.status === 200) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 90, validationNote: 'LDAP auth bypass confirmed via wildcard injection' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 35, validationNote: 'LDAP auth bypass not confirmed on re-check' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'LDAP validation failed' });
+  }
+}
+
+async function validateCsrf(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin);
+    const forms = (resp.body.match(/<form[^>]*method\s*=\s*['"](?:post|put|delete)['"][^>]*>/gi) || []);
+    let missingCsrf = 0;
+
+    for (const form of forms) {
+      if (!/csrf|_token|authenticity_token/i.test(form)) missingCsrf++;
+    }
+
+    if (missingCsrf > 0) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 80, validationNote: `${missingCsrf} forms missing CSRF tokens confirmed` });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 10, validationNote: 'CSRF tokens found in all forms on re-check' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'CSRF validation failed' });
+  }
+}
+
+async function validateTrace(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin, { method: 'TRACE' }, 5000);
+    if (resp.status === 200 && resp.body.includes('TRACE')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 95, validationNote: 'TRACE method confirmed enabled — XST attack vector' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 5, validationNote: 'TRACE method blocked or disabled' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 20, validationNote: 'TRACE validation failed' });
+  }
+}
+
+async function genericValidation(origin, f, idx) {
+  updateFinding(idx, {
+    validated: true,
+    exploitability: 'inconclusive',
+    confidence: 50,
+    validationNote: 'Auto-validation not supported for this finding type — manual verification recommended',
+  });
+}
+
+function btoa(str) {
+  return Buffer.from(str).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
+}

package/src/utils/fetch.js

@@ -1,7 +1,24 @@
 import https from 'https';
 import http from 'http';
 
+const RATE_LIMIT = 5;
+let lastRequestTime = 0;
+
+async function waitForSlot() {
+  const now = Date.now();
+  const minInterval = 1000 / RATE_LIMIT;
+  const timeSinceLast = now - lastRequestTime;
+
+  if (timeSinceLast < minInterval) {
+    await new Promise((r) => setTimeout(r, minInterval - timeSinceLast));
+  }
+
+  lastRequestTime = Date.now();
+}
+
 export async function fetchWithTimeout(url, options = {}, timeout = 10000) {
+  await waitForSlot();
+
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), timeout);