taint

package
v0.1.7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 5, 2026 License: MIT Imports: 19 Imported by: 0

Documentation

Overview

Filename: probes.go

Filename: internal/analysis/active/taint/scanner.go

Filename: taint_analyzer.go File: internal/analysis/active/taint/analyzer.go

Filename: types.go package taint defines the core data structures, constants, and interfaces used throughout the IAST analysis system.

Index

Constants

View Source 
const (
	JSCallbackSinkEvent      = "__scalpel_sink_event"
	JSCallbackExecutionProof = "__scalpel_execution_proof"
	JSCallbackShimError      = "__scalpel_shim_error"
)

Constants defining the base names of Go functions exposed to the browser's JavaScript environment. These are used as prefixes to generate session-specific randomized names.

Variables

View Source 
var ValidTaintFlows = map[TaintFlowPath]bool{
	{schemas.ProbeTypeXSS, schemas.SinkEval}:                true,
	{schemas.ProbeTypeXSS, schemas.SinkInnerHTML}:           true,
	{schemas.ProbeTypeXSS, schemas.SinkOuterHTML}:           true,
	{schemas.ProbeTypeXSS, schemas.SinkDocumentWrite}:       true,
	{schemas.ProbeTypeXSS, schemas.SinkIframeSrcDoc}:        true,
	{schemas.ProbeTypeXSS, schemas.SinkFunctionConstructor}: true,
	{schemas.ProbeTypeXSS, schemas.SinkScriptSrc}:           true,
	{schemas.ProbeTypeXSS, schemas.SinkIframeSrc}:           true,
	{schemas.ProbeTypeXSS, schemas.SinkNavigation}:          true,
	{schemas.ProbeTypeXSS, schemas.SinkPostMessage}:         true,
	{schemas.ProbeTypeXSS, schemas.SinkWorkerPostMessage}:   true,

	{schemas.ProbeTypeDOMClobbering, schemas.SinkEval}:       true,
	{schemas.ProbeTypeDOMClobbering, schemas.SinkInnerHTML}:  true,
	{schemas.ProbeTypeDOMClobbering, schemas.SinkNavigation}: true,

	{schemas.ProbeTypeSSTI, schemas.SinkEval}:                true,
	{schemas.ProbeTypeSSTI, schemas.SinkInnerHTML}:           true,
	{schemas.ProbeTypeSSTI, schemas.SinkOuterHTML}:           true,
	{schemas.ProbeTypeSSTI, schemas.SinkDocumentWrite}:       true,
	{schemas.ProbeTypeSSTI, schemas.SinkIframeSrcDoc}:        true,
	{schemas.ProbeTypeSSTI, schemas.SinkFunctionConstructor}: true,

	{schemas.ProbeTypeSQLi, schemas.SinkInnerHTML}:         true,
	{schemas.ProbeTypeCmdInjection, schemas.SinkInnerHTML}: true,

	{schemas.ProbeTypeGeneric, schemas.SinkWebSocketSend}:     true,
	{schemas.ProbeTypeGeneric, schemas.SinkXMLHTTPRequest}:    true,
	{schemas.ProbeTypeGeneric, schemas.SinkXMLHTTPRequestURL}: true,
	{schemas.ProbeTypeGeneric, schemas.SinkFetch}:             true,
	{schemas.ProbeTypeGeneric, schemas.SinkFetchURL}:          true,
	{schemas.ProbeTypeGeneric, schemas.SinkNavigation}:        true,
	{schemas.ProbeTypeGeneric, schemas.SinkSendBeacon}:        true,
	{schemas.ProbeTypeGeneric, schemas.SinkWorkerSrc}:         true,

	{schemas.ProbeTypeOAST, schemas.SinkWebSocketSend}:     true,
	{schemas.ProbeTypeOAST, schemas.SinkXMLHTTPRequest}:    true,
	{schemas.ProbeTypeOAST, schemas.SinkXMLHTTPRequestURL}: true,
	{schemas.ProbeTypeOAST, schemas.SinkFetch}:             true,
	{schemas.ProbeTypeOAST, schemas.SinkFetchURL}:          true,
	{schemas.ProbeTypeOAST, schemas.SinkNavigation}:        true,
	{schemas.ProbeTypeOAST, schemas.SinkSendBeacon}:        true,
	{schemas.ProbeTypeOAST, schemas.SinkWorkerSrc}:         true,
}

ValidTaintFlows is a map that acts as a rules engine, defining the set of logical and high-risk taint flows. For example, it validates that an XSS probe reaching an `innerHTML` sink is a valid path to report, while a generic probe reaching the same sink might be ignored.

Functions

func BuildTaintShim 

func BuildTaintShim(templateContent string, configJSON string, sinkCallback, proofCallback, backendProofCallback, errorCallback string) (string, error)

BuildTaintShim is an exported utility function that constructs the final JavaScript instrumentation shim. VULN-FIX (Timing): Updated signature to include the backend proof callback name.

Types

type ActiveProbe 

type ActiveProbe struct {
	Type      schemas.ProbeType
	Key       string // The name/key used for injection (e.g., URL parameter name).
	Value     string // The full payload after template substitution.
	Canary    string // The unique identifier for this probe instance.
	Source    schemas.TaintSource
	CreatedAt time.Time
}

ActiveProbe represents an instance of a ProbeDefinition that has been injected into the target. It includes the unique canary used for tracking and metadata about its injection point (source).

type Analyzer 

type Analyzer struct {
	// contains filtered or unexported fields
}

Analyzer orchestrates the Hybrid IAST process. It manages dynamic probe injection, event collection, static analysis of loaded scripts, and correlation.

func NewAnalyzer 

func NewAnalyzer(config Config, reporter ResultsReporter, oastProvider OASTProvider, logger *zap.Logger) (*Analyzer, error)

NewAnalyzer creates and initializes a new taint Analyzer instance.

func (*Analyzer) Analyze 

func (a *Analyzer) Analyze(ctx context.Context, session SessionContext) error

Analyze is the main entry point for the Hybrid IAST analysis.

func (*Analyzer) HandleScriptLoaded 

func (a *Analyzer) HandleScriptLoaded(url, content string)

HandleScriptLoaded (New Method) is the entry point for the SAST engine when a script is loaded. This method is expected to be called by the infrastructure managing the SessionContext (e.g., the browser controller) when it intercepts a script load.

func (*Analyzer) UpdateTaintFlowRuleForTesting 

func (a *Analyzer) UpdateTaintFlowRuleForTesting(flow TaintFlowPath, isValid bool)

UpdateTaintFlowRuleForTesting provides a thread-safe mechanism to modify the taint flow validation rules during tests.

type Config 

type Config struct {
	TaskID      string                    `json:"task_id" yaml:"task_id"`
	Target      *url.URL                  `json:"target" yaml:"target"`
	Probes      []ProbeDefinition         `json:"probes" yaml:"probes"`
	Sinks       []SinkDefinition          `json:"sinks" yaml:"sinks"` // Uses the alias to core.SinkDefinition
	Interaction schemas.InteractionConfig `json:"interaction" yaml:"interaction"`

	// AnalysisTimeout is the total maximum duration for the entire analysis task.
	AnalysisTimeout time.Duration `json:"analysis_timeout" yaml:"analysis_timeout"`

	// -- Performance & Concurrency Tuning --
	CorrelationWorkers      int           `json:"correlation_workers" yaml:"correlation_workers"`
	EventChannelBuffer      int           `json:"event_channel_buffer" yaml:"event_channel_buffer"`
	FinalizationGracePeriod time.Duration `json:"finalization_grace_period" yaml:"finalization_grace_period"`
	ProbeExpirationDuration time.Duration `json:"probe_expiration_duration" yaml:"probe_expiration_duration"`
	CleanupInterval         time.Duration `json:"cleanup_interval" yaml:"cleanup_interval"`
	OASTPollingInterval     time.Duration `json:"oast_polling_interval" yaml:"oast_polling_interval"`
}

Config encapsulates all settings and parameters for a single taint analysis task, from the target and probes to performance tuning and timeouts.

type CorrelatedFinding 

type CorrelatedFinding struct {
	TaskID    string
	TargetURL string // The initial target URL of the analysis task.

	// FIX: Add the URL and Title of the page where the sink/execution actually occurred.
	OccurrenceURL   string
	OccurrenceTitle string

	Sink              schemas.TaintSink
	Origin            schemas.TaintSource
	Value             string // The value observed at the sink.
	Canary            string
	Probe             ActiveProbe
	Detail            string
	IsConfirmed       bool // True if confirmed by execution proof or OAST.
	SanitizationLevel SanitizationLevel
	StackTrace        string
	OASTDetails       *OASTInteraction // Details if confirmed via OAST.

	// Step 5: Unified Reporting (Correlated Findings)
	// Confirmation flags
	ConfirmedStatic  bool // Found via AST analysis (SAST)
	ConfirmedDynamic bool // Found via Shim/Execution Proof (IAST/DAST)

	// Link to the static finding if correlated.
	StaticFinding *javascript.StaticFinding
}

CorrelatedFinding is the final, structured output of the taint analysis engine. It represents a confirmed or potential vulnerability, linking a taint source (Probe) to a sink and including all relevant evidence.

type Event 

type Event interface {
	// contains filtered or unexported methods
}

Event is a marker interface for all types of events that can be sent to the correlation engine. This allows various event structs (SinkEvent, ExecutionProofEvent, etc.) to be sent over the same channel.

type ExecutionProofEvent 

type ExecutionProofEvent struct {
	Canary     string `json:"canary"`
	StackTrace string `json:"stack"`
	// FIX: Add context about the page where the event occurred for FP reduction.
	PageURL   string `json:"page_url"`
	PageTitle string `json:"page_title"`
}

ExecutionProofEvent is generated by the JavaScript shim when a payload's canary is executed as code (e.g., via `eval` or an event handler), providing definitive proof of a vulnerability like XSS.

type HumanoidProvider 

type HumanoidProvider interface {
	GetHumanoid() *humanoid.Humanoid
}

HumanoidProvider defines an interface for duck-typing the SessionContext to check if it provides access to the Humanoid controller.

type OASTInteraction 

type OASTInteraction struct {
	schemas.OASTInteraction
}

OASTInteraction wraps the canonical schema definition to satisfy the local Event interface required by the analysis engine. This avoids duplicating the struct definition while enforcing the interface contract.

type OASTProvider 

type OASTProvider schemas.OASTProvider

OASTProvider is an alias for the canonical `schemas.OASTProvider` interface, used here to decouple the analyzer from the API schema package if needed.

type PANScanner 

type PANScanner struct {
	// contains filtered or unexported fields
}

PANScanner handles the verification of credit card numbers (Primary Account Numbers).

func NewPANScanner 

func NewPANScanner() *PANScanner

NewPANScanner initializes a PANScanner by compiling the detection regex once for efficient reuse.

func (*PANScanner) HasValidPAN 

func (ps *PANScanner) HasValidPAN(input string) bool

HasValidPAN checks if an input string contains at least one sequence that matches the PAN pattern and subsequently passes the Luhn algorithm validation.

type ProbeDefinition 

type ProbeDefinition struct {
	Type        schemas.ProbeType `json:"type" yaml:"type"`
	Payload     string            `json:"payload" yaml:"payload"`
	Context     string            `json:"context" yaml:"context"`
	Description string            `json:"description" yaml:"description"`
}

ProbeDefinition defines the blueprint for a single attack payload, including its type, the payload template, and a description.

func DefaultProbes 

func DefaultProbes() []ProbeDefinition

DefaultProbes provides a default, comprehensive list of attack payloads (probes) for various vulnerability classes, including XSS, SSTI, Prototype Pollution, and OAST-based checks. This list serves as the default configuration for the taint analyzer.

type ResultsReporter 

type ResultsReporter interface {
	Report(finding CorrelatedFinding)
}

ResultsReporter defines a simple, thread-safe interface for reporting correlated findings back to the main analysis context.

type SanitizationLevel 

type SanitizationLevel int

SanitizationLevel categorizes the degree to which a payload has been altered by the application before it reaches a sink. 

const (
	// SanitizationNone indicates the payload reached the sink completely unchanged.
	SanitizationNone SanitizationLevel = iota
	// SanitizationPartial indicates that the core canary was found, but the
	// surrounding payload was modified (e.g., HTML tags stripped or quotes escaped).
	SanitizationPartial
	// SanitizationFull indicates that the canary was not found in the sink,
	// implying the payload was completely removed or altered beyond recognition.
	SanitizationFull
)

type SessionContext 

type SessionContext schemas.SessionContext

SessionContext is an alias for the canonical `schemas.SessionContext` interface.

type ShimErrorEvent 

type ShimErrorEvent struct {
	Error      string `json:"error"`
	Location   string `json:"location"`
	StackTrace string `json:"stack"`
}

ShimErrorEvent is used to report internal errors from the JavaScript instrumentation shim back to the Go backend for debugging purposes.

type SinkDefinition 

type SinkDefinition = core.SinkDefinition

SinkDefinition provides the blueprint for instrumenting a single JavaScript sink. (Step 1: Alias to the unified definition in core)

func DefaultSinks 

func DefaultSinks() []SinkDefinition

DefaultSinks provides a default list of JavaScript sinks to be instrumented by the taint analysis shim. (Step 1: Delegate to the unified core list)

type SinkEvent 

type SinkEvent struct {
	Type       schemas.TaintSink `json:"type"`   // The type of sink that was triggered.
	Value      string            `json:"value"`  // The tainted value observed at the sink.
	Detail     string            `json:"detail"` // Additional context, like the property name.
	StackTrace string            `json:"stack"`  // The JavaScript stack trace.
	// FIX: Add context about the page where the event occurred for FP reduction.
	PageURL   string `json:"page_url"`   // The URL of the document at the time of the event.
	PageTitle string `json:"page_title"` // The title of the document at the time of the event.
}

SinkEvent is generated by the JavaScript shim when a value containing a canary is passed to an instrumented sink (e.g., `element.innerHTML = taintedValue`).

type TaintFlowPath 

type TaintFlowPath struct {
	ProbeType schemas.ProbeType
	SinkType  schemas.TaintSink
}

TaintFlowPath represents a logical path from a probe (representing a taint source) to a sink. This is used to define a ruleset for valid and invalid flows to reduce false positives.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.