feat: implement aditional test scenarios

Author: MichaelPlathanus

.gitignore

@@ -271,3 +271,4 @@ oldsemgrep-report.json
 .pentest/raw-headers-frontend.txt
 .pentest/raw-headers-api.txt
 /.reports
+/.pentest/snapshots

.pentest/README.md

@@ -0,0 +1,114 @@
+# ProStaff API - Pentest Lab
+
+Lab de testes de segurança para a API ProStaff. Adaptado do framework chorrocho.
+
+## Alvo
+
+- **API**: http://localhost:3333/api/v1
+- **WebSocket**: ws://localhost:3333/cable
+- **Stack**: Rails 7.1, PostgreSQL, Redis, JWT, Pundit, Rack::Attack, Meilisearch
+
+## Pre-requisitos
+
+API rodando localmente:
+
+```bash
+cd /home/bullet/PROJETOS/prostaff-api
+docker compose up -d
+docker exec prostaff-api-api-1 bundle exec rails runner scripts/create_test_user.rb
+```
+
+Credenciais de teste: `test@prostaff.gg` / `Test123!@#`
+
+## Instalacao das ferramentas
+
+```bash
+./tools/install.sh          # instala nuclei, pd-httpx, sqlmap, websocat
+./tools/install.sh check    # verifica status das ferramentas
+```
+
+## Scripts
+
+| Script | Vetor | Destrutivo |
+|--------|-------|-----------|
+| 01_health_recon.sh | Info disclosure nos endpoints de health | Nao |
+| 02_auth_fingerprint.sh | Fingerprint do sistema JWT + timing oracle | Nao |
+| 03_jwt_attacks.sh | alg:none, RS256→HS256, claims tampering, token replay | Nao |
+| 04_org_isolation.sh | IDOR + isolamento multi-tenant | Nao |
+| 05_rbac_probe.sh | Privilege escalation + Pundit bypass | Nao |
+| 06_rate_limit_probe.sh | Rack::Attack + bypass via X-Forwarded-For | Nao |
+| 07_param_fuzzing.sh | SQLi, XSS, SSTI, type confusion, oversized payloads | Nao |
+| 08_ssrf_probe.sh | SSRF via integracao Riot API | Nao |
+| 09_export_injection.sh | CSV/Formula injection nos exports | Sim (cria player) |
+| 10_websocket_probe.sh | Action Cable auth + IDOR de canal | Nao |
+| 11_search_injection.sh | Meilisearch operators + cross-org search | Nao |
+| 12_info_disclosure.sh | Rails routes expostos, headers, CORS, 500 stack traces | Nao |
+| 13_nuclei_scan.sh | Templates customizados + headers/auth/Rails exposures | Nao |
+| 14_httpx_recon.sh | Recon completo de paths e headers | Nao |
+| 15_full_audit.sh | Roda todos os scripts em sequencia | Opcional |
+
+## Uso rapido
+
+```bash
+# Todos os testes (sem os destrutivos)
+./scripts/15_full_audit.sh --skip-destructive
+
+# Todos os testes
+./scripts/15_full_audit.sh
+
+# Script individual
+./scripts/01_health_recon.sh
+./scripts/03_jwt_attacks.sh
+
+# Auditoria rapida (sem nuclei e search)
+./scripts/15_full_audit.sh --quick
+```
+
+## Ordem recomendada
+
+1. `01` → `02` (recon e auth - baseline)
+2. `03` → `04` → `05` (atacar auth e autorizacao)
+3. `06` → `07` (rate limits e fuzzing)
+4. `08` → `09` (integracao externa e exports)
+5. `10` → `11` (WebSocket e search)
+6. `12` → `13` → `14` (info disclosure e scan automatizado)
+
+## Vetores principais (Rails/JWT)
+
+### Autenticacao
+- JWT alg:none bypass
+- Modificacao de claims (role, org_id)
+- Timing oracle para enumeracao de usuarios
+- Token replay apos logout
+
+### Autorizacao
+- Multi-tenant IDOR (organization_id scope)
+- Pundit policy bypass por role
+- Mass assignment via campos extras no body
+- HTTP method override (X-HTTP-Method-Override)
+
+### Infraestrutura
+- Rack::Attack bypass por header spoofing
+- Rails info routes exposto em dev
+- CORS wildcard em API autenticada
+- Stack trace em respostas de erro
+
+### Integracao
+- SSRF via sync Riot API (region parameter)
+- CSV formula injection em exports
+- Meilisearch cross-org data leakage
+
+## Resultados
+
+Salvos em `snapshots/` com timestamp. Nunca commitar - adicione ao .gitignore.
+
+## Diferenca do chorrocho
+
+| Chorrocho | ProStaff |
+|-----------|----------|
+| HTTP POST JSON simples | REST completo com rotas aninhadas |
+| Google Apps Script backend | Rails 7.1 + PostgreSQL |
+| Cloudflare Turnstile (bot protection) | JWT Bearer token |
+| Sem usuarios/roles | JWT com roles + multi-tenant |
+| Google Sheets (nao SQL) | PostgreSQL (SQL real) |
+| Cloudflare Workers (sem state) | Rails stateful + Redis |

.pentest/scripts/01_health_recon.sh

@@ -0,0 +1,245 @@
+#!/usr/bin/env bash
+# =============================================================================
+# 01_health_recon.sh - Health endpoint reconnaissance
+#
+# Purpose: Probe all health/status endpoints and document what internal system
+#          information is exposed (DB URLs, Redis addresses, service names,
+#          version strings, environment names, etc.)
+#
+# Usage:
+#   bash 01_health_recon.sh
+#   bash 01_health_recon.sh 2>&1 | tee custom_output.txt
+#
+# Output: ../snapshots/health_recon_TIMESTAMP.txt
+# =============================================================================
+
+set -euo pipefail
+
+# ---------------------------------------------------------------------------
+# Configuration
+# ---------------------------------------------------------------------------
+BASE_URL="http://localhost:3333"
+API="http://localhost:3333/api/v1"
+TIMESTAMP="$(date +%Y%m%d_%H%M%S)"
+SNAPSHOT_DIR="$(cd "$(dirname "$0")/../snapshots" 2>/dev/null && pwd || echo "/home/bullet/PROJETOS/prostaff-api/.pentest/snapshots")"
+OUTPUT_FILE="${SNAPSHOT_DIR}/health_recon_${TIMESTAMP}.txt"
+
+# ---------------------------------------------------------------------------
+# Color helpers (stdout only; file output is plain)
+# ---------------------------------------------------------------------------
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+BOLD='\033[1m'
+RESET='\033[0m'
+
+ok()      { echo -e "${GREEN}[OK]${RESET} $*"; }
+finding() { echo -e "${RED}[!!]${RESET} $*"; }
+info()    { echo -e "${CYAN}[*]${RESET} $*"; }
+header()  { echo -e "\n${BOLD}${CYAN}=== $* ===${RESET}\n"; }
+
+# ---------------------------------------------------------------------------
+# Logging: write to both stdout and file (file gets plain text)
+# ---------------------------------------------------------------------------
+mkdir -p "${SNAPSHOT_DIR}"
+exec > >(tee -a "${OUTPUT_FILE}") 2>&1
+
+log_separator() {
+  echo "--------------------------------------------------------------------------------"
+}
+
+# ---------------------------------------------------------------------------
+# Probe a single endpoint and record everything
+# ---------------------------------------------------------------------------
+probe_endpoint() {
+  local label="$1"
+  local url="$2"
+  local method="${3:-GET}"
+
+  echo ""
+  log_separator
+  echo "ENDPOINT : ${label}"
+  echo "URL      : ${url}"
+  echo "METHOD   : ${method}"
+  echo "TIME     : $(date --iso-8601=seconds)"
+  log_separator
+
+  # Run curl, capture status + time + headers + body
+  local tmp_headers
+  tmp_headers="$(mktemp)"
+  local tmp_body
+  tmp_body="$(mktemp)"
+
+  local http_code
+  local total_time
+
+  http_code=$(curl -s -o "${tmp_body}" \
+    -D "${tmp_headers}" \
+    -w "%{http_code}" \
+    --max-time 10 \
+    -X "${method}" \
+    "${url}" 2>/dev/null) || http_code="CURL_ERROR"
+
+  total_time=$(curl -s -o /dev/null \
+    -w "%{time_total}" \
+    --max-time 10 \
+    -X "${method}" \
+    "${url}" 2>/dev/null) || total_time="N/A"
+
+  echo "HTTP STATUS  : ${http_code}"
+  echo "RESPONSE TIME: ${total_time}s"
+  echo ""
+
+  echo "--- Response Headers ---"
+  cat "${tmp_headers}" 2>/dev/null || echo "(no headers captured)"
+  echo ""
+
+  echo "--- Response Body ---"
+  local body
+  body="$(cat "${tmp_body}" 2>/dev/null || echo '(empty)')"
+  if [ -z "${body}" ]; then
+    echo "(empty body)"
+  else
+    # Pretty-print if JSON, otherwise raw
+    echo "${body}" | python3 -m json.tool 2>/dev/null || echo "${body}"
+  fi
+  echo ""
+
+  # -------------------------------------------------------------------------
+  # Findings analysis - look for sensitive data patterns
+  # -------------------------------------------------------------------------
+  echo "--- Findings Analysis ---"
+
+  local found_anything=0
+
+  # DB connection strings
+  if echo "${body}" | grep -qiE '(postgres|mysql|mongodb|database_url|db_host|db_url|jdbc:)'; then
+    finding "Possible database connection info in response body"
+    found_anything=1
+  fi
+
+  # Redis
+  if echo "${body}" | grep -qiE '(redis://|redis_url|redis_host|:6379|:6380)'; then
+    finding "Redis connection info leaked in response body"
+    found_anything=1
+  fi
+
+  # Internal hostnames / IPs
+  if echo "${body}" | grep -qE '(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|localhost)'; then
+    finding "Internal IP or localhost reference in response body"
+    found_anything=1
+  fi
+
+  # Service version strings
+  if echo "${body}" | grep -qiE '(version|ruby|rails|rack|puma|unicorn|nginx|apache)'; then
+    finding "Version or server technology disclosed in response body"
+    found_anything=1
+  fi
+
+  # Environment name
+  if echo "${body}" | grep -qiE '(environment|env.*:.*production|env.*:.*staging|env.*:.*development|RAILS_ENV)'; then
+    finding "Environment name disclosed in response body"
+    found_anything=1
+  fi
+
+  # API keys / secrets (partial)
+  if echo "${body}" | grep -qiE '(api_key|secret|token|password|credential)'; then
+    finding "Possible credential/key reference in response body"
+    found_anything=1
+  fi
+
+  # Stack traces
+  if echo "${body}" | grep -qiE '(\.rb:|ActiveRecord|ActionController|app/|backtrace|stack trace|Traceback)'; then
+    finding "Stack trace or Ruby internal path in response body"
+    found_anything=1
+  fi
+
+  # Server header disclosure
+  local server_header
+  server_header=$(grep -i '^server:' "${tmp_headers}" 2>/dev/null | head -1 || true)
+  if [ -n "${server_header}" ]; then
+    finding "Server header disclosed: ${server_header}"
+    found_anything=1
+  fi
+
+  # X-Powered-By
+  local powered_by
+  powered_by=$(grep -i '^x-powered-by:' "${tmp_headers}" 2>/dev/null | head -1 || true)
+  if [ -n "${powered_by}" ]; then
+    finding "X-Powered-By header disclosed: ${powered_by}"
+    found_anything=1
+  fi
+
+  # Meilisearch
+  if echo "${body}" | grep -qiE '(meilisearch|meili)'; then
+    finding "Meilisearch service reference in response body"
+    found_anything=1
+  fi
+
+  # Supabase
+  if echo "${body}" | grep -qiE '(supabase|\.supabase\.co)'; then
+    finding "Supabase reference in response body"
+    found_anything=1
+  fi
+
+  if [ "${found_anything}" -eq 0 ]; then
+    ok "No obvious sensitive data detected in response"
+  fi
+
+  # Check security headers
+  echo ""
+  echo "--- Security Headers Check ---"
+  local sec_headers=("X-Frame-Options" "X-Content-Type-Options" "Content-Security-Policy" "Strict-Transport-Security" "X-XSS-Protection")
+  for hdr in "${sec_headers[@]}"; do
+    local val
+    val=$(grep -i "^${hdr}:" "${tmp_headers}" 2>/dev/null | head -1 || true)
+    if [ -n "${val}" ]; then
+      ok "Present: ${val}"
+    else
+      info "Missing: ${hdr}"
+    fi
+  done
+
+  rm -f "${tmp_headers}" "${tmp_body}"
+}
+
+# ===========================================================================
+# MAIN
+# ===========================================================================
+header "HEALTH ENDPOINT RECONNAISSANCE"
+echo "Target    : ${BASE_URL}"
+echo "Started   : $(date --iso-8601=seconds)"
+echo "Output    : ${OUTPUT_FILE}"
+
+info "Probing health and status endpoints..."
+
+# Probe all candidate endpoints
+probe_endpoint "Root health (Rails default)" "${BASE_URL}/up"
+probe_endpoint "Generic /health"             "${BASE_URL}/health"
+probe_endpoint "Liveness probe"              "${BASE_URL}/health/live"
+probe_endpoint "Readiness probe"             "${BASE_URL}/health/ready"
+probe_endpoint "Detailed health"             "${BASE_URL}/health/detailed"
+probe_endpoint "API v1 status"               "${API}/status"
+probe_endpoint "API root"                    "${API}"
+
+# Also check for common info-disclosure paths
+probe_endpoint "Rails info (should be blocked in prod)" "${BASE_URL}/rails/info"
+probe_endpoint "Rails info properties"                  "${BASE_URL}/rails/info/properties"
+probe_endpoint "Sidekiq web UI"                         "${BASE_URL}/sidekiq"
+probe_endpoint "Cable endpoint"                         "${BASE_URL}/cable"
+
+echo ""
+log_separator
+header "RECONNAISSANCE SUMMARY"
+echo "Completed : $(date --iso-8601=seconds)"
+echo "Results saved to: ${OUTPUT_FILE}"
+echo ""
+echo "Review the [!!] findings above for sensitive disclosures."
+echo "Key questions to answer from this output:"
+echo "  1. Does /up or /health/detailed reveal DB, Redis, or service URLs?"
+echo "  2. Are Server/X-Powered-By headers disclosing tech stack?"
+echo "  3. Does /rails/info/properties return data (should 404 in prod)?"
+echo "  4. Is the Sidekiq dashboard accessible without auth?"
+echo "  5. Do any endpoints return stack traces or internal paths?"
+log_separator