securl 1.4.1

package/dist/compromiseSignals.js

@@ -0,0 +1,183 @@
+import { unique } from "./utils.js";
+const COLLECTION_BOUNDARY = "Public indicators only: visible HTML, public script and form destinations, public CT/DNS-derived observations, exposed public paths, and advisory metadata from detected client libraries. Reputation lookups are opt-in and are not run unless a provider is configured.";
+const envValue = (key) => {
+    if (typeof process === "undefined" || !process.env) {
+        return undefined;
+    }
+    return process.env[key];
+};
+const configuredReputationChecks = () => [
+    {
+        provider: "google_safe_browsing",
+        status: envValue("GOOGLE_SAFE_BROWSING_API_KEY") ? "not_checked" : "not_configured",
+        summary: envValue("GOOGLE_SAFE_BROWSING_API_KEY")
+            ? "Google Safe Browsing key is configured, but live reputation lookup is not enabled in this passive engine build."
+            : "Google Safe Browsing/Web Risk lookup is not configured.",
+    },
+    {
+        provider: "urlhaus",
+        status: envValue("URLHAUS_API_KEY") ? "not_checked" : "not_configured",
+        summary: envValue("URLHAUS_API_KEY")
+            ? "URLhaus key is configured, but live reputation lookup is not enabled in this passive engine build."
+            : "URLhaus lookup is not configured.",
+    },
+    {
+        provider: "virustotal",
+        status: envValue("VIRUSTOTAL_API_KEY") ? "not_checked" : "not_configured",
+        summary: envValue("VIRUSTOTAL_API_KEY")
+            ? "VirusTotal key is configured, but live reputation lookup is not enabled in this passive engine build."
+            : "VirusTotal lookup is not configured.",
+    },
+];
+const addIndicator = (indicators, indicator) => {
+    const key = `${indicator.category}:${indicator.title}:${indicator.evidence.join("|")}`;
+    if (!indicators.some((existing) => `${existing.category}:${existing.title}:${existing.evidence.join("|")}` === key)) {
+        indicators.push(indicator);
+    }
+};
+const severityRank = {
+    info: 0,
+    watch: 1,
+    warning: 2,
+    critical: 3,
+};
+const indicatorSort = (a, b) => severityRank[b.severity] - severityRank[a.severity] || a.title.localeCompare(b.title);
+const toSummary = (indicators) => {
+    if (!indicators.length) {
+        return "No public indicators of compromise or abuse were inferred from the passive evidence collected.";
+    }
+    const critical = indicators.filter((item) => item.severity === "critical").length;
+    const warning = indicators.filter((item) => item.severity === "warning").length;
+    if (critical) {
+        return `${critical} critical public abuse indicator${critical === 1 ? "" : "s"} should be reviewed immediately.`;
+    }
+    if (warning) {
+        return `${warning} suspicious public indicator${warning === 1 ? "" : "s"} should be reviewed before treating the target as clean.`;
+    }
+    return `${indicators.length} low-confidence public signal${indicators.length === 1 ? "" : "s"} may be useful for triage.`;
+};
+export const emptyCompromiseSignals = (summary = "Compromise and abuse indicators were not assessed.") => ({
+    posture: "not_assessed",
+    summary,
+    indicators: [],
+    reputationChecks: configuredReputationChecks(),
+    issues: [],
+    strengths: [],
+    collectionBoundary: COLLECTION_BOUNDARY,
+});
+export function buildCompromiseSignals({ finalUrl, htmlSecurity, ctDiscovery, exposure, }) {
+    const indicators = [];
+    for (const form of htmlSecurity.forms) {
+        if (form.hasPasswordField && form.offOriginSubmission) {
+            addIndicator(indicators, {
+                category: "credential_collection",
+                severity: "critical",
+                title: "Password form posts off-origin",
+                detail: "A visible password form appears to submit to a different origin. This can be legitimate for hosted identity flows, but it is also a high-value compromise/phishing signal.",
+                confidence: "medium",
+                source: "html",
+                evidence: [form.resolvedAction],
+                action: "Confirm the destination is an expected identity provider or owned service before trusting the page.",
+            });
+        }
+        else if (form.offOriginSubmission && form.method !== "GET") {
+            addIndicator(indicators, {
+                category: "credential_collection",
+                severity: "watch",
+                title: "Form posts off-origin",
+                detail: "A visible form submits data to a different origin. Review whether this is expected for payment, CRM, newsletter, or identity workflows.",
+                confidence: "medium",
+                source: "html",
+                evidence: [form.resolvedAction],
+                action: "Validate the form destination and data handling path.",
+            });
+        }
+    }
+    for (const signal of htmlSecurity.suspiciousScriptSignals) {
+        addIndicator(indicators, {
+            category: "script_anomaly",
+            severity: signal.severity === "warning" ? "warning" : "info",
+            title: signal.title,
+            detail: signal.detail,
+            confidence: signal.severity === "warning" ? "medium" : "low",
+            source: "html",
+            evidence: signal.evidence,
+            action: "Review whether the script pattern is expected, especially if CSP is weak or the host is unfamiliar.",
+        });
+    }
+    for (const signal of htmlSecurity.passiveLeakSignals) {
+        if (signal.category === "source_map" || signal.category === "public_token") {
+            addIndicator(indicators, {
+                category: "exposure",
+                severity: signal.severity === "warning" ? "warning" : "watch",
+                title: signal.title,
+                detail: signal.detail,
+                confidence: "medium",
+                source: "html",
+                evidence: signal.evidence,
+                action: "Review whether the exposed artifact contains internal paths, secrets, or debugging details.",
+            });
+        }
+    }
+    for (const library of htmlSecurity.libraryRiskSignals) {
+        const aliases = unique(library.vulnerabilities.flatMap((item) => item.aliases)).slice(0, 4);
+        const hasHigh = library.vulnerabilities.some((item) => item.severity === "critical" || item.severity === "high");
+        addIndicator(indicators, {
+            category: "supply_chain",
+            severity: hasHigh ? "warning" : "watch",
+            title: "Known vulnerable client library visible",
+            detail: `${library.packageName} ${library.version} matched ${library.vulnerabilities.length} OSV advisory match${library.vulnerabilities.length === 1 ? "" : "es"}.`,
+            confidence: library.confidence,
+            source: "asset",
+            evidence: [library.sourceUrl, ...aliases].slice(0, 6),
+            action: "Confirm whether the visible library is actually executed and update or remove it where possible.",
+        });
+    }
+    for (const host of ctDiscovery.sampledHosts.filter((entry) => entry.suspectedTakeover)) {
+        addIndicator(indicators, {
+            category: "infrastructure",
+            severity: "critical",
+            title: "Possible subdomain takeover signal",
+            detail: host.suspectedTakeover?.evidence || "A sampled CT host matched an unclaimed service pattern.",
+            confidence: host.suspectedTakeover?.confidence || "medium",
+            source: "ct",
+            evidence: [host.host, ...(host.cnameTargets || [])].slice(0, 6),
+            action: "Verify DNS ownership and remove or claim dangling service targets.",
+        });
+    }
+    for (const probe of exposure.probes.filter((item) => item.finding === "exposed")) {
+        addIndicator(indicators, {
+            category: "exposure",
+            severity: "warning",
+            title: "Sensitive public path appears exposed",
+            detail: probe.detail,
+            confidence: "medium",
+            source: "public_record",
+            evidence: [new URL(probe.path, finalUrl.origin).toString(), String(probe.statusCode)],
+            action: "Confirm whether this path should be public and restrict access if it exposes operational detail.",
+        });
+    }
+    const sortedIndicators = indicators.sort(indicatorSort);
+    const reputationChecks = configuredReputationChecks();
+    const reputationFlagged = reputationChecks.some((check) => check.status === "flagged");
+    const posture = reputationFlagged
+        ? "reputation_flagged"
+        : sortedIndicators.some((item) => item.severity === "critical")
+            ? "suspicious"
+            : sortedIndicators.length
+                ? "review_recommended"
+                : "no_public_ioc";
+    return {
+        posture,
+        summary: toSummary(sortedIndicators),
+        indicators: sortedIndicators,
+        reputationChecks,
+        issues: sortedIndicators
+            .filter((item) => item.severity === "critical" || item.severity === "warning")
+            .map((item) => item.title),
+        strengths: sortedIndicators.length
+            ? []
+            : ["No passive public IOC-style indicators were inferred from the collected evidence."],
+        collectionBoundary: COLLECTION_BOUNDARY,
+    };
+}

package/dist/cookie-analysis.d.ts

@@ -0,0 +1,2 @@
+import type { CookieResult } from "./types.js";
+export declare const parseSetCookie: (setCookieHeaders: string[] | undefined) => CookieResult[];

package/dist/cookie-analysis.js

@@ -0,0 +1,41 @@
+export const parseSetCookie = (setCookieHeaders) => (setCookieHeaders || []).map((cookieLine) => {
+    const parts = cookieLine.split(";").map((item) => item.trim());
+    const [nameValue, ...attributes] = parts;
+    const [rawName, ...rawValue] = nameValue.split("=");
+    const attributeMap = Object.fromEntries(attributes.map((attribute) => {
+        const [key, ...value] = attribute.split("=");
+        return [key.toLowerCase(), value.join("=") || true];
+    }));
+    const sameSiteValue = typeof attributeMap.samesite === "string"
+        ? attributeMap.samesite
+        : null;
+    const sameSite = sameSiteValue
+        ? sameSiteValue.charAt(0).toUpperCase() + sameSiteValue.slice(1).toLowerCase()
+        : null;
+    const issues = [];
+    if (!attributeMap.secure) {
+        issues.push("Missing Secure flag");
+    }
+    if (!attributeMap.httponly) {
+        issues.push("Missing HttpOnly flag");
+    }
+    if (!sameSite) {
+        issues.push("Missing SameSite attribute");
+    }
+    else if (sameSite === "None" && !attributeMap.secure) {
+        issues.push("SameSite=None should be paired with Secure");
+    }
+    return {
+        name: rawName,
+        valuePreview: rawValue.join("="),
+        secure: Boolean(attributeMap.secure),
+        httpOnly: Boolean(attributeMap.httponly),
+        sameSite,
+        domain: typeof attributeMap.domain === "string" ? attributeMap.domain : null,
+        path: typeof attributeMap.path === "string" ? attributeMap.path : null,
+        expires: typeof attributeMap.expires === "string" ? attributeMap.expires : null,
+        maxAge: typeof attributeMap["max-age"] === "string" ? attributeMap["max-age"] : null,
+        issues,
+        risk: issues.length >= 2 ? "high" : issues.length === 1 ? "medium" : "low",
+    };
+});

package/dist/cookieAnalysis.d.ts

@@ -0,0 +1,2 @@
+import type { CookieAnalysisInfo } from "./types.js";
+export declare function analyzeCookieHeaders(setCookieHeaders: string[] | undefined): CookieAnalysisInfo | null;

package/dist/cookieAnalysis.js

@@ -0,0 +1,82 @@
+import { parseSetCookie } from "./cookie-analysis.js";
+const normalizeSameSite = (value) => {
+    if (!value)
+        return "missing";
+    const normalized = value.toLowerCase();
+    if (normalized === "strict")
+        return "Strict";
+    if (normalized === "lax")
+        return "Lax";
+    if (normalized === "none")
+        return "None";
+    return "missing";
+};
+export function analyzeCookieHeaders(setCookieHeaders) {
+    const parsedCookies = parseSetCookie(setCookieHeaders);
+    if (!parsedCookies.length) {
+        return null;
+    }
+    const cookies = parsedCookies.map((cookie) => {
+        const hasHostPrefix = cookie.name.startsWith("__Host-");
+        const hasSecurePrefix = cookie.name.startsWith("__Secure-");
+        return {
+            name: cookie.name,
+            hasSecure: cookie.secure,
+            hasHttpOnly: cookie.httpOnly,
+            sameSite: normalizeSameSite(cookie.sameSite),
+            hasHostPrefix,
+            hasSecurePrefix,
+            isSessionCookie: !cookie.expires && !cookie.maxAge,
+            domain: cookie.domain,
+            path: cookie.path,
+        };
+    });
+    const publicCookies = cookies.map(({ domain: _domain, path: _path, ...cookie }) => cookie);
+    const cookiesWithoutSecure = publicCookies.filter((cookie) => !cookie.hasSecure).length;
+    const cookiesWithoutHttpOnly = publicCookies.filter((cookie) => !cookie.hasHttpOnly).length;
+    const cookiesWithSameSiteNone = publicCookies.filter((cookie) => cookie.sameSite === "None").length;
+    const cookiesWithoutSameSite = publicCookies.filter((cookie) => cookie.sameSite === "missing").length;
+    const issues = [];
+    const strengths = [];
+    if (cookiesWithoutSecure) {
+        issues.push(`${cookiesWithoutSecure} cookie${cookiesWithoutSecure === 1 ? "" : "s"} missing Secure.`);
+    }
+    if (cookiesWithoutHttpOnly) {
+        issues.push(`${cookiesWithoutHttpOnly} cookie${cookiesWithoutHttpOnly === 1 ? "" : "s"} missing HttpOnly.`);
+    }
+    if (cookiesWithSameSiteNone) {
+        const noneWithoutSecure = publicCookies.filter((cookie) => cookie.sameSite === "None" && !cookie.hasSecure).length;
+        issues.push(noneWithoutSecure
+            ? `${noneWithoutSecure} SameSite=None cookie${noneWithoutSecure === 1 ? "" : "s"} missing Secure.`
+            : `${cookiesWithSameSiteNone} cookie${cookiesWithSameSiteNone === 1 ? "" : "s"} allow cross-site use with SameSite=None.`);
+    }
+    if (cookiesWithoutSameSite) {
+        issues.push(`${cookiesWithoutSameSite} cookie${cookiesWithoutSameSite === 1 ? "" : "s"} missing SameSite.`);
+    }
+    for (const cookie of cookies) {
+        if (cookie.hasHostPrefix && (!cookie.hasSecure || cookie.domain || cookie.path !== "/")) {
+            issues.push(`__Host- cookie ${cookie.name} does not meet Secure, Path=/, and no Domain requirements.`);
+        }
+        if (cookie.hasSecurePrefix && !cookie.hasSecure) {
+            issues.push(`__Secure- cookie ${cookie.name} does not include Secure.`);
+        }
+    }
+    if (!issues.length) {
+        strengths.push("Cookies include the expected Secure, HttpOnly, and SameSite protections.");
+    }
+    if (publicCookies.some((cookie) => cookie.hasHostPrefix)) {
+        strengths.push("__Host- cookie prefix is in use.");
+    }
+    if (publicCookies.some((cookie) => cookie.hasSecurePrefix)) {
+        strengths.push("__Secure- cookie prefix is in use.");
+    }
+    return {
+        cookies: publicCookies,
+        cookiesWithoutSecure,
+        cookiesWithoutHttpOnly,
+        cookiesWithSameSiteNone,
+        cookiesWithoutSameSite,
+        issues,
+        strengths,
+    };
+}

package/dist/ctDiscovery.d.ts

@@ -0,0 +1,19 @@
+import type { CtDiscoveryInfo } from "./types.js";
+interface JsonResponse<T = unknown> {
+    statusCode: number;
+    json: T | null;
+}
+interface TextResponse {
+    statusCode: number;
+    headers: Record<string, string | string[] | undefined>;
+    body: string;
+}
+type RequestJsonFn = (targetUrl: URL, extraHeaders?: Record<string, string>) => Promise<JsonResponse>;
+type RequestTextFn = (targetUrl: URL, extraHeaders?: Record<string, string>) => Promise<TextResponse>;
+export declare const fetchCtDiscovery: (host: string, requestJson: RequestJsonFn, requestText: RequestTextFn, options?: {
+    sampleHosts?: boolean;
+    subdomainLimit?: number;
+    wildcardLimit?: number;
+    sampleLimit?: number;
+}) => Promise<CtDiscoveryInfo>;
+export {};