Skip to content

v0.2.0 - From Beta to Stable

Choose a tag to compare

@j3ssie j3ssie released this 05 Jul 06:41

v0.2.0 - From Beta to Stable, with 29 New Detectors

The first stable (non-beta) release. This message summarizes everything landed since v0.1.43-beta: a major detection-coverage expansion (six new module families), deeper discovery and data-portability tooling, and a broad false-positive-hardening and severity-calibration sweep across the existing detectors.

Cumulative range: v0.1.44-beta -> v0.1.45-beta -> v0.1.46-beta -> v0.1.47-beta -> v0.2.0.

Highlights

  • Six new module families: GraphQL security testing, Adobe Experience Manager (AEM), SaaS data-exposure (Salesforce / ServiceNow / Power Pages), Internet Information Services (IIS), an enlarged Model Context Protocol (MCP) suite, plus standalone dependency-confusion and JavaScript-beautification passives.
  • 29 new registered modules (22 active + 7 passive), bringing the registry to 193 active + 109 passive. Every new active family is tech-gated, fail-closed, and multi-round-confirmed to keep the false-positive floor low.
  • Version dropped its -beta prerelease label and jumped to a minor release, reflecting the size of the coverage expansion.

New Module Families and Detection Coverage

  • GraphQL security scanning (OWASP WSTG) — the graphql_scan module gains a full phase suite backed by a new pkg/graphqlx library: operation-name expansion, introspection/console exposure, query batching, field-level authorization (IDOR), reflected-XSS-in-errors, boolean-based SQL injection, and denial-of-service (deeply-nested / aliased / circular queries). Every phase runs only against an endpoint confirmed to speak GraphQL (a { __typename } probe returning a spec-shaped envelope) and confirms findings across multiple rounds.
  • Adobe Experience Manager (AEM) — 11 active + 1 passive aem_* modules over a shared, fail-closed infra/aem gate (ConfirmAEM): dispatcher-bypass (differential), sensitive-servlet and console exposure, QueryBuilder content discovery (surfacing rep:password as Critical), default credentials, CloudSettings injection, reflected XSS (headless-confirmed), SSRF, out-of-band injection, XXE (CVE-2019-8086 entity-expansion proof), and RCE, alongside a passive aem-fingerprint. Detection-only; every active probe is gated to a genuine AEM instance.
  • SaaS data-exposure (Salesforce / ServiceNow / Power Pages) — 7 active + 3 passive modules over a shared infra/saasprobe gate: Salesforce Aura object/record exposure (getConfigData / getItems), Salesforce Aura guest Apex execution (ApexActionController.execute), Salesforce Lightning debug-mode exposure (PRODDEBUG/DEV/JSTESTDEBUG), ServiceNow widget and KB-article data exposure (g_ck + cookie, treating a 401 as not a finding), and Power Pages Dataverse /_api exposure, each paired with a per-vendor passive fingerprint. Every active probe gates on a live Aura gateway, pairs a catch-all negative control with the positive, and confirms across multiple independent rounds.
  • IISiis-shortname-discovery gains true 8.3 short-name resolution (a Go port of the gen8dot3/checksum technique that feeds deparos content-discovery with embedded wordlists), joined by two new active modules: iis-cookieless-source-disclosure and iis-extension-confusion-bypass (::$DATA / trailing-dot). All IIS/ASPX-gated and multi-round-confirmed.
  • MCP suite expansion — two new active modules (mcp-tool-definition-drift, mcp-dos-amplification) and a new passive mcp-dangerous-tool-exposure extend the Model Context Protocol family audited against OWASP.
  • dependency-confusion passive — extracts scoped npm import specifiers from first-party JS responses only and flags any package left unclaimed (404) on registry.npmjs.org. Suspect/Tentative severity, batched registry lookup via a flusher, with over-query guards (public-scope skiplist + statement-boundary regex) and fail-closed handling of any indeterminate lookup.
  • js-beautify passive — unminifies and unpacks minified or bundled first-party scripts (React/Next/Vue SPA output) into readable source via the embedded jsscan tool over webcrack (static unpacking, no eval-based deobfuscation). Runs as a bounded bun subprocess (capped at GOMAXPROCS-2, max 4). For JS responses the stored record body is rewritten in place with the beautified document and tagged js-beautified, so linkfinder, observed-word harvesting, and manual review all read clean source; inline <script> code in HTML is beautified into finding evidence only. A cheap Go-side pre-gate avoids spawning a subprocess for tiny or already-readable scripts, results are deduped per host+path, and known third-party assets are skipped unless the scan is targeting that vendor. Informational severity; cleanly no-ops when the embedded binary is unavailable.

Added

  • Spider response-aware form filling (v0.1.47-beta) — the crawler derives form values from the target and the response instead of always using fixed placeholders: it recalls a value entered earlier in the same crawl (so a registered identity is reused at login), falls back to target-derived values, then to an on-page example, then to smart/fixed defaults. Passwords are never taken from the page. Default-on and non-destructive.
  • Common-credential login spray on confirmed login forms (v0.1.47-beta) — at balanced intensity the spider tries a minimal list (admin:admin, admin:123456) and at deep the full documented short list (never a wordlist), but only after confirming a genuine local login form and that a bogus control pair is rejected first. On success the session cookies persist and the crawl continues authenticated. Off at quick/lite.
  • vigolium import merges vigolium SQLite databases (v0.1.47-beta) — import accepts another vigolium result database as its source (auto-detected by SQLite magic header) and folds it into the destination --db. A lossless, idempotent SQLite->SQLite merge of HTTP records, findings, scans, agentic scans, and OAST interactions, deduped on natural keys, each row keeping its original project_uuid. The natural companion to scan -S --format sqlite.
  • agent audit --output-dir <dir> (v0.1.47-beta, stateless-only) — bundles a -S run's HTML report and a copy of each driver's raw vigolium-results/ tree into one folder.
  • vigolium server --passive-only (v0.1.47-beta) — with -S/--scan-on-receive, restricts scanning to passive modules only (no active scan traffic; secret detection still runs) on every ingested request.
  • vigolium replay bulk mode (v0.1.46-beta) — passing --all (or any of --host/--method/--status/--path/--source/--search/--body) replays every matching stored record instead of a single source. Any --mutate is applied per record; without one, records are re-sent verbatim. Results stream as JSONL, throttled with -c/--concurrency and capped with -n/--limit.
  • replay -S/--stateless --db <file> (v0.1.46-beta) — replay can read baselines from a standalone .sqlite or .jsonl export with project scoping off, matching the read semantics of traffic/finding.
  • Secret findings labelled by credential family (v0.1.45-beta) — secret-detect tags each finding with a short classification (JWT, Google API key, reCAPTCHA site key, Google OAuth client ID, or the Kingfisher rule name), rendered as a leading [JWT] bracket and carried in the jsonl/DB meta.pattern field.

Changed

  • Version dropped its -beta label and jumped to a minor release (v0.2.0) — v0.2.0 is the first stable release.
  • MCP false-positive hardening (v0.2.0) across the existing family — method-enum negative control, batch singleton baseline, session-fixation gate, origin locality, server-probe isError/skip handling, and resource-fuzz OAST/metadata checks, plus expanded mcp-description-injection coverage.
  • Example blocks refreshed (v0.1.47-beta) — replay, update, agent triage, and extensions example carry inline --help examples; the import examples document the new SQLite-merge source.
  • replay no longer prints the banner (v0.1.46-beta) — added to the banner-suppression list alongside scan/run/traffic, keeping JSONL output clean for piping.
  • traffic --replay examples refreshed (v0.1.46-beta) — document stateless-export replay, method/host filtering, and --all --with-browser.

Fixed (False-Positive Hardening and Severity Calibration)

  • Markup-reflection oracles ignore JSON/XML-echoed payloads (v0.1.45-beta) — a new modkit.IsNonHTMLReflectionContext treats an HTML/template marker echoed inside a non-HTML response (the canonical FastAPI/Pydantic 422 application/json validation-error echo) as a data value, not rendered markup. Applied to csti-detection, pdf-generation-injection, and ws-injection; evaluated-result oracles left alone.
  • Error-signature detectors bound their match span (v0.1.45-beta) — a loosely-anchored X.*?Y pattern could bridge two coincidental words across a large body (Oracle.*?Driver spanning 60 KB of a Salesforce Aura shell). The shared modkit.MatchWithinSpan / MaxErrorSignatureSpan (512 B) gate requires a compact span. Applied to sqli-error-based, insecure-deserialization, and siblings.
  • IDOR detectors no longer flag bare sequential integers (v0.1.45-beta) — authzutil.ClassifyParam drops the value signal for a plain sequential integer lacking both an identifier-shaped name and a resource-noun path context, so telemetry/pagination/status params (page_number=5, responseStatus=200) stop being misreported. Wired into idor-guid and idor-params-detect.
  • Passive server-side detectors skip client build bundles (v0.1.45-beta) — jsframework.IsClientBuildArtifact skips immutable framework output (/_next/static/, /_nuxt/), so a shared vendor chunk no longer yields one false positive per host. Applied across the Next.js/Nuxt/server-action detectors and cache-data-leak.
  • Differential detectors confirm against non-determinism (v0.1.45-beta) — http-method-tampering and race-interference add determinism controls so a per-request token/nonce or SSR variance between legs isn't mistaken for a method-override or race divergence.
  • Discovery extension-fuzz gating (v0.1.45-beta) — deparos trusts a start URL's .aspx/.php/.jsp suffix as a stack signal only when the URL was actually served as that extension (2xx/401/403, not a 3xx/404/5xx recon seed), plus a per-extension catch-all guard so an SPA/CDN that 200s any path isn't fingerprinted into a wrong-stack wordlist fuzz.
  • Lower-signal passive findings recalibrated (v0.1.45-beta) — oauth-facebook-detect and graphql-introspection-detect -> Info; serialized-object-detect, jackson-deserialize-detect, sensitive-api-fields-detect, api-pagination-leak, auth-headers-detect -> Low; jwt-claims-detect now grades per-issue (hygiene -> Low, alg=none -> High); postmessage-handler-detect, javascript-uri-sink, openredirect-params, input-reflection-detect, and unsafe-html-sink gained value-shape/context gates.
  • Path-probe exposure modules ignore their own reflected slug (v0.1.44-beta) — a marker that is just the probe's last path segment (filament for /filament, redoc, healthchecks-ui) self-matched when a content/SEO route echoed the requested slug. A new slug-reflection control probes a nonexistent sibling carrying a canary and drops the finding only when the route reflects it into a 200. Applied to laravel-admin-exposure, swagger-exposure, and aspnet-health-exposure.
  • struts-ognl-injection confirms the addHeader variant via a real response header (v0.1.44-beta) — detection now keys on X-Struts-Test being a genuinely parsed response header, and confirmation re-injects a fresh random marker and requires it back as a real header each round, closing a forged-marker FP where a gateway echoes the injected Content-Type into the error body.
  • Injection detectors strip the reflected payload before matching (v0.1.44-beta) — a new modkit.StripReflected removes the injected payload from the response before signature matching, so an endpoint that merely rejects and quotes the input back can't self-trigger. Fixes insecure-deserialization and xxe-generic; nosqli-error-based uses the shared helper, and the struts-ognl-injection arithmetic variant strips as defense in depth.
  • secret-detect downgrades documentation-page demo credentials (v0.1.44-beta) — a secret-shaped string served as rendered page content from a docs/reference/manual/CLI/tutorial route (Supabase demo JWTs, local-dev postgresql://postgres:postgres@... URLs, placeholder connection strings) drops to Low/Tentative. Gated on both the route and an HTML/RSC content type; a validated live secret always outranks this to Critical.

Internal

  • New shared libraries: pkg/graphqlx (GraphQL detection, introspection, schema, operation building) and the infra/aem / infra/saasprobe gate packages backing the AEM and SaaS families. (v0.2.0)
  • Tech-fingerprint tags added for the new gating (aem/adobe, salesforce/lightning/aura, servicenow, powerpages/dataverse) in tech_tags.go, published by the respective *_fingerprint passives. The jsscan webpackExtractor was extended to recover per-module source paths for js-beautify. (v0.2.0)
  • New form.FillContext (per-crawl identity memory) threads response-aware values through form filling; DetectedInput gains DefaultValue/DatalistOptions. Login spray lives in crawler/login_creds.go (single-flight per host, negative-control gated). SQLite file detection centralized in pkg/database/detect.go. (v0.1.47-beta)
  • The single-source and bulk replay paths share one call shape via a new replayRun struct; client construction, cookie-jar save, header-overlay parsing, and output-writer setup extracted into reusable helpers; bulk selection maps onto database.QueryFilters via buildReplayBulkFilters. (v0.1.46-beta)
  • New shared helpers modkit.IsNonHTMLReflectionContext, modkit.MatchWithinSpan + modkit.MaxErrorSignatureSpan, jsframework.IsClientBuildArtifact, the authzutil.ClassifyParam sequential-int gate, and secret_detect.PatternLabel; format_screen.go renders any finding's Metadata["pattern"] as a leading bracket. (v0.1.45-beta)
  • New shared path-decomposition and slug-reflection helpers in modkit/pathprobe.go; modkit.StripReflected as the request-body analogue of StripReflectedProbePath; secret-detect gains IsDocDemoSecretContext. (v0.1.44-beta)
  • Regression and unit coverage added throughout alongside each new module and hardened detector.