dearsky/wifi-densepose
1
0
Fork 0
Code Issues 20 Pull Requests 5 Actions Packages Projects Releases 1 Wiki Activity
Files
d803bfe2b1fe7f5e219e50ac20d6801a0a58ac75
wifi-densepose/npm/packages/agentic-synth/examples/security/vulnerability-testing.js
ruv d803bfe2b1 Squashed 'vendor/ruvector/' content from commit b64c2172 
git-subtree-dir: vendor/ruvector
git-subtree-split: b64c21726f2bb37286d9ee36a7869fef60cc6900
2026-02-28 14:39:40 -05:00

422 lines
17 KiB
JavaScript
Raw Blame History

"use strict";
/**
* Vulnerability Testing Data Examples
*
* ⚠️ ETHICAL USE ONLY ⚠️
* These examples are for:
* - Authorized penetration testing
* - Security research in controlled environments
* - Defensive security training
* - Vulnerability scanner development
*
* NEVER use against systems without explicit authorization.
*/
Object.defineProperty(exports, "__esModule", { value: true });
exports.generateSQLInjectionPayloads = generateSQLInjectionPayloads;
exports.generateXSSVectors = generateXSSVectors;
exports.generateCSRFScenarios = generateCSRFScenarios;
exports.generateAuthBypassTests = generateAuthBypassTests;
exports.generateAPIAbusePatterns = generateAPIAbusePatterns;
exports.generateOWASPTop10Tests = generateOWASPTop10Tests;
exports.runVulnerabilityTests = runVulnerabilityTests;
const agentic_synth_1 = require("agentic-synth");
/**
* SQL Injection Test Payloads
* For testing input validation and parameterized queries
*/
async function generateSQLInjectionPayloads() {
const synth = new agentic_synth_1.AgenticSynth({
temperature: 0.7,
maxRetries: 3
});
const sqlInjectionPrompt = `
Generate SQL injection test payloads for defensive security testing.
Include classic, union-based, boolean-based, and time-based blind SQLi payloads.
Each payload should have: type, payload, expected_detection, severity, mitigation.
Generate 15 diverse payloads covering different SQL injection techniques.
`;
const payloads = await synth.generate({
prompt: sqlInjectionPrompt,
schema: {
type: 'object',
properties: {
payloads: {
type: 'array',
items: {
type: 'object',
properties: {
id: { type: 'string' },
type: {
type: 'string',
enum: ['classic', 'union', 'boolean_blind', 'time_blind', 'error_based', 'stacked_queries']
},
payload: { type: 'string' },
description: { type: 'string' },
target_parameter: { type: 'string' },
expected_behavior: { type: 'string' },
should_be_blocked: { type: 'boolean' },
severity: {
type: 'string',
enum: ['critical', 'high', 'medium', 'low']
},
mitigation: { type: 'string' }
},
required: ['id', 'type', 'payload', 'severity', 'mitigation']
}
}
},
required: ['payloads']
}
});
return payloads;
}
/**
* XSS (Cross-Site Scripting) Test Vectors
* For testing output encoding and CSP effectiveness
*/
async function generateXSSVectors() {
const synth = new agentic_synth_1.AgenticSynth({
temperature: 0.8,
maxRetries: 3
});
const xssPrompt = `
Generate XSS (Cross-Site Scripting) test vectors for security testing.
Include stored, reflected, and DOM-based XSS payloads.
Cover HTML injection, JavaScript execution, event handlers, and encoding bypass techniques.
Each vector should have: type, payload, context, expected_sanitization, severity.
Generate 20 diverse XSS test cases.
`;
const vectors = await synth.generate({
prompt: xssPrompt,
schema: {
type: 'object',
properties: {
vectors: {
type: 'array',
items: {
type: 'object',
properties: {
id: { type: 'string' },
type: {
type: 'string',
enum: ['stored', 'reflected', 'dom_based', 'mutation_based']
},
payload: { type: 'string' },
context: {
type: 'string',
enum: ['html', 'attribute', 'javascript', 'url', 'css']
},
description: { type: 'string' },
bypass_technique: { type: 'string' },
expected_sanitization: { type: 'string' },
should_be_blocked: { type: 'boolean' },
severity: {
type: 'string',
enum: ['critical', 'high', 'medium', 'low']
},
csp_bypass: { type: 'boolean' },
mitigation: { type: 'string' }
},
required: ['id', 'type', 'payload', 'context', 'severity']
}
}
},
required: ['vectors']
}
});
return vectors;
}
/**
* CSRF (Cross-Site Request Forgery) Test Scenarios
* For testing CSRF token validation and SameSite cookie protection
*/
async function generateCSRFScenarios() {
const synth = new agentic_synth_1.AgenticSynth({
temperature: 0.7,
maxRetries: 3
});
const csrfPrompt = `
Generate CSRF attack test scenarios for security validation.
Include different attack methods: form submission, AJAX requests, clickjacking.
Each scenario should have: attack_method, target_endpoint, payload, tokens_present, expected_result.
Generate 10 comprehensive CSRF test cases.
`;
const scenarios = await synth.generate({
prompt: csrfPrompt,
schema: {
type: 'object',
properties: {
scenarios: {
type: 'array',
items: {
type: 'object',
properties: {
id: { type: 'string' },
attack_method: {
type: 'string',
enum: ['form_post', 'ajax', 'image_tag', 'iframe', 'fetch_api']
},
target_endpoint: { type: 'string' },
http_method: { type: 'string' },
payload: { type: 'object' },
csrf_token_present: { type: 'boolean' },
csrf_token_valid: { type: 'boolean' },
origin_header: { type: 'string' },
referer_header: { type: 'string' },
expected_result: {
type: 'string',
enum: ['blocked', 'allowed', 'token_error', 'origin_mismatch']
},
severity: { type: 'string' },
mitigation: { type: 'string' }
},
required: ['id', 'attack_method', 'target_endpoint', 'expected_result']
}
}
},
required: ['scenarios']
}
});
return scenarios;
}
/**
* Authentication Bypass Test Cases
* For testing authentication mechanisms and session management
*/
async function generateAuthBypassTests() {
const synth = new agentic_synth_1.AgenticSynth({
temperature: 0.7,
maxRetries: 3
});
const authPrompt = `
Generate authentication bypass test cases for security assessment.
Include password attacks, session hijacking, JWT manipulation, OAuth flaws.
Each test should have: technique, payload, expected_detection, impact.
Generate 12 authentication security test cases.
`;
const tests = await synth.generate({
prompt: authPrompt,
schema: {
type: 'object',
properties: {
tests: {
type: 'array',
items: {
type: 'object',
properties: {
id: { type: 'string' },
technique: {
type: 'string',
enum: [
'default_credentials',
'weak_password',
'session_fixation',
'session_hijacking',
'jwt_manipulation',
'oauth_redirect',
'password_reset_flaw',
'brute_force',
'credential_stuffing'
]
},
description: { type: 'string' },
test_payload: { type: 'object' },
preconditions: { type: 'array', items: { type: 'string' } },
expected_detection: { type: 'string' },
should_be_prevented: { type: 'boolean' },
impact: {
type: 'string',
enum: ['critical', 'high', 'medium', 'low']
},
mitigation: { type: 'string' },
owasp_category: { type: 'string' }
},
required: ['id', 'technique', 'impact', 'mitigation']
}
}
},
required: ['tests']
}
});
return tests;
}
/**
* API Abuse and Rate Limiting Test Patterns
* For testing API security controls and abuse prevention
*/
async function generateAPIAbusePatterns() {
const synth = new agentic_synth_1.AgenticSynth({
temperature: 0.7,
maxRetries: 3
});
const apiPrompt = `
Generate API abuse test patterns for security validation.
Include rate limiting bypass, parameter tampering, mass assignment, BOLA/IDOR attacks.
Each pattern should have: attack_type, endpoints, request_pattern, rate_limit_status.
Generate 10 API security test patterns.
`;
const patterns = await synth.generate({
prompt: apiPrompt,
schema: {
type: 'object',
properties: {
patterns: {
type: 'array',
items: {
type: 'object',
properties: {
id: { type: 'string' },
attack_type: {
type: 'string',
enum: [
'rate_limit_bypass',
'parameter_pollution',
'mass_assignment',
'bola_idor',
'api_key_exposure',
'excessive_data_exposure',
'lack_of_resources_rate_limiting'
]
},
target_endpoints: { type: 'array', items: { type: 'string' } },
request_pattern: {
type: 'object',
properties: {
requests_per_second: { type: 'number' },
total_requests: { type: 'number' },
payload_variation: { type: 'string' },
headers: { type: 'object' }
}
},
expected_rate_limit: { type: 'boolean' },
expected_response_code: { type: 'number' },
severity: { type: 'string' },
mitigation: { type: 'string' }
},
required: ['id', 'attack_type', 'target_endpoints', 'severity']
}
}
},
required: ['patterns']
}
});
return patterns;
}
/**
* OWASP Top 10 Comprehensive Test Suite
* Covers all OWASP Top 10 vulnerability categories
*/
async function generateOWASPTop10Tests() {
const synth = new agentic_synth_1.AgenticSynth({
temperature: 0.7,
maxRetries: 3
});
const owaspPrompt = `
Generate comprehensive test cases for OWASP Top 10 vulnerabilities.
Include: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection,
A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable Components,
A07 Authentication Failures, A08 Data Integrity Failures, A09 Logging Failures,
A10 SSRF.
Each test should map to specific OWASP category with test vectors.
Generate 20 test cases covering all categories.
`;
const tests = await synth.generate({
prompt: owaspPrompt,
schema: {
type: 'object',
properties: {
owasp_tests: {
type: 'array',
items: {
type: 'object',
properties: {
id: { type: 'string' },
owasp_category: {
type: 'string',
enum: [
'A01_Broken_Access_Control',
'A02_Cryptographic_Failures',
'A03_Injection',
'A04_Insecure_Design',
'A05_Security_Misconfiguration',
'A06_Vulnerable_Components',
'A07_Authentication_Failures',
'A08_Data_Integrity_Failures',
'A09_Logging_Monitoring_Failures',
'A10_SSRF'
]
},
vulnerability_name: { type: 'string' },
test_description: { type: 'string' },
test_payload: { type: 'object' },
expected_secure_behavior: { type: 'string' },
vulnerable_behavior: { type: 'string' },
severity: { type: 'string' },
remediation: { type: 'string' },
cwe_id: { type: 'string' },
test_steps: { type: 'array', items: { type: 'string' } }
},
required: ['id', 'owasp_category', 'vulnerability_name', 'severity']
}
}
},
required: ['owasp_tests']
}
});
return tests;
}
/**
* Example Usage
*/
async function runVulnerabilityTests() {
console.log('⚠️ Running Authorized Security Tests Only ⚠️\n');
try {
// Generate SQL injection payloads
console.log('Generating SQL injection test payloads...');
const sqlPayloads = await generateSQLInjectionPayloads();
console.log(`Generated ${sqlPayloads.payloads?.length || 0} SQL injection tests\n`);
// Generate XSS vectors
console.log('Generating XSS test vectors...');
const xssVectors = await generateXSSVectors();
console.log(`Generated ${xssVectors.vectors?.length || 0} XSS test vectors\n`);
// Generate CSRF scenarios
console.log('Generating CSRF test scenarios...');
const csrfScenarios = await generateCSRFScenarios();
console.log(`Generated ${csrfScenarios.scenarios?.length || 0} CSRF scenarios\n`);
// Generate authentication bypass tests
console.log('Generating authentication bypass tests...');
const authTests = await generateAuthBypassTests();
console.log(`Generated ${authTests.tests?.length || 0} authentication tests\n`);
// Generate API abuse patterns
console.log('Generating API abuse patterns...');
const apiPatterns = await generateAPIAbusePatterns();
console.log(`Generated ${apiPatterns.patterns?.length || 0} API abuse patterns\n`);
// Generate OWASP Top 10 tests
console.log('Generating OWASP Top 10 tests...');
const owaspTests = await generateOWASPTop10Tests();
console.log(`Generated ${owaspTests.owasp_tests?.length || 0} OWASP tests\n`);
return {
sqlPayloads,
xssVectors,
csrfScenarios,
authTests,
apiPatterns,
owaspTests
};
}
catch (error) {
console.error('Error generating vulnerability tests:', error);
throw error;
}
}
// Export all generators
exports.default = {
generateSQLInjectionPayloads,
generateXSSVectors,
generateCSRFScenarios,
generateAuthBypassTests,
generateAPIAbusePatterns,
generateOWASPTop10Tests,
runVulnerabilityTests
};
//# sourceMappingURL=vulnerability-testing.js.map
Reference in New Issue View Git Blame Copy Permalink