tryassay 0.33.1 → 0.34.0

package/dist/hunt/templates/hardcoded-credentials.js

@@ -0,0 +1,109 @@
+export const hardcodedCredentials = {
+    id: 'hardcoded-credentials',
+    name: 'Hardcoded Credentials',
+    cwe: 'CWE-798',
+    filePatterns: ['config', 'env', 'secret', 'credential', 'api-key', 'password', 'token', 'connection', 'auth', 'key'],
+    negativePatterns: ['test', 'fixture', 'example', 'sample', 'mock', 'stub', '__tests__', 'spec'],
+    triagePrompt: `You are a security researcher hunting for hardcoded credentials in source code.
+
+Analyze the code for secrets that should never be committed to a repository. Focus on:
+1. API keys — look for strings matching known provider formats (AWS: AKIA..., Stripe: sk_live_..., GitHub: ghp_..., Slack: xoxb-...)
+2. Passwords in connection strings — postgres://user:PASSWORD@host, mongodb+srv://user:PASSWORD@host, redis://:PASSWORD@host
+3. JWT signing secrets — hardcoded strings passed to jwt.sign(), jsonwebtoken.verify(), or HMAC functions
+4. OAuth client secrets — client_secret, app_secret, consumer_secret assigned to string literals
+5. Private keys — BEGIN RSA PRIVATE KEY, BEGIN EC PRIVATE KEY, BEGIN OPENSSH PRIVATE KEY embedded as strings
+6. Base64-encoded tokens — long base64 strings (40+ chars) assigned to auth-related variables
+7. Cloud provider credentials — AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET, GCP_SERVICE_ACCOUNT_KEY as string literals
+
+DETECTION PATTERNS:
+- Variable names: password, passwd, pwd, secret, token, apiKey, api_key, apiSecret, authToken, accessToken, privateKey
+- String assignments: const API_KEY = "sk-..." or export const SECRET = "..."
+- Config objects: { password: "literal", apiKey: "literal" }
+- Template literals with secrets: \`Bearer \${hardcodedToken}\`
+- Environment variable fallbacks: process.env.SECRET || "hardcoded-fallback"
+
+FALSE POSITIVE FILTERS:
+- process.env.VARIABLE_NAME (reading from env is correct — not a finding)
+- Placeholder values: "YOUR_API_KEY_HERE", "changeme", "xxx", "TODO"
+- Schema definitions or type annotations that mention "password" as a field name
+- Documentation strings or comments explaining credential formats
+- Test files using obviously fake values (unless they look like real rotated keys)
+
+KNOWN BYPASS TECHNIQUES:
+- Obfuscated secrets: Buffer.from('base64secret', 'base64').toString()
+- Split strings: const key = 'sk-' + 'live_' + 'abc123...'
+- Reversed strings: const key = '...321cba_evil_ks'.split('').reverse().join('')
+- Hex-encoded: const key = Buffer.from('736b2d6c697665', 'hex').toString()
+- Config files committed but in .gitignore (still in git history)
+
+RELEVANT SPECIFICATIONS:
+- OWASP Top 10 2021 A07: Identification and Authentication Failures
+- CWE-798: Use of Hard-coded Credentials
+- CWE-259: Use of Hard-coded Password
+- NIST SP 800-63B: Digital Identity Guidelines (credential storage)
+
+For each finding, cite the EXACT line number and the credential pattern matched. Rate severity based on:
+- Critical: Production API keys, database passwords, signing secrets with real-looking values
+- High: OAuth secrets, cloud credentials, private keys
+- Medium: Internal service tokens, development-only credentials in production code
+- Low: Placeholder values that hint at poor credential hygiene`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for hardcoded credentials.
+
+Given the hypothesis below, verify whether the credentials are real and exploitable.
+
+VERIFICATION STEPS:
+1. Is the credential a real secret or a placeholder? Check:
+   - Length and entropy — real API keys have high entropy, placeholders are short/obvious
+   - Format match — does it match a known provider's key format exactly?
+   - Context — is it in production code or genuinely test-only code?
+2. What does the credential grant access to?
+   - Database: full read/write? specific schema only?
+   - API: billing access? admin access? read-only?
+   - Cloud: IAM role privileges? metadata access?
+3. Is the credential still valid?
+   - Check git history — was it rotated? Is the current value different?
+   - Look for rotation logic — is there a key rotation mechanism?
+4. What is the blast radius?
+   - Can an attacker pivot from this credential to other systems?
+   - Does the database contain PII, payment data, or auth tokens?
+
+PROVIDER-SPECIFIC KEY FORMATS:
+- AWS Access Key: AKIA[0-9A-Z]{16}
+- AWS Secret Key: [A-Za-z0-9/+=]{40}
+- GitHub PAT: ghp_[A-Za-z0-9]{36}
+- Stripe Live: sk_live_[A-Za-z0-9]{24,}
+- Stripe Test: sk_test_[A-Za-z0-9]{24,} (lower severity but still a finding)
+- Slack Bot Token: xoxb-[0-9]{10,}-[A-Za-z0-9]{24,}
+- Google API Key: AIza[A-Za-z0-9_-]{35}
+- SendGrid: SG.[A-Za-z0-9_-]{22}.[A-Za-z0-9_-]{43}
+- Twilio: SK[a-f0-9]{32}
+
+PROOF-OF-CONCEPT:
+- For API keys: show which API endpoint the key authenticates to
+- For database creds: show the connection string that would grant access
+- For signing secrets: show how an attacker could forge JWTs or HMACs
+- Do NOT actually use the credential — demonstrate the attack path only
+
+RELEVANT SPECIFICATIONS:
+- CWE-798: Use of Hard-coded Credentials — hardcoded values that grant authentication
+- OWASP Testing Guide v4: OTG-AUTHN-007 (Testing for Weak or Unenforced Password Policy)
+
+Cite exact file paths, line numbers, and the credential pattern. Redact the actual secret value in your report (show first 4 and last 4 characters only).`,
+    knownBypasses: [
+        'Base64-encoded secrets: Buffer.from(encoded, "base64")',
+        'String concatenation to split the secret across lines',
+        'Hex-encoded credential values',
+        'Environment variable fallback: process.env.KEY || "hardcoded"',
+        'Config file committed but listed in .gitignore (still in git history)',
+        'Reversed string reassembled at runtime',
+        'Credential in build output / bundled JS not in source',
+    ],
+    specReferences: [
+        'CWE-798 (Use of Hard-coded Credentials)',
+        'CWE-259 (Use of Hard-coded Password)',
+        'OWASP Top 10 2021 A07 (Identification and Authentication Failures)',
+        'NIST SP 800-63B (Digital Identity Guidelines)',
+    ],
+    severityRange: ['medium', 'critical'],
+};
+//# sourceMappingURL=hardcoded-credentials.js.map

package/dist/hunt/templates/hardcoded-credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hardcoded-credentials.js","sourceRoot":"","sources":["../../../src/hunt/templates/hardcoded-credentials.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,oBAAoB,GAA0B;IACzD,EAAE,EAAE,uBAAuB;IAC3B,IAAI,EAAE,uBAAuB;IAC7B,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,KAAK,CAAC;IACpH,gBAAgB,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,CAAC;IAC/F,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;+DA0C+C;IAE7D,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0JAyCwI;IAExJ,aAAa,EAAE;QACb,wDAAwD;QACxD,uDAAuD;QACvD,+BAA+B;QAC/B,+DAA+D;QAC/D,uEAAuE;QACvE,wCAAwC;QACxC,uDAAuD;KACxD;IACD,cAAc,EAAE;QACd,yCAAyC;QACzC,sCAAsC;QACtC,oEAAoE;QACpE,+CAA+C;KAChD;IACD,aAAa,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;CACtC,CAAC"}

package/dist/hunt/templates/idor.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const idor: VulnerabilityTemplate;

package/dist/hunt/templates/idor.js

@@ -0,0 +1,102 @@
+export const idor = {
+    id: 'idor',
+    name: 'Insecure Direct Object Reference',
+    cwe: 'CWE-639',
+    filePatterns: ['user', 'account', 'profile', 'admin', 'permission', 'role', 'access', 'owner', 'tenant', 'organization'],
+    negativePatterns: [],
+    triagePrompt: `You are a security researcher hunting for Insecure Direct Object Reference (IDOR) vulnerabilities. This is the #1 bounty-paying vulnerability class on HackerOne.
+
+Analyze the code for endpoints or functions where a user can access or modify resources belonging to another user by changing an identifier. Focus on:
+1. Missing ownership checks — does the code verify the requesting user owns the resource before returning it?
+2. Predictable identifiers — are resources keyed by auto-incrementing integers, sequential IDs, or guessable UUIDs?
+3. Parameter tampering — can a user change userId, accountId, orderId in the request to access other users' data?
+4. Horizontal privilege escalation — can user A access user B's data at the same privilege level?
+5. Vertical privilege escalation — can a regular user access admin-only resources by guessing the endpoint/ID?
+6. Multi-tenancy leaks — in SaaS apps, can tenant A access tenant B's data by changing organizationId?
+
+CRITICAL PATTERNS TO FIND:
+- GET /api/users/:id — returns user data without checking if requester IS that user
+- PUT /api/orders/:orderId — updates order without checking if order belongs to requester
+- DELETE /api/documents/:docId — deletes document without ownership validation
+- GraphQL resolvers that take an ID argument and query directly without auth context filtering
+- Supabase/Firebase queries that don't use RLS or filter by auth.uid()
+- SQL queries: SELECT * FROM orders WHERE id = $1 (no AND user_id = $currentUser)
+
+OWNERSHIP VALIDATION PATTERNS (what CORRECT code looks like):
+- SQL: WHERE id = $1 AND user_id = $currentUser
+- Supabase RLS: CREATE POLICY ... USING (auth.uid() = user_id)
+- ORM: .where({ id, userId: req.user.id })
+- Middleware: requireOwnership(req.user, resource)
+
+WHAT MAKES THIS EXPLOITABLE:
+- The resource contains PII (names, emails, addresses, phone numbers)
+- The resource contains financial data (balances, transactions, payment methods)
+- The resource can be modified (not just read — write IDOR is higher severity)
+- The resource controls access (changing role, permissions, group membership)
+
+RELEVANT SPECIFICATIONS:
+- OWASP Top 10 2021 A01: Broken Access Control
+- OWASP ASVS V4.0 Section 4: Access Control
+- CWE-639: Authorization Bypass Through User-Controlled Key
+
+For each finding, cite the EXACT endpoint/function, the parameter that can be tampered with, and what data is exposed. Show the code path from request parameter to database query.`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for an IDOR vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+BUILD THE FULL ATTACK SCENARIO:
+1. Identify the vulnerable endpoint and HTTP method (GET/POST/PUT/DELETE)
+2. Identify the parameter being tampered (path param, query param, JSON body field)
+3. Trace the parameter from request intake through to the database query
+4. Confirm NO ownership check exists between parameter receipt and data access
+5. Determine what data is exposed or what action can be performed
+6. Assess the impact: PII leak? financial data? privilege escalation?
+
+PROOF-OF-CONCEPT:
+Provide two curl commands:
+1. Legitimate request: User A accessing their own resource
+2. Attack request: User A accessing User B's resource (same request, different ID)
+
+Show that the response to request #2 contains User B's data.
+
+SEVERITY ASSESSMENT:
+- Critical: Write IDOR on financial resources (transfer money, change payment method)
+- Critical: Admin-level vertical privilege escalation
+- High: Read IDOR exposing PII (emails, addresses, SSNs, medical records)
+- High: Write IDOR on any user-owned resource (modify profile, delete data)
+- Medium: Read IDOR on non-sensitive data (preferences, settings)
+- Medium: IDOR on resources with UUID identifiers (harder to enumerate but still exploitable)
+- Low: IDOR that requires additional preconditions or reveals minimal data
+
+COMMON BYPASS TECHNIQUES:
+- UUID bruteforce: if other endpoints leak UUIDs (user lists, public profiles, error messages)
+- Parameter pollution: sending userId in both path and body, one gets validated, other gets used
+- HTTP method switching: GET is protected but PUT/PATCH isn't
+- JSON nesting: top-level userId checked but nested object's userId used for query
+- GraphQL aliasing: request same field multiple times with different IDs in one query
+- Batch endpoints: /api/users/batch accepts array of IDs, only first is validated
+
+RELEVANT SPECIFICATIONS:
+- OWASP Testing Guide: OTG-AUTHZ-004 (Testing for IDOR)
+- CWE-639: Authorization Bypass Through User-Controlled Key
+- CWE-284: Improper Access Control
+
+Cite exact file paths, line numbers, and the missing authorization check.`,
+    knownBypasses: [
+        'Parameter pollution: userId in path validated, userId in body used for query',
+        'HTTP method switching: GET protected but PUT/PATCH unprotected',
+        'UUID leakage from other endpoints enabling enumeration',
+        'GraphQL aliasing to request multiple IDs in one query',
+        'Batch endpoint validates first ID only, processes all',
+        'JSON nesting: outer userId checked, inner userId.nested used',
+        'Array index manipulation: /api/users/0 vs /api/users/1',
+    ],
+    specReferences: [
+        'OWASP Top 10 2021 A01 (Broken Access Control)',
+        'OWASP ASVS V4.0 Section 4 (Access Control)',
+        'CWE-639 (Authorization Bypass Through User-Controlled Key)',
+        'CWE-284 (Improper Access Control)',
+    ],
+    severityRange: ['medium', 'critical'],
+};
+//# sourceMappingURL=idor.js.map

package/dist/hunt/templates/idor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"idor.js","sourceRoot":"","sources":["../../../src/hunt/templates/idor.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,IAAI,GAA0B;IACzC,EAAE,EAAE,MAAM;IACV,IAAI,EAAE,kCAAkC;IACxC,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,CAAC;IACxH,gBAAgB,EAAE,EAAE;IACpB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oLAmCoK;IAElL,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0EAyCwD;IAExE,aAAa,EAAE;QACb,8EAA8E;QAC9E,gEAAgE;QAChE,wDAAwD;QACxD,uDAAuD;QACvD,uDAAuD;QACvD,8DAA8D;QAC9D,wDAAwD;KACzD;IACD,cAAc,EAAE;QACd,+CAA+C;QAC/C,4CAA4C;QAC5C,4DAA4D;QAC5D,mCAAmC;KACpC;IACD,aAAa,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;CACtC,CAAC"}

package/dist/hunt/templates/index.d.ts

@@ -1,3 +1,3 @@
 import type { VulnerabilityTemplate } from '../../types.js';
-export declare function getAllTemplates(): VulnerabilityTemplate[];
-export declare function getTemplateById(id: string): VulnerabilityTemplate | undefined;
+export declare function getAllTemplates(projectRoot?: string): VulnerabilityTemplate[];
+export declare function getTemplateById(id: string, projectRoot?: string): VulnerabilityTemplate | undefined;

package/dist/hunt/templates/index.js

@@ -8,7 +8,25 @@ import { injection } from './injection.js';
 import { openRedirect } from './open-redirect.js';
 import { prototypePollution } from './prototype-pollution.js';
 import { timingAttack } from './timing-attack.js';
-const templates = [
+// New generic templates
+import { hardcodedCredentials } from './hardcoded-credentials.js';
+import { idor } from './idor.js';
+import { massAssignment } from './mass-assignment.js';
+import { insecureDeserialization } from './insecure-deserialization.js';
+import { fileUpload } from './file-upload.js';
+import { raceCondition } from './race-condition.js';
+import { xxe } from './xxe.js';
+import { graphqlAbuse } from './graphql-abuse.js';
+import { csvInjection } from './csv-injection.js';
+import { postmessage } from './postmessage.js';
+// Framework-specific templates
+import { nextjsMisconfig } from './nextjs-misconfig.js';
+import { expressMisconfig } from './express-misconfig.js';
+import { djangoMisconfig } from './django-misconfig.js';
+import { springMisconfig } from './spring-misconfig.js';
+// Learned templates
+import { loadLearnedTemplates } from '../finding-to-template.js';
+const builtInTemplates = [
     csrfBypass,
     ssrf,
     weakRandom,
@@ -19,11 +37,26 @@ const templates = [
     openRedirect,
     prototypePollution,
     timingAttack,
+    hardcodedCredentials,
+    idor,
+    massAssignment,
+    insecureDeserialization,
+    fileUpload,
+    raceCondition,
+    xxe,
+    graphqlAbuse,
+    csvInjection,
+    postmessage,
+    nextjsMisconfig,
+    expressMisconfig,
+    djangoMisconfig,
+    springMisconfig,
 ];
-export function getAllTemplates() {
-    return templates;
+export function getAllTemplates(projectRoot) {
+    const learned = loadLearnedTemplates(projectRoot);
+    return [...builtInTemplates, ...learned];
 }
-export function getTemplateById(id) {
-    return templates.find(t => t.id === id);
+export function getTemplateById(id, projectRoot) {
+    return getAllTemplates(projectRoot).find(t => t.id === id);
 }
 //# sourceMappingURL=index.js.map

package/dist/hunt/templates/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/hunt/templates/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,SAAS,GAA4B;IACzC,UAAU;IACV,IAAI;IACJ,UAAU;IACV,UAAU;IACV,aAAa;IACb,aAAa;IACb,SAAS;IACT,YAAY;IACZ,kBAAkB;IAClB,YAAY;CACb,CAAC;AAEF,MAAM,UAAU,eAAe;IAC7B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,EAAU;IACxC,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AAC1C,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/hunt/templates/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,wBAAwB;AACxB,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,+BAA+B,CAAC;AACxE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAC/B,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,+BAA+B;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,oBAAoB;AACpB,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAEjE,MAAM,gBAAgB,GAA4B;IAChD,UAAU;IACV,IAAI;IACJ,UAAU;IACV,UAAU;IACV,aAAa;IACb,aAAa;IACb,SAAS;IACT,YAAY;IACZ,kBAAkB;IAClB,YAAY;IACZ,oBAAoB;IACpB,IAAI;IACJ,cAAc;IACd,uBAAuB;IACvB,UAAU;IACV,aAAa;IACb,GAAG;IACH,YAAY;IACZ,YAAY;IACZ,WAAW;IACX,eAAe;IACf,gBAAgB;IAChB,eAAe;IACf,eAAe;CAChB,CAAC;AAEF,MAAM,UAAU,eAAe,CAAC,WAAoB;IAClD,MAAM,OAAO,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,gBAAgB,EAAE,GAAG,OAAO,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,EAAU,EAAE,WAAoB;IAC9D,OAAO,eAAe,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AAC7D,CAAC"}

package/dist/hunt/templates/insecure-deserialization.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const insecureDeserialization: VulnerabilityTemplate;

package/dist/hunt/templates/insecure-deserialization.js

@@ -0,0 +1,131 @@
+export const insecureDeserialization = {
+    id: 'insecure-deserialization',
+    name: 'Insecure Deserialization',
+    cwe: 'CWE-502',
+    filePatterns: ['serialize', 'deserialize', 'pickle', 'yaml', 'xml', 'marshal', 'json', 'parse', 'unserialize', 'decode', 'unmarshal'],
+    negativePatterns: [],
+    triagePrompt: `You are a security researcher hunting for insecure deserialization vulnerabilities.
+
+Analyze the code for places where untrusted data is deserialized using functions that can instantiate arbitrary objects or execute code during parsing. Focus on:
+
+LANGUAGE-SPECIFIC DANGEROUS FUNCTIONS:
+Python:
+- pickle.loads(), pickle.load() — arbitrary code execution via __reduce__
+- yaml.load() without Loader=SafeLoader — arbitrary Python object instantiation
+- marshal.loads() — code execution
+- shelve.open() with untrusted data
+- jsonpickle.decode() — object instantiation
+
+JavaScript/Node.js:
+- node-serialize unserialize() — code execution via IIFE in serialized functions
+- js-yaml load() without safe option — can instantiate JS objects
+- eval(JSON.parse(...)) or new Function(deserialized) — indirect RCE
+- cryo.parse() — object instantiation
+- serialize-javascript with user input feeding eval context
+
+Java:
+- ObjectInputStream.readObject() — gadget chain RCE
+- XMLDecoder — arbitrary method calls
+- XStream.fromXML() without allowlist
+- Fastjson JSON.parseObject() with autoType — RCE
+
+PHP:
+- unserialize() — magic method exploitation (__wakeup, __destruct)
+- phar:// deserialization — unserialize via Phar metadata
+
+Ruby:
+- YAML.load() (pre-Psych 4.0) — arbitrary Ruby object creation
+- Marshal.load() — arbitrary object instantiation
+
+WHAT MAKES THIS EXPLOITABLE:
+- User-controlled input reaches the deserialization function
+- The application has classes with dangerous side effects in constructors/destructors/magic methods
+- The serialized format supports object types (not just primitive data)
+- No type allowlist restricts what classes can be instantiated
+
+SAFE ALTERNATIVES (not vulnerable):
+- JSON.parse() for plain data (no object instantiation in standard JSON)
+- yaml.safe_load() / yaml.load(Loader=SafeLoader) in Python
+- Protocol Buffers, MessagePack, FlatBuffers (schema-defined, no arbitrary types)
+- Java: ObjectInputFilter (JEP 290) with strict allowlist
+- PHP: json_decode() instead of unserialize()
+
+KNOWN BYPASS TECHNIQUES:
+- Gadget chains: combining benign classes to achieve RCE (ysoserial for Java)
+- Polyglot payloads: valid in multiple formats (JSON that's also valid YAML)
+- Nested deserialization: outer format is safe but contains inner serialized payload
+- Content-type confusion: server expects JSON but processes YAML/XML based on Content-Type header
+- Cookie/session deserialization: serialized objects in cookies parsed server-side
+
+RELEVANT SPECIFICATIONS:
+- OWASP Top 10 2021 A08: Software and Data Integrity Failures
+- CWE-502: Deserialization of Untrusted Data
+- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes
+
+For each finding, cite the EXACT deserialization call, what user input reaches it, and what language-specific exploit primitive applies.`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for an insecure deserialization vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+VERIFICATION STEPS:
+1. Confirm user-controlled input reaches the deserialization function
+   - Trace from HTTP request/cookie/message queue to the deserialize call
+   - Check if any sanitization or type filtering occurs before deserialization
+2. Identify the deserialization function and its capabilities
+   - Can it instantiate arbitrary classes? (pickle, Java ObjectInputStream, PHP unserialize)
+   - Can it execute code during parsing? (YAML anchors, node-serialize IIFE)
+   - Is it limited to primitive types? (plain JSON.parse is generally safe)
+3. Identify available gadget classes
+   - What libraries are in the dependency tree?
+   - Are there classes with dangerous __reduce__, __destruct, readObject methods?
+4. Build the attack chain
+   - What object instantiation leads to code execution?
+   - What is the payload format?
+
+PROOF-OF-CONCEPT:
+Python pickle RCE:
+\`\`\`python
+import pickle, os
+class Exploit:
+    def __reduce__(self):
+        return (os.system, ('id',))
+payload = pickle.dumps(Exploit())
+# Send payload to vulnerable endpoint
+\`\`\`
+
+Node.js node-serialize:
+\`\`\`javascript
+{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('id')}()"}
+\`\`\`
+
+SEVERITY ASSESSMENT:
+- Critical: Remote Code Execution via deserialization (pickle, Java gadgets, PHP magic methods)
+- Critical: Arbitrary file read/write via deserialization side effects
+- High: Server-Side Request Forgery via deserialized URL fetchers
+- High: Denial of Service via resource-exhausting deserialization (billion laughs, deep nesting)
+- Medium: Object injection that modifies application state without RCE
+
+RELEVANT SPECIFICATIONS:
+- CWE-502: Deserialization of Untrusted Data
+- OWASP Deserialization Cheat Sheet
+- Java JEP 290: Filter Incoming Serialization Data
+
+Cite exact file paths, line numbers, the deserialization function, and the input source.`,
+    knownBypasses: [
+        'Gadget chains: combining benign library classes to achieve RCE (ysoserial)',
+        'Polyglot payloads: data valid in multiple serialization formats simultaneously',
+        'Nested deserialization: safe outer format wrapping dangerous inner payload',
+        'Content-Type confusion: server parses YAML/XML when JSON expected',
+        'Cookie/session deserialization: serialized objects stored in client-side cookies',
+        'Phar deserialization in PHP: unserialize triggered via phar:// stream wrapper',
+        'YAML anchors and aliases: billion laughs DoS or object instantiation',
+    ],
+    specReferences: [
+        'CWE-502 (Deserialization of Untrusted Data)',
+        'OWASP Top 10 2021 A08 (Software and Data Integrity Failures)',
+        'OWASP Deserialization Cheat Sheet',
+        'Java JEP 290 (Filter Incoming Serialization Data)',
+    ],
+    severityRange: ['high', 'critical'],
+};
+//# sourceMappingURL=insecure-deserialization.js.map

package/dist/hunt/templates/insecure-deserialization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-deserialization.js","sourceRoot":"","sources":["../../../src/hunt/templates/insecure-deserialization.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,uBAAuB,GAA0B;IAC5D,EAAE,EAAE,0BAA0B;IAC9B,IAAI,EAAE,0BAA0B;IAChC,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,WAAW,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,WAAW,CAAC;IACrI,gBAAgB,EAAE,EAAE;IACpB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yIA0DyH;IAEvI,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yFA+CuE;IAEvF,aAAa,EAAE;QACb,4EAA4E;QAC5E,gFAAgF;QAChF,4EAA4E;QAC5E,mEAAmE;QACnE,kFAAkF;QAClF,+EAA+E;QAC/E,sEAAsE;KACvE;IACD,cAAc,EAAE;QACd,6CAA6C;QAC7C,8DAA8D;QAC9D,mCAAmC;QACnC,mDAAmD;KACpD;IACD,aAAa,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;CACpC,CAAC"}

package/dist/hunt/templates/mass-assignment.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const massAssignment: VulnerabilityTemplate;

package/dist/hunt/templates/mass-assignment.js

@@ -0,0 +1,101 @@
+export const massAssignment = {
+    id: 'mass-assignment',
+    name: 'Mass Assignment',
+    cwe: 'CWE-915',
+    filePatterns: ['assign', 'merge', 'update', 'body', 'request', 'params', 'create', 'schema', 'spread', 'extend'],
+    negativePatterns: ['prisma', 'drizzle', 'typeorm'],
+    triagePrompt: `You are a security researcher hunting for mass assignment vulnerabilities.
+
+Analyze the code for places where user-controlled input (req.body, request payload, form data) is directly spread or merged into database model updates without an explicit allowlist of permitted fields. Focus on:
+1. Object spread: User.update({ ...req.body }) — attacker can set ANY field including role, isAdmin, balance
+2. Object.assign: Object.assign(user, req.body) — same problem, all user-supplied fields are assigned
+3. Lodash/underscore merge: _.merge(model, userInput) — deep merge can set nested fields
+4. ORM create/update from raw body: Model.create(req.body), Model.findByIdAndUpdate(id, req.body)
+5. Mongoose: doc.set(req.body) without specifying allowed paths
+6. Sequelize: Model.update(req.body, { where: ... }) without specifying fields option
+7. Framework-level mass assignment: Rails strong_parameters bypassed, Django form.save() without fields
+
+CRITICAL FIELDS TO ESCALATE VIA MASS ASSIGNMENT:
+- role, isAdmin, is_admin, admin, permissions, privilege — privilege escalation
+- balance, credits, quota — financial manipulation
+- email, emailVerified, email_verified — account takeover
+- password, passwordHash, password_hash — account takeover
+- organizationId, tenantId, org_id — cross-tenant access
+- subscriptionTier, plan, isPremium — feature flag bypass
+- approved, verified, active, status — state manipulation
+
+CORRECT PATTERNS (not vulnerable):
+- Explicit field picking: { name: req.body.name, email: req.body.email }
+- Allowlist: pick(req.body, ['name', 'email', 'bio'])
+- DTO/schema validation: Zod/Joi schema that only allows specific fields
+- ORM with explicit fields: Model.update(data, { fields: ['name', 'email'] })
+- GraphQL input types that restrict allowed fields at the schema level
+
+KNOWN BYPASS TECHNIQUES:
+- Nested objects: { "profile": { "role": "admin" } } if profile is spread into user
+- Array fields: { "roles": ["admin"] } if roles array is directly assigned
+- Prototype pollution via mass assignment: { "__proto__": { "isAdmin": true } }
+- JSON field names with dots: { "user.role": "admin" } if flattened by middleware
+- Extra fields in multipart form data alongside file uploads
+
+RELEVANT SPECIFICATIONS:
+- OWASP Top 10 2021 A04: Insecure Design
+- OWASP API Security Top 10: API6 Mass Assignment
+- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
+
+For each finding, cite the EXACT line where user input is spread/merged into a model, and list which dangerous fields could be set.`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for a mass assignment vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+VERIFICATION STEPS:
+1. Trace the data flow from request body to database write
+2. Confirm no field allowlist or DTO validation exists between input and storage
+3. Identify the database model/table schema — what fields exist that shouldn't be user-settable?
+4. Determine the highest-impact field an attacker could set
+5. Check if any middleware (Zod, Joi, class-validator) filters fields before the vulnerable line
+
+BUILD THE ATTACK:
+1. Show the legitimate request: POST /api/users with { name: "Alice", bio: "..." }
+2. Show the attack request: POST /api/users with { name: "Alice", bio: "...", role: "admin" }
+3. Prove the role field persists to the database
+4. Show what the attacker gains (admin access, balance increase, etc.)
+
+PROOF-OF-CONCEPT:
+Provide a curl command showing the malicious payload:
+\`\`\`
+curl -X PUT /api/profile \\
+  -H "Content-Type: application/json" \\
+  -H "Authorization: Bearer <user-token>" \\
+  -d '{"name": "attacker", "role": "admin", "isVerified": true}'
+\`\`\`
+
+SEVERITY ASSESSMENT:
+- Critical: Can set role/admin/permissions fields (privilege escalation)
+- Critical: Can set financial fields (balance, credits, subscription)
+- High: Can set email/password fields (account takeover path)
+- High: Can set organizationId (cross-tenant access)
+- Medium: Can set non-critical profile fields of other users
+- Low: Can set fields that have no security impact
+
+RELEVANT SPECIFICATIONS:
+- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
+- OWASP API Security Top 10: API6 Mass Assignment
+
+Cite exact file paths, line numbers, and the specific dangerous fields that can be set.`,
+    knownBypasses: [
+        'Nested object injection: { "profile": { "role": "admin" } }',
+        'Array field replacement: { "roles": ["admin"] }',
+        'Prototype pollution via mass assignment: { "__proto__": { "isAdmin": true } }',
+        'Dot-notation keys flattened by middleware: { "user.role": "admin" }',
+        'Multipart form data extra fields alongside file uploads',
+        'JSON merge patch (RFC 7396) setting unexpected fields',
+    ],
+    specReferences: [
+        'CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)',
+        'OWASP API Security Top 10 API6 (Mass Assignment)',
+        'OWASP Top 10 2021 A04 (Insecure Design)',
+    ],
+    severityRange: ['medium', 'critical'],
+};
+//# sourceMappingURL=mass-assignment.js.map

package/dist/hunt/templates/mass-assignment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mass-assignment.js","sourceRoot":"","sources":["../../../src/hunt/templates/mass-assignment.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,cAAc,GAA0B;IACnD,EAAE,EAAE,iBAAiB;IACrB,IAAI,EAAE,iBAAiB;IACvB,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;IAChH,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC;IAClD,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oIAuCoH;IAElI,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;wFAsCsE;IAEtF,aAAa,EAAE;QACb,6DAA6D;QAC7D,iDAAiD;QACjD,+EAA+E;QAC/E,qEAAqE;QACrE,yDAAyD;QACzD,uDAAuD;KACxD;IACD,cAAc,EAAE;QACd,0FAA0F;QAC1F,kDAAkD;QAClD,yCAAyC;KAC1C;IACD,aAAa,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;CACtC,CAAC"}

package/dist/hunt/templates/nextjs-misconfig.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const nextjsMisconfig: VulnerabilityTemplate;