Documentation
Index
- Variables
- func CheckHeaderReflection(mutation Mutation, resp *ResponseContext, baseline *ResponseContext) (bool, string)
- func GenerateHTMLReport(result *ScanResult, targetURL string, filename string) error
- func GenerateSARIF(result *ScanResult, targetURL string, filename string) error
- func GetAdaptiveSummary(tech *TechProfile) string
- func IsResponseSignificantlyDifferent(baseline, mutated *ResponseContext, profile *BaselineProfile) bool
- type BaselineProfile
- type CORSAnalysis
- type ChainedMutation
- type DiffResult
- type EvidenceItem
- type Finding
- type HostInjectionResult
- type InfoLeak
- type MissingSecurityHeader
- type Mutation
- type OOBCallback
- type OOBInteraction
- type OOBServer
- func (s *OOBServer) CollectConfirmed(waitDuration time.Duration) []*OOBInteraction
- func (s *OOBServer) ConfirmedCount() int
- func (s *OOBServer) GenerateInteraction(header, payload, category, impact string) string
- func (s *OOBServer) GetAllCallbacks() []OOBCallback
- func (s *OOBServer) GetCallbackURL(interactionID string) string
- func (s *OOBServer) GetDNSHostname(interactionID string) string
- func (s *OOBServer) IsRunning() bool
- func (s *OOBServer) PendingCount() int
- func (s *OOBServer) Start() error
- func (s *OOBServer) Stop()
- type Orchestrator
- type ReconResult
- type ReconSummary
- type ReflectionHit
- type RequestContext
- type ResponseContext
- type ScanConfig
- type ScanResult
- type ScanStats
- type SecurityAudit
- type SimilarityResult
- type TechFingerprint
- type TechProfile
- type VerbBypass
- type VerbTamperResult
Constants
This section is empty.
Variables
var (
    GetAuthMutations        func() []Mutation
    GetProxyMutations       func() []Mutation
    GetCORSMutations        func() []Mutation
    GetCacheMutations       func() []Mutation
    GetOverrideMutations    func() []Mutation
    GetCloudMutations       func() []Mutation
    GetDebugMutations       func() []Mutation
    GetSmugglingMutations   func() []Mutation
    GetInjectionMutations   func() []Mutation
    GetSSRFMutations        func() []Mutation
    GetHopByHopMutations    func() []Mutation
    GetRateLimitMutations   func() []Mutation
    GetSecurityMutations    func() []Mutation
    GetWebSocketMutations   func() []Mutation
    GetJWTMutations         func() []Mutation
    GetCRLFMutations        func() []Mutation
    GetCookieMutations      func() []Mutation
    GetContentTypeMutations func() []Mutation
    GetRedirectMutations    func() []Mutation
    GetProtocolMutations    func() []Mutation
    GetEncodingMutations    func() []Mutation
    GetGatewayMutations     func() []Mutation
)
Functions
func CheckHeaderReflection
func CheckHeaderReflection(mutation Mutation, resp *ResponseContext, baseline *ResponseContext) (bool, string)
CheckHeaderReflection performs context-aware reflection detection. Returns (reflected, location) where location describes whether the value landed in a dangerous position. The baseline response is used to exclude values that were already present before the probe — those represent ambient server output, not reflection of our input.
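The two ideas in that description, excluding values the baseline already contained and classifying where a reflected value landed, are easy to get wrong, so here is an added example that is not the package's code. It works over a minimal `Response` type of its own; the type, the function names and the classification heuristics (quote parity inside a tag, an unclosed `<script>` element) are assumptions of this example, while the location labels follow the ReflectionContext values listed under DiffResult on this page.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Response is a minimal stand-in for the scanner's ResponseContext; this shape is an
// assumption made for the example, not the package's definition.
type Response struct {
	Headers map[string]string
	Body    string
}

// containsCanary reports whether canary occurs anywhere in r, headers included.
func containsCanary(r *Response, canary string) bool {
	if strings.Contains(r.Body, canary) {
		return true
	}
	for _, v := range r.Headers {
		if strings.Contains(v, canary) {
			return true
		}
	}
	return false
}

// bodyContext classifies where the first occurrence of canary sits in body, using the
// ReflectionContext labels the page lists: html_attr, html_tag, js_context, json_value, safe.
func bodyContext(body, canary string, isJSON bool) string {
	idx := strings.Index(body, canary)
	if idx < 0 {
		return ""
	}
	if isJSON {
		return "json_value"
	}
	before := strings.ToLower(body[:idx])
	lt, gt := strings.LastIndex(before, "<"), strings.LastIndex(before, ">")
	if lt > gt {
		// The last '<' is still open, so the canary is inside a tag. An odd number of
		// quotes since that '<' means it landed inside an attribute value.
		tag := before[lt:]
		if strings.Count(tag, `"`)%2 == 1 || strings.Count(tag, "'")%2 == 1 {
			return "html_attr"
		}
		return "html_tag"
	}
	// Between tags: an unclosed <script> element means JavaScript context.
	if strings.LastIndex(before, "<script") > strings.LastIndex(before, "</script") {
		return "js_context"
	}
	return "safe"
}

// CheckReflection reports whether canary was reflected by the mutated response in a
// position that the baseline did not already contain. Returns (reflected, location).
func CheckReflection(baseline, mutated *Response, canary string) (bool, string) {
	// A value present before the probe is ambient server output, not reflection of our input.
	if containsCanary(baseline, canary) {
		return false, ""
	}
	names := make([]string, 0, len(mutated.Headers))
	for name := range mutated.Headers {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic choice when several headers reflect
	for _, name := range names {
		if strings.Contains(mutated.Headers[name], canary) {
			return true, "header:" + strings.ToLower(name)
		}
	}
	isJSON := strings.Contains(strings.ToLower(mutated.Headers["Content-Type"]), "application/json")
	if ctx := bodyContext(mutated.Body, canary, isJSON); ctx != "" {
		return true, ctx
	}
	return false, ""
}

// IsDangerousLocation marks positions where reflected input controls markup, script or a header.
func IsDangerousLocation(location string) bool {
	switch location {
	case "html_tag", "html_attr", "js_context":
		return true
	}
	return strings.HasPrefix(location, "header:")
}

func main() {
	const canary = "hx7q2canary" // constructed probe value
	html := map[string]string{"Content-Type": "text/html"}
	baseline := &Response{Headers: html, Body: "<html><body>Welcome</body></html>"}
	probes := []*Response{ // constructed responses to a mutated request
		{Headers: html, Body: `<a href="` + canary + `">home</a>`},
		{Headers: html, Body: `<script>var origin = "` + canary + `";</script>`},
		{Headers: map[string]string{"Content-Type": "application/json"}, Body: `{"origin":"` + canary + `"}`},
		{Headers: map[string]string{"Content-Type": "text/html", "X-Debug-Origin": canary}, Body: "ok"},
		{Headers: html, Body: "<p>You came from " + canary + "</p>"},
	}
	for _, p := range probes {
		reflected, loc := CheckReflection(baseline, p, canary)
		fmt.Printf("reflected=%v location=%-20s dangerous=%v\n", reflected, loc, IsDangerousLocation(loc))
	}
}
```

The heuristics are deliberately small: they are enough to separate attribute, tag and script contexts from plain text and JSON values, which is the distinction that decides whether a reflection is a finding or noise. A production classifier would tokenize the markup instead of scanning for the last `<` and `>`.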
func GenerateHTMLReport
func GenerateHTMLReport(result *ScanResult, targetURL string, filename string) error
GenerateHTMLReport creates a professional, self-contained HTML report.
func GenerateSARIF
func GenerateSARIF(result *ScanResult, targetURL string, filename string) error
GenerateSARIF creates a SARIF 2.1.0 report for CI/CD integration.
func GetAdaptiveSummary
func GetAdaptiveSummary(tech *TechProfile) string
GetAdaptiveSummary returns a human-readable summary of adaptive prioritization.
func IsResponseSignificantlyDifferent
func IsResponseSignificantlyDifferent(baseline, mutated *ResponseContext, profile *BaselineProfile) bool
IsResponseSignificantlyDifferent returns true if the mutation response is meaningfully different from the baseline, accounting for dynamic content.
Types
type BaselineProfile
type BaselineProfile struct {
    StatusCode        int
    StatusConsistent  bool
    BodyHashes        []string
    BodyConsistent    bool
    AvgSize           float64
    SizeStdDev        float64
    AvgTiming         float64
    TimingStdDev      float64
    ConsistentHeaders map[string]bool // headers that appear in all baselines
    BaselineKeys      []string        // JSON keys from baseline
    BaselineSensitive []string        // sensitive patterns already in baseline
    Responses         []*ResponseContext
    // Volatile field tracking (Rule #1)
    VolatileHeaders map[string]bool // headers whose values change across samples
    VolatileCookies map[string]bool // cookie names with rotating values
}
BaselineProfile holds statistical data from multiple baseline requests.
func NewBaselineProfile
func NewBaselineProfile(responses []*ResponseContext) *BaselineProfile
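NewBaselineProfile and IsResponseSignificantlyDifferent together describe the statistical side of the scanner: several baseline responses are profiled, headers whose values rotate between samples are flagged as volatile (Rule #1), and a mutation only counts as different when some signal other than timing exceeds the baseline's spread (Rule #2, see IsTimingOnly under DiffResult). The following is an added example, not the package's code, that implements that pipeline over a small `Sample` type of its own; the type, the function names and the thresholds are this example's assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Sample stands in for one observed response; the shape is this example's assumption.
type Sample struct {
	Status   int
	Size     int
	TimingMS float64
	Headers  map[string]string
}

// Profile summarises several baseline samples of the same unmodified request.
type Profile struct {
	StatusCode              int
	StatusConsistent        bool
	AvgSize, SizeStdDev     float64
	AvgTiming, TimingStdDev float64
	ConsistentHeaders       map[string]string // present in every sample with one stable value
	VolatileHeaders         map[string]bool   // presence or value varies across samples
}

// meanStd returns the mean and population standard deviation of xs.
func meanStd(xs []float64) (mean, std float64) {
	var sum, sumSq float64
	for _, x := range xs {
		sum, sumSq = sum+x, sumSq+x*x
	}
	mean = sum / float64(len(xs))
	return mean, math.Sqrt(math.Max(sumSq/float64(len(xs))-mean*mean, 0))
}

// NewProfile builds a Profile from two or more baseline samples.
func NewProfile(samples []Sample) *Profile {
	p := &Profile{StatusCode: samples[0].Status, StatusConsistent: true,
		ConsistentHeaders: map[string]string{}, VolatileHeaders: map[string]bool{}}
	var sizes, timings []float64
	count, first, rotates := map[string]int{}, map[string]string{}, map[string]bool{}
	for _, s := range samples {
		p.StatusConsistent = p.StatusConsistent && s.Status == p.StatusCode
		sizes, timings = append(sizes, float64(s.Size)), append(timings, s.TimingMS)
		for k, v := range s.Headers {
			k = strings.ToLower(k)
			count[k]++
			if f, ok := first[k]; !ok {
				first[k] = v
			} else if f != v {
				rotates[k] = true
			}
		}
	}
	p.AvgSize, p.SizeStdDev = meanStd(sizes)
	p.AvgTiming, p.TimingStdDev = meanStd(timings)
	for k, n := range count {
		if n != len(samples) || rotates[k] {
			p.VolatileHeaders[k] = true // request IDs, dates and the like: never a signal on their own
		} else {
			p.ConsistentHeaders[k] = first[k]
		}
	}
	return p
}

// Diff records which signals distinguish a mutated response from the profile.
type Diff struct {
	StatusChanged, SizeAnomaly, TimingAnomaly bool
	HeaderChanges                             []string
}

// Compare scores a mutated response against the profile. The thresholds (three standard
// deviations, floored at 2% of mean size and 50% of mean timing) are this example's choice.
func Compare(p *Profile, m Sample) Diff {
	var d Diff
	d.StatusChanged = p.StatusConsistent && m.Status != p.StatusCode
	d.SizeAnomaly = math.Abs(float64(m.Size)-p.AvgSize) > math.Max(3*p.SizeStdDev, 0.02*p.AvgSize)
	d.TimingAnomaly = math.Abs(m.TimingMS-p.AvgTiming) > math.Max(3*p.TimingStdDev, 0.5*p.AvgTiming)
	got := map[string]string{}
	for k, v := range m.Headers {
		got[strings.ToLower(k)] = v
	}
	for k, v := range p.ConsistentHeaders {
		if got[k] != v { // a header that was stable in every baseline is now missing or altered
			d.HeaderChanges = append(d.HeaderChanges, "changed:"+k)
		}
	}
	for k := range got {
		if _, ok := p.ConsistentHeaders[k]; !ok && !p.VolatileHeaders[k] {
			d.HeaderChanges = append(d.HeaderChanges, "added:"+k)
		}
	}
	sort.Strings(d.HeaderChanges)
	return d
}

// IsSignificant is true when any signal other than timing fired.
func (d Diff) IsSignificant() bool { return d.StatusChanged || d.SizeAnomaly || len(d.HeaderChanges) > 0 }

// IsTimingOnly is true when timing is the only signal, which alone is too weak to report.
func (d Diff) IsTimingOnly() bool { return d.TimingAnomaly && !d.IsSignificant() }

// baselineSamples is a constructed baseline: stable status, jittering size and timing,
// and a request ID header that rotates on every response.
var baselineSamples = []Sample{
	{200, 5120, 120, map[string]string{"Content-Type": "text/html", "X-Request-Id": "a1"}},
	{200, 5128, 135, map[string]string{"Content-Type": "text/html", "X-Request-Id": "b2"}},
	{200, 5116, 128, map[string]string{"Content-Type": "text/html", "X-Request-Id": "c3"}},
}

func main() {
	p := NewProfile(baselineSamples)
	slow := Compare(p, Sample{200, 5124, 900, map[string]string{"Content-Type": "text/html", "X-Request-Id": "d4"}})
	debug := Compare(p, Sample{200, 7400, 125, map[string]string{"Content-Type": "text/html", "X-Debug": "1"}})
	fmt.Printf("slow:  %+v timingOnly=%v\n", slow, slow.IsTimingOnly())
	fmt.Printf("debug: %+v significant=%v\n", debug, debug.IsSignificant())
}
```

With three samples the rotating X-Request-Id is classified volatile and never produces a header signal, a 900 ms response against a ~128 ms baseline is reported as timing-only and therefore not significant, while a body that grows by two kilobytes together with a header that no baseline ever sent is. The floors on the thresholds matter: a perfectly stable baseline has a standard deviation of zero, and without a floor any one-byte jitter would count as an anomaly.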
type CORSAnalysis
type CORSAnalysis struct {
    AllowOrigin      string `json:"allow_origin"`
    AllowCredentials bool   `json:"allow_credentials"`
    AllowMethods     string `json:"allow_methods"`
    AllowHeaders     string `json:"allow_headers"`
    ExposeHeaders    string `json:"expose_headers"`
    MaxAge           string `json:"max_age"`
    Vulnerable       bool   `json:"vulnerable"`
    Details          string `json:"details"`
}
type ChainedMutation
type ChainedMutation struct {
    Headers  map[string]string // header -> value
    Category string
    Impact   string
    Source   []Mutation // original mutations that form this chain
}
ChainedMutation represents a group of headers sent together.
func GenerateChains
func GenerateChains(mutations []Mutation, maxChainSize int) []ChainedMutation
GenerateChains creates intelligent multi-header combinations from a set of mutations. Returns ChainedMutations grouped by attack strategy.
type DiffResult
type DiffResult struct {
    StatusChanged      bool
    BodyHashChanged    bool
    NewJSONKeys        []string
    SizeChangeRatio    float64
    TimingDeltaMS      int64
    HeadersAdded       []string
    HeadersRemoved     []string
    PrivilegeElevate   bool
    AuthBypass         bool
    HeaderReflection   bool
    ReflectedValue     string
    SensitiveDataFound []string
    CORSMisconfigured  bool
    CORSDetails        string
    InfoDisclosure     []string
    TimingAnomaly      string
    // Enhanced response tracking
    LocationHeader     string
    LocationChanged    bool
    SetCookiePresent   bool
    SetCookieValues    []string
    ContentTypeChanged bool
    AuthChallengeGone  bool
    // New: evidence-based scoring
    Evidence          []EvidenceItem
    TotalConfidence   float64
    HighestSeverity   string
    EvidenceCount     int
    ReflectionContext string // "html_tag", "html_attr", "js_context", "json_value", "header", "safe"
}
func CalculateDiff
func CalculateDiff(baseline, mutated *ResponseContext) *DiffResult
func CalculateDiffWithProfile
func CalculateDiffWithProfile(baseline, mutated *ResponseContext, profile *BaselineProfile) *DiffResult
func (*DiffResult) IsCookieOnly (added in v0.2.2)
func (d *DiffResult) IsCookieOnly() bool
IsCookieOnly returns true if new cookies are the ONLY difference.
func (*DiffResult) IsSignificant
func (d *DiffResult) IsSignificant() bool
func (*DiffResult) IsTimingOnly (added in v0.2.2)
func (d *DiffResult) IsTimingOnly() bool
IsTimingOnly returns true if a timing anomaly is the ONLY signal (Rule #2).
type EvidenceItem
type Finding
type Finding struct {
    Header          string            `json:"header"`
    Payload         string            `json:"payload"`
    Impact          string            `json:"impact"`
    Confidence      string            `json:"confidence"`
    ConfidenceScore float64           `json:"confidence_score"`
    Evidence        map[string]string `json:"evidence"`
    Category        string            `json:"category"`
    Severity        string            `json:"severity"`
    CVSS            float64           `json:"cvss,omitempty"`
    CWE             string            `json:"cwe,omitempty"`
    Remediation     string            `json:"remediation,omitempty"`
    References      []string          `json:"references,omitempty"`
    Request         string            `json:"request,omitempty"`
    Response        string            `json:"response,omitempty"`
    Timestamp       time.Time         `json:"timestamp"`
    Verified        bool              `json:"verified,omitempty"`
    VerifiedAt      time.Time         `json:"verified_at,omitempty"`
    ReconSource     string            `json:"recon_source,omitempty"`
    CurlCommand     string            `json:"curl_command,omitempty"`
    Reproducible    bool              `json:"reproducible,omitempty"`
    VerifyAttempts  int               `json:"verify_attempts,omitempty"`
    TimingOnly      bool              `json:"timing_only,omitempty"`
    ScopeNote       string            `json:"scope_note,omitempty"`
}
func DeduplicateFindings
DeduplicateFindings removes duplicate and near-duplicate findings, keeping the highest-confidence instance per root cause group. Groups are formed by (header_family, impact_type, severity).
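An added example, not the package's code, of the grouping rule just described: findings are keyed by (header_family, impact_type, severity) and only the highest-confidence member of each group survives. The `headerFamily` prefix list and the output ordering are this example's assumptions, since the page names the header_family grouping but does not define how families are formed; the `Finding` type here is a cut-down subset of the struct above.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is a cut-down version of the page's Finding struct (only the fields needed here).
type Finding struct {
	Header          string
	Payload         string
	Impact          string
	Severity        string
	ConfidenceScore float64
}

// headerFamily maps variant header names onto one root cause. The prefix list is this
// example's assumption; the page does not define how families are formed.
func headerFamily(h string) string {
	h = strings.ToLower(h)
	for _, prefix := range []string{"x-forwarded-", "x-original-", "x-real-", "x-client-"} {
		if strings.HasPrefix(h, prefix) {
			return strings.TrimSuffix(prefix, "-")
		}
	}
	return h
}

// groupKey is the page's (header_family, impact_type, severity) triple.
func groupKey(f Finding) string {
	return headerFamily(f.Header) + "|" + strings.ToLower(f.Impact) + "|" + strings.ToUpper(f.Severity)
}

// sevRank orders severities for the report; unknown labels sort last.
func sevRank(s string) int {
	if r, ok := map[string]int{"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}[strings.ToUpper(s)]; ok {
		return r
	}
	return 5
}

// Deduplicate keeps the highest-confidence finding per group and returns the survivors
// ordered by severity, then confidence (descending), then header name.
func Deduplicate(in []Finding) []Finding {
	best := map[string]Finding{}
	for _, f := range in {
		k := groupKey(f)
		if cur, ok := best[k]; !ok || f.ConfidenceScore > cur.ConfidenceScore {
			best[k] = f
		}
	}
	out := make([]Finding, 0, len(best))
	for _, f := range best {
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if sevRank(a.Severity) != sevRank(b.Severity) {
			return sevRank(a.Severity) < sevRank(b.Severity)
		}
		if a.ConfidenceScore != b.ConfidenceScore {
			return a.ConfidenceScore > b.ConfidenceScore
		}
		return a.Header < b.Header
	})
	return out
}

// sampleFindings is a constructed scan output: five findings over three distinct root causes.
var sampleFindings = []Finding{
	{"X-Forwarded-Host", "probe-a", "cache_poisoning", "HIGH", 0.72},
	{"X-Forwarded-Host", "probe-b", "cache_poisoning", "HIGH", 0.91},
	{"X-Forwarded-Scheme", "probe-c", "cache_poisoning", "HIGH", 0.65},
	{"X-Original-URL", "probe-d", "open_redirect", "MEDIUM", 0.80},
	{"X-Forwarded-Host", "probe-e", "open_redirect", "LOW", 0.40},
}

func main() {
	for _, f := range Deduplicate(sampleFindings) {
		fmt.Printf("%-8s %-18s %-16s conf=%.2f payload=%s\n", f.Severity, f.Header, f.Impact, f.ConfidenceScore, f.Payload)
	}
}
```

Collapsing on family rather than exact header name is what turns three X-Forwarded-* cache-poisoning hits into one report line; the same header with a different impact or severity stays a separate finding, because it points at a different fix.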
func OOBToFindings
func OOBToFindings(confirmed []*OOBInteraction) []Finding
OOBToFindings converts confirmed OOB interactions into findings.
func ReconToFindings
func ReconToFindings(recon *ReconResult) []Finding
ReconToFindings converts recon results into Finding structs.
type HostInjectionResult
type HostInjectionResult struct {
    Header  string
    Canary  string
    Context string // "body_link", "location_redirect", "meta_tag", "base_href"
    Impact  string // "cache_poisoning", "password_reset_poisoning", "open_redirect"
}
HostInjectionResult records a host header injection finding.
type MissingSecurityHeader
type Mutation
func ChainedToMutations
func ChainedToMutations(chains []ChainedMutation) []Mutation
ChainedToMutations converts chained mutations to flat Mutation structs for the orchestrator. The first header becomes the primary; the rest go in the headers map.
func InjectOOBPayloads
InjectOOBPayloads generates OOB-enhanced versions of mutations when the OOB server is active.
func PrioritizeMutationsForTech
func PrioritizeMutationsForTech(mutations []Mutation, tech *TechProfile) []Mutation
PrioritizeMutationsForTech reorders and augments mutations based on the detected technology.
type OOBCallback
type OOBCallback struct {
    InteractionID string            `json:"interaction_id"`
    RemoteAddr    string            `json:"remote_addr"`
    Method        string            `json:"method"`
    Path          string            `json:"path"`
    Headers       map[string]string `json:"headers"`
    Body          string            `json:"body,omitempty"`
    ReceivedAt    time.Time         `json:"received_at"`
    Protocol      string            `json:"protocol"` // "http" or "dns"
}
OOBCallback records an incoming callback from a target.
type OOBInteraction
type OOBInteraction struct {
    ID        string       `json:"id"`
    Header    string       `json:"header"`
    Payload   string       `json:"payload"`
    Category  string       `json:"category"`
    Impact    string       `json:"impact"`
    CreatedAt time.Time    `json:"created_at"`
    Confirmed bool         `json:"confirmed"`
    Callback  *OOBCallback `json:"callback,omitempty"`
}
OOBInteraction tracks a pending OOB interaction linked to a specific mutation.
type OOBServer
type OOBServer struct {
    // contains filtered or unexported fields
}
OOBServer is an out-of-band callback server for confirming blind vulnerabilities. It runs an HTTP listener that captures incoming requests from injected payloads, correlating them back to specific mutations via unique interaction IDs.
func NewOOBServer
NewOOBServer creates a new OOB callback server.
func (*OOBServer) CollectConfirmed
func (s *OOBServer) CollectConfirmed(waitDuration time.Duration) []*OOBInteraction
CollectConfirmed waits for the specified duration and returns all confirmed interactions.
func (*OOBServer) ConfirmedCount
func (s *OOBServer) ConfirmedCount() int
ConfirmedCount returns the number of confirmed interactions.
func (*OOBServer) GenerateInteraction
func (s *OOBServer) GenerateInteraction(header, payload, category, impact string) string
GenerateInteraction creates a new unique interaction ID linked to a mutation.
func (*OOBServer) GetAllCallbacks
func (s *OOBServer) GetAllCallbacks() []OOBCallback
GetAllCallbacks returns all received callbacks.
func (*OOBServer) GetCallbackURL
func (s *OOBServer) GetCallbackURL(interactionID string) string
GetCallbackURL returns the full callback URL for an interaction ID.
func (*OOBServer) GetDNSHostname
func (s *OOBServer) GetDNSHostname(interactionID string) string
GetDNSHostname returns a DNS hostname that would resolve to the OOB server.
func (*OOBServer) PendingCount
func (s *OOBServer) PendingCount() int
PendingCount returns the number of pending (unconfirmed) interactions.
type Orchestrator
type Orchestrator struct {
    // contains filtered or unexported fields
}
func NewOrchestrator
func NewOrchestrator(config *ScanConfig) *Orchestrator
func (*Orchestrator) Scan
func (o *Orchestrator) Scan() (*ScanResult, error)
type ReconResult
type ReconResult struct {
    Reflections    []ReflectionHit
    VerbTamper     *VerbTamperResult
    HostInjections []HostInjectionResult
    TotalRequests  int
}
ReconResult holds all reconnaissance findings from the pre-scan phase.
func RunRecon
func RunRecon(client *http.Client, config *ScanConfig, baseline *ResponseContext, profile *BaselineProfile) *ReconResult
RunRecon orchestrates all reconnaissance probes.
func (*ReconResult) ReflectedHeaderSet
func (r *ReconResult) ReflectedHeaderSet() map[string]bool
ReflectedHeaderSet returns a set of header names that were found to reflect.
func (*ReconResult) ToSummary
func (r *ReconResult) ToSummary() *ReconSummary
ToSummary converts a ReconResult into a ReconSummary for the scan result.
type ReconSummary
type ReconSummary struct {
    ReflectedHeaders   []string `json:"reflected_headers,omitempty"`
    AllowedMethods     []string `json:"allowed_methods,omitempty"`
    DangerousMethods   []string `json:"dangerous_methods,omitempty"`
    TraceEnabled       bool     `json:"trace_enabled"`
    HostInjectable     []string `json:"host_injectable,omitempty"`
    VerbTamperBypasses int      `json:"verb_tamper_bypasses"`
}
type ReflectionHit
type ReflectionHit struct {
    Header    string
    Canary    string
    Location  string // "body" or "header:<name>"
    Context   string // "href", "src", "script_src", "form_action", "meta_tag", "base_href", "json_value", "plain_text", "location_header", "set_cookie", "response_header"
    Dangerous bool
}
ReflectionHit records where a canary was reflected via a specific header.
type RequestContext
type RequestContext struct {
    URL         string
    Method      string
    Headers     map[string]string
    Body        []byte
    ProxyURL    string
    Timeout     time.Duration
    FollowRedir bool
}
func NewRequestContext
func NewRequestContext(url, method string) *RequestContext
func ParseRawRequest
func ParseRawRequest(raw string, useTLS bool) (*RequestContext, error)
ParseRawRequest parses a raw HTTP request (e.g., from a Burp Suite copy-paste) and returns a RequestContext. The raw format is:
GET /path HTTP/1.1
Host: example.com
Header: value

optional body
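An added example, not the package's implementation, of the parsing rules just described together with the Clone and SetBody behaviour documented for RequestContext below. The `RawRequest` type and its method names are assumptions of this example; it accepts both CRLF and LF line endings, requires a Host header to build the URL, and treats everything after the first blank line as the body.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RawRequest stands in for the package's RequestContext; the field set is this example's
// assumption, mirroring the fields the page lists (URL, Method, Headers, Body).
type RawRequest struct {
	URL     string
	Method  string
	Headers map[string]string
	Body    []byte
}

// ParseRaw parses a pasted HTTP/1.x request in the format the page shows: request line,
// header lines, a blank line, then an optional body. CRLF and LF endings are both accepted.
func ParseRaw(raw string, useTLS bool) (*RawRequest, error) {
	raw = strings.TrimLeft(strings.ReplaceAll(raw, "\r\n", "\n"), "\n")
	parts := strings.SplitN(raw, "\n\n", 2) // head and body are separated by the first blank line
	lines := strings.Split(parts[0], "\n")
	fields := strings.Fields(lines[0])
	if len(fields) < 2 {
		return nil, errors.New("malformed request line")
	}
	req := &RawRequest{Method: fields[0], Headers: map[string]string{}}
	if len(parts) == 2 {
		req.Body = []byte(parts[1])
	}
	for _, ln := range lines[1:] {
		if ln == "" {
			continue // trailing newline with no body
		}
		kv := strings.SplitN(ln, ":", 2) // values may themselves contain ':' (e.g. host:port)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed header line %q", ln)
		}
		req.Headers[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	host := req.header("Host")
	if host == "" {
		return nil, errors.New("missing Host header")
	}
	target := fields[1]
	switch {
	case strings.HasPrefix(target, "http://"), strings.HasPrefix(target, "https://"):
		req.URL = target // absolute-form target already carries scheme and host
	case useTLS:
		req.URL = "https://" + host + target
	default:
		req.URL = "http://" + host + target
	}
	return req, nil
}

// header returns the value of name, matched case-insensitively, or "" when absent.
func (r *RawRequest) header(name string) string {
	for k, v := range r.Headers {
		if strings.EqualFold(k, name) {
			return v
		}
	}
	return ""
}

// Clone returns a deep copy so that each mutation edits its own header map and body.
func (r *RawRequest) Clone() *RawRequest {
	c := &RawRequest{URL: r.URL, Method: r.Method, Headers: make(map[string]string, len(r.Headers))}
	for k, v := range r.Headers {
		c.Headers[k] = v
	}
	c.Body = append([]byte(nil), r.Body...)
	return c
}

// SetBody replaces the body and sets Content-Type only when none is already present.
func (r *RawRequest) SetBody(body []byte, contentType string) {
	r.Body = body
	if r.header("Content-Type") == "" {
		r.Headers["Content-Type"] = contentType
	}
}

func main() {
	// Constructed paste in the format the page describes.
	raw := "POST /api/login HTTP/1.1\r\nHost: example.com\r\nAccept: application/json\r\n\r\n{\"user\":\"demo\"}"
	req, err := ParseRaw(raw, true)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	probe := req.Clone()
	probe.Headers["X-Probe"] = "1" // the parsed original stays untouched
	fmt.Printf("%s %s headers=%d body=%s\n", req.Method, req.URL, len(req.Headers), req.Body)
	fmt.Printf("clone has X-Probe=%v, original has X-Probe=%v\n", probe.header("X-Probe") != "", req.header("X-Probe") != "")
}
```

The deep copy in Clone is the part that matters for a scanner: a shared header map would let one mutation's header leak into every later request and corrupt the diff against the baseline.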
func (*RequestContext) AddHeader
func (rc *RequestContext) AddHeader(key, value string)
func (*RequestContext) Clone
func (rc *RequestContext) Clone() *RequestContext
func (*RequestContext) Execute
func (rc *RequestContext) Execute(client *http.Client) (*ResponseContext, error)
func (*RequestContext) SetBody
func (rc *RequestContext) SetBody(body []byte, contentType string)
SetBody sets the request body and auto-sets Content-Type if it is not already set.
type ResponseContext
type ScanConfig
type ScanConfig struct {
    URL            string
    Method         string
    Headers        map[string]string
    Body           []byte
    ContentType    string
    Auth           bool
    Proxy          bool
    CORS           bool
    Cache          bool
    Override       bool
    Cloud          bool
    Debug          bool
    Smuggling      bool
    Injection      bool
    SSRF           bool
    HopByHop       bool
    RateLimit      bool
    Security       bool
    WebSocket      bool
    JWT            bool
    CRLF           bool
    Cookie         bool
    ContentTypeCat bool
    Redirect       bool
    Protocol       bool
    Encoding       bool
    Gateway        bool
    Chain          bool
    DiffOnly       bool
    PrivCheck      bool
    WAFEvasion     bool
    Audit          bool
    Recon          bool
    Verify         bool
    ProxyURL       string
    Workers        int
    RateDelay      int
    Stealth        bool
    Timeout        time.Duration
    // v4.0 features
    OOBServer       *OOBServer
    OOBWait         time.Duration
    FollowRedirects bool
    MatchStatus     []int
    FilterStatus    []int
    MatchSize       int64
    FilterSize      int64
    // v0.2.2 false-positive elimination
    TimingOnly bool     // --timing-only: show timing-only findings
    ShowAll    bool     // --all: show LOW and timing-only findings
    Verbose    bool     // --verbose: show normalized diff for each finding
    ScopeRules []string // loaded from --scope file
}
type ScanResult
type ScanResult struct {
    Findings      []Finding      `json:"findings"`
    SecurityAudit *SecurityAudit `json:"security_audit,omitempty"`
    Recon         *ReconSummary  `json:"recon,omitempty"`
    Stats         ScanStats      `json:"stats"`
    TargetURL     string         `json:"target_url"`
}
type ScanStats
type ScanStats struct {
    TotalMutations   int           `json:"total_mutations"`
    TotalFindings    int           `json:"total_findings"`
    Critical         int           `json:"critical"`
    High             int           `json:"high"`
    Medium           int           `json:"medium"`
    Low              int           `json:"low"`
    Info             int           `json:"info"`
    Duration         time.Duration `json:"duration"`
    BaselineStatus   int           `json:"baseline_status"`
    BaselineSize     int64         `json:"baseline_size"`
    BaselineTime     int64         `json:"baseline_time_ms"`
    ReconRequests    int           `json:"recon_requests,omitempty"`
    VerifiedFindings int           `json:"verified_findings,omitempty"`
    OOBConfirmed     int           `json:"oob_confirmed,omitempty"`
    ChainsTested     int           `json:"chains_tested,omitempty"`
}
type SecurityAudit
type SecurityAudit struct {
    MissingHeaders   []MissingSecurityHeader `json:"missing_headers"`
    InformationLeaks []InfoLeak              `json:"information_leaks"`
    TechFingerprints []TechFingerprint       `json:"tech_fingerprints"`
    WAFDetected      string                  `json:"waf_detected"`
    ServerInfo       string                  `json:"server_info"`
    CORSAnalysis     *CORSAnalysis           `json:"cors_analysis,omitempty"`
}
func RunSecurityAudit
func RunSecurityAudit(resp *ResponseContext) *SecurityAudit
type SimilarityResult
type SimilarityResult struct {
    // BodySimilarity is 0.0 (completely different) to 1.0 (identical)
    BodySimilarity float64
    // StructuralSimilarity compares HTML/JSON structure ignoring content
    StructuralSimilarity float64
    // HeaderSimilarity compares response header sets
    HeaderSimilarity float64
    // NormalizedBodySimilarity is body similarity after removing dynamic content
    NormalizedBodySimilarity float64
    // OverallScore is the weighted composite score
    OverallScore float64
    // IsDynamic indicates the baseline response has dynamic content
    IsDynamic bool
    // DynamicPatterns lists detected dynamic content patterns
    DynamicPatterns []string
}
SimilarityResult holds the detailed comparison between two responses.
func CalculateSimilarity
func CalculateSimilarity(baseline, mutated *ResponseContext) *SimilarityResult
CalculateSimilarity computes a detailed similarity analysis between two responses.
func CalculateSimilarityWithProfile
func CalculateSimilarityWithProfile(baseline, mutated *ResponseContext, profile *BaselineProfile) *SimilarityResult
CalculateSimilarityWithProfile uses the baseline profile for better dynamic-content detection.
type TechFingerprint
type TechProfile
type TechProfile struct {
    Server       string   // nginx, apache, IIS, etc.
    Language     string   // PHP, Java, Python, .NET, Node.js, etc.
    Framework    string   // Laravel, Spring, Django, Express, etc.
    Cloud        string   // AWS, Azure, GCP, Cloudflare, etc.
    WAF          string   // Cloudflare, AWS WAF, Akamai, etc.
    Technologies []string // All detected technologies
}
TechProfile represents the detected technology stack of a target.
func BuildTechProfile
func BuildTechProfile(audit *SecurityAudit) *TechProfile
BuildTechProfile constructs a technology profile from security audit results.
type VerbBypass
VerbBypass records a successful verb tampering auth bypass.
type VerbTamperResult
type VerbTamperResult struct {
    AllowedMethods   []string
    DangerousMethods []string
    TraceEnabled     bool
    TraceReflects    bool
    VerbBypasses     []VerbBypass
}
VerbTamperResult records HTTP method discovery and verb tampering outcomes.