scanner

package
v1.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 10, 2026 License: MIT Imports: 5 Imported by: 0

Documentation

Overview

Package scanner runs passive security checks over captured flows. It never sends traffic — it only inspects request/response metadata and bodies that were already recorded, keeping analysis off the proxy hot path.

Index

Constants

This section is empty.

Variables

View Source
var BuiltinChecks = []BuiltinCheck{
	{checkPasswordInBody, "Password transmitted in request body", "Secrets", "Medium", "A password field is sent in the request body."},
	{checkTokenInResp, "Session token leaked in response body", "Secrets", "High", "A bearer token / credential is returned in the response body."},
	{checkSensitiveURL, "Sensitive token or credential in URL", "Secrets", "Medium", "A credential-like parameter is in the request URL query string."},
	{checkSecurityHeaders, "Missing security response headers", "Headers", "Medium", "Bundles CSP, HSTS, X-Content-Type-Options, clickjacking & Referrer-Policy into one finding listing whichever are missing."},
	{checkCorsWildcard, "Overly permissive CORS policy", "CORS", "Medium", "Access-Control-Allow-Origin: * lets any origin read the resource."},
	{checkCorsCreds, "CORS with credentials enabled", "CORS", "High", "Wildcard or reflected Origin combined with Allow-Credentials: true."},
	{checkInsecureCookie, "Cookie set without Secure and HttpOnly", "Cookies", "Low", "A cookie lacks the Secure and/or HttpOnly attributes."},
	{checkCookieSameSite, "Cookie missing SameSite attribute", "Cookies", "Low", "A cookie is set without a SameSite attribute (CSRF surface)."},
	{checkCacheableAuth, "Authenticated response may be cached", "Cookies", "Low", "A cookie-setting response lacks Cache-Control: no-store/private."},
	{checkVersionDisclosure, "Server software version disclosed", "Disclosure", "Low", "Server / X-Powered-By / X-AspNet-Version reveals a version."},
	{checkVerboseError, "Verbose error discloses internal details", "Disclosure", "Medium", "A 5xx response leaks trace ids / stack frames."},
	{checkPrivateIP, "Internal IP address disclosed", "Disclosure", "Low", "The response body contains a private/loopback IP address."},
	{checkReflectedParam, "Request parameter reflected in HTML", "Injection", "Low", "A parameter is echoed verbatim into HTML — a possible reflected-XSS sink."},
	{checkDBError, "Possible SQL injection (DB error in response)", "Injection", "High", "The response contains a database error string — a strong SQLi signal."},
	{checkBasicAuth, "HTTP Basic authentication in use", "Auth", "Low", "Credentials are sent as reversible base64 (Authorization: Basic)."},
	{checkMixedContent, "Mixed content: HTTPS page loads HTTP resource", "Config", "Medium", "An HTTPS page references a resource over plain HTTP."},
	{checkOpenRedirect, "Potential open redirect via request parameter", "Redirect", "Medium", "A 3xx Location is influenced by a request parameter, off-host."},
	{checkDirListing, "Directory listing enabled", "Config", "Low", "The response looks like an auto-generated directory index."},
	{checkCloudKey, "Cloud/API credential or private key exposed", "Secrets", "High", "A response or request body contains a well-known API key, cloud credential, or private-key block."},
	{checkPII, "Personal data (card/SSN) exposed in response", "Disclosure", "Medium", "A Luhn-valid payment card number or a US SSN appears in the response body."},
	{checkSourceMap, "Source map reference exposed", "Disclosure", "Low", "A JavaScript response references a sourceMappingURL, which may expose original source."},
	{checkDebugPage, "Framework debug / stack-trace page", "Disclosure", "High", "The response is a framework debug page or language stack trace, leaking internals."},
	{checkWeakCSP, "Weak Content-Security-Policy", "Headers", "Medium", "A CSP is present but permits unsafe-inline, unsafe-eval, or a wildcard script source."},
	{checkWeakHSTS, "Weak HSTS policy (short max-age)", "Headers", "Low", "HSTS is set but its max-age is under 180 days, shrinking the HTTPS-enforcement window."},
	{checkInsecureForm, "Form submits over plaintext HTTP", "Config", "Medium", "An HTML form's action posts to an http:// URL, exposing submitted data."},
	{checkTabnabbing, "Reverse tabnabbing (target=_blank without noopener)", "Config", "Low", "An external link opens in a new tab without rel=noopener, exposing window.opener."},
	{checkGraphQLIntrospect, "GraphQL introspection enabled", "Disclosure", "Medium", "The response contains a GraphQL introspection schema, revealing the full API surface."},
	{checkSameSiteNone, "Cookie SameSite=None without Secure", "Cookies", "Medium", "A cookie declares SameSite=None but is not marked Secure."},
	{checkInsecureWS, "Insecure WebSocket (ws://) reference", "Config", "Low", "An HTTPS page references a plaintext ws:// WebSocket endpoint."},
	{checkJSONP, "JSONP endpoint reflects callback", "Disclosure", "Low", "A javascript response wraps data in a caller-supplied callback — cross-origin data theft surface."},
}

BuiltinChecks lists every built-in passive check. The Category groups them in the UI; Severity is the default the check emits.

Functions

func Analyze

func Analyze(f *store.Flow, reqBody, resBody []byte) []store.Issue

Analyze runs all passive checks (none disabled) — kept for the existing 3-arg callers and tests. The real scan path uses AnalyzeWithDisabled so users can turn individual built-in checks off.

func AnalyzeWithDisabled

func AnalyzeWithDisabled(f *store.Flow, reqBody, resBody []byte, disabled map[string]bool) []store.Issue

AnalyzeWithDisabled runs the built-in passive checks, skipping any whose ID is in disabled. disabled may be nil to run everything.

func BuiltinTemplate

func BuiltinTemplate(id string) (string, bool)

BuiltinTemplate returns the default Starlark source for a built-in passive check. Saving this to ~/.interseptor/checks/<id>.star overrides the compiled Go check.

func IsBuiltinID

func IsBuiltinID(id string) bool

IsBuiltinID reports whether id is a built-in passive check.

Types

type BuiltinCheck

type BuiltinCheck struct {
	ID          string `json:"id"`
	Title       string `json:"title"`
	Category    string `json:"category"`
	Severity    string `json:"severity"`
	Description string `json:"description"`
}

BuiltinCheck is metadata for a built-in passive check — shown in the Checks manager so users can see and toggle each one (built-ins can be disabled but not deleted; only Starlark checks are user-editable).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL