redgun-security 1.4.2 → 2.1.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "redgun-security",
-  "version": "1.4.2",
+  "version": "2.1.0",
   "description": "Black-box & white-box security auditor for web applications with HackTricks techniques",
   "type": "module",
   "main": "scan.js",

package/scan.js

@@ -7,6 +7,8 @@ import { scanXxeRemote, scanOauthRemote, scanAccessControlRemote, scanWebCacheDe
 import { scanSamlRemote, scanLdapRemote, scanMfaBypass, scanWebsocketReplay, scanPasswordReset, scanCsrfRemote, scanDanglingDns, scanCloudRemote } from './src/remote/advanced.js';
 import { scanSsrfBypassChains, scanJwtRemoteAdvanced, scanGrpc, scanOpenApi, scanWebrtc, scanStoredDomXss, scanSsiRemote, scanXpathRemote, scanTimingRemote } from './src/remote/complete.js';
 import { scanLlmRemote, scanCssInjectionRemote, scanPostMessageRemote, scanEsiRemote, scanHttp3, scanHpackBomb, scanSmtpRemote, scanDkimReplay } from './src/remote/modern.js';
+import { validateFindings } from './src/core/validator.js';
+import { runBrowserEngine } from './src/remote/browser.js';
 
 export async function runRemoteScan(url, spinner, modules = null) {
   const target = new URL(url);
@@ -14,6 +16,7 @@ export async function runRemoteScan(url, spinner, modules = null) {
   const origin = target.origin;
 
   const allModules = [
+    { name: 'Browser Engine (Puppeteer)', value: 'browser', fn: () => runBrowserEngine(origin, spinner) },
     { name: 'Probe & Fingerprint (httpx)', value: 'probe', fn: () => runProbe(origin, spinner) },
     { name: 'Crawl & Extract (Katana)', value: 'crawl', fn: () => runCrawler(origin, spinner) },
     { name: 'HTTP Headers', value: 'headers', fn: () => scanHeaders(origin, spinner) },
@@ -85,6 +88,9 @@ export async function runRemoteScan(url, spinner, modules = null) {
       // Module failed silently
     }
   }
+
+  spinner.text = '[Validation] Verifying findings...';
+  await validateFindings(origin, spinner);
 }
 
 async function scanHeaders(origin, spinner) {

package/src/core/findings.js

@@ -8,9 +8,19 @@ export function addFinding(severity, module, title, details, fix) {
     details,
     fix,
     timestamp: new Date().toISOString(),
+    validated: false,
+    confidence: 0,
+    exploitability: null,
+    validationNote: null,
   });
 }
 
+export function updateFinding(index, updates) {
+  if (findings[index]) {
+    Object.assign(findings[index], updates);
+  }
+}
+
 export function getFindings() {
   return [...findings];
 }
@@ -27,6 +37,14 @@ export function getFindingsByModule(module) {
   return findings.filter((f) => f.module === module);
 }
 
+export function removeFalsePositives() {
+  for (let i = findings.length - 1; i >= 0; i--) {
+    if (findings[i].validated && findings[i].confidence < 30) {
+      findings.splice(i, 1);
+    }
+  }
+}
+
 export function getSeverityCounts() {
   return {
     critical: findings.filter((f) => f.severity === 'CRITICAL').length,
@@ -36,3 +54,12 @@ export function getSeverityCounts() {
     info: findings.filter((f) => f.severity === 'INFO').length,
   };
 }
+
+export function getValidationStats() {
+  const total = findings.length;
+  const validated = findings.filter((f) => f.validated).length;
+  const confirmed = findings.filter((f) => f.validated && f.exploitability === 'confirmed').length;
+  const inconclusive = findings.filter((f) => f.validated && f.exploitability === 'inconclusive').length;
+  const rejected = findings.filter((f) => f.validated && f.exploitability === 'rejected').length;
+  return { total, validated, confirmed, inconclusive, rejected };
+}

package/src/core/reporter/console.js

@@ -1,5 +1,5 @@
 import chalk from 'chalk';
-import { getFindings, getSeverityCounts } from '../findings.js';
+import { getFindings, getSeverityCounts, getValidationStats } from '../findings.js';
 import { calculateScore, getGrade } from '../score.js';
 
 const SEVERITY_COLORS = {
@@ -28,6 +28,7 @@ export function printResults() {
   const score = calculateScore();
   const grade = getGrade(score);
   const counts = getSeverityCounts();
+  const vstats = getValidationStats();
 
   console.log('\n' + chalk.bold('═══════════════════════════════════════════════════════'));
   console.log(chalk.bold('  SCAN RESULTS'));
@@ -43,6 +44,18 @@ export function printResults() {
   console.log(`  ${SEVERITY_COLORS.INFO(' INFO ')} ${counts.info}`);
   console.log('');
 
+  if (vstats.validated > 0) {
+    console.log(chalk.bold('  VALIDATION RESULTS'));
+    console.log(`  ${chalk.green('✓ Confirmed')}: ${vstats.confirmed}  ` +
+      `${chalk.yellow('? Inconclusive')}: ${vstats.inconclusive}  ` +
+      `${chalk.red('✗ Rejected')}: ${vstats.rejected}`);
+    console.log(`  ${chalk.gray('False positives eliminated:')} ${vstats.total - findings.length}`);
+    if (vstats.rejected > 0) {
+      console.log(`  ${chalk.red.bold('  ' + vstats.rejected + ' findings downgraded/removed after validation')}`);
+    }
+    console.log('');
+  }
+
   const grouped = {};
   for (const finding of findings) {
     if (!grouped[finding.module]) grouped[finding.module] = [];
@@ -53,8 +66,22 @@ export function printResults() {
     console.log(chalk.bold(`\n  ┌─ ${module}`));
     for (const f of moduleFindings) {
       const color = SEVERITY_COLORS[f.severity] || chalk.white;
-      console.log(`  │ ${color(`[${f.severity}]`)} ${f.title}`);
+      let confidenceBar = '';
+      if (f.validated && f.confidence > 0) {
+        const barWidth = Math.round(f.confidence / 10);
+        const barColor = f.confidence >= 70 ? chalk.green : f.confidence >= 40 ? chalk.yellow : chalk.red;
+        confidenceBar = `  ${barColor('█'.repeat(barWidth) + '░'.repeat(10 - barWidth))} ${f.confidence}%`;
+      }
+      const badge = f.validated
+        ? (f.exploitability === 'confirmed' ? chalk.green.bold(' ✓CONFIRMED') :
+           f.exploitability === 'rejected' ? chalk.red.bold(' ✗REJECTED') : chalk.yellow.bold(' ?INCONCLUSIVE'))
+        : chalk.gray(' UNVERIFIED');
+      console.log(`  │ ${color(`[${f.severity}]`)} ${f.title}${badge}`);
+      if (confidenceBar) console.log(`  │  ${confidenceBar}`);
       if (f.details) console.log(`  │   ${chalk.gray(f.details.substring(0, 120))}`);
+      if (f.validationNote && f.validated) {
+        console.log(`  │   ${chalk.magenta('Validation:')} ${f.validationNote.substring(0, 120)}`);
+      }
       if (f.fix) console.log(`  │   ${chalk.green('Fix:')} ${f.fix.substring(0, 120)}`);
     }
     console.log('  └─');

package/src/core/reporter/html.js

@@ -1,6 +1,6 @@
 import { writeFileSync, mkdirSync, existsSync } from 'fs';
 import { join } from 'path';
-import { getFindings, getSeverityCounts } from '../findings.js';
+import { getFindings, getSeverityCounts, getValidationStats } from '../findings.js';
 import { calculateScore, getGrade, getGradeColor } from '../score.js';
 
 export function exportHtml(outputDir = './scans') {
@@ -15,6 +15,7 @@ export function exportHtml(outputDir = './scans') {
   const grade = getGrade(score);
   const gradeColor = getGradeColor(grade);
   const counts = getSeverityCounts();
+  const vstats = getValidationStats();
   const findings = getFindings();
 
   const grouped = {};
@@ -37,10 +38,20 @@ export function exportHtml(outputDir = './scans') {
     if (!grouped[sev] || grouped[sev].length === 0) continue;
     findingsHtml += `<h3 style="color:${severityColors[sev]}">${sev} (${grouped[sev].length})</h3>`;
     for (const f of grouped[sev]) {
+      const vBadge = f.validated
+        ? (f.exploitability === 'confirmed' ? '<span style="background:#238636;color:#fff;padding:1px 6px;border-radius:3px;font-size:0.8em">CONFIRMED</span>'
+          : f.exploitability === 'rejected' ? '<span style="background:#da3633;color:#fff;padding:1px 6px;border-radius:3px;font-size:0.8em">REJECTED</span>'
+          : '<span style="background:#d29922;color:#fff;padding:1px 6px;border-radius:3px;font-size:0.8em">INCONCLUSIVE</span>')
+        : '';
+      const confidenceBar = f.validated && f.confidence > 0
+        ? `<div style="margin:4px 0;background:#21262d;border-radius:4px;height:6px"><div style="width:${f.confidence}%;height:6px;border-radius:4px;background:${f.confidence >= 70 ? '#238636' : f.confidence >= 40 ? '#d29922' : '#da3633'}"></div></div><span style="font-size:0.8em;color:#8b949e">Confidence: ${f.confidence}%</span>`
+        : '';
       findingsHtml += `
         <div class="finding" style="border-left:4px solid ${severityColors[sev]}">
-          <strong>[${f.module}]</strong> ${escapeHtml(f.title)}
+          <strong>[${f.module}]</strong> ${escapeHtml(f.title)} ${vBadge}
+          ${confidenceBar}
           ${f.details ? `<p class="details">${escapeHtml(f.details)}</p>` : ''}
+          ${f.validationNote && f.validated ? `<p class="valnote" style="color:#d2a8ff;font-size:0.9em">Validation: ${escapeHtml(f.validationNote)}</p>` : ''}
           ${f.fix ? `<p class="fix"><strong>Fix:</strong> ${escapeHtml(f.fix)}</p>` : ''}
         </div>`;
     }
@@ -86,6 +97,15 @@ export function exportHtml(outputDir = './scans') {
         <div class="count-item"><div class="count-num" style="color:#9e9e9e">${counts.info}</div>Info</div>
       </div>
     </div>
+    ${vstats.validated > 0 ? `
+    <div style="background:#161b22;border-radius:12px;padding:1rem;margin:1rem 0;text-align:center">
+      <strong style="color:#58a6ff">Validation Results</strong>
+      <div class="counts" style="margin-top:0.5rem">
+        <div class="count-item"><div class="count-num" style="color:#238636">${vstats.confirmed}</div>Confirmed</div>
+        <div class="count-item"><div class="count-num" style="color:#d29922">${vstats.inconclusive}</div>Inconclusive</div>
+        <div class="count-item"><div class="count-num" style="color:#da3633">${vstats.rejected}</div>Rejected</div>
+      </div>
+    </div>` : ''}
     <h2>Findings (${findings.length} total)</h2>
     ${findingsHtml}
     <div class="footer">

package/src/core/validator.js

@@ -0,0 +1,375 @@
+import { getFindings, updateFinding, removeFalsePositives } from './findings.js';
+import { fetchText } from '../utils/fetch.js';
+
+export async function validateFindings(origin, spinner) {
+  const findings = getFindings();
+  let validated = 0;
+  let fpRemoved = 0;
+
+  for (let i = 0; i < findings.length; i++) {
+    const f = findings[i];
+    spinner.text = `Validating: ${f.module} [${validated + 1}/${findings.length}]`;
+
+    try {
+      switch (true) {
+        case f.title.toLowerCase().includes('sql injection'):
+          await validateSqli(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('xss'):
+          await validateXss(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('ssrf'):
+          await validateSsrf(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('lfi') || f.title.toLowerCase().includes('path traversal'):
+          await validateLfi(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('jwt') && f.title.toLowerCase().includes('none'):
+          await validateJwtNone(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('open redirect'):
+          await validateOpenRedirect(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('cors'):
+          await validateCors(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('nosql injection'):
+          await validateNosql(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('command injection'):
+          await validateCommandInjection(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('no clickjacking') || f.title.toLowerCase().includes('x-frame-options'):
+          await validateClickjacking(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('missing') && f.module === 'HTTP Headers':
+          await validateHeaders(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('accessible') && f.module === 'Exposed Files':
+          await validateExposedFile(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('saml'):
+          await validateSaml(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('ldap'):
+          await validateLdap(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('no csrf'):
+          await validateCsrf(origin, f, i);
+          break;
+        case f.title.toLowerCase().includes('http method') && f.title.toLowerCase().includes('trace'):
+          await validateTrace(origin, f, i);
+          break;
+        default:
+          await genericValidation(origin, f, i);
+      }
+    } catch {}
+
+    validated++;
+  }
+
+  fpRemoved = findings.length - getFindings().length;
+  removeFalsePositives();
+
+  spinner.text = `Validation complete: ${validated}d ${fpRemoved} FP removed`;
+  return { validated, falsePositivesRemoved: fpRemoved };
+}
+
+async function validateSqli(origin, f, idx) {
+  const testUrl = origin + '/?id=1%27%20UNION%20SELECT%20NULL--';
+  try {
+    const resp = await fetchText(testUrl, {}, 8000);
+    if (/UNION|SELECT|syntax|error.*SQL|mysql|postgresql|sqlite|ORA-|Microsoft SQL/i.test(resp.body)) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 90, validationNote: 'Database error confirmed via UNION SELECT probe' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 45, validationNote: 'No database error on UNION probe — may be parameterized or WAF-blocked' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'Validation request failed (timeout/connection error)' });
+  }
+}
+
+async function validateXss(origin, f, idx) {
+  const testUrl = origin + '/?q=<script>alert(1)<%2fscript>';
+  try {
+    const resp = await fetchText(testUrl, {}, 5000);
+    if (resp.body.includes('<script>alert(1)')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 95, validationNote: 'XSS payload reflected unescaped in response' });
+    } else if (resp.body.includes('alert(1)')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 80, validationNote: 'alert(1) reflected but script tags may be stripped' });
+    } else if (resp.body.includes('&lt;script&gt;') || resp.body.includes('&lt;')) {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 15, validationNote: 'Input properly HTML-encoded — XSS unlikely' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 40, validationNote: 'Payload not reflected — may be parameter-specific' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'Validation request failed' });
+  }
+}
+
+async function validateSsrf(origin, f, idx) {
+  try {
+    const startTime = Date.now();
+    await fetchText(origin + '/?url=http://169.254.169.254/latest/meta-data/', {}, 8000);
+    const elapsed = Date.now() - startTime;
+
+    if (elapsed < 1000) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 85, validationNote: `Metadata endpoint responded quickly (${elapsed}ms) — SSRF likely` });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 50, validationNote: `Response took ${elapsed}ms — may be blocked or timing out` });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'SSRF probe timed out or connection refused' });
+  }
+}
+
+async function validateLfi(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin + '/?file=../../../etc/passwd', {}, 5000);
+    if (resp.body.includes('root:x:0:')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 98, validationNote: '/etc/passwd file retrieved successfully' });
+    } else if (resp.body.includes('root') && resp.body.includes('/bin/')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 85, validationNote: 'File contents contain system paths — LFI likely' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 35, validationNote: 'No passwd data returned — try different encoding bypasses' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 20, validationNote: 'LFI probe failed' });
+  }
+}
+
+async function validateJwtNone(origin, f, idx) {
+  const header = btoa(JSON.stringify({ alg: 'none', typ: 'JWT' }));
+  const payload = btoa(JSON.stringify({ sub: 'admin', role: 'admin', exp: 9999999999 }));
+  const token = `${header}.${payload}.`;
+
+  try {
+    const resp = await fetchText(origin + '/api/me', {
+      headers: { Authorization: `Bearer ${token}` },
+    }, 5000);
+
+    if (resp.status === 200) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 99, validationNote: 'JWT alg=none accepted — complete auth bypass' });
+    } else if (resp.status === 401 || resp.status === 403) {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 10, validationNote: 'Server rejected unsigned JWT — "none" attack blocked' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 40, validationNote: `Unexpected response ${resp.status}` });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'JWT validation failed' });
+  }
+}
+
+async function validateOpenRedirect(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin + '/?redirect=https://evil.com', { redirect: 'manual' }, 5000);
+    const location = resp.headers['location'] || '';
+
+    if (location.includes('evil.com')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 95, validationNote: 'Redirect to external domain confirmed' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 20, validationNote: 'Redirect blocked or sanitized' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'Redirect validation failed' });
+  }
+}
+
+async function validateCors(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin, { headers: { Origin: 'https://evil.com' } });
+    const acao = resp.headers['access-control-allow-origin'] || '';
+    const acac = resp.headers['access-control-allow-credentials'] || '';
+
+    if (acao === '*' && acac === 'true') {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 98, validationNote: 'CORS wildcard with credentials — full cross-origin data theft' });
+    } else if (acao === 'https://evil.com') {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 90, validationNote: 'CORS reflects arbitrary origin' });
+    } else if (acao === 'null') {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 75, validationNote: 'CORS allows null origin' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 15, validationNote: 'CORS does not reflect test origin' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'CORS validation failed' });
+  }
+}
+
+async function validateNosql(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin + '/api/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ username: { $ne: '' }, password: { $ne: '' } }),
+    }, 5000);
+
+    if (resp.status === 200 && /token|session|success|welcome|user/i.test(resp.body)) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 95, validationNote: 'NoSQL auth bypass confirmed — $ne operator accepted' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 40, validationNote: 'NoSQL auth bypass not directly confirmed' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'NoSQL validation failed' });
+  }
+}
+
+async function validateCommandInjection(origin, f, idx) {
+  const startTime = Date.now();
+  try {
+    await fetchText(origin + '/?cmd=sleep+3', {}, 8000);
+    const elapsed = Date.now() - startTime;
+
+    if (elapsed > 2500) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 85, validationNote: `sleep 3 confirmed — response took ${elapsed}ms` });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 35, validationNote: `Response was ${elapsed}ms — sleep did not trigger` });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 20, validationNote: 'Command injection validation failed' });
+  }
+}
+
+async function validateClickjacking(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin);
+    const xfo = resp.headers['x-frame-options'] || '';
+    const csp = resp.headers['content-security-policy'] || '';
+
+    if (!xfo && !csp.includes('frame-ancestors')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 85, validationNote: 'Confirmed — no X-Frame-Options or frame-ancestors CSP' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 5, validationNote: 'Clickjacking protection found on re-check' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'Could not verify clickjacking' });
+  }
+}
+
+async function validateHeaders(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin);
+    const headerName = f.title.toLowerCase().match(/missing ([\w-]+)/)?.[1] || '';
+
+    if (headerName && resp.headers[headerName]) {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 5, validationNote: `${headerName} found on re-check — false positive` });
+    } else if (headerName && !resp.headers[headerName]) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 90, validationNote: `Confirmed — ${headerName} still missing` });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 50, validationNote: 'Header presence could not be verified' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'Header validation failed' });
+  }
+}
+
+async function validateExposedFile(origin, f, idx) {
+  const pathMatch = f.title.match(/Accessible: (.+)/);
+  if (!pathMatch) {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 40, validationNote: 'Could not parse path from finding' });
+    return;
+  }
+
+  try {
+    const resp = await fetchText(origin + pathMatch[1], {}, 5000);
+    if (resp.status === 200 && resp.body.length > 10) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 90, validationNote: `Confirmed — ${pathMatch[1]} still accessible (${resp.body.length}B)` });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 10, validationNote: `${pathMatch[1]} no longer accessible on re-check` });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 30, validationNote: 'File access validation failed' });
+  }
+}
+
+async function validateSaml(origin, f, idx) {
+  const acsEndpoints = ['/saml/acs', '/auth/saml/callback', '/sso/acs', '/Shibboleth.sso/SAML2/POST'];
+  let confirmed = false;
+
+  const unsignedResponse = `<?xml version="1.0"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="test" Version="2.0"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"><saml:Subject><saml:NameID>admin@target.com</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>`;
+  const encoded = Buffer.from(unsignedResponse).toString('base64');
+
+  for (const acs of acsEndpoints) {
+    try {
+      const resp = await fetchText(origin + acs, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: `SAMLResponse=${encodeURIComponent(encoded)}`,
+      }, 5000);
+
+      if (resp.status === 200 || resp.status === 302) {
+        confirmed = true;
+        break;
+      }
+    } catch {}
+  }
+
+  if (confirmed) {
+    updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 80, validationNote: 'Unsigned SAML response accepted — XSW attack confirmed' });
+  } else {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 40, validationNote: 'SAML ACS did not accept unsigned response' });
+  }
+}
+
+async function validateLdap(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin + '/api/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ username: '*)(uid=*))(|(uid=*', password: 'test' }),
+    }, 5000);
+
+    if (resp.status === 200) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 90, validationNote: 'LDAP auth bypass confirmed via wildcard injection' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 35, validationNote: 'LDAP auth bypass not confirmed on re-check' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'LDAP validation failed' });
+  }
+}
+
+async function validateCsrf(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin);
+    const forms = (resp.body.match(/<form[^>]*method\s*=\s*['"](?:post|put|delete)['"][^>]*>/gi) || []);
+    let missingCsrf = 0;
+
+    for (const form of forms) {
+      if (!/csrf|_token|authenticity_token/i.test(form)) missingCsrf++;
+    }
+
+    if (missingCsrf > 0) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 80, validationNote: `${missingCsrf} forms missing CSRF tokens confirmed` });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 10, validationNote: 'CSRF tokens found in all forms on re-check' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 25, validationNote: 'CSRF validation failed' });
+  }
+}
+
+async function validateTrace(origin, f, idx) {
+  try {
+    const resp = await fetchText(origin, { method: 'TRACE' }, 5000);
+    if (resp.status === 200 && resp.body.includes('TRACE')) {
+      updateFinding(idx, { validated: true, exploitability: 'confirmed', confidence: 95, validationNote: 'TRACE method confirmed enabled — XST attack vector' });
+    } else {
+      updateFinding(idx, { validated: true, exploitability: 'rejected', confidence: 5, validationNote: 'TRACE method blocked or disabled' });
+    }
+  } catch {
+    updateFinding(idx, { validated: true, exploitability: 'inconclusive', confidence: 20, validationNote: 'TRACE validation failed' });
+  }
+}
+
+async function genericValidation(origin, f, idx) {
+  updateFinding(idx, {
+    validated: true,
+    exploitability: 'inconclusive',
+    confidence: 50,
+    validationNote: 'Auto-validation not supported for this finding type — manual verification recommended',
+  });
+}
+
+function btoa(str) {
+  return Buffer.from(str).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
+}

package/src/remote/browser.js

@@ -0,0 +1,263 @@
+import { addFinding } from '../core/findings.js';
+import { writeFileSync, mkdirSync, existsSync } from 'fs';
+import { join } from 'path';
+
+export async function runBrowserEngine(origin, spinner) {
+  spinner.text = '[Browser] Launching headless Chromium...';
+
+  let puppeteer;
+  try {
+    puppeteer = (await import('puppeteer')).default;
+  } catch {
+    spinner.warn('Puppeteer not available — browser tests skipped');
+    return;
+  }
+
+  let browser;
+  let page;
+  const results = {
+    alerts: [],
+    consoleErrors: [],
+    networkRequests: [],
+    wsConnections: [],
+    localStorage: {},
+    sessionStorage: {},
+    serviceWorkers: false,
+    postMessageListens: false,
+    screenshotPath: null,
+    xssTested: 0,
+    xssConfirmed: 0,
+    formsFound: 0,
+  };
+
+  try {
+    browser = await puppeteer.launch({
+      headless: 'new',
+      args: ['--no-sandbox', '--disable-setuid-sandbox', '--disable-web-security', '--disable-features=IsolateOrigins,site-per-process'],
+    });
+
+    page = await browser.newPage();
+    await page.setViewport({ width: 1280, height: 800 });
+
+    page.on('dialog', async (dialog) => {
+      results.alerts.push({ message: dialog.message(), type: dialog.type() });
+      await dialog.dismiss();
+    });
+
+    page.on('console', (msg) => {
+      if (msg.type() === 'error') {
+        results.consoleErrors.push(msg.text());
+      }
+    });
+
+    page.on('request', (req) => {
+      if (req.resourceType() === 'websocket') {
+        results.wsConnections.push(req.url());
+      }
+      results.networkRequests.push({
+        url: req.url(),
+        method: req.method(),
+        type: req.resourceType(),
+      });
+    });
+
+    spinner.text = '[Browser] Navigating to target...';
+    await page.goto(origin, { waitUntil: 'networkidle2', timeout: 30000 });
+
+    results.serviceWorkers = await page.evaluate(() => 'serviceWorker' in navigator && Boolean(navigator.serviceWorker.controller));
+
+    results.postMessageListens = await page.evaluate(() => {
+      let hasListener = false;
+      window.addEventListener('message', () => { hasListener = true; });
+      window.postMessage('__redgun_probe__', '*');
+      return new Promise(r => setTimeout(() => r(hasListener), 200));
+    });
+
+    results.localStorage = await page.evaluate(() => {
+      const data = {};
+      for (let i = 0; i < localStorage.length; i++) {
+        const key = localStorage.key(i);
+        data[key] = localStorage.getItem(key);
+      }
+      return data;
+    });
+
+    results.sessionStorage = await page.evaluate(() => {
+      const data = {};
+      try {
+        for (let i = 0; i < sessionStorage.length; i++) {
+          const key = sessionStorage.key(i);
+          data[key] = sessionStorage.getItem(key);
+        }
+      } catch {}
+      return data;
+    });
+
+    spinner.text = '[Browser] Scanning for forms and inputs...';
+    const inputFields = await page.evaluate(() => {
+      const fields = [];
+      document.querySelectorAll('input, textarea, select').forEach((el) => {
+        const name = el.getAttribute('name') || el.getAttribute('id') || el.getAttribute('class') || '';
+        const type = el.getAttribute('type') || el.tagName.toLowerCase();
+        fields.push({ name: name.substring(0, 60), type });
+      });
+      return fields;
+    });
+
+    results.formsFound = await page.evaluate(() => document.querySelectorAll('form').length);
+
+    spinner.text = '[Browser] Testing DOM XSS...';
+    const xssPayloads = [
+      '<img src=x onerror=alert("REDGUN_XSS") />',
+      '<svg onload=alert("REDGUN_XSS") />',
+      '" onfocus=alert("REDGUN_XSS") autofocus="',
+      '"><img src=x onerror=alert("REDGUN_XSS")>',
+      'javascript:alert("REDGUN_XSS")',
+    ];
+
+    for (const field of inputFields.slice(0, 20)) {
+      if (!field.name) continue;
+      for (const payload of xssPayloads.slice(0, 3)) {
+        try {
+          await page.evaluate((name, payload) => {
+            const el = document.querySelector(`[name="${name}"], [id="${name}"]`);
+            if (el) {
+              el.value = payload;
+              el.dispatchEvent(new Event('input', { bubbles: true }));
+              el.dispatchEvent(new Event('change', { bubbles: true }));
+            }
+          }, field.name, payload);
+          results.xssTested++;
+        } catch {}
+      }
+    }
+
+    for (const formFields of inputFields.filter(f => f.name)) {
+      try {
+        await page.evaluate((name) => {
+          const input = document.querySelector(`[name="${name}"], [id="${name}"]`);
+          const form = input?.closest('form');
+          if (form) form.submit();
+        }, formFields.name);
+        await new Promise(r => setTimeout(r, 300));
+
+        if (results.alerts.some(a => a.message.includes('REDGUN_XSS'))) {
+          results.xssConfirmed++;
+        }
+      } catch {}
+    }
+
+    const currentPageUrl = page.url();
+    if (results.alerts.some(a => a.message.includes('REDGUN_XSS')) && currentPageUrl.includes(origin)) {
+      results.xssConfirmed = Math.max(results.xssConfirmed, 1);
+    }
+
+    if (results.alerts.length > 0 || results.xssConfirmed > 0) {
+      const screenshotsDir = './scans';
+      if (!existsSync(screenshotsDir)) mkdirSync(screenshotsDir, { recursive: true });
+      const ts = Date.now();
+      results.screenshotPath = join(screenshotsDir, `redgun-xss-${ts}.png`);
+      await page.screenshot({ path: results.screenshotPath, fullPage: true });
+    }
+
+  } catch (err) {
+    spinner.text = `[Browser] Error: ${err.message}`;
+  } finally {
+    if (browser) await browser.close();
+  }
+
+  reportFindings(origin, results);
+}
+
+function reportFindings(origin, results) {
+  if (results.xssConfirmed > 0) {
+    addFinding(
+      'CRITICAL',
+      'Browser XSS',
+      `${results.xssConfirmed} DOM/Stored XSS confirmed via browser`,
+      `${results.xssTested} payloads injected into ${results.formsFound} forms — ${results.xssConfirmed} alert() triggers detected\nScreenshot: ${results.screenshotPath || 'N/A'}`,
+      'Sanitize all user input on both client and server side. Use DOMPurify, React escape, or framework auto-escaping.'
+    );
+  } else if (results.xssTested > 0) {
+    addFinding(
+      'INFO',
+      'Browser XSS',
+      `Tested ${results.xssTested} inputs — no XSS confirmed`,
+      `${results.formsFound} forms analyzed with 5 XSS payload types`,
+      'DOM/Stored XSS not confirmed — continue manual testing with application-specific payloads'
+    );
+  }
+
+  const apiRequests = results.networkRequests.filter(r => r.url.includes('/api/'));
+  if (apiRequests.length > 0) {
+    const uniqueApis = [...new Set(apiRequests.map(r => r.url).filter(u => u.startsWith(origin)))];
+
+    if (uniqueApis.length > 5) {
+      addFinding(
+        'INFO',
+        'Browser Recon',
+        `${uniqueApis.length} API endpoints captured from browser network`,
+        `APIs: ${uniqueApis.slice(0, 10).join(', ')}${uniqueApis.length > 10 ? ` +${uniqueApis.length - 10} more` : ''}`,
+        'Review captured API endpoints for auth requirements and sensitive data exposure'
+      );
+    }
+  }
+
+  if (results.wsConnections.length > 0) {
+    addFinding(
+      'MEDIUM',
+      'Browser WebSocket',
+      `${results.wsConnections.length} WebSocket connection(s) detected`,
+      `WS: ${results.wsConnections.join(', ')}`,
+      'Test WebSocket for CSWSH, missing auth, and message tampering'
+    );
+  }
+
+  if (results.serviceWorkers) {
+    addFinding(
+      'LOW',
+      'Browser Service Worker',
+      'Service Worker active on page',
+      'SW registered — test for importScripts abuse and fetch listener tampering',
+      'Validate Service Worker scope and origin. Use Subresource Integrity for imported scripts.'
+    );
+  }
+
+  if (results.postMessageListens) {
+    addFinding(
+      'MEDIUM',
+      'Browser postMessage',
+      'postMessage listener detected (runtime check)',
+      'Page has active message event handler',
+      'Audit postMessage listeners for missing origin validation. Test cross-origin iframe attacks.'
+    );
+  }
+
+  const localKeys = Object.keys(results.localStorage || {});
+  const sessionKeys = Object.keys(results.sessionStorage || {});
+  if (localKeys.length > 0 || sessionKeys.length > 0) {
+    const sensitiveStorage = [...localKeys, ...sessionKeys].filter(k =>
+      /token|secret|key|password|credential|jwt|auth|session|user/i.test(k)
+    );
+
+    if (sensitiveStorage.length > 0) {
+      addFinding(
+        'HIGH',
+        'Browser Storage',
+        `${sensitiveStorage.length} sensitive items in browser storage`,
+        `Keys: ${sensitiveStorage.join(', ')}`,
+        'Never store tokens, secrets, or credentials in localStorage/sessionStorage. Use httpOnly cookies for session management.'
+      );
+    }
+  }
+
+  if (results.consoleErrors.length > 5) {
+    addFinding(
+      'LOW',
+      'Browser Console',
+      `${results.consoleErrors.length} console errors detected`,
+      `Sample: ${results.consoleErrors.slice(0, 3).join(' | ')}`,
+      'Console errors may reveal internal paths, CSP violations, or API error messages'
+    );
+  }
+}