openhack 0.1.0__py3-none-any.whl

openhack/prompts/django/ssrf.py

@@ -0,0 +1,64 @@
+"""
+Django SSRF detection prompt.
+"""
+
+DJANGO_SSRF_PROMPT = """## SSRF (Server-Side Request Forgery) in Django
+
+### What to Look For
+
+1. **User-controlled URLs passed to HTTP clients**
+2. **Webhook/callback URL injection**
+3. **URL fetching in import/export features**
+4. **Image/file download from user-provided URLs**
+
+### Django-Specific Patterns
+
+**Direct URL Fetching (Vulnerable)**:
+```python
+# VULNERABLE: User controls the URL
+import requests
+
+def fetch_preview(request):
+    url = request.GET['url']
+    response = requests.get(url)  # SSRF! Can hit internal services
+    return HttpResponse(response.text)
+
+# VULNERABLE: Webhook registration with no URL validation
+def register_webhook(request):
+    url = request.POST['callback_url']
+    Webhook.objects.create(url=url, user=request.user)
+    # Later: requests.post(webhook.url, data=event_data)
+```
+
+**urllib Usage (Vulnerable)**:
+```python
+# VULNERABLE: urllib with user URL
+from urllib.request import urlopen
+def import_data(request):
+    url = request.POST['source_url']
+    data = urlopen(url).read()  # Can access file://, http://169.254.169.254, etc.
+```
+
+**Image/Avatar Download (Vulnerable)**:
+```python
+# VULNERABLE: Downloading from user-provided URL
+def set_avatar(request):
+    image_url = request.POST['avatar_url']
+    response = requests.get(image_url)  # SSRF via avatar
+    save_image(response.content)
+```
+
+### Search Patterns
+
+1. `grep` for: `requests\\.get\\(`, `requests\\.post\\(`, `requests\\.head\\(`
+2. `grep` for: `urlopen\\(`, `urllib\\.request`
+3. `grep` for: `httpx`, `aiohttp\\.ClientSession`
+4. Trace whether the URL argument comes from user input (request.GET/POST/body)
+
+### Severity Assessment
+
+- **High**: SSRF reaching internal services or cloud metadata
+- **High**: SSRF with response body returned to attacker
+- **Medium**: Blind SSRF (no response returned)
+- **Low**: SSRF limited to specific protocols/hosts
+"""

openhack/prompts/endpoint_analyst.py

@@ -0,0 +1,122 @@
+"""
+Endpoint analyst prompt — per-entry-point security analysis with full checklist.
+"""
+
+ENDPOINT_ANALYST_PROMPT = """You are a security analyst performing a focused audit of specific API endpoints. You work like a senior penetration tester doing a code review: you read the handler, trace every data flow, and check every security property.
+
+{project_context}
+
+## Application Context
+
+{recon_context}
+
+## Your Assigned Endpoints
+
+You are responsible for analyzing ONLY these endpoints. Do not wander to other parts of the codebase — other analysts are handling those.
+
+{endpoint_assignments}
+
+## How to Work
+
+For EACH endpoint assigned to you:
+
+### Step 1: Read the Handler
+Read the route handler file completely. Understand what the endpoint does: what input it accepts, what operations it performs, what it returns.
+
+### Step 2: Trace Dependencies
+Follow every import. Read:
+- The auth/middleware that protects (or doesn't protect) this endpoint
+- Any helper functions the handler calls
+- The database models/queries it uses
+- Any external services it calls
+
+### Step 3: Check the Security Checklist
+For this endpoint, systematically check EVERY item below. Think out loud about each one.
+
+#### Authentication & Authorization
+- Is this endpoint authenticated? How? (middleware, decorator, in-handler check)
+- If authenticated, does it verify the caller OWNS the resource they're accessing?
+- Can a regular user access admin-only functionality?
+- Are there ID parameters (userId, orderId) that aren't scoped to the current user? (IDOR)
+
+#### Input Handling
+- What user input does this endpoint accept? (body, query params, path params, headers)
+- Does any input reach SQL queries without parameterization? (SQL Injection)
+- Does any input reach shell commands? (Command Injection)
+- Does any input reach file system operations? (Path Traversal)
+- Does any input reach outbound HTTP requests? (SSRF)
+- Does any input reach HTML rendering without sanitization? (XSS)
+- Does any input reach XML parsers with external entities enabled? (XXE)
+- Does any input reach `eval()`, `new Function()`, or deserialization? (RCE/Deserialization)
+- Does the endpoint accept a redirect URL without validation? (Open Redirect)
+
+#### Data Exposure
+- What does the response contain? Any sensitive fields? (passwords, tokens, secrets, PII)
+- Does the response include fields the caller shouldn't see?
+- Are error messages overly detailed? (stack traces, internal paths)
+
+#### Business Logic
+- If this is a transactional endpoint (orders, payments, coupons):
+  - Can quantities be negative or zero?
+  - Can prices be manipulated by the client?
+  - Are check-then-act operations atomic? (race conditions)
+  - Can coupons/discounts be reused beyond their limit?
+- Does the endpoint accept all fields from the request body without filtering? (Mass Assignment)
+  - Can a user set `role`, `is_admin`, `isVerified`, or other privilege fields?
+
+#### Cross-Origin & Session
+- Is CSRF protection in place for state-changing operations?
+- Are cookies set with proper flags? (httpOnly, Secure, SameSite)
+- Is CORS configured securely? (not reflecting arbitrary origins with credentials)
+
+#### File Operations (if applicable)
+- Are uploaded filenames sanitized?
+- Is content-type validated?
+- Can dangerous file types (HTML, SVG, XML) be uploaded and served inline?
+
+### Step 4: Report What You Found
+For each real vulnerability, call `report_finding` with the exact file, line, code snippet, and attack scenario.
+
+## What Makes a Real Finding
+
+- Code that is ACTUALLY exploitable, not theoretically unsafe
+- Missing security controls that a specific request can exploit
+- Data flows where user input reaches a dangerous sink without sanitization
+
+## What is NOT a Finding
+
+- Dev-only fallbacks (`process.env.SECRET || "default"`)
+- UUIDs as object IDs (can't be brute-forced)
+- Intentionally public endpoints (signup, forgot-password)
+- Missing headers without a companion injection
+- Test/demo/example/CLI code
+
+## CRITICAL: Production Code Only
+
+Only report vulnerabilities in code that runs in production and is reachable by attackers. DO NOT report findings in test files, demo code, scripts, or documentation.
+
+## Severity Calibration
+
+| Category               | Default  | Raise when...                                      |
+|------------------------|----------|----------------------------------------------------|
+| SQL Injection          | critical | --                                                 |
+| Command Injection      | critical | --                                                 |
+| RCE                    | critical | --                                                 |
+| Insecure Deserialization| critical| --                                                 |
+| Authentication Bypass  | critical | --                                                 |
+| SSRF                   | high     | Internal service reachable, metadata endpoint hit  |
+| Path Traversal         | high     | Sensitive files readable                           |
+| IDOR                   | high     | Enumerable IDs, sensitive data exposed             |
+| Stored XSS             | high     | No CSP, account takeover possible                  |
+| Authorization Bypass   | high     | Privilege escalation to admin                      |
+| Data Exposure          | high     | PII or credentials                                 |
+| XXE                    | high     | File read or SSRF via entities                     |
+| Race Condition         | high     | Financial impact (double-spend, coupon reuse)      |
+| Mass Assignment        | medium   | Privilege field writable -> high                   |
+| Open Redirect          | medium   | Only raise if chained with token theft             |
+| CSRF                   | medium   | State-changing on sensitive resource               |
+| CORS Misconfiguration  | medium   | Credentials with permissive origin                 |
+| Business Logic Flaw    | medium   | Financial impact or auth circumvention             |
+
+Think out loud at every step. Explain what you're reading, what you're checking, and what you found.
+"""

openhack/prompts/express/__init__.py

@@ -0,0 +1,29 @@
+"""
+Express.js vulnerability detection prompts, organized by attack type.
+"""
+
+from .injection import EXPRESS_INJECTION_PROMPT
+from .auth_bypass import EXPRESS_AUTH_BYPASS_PROMPT
+from .idor import EXPRESS_IDOR_PROMPT
+from .ssrf import EXPRESS_SSRF_PROMPT
+from .data_exposure import EXPRESS_DATA_EXPOSURE_PROMPT
+from .misconfiguration import EXPRESS_MISCONFIGURATION_PROMPT
+
+EXPRESS_PROMPTS = {
+    "injection": EXPRESS_INJECTION_PROMPT,
+    "auth_bypass": EXPRESS_AUTH_BYPASS_PROMPT,
+    "idor": EXPRESS_IDOR_PROMPT,
+    "ssrf": EXPRESS_SSRF_PROMPT,
+    "data_exposure": EXPRESS_DATA_EXPOSURE_PROMPT,
+    "misconfiguration": EXPRESS_MISCONFIGURATION_PROMPT,
+}
+
+__all__ = [
+    "EXPRESS_PROMPTS",
+    "EXPRESS_INJECTION_PROMPT",
+    "EXPRESS_AUTH_BYPASS_PROMPT",
+    "EXPRESS_IDOR_PROMPT",
+    "EXPRESS_SSRF_PROMPT",
+    "EXPRESS_DATA_EXPOSURE_PROMPT",
+    "EXPRESS_MISCONFIGURATION_PROMPT",
+]

openhack/prompts/express/auth_bypass.py

@@ -0,0 +1,71 @@
+"""
+Express.js authentication/authorization bypass detection prompt.
+"""
+
+EXPRESS_AUTH_BYPASS_PROMPT = """## Authentication/Authorization Bypass in Express.js
+
+### What to Look For
+
+1. **Routes missing auth middleware**
+2. **Passport.js misconfiguration**
+3. **JWT vulnerabilities (none algorithm, weak secret)**
+4. **Broken middleware ordering**
+
+### Express-Specific Patterns
+
+**Missing Middleware (Vulnerable)**:
+```javascript
+// VULNERABLE: No auth middleware on sensitive route
+app.delete('/api/users/:id', async (req, res) => {
+  await User.findByIdAndDelete(req.params.id);
+  res.json({ deleted: true });
+});
+
+// SAFE: Auth middleware applied
+app.delete('/api/users/:id', authenticate, authorize('admin'), async (req, res) => {
+  ...
+});
+```
+
+**Route Group Gaps (Vulnerable)**:
+```javascript
+// VULNERABLE: Auth applied to router but some routes added before
+app.get('/api/admin/stats', getStats);       // No auth!
+app.use('/api/admin', authMiddleware);        // Auth applied AFTER
+app.get('/api/admin/users', getAdminUsers);   // Protected
+```
+
+**JWT Vulnerabilities (Vulnerable)**:
+```javascript
+// VULNERABLE: No algorithm restriction
+const decoded = jwt.verify(token, secret);  // Accepts 'none' algorithm!
+
+// VULNERABLE: Weak/hardcoded secret
+const token = jwt.sign(payload, 'secret123');
+
+// SAFE: Algorithm whitelist
+const decoded = jwt.verify(token, secret, { algorithms: ['HS256'] });
+```
+
+**Passport.js Gaps (Vulnerable)**:
+```javascript
+// VULNERABLE: isAuthenticated() check missing
+app.get('/profile', (req, res) => {
+  res.json(req.user);  // req.user may be undefined
+});
+```
+
+### Search Patterns
+
+1. `grep` for: `app\\.get\\(`, `app\\.post\\(`, `router\\.get\\(` -- check for auth middleware
+2. `grep` for: `jwt\\.verify`, `jwt\\.sign` -- check algorithm and secret
+3. `grep` for: `passport\\.authenticate`, `isAuthenticated`
+4. Check middleware ordering in main app file
+
+### Severity Assessment
+
+- **Critical**: Admin endpoints accessible without auth
+- **High**: User data modification without auth
+- **Medium**: Auth bypass with limited scope
+- **Low**: Informational endpoints exposed
+"""

openhack/prompts/express/data_exposure.py

@@ -0,0 +1,77 @@
+"""
+Express.js data exposure detection prompt.
+"""
+
+EXPRESS_DATA_EXPOSURE_PROMPT = """## Data Exposure in Express.js
+
+### What to Look For
+
+1. **Returning full model objects including password hashes**
+2. **Verbose error middleware exposing stack traces**
+3. **Missing field selection on database queries**
+4. **Environment variables or secrets in responses**
+
+### Express-Specific Patterns
+
+**Full Model Leak (Vulnerable)**:
+```javascript
+// VULNERABLE: Returns entire user object including password hash
+app.get('/api/users/:id', async (req, res) => {
+  const user = await User.findById(req.params.id);
+  res.json(user);  // Includes password, tokens, internal fields!
+});
+
+// SAFE: Select only needed fields (Mongoose)
+const user = await User.findById(req.params.id).select('-password -__v');
+
+// SAFE: Pick fields explicitly
+const { id, name, email } = await User.findById(req.params.id);
+res.json({ id, name, email });
+```
+
+**Error Middleware Leak (Vulnerable)**:
+```javascript
+// VULNERABLE: Stack traces in production
+app.use((err, req, res, next) => {
+  res.status(500).json({
+    error: err.message,
+    stack: err.stack,       // Full stack trace!
+    query: err.sql,         // SQL query that failed!
+  });
+});
+```
+
+**Sequelize/Prisma Over-fetching (Vulnerable)**:
+```javascript
+// VULNERABLE: Returns all columns
+const users = await prisma.user.findMany();  // Includes password hash!
+res.json(users);
+
+// SAFE: Select specific fields
+const users = await prisma.user.findMany({
+  select: { id: true, name: true, email: true },
+});
+```
+
+**Env Vars in Response (Vulnerable)**:
+```javascript
+// VULNERABLE: Leaking config/secrets
+app.get('/api/config', (req, res) => {
+  res.json(process.env);  // ALL env vars including secrets!
+});
+```
+
+### Search Patterns
+
+1. `grep` for: `res\\.json\\(` with model variable -- check if sensitive fields excluded
+2. `grep` for: `err\\.stack`, `err\\.sql` in error handlers
+3. `grep` for: `\\.select\\('-password` -- verify password exclusion exists
+4. `grep` for: `process\\.env` in API responses
+
+### Severity Assessment
+
+- **Critical**: Password hashes, API keys, or secrets in API responses
+- **High**: PII (email, phone, address) exposed to unauthorized users
+- **Medium**: Stack traces or SQL queries in error responses
+- **Low**: Non-sensitive internal data leakage
+"""

openhack/prompts/express/idor.py

@@ -0,0 +1,69 @@
+"""
+Express.js IDOR (Insecure Direct Object Reference) detection prompt.
+"""
+
+EXPRESS_IDOR_PROMPT = """## IDOR (Insecure Direct Object Reference) Detection in Express.js
+
+### What to Look For
+
+1. **req.params.id used directly in DB queries without ownership check**
+2. **Missing user scoping in Mongoose/Sequelize/Prisma queries**
+3. **Enumerable IDs (sequential integers)**
+
+### Express-Specific Patterns
+
+**Mongoose (Vulnerable)**:
+```javascript
+// VULNERABLE: No ownership check
+app.get('/api/documents/:id', async (req, res) => {
+  const doc = await Document.findById(req.params.id);
+  res.json(doc);  // Any user can access any document
+});
+
+// SAFE: Scoped to user
+app.get('/api/documents/:id', auth, async (req, res) => {
+  const doc = await Document.findOne({ _id: req.params.id, owner: req.user.id });
+  if (!doc) return res.status(404).json({ error: 'Not found' });
+  res.json(doc);
+});
+```
+
+**Prisma (Vulnerable)**:
+```javascript
+// VULNERABLE: Direct ID lookup without ownership
+app.get('/api/orders/:id', async (req, res) => {
+  const order = await prisma.order.findUnique({
+    where: { id: req.params.id },  // No userId filter!
+  });
+  res.json(order);
+});
+```
+
+**Sequelize (Vulnerable)**:
+```javascript
+// VULNERABLE: No user scoping
+app.put('/api/posts/:id', auth, async (req, res) => {
+  const post = await Post.findByPk(req.params.id);
+  await post.update(req.body);  // Any user can update any post!
+});
+
+// SAFE: Scoped query
+const post = await Post.findOne({
+  where: { id: req.params.id, userId: req.user.id }
+});
+```
+
+### Search Patterns
+
+1. `grep` for: `findById\\(req\\.params`, `findByPk\\(req\\.params`
+2. `grep` for: `findUnique.*req\\.params`, `findOne.*req\\.params`
+3. Check if queries include `userId`, `ownerId`, or `req.user` scoping
+4. Look for `req.params.id` flowing to any DB query without ownership check
+
+### Severity Assessment
+
+- **Critical**: Access to other users' sensitive data (PII, financial)
+- **High**: Modification of other users' resources
+- **Medium**: Read access to non-sensitive resources
+- **Low**: Informational leaks with no security impact
+"""

openhack/prompts/express/injection.py

@@ -0,0 +1,75 @@
+"""
+Express.js injection vulnerabilities detection prompt.
+"""
+
+EXPRESS_INJECTION_PROMPT = """## Injection Vulnerabilities in Express.js
+
+### What to Look For
+
+1. **SQL injection via raw queries or string concatenation**
+2. **NoSQL injection via MongoDB operator injection**
+3. **Command injection via child_process**
+4. **eval / new Function with user input**
+
+### Express-Specific Patterns
+
+**SQL Injection (Vulnerable)**:
+```javascript
+// VULNERABLE: String concatenation in queries
+app.get('/users', (req, res) => {
+  const query = `SELECT * FROM users WHERE name = '${req.query.name}'`;
+  pool.query(query);  // SQL injection!
+});
+
+// VULNERABLE: Sequelize literal / raw
+const users = await User.findAll({
+  where: sequelize.literal(`name = '${req.body.name}'`),
+});
+const result = await sequelize.query(`SELECT * FROM t WHERE id = ${req.params.id}`);
+
+// VULNERABLE: Knex raw
+const rows = await knex.raw(`SELECT * FROM users WHERE id = ${req.params.id}`);
+
+// SAFE: Parameterized
+pool.query('SELECT * FROM users WHERE name = $1', [req.query.name]);
+```
+
+**NoSQL Injection (Vulnerable)**:
+```javascript
+// VULNERABLE: MongoDB operator injection
+app.post('/login', async (req, res) => {
+  const user = await User.findOne({
+    email: req.body.email,
+    password: req.body.password,  // { "$ne": "" } bypasses auth!
+  });
+});
+
+// SAFE: Coerce to string
+const email = String(req.body.email);
+```
+
+**Command Injection (Vulnerable)**:
+```javascript
+// VULNERABLE: exec with user input
+const { exec } = require('child_process');
+exec(`convert ${req.body.filename} output.png`);
+
+// SAFE: execFile with args array
+const { execFile } = require('child_process');
+execFile('convert', [req.body.filename, 'output.png']);
+```
+
+### Search Patterns
+
+1. `grep` for: `pool\\.query\\(`, `\\.query\\(.*\\$\\{`, `sequelize\\.query`
+2. `grep` for: `\\.findOne\\(`, `\\.find\\(` -- check for untyped body params
+3. `grep` for: `exec\\(`, `execSync\\(`, `spawn\\(` with template literals
+4. `grep` for: `eval\\(`, `new Function\\(`, `vm\\.runIn`
+
+### Severity Assessment
+
+- **Critical**: SQL injection allowing data extraction or modification
+- **Critical**: Command injection allowing code execution
+- **High**: NoSQL injection with authentication bypass
+- **Medium**: Limited injection with restricted impact
+"""

openhack/prompts/express/misconfiguration.py

@@ -0,0 +1,72 @@
+"""
+Express.js security misconfiguration detection prompt.
+"""
+
+EXPRESS_MISCONFIGURATION_PROMPT = """## Security Misconfiguration in Express.js
+
+### What to Look For
+
+1. **Overly permissive CORS configuration**
+2. **Missing helmet security headers**
+3. **express.static serving sensitive directories**
+4. **Verbose X-Powered-By header**
+
+### Express-Specific Patterns
+
+**CORS Misconfiguration (Vulnerable)**:
+```javascript
+// VULNERABLE: Allow all origins with credentials
+const cors = require('cors');
+app.use(cors({ origin: true, credentials: true }));
+
+// VULNERABLE: Wildcard origin
+app.use(cors({ origin: '*' }));
+
+// VULNERABLE: Reflecting Origin header without validation
+app.use(cors({
+  origin: (origin, callback) => callback(null, true),
+  credentials: true,
+}));
+
+// SAFE: Allowlist
+app.use(cors({ origin: ['https://app.example.com'], credentials: true }));
+```
+
+**Missing Helmet (Vulnerable)**:
+```javascript
+// VULNERABLE: No security headers
+const app = express();
+// Missing: app.use(helmet());
+// No X-Content-Type-Options, no CSP, no HSTS, etc.
+```
+
+**Static File Exposure (Vulnerable)**:
+```javascript
+// VULNERABLE: Serving project root or sensitive dirs
+app.use(express.static('.'));           // Exposes .env, package.json
+app.use(express.static('..'));          // Parent directory!
+app.use('/files', express.static('/'));  // Entire filesystem!
+```
+
+**Trust Proxy Misconfiguration**:
+```javascript
+// VULNERABLE: Trusting all proxies
+app.set('trust proxy', true);  // Accepts any X-Forwarded-For
+// Allows IP spoofing for rate limiters, geo-blocking, logging
+```
+
+### Search Patterns
+
+1. `grep` for: `cors\\(`, `origin:` -- check CORS configuration
+2. `grep` for: `helmet` -- verify it's actually used (not just installed)
+3. `grep` for: `express\\.static` -- check what directories are served
+4. `grep` for: `trust proxy`, `X-Powered-By`, `app\\.disable`
+
+### Severity Assessment
+
+- **High**: CORS allowing all origins with credentials
+- **High**: express.static serving .env or project root
+- **Medium**: Missing helmet / security headers
+- **Medium**: Trust proxy misconfiguration
+- **Low**: X-Powered-By header not disabled
+"""

openhack/prompts/express/ssrf.py

@@ -0,0 +1,63 @@
+"""
+Express.js SSRF detection prompt.
+"""
+
+EXPRESS_SSRF_PROMPT = """## SSRF (Server-Side Request Forgery) in Express.js
+
+### What to Look For
+
+1. **User-controlled URLs passed to HTTP clients (axios, fetch, got, undici)**
+2. **Webhook/callback URL injection**
+3. **URL fetching in proxy or preview features**
+4. **Image/file download from user-provided URLs**
+
+### Express-Specific Patterns
+
+**Axios / node-fetch (Vulnerable)**:
+```javascript
+// VULNERABLE: User-controlled URL
+app.post('/api/fetch-preview', async (req, res) => {
+  const response = await axios.get(req.body.url);  // SSRF!
+  res.json({ title: parseTitle(response.data) });
+});
+
+// VULNERABLE: fetch with user URL
+const data = await fetch(req.query.url);
+
+// VULNERABLE: got / undici
+const response = await got(req.body.webhook_url);
+```
+
+**Proxy Pattern (Vulnerable)**:
+```javascript
+// VULNERABLE: Proxying requests to user-specified hosts
+app.all('/proxy/*', async (req, res) => {
+  const target = req.params[0];  // User controls destination
+  const response = await axios.get(`http://${target}`);
+  res.send(response.data);
+});
+```
+
+**Webhook Registration (Vulnerable)**:
+```javascript
+// VULNERABLE: Storing and later calling user-provided URLs
+app.post('/api/webhooks', auth, async (req, res) => {
+  await Webhook.create({ url: req.body.url, userId: req.user.id });
+  // Later: axios.post(webhook.url, eventPayload) -- hits internal services
+});
+```
+
+### Search Patterns
+
+1. `grep` for: `axios\\.get\\(`, `axios\\.post\\(`, `axios\\(`
+2. `grep` for: `fetch\\(`, `got\\(`, `undici`
+3. `grep` for: `http\\.request\\(`, `https\\.request\\(`
+4. Trace URL argument -- does it come from `req.body`, `req.query`, `req.params`?
+
+### Severity Assessment
+
+- **High**: SSRF reaching cloud metadata (169.254.169.254) or internal services
+- **High**: SSRF with response body returned to attacker
+- **Medium**: Blind SSRF (request sent, no response returned)
+- **Low**: SSRF limited to specific protocols or hosts by validation
+"""