Documentation
¶
Overview ¶
Package scanner runs passive security checks over captured flows. It never sends traffic — it only inspects request/response metadata and bodies that were already recorded, keeping analysis off the proxy hot path.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var BuiltinChecks = []BuiltinCheck{
{checkPasswordInBody, "Password transmitted in request body", "Secrets", "Medium", "A password field is sent in the request body."},
{checkTokenInResp, "Session token leaked in response body", "Secrets", "High", "A bearer token / credential is returned in the response body."},
{checkSensitiveURL, "Sensitive token or credential in URL", "Secrets", "Medium", "A credential-like parameter is in the request URL query string."},
{checkSecurityHeaders, "Missing security response headers", "Headers", "Medium", "Bundles CSP, HSTS, X-Content-Type-Options, clickjacking & Referrer-Policy into one finding listing whichever are missing."},
{checkCorsWildcard, "Overly permissive CORS policy", "CORS", "Medium", "Access-Control-Allow-Origin: * lets any origin read the resource."},
{checkCorsCreds, "CORS with credentials enabled", "CORS", "High", "Wildcard or reflected Origin combined with Allow-Credentials: true."},
{checkInsecureCookie, "Cookie set without Secure and HttpOnly", "Cookies", "Low", "A cookie lacks the Secure and/or HttpOnly attributes."},
{checkCookieSameSite, "Cookie missing SameSite attribute", "Cookies", "Low", "A cookie is set without a SameSite attribute (CSRF surface)."},
{checkCacheableAuth, "Authenticated response may be cached", "Cookies", "Low", "A cookie-setting response lacks Cache-Control: no-store/private."},
{checkVersionDisclosure, "Server software version disclosed", "Disclosure", "Low", "Server / X-Powered-By / X-AspNet-Version reveals a version."},
{checkVerboseError, "Verbose error discloses internal details", "Disclosure", "Medium", "A 5xx response leaks trace ids / stack frames."},
{checkPrivateIP, "Internal IP address disclosed", "Disclosure", "Low", "The response body contains a private/loopback IP address."},
{checkReflectedParam, "Request parameter reflected in HTML", "Injection", "Low", "A parameter is echoed verbatim into HTML — a possible reflected-XSS sink."},
{checkDBError, "Possible SQL injection (DB error in response)", "Injection", "High", "The response contains a database error string — a strong SQLi signal."},
{checkBasicAuth, "HTTP Basic authentication in use", "Auth", "Low", "Credentials are sent as reversible base64 (Authorization: Basic)."},
{checkMixedContent, "Mixed content: HTTPS page loads HTTP resource", "Config", "Medium", "An HTTPS page references a resource over plain HTTP."},
{checkOpenRedirect, "Potential open redirect via request parameter", "Redirect", "Medium", "A 3xx Location is influenced by a request parameter, off-host."},
{checkDirListing, "Directory listing enabled", "Config", "Low", "The response looks like an auto-generated directory index."},
{checkCloudKey, "Cloud/API credential or private key exposed", "Secrets", "High", "A response or request body contains a well-known API key, cloud credential, or private-key block."},
{checkPII, "Personal data (card/SSN) exposed in response", "Disclosure", "Medium", "A Luhn-valid payment card number or a US SSN appears in the response body."},
{checkSourceMap, "Source map reference exposed", "Disclosure", "Low", "A JavaScript response references a sourceMappingURL, which may expose original source."},
{checkDebugPage, "Framework debug / stack-trace page", "Disclosure", "High", "The response is a framework debug page or language stack trace, leaking internals."},
{checkWeakCSP, "Weak Content-Security-Policy", "Headers", "Medium", "A CSP is present but permits unsafe-inline, unsafe-eval, or a wildcard script source."},
{checkWeakHSTS, "Weak HSTS policy (short max-age)", "Headers", "Low", "HSTS is set but its max-age is under 180 days, shrinking the HTTPS-enforcement window."},
{checkInsecureForm, "Form submits over plaintext HTTP", "Config", "Medium", "An HTML form's action posts to an http:// URL, exposing submitted data."},
{checkTabnabbing, "Reverse tabnabbing (target=_blank without noopener)", "Config", "Low", "An external link opens in a new tab without rel=noopener, exposing window.opener."},
{checkGraphQLIntrospect, "GraphQL introspection enabled", "Disclosure", "Medium", "The response contains a GraphQL introspection schema, revealing the full API surface."},
{checkSameSiteNone, "Cookie SameSite=None without Secure", "Cookies", "Medium", "A cookie declares SameSite=None but is not marked Secure."},
{checkInsecureWS, "Insecure WebSocket (ws://) reference", "Config", "Low", "An HTTPS page references a plaintext ws:// WebSocket endpoint."},
{checkJSONP, "JSONP endpoint reflects callback", "Disclosure", "Low", "A javascript response wraps data in a caller-supplied callback — cross-origin data theft surface."},
}
BuiltinChecks lists every built-in passive check. The Category groups them in the UI; Severity is the default the check emits.
Functions ¶
func Analyze ¶
Analyze runs all passive checks (none disabled) — kept for the existing 3-arg callers and tests. The real scan path uses AnalyzeWithDisabled so users can turn individual built-in checks off.
func AnalyzeWithDisabled ¶ added in v0.14.0
func AnalyzeWithDisabled(f *store.Flow, reqBody, resBody []byte, disabled map[string]bool) []store.Issue
AnalyzeWithDisabled runs the built-in passive checks, skipping any whose ID is in disabled. disabled may be nil to run everything.
func BuiltinTemplate ¶ added in v0.17.0
BuiltinTemplate returns the default Starlark source for a built-in passive check. Saving this to ~/.interceptor/checks/<id>.star overrides the compiled Go check.
func IsBuiltinID ¶ added in v0.17.0
IsBuiltinID reports whether id is a built-in passive check.
Types ¶
type BuiltinCheck ¶ added in v0.14.0
type BuiltinCheck struct {
ID string `json:"id"`
Title string `json:"title"`
Category string `json:"category"`
Severity string `json:"severity"`
Description string `json:"description"`
}
BuiltinCheck is metadata for a built-in passive check — shown in the Checks manager so users can see and toggle each one (built-ins can be disabled but not deleted; only Starlark checks are user-editable).