mirror of
https://github.com/Vyntral/god-eye.git
synced 2026-05-16 13:39:10 +02:00
Vyntral
3a4c230aa7
Complete architectural overhaul. Replaces the v0.1 monolithic scanner with an event-driven pipeline of auto-registered modules. Foundation (internal/): - eventbus: typed pub/sub, 20 event types, race-safe, drop counter - module: registry with phase-based selection - store: thread-safe host store with per-host locks + deep-copy reads - pipeline: coordinator with phase barriers + panic recovery - config: 5 scan profiles + 3 AI tiers + YAML loader + auto-discovery Modules (26 auto-registered across 6 phases): - Discovery: passive (26 sources), bruteforce, recursive, AXFR, GitHub dorks, CT streaming, permutation, reverse DNS, vhost, ASN, supply chain (npm + PyPI) - Enrichment: HTTP probe + tech fingerprint + TLS appliance ID, ports - Analysis: security checks, takeover (110+ sigs), cloud, JavaScript, GraphQL, JWT, headers (OWASP), HTTP smuggling, AI cascade, Nuclei - Reporting: TXT/JSON/CSV writer + AI scan brief AI layer (internal/ai/ + internal/modules/ai/): - Three profiles: lean (16 GB), balanced (32 GB MoE), heavy (64 GB) - Six event-driven handlers: CVE, JS file, HTTP response, secret filter, multi-agent vuln enrichment, anomaly + executive report - Content-hash cache dedups Ollama calls across hosts - Auto-pull of missing models via /api/pull with streaming progress - End-of-scan AI SCAN BRIEF in terminal with top chains + next actions Nuclei compat layer (internal/nucleitpl/): - Executes ~13k community templates (HTTP subset) - Auto-download of nuclei-templates ZIP to ~/.god-eye/nuclei-templates - Scope filter rejects off-host templates (eliminates OSINT FPs) Operations: - Interactive wizard (internal/wizard/) — zero-flag launch - LivePrinter (internal/tui/) — colorized event stream - Diff engine + scheduler (internal/diff, internal/scheduler) for continuous ASM monitoring with webhook alerts - Proxy support (internal/proxyconf/): http / https / socks5 / socks5h + basic auth Fixes #1 — native SOCKS5 / Tor compatibility via --proxy flag. 185 unit tests across 15 packages, all race-detector clean.
254 lines
7.2 KiB
Go
254 lines
7.2 KiB
Go
// Package headers performs a detailed inspection of HTTP response headers
|
|
// and reports every missing or misconfigured security control. Unlike v1's
|
|
// lightweight header check, this module flags each issue as an individual
|
|
// VulnerabilityFound event with remediation guidance aligned to OWASP
|
|
// Secure Headers Project.
|
|
package headers
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"god-eye/internal/eventbus"
|
|
gohttp "god-eye/internal/http"
|
|
"god-eye/internal/module"
|
|
"god-eye/internal/store"
|
|
)
|
|
|
|
const ModuleName = "vuln.security-headers"
|
|
|
|
type hdrModule struct{}
|
|
|
|
func Register() { module.Register(&hdrModule{}) }
|
|
|
|
func (*hdrModule) Name() string { return ModuleName }
|
|
func (*hdrModule) Phase() module.Phase { return module.PhaseAnalysis }
|
|
func (*hdrModule) Consumes() []eventbus.EventType { return []eventbus.EventType{eventbus.EventHTTPProbed} }
|
|
func (*hdrModule) Produces() []eventbus.EventType {
|
|
return []eventbus.EventType{eventbus.EventVulnerability}
|
|
}
|
|
func (*hdrModule) DefaultEnabled() bool { return true }
|
|
|
|
func (*hdrModule) Run(mctx module.Context) error {
|
|
timeout := mctx.Config.Int("timeout", 10)
|
|
client := gohttp.GetSharedClient(timeout)
|
|
|
|
processed := make(map[string]struct{})
|
|
var mu sync.Mutex
|
|
shouldProcess := func(host string) bool {
|
|
mu.Lock()
|
|
defer mu.Unlock()
|
|
if _, ok := processed[host]; ok {
|
|
return false
|
|
}
|
|
processed[host] = struct{}{}
|
|
return true
|
|
}
|
|
|
|
var wg sync.WaitGroup
|
|
|
|
// Drain the store.
|
|
for _, h := range mctx.Store.All(mctx.Ctx) {
|
|
if h == nil || h.StatusCode == 0 {
|
|
continue
|
|
}
|
|
if !shouldProcess(h.Subdomain) {
|
|
continue
|
|
}
|
|
host := h.Subdomain
|
|
wg.Add(1)
|
|
go func() { defer wg.Done(); inspect(mctx, client, host) }()
|
|
}
|
|
|
|
// Late events.
|
|
sub := mctx.Bus.Subscribe(eventbus.EventHTTPProbed, func(_ context.Context, e eventbus.Event) {
|
|
ev, ok := e.(eventbus.HTTPProbed)
|
|
if !ok || ev.StatusCode == 0 {
|
|
return
|
|
}
|
|
host := ev.Meta().Target
|
|
if !shouldProcess(host) {
|
|
return
|
|
}
|
|
wg.Add(1)
|
|
go func() { defer wg.Done(); inspect(mctx, client, host) }()
|
|
})
|
|
defer sub.Unsubscribe()
|
|
|
|
select {
|
|
case <-time.After(500 * time.Millisecond):
|
|
case <-mctx.Ctx.Done():
|
|
}
|
|
|
|
wg.Wait()
|
|
return nil
|
|
}
|
|
|
|
func inspect(mctx module.Context, client *http.Client, host string) {
|
|
req, err := http.NewRequest("GET", "https://"+host, nil)
|
|
if err != nil {
|
|
return
|
|
}
|
|
req.Header.Set("User-Agent", "god-eye-v2")
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
issues := assess(resp.Header)
|
|
if len(issues) == 0 {
|
|
return
|
|
}
|
|
|
|
_ = mctx.Store.Upsert(mctx.Ctx, host, func(h *store.Host) {
|
|
now := time.Now()
|
|
for _, iss := range issues {
|
|
h.Vulnerabilities = append(h.Vulnerabilities, store.Vulnerability{
|
|
ID: iss.id,
|
|
Title: iss.title,
|
|
Description: iss.desc,
|
|
Severity: string(iss.sev),
|
|
URL: "https://" + host,
|
|
Remediation: iss.fix,
|
|
OWASP: "A05:2021-Security Misconfiguration",
|
|
FoundAt: now,
|
|
})
|
|
}
|
|
})
|
|
for _, iss := range issues {
|
|
mctx.Bus.Publish(mctx.Ctx, eventbus.VulnerabilityFound{
|
|
EventMeta: eventbus.EventMeta{At: time.Now(), Source: ModuleName, Target: host},
|
|
ID: iss.id,
|
|
Title: iss.title,
|
|
Description: iss.desc,
|
|
Severity: iss.sev,
|
|
URL: "https://" + host,
|
|
Remediation: iss.fix,
|
|
OWASP: "A05:2021-Security Misconfiguration",
|
|
})
|
|
}
|
|
}
|
|
|
|
type issue struct {
|
|
id, title, desc, fix string
|
|
sev eventbus.Severity
|
|
}
|
|
|
|
func assess(h http.Header) []issue {
|
|
var out []issue
|
|
hasHeader := func(k string) bool { return strings.TrimSpace(h.Get(k)) != "" }
|
|
|
|
if !hasHeader("Strict-Transport-Security") {
|
|
out = append(out, issue{
|
|
id: "hdr-missing-hsts",
|
|
title: "Missing Strict-Transport-Security",
|
|
desc: "HSTS is absent; clients may accept plaintext downgrades.",
|
|
fix: "Add: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload",
|
|
sev: eventbus.SeverityMedium,
|
|
})
|
|
} else if hsts := h.Get("Strict-Transport-Security"); !strings.Contains(strings.ToLower(hsts), "max-age=") ||
|
|
!strings.Contains(strings.ToLower(hsts), "includesubdomains") {
|
|
out = append(out, issue{
|
|
id: "hdr-weak-hsts",
|
|
title: "Weak HSTS policy",
|
|
desc: "HSTS set but missing includeSubDomains and/or sufficient max-age.",
|
|
fix: "Use: max-age=63072000; includeSubDomains; preload",
|
|
sev: eventbus.SeverityLow,
|
|
})
|
|
}
|
|
|
|
if !hasHeader("Content-Security-Policy") {
|
|
out = append(out, issue{
|
|
id: "hdr-missing-csp",
|
|
title: "Missing Content-Security-Policy",
|
|
desc: "No CSP header; XSS mitigations rely solely on upstream filtering.",
|
|
fix: "Deploy a nonce-based CSP restricting script-src, object-src 'none'.",
|
|
sev: eventbus.SeverityMedium,
|
|
})
|
|
} else if strings.Contains(strings.ToLower(h.Get("Content-Security-Policy")), "unsafe-inline") {
|
|
out = append(out, issue{
|
|
id: "hdr-weak-csp",
|
|
title: "Weak CSP (allows unsafe-inline)",
|
|
desc: "CSP allows unsafe-inline, neutralizing most XSS protection.",
|
|
fix: "Remove unsafe-inline; use nonces or hashes.",
|
|
sev: eventbus.SeverityMedium,
|
|
})
|
|
}
|
|
|
|
if !hasHeader("X-Frame-Options") {
|
|
// Only flag if CSP doesn't include frame-ancestors.
|
|
csp := strings.ToLower(h.Get("Content-Security-Policy"))
|
|
if !strings.Contains(csp, "frame-ancestors") {
|
|
out = append(out, issue{
|
|
id: "hdr-missing-clickjack",
|
|
title: "Clickjacking not prevented",
|
|
desc: "Neither X-Frame-Options nor CSP frame-ancestors is set.",
|
|
fix: "Add: X-Frame-Options: DENY OR CSP with frame-ancestors 'none'.",
|
|
sev: eventbus.SeverityLow,
|
|
})
|
|
}
|
|
}
|
|
|
|
if !hasHeader("X-Content-Type-Options") {
|
|
out = append(out, issue{
|
|
id: "hdr-missing-nosniff",
|
|
title: "Missing X-Content-Type-Options",
|
|
desc: "MIME sniffing permitted; certain XSS escalations become easier.",
|
|
fix: "Add: X-Content-Type-Options: nosniff",
|
|
sev: eventbus.SeverityLow,
|
|
})
|
|
}
|
|
|
|
if !hasHeader("Referrer-Policy") {
|
|
out = append(out, issue{
|
|
id: "hdr-missing-referrer-policy",
|
|
title: "Missing Referrer-Policy",
|
|
desc: "Default browser Referrer-Policy leaks URLs to third parties.",
|
|
fix: "Add: Referrer-Policy: strict-origin-when-cross-origin",
|
|
sev: eventbus.SeverityLow,
|
|
})
|
|
}
|
|
|
|
if !hasHeader("Permissions-Policy") && !hasHeader("Feature-Policy") {
|
|
out = append(out, issue{
|
|
id: "hdr-missing-permissions-policy",
|
|
title: "Missing Permissions-Policy",
|
|
desc: "Browser features (camera, geolocation, USB, etc.) are unrestricted by default.",
|
|
fix: "Add: Permissions-Policy: camera=(), microphone=(), geolocation=()",
|
|
sev: eventbus.SeverityInfo,
|
|
})
|
|
}
|
|
|
|
// Dangerous information disclosure via default server banner.
|
|
if srv := h.Get("Server"); looksLikeBanner(srv) {
|
|
out = append(out, issue{
|
|
id: "hdr-server-banner",
|
|
title: "Server banner leaks version",
|
|
desc: "Server header exposes exact software + version: " + srv,
|
|
fix: "Strip or generalize via proxy/web-server config.",
|
|
sev: eventbus.SeverityInfo,
|
|
})
|
|
}
|
|
|
|
return out
|
|
}
|
|
|
|
func looksLikeBanner(s string) bool {
|
|
s = strings.ToLower(s)
|
|
return strings.Contains(s, "/") && (strings.Contains(s, ".") || anyDigit(s))
|
|
}
|
|
|
|
func anyDigit(s string) bool {
|
|
for _, r := range s {
|
|
if r >= '0' && r <= '9' {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|