websec-validator 0.2.3__tar.gz → 0.2.5__tar.gz

{websec_validator-0.2.3/src/websec_validator.egg-info → websec_validator-0.2.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.3
+Version: 0.2.5
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT

{websec_validator-0.2.3 → websec_validator-0.2.5}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "websec-validator"
-version = "0.2.3"
+version = "0.2.5"
 description = "Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app."
 readme = "README.md"
 requires-python = ">=3.11"

{websec_validator-0.2.3 → websec_validator-0.2.5}/src/websec_validator/briefing.py

@@ -118,6 +118,7 @@ credentials** — ask the human, never fabricate, never hit production.
 - **Datastores:** {", ".join(stack.get("datastores", [])) or "?"}  ·  **Monorepo:** {stack.get("monorepo", False)}
 - **Auth scheme:** `{auth.get("scheme","?")}` (token in {auth.get("token_location","?")})  ·  guard files: {len(auth.get("guard_files", []))}
 - **Route engine:** {routes.get("engine","?")}  ·  **{routes.get('count',0)} endpoints**  ·  by method: {routes.get("by_method", {})}
+{("> " + routes["note"]) if routes.get("note") else ""}
 
 ## 2. ★ Tenant boundary (confirm first — highest value, easiest to get wrong)
 

{websec_validator-0.2.3 → websec_validator-0.2.5}/src/websec_validator/cli.py

@@ -87,7 +87,7 @@ def cmd_run(args) -> int:
     print(f"websec-validator v{__version__}  ·  target: {target}  ·  run {ts}\n")
 
     # 1. recon
-    facts = recon.build_facts(target, __version__)
+    facts = recon.build_facts(target, __version__, args.exclude)
     recon.write_facts(facts, out / "FACTS.json")
     langs = facts["stack"]["languages"]
     _print_facts_summary(facts)
@@ -98,13 +98,21 @@ def cmd_run(args) -> int:
     unified = None
     if args.scan:
         print("\n  running available static scanners (read-only)…")
-        scan_results = scanners.run_available(target, out, langs)
+        only = args.scanners.split(",") if args.scanners else None
+        scan_results = scanners.run_available(target, out, langs, excludes=args.exclude, only=only)
         for r in scan_results:
             tag = r.get("findings", r.get("status", "?"))
             print(f"    {r['name']}: {tag}")
-        unified = scanners.normalize_findings(scan_results, out)
+        unified = scanners.normalize_findings(scan_results, out, target=target)
         print(f"  → {unified['total']} de-duplicated findings "
               f"({unified['cross_tool_or_dup_merged']} merged) · {unified['by_severity']}")
+        _hyg = []
+        if unified.get('contamination_dropped'):
+            _hyg.append(f"{unified['contamination_dropped']} dropped (skip-dir contamination)")
+        if unified.get('local_only_downgraded'):
+            _hyg.append(f"{unified['local_only_downgraded']} downgraded (gitignored/local-only secret)")
+        if _hyg:
+            print(f"    hygiene: {' · '.join(_hyg)}")
     else:
         print(f"\n  scanners available: {', '.join(s['name'] for s in det['available']) or 'none'}"
               "  (add --scan to execute them)")
@@ -161,6 +169,12 @@ def cmd_dynamic(args) -> int:
         for r in u["results"]:
             mark = "🔓" if r["verdict"] == "OPEN-no-auth" else (" ·" if r["verdict"] == "protected" else "  ")
             print(f"    {mark} {str(r['status']):>4}  {r['verdict']:26} {r['path']}")
+        ftb = dyn.get("forged_token_bypass", {})
+        if ftb:
+            print(f"\n  forged-token (unverified-signature) → {ftb['summary']}")
+            for r in ftb.get("results", []):
+                if r["verdict"] == "BYPASS":
+                    print(f"    🚨 BYPASS  {r['baseline']}→{r['forged']}  {r['method']} {r['path']}  (via {r['via']})")
         if args.probe_writes:
             w = dyn["write_auth_enforcement"]
             print(f"\n  write-verb auth enforcement → {w['summary']}")
@@ -342,6 +356,10 @@ def build_parser() -> argparse.ArgumentParser:
     r.add_argument("target")
     r.add_argument("--scan", action="store_true", help="also execute available static scanners")
     r.add_argument("--out", help="output dir (default: ./websec-out)")
+    r.add_argument("--exclude", action="append", metavar="PATH",
+                   help="exclude a path/glob from recon + scanners (repeatable; e.g. --exclude 'docs/**')")
+    r.add_argument("--scanners", metavar="A,B",
+                   help="comma-separated subset of scanners to run with --scan (e.g. gitleaks,semgrep)")
     r.set_defaults(func=cmd_run)
 
     # recon/proof/calibrate are hidden from the main --help (argparse.SUPPRESS): recon is a

{websec_validator-0.2.3 → websec_validator-0.2.5}/src/websec_validator/dynamic.py

@@ -37,10 +37,13 @@ def _dig(d: dict, dotted: str):
     return cur
 
 
-def _request(method: str, url: str, token: str | None, timeout: int = 20, data: bytes | None = None):
+def _request(method: str, url: str, token: str | None, timeout: int = 20,
+             data: bytes | None = None, cookie: str | None = None):
     headers = {"Accept": "application/json"}
     if token:
         headers["Authorization"] = f"Bearer {token}"
+    if cookie:
+        headers["Cookie"] = cookie
     if data is not None:
         headers["Content-Type"] = "application/json"
     req = urllib.request.Request(url, method=method, headers=headers, data=data)
@@ -254,9 +257,89 @@ def write_auth_enforcement(target: str, facts: dict, max_endpoints: int = 80) ->
     }
 
 
+# Codes that mean "the request reached the handler/validation" — i.e. auth PASSED. Used to
+# judge a forged-token attempt. Deliberately EXCLUDES 401/403 (blocked), 429 (rate-limited —
+# would otherwise be a false bypass), 5xx and 000/None (ambiguous/transport). A gated route
+# (401/403 with no token) that returns one of these WITH a forged token = signature not verified.
+_REACHED_HANDLER = {200, 201, 202, 203, 204, 206, 400, 404, 405, 409, 413, 415, 422}
+
+
+def _forge_jwt(payload: dict, alg: str = "RS256") -> str:
+    """A structurally-valid JWT with a DELIBERATELY INVALID signature (no real key). The whole
+    point is to see whether the target verifies the signature at all — a correct verifier
+    rejects this outright; a decode-only auth path (the decodeJwtPayloadUnsafe class) trusts it."""
+    import base64
+
+    def b(o):
+        return base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
+    sig = "" if alg == "none" else "d2Vic2VjLWZvcmdlZC1zaWc"  # 'websec-forged-sig' — not a real signature
+    return ".".join([b({"alg": alg, "typ": "JWT", "kid": "forged"}), b(payload), sig])
+
+
+def forged_token_bypass(target: str, facts: dict, cookie_names=None,
+                        probe_writes: bool = False, max_endpoints: int = 60) -> dict:
+    """Does the app actually VERIFY JWT signatures? Forge a token with a far-future `exp` and a
+    BOGUS signature, present it to each route that is GATED without auth, and compare. A route
+    that answers 401/403 with NO token but REACHES THE HANDLER with the forged token is trusting
+    an unverified token = authentication bypass (CWE-347 / OWASP API2:2023) — the dynamic verdict
+    on the `decodeJwtPayloadUnsafe`/`jwt.decode(verify=False)` hypothesis.
+
+    GET reads by default (read-safe); write verbs (empty body, dummy ids — non-destructive) only
+    when `probe_writes`. Tries `Authorization: Bearer` (universal) plus any `cookie_names` given,
+    since apps read tokens from different locations. 429/5xx are treated as inconclusive, never
+    a bypass, so an aggressive rate limiter can't manufacture a false positive."""
+    forged = _forge_jwt({"sub": "websec-forged", "email": "websec-forged@example.com",
+                         "role": "admin", "roles": ["admin"], "exp": 9999999999})
+    cookie_names = list(cookie_names or [])
+
+    targets = [("GET", e.get("path", "")) for e in (facts.get("routes") or {}).get("endpoints", [])
+               if e.get("method") == "GET" and "{" not in e.get("path", "")
+               and not SIDE_EFFECTING.search(e.get("path", ""))]
+    if probe_writes:
+        targets += [(e.get("method"), e.get("path", "")) for e in (facts.get("routes") or {}).get("endpoints", [])
+                    if e.get("method") in WRITE_VERBS and "{" not in e.get("path", "")
+                    and not SIDE_EFFECTING.search(e.get("path", ""))]
+    targets = sorted(set(targets))[:max_endpoints]
+
+    results, bypassed = [], []
+    for method, path in targets:
+        url = target + path
+        body = b"{}" if method in WRITE_VERBS else None
+        base_code, _ = _request(method, url, token=None, data=body)
+        if base_code not in (401, 403):
+            continue  # only routes that are gated WITHOUT auth tell us anything about forgery
+        attempts = [("Authorization: Bearer", _request(method, url, token=forged, data=body)[0])]
+        for cn in cookie_names:
+            attempts.append((f"cookie:{cn}", _request(method, url, token=None, data=body, cookie=f"{cn}={forged}")[0]))
+        hit = next(((via, code) for via, code in attempts if code in _REACHED_HANDLER), None)
+        if hit:
+            via, fcode = hit
+            row = {"method": method, "path": path, "baseline": base_code, "forged": fcode,
+                   "via": via, "verdict": "BYPASS"}
+            bypassed.append(row)
+        else:
+            row = {"method": method, "path": path, "baseline": base_code,
+                   "forged": attempts[0][1], "via": "Authorization: Bearer", "verdict": "rejected"}
+        results.append(row)
+
+    return {
+        "target": target,
+        "mode": "present an UNSIGNED/bogus-sig JWT (far-future exp) to each gated route; "
+                "reached-handler = signature not verified",
+        "token_locations": ["Authorization: Bearer"] + [f"cookie:{c}" for c in cookie_names],
+        "tested": len(results),
+        "bypassed": bypassed,
+        "results": results,
+        "summary": f"{len(bypassed)}/{len(results)} gated route(s) accepted a forged unsigned token"
+                   + (" — ⚠ SIGNATURE NOT VERIFIED (CWE-347 auth bypass)" if bypassed
+                      else " — all rejected the forged token"),
+    }
+
+
 def run_unauth(target: str, facts_path: Path, outdir: Path, probe_writes: bool = False) -> dict:
     facts = json.loads(Path(facts_path).read_text())
-    res = {"unauth_reachability": unauth_reachability(target, facts)}
+    res = {"unauth_reachability": unauth_reachability(target, facts),
+           "forged_token_bypass": forged_token_bypass(target, facts, probe_writes=probe_writes)}
     if probe_writes:
         res["write_auth_enforcement"] = write_auth_enforcement(target, facts)
     outdir.mkdir(parents=True, exist_ok=True)

{websec_validator-0.2.3 → websec_validator-0.2.5}/src/websec_validator/extractors/__init__.py

@@ -39,9 +39,9 @@ REGISTRY: list[Extractor] = [
 ]
 
 
-def run_all(root: Path, version: str) -> dict:
+def run_all(root: Path, version: str, excludes: list | None = None) -> dict:
     """Walk the repo once, run every extractor, return the merged FACTS dict."""
-    ctx = RepoContext(root)
+    ctx = RepoContext(root, excludes)
     facts: dict = {
         "tool": "websec-validator",
         "version": version,

{websec_validator-0.2.3 → websec_validator-0.2.5}/src/websec_validator/extractors/authz.py

@@ -52,6 +52,14 @@ ROLE = re.compile(
     r"has_?[Rr]ole\s*\(\s*['\"]([\w:.-]+)['\"]|"
     r"authorizeRoles\s*\(([^)]*)\)|permission_required\s*\(\s*['\"]([\w:.-]+)['\"]")
 
+# F5: a call to a decoder/parser named "unsafe"/"unverified"/"noVerify"/"skipVerify"
+# (e.g. decodeJwtPayloadUnsafe) — dangerous when its result feeds an auth decision.
+UNSAFE_DECODER = re.compile(r"\b([A-Za-z_]\w*(?:[Uu]nsafe|[Uu]nverified|[Nn]o[Vv]erif\w*|[Ss]kip[Vv]erif\w*)\w*)\s*\(")
+# does this file actually make an auth/identity decision? (so the unsafe decode matters)
+AUTH_CONTEXT = re.compile(
+    r"require(?:Auth|Admin|Role|Permission)|isAdmin|authoriz|getToken\s*\(|getServerSession|"
+    r"req\.auth\b|currentUser|jwt\.(?:decode|verify)|decodeJwt", re.I)
+
 
 def _parse_next_middleware(ctx: RepoContext) -> dict:
     # Next 15.5+/16 renamed `middleware.ts` → `proxy.ts` (both filenames are valid; the
@@ -127,6 +135,13 @@ class AuthzExtractor(Extractor):
                 if e.get("method") in WRITE_VERBS and not PUBLIC_HINT.search(e.get("path", "")):
                     no_guard_writes.append(f"{e['method']} {e['path']}  ({relcp or '?'})")
 
+        # F5: files that make an auth decision AND call an unsafe/unverified decoder
+        unsafe_decoders = []
+        for _p, rel, text in ctx.iter_code():
+            if AUTH_CONTEXT.search(text):
+                for dec in sorted(set(UNSAFE_DECODER.findall(text))):
+                    unsafe_decoders.append({"file": rel, "decoder": dec})
+
         if global_auth:
             where = f"`{mw['file']}` (matcher {mw.get('matchers') or '—'})" if mw_auth else "`app.use(<auth>)`"
             note = (f"A GLOBAL auth middleware ({where}) was detected — most routes are protected by default. "
@@ -146,5 +161,6 @@ class AuthzExtractor(Extractor):
                               "no_visible_guard": no_guard, "unknown": unknown},
             "endpoint_guards": egs[:400],
             "write_endpoints_without_visible_guard": sorted(set(no_guard_writes))[:60],
+            "unsafe_auth_decoders": unsafe_decoders[:30],
             "note": note,
         }

{websec_validator-0.2.3 → websec_validator-0.2.5}/src/websec_validator/extractors/base.py

@@ -9,6 +9,7 @@ still say something useful.
 
 from __future__ import annotations
 
+import fnmatch
 from pathlib import Path
 
 SKIP_DIRS = {".git", "node_modules", "dist", "build", ".next", ".nuxt", "venv",
@@ -27,13 +28,17 @@ MAX_BYTES = 2_000_000
 class RepoContext:
     """Walk the tree once; cache file text; serve cheap queries to every extractor."""
 
-    def __init__(self, root: Path):
+    def __init__(self, root: Path, excludes: list | None = None):
         self.root = root
+        self.excludes = [e for e in (excludes or []) if e]   # user --exclude paths/globs
         self._text: dict[Path, str] = {}
         self.code_files: list[Path] = []
         self.stack: dict = {}          # filled by StackExtractor, read by the rest
         self._walk()
 
+    def _excluded(self, rel: str) -> bool:
+        return any(ex in rel or fnmatch.fnmatch(rel, ex) for ex in self.excludes)
+
     def _walk(self) -> None:
         n = 0
         for p in self.root.rglob("*"):
@@ -44,6 +49,8 @@ class RepoContext:
             # have its whole tree skipped.
             if p.is_dir() or any(part in SKIP_DIRS for part in p.relative_to(self.root).parts):
                 continue
+            if self.excludes and self._excluded(str(p.relative_to(self.root))):
+                continue
             if p.suffix.lower() in CODE_EXT:
                 self.code_files.append(p)
                 n += 1

{websec_validator-0.2.3 → websec_validator-0.2.5}/src/websec_validator/extractors/routes.py

@@ -25,7 +25,18 @@ import subprocess
 import tempfile
 from pathlib import Path
 
-from .base import Extractor, RepoContext
+from .base import SKIP_DIRS, Extractor, RepoContext
+
+# Noir is a subprocess that scans the raw tree — it does NOT know the walker's SKIP_DIRS,
+# so without this it grinds through (and emits routes from) build output (.next, cdk.out,
+# dist), dependencies (node_modules, vendor), and NESTED WORKTREES (.claude/worktrees — a
+# full copy of the repo → doubled routes). Pass the skip dirs as exclude globs (perf) AND
+# post-filter Noir's output by code_path (the correctness guarantee).
+_NOIR_SKIP_GLOBS = ",".join(f"**/{d}/**" for d in sorted(SKIP_DIRS))
+
+
+def _in_skip_dir(code_path: str) -> bool:
+    return any(part in SKIP_DIRS for part in (code_path or "").replace("\\", "/").split("/"))
 
 WRITE_VERBS = {"POST", "PUT", "PATCH", "DELETE"}
 EXCLUDE_GLOBS = "*.test.ts,*.test.tsx,*.spec.ts,*.test.js,*.spec.js,*_test.go,*_test.py,test_*.py,*.stories.tsx"
@@ -38,6 +49,20 @@ TRAVERSAL_NAMES = re.compile(r"^(file|filename|filepath|path|dir|folder|template
 TEMPLATED = ("BASE_URL", "localhost", "127.0.0.1", "${", "{{")
 ASSET_GLOB = re.compile(r"\*\.\w+")
 
+# A route whose source file is a vendored/third-party API SPEC (OpenAPI/Swagger/GraphQL
+# schema), not an app handler. Noir parses these and emits their paths as if the app
+# served them — which on a repo that vendors e.g. a 16k-line swagger turns ~15 real
+# findings into hundreds of phantom ones. We split these out as informational.
+SPEC_PATH = re.compile(
+    r"\.(?:ya?ml|graphql|gql|raml)$"                                  # spec file formats
+    r"|(?:^|/)(?:node_modules|vendor|vendored|third[_-]?party|examples?|schemas?"
+    r"|(?:docs?|documentation)[\w-]*)/"                               # vendor/docs/schema dirs
+    r"|swagger|openapi", re.I)
+
+
+def _is_spec_derived(code_path: str) -> bool:
+    return bool(code_path) and bool(SPEC_PATH.search(code_path))
+
 
 def _clean_path(p: str) -> str:
     p = re.sub(r":(\w+)", r"{\1}", p)    # Express :id  -> {id}
@@ -53,16 +78,17 @@ def _is_noise(path: str) -> bool:
     return bool(ASSET_GLOB.search(path))   # static-asset glob route (/*.png)
 
 
-def _noir_scan(root: Path) -> list | None:
+def _noir_scan(root: Path, extra_excludes: list | None = None) -> list | None:
     """Run Noir → list of endpoint dicts, or None if Noir unavailable/failed."""
     if not shutil.which("noir"):
         return None
+    excl = ",".join([EXCLUDE_GLOBS, _NOIR_SKIP_GLOBS] + (list(extra_excludes) if extra_excludes else []))
     with tempfile.NamedTemporaryFile(suffix=".json", delete=False) as tf:
         out = Path(tf.name)
     try:
         proc = subprocess.run(
             ["noir", "scan", str(root), "-f", "json", "-o", str(out),
-             "--exclude-path", EXCLUDE_GLOBS, "--no-log", "--no-color"],
+             "--exclude-path", excl, "--no-log", "--no-color"],
             capture_output=True, text=True, timeout=300)
         if not out.exists():
             return None
@@ -77,8 +103,10 @@ def _noir_scan(root: Path) -> list | None:
             pass
 
 
-def _normalize_noir(eps: list) -> list:
-    rows, seen = [], set()
+def _normalize_noir(eps: list) -> tuple:
+    """→ (app_routes, spec_derived_routes). Routes whose source file is a vendored API
+    spec are split out so they don't generate phantom findings (B1)."""
+    rows, spec, seen = [], [], set()
     for e in eps:
         if e.get("internal"):
             continue
@@ -89,21 +117,22 @@ def _normalize_noir(eps: list) -> list:
         if _is_noise(path):
             continue
         method = (e.get("method") or "GET").upper()
-        if (method, path) in seen:
-            continue
-        seen.add((method, path))
-        params = [{"name": p.get("name", ""), "where": p.get("param_type", "")}
-                  for p in (e.get("params") or [])]
         cp = (e.get("details", {}) or {}).get("code_paths") or [{}]
-        rows.append({
+        code_path = cp[0].get("path", "")
+        if (method, path, code_path) in seen:
+            continue
+        seen.add((method, path, code_path))
+        row = {
             "method": method,
             "path": path,
-            "params": params,
+            "params": [{"name": p.get("name", ""), "where": p.get("param_type", "")}
+                       for p in (e.get("params") or [])],
             "technology": (e.get("details", {}) or {}).get("technology", ""),
-            "code_path": cp[0].get("path", ""),
+            "code_path": code_path,
             "source": "noir",
-        })
-    return rows
+        }
+        (spec if _is_spec_derived(code_path) else rows).append(row)
+    return rows, spec
 
 
 # ---- regex fallback (only when Noir is absent) ---------------------------------------------
@@ -193,19 +222,26 @@ class RoutesExtractor(Extractor):
     category = "surface"
 
     def extract(self, ctx: RepoContext, facts: dict) -> dict:
-        eps = _noir_scan(ctx.root)
+        eps = _noir_scan(ctx.root, getattr(ctx, "excludes", None))
         if eps is not None:
-            routes = _normalize_noir(eps)
+            routes, spec_derived = _normalize_noir(eps)
             engine = "noir"
         else:
-            routes = _fallback(ctx)
+            routes, spec_derived = _fallback(ctx), []
             engine = "regex-fallback (install OWASP Noir for full coverage: brew install noir)"
+        # honor user --exclude against route code_paths too (Noir's own --exclude-path glob is
+        # unreliable for bare dir names; this guarantees `--exclude <path>` drops those routes).
+        if getattr(ctx, "excludes", None):
+            routes = [r for r in routes if not ctx._excluded(r.get("code_path", ""))]
+        # Noir doesn't honor SKIP_DIRS — drop any route it found under build output / deps /
+        # nested worktrees (e.g. .claude/worktrees/* doubling the whole app).
+        routes = [r for r in routes if not _in_skip_dir(r.get("code_path", ""))]
         by_method: dict = {}
         by_tech: dict = {}
         for r in routes:
             by_method[r["method"]] = by_method.get(r["method"], 0) + 1
             by_tech[r["technology"]] = by_tech.get(r["technology"], 0) + 1
-        return {
+        out = {
             "engine": engine,
             "count": len(routes),
             "by_method": by_method,
@@ -213,3 +249,12 @@ class RoutesExtractor(Extractor):
             "endpoints": routes,
             "targeting": _derive(routes),
         }
+        if spec_derived:
+            from collections import Counter
+            srcs = Counter(r["code_path"] for r in spec_derived)
+            out["spec_derived_excluded"] = len(spec_derived)
+            out["spec_derived_sources"] = [f"{n}× {f}" for f, n in srcs.most_common(8)]
+            out["note"] = (f"⚠ {len(spec_derived)} routes came from vendored API SPEC files "
+                           f"(OpenAPI/Swagger/GraphQL), not app handlers — EXCLUDED from the {len(routes)} "
+                           f"app routes + all findings. Sources: {', '.join(f for f, _ in srcs.most_common(5))}.")
+        return out

{websec_validator-0.2.3 → websec_validator-0.2.5}/src/websec_validator/findings.py

@@ -26,6 +26,9 @@ from . import calibration
 STANDARDS = {
     "missing-auth": (["CWE-862 Missing Authorization", "CWE-306 Missing Authentication"],
                      "ASVS V4.1.1", ["API1:2023 BOLA", "API5:2023 BFLA"]),
+    "unsafe-auth-decoder": (["CWE-347 Improper Verification of Cryptographic Signature",
+                             "CWE-345 Insufficient Verification of Data Authenticity"],
+                            "ASVS V3.5.2", ["API2:2023 Broken Authentication"]),
     "bola": (["CWE-639 Authorization Bypass (IDOR)"], "ASVS V4.2.1", ["API1:2023 BOLA"]),
     "ssrf": (["CWE-918 SSRF"], "ASVS V12.6", ["API7:2023 SSRF"]),
     "secret": (["CWE-798 Hard-coded Credentials"], "ASVS V2.10", ["API8:2023 Misconfiguration"]),
@@ -48,6 +51,9 @@ REMEDIATION = {
     "missing-auth": "Add an auth guard to the handler (e.g. requireAuth()/getServerSession()), or a "
                     "middleware matcher over /api/(.*) with an explicit public allowlist so it can't be forgotten.",
     "bola": "Enforce object ownership: verify the authenticated principal owns/can access the resource id (tenant scope).",
+    "unsafe-auth-decoder": "Verify the token/signature before trusting it for an auth/identity decision — use a "
+                           "verifying decode (e.g. jwt.verify with the key / a checked session), never an *Unsafe* "
+                           "or decode-only path whose output then feeds requireAuth/requireAdmin.",
     "ssrf": "Validate + allowlist outbound URLs; block RFC1918/IMDS/file://; never fetch a raw user-supplied URL.",
     "secret": "Rotate the credential, remove from code/history, load from a secrets manager.",
     "cve": "Upgrade the dependency to the fixed version.",
@@ -150,6 +156,28 @@ def build_ledger(facts: dict, unified: dict | None, dynamic: dict | None = None,
                       [{"layer": "dynamic", "detail": f"cross-tenant GET returned another tenant's data "
                         f"(HTTP {lk.get('status')}, {lk.get('direction')})"}]))
 
+    # ---- 1c. Unsafe/unverified decoder feeding an auth decision (F5) ----
+    for ud in ((facts.get("authz", {}) or {}).get("unsafe_auth_decoders", []) or []):
+        out.append(_f(f"Auth decision uses an unverified decoder: {ud.get('decoder')}", "access-control",
+                      "unsafe-auth-decoder", "HIGH", "MEDIUM", ud.get("file", ""),
+                      [{"layer": "recon", "detail": f"{ud.get('file')} makes an auth/identity decision AND calls "
+                        f"{ud.get('decoder')}() — if that decodes a token/signature WITHOUT verifying it, a forged "
+                        "value is trusted (the decodeJwtPayloadUnsafe → requireAdmin class of bug). Trace the call path."}]))
+
+    # ---- 1d. Forged-token acceptance — unverified signature, DYNAMICALLY CONFIRMED ----
+    # The verdict for 1c: we presented an UNSIGNED/bogus-sig token and the route reached its
+    # handler anyway (no-auth 401/403 → reached-handler with the forged token). That is the
+    # decodeJwtPayloadUnsafe/jwt.decode(verify=False) hypothesis proven — CWE-347 broken auth.
+    for b in ((dynamic or {}).get("forged_token_bypass", {}) or {}).get("bypassed", []):
+        out.append(_f(
+            f"Auth bypass: forged unsigned token accepted — {b.get('method')} {b.get('path')}",
+            "access-control", "unsafe-auth-decoder", "CRITICAL", "HIGH",
+            f"{b.get('method')} {b.get('path')}",
+            [{"layer": "dynamic", "detail": f"no auth → HTTP {b.get('baseline')}; a token with NO valid "
+              f"signature (via {b.get('via')}, far-future exp) → HTTP {b.get('forged')} — the auth gate "
+              "accepted it, so the signature is NOT verified. Reachable by anyone who can craft a token "
+              "string; route the guard through a verifying decode (jwt.verify w/ the key / a checked session)."}]))
+
     # ---- 2. Static scanner findings (de-duplicated `unified`) ----
     cat_to_class = {"sca": "cve", "secret": "secret", "iac": "iac", "sast": "sast"}
     for t in (unified or {}).get("top", []):

{websec_validator-0.2.3 → websec_validator-0.2.5}/src/websec_validator/probes.py

@@ -28,6 +28,8 @@ PROBES = {
                         "a low-priv token + a write endpoint that updates a record"),
     "jwt-attacks": ("jwt-attacks.sh", "JWT: alg:none, tamper, expiry, replay",
                    "a valid token + the login + a protected endpoint"),
+    "forged-token": ("forged-token.sh", "Forged/unsigned-JWT acceptance (CWE-347 broken auth)",
+                     "just the target base URL — it forges its own token + reads routes from probe-context.json"),
     "hs256-brute-force": ("hs256-brute-force.py", "Offline HS256 weak-secret brute",
                          "one HS256 JWT (offline — no live app needed)"),
     "ssrf-probes": ("ssrf-probes.sh", "SSRF: IMDS / RFC1918 / file://",
@@ -47,7 +49,7 @@ PROBES = {
 
 # unauth-baseline is ALWAYS staged: it's the cheapest probe and directly exercises the
 # #1 lead class (missing authentication) — the one a no-creds run can confirm immediately.
-ALWAYS = ["unauth-baseline", "jwt-attacks", "hs256-brute-force", "rate-limit-burst"]
+ALWAYS = ["unauth-baseline", "forged-token", "jwt-attacks", "hs256-brute-force", "rate-limit-burst"]
 
 # which targeting bucket each probe should be pointed at (for the manifest's real targets)
 _TARGET_KEYS = {
@@ -100,6 +102,10 @@ def build_context(facts: dict) -> dict:
     auth = facts.get("auth") or {}
     writes = [f"{e.get('method')} {e.get('path')}" for e in routes.get("endpoints", [])
               if e.get("method") in WRITE_VERBS][:80]
+    # GET/HEAD data-read routes — the read half of the protected surface (the forged-token probe
+    # needs these; the bypass class hits reads like /api/wallets/lookup that are in no other bucket).
+    reads = [f"{e.get('method')} {e.get('path')}" for e in routes.get("endpoints", [])
+             if e.get("method") in ("GET", "HEAD")][:80]
     return {
         "target_base_url": "FILL_ME (e.g. http://localhost:3000)",
         "auth": {
@@ -111,6 +117,7 @@ def build_context(facts: dict) -> dict:
         },
         "endpoints": {
             "writes": writes,
+            "reads": reads,
             "idor_candidates": tgt.get("idor_candidates", [])[:60],
             "ssrf_candidates": tgt.get("ssrf_candidates", [])[:40],
             "upload_candidates": tgt.get("upload_candidates", [])[:40],

{websec_validator-0.2.3 → websec_validator-0.2.5}/src/websec_validator/recon.py

@@ -14,8 +14,8 @@ from .extractors.base import RepoContext
 from .extractors.stack import StackExtractor
 
 
-def build_facts(root: Path, version: str) -> dict:
-    return extractors.run_all(root, version)
+def build_facts(root: Path, version: str, excludes: list | None = None) -> dict:
+    return extractors.run_all(root, version, excludes)
 
 
 def write_facts(facts: dict, out: Path) -> Path:

{websec_validator-0.2.3 → websec_validator-0.2.5}/src/websec_validator/report.py

@@ -43,8 +43,12 @@ def render(facts: dict, scanners: dict, scan_results: list, unified: dict | None
             chain = " → ".join(e["layer"] for e in f["evidence"])
             api = (" · " + ", ".join(f["standards"]["owasp_api"])) if f["standards"]["owasp_api"] else ""
             cal = f.get("calibrated") or {}
-            calstr = (f" · P(real)≈**{cal.get('p')}** CI {cal.get('ci')} (n={cal.get('n')}, {cal.get('basis')})"
-                      if cal else "")
+            if not cal:
+                calstr = ""
+            elif cal.get("n", 0) == 0 or str(cal.get("basis", "")).startswith("prior"):
+                calstr = " · P(real): _uncalibrated — verify manually_"   # don't dress n=0 as a measurement (B4)
+            else:
+                calstr = f" · P(real)≈**{cal.get('p')}** CI {cal.get('ci')} (n={cal.get('n')}, {cal.get('basis')})"
             _ll.append(f"- **[{f['severity']}/{f['confidence']}]** {f['title']}  \n"
                        f"  `{f['location']}` · evidence: {chain} · {cwe}{api}{calstr}  \n"
                        f"  _fix:_ {f['remediation']}")
@@ -68,7 +72,7 @@ def render(facts: dict, scanners: dict, scan_results: list, unified: dict | None
 | | |
 |---|---|
 | Stack | {", ".join(stack.get("languages", [])) or "?"} · {", ".join(stack.get("frameworks", [])) or "?"} · {", ".join(stack.get("datastores", [])) or "?"} |
-| Endpoints | **{routes.get('count', 0)}** (via {routes.get('engine','?').split(' ')[0]}) |
+| Endpoints | **{routes.get('count', 0)}** app routes (via {routes.get('engine','?').split(' ')[0]}){(" · " + str(routes.get('spec_derived_excluded')) + " spec-derived excluded") if routes.get('spec_derived_excluded') else ""} |
 | Auth | {facts.get('auth', {}).get('scheme','?')} · roles: {', '.join(authz.get('roles_detected', [])) or 'none'} |
 | Access control | {gs.get('with_visible_guard', 0)} guarded · **{gs.get('no_visible_guard', 0)} no visible guard** · global-middleware: {authz.get('global_auth_middleware', False)} |
 | Static scanner (raw, pre-triage) | {sev_line} |