RedMesh features pack 1

extensions/business/cybersec/red_mesh/constants.py

@@ -40,22 +40,24 @@
       "_service_info_elasticsearch",
       "_service_info_memcached",
       "_service_info_mongodb",
-      "_service_info_modbus"
+      "_service_info_modbus",
+      "_service_info_couchdb",
+      "_service_info_influxdb"
     ]
   },
   {
     "id": "web_discovery",
     "label": "Discovery",
     "description": "Enumerate exposed files, admin panels, homepage secrets, tech fingerprinting, and VPN endpoints (OWASP WSTG-INFO).",
     "category": "web",
-    "methods": ["_web_test_common", "_web_test_homepage", "_web_test_tech_fingerprint", "_web_test_vpn_endpoints"]
+    "methods": ["_web_test_common", "_web_test_homepage", "_web_test_tech_fingerprint", "_web_test_vpn_endpoints", "_web_test_cms_fingerprint", "_web_test_verbose_errors", "_web_test_java_servers"]
   },
   {
     "id": "web_hardening",
     "label": "Hardening audit",
-    "description": "Audit cookie flags, security headers, CORS policy, redirect handling, and HTTP methods (OWASP WSTG-CONF).",
+    "description": "Audit cookie flags, security headers, CORS policy, CSRF tokens, and HTTP methods (OWASP WSTG-CONF).",
     "category": "web",
-    "methods": ["_web_test_flags", "_web_test_security_headers", "_web_test_cors_misconfiguration", "_web_test_open_redirect", "_web_test_http_methods"]
+    "methods": ["_web_test_flags", "_web_test_security_headers", "_web_test_cors_misconfiguration", "_web_test_http_methods", "_web_test_csrf"]
   },
   {
     "id": "web_api_exposure",
@@ -67,16 +69,30 @@
   {
     "id": "web_injection",
     "label": "Injection probes",
-    "description": "Non-destructive probes for path traversal, reflected XSS, and SQL injection (OWASP WSTG-INPV).",
+    "description": "Non-destructive probes for path traversal, reflected XSS, SQL injection, SSRF, and open redirect (OWASP WSTG-INPV).",
     "category": "web",
-    "methods": ["_web_test_path_traversal", "_web_test_xss", "_web_test_sql_injection"]
+    "methods": ["_web_test_path_traversal", "_web_test_xss", "_web_test_sql_injection", "_web_test_ssti", "_web_test_shellshock", "_web_test_php_cgi", "_web_test_ognl_injection", "_web_test_java_deserialization", "_web_test_spring_actuator", "_web_test_open_redirect", "_web_test_ssrf_basic"]
+  },
+  {
+    "id": "web_auth_design",
+    "label": "Authentication & design flaws",
+    "description": "Detect account enumeration, missing rate limiting, and IDOR indicators (OWASP A04).",
+    "category": "web",
+    "methods": ["_web_test_account_enumeration", "_web_test_rate_limiting", "_web_test_idor_indicators"]
+  },
+  {
+    "id": "web_integrity",
+    "label": "Software integrity",
+    "description": "Check subresource integrity, mixed content, and client-side library versions (OWASP A08).",
+    "category": "web",
+    "methods": ["_web_test_subresource_integrity", "_web_test_mixed_content", "_web_test_js_library_versions"]
   },
   {
     "id": "active_auth",
     "label": "Credential testing",
     "description": "Test default/weak credentials on database and remote access services. May trigger account lockout.",
     "category": "service",
-    "methods": ["_service_info_mysql_creds", "_service_info_postgresql_creds"]
+    "methods": ["_service_info_mysql_creds", "_service_info_postgresql_creds", "_service_info_http_basic_auth"]
   },
   {
     "id": "post_scan_correlation",
@@ -89,6 +105,9 @@
 
 # Job status constants
 JOB_STATUS_RUNNING = "RUNNING"
+JOB_STATUS_COLLECTING = "COLLECTING"        # Launcher merging worker reports
+JOB_STATUS_ANALYZING = "ANALYZING"          # Running LLM analysis
+JOB_STATUS_FINALIZING = "FINALIZING"        # Computing risk, writing archive
 JOB_STATUS_SCHEDULED_FOR_STOP = "SCHEDULED_FOR_STOP"
 JOB_STATUS_STOPPED = "STOPPED"
 JOB_STATUS_FINALIZED = "FINALIZED"
@@ -169,11 +188,47 @@
     "_service_info_modbus":     frozenset({"modbus"}),
     "_service_info_wins":    frozenset({"wins", "nbns"}),
     "_service_info_rsync":   frozenset({"rsync"}),
+    "_service_info_couchdb":    frozenset({"http", "https"}),
+    "_service_info_influxdb":   frozenset({"http", "https"}),
     "_service_info_generic": frozenset({"unknown"}),
     "_service_info_mysql_creds": frozenset({"mysql"}),
     "_service_info_postgresql_creds": frozenset({"postgresql"}),
+    "_service_info_http_basic_auth": frozenset({"http", "https"}),
+    # OWASP full coverage probes
+    "_web_test_ssrf_basic":            frozenset({"http", "https"}),
+    "_web_test_account_enumeration":   frozenset({"http", "https"}),
+    "_web_test_rate_limiting":         frozenset({"http", "https"}),
+    "_web_test_idor_indicators":       frozenset({"http", "https"}),
+    "_web_test_subresource_integrity": frozenset({"http", "https"}),
+    "_web_test_mixed_content":         frozenset({"http", "https"}),
+    "_web_test_js_library_versions":   frozenset({"http", "https"}),
+    "_web_test_verbose_errors":        frozenset({"http", "https"}),
+    "_web_test_java_servers":          frozenset({"http", "https"}),
+    "_web_test_ognl_injection":        frozenset({"http", "https"}),
+    "_web_test_java_deserialization":  frozenset({"http", "https"}),
+    "_web_test_spring_actuator":       frozenset({"http", "https"}),
 }
 
+# =====================================================================
+# Local worker threads per node
+# =====================================================================
+
+LOCAL_WORKERS_MIN = 1
+LOCAL_WORKERS_MAX = 16
+LOCAL_WORKERS_DEFAULT = 2
+
+# =====================================================================
+# Port lists
+# =====================================================================
+
+COMMON_PORTS = [
+  21, 22, 23, 25, 53, 80, 110, 143, 161, 443, 445,
+  502, 1433, 1521, 27017, 3306, 3389, 5432, 5900,
+  8080, 8443, 9200, 11211
+]
+
+ALL_PORTS = list(range(1, 65536))
+
 # =====================================================================
 # Risk score computation
 # =====================================================================
@@ -182,4 +237,26 @@
 RISK_CONFIDENCE_MULTIPLIERS = {"certain": 1.0, "firm": 0.8, "tentative": 0.5}
 RISK_SIGMOID_K = 0.02
 RISK_CRED_PENALTY_PER = 15
-RISK_CRED_PENALTY_CAP = 30
+RISK_CRED_PENALTY_CAP = 30
+
+# =====================================================================
+# Job archive
+# =====================================================================
+
+JOB_ARCHIVE_VERSION = 1
+MAX_CONTINUOUS_PASSES = 100
+
+# =====================================================================
+# Live progress publishing
+# =====================================================================
+
+PROGRESS_PUBLISH_INTERVAL = 10  # seconds between progress updates to CStore
+
+# Scan phases in execution order (5 phases total)
+PHASE_ORDER = ["port_scan", "fingerprint", "service_probes", "web_tests", "correlation"]
+PHASE_MARKERS = {
+  "fingerprint": "fingerprint_completed",
+  "service_probes": "service_info_completed",
+  "web_tests": "web_tests_completed",
+  "correlation": "correlation_completed",
+}

extensions/business/cybersec/red_mesh/correlation_mixin.py

@@ -76,16 +76,19 @@ class _CorrelationMixin:
 
   def _post_scan_correlate(self):
     """Entry point: run all correlation checks and store findings."""
+    findings = []
+
+    # Scan-metadata-dependent correlations
     meta = self.state.get("scan_metadata")
-    if not meta:
-      return
+    if meta:
+      findings += self._correlate_port_ratio()
+      findings += self._correlate_os_consistency()
+      findings += self._correlate_infrastructure_leak()
+      findings += self._correlate_tls_consistency()
+      findings += self._correlate_timezone_drift()
 
-    findings = []
-    findings += self._correlate_port_ratio()
-    findings += self._correlate_os_consistency()
-    findings += self._correlate_infrastructure_leak()
-    findings += self._correlate_tls_consistency()
-    findings += self._correlate_timezone_drift()
+    # Cross-probe correlations (don't require scan_metadata)
+    findings += self._correlate_redirect_ssrf()
 
     if findings:
       self.P(f"Correlation engine produced {len(findings)} findings.")
@@ -211,3 +214,38 @@ def _correlate_timezone_drift(self):
         confidence="firm",
       ))
     return findings
+
+  def _correlate_redirect_ssrf(self):
+    """Flag SSRF chaining risk if open redirect + internal services detected."""
+    findings = []
+    web_info = self.state.get("web_tests_info", {})
+
+    has_open_redirect = False
+    has_metadata = False
+
+    for port_data in web_info.values():
+      for probe_name, result in port_data.items():
+        if not isinstance(result, dict):
+          continue
+        for f in result.get("findings", []):
+          title = f.get("title", "") if isinstance(f, dict) else ""
+          if "open redirect" in title.lower():
+            has_open_redirect = True
+          if "metadata" in title.lower() and "exposed" in title.lower():
+            has_metadata = True
+
+    if has_open_redirect and has_metadata:
+      findings.append(Finding(
+        severity=Severity.MEDIUM,
+        title="Open redirect may enable SSRF to cloud metadata",
+        description="An open redirect was found alongside accessible cloud metadata "
+                    "endpoints. If internal services follow redirects, an attacker "
+                    "can chain the redirect to access metadata credentials.",
+        evidence="Open redirect + cloud metadata endpoint both detected.",
+        remediation="Fix the open redirect; ensure internal HTTP clients do not follow "
+                    "redirects to metadata IPs.",
+        owasp_id="A10:2021",
+        cwe_id="CWE-918",
+        confidence="tentative",
+      ))
+    return findings