openhack 0.1.0__py3-none-any.whl

openhack/prompts/nextjs/csrf.py

@@ -0,0 +1,71 @@
+"""
+Next.js CSRF (Cross-Site Request Forgery) detection prompt.
+"""
+
+NEXTJS_CSRF_PROMPT = """## CSRF (Cross-Site Request Forgery) Detection in Next.js
+
+### What to Look For
+
+1. **State-changing operations without CSRF tokens**
+2. **Server Actions without proper validation**
+3. **API routes accepting mutations without origin checks**
+
+### Next.js Specific Patterns
+
+**Server Actions (Next.js 14+)**:
+Server Actions have built-in CSRF protection via the `next-action` header, BUT:
+
+```typescript
+'use server'
+// POTENTIALLY VULNERABLE: If called via direct POST without header check
+async function deleteAccount() {
+  const session = await getSession();
+  await db.user.delete({ where: { id: session.userId } });
+}
+```
+
+**API Routes (Vulnerable)**:
+```typescript
+// pages/api/user/delete.ts
+export default async function handler(req, res) {
+  if (req.method !== 'POST') return res.status(405).end();
+  
+  // VULNERABLE: No CSRF token validation
+  const session = await getSession(req);
+  await db.user.delete({ where: { id: session.userId } });
+  res.json({ success: true });
+}
+```
+
+**Route Handlers (App Router)**:
+```typescript
+// app/api/transfer/route.ts
+export async function POST(req: Request) {
+  // VULNERABLE: No origin/referer check, no CSRF token
+  const { to, amount } = await req.json();
+  await transferMoney(to, amount);
+  return Response.json({ success: true });
+}
+```
+
+### Protection Checks
+
+1. Look for CSRF token validation in forms/API calls
+2. Check for `SameSite` cookie attributes
+3. Verify origin/referer header checks on sensitive endpoints
+4. Check if using libraries like `csrf` or `next-auth` (which handles CSRF)
+
+### Search Patterns
+
+1. `grep` for: state-changing operations (delete, update, create, transfer)
+2. Check if they validate CSRF tokens
+3. Look for `SameSite` in cookie configuration
+4. Check `next-auth` config for CSRF settings
+
+### Severity Assessment
+
+- **Critical**: Financial transactions, account deletion without CSRF
+- **High**: Data modification affecting user security
+- **Medium**: Non-sensitive data modification
+- **Low**: Actions with limited impact
+"""

openhack/prompts/nextjs/data_exposure.py

@@ -0,0 +1,88 @@
+"""
+Next.js sensitive data exposure detection prompt.
+"""
+
+NEXTJS_DATA_EXPOSURE_PROMPT = """## Sensitive Data Exposure in Next.js
+
+### What to Look For
+
+1. **Secrets in client bundles**
+2. **Sensitive data in server component props**
+3. **Verbose error messages**
+4. **Exposed environment variables**
+
+### Client Bundle Leaks
+
+**Exposed Env Variables**:
+```typescript
+// VULNERABLE: NEXT_PUBLIC_ exposes to client
+// .env
+NEXT_PUBLIC_API_KEY=secret123  // Exposed in browser!
+DATABASE_URL=...               // Safe, server only
+
+// next.config.js
+module.exports = {
+  env: {
+    SECRET_KEY: process.env.SECRET_KEY, // EXPOSED to client!
+  },
+};
+```
+
+**Server-to-Client Data Leak**:
+```tsx
+// VULNERABLE: Server component passing sensitive data to client
+async function Page() {
+  const user = await db.user.findUnique({
+    where: { id: session.userId },
+    include: { password: true } // Oops!
+  });
+  return <ClientComponent user={user} />; // Password sent to client!
+}
+```
+
+### API Response Leaks
+
+```typescript
+// VULNERABLE: Returning full user object
+export async function GET() {
+  const users = await db.user.findMany();
+  return Response.json(users); // Includes passwords, tokens, etc!
+}
+
+// SAFE: Select specific fields
+export async function GET() {
+  const users = await db.user.findMany({
+    select: { id: true, name: true, email: true }
+  });
+  return Response.json(users);
+}
+```
+
+### Error Information Leaks
+
+```typescript
+// VULNERABLE: Exposing stack traces
+export async function GET() {
+  try {
+    // ...
+  } catch (error) {
+    return Response.json({ error: error.stack }); // Stack trace exposed!
+  }
+}
+```
+
+### Search Patterns
+
+1. `grep` for: `NEXT_PUBLIC_` env vars (check what's exposed)
+2. Check `next.config.js` for `env` configuration
+3. `grep` for: `.env` file reads
+4. Look for full model objects passed to client components
+5. Check error handlers for verbose messages
+
+### Severity Assessment
+
+- **Critical**: API keys, database credentials exposed
+- **High**: User passwords, tokens, PII exposed
+- **Medium**: Internal paths, versions exposed
+- **Low**: Non-sensitive debug information
+"""

openhack/prompts/nextjs/idor.py

@@ -0,0 +1,64 @@
+"""
+Next.js IDOR (Insecure Direct Object Reference) detection prompt.
+"""
+
+NEXTJS_IDOR_PROMPT = """## IDOR (Insecure Direct Object Reference) Detection in Next.js
+
+### What to Look For
+
+1. **Route parameters used directly in database queries**
+   - App Router: `params.id` in route handlers or server components
+   - Pages Router: `req.query.id` in API routes
+   
+2. **Missing ownership verification**
+   - User can access resources belonging to other users
+   - No check that `resource.userId === session.userId`
+
+3. **Predictable IDs**
+   - Sequential numeric IDs (1, 2, 3...)
+   - UUIDs are safer but not sufficient alone
+
+### Next.js Specific Patterns
+
+**App Router (Vulnerable)**:
+```typescript
+// app/api/users/[id]/route.ts
+export async function GET(req: Request, { params }: { params: { id: string } }) {
+  // VULNERABLE: No auth check, direct ID usage
+  const user = await db.user.findUnique({ where: { id: params.id } });
+  return Response.json(user);
+}
+```
+
+**Pages Router (Vulnerable)**:
+```typescript
+// pages/api/posts/[id].ts
+export default async function handler(req, res) {
+  // VULNERABLE: Anyone can access any post by ID
+  const post = await prisma.post.findUnique({ where: { id: req.query.id } });
+  res.json(post);
+}
+```
+
+**Server Actions (Vulnerable)**:
+```typescript
+'use server'
+async function getDocument(documentId: string) {
+  // VULNERABLE: No ownership check
+  return await db.document.findUnique({ where: { id: documentId } });
+}
+```
+
+### Search Patterns
+
+1. `grep` for: `params\\.\\w+`, `req\\.query`, `searchParams\\.get`
+2. Check if these values go directly to database queries
+3. Look for missing session/auth checks before the query
+
+### Severity Assessment
+
+- **Critical**: Access to other users' sensitive data (PII, financial)
+- **High**: Access to other users' content/resources
+- **Medium**: Access to metadata or non-sensitive resources
+- **Low**: Informational leaks with no security impact
+"""

openhack/prompts/nextjs/injection.py

@@ -0,0 +1,65 @@
+"""
+Next.js injection vulnerabilities detection prompt.
+"""
+
+NEXTJS_INJECTION_PROMPT = """## Injection Vulnerabilities in Next.js
+
+### SQL Injection
+
+**Prisma (Usually Safe)**:
+```typescript
+// SAFE: Parameterized query
+await prisma.user.findMany({ where: { email: userInput } });
+
+// VULNERABLE: Raw query with interpolation
+await prisma.$queryRaw`SELECT * FROM users WHERE email = '${userInput}'`;
+await prisma.$executeRawUnsafe(`DELETE FROM users WHERE id = ${id}`);
+```
+
+**Raw Database Drivers**:
+```typescript
+// VULNERABLE: String concatenation
+const result = await pool.query(`SELECT * FROM users WHERE id = '${userId}'`);
+
+// SAFE: Parameterized
+const result = await pool.query('SELECT * FROM users WHERE id = $1', [userId]);
+```
+
+### NoSQL Injection (MongoDB)
+
+```typescript
+// VULNERABLE: Object injection
+const user = await User.findOne({ email: req.body.email, password: req.body.password });
+// Attack: { "email": "admin@example.com", "password": { "$ne": "" } }
+
+// SAFE: Type validation
+const email = String(req.body.email);
+const password = String(req.body.password);
+```
+
+### Command Injection
+
+```typescript
+// VULNERABLE
+import { exec } from 'child_process';
+exec(`convert ${userFilename} output.png`); // Command injection!
+
+// SAFE: Use execFile with arguments array
+import { execFile } from 'child_process';
+execFile('convert', [userFilename, 'output.png']);
+```
+
+### Search Patterns
+
+1. `grep` for: `\\$queryRaw`, `\\$executeRaw`, `query\\(.*\\$\\{`
+2. `grep` for: `exec\\(`, `execSync\\(`, `spawn\\(`
+3. `grep` for: `eval\\(`, `new Function\\(`
+4. Look for string interpolation with user input in queries
+
+### Severity Assessment
+
+- **Critical**: SQL injection allowing data extraction or modification
+- **Critical**: Command injection allowing code execution
+- **High**: NoSQL injection with auth bypass
+- **Medium**: Limited injection with restricted impact
+"""

openhack/prompts/nextjs/middleware_bypass.py

@@ -0,0 +1,75 @@
+"""
+Next.js middleware bypass vulnerabilities detection prompt.
+"""
+
+NEXTJS_MIDDLEWARE_BYPASS_PROMPT = """## Next.js Middleware Bypass Vulnerabilities
+
+### Path Normalization Issues
+
+```typescript
+// middleware.ts
+export function middleware(req: NextRequest) {
+  const path = req.nextUrl.pathname;
+  
+  // VULNERABLE: Can be bypassed
+  if (path.startsWith('/admin')) {
+    // Bypass attempts:
+    // - /Admin (case sensitivity)
+    // - /admin/../admin (path traversal)
+    // - /%61dmin (URL encoding)
+    // - /admin. or /admin/ (trailing characters)
+  }
+}
+```
+
+### Matcher Pattern Gaps
+
+```typescript
+export const config = {
+  // VULNERABLE patterns:
+  matcher: '/api/:path*',           // Misses /api (no trailing path)
+  matcher: ['/dashboard', '/admin'], // Misses /dashboard/settings
+  
+  // BETTER patterns:
+  matcher: ['/api/:path*', '/api'],
+  matcher: ['/(dashboard|admin)/:path*'],
+};
+```
+
+### Static File Bypass
+
+```typescript
+// middleware.ts
+export function middleware(req) {
+  // VULNERABLE: Attackers can add _next/static to path
+  // Request: /admin?_next/static/bypass
+  if (req.nextUrl.pathname.includes('_next/static')) {
+    return NextResponse.next(); // Bypass!
+  }
+}
+```
+
+### Rewrite/Redirect Issues
+
+```typescript
+// VULNERABLE: Redirect without validation
+export function middleware(req) {
+  const redirect = req.nextUrl.searchParams.get('redirect');
+  return NextResponse.redirect(redirect); // Open redirect!
+}
+```
+
+### Search Patterns
+
+1. Read `middleware.ts` completely
+2. Check matcher patterns for gaps
+3. Look for path-based auth logic
+4. Check for redirect/rewrite with user input
+
+### Severity Assessment
+
+- **Critical**: Auth bypass to admin areas
+- **High**: Auth bypass to user data
+- **Medium**: Bypass to non-sensitive areas
+- **Low**: Minor path handling issues
+"""

openhack/prompts/nextjs/misconfiguration.py

@@ -0,0 +1,92 @@
+"""
+Next.js security misconfigurations detection prompt.
+"""
+
+NEXTJS_MISCONFIGURATION_PROMPT = """## Security Misconfigurations in Next.js
+
+### Security Headers
+
+**next.config.js**:
+```javascript
+// Check for security headers
+module.exports = {
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: [
+          // SHOULD HAVE:
+          { key: 'X-Frame-Options', value: 'DENY' },
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+          { key: 'Content-Security-Policy', value: "default-src 'self'" },
+          { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
+        ],
+      },
+    ];
+  },
+};
+```
+
+### CORS Configuration
+
+```typescript
+// VULNERABLE: Wildcard CORS
+export async function GET(req: Request) {
+  return new Response(data, {
+    headers: {
+      'Access-Control-Allow-Origin': '*', // Too permissive!
+      'Access-Control-Allow-Credentials': 'true', // Dangerous with *
+    },
+  });
+}
+```
+
+### Exposed .next Directory
+
+Check if `.next` directory is accessible:
+- `/.next/server/pages-manifest.json`
+- `/.next/BUILD_ID`
+
+### Debug Mode in Production
+
+```javascript
+// next.config.js
+module.exports = {
+  // VULNERABLE in production:
+  reactStrictMode: false,
+  productionBrowserSourceMaps: true, // Exposes source code!
+};
+```
+
+### Insecure redirects/rewrites
+
+```javascript
+// next.config.js
+module.exports = {
+  async redirects() {
+    return [
+      {
+        source: '/redirect',
+        destination: '/:path*', // VULNERABLE: Open redirect potential
+        permanent: false,
+      },
+    ];
+  },
+};
+```
+
+### Search Patterns
+
+1. Read `next.config.js` completely
+2. Check for security headers configuration
+3. Look for CORS settings in API routes
+4. Check for `productionBrowserSourceMaps`
+5. Review redirect/rewrite rules
+
+### Severity Assessment
+
+- **High**: Missing critical security headers, wildcard CORS with credentials
+- **Medium**: Missing some headers, overly permissive CORS
+- **Low**: Missing optional headers, minor misconfigurations
+"""

openhack/prompts/nextjs/server_actions.py

@@ -0,0 +1,97 @@
+"""
+Next.js server actions security detection prompt.
+"""
+
+NEXTJS_SERVER_ACTIONS_PROMPT = """## Server Actions Security in Next.js
+
+### What to Look For
+
+1. **Missing input validation**
+2. **Missing authentication checks**
+3. **Mass assignment vulnerabilities**
+4. **Race conditions**
+
+### Authentication in Server Actions
+
+```typescript
+'use server'
+
+// VULNERABLE: No auth check
+export async function deletePost(postId: string) {
+  await db.post.delete({ where: { id: postId } });
+}
+
+// SAFE: Auth check
+export async function deletePost(postId: string) {
+  const session = await auth();
+  if (!session) throw new Error('Unauthorized');
+  
+  const post = await db.post.findUnique({ where: { id: postId } });
+  if (post.authorId !== session.user.id) throw new Error('Forbidden');
+  
+  await db.post.delete({ where: { id: postId } });
+}
+```
+
+### Input Validation
+
+```typescript
+'use server'
+
+// VULNERABLE: No validation
+export async function updateUser(data: FormData) {
+  const name = data.get('name');
+  const email = data.get('email');
+  await db.user.update({ 
+    where: { id: session.userId },
+    data: { name, email } // What if email is malicious?
+  });
+}
+
+// SAFE: Validate with Zod
+import { z } from 'zod';
+const schema = z.object({
+  name: z.string().min(1).max(100),
+  email: z.string().email(),
+});
+
+export async function updateUser(data: FormData) {
+  const validated = schema.parse({
+    name: data.get('name'),
+    email: data.get('email'),
+  });
+  // ...
+}
+```
+
+### Mass Assignment
+
+```typescript
+'use server'
+
+// VULNERABLE: Spreading all form data
+export async function updateProfile(data: FormData) {
+  const updates = Object.fromEntries(data);
+  await db.user.update({
+    where: { id: session.userId },
+    data: updates, // User could add: role: 'admin'!
+  });
+}
+```
+
+### Search Patterns
+
+1. `grep` for: `'use server'` and `"use server"`
+2. Check each server action for:
+   - Session/auth validation
+   - Input validation (zod, yup, etc.)
+   - Ownership checks on resources
+3. Look for `Object.fromEntries` or spread operators with form data
+
+### Severity Assessment
+
+- **Critical**: Unauthenticated server actions modifying data
+- **High**: Missing authorization checks (IDOR via server actions)
+- **Medium**: Missing input validation with limited impact
+- **Low**: Minor validation gaps
+"""

openhack/prompts/nextjs/ssrf.py

@@ -0,0 +1,66 @@
+"""
+Next.js SSRF (Server-Side Request Forgery) detection prompt.
+"""
+
+NEXTJS_SSRF_PROMPT = """## SSRF (Server-Side Request Forgery) Detection in Next.js
+
+### What to Look For
+
+1. **User-controlled URLs in server-side fetch/axios calls**
+2. **URL parameters used in API requests**
+3. **Image/file fetching from user-provided URLs**
+
+### Next.js Specific Patterns
+
+**Route Handlers / API Routes**:
+```typescript
+// VULNERABLE: User-controlled URL
+export async function GET(req: Request) {
+  const url = new URL(req.url).searchParams.get('url');
+  const response = await fetch(url); // SSRF!
+  return Response.json(await response.json());
+}
+```
+
+**Server Components**:
+```typescript
+// VULNERABLE: URL from searchParams used in fetch
+async function Page({ searchParams }) {
+  const data = await fetch(searchParams.apiUrl); // SSRF!
+  return <div>{data}</div>;
+}
+```
+
+**Image Optimization**:
+```typescript
+// next.config.js - Check remotePatterns
+module.exports = {
+  images: {
+    // VULNERABLE: Too permissive
+    remotePatterns: [{ protocol: 'https', hostname: '**' }],
+  },
+};
+```
+
+**Webhook Handlers**:
+```typescript
+// VULNERABLE: Fetching user-provided callback URL
+async function handleWebhook(callbackUrl: string, data: any) {
+  await fetch(callbackUrl, { method: 'POST', body: JSON.stringify(data) });
+}
+```
+
+### Search Patterns
+
+1. `grep` for: `fetch\\(.*(?:req|params|query|searchParams)`
+2. `grep` for: `axios\\.(?:get|post)\\(.*(?:req|params|query)`
+3. `grep` for: URL construction with user input
+4. Check `next.config.js` for `images.remotePatterns`
+
+### Severity Assessment
+
+- **Critical**: Can reach internal services, cloud metadata (169.254.169.254)
+- **High**: Can scan internal network, access internal APIs
+- **Medium**: Limited internal access, some filtering in place
+- **Low**: External SSRF only, minimal impact
+"""

openhack/prompts/nextjs/xss.py

@@ -0,0 +1,69 @@
+"""
+Next.js XSS (Cross-Site Scripting) detection prompt.
+"""
+
+NEXTJS_XSS_PROMPT = """## XSS (Cross-Site Scripting) Detection in Next.js
+
+### What to Look For
+
+1. **dangerouslySetInnerHTML with user input**
+2. **Unescaped rendering in non-React contexts**
+3. **DOM manipulation with user data**
+4. **URL-based XSS via searchParams/query**
+
+### Next.js Specific Patterns
+
+**React (Usually Safe)**:
+React auto-escapes by default, but watch for:
+
+```tsx
+// VULNERABLE: dangerouslySetInnerHTML with user content
+function Comment({ content }) {
+  return <div dangerouslySetInnerHTML={{ __html: content }} />;
+}
+
+// VULNERABLE: User input in href without validation
+function Link({ url }) {
+  return <a href={url}>Click</a>; // javascript: URLs are XSS
+}
+
+// VULNERABLE: User input in event handlers
+function Button({ onClick }) {
+  return <button onClick={() => eval(onClick)}>Click</button>;
+}
+```
+
+**Server Components (App Router)**:
+```tsx
+// Less XSS risk but watch for:
+async function Page({ searchParams }) {
+  // If this HTML is rendered unsafely downstream
+  const userHtml = searchParams.content;
+  return <RenderMarkdown content={userHtml} />; // Depends on RenderMarkdown implementation
+}
+```
+
+**API Routes returning HTML**:
+```typescript
+// pages/api/preview.ts
+export default function handler(req, res) {
+  // VULNERABLE: Reflecting user input as HTML
+  res.setHeader('Content-Type', 'text/html');
+  res.send(`<html><body>${req.query.content}</body></html>`);
+}
+```
+
+### Search Patterns
+
+1. `grep` for: `dangerouslySetInnerHTML`, `innerHTML`, `__html`
+2. `grep` for: `document\\.write`, `eval\\(`, `new Function\\(`
+3. Look for user input flowing to these sinks
+4. Check markdown/rich text renderers for sanitization
+
+### Severity Assessment
+
+- **Critical**: Stored XSS affecting all users
+- **High**: Reflected XSS requiring social engineering
+- **Medium**: Self-XSS or limited scope
+- **Low**: XSS with significant barriers to exploitation
+"""