diff --git a/README.md b/README.md index 3f48745..38a7f9a 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,10 @@ # VulnAPI: An API Security Vulnerability Scanner -## Overview +VulnAPI is an open-source project designed to help you scan your APIs for common security vulnerabilities and weaknesses. -As APIs are becoming increasingly essential, they are also becoming prime targets for security breaches. To protect your APIs, it's vital to proactively identify and address security vulnerabilities. +By using this tool, you can detect that some API potential vulnerabilities and fix security issues. -VulnAPI is an open-source project designed to help you scan your APIs for common security vulnerabilities and weaknesses. By using this tool, you can detect that some API potential vulnerabilities and fix security issues. +![Demo](demo.gif) You can test the scanner against example [vulnerability challenges](https://github.com/cerberauth/api-vulns-challenges). @@ -76,7 +76,26 @@ The CLI provides detailed reports on any vulnerabilities detected during the sca Warning: Critical vulnerabilities detected! ``` -In this example, each line represents a detected vulnerability, including the timestamp, severity level (critical), vulnerability type (JWT Alg None), affected endpoint (http://localhost:8080/), and a description of the vulnerability (JWT accepts none algorithm and does not verify JWT). +In this example, each line represents a detected vulnerability, severity level (critical), vulnerability type, affected operation (GET http://localhost:8080/), and a description of the vulnerability. + +## Vulnerabilities Detected + +The scanner is capable of detecting the following vulnerabilities: +* JWT `none` algorithm accepted +* JWT not verified +* JWT weak secret used +* JWT null signature accepted + +The scanner also detects the following security best practices: +* CSP Header is not set +* HSTS Header is not set +* CORS Header is not set +* X-Content-Type-Options Header is not set +* X-Frame-Options Header is not set +* HTTP Trace Method enabled +* Server Signature exposed + +> More vulnerabilities and best practices will be added in future releases. If you have any suggestions or requests for additional vulnerabilities or best practices to be included, please feel free to open an issue or submit a pull request. ## Additional Options diff --git a/demo.cast b/demo.cast new file mode 100644 index 0000000..5d3d9bc --- /dev/null +++ b/demo.cast @@ -0,0 +1,85 @@ +{"version": 2, "width": 158, "height": 30, "timestamp": 1709146657, "env": {"SHELL": "/usr/bin/zsh", "TERM": "xterm-256color"}} +[0.668542, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r\u001b]2;manu@manu-pc:~\u0007\u001b]1;~\u0007"] +[0.680054, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[39m\u001b[0m\u001b[49m\u001b[40m\u001b[39m manu@manu-pc \u001b[44m\u001b[30m\u001b[30m ~ \u001b[49m\u001b[34m\u001b[39m \u001b[K"] +[0.680142, "o", "\u001b[?1h\u001b=\u001b[?2004h"] +[1.95861, "o", "c"] +[2.0363, "o", "\bcu"] +[2.148797, "o", "r"] +[2.228692, "o", "l"] +[2.284312, "o", " "] +[2.901584, "o", "http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[K"] +[5.08551, "o", "\u001b[?1l\u001b>"] +[5.085651, "o", "\u001b[?2004l\r\r\n"] +[5.086534, "o", "\u001b]2;curl http://localhost:8080 --verbose -H \u0007\u001b]1;curl\u0007"] +[5.095416, "o", "* Trying 127.0.0.1:8080...\r\n"] +[5.095499, "o", "* Connected to localhost (127.0.0.1) port 8080 (#0)\r\n"] +[5.095534, "o", "> GET / HTTP/1.1\r\r\n> Host: localhost:8080\r\r\n"] +[5.095562, "o", "> User-Agent: curl/7.81.0\r\r\n> Accept: */*\r\r\n> Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\r\r\n> \r\r\n"] +[5.095701, "o", "* Mark bundle as not supporting multiuse\r\n< HTTP/1.1 401 Unauthorized\r\r\n"] +[5.095732, "o", "< Date: Wed, 28 Feb 2024 18:57:42 GMT\r\r\n< Content-Length: 0\r\r\n< \r\r\n* Connection #0 to host localhost left intact\r\n"] +[5.096324, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r"] +[5.096391, "o", "\u001b]2;manu@manu-pc:~\u0007\u001b]1;~\u0007"] +[5.104763, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[39m\u001b[0m\u001b[49m\u001b[40m\u001b[39m manu@manu-pc \u001b[44m\u001b[30m\u001b[30m ~ \u001b[49m\u001b[34m\u001b[39m \u001b[K"] +[5.10484, "o", "\u001b[?1h\u001b="] +[5.104872, "o", "\u001b[?2004h"] +[8.676598, "o", "c"] +[8.756332, "o", "\bcl"] +[8.876111, "o", "e"] +[8.948342, "o", "a"] +[9.452901, "o", "r"] +[9.58024, "o", "\u001b[?1l\u001b>"] +[9.580381, "o", "\u001b[?2004l\r\r\n"] +[9.581128, "o", "\u001b]2;clear\u0007\u001b]1;clear\u0007"] +[9.583342, "o", "\u001b[H\u001b[2J\u001b[3J"] +[9.583449, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r"] +[9.583517, "o", "\u001b]2;manu@manu-pc:~\u0007\u001b]1;~\u0007"] +[9.593162, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[39m\u001b[0m\u001b[49m\u001b[40m\u001b[39m manu@manu-pc \u001b[44m\u001b[30m\u001b[30m ~ \u001b[49m\u001b[34m\u001b[39m \u001b[K"] +[9.59325, "o", "\u001b[?1h\u001b=\u001b[?2004h"] +[10.269055, "o", "c"] +[10.340703, "o", "\bcu"] +[10.436515, "o", "r"] +[10.516757, "o", "l"] +[10.604671, "o", " "] +[10.78935, "o", "http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[K"] +[11.214622, "o", "\u001b[3A\u001b[61D"] +[11.845302, "o", "vcurl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[11.916563, "o", "\bvucurl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[11.964255, "o", "lcurl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[12.108563, "o", "ncurl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[12.20467, "o", "acurl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[12.340804, "o", "pcurl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[12.388384, "o", "icurl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[12.46053, "o", " curl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[12.636834, "o", "scurl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[12.708436, "o", "\u001b[1Ccurl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[12.852842, "o", "acurl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[12.92443, "o", "ncurl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[12.988363, "o", " curl http://localhost:8080 --verbose -H \"Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhE\u001b[1B\rmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ\"\u001b[3A\u001b[61D"] +[14.189372, "o", "\u001b[?1l\u001b>"] +[14.189519, "o", "\u001b[?2004l\u001b[3B\r\r\n"] +[14.19031, "o", "\u001b]2;vulnapi scan curl http://localhost:8080 --verbose -H \u0007\u001b]1;vulnapi\u0007"] +[14.196247, "o", "\u001b[36m __ __ _ _ ____ ___\u001b[0m\r\n\u001b[36m \\ \\ / / _ _ | | _ __ / \\ | _ \\ |_ _|\u001b[0m\r\n\u001b[36m \\ \\ / / | | | | | | | '_ \\ / _ \\ | |_) | | |\u001b[0m\r\n\u001b[36m \\ V / | |_| | | | | | | | / ___ \\ | __/ | |\u001b[0m\r\n\u001b[36m \\_/ \\__,_| |_| |_| |_| /_/ \\_\\ |_| |___|\u001b[0m\r\n"] +[14.197764, "o", "+------------+--------------------------------+--------------------------------+\r\n|"] +[14.19782, "o", " RISK LEVEL | VULNERABILITY | DESCRIPTION |\r\n+------------+--------------------------------+--------------------------------+\r\n| \u001b[1;31mCritical\u001b[0m | \u001b[1;31mJWT None Algorithm\u001b[0m | \u001b[1;31mJWT with none algorithm is\u001b[0m |\r\n| | "] +[14.197853, "o", " | accepted allowing to bypass |\r\n| | | authentication. |"] +[14.197886, "o", "\r\n| \u001b[1;44mLow\u001b[0m | \u001b[1;44mCSP Header is not set\u001b[0m | \u001b[1;44mNo Content Security Policy\u001b[0m |\r\n| "] +[14.197913, "o", " | | (CSP) Header has been detected |\r\n| "] +[14.19794, "o", " | | in HTTP Response. |\r\n| \u001b[1;44mLow\u001b[0m |"] +[14.197971, "o", " \u001b[1;44mCORS Header is not set\u001b[0m | \u001b[1;44mNo CORS Header has been\u001b[0m |\r\n| | "] +[14.197995, "o", "| detected in HTTP Response. |\r\n| \u001b[1;44mLow\u001b[0m | "] +[14.198018, "o", "\u001b[1;44mHSTS Header is not set\u001b[0m | \u001b[1;44mNo HSTS Header has been\u001b[0m |\r\n| |"] +[14.198039, "o", " | detected in HTTP Response. |\r\n"] +[14.198061, "o", "| \u001b[1;44mLow\u001b[0m | \u001b[1;44mX-Content-Type-Options Header\u001b[0m | \u001b[1;44mNo X-Content-Type-Options\u001b[0m "] +[14.198093, "o", " |\r\n| | is not set | Header has been detected in |"] +[14.198117, "o", "\r\n| | | "] +[14.198139, "o", "HTTP Response. |\r\n| \u001b[1;44mLow\u001b[0m | \u001b[1;44mX-Frame-Options Header is not\u001b[0m "] +[14.198167, "o", " | \u001b[1;44mNo X-Frame-Options Header\u001b[0m |\r\n| | "] +[14.198185, "o", "set | has been detected in HTTP |\r\n| "] +[14.198208, "o", " | | Response. |"] +[14.198233, "o", "\r\n+------------+--------------------------------+--------------------------------+\r\n\u001b[31mWarning: Critical vulnerabilities detected!\u001b[0m\r\n"] +[14.199015, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r"] +[14.199086, "o", "\u001b]2;manu@manu-pc:~\u0007\u001b]1;~\u0007"] +[14.207592, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[39m\u001b[0m\u001b[49m\u001b[40m\u001b[39m manu@manu-pc \u001b[44m\u001b[30m\u001b[30m ~ \u001b[49m\u001b[34m\u001b[39m \u001b[K"] +[14.207646, "o", "\u001b[?1h\u001b="] +[14.207676, "o", "\u001b[?2004h"] +[16.276961, "o", "\u001b[?2004l\r\r\n"] diff --git a/demo.gif b/demo.gif new file mode 100644 index 0000000..da780c9 Binary files /dev/null and b/demo.gif differ