#!/usr/bin/env python3 """ Sandbox URL Structure Mapper and Endpoint Analyzer Project Starlight - Security Assessment Tool Skills: endpoint_mapping, network_analysis, security_assessment Type: analysis/integration Version: 1.0 """ import json import hashlib import datetime import re import math from typing import Dict, List, Optional, Any, Union import dataclasses from collections import defaultdict @dataclasses.dataclass class Endpoint: """Endpoint data structure""" path: str methods: List[str] parameters: Dict[str, str] response_codes: List[int] auth_required: bool description: str technology: str @dataclasses.dataclass class TechnologyStack: """Technology stack information""" backend_framework: str frontend_framework: str database: str authentication: str security_headers: List[str] dependencies: List[str] class SandboxMapper: """Maps sandbox URL structure and analyzes endpoints""" def __init__(self, visible_pixel_hash: str): self.visible_pixel_hash = visible_pixel_hash self.base_url = f"/sandbox/wish-{visible_pixel_hash}" self.endpoints = [] self.technology_stack = TechnologyStack( backend_framework="FastAPI/Python", frontend_framework="HTML5/JavaScript", database="None (in-memory)", authentication="None", security_headers=["X-Content-Type-Options", "X-Frame-Options"], dependencies=["math", "json", "hashlib", "datetime"] ) def map_sandbox_structure(self) -> Dict[str, Any]: """Map the complete sandbox URL structure""" # Convert endpoints to serializable format endpoints_data = [] for endpoint in self._identify_endpoints(): endpoints_data.append({ "path": endpoint.path, "methods": endpoint.methods, "parameters": endpoint.parameters, "response_codes": endpoint.response_codes, "auth_required": endpoint.auth_required, "description": endpoint.description, "technology": endpoint.technology }) structure = { "base_url": self.base_url, "endpoints": endpoints_data, "static_routes": self._identify_static_routes(), "api_routes": self._identify_api_routes(), "dynamic_routes": self._identify_dynamic_routes() } return structure def _identify_endpoints(self) -> List[Endpoint]: """Identify all accessible endpoints""" endpoints = [ Endpoint( path=f"{self.base_url}/handler", methods=["GET", "POST"], parameters={"request": "FastAPI Request object"}, response_codes=[200, 400, 500], auth_required=False, description="Main sandbox handler endpoint", technology="FastAPI" ), Endpoint( path=f"{self.base_url}/api/[hash]/handler", methods=["GET", "POST"], parameters={"hash": "visible_pixel_hash"}, response_codes=[200, 404, 500], auth_required=False, description="Dynamic API endpoint for frontend-backend communication", technology="FastAPI Dynamic Routing" ), Endpoint( path=f"{self.base_url}/", methods=["GET"], parameters={}, response_codes=[200, 404], auth_required=False, description="Static file serving directory", technology="Static File Server" ) ] self.endpoints = endpoints return endpoints def _identify_static_routes(self) -> List[str]: """Identify static file routes""" return [ f"{self.base_url}/index.html", f"{self.base_url}/style.css", f"{self.base_url}/script.js", f"{self.base_url}/demo.html" ] def _identify_api_routes(self) -> List[str]: """Identify API routes""" return [ f"{self.base_url}/api/[hash]/handler" ] def _identify_dynamic_routes(self) -> List[str]: """Identify dynamic routes""" return [ f"{self.base_url}/[filename]", f"{self.base_url}/api/[hash]/[endpoint]" ] def analyze_request_patterns(self) -> Dict[str, Any]: """Analyze request/response patterns and data formats""" patterns = { "request_formats": [ { "type": "HTTP GET", "headers": {"Content-Type": "application/json"}, "body": None, "example": f"GET {self.base_url}/handler" }, { "type": "HTTP POST", "headers": {"Content-Type": "application/json"}, "body": {"data": "sample payload"}, "example": f"POST {self.base_url}/api/[hash]/handler" } ], "response_formats": [ { "status_code": 200, "content_type": "application/json", "structure": { "success": True, "result": "data", "error": None, "metadata": {} } }, { "status_code": 400, "content_type": "application/json", "structure": { "success": False, "result": None, "error": "error message", "metadata": {} } } ] } return patterns def analyze_authentication(self) -> Dict[str, Any]: """Document authentication mechanisms and session handling""" auth_analysis = { "authentication_type": "None", "session_management": "Stateless", "token_validation": "Not implemented", "security_headers": { "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY", "Content-Security-Policy": "default-src 'self'" }, "access_control": "Public sandbox environment", "vulnerabilities": [ "No authentication mechanism", "Public endpoint access", "No rate limiting" ] } return auth_analysis def generate_endpoint_mapping(self) -> str: """Generate endpoint mapping spreadsheet (CSV format)""" csv_content = "Path,HTTP Methods,Parameters,Response Codes,Auth Required,Description,Technology\n" for endpoint in self.endpoints: methods = ",".join(endpoint.methods) params = ",".join([f"{k}:{v}" for k, v in endpoint.parameters.items()]) codes = ",".join(map(str, endpoint.response_codes)) csv_content += f'"{endpoint.path}","{methods}","{params}","{codes}","{endpoint.auth_required}","{endpoint.description}","{endpoint.technology}"\n' return csv_content def generate_technology_report(self) -> Dict[str, Any]: """Generate technology stack analysis report""" return { "backend": { "framework": self.technology_stack.backend_framework, "language": "Python 3.x", "runtime": "Sandboxed Python environment", "routing": "Dynamic URL routing" }, "frontend": { "framework": self.technology_stack.frontend_framework, "libraries": ["Chart.js", "Plotly.js", "D3.js"], "styling": "CSS3 with responsive design" }, "security": { "isolation": "Sandbox environment", "restrictions": ["No file system access", "No network access", "Limited imports"], "monitoring": "Automated security validation" }, "dependencies": self.technology_stack.dependencies, "attack_surface": self._assess_attack_surface() } def _assess_attack_surface(self) -> Dict[str, Any]: """Initial attack surface assessment""" return { "high_risk_areas": [ "Dynamic endpoint routing without validation", "Public file serving", "No authentication mechanism" ], "medium_risk_areas": [ "Input validation gaps", "Potential XSS in dynamic content", "CSRF vulnerability" ], "low_risk_areas": [ "Static file exposure", "Information disclosure in error messages" ], "security_score": 3.5, # Out of 10 "recommendations": [ "Implement input validation", "Add authentication middleware", "Configure security headers", "Add rate limiting" ] } def generate_network_topology(self) -> Dict[str, Any]: """Generate network topology diagram data""" topology = { "nodes": [ { "id": "client", "type": "browser", "label": "Client Browser", "position": {"x": 100, "y": 200} }, { "id": "sandbox", "type": "server", "label": f"Sandbox\nwish-{self.visible_pixel_hash[:8]}...", "position": {"x": 400, "y": 200} }, { "id": "handler", "type": "endpoint", "label": "/handler", "position": {"x": 600, "y": 150} }, { "id": "api", "type": "endpoint", "label": "/api/[hash]/handler", "position": {"x": 600, "y": 250} } ], "connections": [ { "from": "client", "to": "sandbox", "protocol": "HTTP/HTTPS", "ports": [80, 443] }, { "from": "sandbox", "to": "handler", "protocol": "Internal routing", "method": "GET/POST" }, { "from": "sandbox", "to": "api", "protocol": "Internal routing", "method": "GET/POST" } ], "security_zones": { "untrusted": ["client"], "sandbox": ["sandbox"], "controlled": ["handler", "api"] } } return topology def export_analysis(self) -> Dict[str, Any]: """Export complete analysis results""" # Ensure endpoints are identified before export if not self.endpoints: self._identify_endpoints() # Convert endpoints to serializable format endpoints_data = [] for endpoint in self.endpoints: endpoints_data.append({ "path": endpoint.path, "methods": endpoint.methods, "parameters": endpoint.parameters, "response_codes": endpoint.response_codes, "auth_required": endpoint.auth_required, "description": endpoint.description, "technology": endpoint.technology }) return { "metadata": { "analysis_date": datetime.datetime.now().isoformat(), "visible_pixel_hash": self.visible_pixel_hash, "analyst": "SandboxMapper v1.0" }, "endpoints": endpoints_data, "endpoint_mapping": self.generate_endpoint_mapping(), "url_structure": self.map_sandbox_structure(), "request_patterns": self.analyze_request_patterns(), "authentication": self.analyze_authentication(), "technology_stack": self.generate_technology_report(), "network_topology": self.generate_network_topology() } def main(): """Main execution function""" # Example visible pixel hash visible_pixel_hash = "c9364f592d6f257543e49772492ce4b48170fdc84198035b95061b1b942c37d5" # Initialize mapper mapper = SandboxMapper(visible_pixel_hash) # Generate analysis analysis = mapper.export_analysis() # Save results with open("sandbox_analysis.json", "w") as f: json.dump(analysis, f, indent=2) # Save endpoint mapping as CSV with open("endpoint_mapping.csv", "w") as f: f.write(analysis["endpoint_mapping"]) print("✅ Sandbox analysis complete!") print(f"📊 Analyzed {len(mapper.endpoints)} endpoints") print(f"🔐 Security score: {analysis['technology_stack']['attack_surface']['security_score']}/10") print(f"📁 Files saved: sandbox_analysis.json, endpoint_mapping.csv") return analysis if __name__ == "__main__": result = main()