scanner

package
v0.27.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 3, 2026 License: MIT Imports: 5 Imported by: 0

Documentation

Overview

Package scanner runs passive security checks over captured flows. It never sends traffic — it only inspects request/response metadata and bodies that were already recorded, keeping analysis off the proxy hot path.

Index

Constants

This section is empty.

Variables

View Source
var BuiltinChecks = []BuiltinCheck{
	{checkPasswordInBody, "Password transmitted in request body", "Secrets", "Medium", "A password field is sent in the request body."},
	{checkTokenInResp, "Session token leaked in response body", "Secrets", "High", "A bearer token / credential is returned in the response body."},
	{checkSensitiveURL, "Sensitive token or credential in URL", "Secrets", "Medium", "A credential-like parameter is in the request URL query string."},
	{checkSecurityHeaders, "Missing security response headers", "Headers", "Medium", "Bundles CSP, HSTS, X-Content-Type-Options, clickjacking & Referrer-Policy into one finding listing whichever are missing."},
	{checkCorsWildcard, "Overly permissive CORS policy", "CORS", "Medium", "Access-Control-Allow-Origin: * lets any origin read the resource."},
	{checkCorsCreds, "CORS with credentials enabled", "CORS", "High", "Wildcard or reflected Origin combined with Allow-Credentials: true."},
	{checkInsecureCookie, "Cookie set without Secure and HttpOnly", "Cookies", "Low", "A cookie lacks the Secure and/or HttpOnly attributes."},
	{checkCookieSameSite, "Cookie missing SameSite attribute", "Cookies", "Low", "A cookie is set without a SameSite attribute (CSRF surface)."},
	{checkCacheableAuth, "Authenticated response may be cached", "Cookies", "Low", "A cookie-setting response lacks Cache-Control: no-store/private."},
	{checkVersionDisclosure, "Server software version disclosed", "Disclosure", "Low", "Server / X-Powered-By / X-AspNet-Version reveals a version."},
	{checkVerboseError, "Verbose error discloses internal details", "Disclosure", "Medium", "A 5xx response leaks trace ids / stack frames."},
	{checkPrivateIP, "Internal IP address disclosed", "Disclosure", "Low", "The response body contains a private/loopback IP address."},
	{checkReflectedParam, "Request parameter reflected in HTML", "Injection", "Low", "A parameter is echoed verbatim into HTML — a possible reflected-XSS sink."},
	{checkDBError, "Possible SQL injection (DB error in response)", "Injection", "High", "The response contains a database error string — a strong SQLi signal."},
	{checkBasicAuth, "HTTP Basic authentication in use", "Auth", "Low", "Credentials are sent as reversible base64 (Authorization: Basic)."},
	{checkMixedContent, "Mixed content: HTTPS page loads HTTP resource", "Config", "Medium", "An HTTPS page references a resource over plain HTTP."},
	{checkOpenRedirect, "Potential open redirect via request parameter", "Redirect", "Medium", "A 3xx Location is influenced by a request parameter, off-host."},
	{checkDirListing, "Directory listing enabled", "Config", "Low", "The response looks like an auto-generated directory index."},
	{checkCloudKey, "Cloud/API credential or private key exposed", "Secrets", "High", "A response or request body contains a well-known API key, cloud credential, or private-key block."},
	{checkPII, "Personal data (card/SSN) exposed in response", "Disclosure", "Medium", "A Luhn-valid payment card number or a US SSN appears in the response body."},
	{checkSourceMap, "Source map reference exposed", "Disclosure", "Low", "A JavaScript response references a sourceMappingURL, which may expose original source."},
	{checkDebugPage, "Framework debug / stack-trace page", "Disclosure", "High", "The response is a framework debug page or language stack trace, leaking internals."},
	{checkWeakCSP, "Weak Content-Security-Policy", "Headers", "Medium", "A CSP is present but permits unsafe-inline, unsafe-eval, or a wildcard script source."},
	{checkWeakHSTS, "Weak HSTS policy (short max-age)", "Headers", "Low", "HSTS is set but its max-age is under 180 days, shrinking the HTTPS-enforcement window."},
	{checkInsecureForm, "Form submits over plaintext HTTP", "Config", "Medium", "An HTML form's action posts to an http:// URL, exposing submitted data."},
	{checkTabnabbing, "Reverse tabnabbing (target=_blank without noopener)", "Config", "Low", "An external link opens in a new tab without rel=noopener, exposing window.opener."},
	{checkGraphQLIntrospect, "GraphQL introspection enabled", "Disclosure", "Medium", "The response contains a GraphQL introspection schema, revealing the full API surface."},
	{checkSameSiteNone, "Cookie SameSite=None without Secure", "Cookies", "Medium", "A cookie declares SameSite=None but is not marked Secure."},
	{checkInsecureWS, "Insecure WebSocket (ws://) reference", "Config", "Low", "An HTTPS page references a plaintext ws:// WebSocket endpoint."},
	{checkJSONP, "JSONP endpoint reflects callback", "Disclosure", "Low", "A javascript response wraps data in a caller-supplied callback — cross-origin data theft surface."},
}

BuiltinChecks lists every built-in passive check. The Category groups them in the UI; Severity is the default the check emits.

Functions

func Analyze

func Analyze(f *store.Flow, reqBody, resBody []byte) []store.Issue

Analyze runs all passive checks (none disabled) — kept for the existing 3-arg callers and tests. The real scan path uses AnalyzeWithDisabled so users can turn individual built-in checks off.

func AnalyzeWithDisabled added in v0.14.0

func AnalyzeWithDisabled(f *store.Flow, reqBody, resBody []byte, disabled map[string]bool) []store.Issue

AnalyzeWithDisabled runs the built-in passive checks, skipping any whose ID is in disabled. disabled may be nil to run everything.

func BuiltinTemplate added in v0.17.0

func BuiltinTemplate(id string) (string, bool)

BuiltinTemplate returns the default Starlark source for a built-in passive check. Saving this to ~/.interceptor/checks/<id>.star overrides the compiled Go check.

func IsBuiltinID added in v0.17.0

func IsBuiltinID(id string) bool

IsBuiltinID reports whether id is a built-in passive check.

Types

type BuiltinCheck added in v0.14.0

type BuiltinCheck struct {
	ID          string `json:"id"`
	Title       string `json:"title"`
	Category    string `json:"category"`
	Severity    string `json:"severity"`
	Description string `json:"description"`
}

BuiltinCheck is metadata for a built-in passive check — shown in the Checks manager so users can see and toggle each one (built-ins can be disabled but not deleted; only Starlark checks are user-editable).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL