mirror of
https://github.com/Vyntral/god-eye.git
synced 2026-07-11 14:16:34 +02:00
feat: v2.0 full rewrite — event-driven pipeline, AI + Nuclei + proxy
Complete architectural overhaul. Replaces the v0.1 monolithic scanner with an event-driven pipeline of auto-registered modules. Foundation (internal/): - eventbus: typed pub/sub, 20 event types, race-safe, drop counter - module: registry with phase-based selection - store: thread-safe host store with per-host locks + deep-copy reads - pipeline: coordinator with phase barriers + panic recovery - config: 5 scan profiles + 3 AI tiers + YAML loader + auto-discovery Modules (26 auto-registered across 6 phases): - Discovery: passive (26 sources), bruteforce, recursive, AXFR, GitHub dorks, CT streaming, permutation, reverse DNS, vhost, ASN, supply chain (npm + PyPI) - Enrichment: HTTP probe + tech fingerprint + TLS appliance ID, ports - Analysis: security checks, takeover (110+ sigs), cloud, JavaScript, GraphQL, JWT, headers (OWASP), HTTP smuggling, AI cascade, Nuclei - Reporting: TXT/JSON/CSV writer + AI scan brief AI layer (internal/ai/ + internal/modules/ai/): - Three profiles: lean (16 GB), balanced (32 GB MoE), heavy (64 GB) - Six event-driven handlers: CVE, JS file, HTTP response, secret filter, multi-agent vuln enrichment, anomaly + executive report - Content-hash cache dedups Ollama calls across hosts - Auto-pull of missing models via /api/pull with streaming progress - End-of-scan AI SCAN BRIEF in terminal with top chains + next actions Nuclei compat layer (internal/nucleitpl/): - Executes ~13k community templates (HTTP subset) - Auto-download of nuclei-templates ZIP to ~/.god-eye/nuclei-templates - Scope filter rejects off-host templates (eliminates OSINT FPs) Operations: - Interactive wizard (internal/wizard/) — zero-flag launch - LivePrinter (internal/tui/) — colorized event stream - Diff engine + scheduler (internal/diff, internal/scheduler) for continuous ASM monitoring with webhook alerts - Proxy support (internal/proxyconf/): http / https / socks5 / socks5h + basic auth Fixes #1 — native SOCKS5 / Tor compatibility via --proxy flag. 185 unit tests across 15 packages, all race-detector clean.
This commit is contained in:
@@ -0,0 +1,253 @@
|
||||
// Package headers performs a detailed inspection of HTTP response headers
|
||||
// and reports every missing or misconfigured security control. Unlike v1's
|
||||
// lightweight header check, this module flags each issue as an individual
|
||||
// VulnerabilityFound event with remediation guidance aligned to OWASP
|
||||
// Secure Headers Project.
|
||||
package headers
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"god-eye/internal/eventbus"
|
||||
gohttp "god-eye/internal/http"
|
||||
"god-eye/internal/module"
|
||||
"god-eye/internal/store"
|
||||
)
|
||||
|
||||
const ModuleName = "vuln.security-headers"
|
||||
|
||||
type hdrModule struct{}
|
||||
|
||||
func Register() { module.Register(&hdrModule{}) }
|
||||
|
||||
func (*hdrModule) Name() string { return ModuleName }
|
||||
func (*hdrModule) Phase() module.Phase { return module.PhaseAnalysis }
|
||||
func (*hdrModule) Consumes() []eventbus.EventType { return []eventbus.EventType{eventbus.EventHTTPProbed} }
|
||||
func (*hdrModule) Produces() []eventbus.EventType {
|
||||
return []eventbus.EventType{eventbus.EventVulnerability}
|
||||
}
|
||||
func (*hdrModule) DefaultEnabled() bool { return true }
|
||||
|
||||
func (*hdrModule) Run(mctx module.Context) error {
|
||||
timeout := mctx.Config.Int("timeout", 10)
|
||||
client := gohttp.GetSharedClient(timeout)
|
||||
|
||||
processed := make(map[string]struct{})
|
||||
var mu sync.Mutex
|
||||
shouldProcess := func(host string) bool {
|
||||
mu.Lock()
|
||||
defer mu.Unlock()
|
||||
if _, ok := processed[host]; ok {
|
||||
return false
|
||||
}
|
||||
processed[host] = struct{}{}
|
||||
return true
|
||||
}
|
||||
|
||||
var wg sync.WaitGroup
|
||||
|
||||
// Drain the store.
|
||||
for _, h := range mctx.Store.All(mctx.Ctx) {
|
||||
if h == nil || h.StatusCode == 0 {
|
||||
continue
|
||||
}
|
||||
if !shouldProcess(h.Subdomain) {
|
||||
continue
|
||||
}
|
||||
host := h.Subdomain
|
||||
wg.Add(1)
|
||||
go func() { defer wg.Done(); inspect(mctx, client, host) }()
|
||||
}
|
||||
|
||||
// Late events.
|
||||
sub := mctx.Bus.Subscribe(eventbus.EventHTTPProbed, func(_ context.Context, e eventbus.Event) {
|
||||
ev, ok := e.(eventbus.HTTPProbed)
|
||||
if !ok || ev.StatusCode == 0 {
|
||||
return
|
||||
}
|
||||
host := ev.Meta().Target
|
||||
if !shouldProcess(host) {
|
||||
return
|
||||
}
|
||||
wg.Add(1)
|
||||
go func() { defer wg.Done(); inspect(mctx, client, host) }()
|
||||
})
|
||||
defer sub.Unsubscribe()
|
||||
|
||||
select {
|
||||
case <-time.After(500 * time.Millisecond):
|
||||
case <-mctx.Ctx.Done():
|
||||
}
|
||||
|
||||
wg.Wait()
|
||||
return nil
|
||||
}
|
||||
|
||||
func inspect(mctx module.Context, client *http.Client, host string) {
|
||||
req, err := http.NewRequest("GET", "https://"+host, nil)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
req.Header.Set("User-Agent", "god-eye-v2")
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
issues := assess(resp.Header)
|
||||
if len(issues) == 0 {
|
||||
return
|
||||
}
|
||||
|
||||
_ = mctx.Store.Upsert(mctx.Ctx, host, func(h *store.Host) {
|
||||
now := time.Now()
|
||||
for _, iss := range issues {
|
||||
h.Vulnerabilities = append(h.Vulnerabilities, store.Vulnerability{
|
||||
ID: iss.id,
|
||||
Title: iss.title,
|
||||
Description: iss.desc,
|
||||
Severity: string(iss.sev),
|
||||
URL: "https://" + host,
|
||||
Remediation: iss.fix,
|
||||
OWASP: "A05:2021-Security Misconfiguration",
|
||||
FoundAt: now,
|
||||
})
|
||||
}
|
||||
})
|
||||
for _, iss := range issues {
|
||||
mctx.Bus.Publish(mctx.Ctx, eventbus.VulnerabilityFound{
|
||||
EventMeta: eventbus.EventMeta{At: time.Now(), Source: ModuleName, Target: host},
|
||||
ID: iss.id,
|
||||
Title: iss.title,
|
||||
Description: iss.desc,
|
||||
Severity: iss.sev,
|
||||
URL: "https://" + host,
|
||||
Remediation: iss.fix,
|
||||
OWASP: "A05:2021-Security Misconfiguration",
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
type issue struct {
|
||||
id, title, desc, fix string
|
||||
sev eventbus.Severity
|
||||
}
|
||||
|
||||
func assess(h http.Header) []issue {
|
||||
var out []issue
|
||||
hasHeader := func(k string) bool { return strings.TrimSpace(h.Get(k)) != "" }
|
||||
|
||||
if !hasHeader("Strict-Transport-Security") {
|
||||
out = append(out, issue{
|
||||
id: "hdr-missing-hsts",
|
||||
title: "Missing Strict-Transport-Security",
|
||||
desc: "HSTS is absent; clients may accept plaintext downgrades.",
|
||||
fix: "Add: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload",
|
||||
sev: eventbus.SeverityMedium,
|
||||
})
|
||||
} else if hsts := h.Get("Strict-Transport-Security"); !strings.Contains(strings.ToLower(hsts), "max-age=") ||
|
||||
!strings.Contains(strings.ToLower(hsts), "includesubdomains") {
|
||||
out = append(out, issue{
|
||||
id: "hdr-weak-hsts",
|
||||
title: "Weak HSTS policy",
|
||||
desc: "HSTS set but missing includeSubDomains and/or sufficient max-age.",
|
||||
fix: "Use: max-age=63072000; includeSubDomains; preload",
|
||||
sev: eventbus.SeverityLow,
|
||||
})
|
||||
}
|
||||
|
||||
if !hasHeader("Content-Security-Policy") {
|
||||
out = append(out, issue{
|
||||
id: "hdr-missing-csp",
|
||||
title: "Missing Content-Security-Policy",
|
||||
desc: "No CSP header; XSS mitigations rely solely on upstream filtering.",
|
||||
fix: "Deploy a nonce-based CSP restricting script-src, object-src 'none'.",
|
||||
sev: eventbus.SeverityMedium,
|
||||
})
|
||||
} else if strings.Contains(strings.ToLower(h.Get("Content-Security-Policy")), "unsafe-inline") {
|
||||
out = append(out, issue{
|
||||
id: "hdr-weak-csp",
|
||||
title: "Weak CSP (allows unsafe-inline)",
|
||||
desc: "CSP allows unsafe-inline, neutralizing most XSS protection.",
|
||||
fix: "Remove unsafe-inline; use nonces or hashes.",
|
||||
sev: eventbus.SeverityMedium,
|
||||
})
|
||||
}
|
||||
|
||||
if !hasHeader("X-Frame-Options") {
|
||||
// Only flag if CSP doesn't include frame-ancestors.
|
||||
csp := strings.ToLower(h.Get("Content-Security-Policy"))
|
||||
if !strings.Contains(csp, "frame-ancestors") {
|
||||
out = append(out, issue{
|
||||
id: "hdr-missing-clickjack",
|
||||
title: "Clickjacking not prevented",
|
||||
desc: "Neither X-Frame-Options nor CSP frame-ancestors is set.",
|
||||
fix: "Add: X-Frame-Options: DENY OR CSP with frame-ancestors 'none'.",
|
||||
sev: eventbus.SeverityLow,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
if !hasHeader("X-Content-Type-Options") {
|
||||
out = append(out, issue{
|
||||
id: "hdr-missing-nosniff",
|
||||
title: "Missing X-Content-Type-Options",
|
||||
desc: "MIME sniffing permitted; certain XSS escalations become easier.",
|
||||
fix: "Add: X-Content-Type-Options: nosniff",
|
||||
sev: eventbus.SeverityLow,
|
||||
})
|
||||
}
|
||||
|
||||
if !hasHeader("Referrer-Policy") {
|
||||
out = append(out, issue{
|
||||
id: "hdr-missing-referrer-policy",
|
||||
title: "Missing Referrer-Policy",
|
||||
desc: "Default browser Referrer-Policy leaks URLs to third parties.",
|
||||
fix: "Add: Referrer-Policy: strict-origin-when-cross-origin",
|
||||
sev: eventbus.SeverityLow,
|
||||
})
|
||||
}
|
||||
|
||||
if !hasHeader("Permissions-Policy") && !hasHeader("Feature-Policy") {
|
||||
out = append(out, issue{
|
||||
id: "hdr-missing-permissions-policy",
|
||||
title: "Missing Permissions-Policy",
|
||||
desc: "Browser features (camera, geolocation, USB, etc.) are unrestricted by default.",
|
||||
fix: "Add: Permissions-Policy: camera=(), microphone=(), geolocation=()",
|
||||
sev: eventbus.SeverityInfo,
|
||||
})
|
||||
}
|
||||
|
||||
// Dangerous information disclosure via default server banner.
|
||||
if srv := h.Get("Server"); looksLikeBanner(srv) {
|
||||
out = append(out, issue{
|
||||
id: "hdr-server-banner",
|
||||
title: "Server banner leaks version",
|
||||
desc: "Server header exposes exact software + version: " + srv,
|
||||
fix: "Strip or generalize via proxy/web-server config.",
|
||||
sev: eventbus.SeverityInfo,
|
||||
})
|
||||
}
|
||||
|
||||
return out
|
||||
}
|
||||
|
||||
func looksLikeBanner(s string) bool {
|
||||
s = strings.ToLower(s)
|
||||
return strings.Contains(s, "/") && (strings.Contains(s, ".") || anyDigit(s))
|
||||
}
|
||||
|
||||
func anyDigit(s string) bool {
|
||||
for _, r := range s {
|
||||
if r >= '0' && r <= '9' {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user