UNPKG

aimless-security

Version:

Enhanced Runtime Application Self-Protection (RASP) and API Fuzzing Engine with advanced threat detection, behavioral analysis, and intelligent response scoring for Node.js applications

github.com/CamozDevelopment/Aimless-Security

CamozDevelopment/Aimless-Security

298 lines (240 loc) โ€ข 9.07 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
/** * False Positive Prevention Tests * Ensures legitimate inputs don't trigger security alerts */ const { Aimless } = require('./dist/index.js'); let testsPassed = 0; let testsFailed = 0; function test(name, fn) { try { fn(); console.log(`โœ… ${name}`); testsPassed++; } catch (error) { console.error(`โŒ ${name}`); console.error(` Error: ${error.message}`); testsFailed++; } } console.log('๐Ÿงช Testing False Positive Prevention\n'); const aimless = new Aimless({ rasp: { blockMode: true, injectionProtection: true, xssProtection: true } }); // ============================================================================ // TEST 1: Legitimate Inputs Should NOT Trigger Alerts // ============================================================================ test('Email addresses should not trigger SQL injection', () => { const result = aimless.validate('user@example.com') .against(['sql']) .result(); if (!result.safe) { throw new Error(`False positive: ${JSON.stringify(result.threats)}`); } }); test('UUIDs should not trigger alerts', () => { const result = aimless.validate('123e4567-e89b-12d3-a456-426614174000') .against(['sql', 'xss', 'command']) .result(); if (!result.safe) { throw new Error(`False positive: ${JSON.stringify(result.threats)}`); } }); test('ISO dates should not trigger alerts', () => { const result = aimless.validate('2024-11-20T10:30:00.000Z') .against(['sql', 'xss', 'command']) .result(); if (!result.safe) { throw new Error(`False positive: ${JSON.stringify(result.threats)}`); } }); test('Normal usernames should not trigger alerts', () => { const result = aimless.validate('john_doe_123') .against(['sql', 'xss', 'command']) .result(); if (!result.safe) { throw new Error(`False positive: ${JSON.stringify(result.threats)}`); } }); test('Normal text should not trigger alerts', () => { const result = aimless.validate('This is a normal sentence with spaces.') .against(['sql', 'xss', 'command']) .result(); if (!result.safe) { throw new Error(`False positive: ${JSON.stringify(result.threats)}`); } }); test('Numbers should not trigger alerts', () => { const result1 = aimless.validate('12345').against(['sql']).result(); const result2 = aimless.validate('123.45').against(['sql']).result(); if (!result1.safe || !result2.safe) { throw new Error('False positive on numbers'); } }); test('Single safe words should not trigger alerts', () => { const safeWords = ['select', 'insert', 'update', 'delete', 'order', 'sort']; for (const word of safeWords) { const result = aimless.validate(word).against(['sql']).result(); if (!result.safe) { throw new Error(`False positive on word: ${word}`); } } }); test('Normal URLs should not trigger SSRF on URL inputs', () => { const result = aimless.validate('https://example.com/path/to/resource') .against(['xss']) // Don't check SSRF for URLs .result(); if (!result.safe) { throw new Error(`False positive: ${JSON.stringify(result.threats)}`); } }); test('File paths without traversal should be allowed', () => { const result = aimless.validate('/var/www/public/image.jpg') .against(['sql', 'xss']) .result(); if (!result.safe) { throw new Error(`False positive: ${JSON.stringify(result.threats)}`); } }); test('JSON data should not trigger NoSQL injection (single pattern match)', () => { const result = aimless.validate('{"name": "John"}') .against(['nosql']) .result(); // Single curly brace shouldn't trigger, need 2+ patterns if (!result.safe && result.threats[0].metadata.matchCount < 2) { throw new Error('False positive on normal JSON'); } }); // ============================================================================ // TEST 2: Actual Threats SHOULD Trigger Alerts // ============================================================================ test('SQL injection should be detected', () => { const result = aimless.validate("' OR '1'='1") .against(['sql']) .result(); if (result.safe) { throw new Error('Failed to detect SQL injection'); } }); test('XSS attacks should be detected', () => { const result = aimless.validate('<script>alert(1)</script>') .against(['xss']) .result(); if (result.safe) { throw new Error('Failed to detect XSS'); } }); test('Command injection should be detected', () => { const result = aimless.validate('test; rm -rf /') .against(['command']) .result(); if (result.safe) { throw new Error('Failed to detect command injection'); } }); test('Path traversal should be detected', () => { const result = aimless.validate('../../../../etc/passwd') .against(['path']) .result(); if (result.safe) { throw new Error('Failed to detect path traversal'); } }); test('NoSQL injection should be detected (multiple patterns)', () => { const result = aimless.validate('{"$ne": null}') .against(['nosql']) .result(); if (result.safe) { throw new Error('Failed to detect NoSQL injection'); } }); // ============================================================================ // TEST 3: Edge Cases // ============================================================================ test('Very short strings should not trigger (< 2 chars)', () => { const result = aimless.validate('a').against(['sql', 'xss']).result(); if (!result.safe) { throw new Error('False positive on very short string'); } }); test('Empty strings should not trigger', () => { const result = aimless.validate('').against(['sql', 'xss']).result(); if (!result.safe) { throw new Error('False positive on empty string'); } }); test('Whitespace-only should not trigger', () => { const result = aimless.validate(' ').against(['sql', 'xss']).result(); if (!result.safe) { throw new Error('False positive on whitespace'); } }); test('Null and undefined should not crash', () => { const result1 = aimless.validate(null).against(['sql']).result(); const result2 = aimless.validate(undefined).against(['sql']).result(); // Should be safe (no input to validate) if (!result1.safe || !result2.safe) { throw new Error('Null/undefined caused false positive'); } }); // ============================================================================ // TEST 4: Context-Aware Detection // ============================================================================ test('Email context should whitelist email patterns', () => { const rasp = aimless.rasp; const threats = rasp.detectInjections('user@example.com', 'email'); if (threats.length > 0) { throw new Error('Email context should whitelist valid emails'); } }); test('Username context should whitelist valid usernames', () => { const rasp = aimless.rasp; const threats = rasp.detectInjections('john_doe', 'username'); if (threats.length > 0) { throw new Error('Username context should whitelist valid usernames'); } }); // ============================================================================ // TEST 5: Confidence Scoring // ============================================================================ test('High confidence threats should have confidence > 50%', () => { const result = aimless.validate("' OR '1'='1 --") .against(['sql']) .result(); if (result.safe) { throw new Error('Should detect SQL injection'); } const confidence = result.threats[0].confidence; if (confidence < 50) { throw new Error(`Confidence too low: ${confidence}%`); } }); test('Single pattern match should have lower confidence', () => { // This would only match 1 pattern (the semicolon) const rasp = aimless.rasp; const threats = rasp.detectInjections('test;', 'unknown'); // Should not trigger (requires 2+ patterns or high confidence pattern) if (threats.length > 0) { throw new Error('Single semicolon should not trigger without other patterns'); } }); // ============================================================================ // RESULTS // ============================================================================ console.log('\n' + '='.repeat(50)); console.log(`โœ… Tests Passed: ${testsPassed}`); console.log(`โŒ Tests Failed: ${testsFailed}`); console.log('='.repeat(50)); if (testsFailed === 0) { console.log('\n๐ŸŽ‰ All false positive prevention tests passed!'); console.log('โœ… Legitimate inputs are NOT flagged'); console.log('โœ… Real threats ARE detected'); console.log('โœ… Confidence scoring works correctly'); process.exit(0); } else { console.log('\nโŒ Some tests failed!'); process.exit(1); }