feat: implement aditional sec tests

Author: Bulletdev

.pentest/front/check-content-security.sh

@@ -0,0 +1,181 @@
+#!/bin/bash
+# Content Security — Frontend (prostaff.gg)
+# Verifica disclosure de tecnologia, Referrer-Policy, cache em paginas
+# sensiveis, respostas de erro e headers desnecessarios
+
+TARGET="${1:-https://prostaff.gg}"
+
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+PASSED=0
+FAILED=0
+WARNED=0
+
+echo ""
+echo -e "${CYAN}Content Security Audit — Frontend${NC}"
+echo -e "${CYAN}Target: ${TARGET}${NC}"
+echo "========================================"
+echo ""
+
+test_pass() { echo -e "${GREEN}[PASS]${NC} $1"; PASSED=$((PASSED + 1)); }
+test_fail() { echo -e "${RED}[FAIL]${NC} $1"; FAILED=$((FAILED + 1)); }
+test_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; WARNED=$((WARNED + 1)); }
+
+HEADERS=$(curl -sI "${TARGET}" 2>/dev/null)
+
+echo "--- Disclosure de Tecnologia ---"
+
+# Server
+SERVER=$(echo "$HEADERS" | grep -i "^server:" | head -1 | tr -d '\r')
+if [ -z "$SERVER" ]; then
+  test_pass "Server header — ausente"
+elif echo "$SERVER" | grep -qiE "nginx/[0-9]|apache/[0-9]|node/[0-9]|next.js/[0-9]"; then
+  test_fail "Server header — revela versao: ${SERVER}"
+elif echo "$SERVER" | grep -qiE "nginx|apache|node"; then
+  test_warn "Server header — revela tecnologia: ${SERVER}"
+else
+  test_pass "Server header — generico: ${SERVER}"
+fi
+
+# X-Powered-By
+XPOWERED=$(echo "$HEADERS" | grep -i "^x-powered-by:" | head -1 | tr -d '\r')
+if [ -z "$XPOWERED" ]; then
+  test_pass "X-Powered-By — ausente"
+else
+  test_fail "X-Powered-By — presente: ${XPOWERED}"
+fi
+
+# Next.js version em header (algumas versoes expõem)
+NEXT_HEADER=$(echo "$HEADERS" | grep -i "^x-nextjs\|^x-next\b" | head -1 | tr -d '\r')
+if [ -n "$NEXT_HEADER" ]; then
+  test_warn "Next.js header detectado: ${NEXT_HEADER}"
+fi
+
+# Verifica se versao Next.js vaza no HTML
+HTML_SAMPLE=$(curl -sL "${TARGET}" --max-time 10 2>/dev/null | head -c 5000)
+NEXT_VERSION=$(echo "$HTML_SAMPLE" | grep -oP '"next":"[^"]+"' | head -1)
+if [ -n "$NEXT_VERSION" ]; then
+  test_warn "Versao Next.js no HTML: ${NEXT_VERSION} (considere remover)"
+fi
+
+echo ""
+echo "--- Referrer Policy ---"
+
+REFERRER=$(echo "$HEADERS" | grep -i "^referrer-policy:" | head -1 | tr -d '\r')
+if [ -z "$REFERRER" ]; then
+  test_fail "Referrer-Policy — ausente"
+elif echo "$REFERRER" | grep -qiE "no-referrer$|strict-origin$|strict-origin-when-cross-origin$"; then
+  test_pass "Referrer-Policy — seguro: ${REFERRER}"
+elif echo "$REFERRER" | grep -qiE "unsafe-url|no-referrer-when-downgrade$"; then
+  test_fail "Referrer-Policy — inseguro: ${REFERRER}"
+else
+  test_warn "Referrer-Policy — verifique: ${REFERRER}"
+fi
+
+echo ""
+echo "--- Cache-Control em Paginas Sensiveis ---"
+
+check_frontend_cache() {
+  local PATH_URL="$1"
+  local LABEL="$2"
+  local SHOULD_BE_PRIVATE="${3:-false}"
+
+  RESP=$(curl -sI "${TARGET}${PATH_URL}" --max-time 10 2>/dev/null)
+  CODE=$(echo "$RESP" | head -1 | grep -oP '[0-9]{3}' | head -1)
+  CACHE=$(echo "$RESP" | grep -i "^cache-control:" | head -1 | tr -d '\r')
+
+  if [ "$CODE" = "404" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then
+    echo "  ${LABEL} — HTTP ${CODE} (nao aplicavel)"
+    return
+  fi
+
+  if $SHOULD_BE_PRIVATE; then
+    if echo "$CACHE" | grep -qiE "no-store|private"; then
+      test_pass "${LABEL} — Cache-Control seguro: ${CACHE}"
+    elif [ -z "$CACHE" ]; then
+      test_warn "${LABEL} — Cache-Control ausente (pagina autenticada pode ser cacheada por proxy)"
+    else
+      test_warn "${LABEL} — Cache-Control: ${CACHE}"
+    fi
+  else
+    if echo "$CACHE" | grep -qi "no-store"; then
+      test_warn "${LABEL} — no-store em pagina publica (pode impactar performance)"
+    else
+      test_pass "${LABEL} — Cache-Control: ${CACHE:-padrao}"
+    fi
+  fi
+}
+
+check_frontend_cache "/"             "GET / (home)"              false
+check_frontend_cache "/dashboard"    "GET /dashboard"            true
+check_frontend_cache "/login"        "GET /login"                false
+check_frontend_cache "/profile"      "GET /profile"              true
+check_frontend_cache "/settings"     "GET /settings"             true
+
+echo ""
+echo "--- Respostas de Erro ---"
+
+# 404 nao deve revelar stack trace
+RESP_404=$(curl -sL "${TARGET}/pagina-que-nao-existe-xyz999" --max-time 10 2>/dev/null)
+if echo "$RESP_404" | grep -qiE "traceback|stack.trace|at Object\.|webpack|__NEXT_DATA__.*error"; then
+  test_fail "404 — pode revelar informacoes de debug"
+elif echo "$RESP_404" | grep -qiE "Next.js [0-9]|react [0-9]"; then
+  test_warn "404 — versao de framework exposta na pagina de erro"
+else
+  test_pass "404 — resposta sem disclosure"
+fi
+
+echo ""
+echo "--- Headers de Seguranca Extras ---"
+
+# Permissions-Policy
+PPOLICY=$(echo "$HEADERS" | grep -i "^permissions-policy:" | head -1 | tr -d '\r')
+if [ -z "$PPOLICY" ]; then
+  test_warn "Permissions-Policy — ausente"
+else
+  test_pass "Permissions-Policy — ${PPOLICY}"
+fi
+
+# Cross-Origin-Opener-Policy
+COOP=$(echo "$HEADERS" | grep -i "^cross-origin-opener-policy:" | head -1 | tr -d '\r')
+if [ -z "$COOP" ]; then
+  test_warn "Cross-Origin-Opener-Policy — ausente (protecao contra Spectre/side-channel)"
+elif echo "$COOP" | grep -qiE "same-origin|same-origin-allow-popups"; then
+  test_pass "COOP — ${COOP}"
+else
+  test_warn "COOP — verifique o valor: ${COOP}"
+fi
+
+# Cross-Origin-Resource-Policy
+CORP=$(echo "$HEADERS" | grep -i "^cross-origin-resource-policy:" | head -1 | tr -d '\r')
+if [ -z "$CORP" ]; then
+  test_warn "Cross-Origin-Resource-Policy — ausente"
+else
+  test_pass "CORP — ${CORP}"
+fi
+
+echo ""
+echo "--- Open Graph / Meta (disclosure em HTML) ---"
+
+# Verifica se ha info sensivel em meta tags
+META_CONTENT=$(echo "$HTML_SAMPLE" | grep -iP '<meta[^>]+(name|property)=[^>]+content=[^>]+>' | head -10)
+if echo "$META_CONTENT" | grep -qiE "version|build|commit|sha|hash|deploy"; then
+  test_warn "Meta tags podem expor info de build/deploy:"
+  echo "$META_CONTENT" | grep -iE "version|build|commit|sha|hash|deploy" | head -3 | while read -r m; do
+    echo "    ${YELLOW}>${NC} ${m:0:100}"
+  done
+else
+  test_pass "Meta tags — sem info de build/deploy detectada"
+fi
+
+echo ""
+echo "========================================"
+echo -e "Resultado: ${GREEN}${PASSED} PASS${NC} | ${RED}${FAILED} FAIL${NC} | ${YELLOW}${WARNED} WARN${NC}"
+echo ""
+
+[ "$FAILED" -gt 0 ] && exit 1
+exit 0

.pentest/front/check-cookies.sh

@@ -0,0 +1,150 @@
+#!/bin/bash
+# Cookie Security — Frontend (prostaff.gg)
+# Verifica flags de seguranca nos cookies do Next.js:
+# auth cookies, session, CSRF tokens
+
+TARGET="${1:-https://prostaff.gg}"
+
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+PASSED=0
+FAILED=0
+WARNED=0
+
+echo ""
+echo -e "${CYAN}Cookie Security Audit — Frontend${NC}"
+echo -e "${CYAN}Target: ${TARGET}${NC}"
+echo "========================================"
+echo ""
+
+test_pass() { echo -e "${GREEN}[PASS]${NC} $1"; PASSED=$((PASSED + 1)); }
+test_fail() { echo -e "${RED}[FAIL]${NC} $1"; FAILED=$((FAILED + 1)); }
+test_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; WARNED=$((WARNED + 1)); }
+
+check_cookie() {
+  local LABEL="$1"
+  local COOKIE_LINE="$2"
+
+  echo -e "\n  Cookie: ${YELLOW}${LABEL}${NC}"
+  echo "  Raw: $(echo "$COOKIE_LINE" | tr -d '\r')"
+
+  # Secure flag
+  if echo "$COOKIE_LINE" | grep -qi "; Secure\b"; then
+    test_pass "  Secure flag — presente"
+  else
+    test_fail "  Secure flag — ausente"
+  fi
+
+  # HttpOnly flag
+  if echo "$COOKIE_LINE" | grep -qi "; HttpOnly\b"; then
+    test_pass "  HttpOnly flag — inacessivel via JS"
+  else
+    test_fail "  HttpOnly flag — ausente (vulneravel a XSS)"
+  fi
+
+  # SameSite
+  if echo "$COOKIE_LINE" | grep -qi "SameSite=Strict"; then
+    test_pass "  SameSite=Strict"
+  elif echo "$COOKIE_LINE" | grep -qi "SameSite=Lax"; then
+    test_pass "  SameSite=Lax"
+  elif echo "$COOKIE_LINE" | grep -qi "SameSite=None"; then
+    if echo "$COOKIE_LINE" | grep -qi "; Secure"; then
+      test_warn "  SameSite=None + Secure (cookie cross-site intencional?)"
+    else
+      test_fail "  SameSite=None sem Secure — configuracao invalida"
+    fi
+  else
+    test_warn "  SameSite — ausente"
+  fi
+
+  # Path scope
+  COOKIE_PATH=$(echo "$COOKIE_LINE" | grep -oiP "Path=[^;]+")
+  if [ -n "$COOKIE_PATH" ]; then
+    test_pass "  ${COOKIE_PATH}"
+  else
+    test_warn "  Path — nao definido (padrao: /)"
+  fi
+
+  # Domain scope
+  DOMAIN_SCOPE=$(echo "$COOKIE_LINE" | grep -oiP "Domain=[^;]+")
+  if [ -n "$DOMAIN_SCOPE" ]; then
+    if echo "$DOMAIN_SCOPE" | grep -qP "Domain=\\."; then
+      test_warn "  ${DOMAIN_SCOPE} — prefixo ponto (vale para todos subdomains)"
+    else
+      test_pass "  ${DOMAIN_SCOPE}"
+    fi
+  fi
+
+  # Duracao
+  MAX_AGE=$(echo "$COOKIE_LINE" | grep -oiP "Max-Age=\K[0-9]+")
+  EXPIRES=$(echo "$COOKIE_LINE" | grep -oiP "Expires=[^;]+")
+  if [ -n "$MAX_AGE" ]; then
+    DAYS=$(( MAX_AGE / 86400 ))
+    if [ "$DAYS" -gt 30 ]; then
+      test_warn "  Max-Age=${MAX_AGE} (${DAYS} dias) — duracao longa, verifique se e necessario"
+    else
+      test_pass "  Max-Age=${MAX_AGE} (${DAYS} dias)"
+    fi
+  elif [ -n "$EXPIRES" ]; then
+    test_warn "  ${EXPIRES}"
+  else
+    test_pass "  Session cookie (expira ao fechar browser)"
+  fi
+}
+
+echo "--- Cookies em GET / ---"
+
+HOME_COOKIES=$(curl -sI "${TARGET}" 2>/dev/null | grep -i "^set-cookie:")
+
+if [ -z "$HOME_COOKIES" ]; then
+  echo "  Nenhum cookie em GET /"
+else
+  while IFS= read -r LINE; do
+    NAME=$(echo "$LINE" | grep -oP "set-cookie:\s*\K[^=]+" | head -1 | xargs)
+    check_cookie "$NAME" "$LINE"
+  done <<< "$HOME_COOKIES"
+fi
+
+echo ""
+echo "--- Cookies em paginas autenticadas ---"
+echo "  (simulando navegacao para detectar cookies de sessao)"
+
+FOLLOW_COOKIES=$(curl -sI -L "${TARGET}/dashboard" 2>/dev/null | grep -i "^set-cookie:")
+
+if [ -z "$FOLLOW_COOKIES" ]; then
+  echo "  Nenhum cookie adicional em /dashboard"
+else
+  while IFS= read -r LINE; do
+    NAME=$(echo "$LINE" | grep -oP "set-cookie:\s*\K[^=]+" | head -1 | xargs)
+    check_cookie "$NAME" "$LINE"
+  done <<< "$FOLLOW_COOKIES"
+fi
+
+echo ""
+echo "--- Verificacoes de Contexto ---"
+
+# Verifica se ha cookies de CSRF
+ALL_COOKIES=$(curl -sI "${TARGET}" 2>/dev/null | grep -i "^set-cookie:" | tr -d '\r')
+
+if echo "$ALL_COOKIES" | grep -qi "csrf\|xsrf\|_token"; then
+  test_pass "Token CSRF detectado nos cookies"
+else
+  test_warn "Token CSRF nao detectado — Next.js usa Server Actions? Verifique protecao CSRF"
+fi
+
+# Verifica se cookies de auth estao sendo expostos (nao devem ter valores visiveis em resposta publica)
+if echo "$ALL_COOKIES" | grep -qiE "access.token|refresh.token|jwt|authorization"; then
+  test_warn "Cookie com nome sugestivo de token de auth detectado — verifique se esta HttpOnly"
+fi
+
+echo ""
+echo "========================================"
+echo -e "Resultado: ${GREEN}${PASSED} PASS${NC} | ${RED}${FAILED} FAIL${NC} | ${YELLOW}${WARNED} WARN${NC}"
+echo ""
+
+[ "$FAILED" -gt 0 ] && exit 1
+exit 0