module NoirTaggers
Defined in:
tagger/tagger.cr
Constant Summary
-
HasFrameworkTaggers =
{django_auth: {name: "Django Auth Tagger", desc: "Identifies Django authentication patterns (decorators, mixins, DRF permissions)", runner: DjangoAuthTagger}, spring_auth: {name: "Spring Auth Tagger", desc: "Identifies Spring Security patterns (annotations, security config)", runner: SpringAuthTagger}, spring_security: {name: "Spring Security Tagger", desc: "Identifies Spring security signals beyond auth (CSRF disabled, CORS policy, security headers, input validation)", runner: SpringSecurityTagger}, express_auth: {name: "Express Auth Tagger", desc: "Identifies Express.js authentication patterns (Passport, JWT, auth middleware)", runner: ExpressAuthTagger}, go_auth: {name: "Go Auth Tagger", desc: "Identifies Go authentication patterns (middleware, JWT, session)", runner: GoAuthTagger}, go_security: {name: "Go Security Tagger", desc: "Identifies Go security middleware (CSRF, security headers, rate limiting, body-size limits)", runner: GoSecurityTagger}, rust_auth: {name: "Rust Auth Tagger", desc: "Identifies Rust authentication patterns (guards, extractors, middleware)", runner: RustAuthTagger}, rust_security: {name: "Rust Security Tagger", desc: "Identifies Rust framework security protections (CORS, rate limiting, security headers, body-size limits)", runner: RustSecurityTagger}, flask_auth: {name: "Flask Auth Tagger", desc: "Identifies Flask authentication patterns (flask-login, flask-jwt, flask-httpauth)", runner: FlaskAuthTagger}, fastapi_auth: {name: "FastAPI Auth Tagger", desc: "Identifies FastAPI authentication patterns (Depends, Security, OAuth2)", runner: FastAPIAuthTagger}, python_misc_auth: {name: "Python Misc Auth Tagger", desc: "Identifies Sanic/Tornado authentication patterns", runner: PythonMiscAuthTagger}, ruby_auth: {name: "Ruby Auth Tagger", desc: "Identifies Ruby authentication patterns (Devise, Pundit, CanCanCan, Warden)", runner: RubyAuthTagger}, rails_security: {name: "Rails Security Tagger", desc: "Identifies Rails controller security signals (CSRF protection, mass assignment, rate limiting)", runner: RailsSecurityTagger}, php_auth: {name: "PHP Auth Tagger", desc: "Identifies PHP authentication patterns (Laravel, Symfony, CakePHP)", runner: PhpAuthTagger}, nestjs_auth: {name: "NestJS Auth Tagger", desc: "Identifies NestJS authentication patterns (Guards, decorators)", runner: NestjsAuthTagger}, js_misc_auth: {name: "JS Misc Auth Tagger", desc: "Identifies Fastify/Koa/Restify authentication patterns", runner: JsMiscAuthTagger}, aspnet_auth: {name: "ASP.NET Auth Tagger", desc: "Identifies ASP.NET authentication patterns ([Authorize], policies)", runner: AspnetAuthTagger}, fastendpoints_auth: {name: "FastEndpoints Auth Tagger", desc: "Identifies FastEndpoints authentication patterns (Roles, Permissions, Policies)", runner: FastEndpointsAuthTagger}, elixir_auth: {name: "Elixir Auth Tagger", desc: "Identifies Phoenix/Plug authentication patterns (plugs, Guardian, Pow)", runner: ElixirAuthTagger}, ktor_auth: {name: "Ktor Auth Tagger", desc: "Identifies Ktor authentication patterns (authenticate blocks, principals)", runner: KtorAuthTagger}, java_misc_auth: {name: "Java Misc Auth Tagger", desc: "Identifies Vert.x/Armeria/JSP authentication patterns", runner: JavaMiscAuthTagger}, swift_auth: {name: "Swift Auth Tagger", desc: "Identifies Vapor/Kitura/Hummingbird authentication patterns", runner: SwiftAuthTagger}, scala_auth: {name: "Scala Auth Tagger", desc: "Identifies Play/Akka/Scalatra authentication patterns", runner: ScalaAuthTagger}, crystal_auth: {name: "Crystal Auth Tagger", desc: "Identifies Crystal framework authentication patterns (Kemal, Amber, Lucky)", runner: CrystalAuthTagger}, hono_auth: {name: "Hono Auth Tagger", desc: "Identifies Hono authentication patterns (bearerAuth, jwt, basicAuth, custom middleware)", runner: HonoAuthTagger}, perl_auth: {name: "Perl Auth Tagger", desc: "Identifies Perl authentication patterns (Dancer2 Auth::Extensible, Mojolicious, Catalyst)", runner: PerlAuthTagger}} -
HasTaggers =
{hunt: {name: "HuntParam Tagger", desc: "Identifies common parameters vulnerable to certain vulnerability classes", runner: HuntParamTagger}, oauth: {name: "OAuth Tagger", desc: "Identifies OAuth endpoints", runner: OAuthTagger}, cors: {name: "CORS Tagger", desc: "Identifies CORS endpoints", runner: CorsTagger}, soap: {name: "SOAP Tagger", desc: "Identifies SOAP endpoints", runner: SoapTagger}, websocket: {name: "Websocket Tagger", desc: "Identifies Websocket endpoints", runner: WebsocketTagger}, graphql: {name: "GraphQL Tagger", desc: "Identifies GraphQL endpoints", runner: GraphqlTagger}, mcp: {name: "MCP Tagger", desc: "Identifies Model Context Protocol endpoints", runner: McpTagger}, jwt: {name: "JWT Tagger", desc: "Identifies JWT authentication endpoints", runner: JwtTagger}, file_upload: {name: "FileUpload Tagger", desc: "Identifies file upload endpoints", runner: FileUploadTagger}, pii: {name: "PII Tagger", desc: "Identifies endpoints handling personally identifiable information", runner: PiiTagger}, admin: {name: "Admin Tagger", desc: "Identifies administrative and privileged endpoints", runner: AdminTagger}, payment: {name: "Payment Tagger", desc: "Identifies payment and financial transaction endpoints", runner: PaymentTagger}, webhook: {name: "Webhook Tagger", desc: "Identifies inbound webhook and callback endpoints", runner: WebhookTagger}, crypto: {name: "Crypto Tagger", desc: "Identifies cryptographic operation endpoints (encryption, signing, hashing, key management)", runner: CryptoTagger}, debug: {name: "Debug Tagger", desc: "Identifies debug, diagnostic, and internal-only endpoints (debug consoles, profilers, actuator, pprof, internal APIs)", runner: DebugTagger}, api_docs: {name: "API Docs Tagger", desc: "Identifies API documentation/schema endpoints (Swagger, OpenAPI, GraphiQL, ReDoc, WSDL)", runner: ApiDocsTagger}, account_recovery: {name: "Account Recovery Tagger", desc: "Identifies credential-management and account-recovery endpoints (password reset/change, MFA/OTP, verification)", runner: AccountRecoveryTagger}}
Class Method Summary
- .available_tagger_names : Array(String)
- .framework_taggers
- .run_tagger(endpoints : Array(Endpoint), options : Hash(String, YAML::Any), use_taggers : String)
- .taggers
- .unknown_tagger_names(use_taggers : String) : Array(String)
- .validate_tagger_names!(use_taggers : String)