/* global React, I, FINDINGS */ const { useState: useStateV } = React; const CodeV = ({ html, style }) => ( 
);

// ============ Vulnerabilities filtered by category ============
function VulnCategory({ kind }) {
  const map = {
    'vulns.injection': { tag:'INJECTION', sub:'sqlmap · ffuf · Burp · time-based + boolean-blind', filter: f => /SQLi|injection|sqli/i.test(f.title) },
    'vulns.xss':       { tag:'XSS / DOM', sub:'reflected · stored · DOM-based · CSP-aware', filter: f => /XSS|DOM/i.test(f.title) },
    'vulns.ssrf':      { tag:'SSRF / RCE', sub:'image proxy · webhook · OOB exfil patterns', filter: f => /SSRF|RCE|forgery/i.test(f.title) },
    'vulns.idor':      { tag:'IDOR', sub:'cross-tenant · sequential ID · UUID guessing', filter: f => /IDOR|tenant|cross-tenant/i.test(f.title) },
    'vulns.cve':       { tag:'KNOWN CVES', sub:'Nuclei templates · vendor advisories · pinned CVE database', filter: f => /CVE|introspection|TLS/i.test(f.title) },
  };
  const m = map[kind] || map['vulns.injection'];
  const items = FINDINGS.filter(m.filter);
  return (
    <>
      

        
VAPT.WEB{m.tag}

          
{m.sub}

        

          
          
        

      

      

        

          SEVFINDINGTARGETSOURCECONFAGE
        

        

          {items.length ? items.map(f => (
            

              
              {f.sev}
              {f.cipher && CIPHER}{f.title}
              {f.target}
              {f.src}
              
{(f.conf*100).toFixed(0)}%
              {f.age}
            

          )) : 
no findings in this category yet — Track A still scanning
}
        

      

    
  );
}

// ============ Auth & Logic ============
function AuthView({ kind }) {
  const titles = {
    'auth.bypass':   ['Auth bypass', 'header-trust · IP allowlist drift · stage cookie reuse'],
    'auth.authz':    ['Authorization / IDOR', 'object-level + function-level access control'],
    'auth.session':  ['Session flaws', 'cookie scope · fixation · idle timeout · concurrent session'],
    'auth.jwt':      ['JWT analysis', 'alg confusion · key confusion · kid injection · weak HMAC'],
    'auth.workflow': ['Workflow logic', 'multi-step abuse · race conditions · price tampering'],
  };
  const [t, sub] = titles[kind] || titles['auth.bypass'];

  if (kind === 'auth.jwt') return ;

  return (
    <>
      

        
VAPT.WEB{t}
{sub}

        

      

      

        

          

            
PROBE MATRIX

            

              {[
                ['header-trust', 'X-Forwarded-For RFC1918', 'positive · F-0042', 'crit'],
                ['IP allowlist',  'edge bypass via Host', 'no-signal', 'ok'],
                ['stage cookie',  'staging cookie on prod',  'no-signal', 'ok'],
                ['session reuse', 'pre-logout token replay', 'positive · drift', 'high'],
                ['CSRF token',    'token rotation on PATCH', 'no-signal', 'ok'],
                ['MFA enrolment', 'force-skip via X-Skip-MFA','no-signal', 'ok'],
              ].map((r,i)=>(
                

                  {r[0]}
                  {r[1]}
                  {r[2]}
                

              ))}
            

          

          

            
CIPHER · LOGIC CANDIDATES

            

              {FINDINGS.filter(f => f.logic).map(f => (
                

                  {f.sev.toUpperCase()}
                  

                    
{f.title}

                    
{f.id} · {f.target} · conf {(f.conf*100).toFixed(0)}%

                  

                

              ))}
            

          

        

      

    
  );
}

function JwtView() {
  return (
    <>
      

        
VAPT.WEBJWT analysis

          
jwt_tool · alg confusion · key confusion · kid injection · weak HMAC cracking

        

      

      

        

          
CAPTURED TOKEN · /auth/token/verify

          // header (decoded)
{ "alg": "RS256", "typ": "JWT", "kid": "prod-2025-08" }

// payload (decoded)
{
  "sub": "u_28814",
  "role": "member",
  "iss": "https://auth.merid.example.com",
  "aud": "shop-prod",
  "exp": 1746201600
}`}/>
        


        

          
ATTACK MATRIX

          

            {[
              ['alg=none',           'force unsigned token', 'POSITIVE · staging issuer accepts',  'crit', 'F-0039'],
              ['alg confusion',      'RS256 → HS256 with pubkey', 'no-signal · pubkey unreachable', 'ok',   ''],
              ['kid injection',      'kid=../../etc/passwd', 'no-signal · kid sanitised',           'ok',   ''],
              ['weak HMAC crack',    'rockyou + 100k rules', 'not applicable · RS256',              'na',   ''],
              ['expired token',      'iat/exp drift ±300s',  'no-signal · strict validation',       'ok',   ''],
              ['cross-aud reuse',    'aud=admin-prod',       'SUSPECT · 200 on shop-prod',          'high', ''],
            ].map((r,i)=>(
              

                {r[0]}
                {r[1]}
                {r[2]}
                {r[4]}
              

            ))}
          

        

      

    
  );
}

// ============ API & GraphQL ============
function ApiView({ kind }) {
  if (kind === 'api.gql') return ;
  const titles = {
    'api.rest': ['REST surface', '412 endpoints across /api/v1 (legacy) and /api/v2 (current)'],
    'api.ws':   ['WebSockets', 'realtime channels — order updates, chat, presence'],
    'api.spec': ['OpenAPI diff', 'declared spec vs observed traffic — surfaces undocumented routes'],
  };
  const [t,s] = titles[kind] || titles['api.rest'];

  if (kind === 'api.spec') return ;

  return (
    <>
      
VAPT.WEB{t}
{s}

      

        

          
{kind==='api.rest'?'NAMESPACE COVERAGE':'CHANNELS'}

          

            {(kind==='api.rest'? [
              ['/api/v2/orders',     412, 8,  '88%'],
              ['/api/v2/users',      188, 4,  '92%'],
              ['/api/v2/me',         62,  2,  '100%'],
              ['/api/v2/checkout',   144, 1,  '74%'],
              ['/api/v2/inventory',  88,  0,  '61%'],
              ['/api/v1/* (legacy)', 47,  3,  '14%'],
            ] : [
              ['/ws/orders',     'auth · jwt',   'observed · 412 frames'],
              ['/ws/chat',       'auth · cookie','observed · 88 frames'],
              ['/ws/presence',   'public',       'observed · ratelimited'],
              ['/ws/admin',      'admin · jwt',  'auth-required · not yet probed'],
            ]).map((r,i)=>(
              

                {r[0]}
                {r[1]}{kind==='api.rest'?' calls':''}
                {kind==='api.rest'? `${r[2]} flagged` : r[2]}
                {kind==='api.rest' && {r[3]}}
              

            ))}
          

        

      

    
  );
}

function GraphQLView() {
  return (
    <>
      

        
VAPT.WEBGraphQL

        
InQL · 38 queries · 14 mutations · introspection enabled in prod (F-0037)

        

      

      

        

          
SCHEMA

          """Order placed by a tenant"""
type Order {
  id: ID!
  tenantId: ID!
  items: [LineItem!]!
  total: Money!
  customer: User @auth(scope: "order.read")
}

type Query {
  order(id: ID!): Order
  orders(tenantId: ID): [Order!]!  # tenantId NULL → all tenants
  me: User
  __schema: __Schema!  # introspection enabled
}

type Mutation {
  updateUserRole(id: ID!, role: Role!): User
  refundOrder(id: ID!, amount: Money!): Order
}`}/>
        

        

          
FINDINGS

          

            {[
              ['high','Introspection enabled in prod','/graphql','InQL',0.99],
              ['high','Batched query bypasses rate-limit','/graphql','InQL',0.84],
              ['med','tenantId nullable → cross-tenant read','orders()','CIPHER',0.77],
              ['med','updateUserRole accepts unauth member token','mutation','Burp',0.69],
              ['low','Verbose error exposes resolver path','/graphql','ZAP',0.99],
            ].map((f,i)=>(
              

                
                {f[0]}
                {f[1]}
                {f[3]}
                {(f[4]*100).toFixed(0)}%
              

            ))}
          

        

      

    
  );
}

function SpecDiff() {
  return (
    <>
      

        
VAPT.WEBOpenAPI diff

        
declared spec (3.1) ↔ observed traffic — surfaces undocumented routes & shadow params

      

      

        + undocumented endpoints (8)
  + GET    /admin/users                 status=200  hits=41   risk=CRIT
  + POST   /admin/tokens                status=201  hits=2    risk=HIGH
  + GET    /debug/healthz              status=200  hits=14   risk=MED
  + POST   /legacy/v1/login            status=200  hits=7    risk=MED
  + GET    /api/img/proxy              status=200  hits=48   risk=MED  flag=SSRF
  + GET    /__internal/metrics         status=401  hits=2
  + POST   /api/v2/orders/{id}/refund  status=200  hits=12   undocumented
  + GET    /api/v2/internal/audit      status=403  hits=4

- declared but never observed (3)
  - DELETE /api/v2/orders/{id}          last seen never  → likely retired
  - PUT    /api/v2/users/{id}/avatar    last seen never
  - POST   /api/v2/feedback             last seen never

! parameter drift (5)
  /api/v2/orders                        spec=tenantId,page  observed=+debug,+__internal
  /api/v2/me                            spec=name,email     observed=+role,+tier  !
  /search                               spec=q              observed=+debug,+source
  /auth/return                          spec=to             observed=+next,+redirect
  /api/v2/orders/{id}                   spec=id             observed=+include
`}/>
      

    
  );
}

window.VulnCategory = VulnCategory;
window.AuthView = AuthView;
window.ApiView = ApiView;