websec-validator 0.2.2__tar.gz → 0.2.3__tar.gz

{websec_validator-0.2.2/src/websec_validator.egg-info → websec_validator-0.2.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.2
+Version: 0.2.3
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT
@@ -171,9 +171,9 @@ the next dynamic probes (explicitly gated — they mutate).
 
 ## Validated on
 
-HugoCross (Next.js), `wu-whatsappinbox` (106-service Express/AWS monorepo), VAmPI, NodeGoat, DVGA —
-independently reproducing a hand-done pentest's findings (tenant boundary, SSO-endpoint SSRF, media
-upload, conversation-BOLA routes, roles).
+A production Next.js app, a large Express/AWS monorepo, and the VAmPI / NodeGoat / DVGA vuln-app
+corpus — independently reproducing a hand-done pentest's findings (tenant boundary, SSRF, file
+upload, cross-tenant BOLA, role/authz gaps).
 
 ## Tests
 

{websec_validator-0.2.2 → websec_validator-0.2.3}/README.md

@@ -159,9 +159,9 @@ the next dynamic probes (explicitly gated — they mutate).
 
 ## Validated on
 
-HugoCross (Next.js), `wu-whatsappinbox` (106-service Express/AWS monorepo), VAmPI, NodeGoat, DVGA —
-independently reproducing a hand-done pentest's findings (tenant boundary, SSO-endpoint SSRF, media
-upload, conversation-BOLA routes, roles).
+A production Next.js app, a large Express/AWS monorepo, and the VAmPI / NodeGoat / DVGA vuln-app
+corpus — independently reproducing a hand-done pentest's findings (tenant boundary, SSRF, file
+upload, cross-tenant BOLA, role/authz gaps).
 
 ## Tests
 

{websec_validator-0.2.2 → websec_validator-0.2.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "websec-validator"
-version = "0.2.2"
+version = "0.2.3"
 description = "Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app."
 readme = "README.md"
 requires-python = ">=3.11"

{websec_validator-0.2.2 → websec_validator-0.2.3}/src/websec_validator/extractors/auth.py

@@ -47,7 +47,7 @@ class AuthExtractor(Extractor):
 
         # Detect ALL schemes present, then pick a primary by priority. A JWT app
         # that also wires Passport for SSO must read as primary=jwt, not passport
-        # (the bug the WhatsApp app exposed). Priority: nextauth > jwt > session > passport > api-key.
+        # (Passport is often SSO-only). Priority: nextauth > jwt > session > passport > api-key.
         detected = []
         if nextauth:
             detected.append("nextauth (session JWT in cookie)")

{websec_validator-0.2.2 → websec_validator-0.2.3}/src/websec_validator/probes.py

@@ -136,6 +136,11 @@ def stage(chosen: list, outdir: Path, facts: dict | None = None) -> list:
     manifest = [{"key": "_context", "file": "probes/probe-context.json",
                  "note": "the target's real routes/auth/fields — finalize the drafts against this"}]
     src_root = resources.files("websec_validator").joinpath("templates/probes")
+    # always ship the shared helper the Python probes import (load context + env auth)
+    try:
+        (dest / "_lib.py").write_text(src_root.joinpath("_lib.py").read_text())
+    except Exception:
+        pass
     for key in chosen:
         fname, attack, needs = PROBES[key]
         targets = (tgt.get(_TARGET_KEYS[key], []) if key in _TARGET_KEYS else [])[:15]

websec_validator-0.2.3/src/websec_validator/templates/probes/_lib.py

@@ -0,0 +1,90 @@
+"""Shared probe helpers — load THIS target's real surface from probe-context.json
+(written by `websec run`) and auth/ids from environment variables.
+
+Why env vars: recon gives you the real endpoints, auth scheme, and tenant key — but it
+cannot mint live tokens or know real object ids. You (or your agent, against a TEST
+instance) supply those:
+
+    TARGET=http://localhost:3000          # base URL (or set target_base_url in probe-context.json)
+    TOKEN_A=...  TOKEN_B=...               # bearer JWTs for two test accounts (different tenants)
+    COOKIE_A=...  COOKIE_B=...             # OR session cookies (e.g. NextAuth) instead of bearer
+    APIKEY=...                             # OR an API key
+    OBJ_A=...  OBJ_B=...                   # a sample object id owned by each account/tenant
+    GROUP_A=...  GROUP_B=...               # each account's tenant/group id (defaults to OBJ_* if unset)
+
+Run only against a TEST instance you're authorized to probe. Never production.
+"""
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+_HERE = Path(__file__).resolve().parent
+
+
+def context() -> dict:
+    p = _HERE / "probe-context.json"
+    if not p.is_file():
+        sys.exit("probe-context.json not found next to this probe — run `websec run <repo>` and use "
+                 "the probes/ it stages (probe-context.json holds this app's real routes/auth).")
+    return json.loads(p.read_text())
+
+
+def base_url() -> str:
+    u = os.environ.get("TARGET") or context().get("target_base_url", "")
+    if not u or u.startswith("FILL"):
+        sys.exit("Set TARGET=http://host:port (or fill target_base_url in probe-context.json).")
+    return u.rstrip("/")
+
+
+def auth_headers(role: str = "A") -> list:
+    """Auth header for a role (A/B), adapting to whatever the operator supplied."""
+    tok = os.environ.get(f"TOKEN_{role}")
+    cookie = os.environ.get(f"COOKIE_{role}")
+    apikey = os.environ.get("APIKEY")
+    if tok:
+        return ["-H", f"Authorization: Bearer {tok}"]
+    if cookie:
+        return ["-H", f"Cookie: {cookie}"]
+    if apikey:
+        return ["-H", f"X-API-Key: {apikey}"]
+    return []  # unauthenticated
+
+
+def require(*names: str) -> None:
+    missing = [n for n in names if not os.environ.get(n)]
+    if missing:
+        sys.exit(f"This probe needs these env var(s): {', '.join(missing)}. See _lib.py for the list.")
+
+
+def curl(method: str, url: str, headers=None, body=None, timeout: int = 20):
+    """Returns (status_code, body_text). Never raises on HTTP errors."""
+    cmd = ["curl", "-s", "-X", method, url, "-w", "\nHTTP_CODE:%{http_code}",
+           "--max-time", str(timeout)] + (headers or [])
+    if body is not None:
+        cmd += ["-H", "content-type: application/json", "-d", json.dumps(body)]
+    out = subprocess.run(cmd, capture_output=True, text=True).stdout
+    code = int(out.split("HTTP_CODE:")[-1].strip()) if "HTTP_CODE:" in out else 0
+    return code, out.split("\nHTTP_CODE:")[0]
+
+
+def tenant_key(default: str = "groupId") -> str:
+    keys = context().get("tenant_keys") or []
+    return keys[0] if keys else default
+
+
+def write_endpoints() -> list:
+    """[(METHOD, path), …] for this app's mutating routes, from probe-context.json."""
+    out = []
+    for ep in context().get("endpoints", {}).get("writes", []):
+        parts = ep.split(" ", 1)
+        if len(parts) == 2:
+            out.append((parts[0], parts[1]))
+    return out
+
+
+def save(name: str, findings: list) -> Path:
+    out = _HERE / f"{name}-findings.json"
+    out.write_text(json.dumps(findings, indent=2) + "\n")
+    return out

websec_validator-0.2.3/src/websec_validator/templates/probes/bola-cross-tenant.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# BOLA / cross-tenant READ probe — FACTS-driven. Role A uses its OWN token against
+# tenant B's id (and B→A), on this app's tenant-scoped routes (from probe-context.json).
+# Expect 401/403/404. A 200 that returns the OTHER tenant's data = cross-tenant BOLA
+# (OWASP API #1) — the thing an automated scanner can't tell from "just another 200".
+#
+# Env: TARGET, TOKEN_A, TOKEN_B (two accounts in DIFFERENT tenants), GROUP_A, GROUP_B
+# (each account's tenant/group id). Bearer auth; cookie users: swap the -H below.
+# Run only against a TEST instance you're authorized to probe.
+set -uo pipefail
+cd "$(dirname "$0")"
+ctx=probe-context.json
+
+BASE="${TARGET:-$(python3 -c "import json;print(json.load(open('$ctx'))['target_base_url'])" 2>/dev/null)}"
+if [ -z "${BASE:-}" ] || [ "${BASE#FILL}" != "$BASE" ]; then echo "Set TARGET=http://host:port (or fill probe-context.json)"; exit 2; fi
+: "${TOKEN_A:?set TOKEN_A=<jwt for an account in tenant A>}"
+: "${TOKEN_B:?set TOKEN_B=<jwt for an account in a DIFFERENT tenant>}"
+: "${GROUP_A:?set GROUP_A=<tenant/group id of account A>}"
+: "${GROUP_B:?set GROUP_B=<tenant/group id of account B>}"
+
+mapfile -t PATHS < <(python3 -c "
+import json
+c = json.load(open('$ctx'))['endpoints']
+cand = c.get('idor_candidates') or [w.split(' ',1)[1] for w in c.get('writes',[]) if ' ' in w]
+for p in cand:
+    print(p.split(' ',1)[1] if (' ' in p and p.split(' ',1)[0].isupper()) else p)
+" 2>/dev/null)
+[ "${#PATHS[@]}" -eq 0 ] && { echo "No tenant-scoped / IDOR-candidate routes in probe-context.json."; exit 2; }
+
+pass=0; leak=0
+attack() {  # $1=token $2=target-group-id $3=label
+  for raw in "${PATHS[@]}"; do
+    path=$(python3 -c "import re,sys; print(re.sub(r'\{[^}]+\}', sys.argv[1], sys.argv[2]))" "$2" "$raw")
+    code=$(curl -s -o /dev/null -w '%{http_code}' -m 15 -H "Authorization: Bearer $1" "$BASE$path")
+    case "$code" in
+      401|403|404) printf '  ok    %s  %-4s %s\n' "$code" "$3" "$path"; pass=$((pass+1)) ;;
+      200|206)     printf '  LEAK  %s  %-4s %s   ← returned data for the OTHER tenant? verify\n' "$code" "$3" "$path"; leak=$((leak+1)) ;;
+      *)           printf '  ??    %s  %-4s %s\n' "$code" "$3" "$path" ;;
+    esac
+  done
+}
+
+echo "=== cross-tenant BOLA vs $BASE   (expect 401/403/404) ==="
+echo "--- A → B's tenant ($GROUP_B) ---"; attack "$TOKEN_A" "$GROUP_B" "A→B"
+echo "--- B → A's tenant ($GROUP_A) ---"; attack "$TOKEN_B" "$GROUP_A" "B→A"
+echo "summary: $pass blocked · $leak potential leak(s)"
+[ "$leak" -gt 0 ] && echo "A 200 means the route served the OTHER tenant's id — confirm it's actually their data (not empty / your own), then debate-verify before reporting."
+exit "$leak"

websec_validator-0.2.3/src/websec_validator/templates/probes/bola-write-verbs.py

@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+"""BOLA / cross-tenant WRITE probe — FACTS-driven and generic.
+
+As role A, send each mutating verb (PUT/PATCH/POST/DELETE) at tenant B's resources
+(object id OBJ_B in group/tenant GROUP_B). Expect 401/403/404. A 2xx means the
+object-level authorization check is missing (BOLA — OWASP API #1). Write verbs miss
+authz more often than GETs.
+
+Endpoints come from probe-context.json (this app's real routes). Tokens + ids come
+from env (see _lib.py): TARGET, TOKEN_A|COOKIE_A|APIKEY, OBJ_B, optional GROUP_B.
+Bodies are minimal `{}` to limit side effects, but write verbs CAN mutate — run only
+against a TEST instance you're authorized to probe.
+"""
+import os
+import re
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).resolve().parent))
+import _lib  # noqa: E402
+
+BASE = _lib.base_url()
+_lib.require("OBJ_B")                       # a real object id owned by tenant B
+OBJ_B = os.environ["OBJ_B"]
+GROUP_B = os.environ.get("GROUP_B", OBJ_B)
+HDR_A = _lib.auth_headers("A")
+if not HDR_A:
+    sys.exit("Supply role-A auth: TOKEN_A=<jwt> (or COOKIE_A / APIKEY). See _lib.py.")
+
+
+def fill(path: str) -> str:
+    # tenant/group/org path param → GROUP_B; any other {param} (an id) → OBJ_B
+    return re.sub(r"\{([^}]+)\}",
+                  lambda m: GROUP_B if any(t in m.group(1).lower() for t in ("group", "tenant", "org")) else OBJ_B,
+                  path)
+
+
+eps = _lib.write_endpoints()
+if not eps:
+    sys.exit("No write endpoints in probe-context.json — nothing to probe.")
+
+print(f"=== BOLA write-verb probe vs {BASE}   (role A → tenant B's objects; expect 401/403/404) ===")
+findings = []
+for method, path in eps:
+    url = BASE + fill(path)
+    code, body = _lib.curl(method, url, headers=HDR_A, body={})
+    sev = "PASS" if code in (401, 403, 404) else ("CRITICAL" if code in (200, 201, 204) else "INVESTIGATE")
+    mark = {"PASS": "ok  ", "CRITICAL": "BOLA", "INVESTIGATE": "??  "}[sev]
+    findings.append({"method": method, "path": path, "url": url, "status": code,
+                     "severity": sev, "preview": body[:140]})
+    print(f"  [{mark}] {sev:11} {method:6} {url}  -> {code}")
+
+crit = sum(1 for f in findings if f["severity"] == "CRITICAL")
+out = _lib.save("bola-write-verbs", findings)
+print(f"\n  CRITICAL (BOLA confirmed)={crit}  ·  saved {out.name}")
+print("  A 2xx as role A against tenant B's object = object-level authz missing. Confirm the object")
+print("  really belongs to B, then debate-verify (Advocate/Challenger/…) before reporting.")
+sys.exit(1 if crit else 0)

{websec_validator-0.2.2 → websec_validator-0.2.3}/src/websec_validator/templates/probes/dlp-bypass-offline.py

@@ -13,34 +13,28 @@ Output: per-rule per-encoding match/bypass table.
 PRECONDITION: your project has a DLP / content-filtering feature with rules
 the admin can list via API. If not, this script is N/A.
 """
-import base64, json, re, subprocess, sys, urllib.parse
+import base64, json, os, re, sys, urllib.parse
 from pathlib import Path
 
-ROOT = Path(__file__).resolve().parents[2].parent
-ENV = {}
-for line in (ROOT / 'security/zap/.env').read_text().splitlines():
-    if '=' in line and not line.lstrip().startswith('#'):
-        k, v = line.split('=', 1); ENV[k.strip()] = v.strip()
-
-TARGET = ENV['ZAP_TARGET']
-# TODO: adjust login response shape if needed.
-ADMIN_TOK_RESP = subprocess.run(['curl','-fsS','-X','POST',f"{TARGET}/api/auth/login",
-                                 '-H','Content-Type: application/json',
-                                 '-d',json.dumps({'email':ENV['ZAP_ADMIN_USER'],'password':ENV['ZAP_ADMIN_PASS']})],
-                                capture_output=True, text=True).stdout
-ADMIN_TOK = json.loads(ADMIN_TOK_RESP)['tokens']['accessToken']
-
-# PROJECT-SPECIFIC START
-# TODO: adjust the DLP-rules endpoint and the rule schema. Common shapes:
-#   GET /api/dlp/rules    -> [{id, name, pattern, action, scope}]
-#   GET /api/policies     -> [{id, regex, action}]
-RULES_ENDPOINT = "/api/dlp/rules"
-# PROJECT-SPECIFIC END
-
-rules_raw = subprocess.run(['curl','-fsS',f"{TARGET}{RULES_ENDPOINT}",
-                            '-H',f"Authorization: Bearer {ADMIN_TOK}"],
-                           capture_output=True, text=True).stdout
-all_rules = json.loads(rules_raw)
+sys.path.insert(0, str(Path(__file__).resolve().parent))
+import _lib  # noqa: E402
+
+TARGET = _lib.base_url()
+HDR = _lib.auth_headers("A")    # a privileged/admin token that can list DLP rules
+if not HDR:
+    sys.exit("Supply an admin token: TOKEN_A=<jwt> (or COOKIE_A). See _lib.py.")
+
+# DLP-rules endpoint + rule schema vary by app. Set RULES_ENDPOINT, or edit this.
+RULES_ENDPOINT = os.environ.get("RULES_ENDPOINT", "/api/dlp/rules")
+
+code, rules_raw = _lib.curl("GET", f"{TARGET}{RULES_ENDPOINT}", headers=HDR)
+if code != 200:
+    sys.exit(f"Couldn't fetch DLP rules from {RULES_ENDPOINT} (HTTP {code}). If this app has no "
+             "DLP/content-filter feature this probe is N/A; otherwise set RULES_ENDPOINT to the real path.")
+try:
+    all_rules = json.loads(rules_raw)
+except Exception:
+    sys.exit(f"DLP rules endpoint returned non-JSON (HTTP {code}).")
 
 # Filter to content (regex) rules, skipping any media/file-type-prefix rules
 content_rules = [r for r in all_rules if not r.get('pattern','').startswith('MEDIA_TYPE:')]
@@ -127,9 +121,7 @@ for rule in content_rules:
                 'sample': encoded[:80],
             })
 
-out = ROOT / 'security/pentest-prep/reports/dlp-bypass/findings.json'
-out.parent.mkdir(parents=True, exist_ok=True)
-out.write_text(json.dumps(findings, indent=2))
+out = _lib.save("dlp-bypass", findings)
 
 bypasses = [f for f in findings if not f['matched'] and f['encoding'] != 'plain']
 plain_misses = [f for f in findings if not f['matched'] and f['encoding'] == 'plain']

websec_validator-0.2.3/src/websec_validator/templates/probes/mass-assignment.py

@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+"""Mass assignment / BOPLA (OWASP API #3) — FACTS-driven.
+
+Injects THIS app's privileged model fields (from probe-context.json → sensitive_fields,
+i.e. the schema extractor's output: role/isAdmin/groupId/ownerId/…) into each write
+endpoint and flags any request that's ACCEPTED (2xx). A correct server strips or rejects
+server-controlled fields. Acceptance is a *lead*, not proof — re-fetch the object as the
+agent to confirm the privileged field actually persisted/escalated before reporting.
+
+Env (see _lib.py): TARGET, TOKEN_A|COOKIE_A|APIKEY, optional OBJ_A (your own object id for
+self-edit paths; defaults to the literal 'me').
+"""
+import os
+import re
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).resolve().parent))
+import _lib  # noqa: E402
+
+BASE = _lib.base_url()
+HDR = _lib.auth_headers("A")
+if not HDR:
+    sys.exit("Supply auth: TOKEN_A=<jwt> (or COOKIE_A / APIKEY). See _lib.py.")
+OBJ_A = os.environ.get("OBJ_A", "me")
+fields = _lib.context().get("sensitive_fields") or ["role", "isAdmin", "groupId", "ownerId", "permissions"]
+
+
+def _val(f: str):
+    fl = f.lower()
+    if any(k in fl for k in ("isadmin", "admin", "verified", "enabled", "active")):
+        return True
+    if any(k in fl for k in ("permission", "scope", "group", "roles")):
+        return ["*"]
+    if any(k in fl for k in ("role", "status", "plan", "tier")):
+        return "admin"
+    return "websec-injected"
+
+
+PAYLOAD = {f: _val(f) for f in fields}
+eps = _lib.write_endpoints()
+if not eps:
+    sys.exit("No write endpoints in probe-context.json — nothing to probe.")
+
+print(f"=== Mass-assignment probe vs {BASE}   injecting app fields: {list(PAYLOAD)} ===")
+findings = []
+for method, path in eps:
+    url = BASE + re.sub(r"\{[^}]+\}", OBJ_A, path)
+    code, body = _lib.curl(method, url, headers=HDR, body=dict(PAYLOAD))
+    sev = "SUSPECT" if code in (200, 201, 204) else ("PASS" if code in (400, 403, 422) else "INVESTIGATE")
+    mark = {"SUSPECT": "!!", "PASS": "ok", "INVESTIGATE": "??"}[sev]
+    findings.append({"method": method, "path": path, "url": url, "status": code,
+                     "severity": sev, "preview": body[:140]})
+    print(f"  [{mark}] {sev:11} {method:6} {url}  -> {code}")
+
+out = _lib.save("mass-assignment", findings)
+sus = sum(1 for f in findings if f["severity"] == "SUSPECT")
+print(f"\n  SUSPECT (privileged fields accepted — verify they stuck)={sus}  ·  saved {out.name}")
+print("  Re-fetch the object as the agent to confirm the field persisted/escalated, then debate-verify.")
+sys.exit(1 if sus else 0)

websec_validator-0.2.3/src/websec_validator/templates/probes/race-conditions.py

@@ -0,0 +1,97 @@
+#!/usr/bin/env python3
+"""
+Race condition probe — fires N parallel requests at race-prone endpoints
+and checks if the server's invariants hold.
+
+Common race targets:
+  - "claim" / "assign" endpoints — only one parallel claim should succeed
+  - status / state toggles — multiple parallel calls should converge
+  - inventory / quota decrements — should not allow over-spend
+  - tag/label-add endpoints — should dedupe
+
+For each target:
+  - Fire PARALLEL_REQUESTS in parallel
+  - Count successes (200/201)
+  - Compare to expected_unique (usually 1 — only one assignment should win)
+  - If success_count > expected_unique -> race condition likely
+
+Uses async httpx for true parallelism (synchronous loops can't trigger races).
+
+Install: pip install httpx
+"""
+import asyncio, httpx, json, os, re, sys
+from pathlib import Path
+from collections import Counter
+
+sys.path.insert(0, str(Path(__file__).resolve().parent))
+import _lib  # noqa: E402
+
+TARGET = _lib.base_url()
+_lib.require("OBJ_A")                      # an object id you own (the single-winner target)
+OBJ_A = os.environ["OBJ_A"]
+_tok, _cookie = os.environ.get("TOKEN_A"), os.environ.get("COOKIE_A")
+HEADERS = {"Authorization": f"Bearer {_tok}"} if _tok else ({"Cookie": _cookie} if _cookie else {})
+if not HEADERS:
+    sys.exit("Supply auth: TOKEN_A=<jwt> (or COOKIE_A). See _lib.py.")
+
+PARALLEL = 50  # concurrent requests per target
+
+# Race-prone targets = this app's mutating endpoints (from probe-context.json). For each, the
+# server should keep its single-winner / converge / dedupe invariant under PARALLEL concurrency.
+TARGETS = [{"name": f"{m} {p}", "method": m, "url": TARGET + re.sub(r"\{[^}]+\}", OBJ_A, p),
+            "payload": {}, "expected_unique": 1,
+            "note": "parallel fire — a single-winner/converge/dedupe invariant should hold"}
+           for m, p in _lib.write_endpoints()][:8]
+if not TARGETS:
+    sys.exit("No write endpoints in probe-context.json — nothing to probe.")
+
+async def fire(client, t):
+    """Single request, return (status_code, response_body_preview)"""
+    try:
+        r = await client.request(
+            t['method'], t['url'],
+            json=t['payload'],
+            headers=HEADERS,
+            timeout=30.0,
+        )
+        return (r.status_code, r.text[:120])
+    except Exception as e:
+        return (None, str(e)[:120])
+
+async def run_target(t):
+    print(f"  Firing {PARALLEL} parallel {t['method']} to {t['url'][len(TARGET):]}")
+    async with httpx.AsyncClient() as client:
+        results = await asyncio.gather(*[fire(client, t) for _ in range(PARALLEL)])
+    codes = Counter(r[0] for r in results)
+    success = sum(1 for r in results if r[0] and 200 <= r[0] < 300)
+    race_likely = success > t['expected_unique']
+    print(f"  -> status counts: {dict(codes)}, successes: {success}, expected: {t['expected_unique']}")
+    if race_likely:
+        print(f"    !! RACE CONDITION SUSPECTED -- {success} successes vs {t['expected_unique']} expected")
+    return {
+        'name': t['name'],
+        'parallel': PARALLEL,
+        'status_counts': dict(codes),
+        'success_count': success,
+        'expected_unique': t['expected_unique'],
+        'race_suspected': race_likely,
+        'note': t['note'],
+        'sample_responses': [r for r in results if r[0] and r[0] < 500][:3],
+    }
+
+async def main():
+    findings = []
+    for t in TARGETS:
+        print(f"\n=== {t['name']}: {t['note']}")
+        f = await run_target(t)
+        findings.append(f)
+    out = _lib.save("race-conditions", findings)
+    crit = sum(1 for f in findings if f['race_suspected'])
+    print(f"\n=== Summary ===")
+    print(f"  race suspected on {crit}/{len(findings)} endpoints")
+    print(f"  saved to {out}")
+    return crit
+
+if __name__ == '__main__':
+    rc = asyncio.run(main())
+    sys.exit(1 if rc > 0 else 0)

{websec_validator-0.2.2 → websec_validator-0.2.3}/src/websec_validator/templates/probes/webhook-forgery.py

@@ -19,16 +19,13 @@ This probe tests:
   8. Empty body                        -> expect 401
   9. Wrong content-type                -> expect 401
 """
-import json, subprocess, time, sys
+import json, os, subprocess, time, sys
 from pathlib import Path
 
-ROOT = Path(__file__).resolve().parents[2].parent
-ENV = {}
-for line in (ROOT / 'security/zap/.env').read_text().splitlines():
-    if '=' in line and not line.lstrip().startswith('#'):
-        k, v = line.split('=', 1); ENV[k.strip()] = v.strip()
+sys.path.insert(0, str(Path(__file__).resolve().parent))
+import _lib  # noqa: E402
 
-TARGET = ENV['ZAP_TARGET']
+TARGET = _lib.base_url()
 
 # PROJECT-SPECIFIC START
 # TODO: replace with your project's inbound-webhook path, signature header
@@ -38,9 +35,11 @@ TARGET = ENV['ZAP_TARGET']
 #   Twilio:             /webhooks/twilio,      X-Twilio-Signature
 #   GitHub:             /webhooks/github,      X-Hub-Signature-256
 #   Custom:             /webhooks/<provider>,  X-Signature, X-Timestamp
-WEBHOOK_PATH = "/webhooks/<provider>"
-SIG_HEADER = "x-signature"
-TS_HEADER  = "x-timestamp"
+# set WEBHOOK_PATH / SIG_HEADER / TS_HEADER env vars, or edit these. probe-context.json
+# lists this app's detected integrations/webhooks to pick the real path from.
+WEBHOOK_PATH = os.environ.get("WEBHOOK_PATH", "/webhooks/<provider>")
+SIG_HEADER = os.environ.get("SIG_HEADER", "x-signature")
+TS_HEADER  = os.environ.get("TS_HEADER", "x-timestamp")
 
 URL = f"{TARGET}{WEBHOOK_PATH}"
 
@@ -94,9 +93,7 @@ for name, headers, body, expected, reason in probes:
         'body_preview': body_text[:120],
     })
 
-out_p = ROOT / 'security/pentest-prep/reports/webhook-forgery/findings.json'
-out_p.parent.mkdir(parents=True, exist_ok=True)
-out_p.write_text(json.dumps(findings, indent=2))
+out_p = _lib.save("webhook-forgery", findings)
 
 passed = sum(1 for f in findings if f['pass'])
 print(f"\n=== Summary ===")

{websec_validator-0.2.2 → websec_validator-0.2.3}/src/websec_validator/templates/reports/FINDINGS-SUMMARY.md.template

@@ -1,18 +1,18 @@
 # Security tooling pass — findings summary
 
 > Date: <YYYY-MM-DD>. Tools run locally; **zero repo footprint added**.
-> All outputs in `security/<tool>/` (gitignored).
+> All outputs in `websec-out/scanners/<tool>/` (gitignored).
 
 ## Tools run
 
 | Tool | Status | Outputs |
 |---|---|---|
-| **Prowler** <ver> | ☐ | `security/prowler/` |
-| **Nuclei** <ver> | ☐ | `security/nuclei/` |
-| **Semgrep** <ver> | ☐ | `security/semgrep/` |
-| **Gitleaks** <ver> | ☐ | `security/gitleaks/` |
-| **Trivy** <ver> | ☐ | `security/trivy/` |
-| **ZAP** <ver> + manual probes | ☐ | `security/zap/`, `security/pentest-prep/` |
+| **Prowler** <ver> | ☐ | `websec-out/scanners/prowler/` |
+| **Nuclei** <ver> | ☐ | `websec-out/scanners/nuclei/` |
+| **Semgrep** <ver> | ☐ | `websec-out/scanners/semgrep/` |
+| **Gitleaks** <ver> | ☐ | `websec-out/scanners/gitleaks/` |
+| **Trivy** <ver> | ☐ | `websec-out/scanners/trivy/` |
+| **ZAP** <ver> + manual probes | ☐ | `websec-out/scanners/zap/`, `websec-out/scanners/pentest-prep/` |
 
 ## Most important finding
 
@@ -49,27 +49,27 @@
 prowler aws --region us-east-1 \
   --compliance cis_2.0_aws aws_foundational_security_best_practices_aws \
   --output-formats html json-asff csv \
-  --output-directory security/prowler/
+  --output-directory websec-out/scanners/prowler/
 
 # Nuclei
-TOKEN=$(./security/zap/run.sh --print-token)
+TOKEN=$(./websec-out/scanners/zap/run.sh --print-token)
 nuclei -target "$ZAP_TARGET" -H "Authorization: Bearer $TOKEN" \
   -tags "jwt,ssrf,sqli,lfi,redirect,rce,exposure,misconfig,cve" \
   -severity medium,high,critical -rate-limit 30 -concurrency 5 \
-  -json-export security/nuclei/nuclei-baseline.json \
-  -output security/nuclei/nuclei-baseline.txt
+  -json-export websec-out/scanners/nuclei/nuclei-baseline.json \
+  -output websec-out/scanners/nuclei/nuclei-baseline.txt
 
 # Semgrep
 semgrep --config auto --config p/typescript --config p/javascript \
   --config p/security-audit --severity WARNING --severity ERROR \
-  --json -o security/semgrep/semgrep-backend.json backend/src
+  --json -o websec-out/scanners/semgrep/semgrep-backend.json backend/src
 
 # Gitleaks
-gitleaks detect --source . --report-format json --report-path security/gitleaks/current.json
-gitleaks git --report-format json --report-path security/gitleaks/history.json
+gitleaks detect --source . --report-format json --report-path websec-out/scanners/gitleaks/current.json
+gitleaks git --report-format json --report-path websec-out/scanners/gitleaks/history.json
 
 # Trivy
 trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL \
   --skip-dirs node_modules --skip-dirs security \
-  --format json --output security/trivy/trivy-fs.json .
+  --format json --output websec-out/scanners/trivy/trivy-fs.json .
 ```

{websec_validator-0.2.2 → websec_validator-0.2.3/src/websec_validator.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.2
+Version: 0.2.3
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT
@@ -171,9 +171,9 @@ the next dynamic probes (explicitly gated — they mutate).
 
 ## Validated on
 
-HugoCross (Next.js), `wu-whatsappinbox` (106-service Express/AWS monorepo), VAmPI, NodeGoat, DVGA —
-independently reproducing a hand-done pentest's findings (tenant boundary, SSO-endpoint SSRF, media
-upload, conversation-BOLA routes, roles).
+A production Next.js app, a large Express/AWS monorepo, and the VAmPI / NodeGoat / DVGA vuln-app
+corpus — independently reproducing a hand-done pentest's findings (tenant boundary, SSRF, file
+upload, cross-tenant BOLA, role/authz gaps).
 
 ## Tests
 

{websec_validator-0.2.2 → websec_validator-0.2.3}/src/websec_validator.egg-info/SOURCES.txt

@@ -33,6 +33,7 @@ src/websec_validator/extractors/schemas.py
 src/websec_validator/extractors/stack.py
 src/websec_validator/extractors/surface.py
 src/websec_validator/extractors/tenant.py
+src/websec_validator/templates/probes/_lib.py
 src/websec_validator/templates/probes/bola-cross-tenant.sh
 src/websec_validator/templates/probes/bola-write-verbs.py
 src/websec_validator/templates/probes/compare-roles.sh