首页 项目实战 OWASP Juice Shop

从 Juice Shop 的目录结构、静态资源与错误信息入手,建立完整的信息收集与资产加固体系,构建企业级资产暴露防护架构,让 "攻击起点" 变成 "防守壁垒"。

# 目录与资产暴露技术价值与实战挑战

# 信息收集的攻击价值

信息收集是网络攻击的起点,攻击者通过系统性的信息收集可以获得:

  1. 攻击面映射:完整的应用端点清单和功能模块分布
  2. 技术栈识别:框架版本、中间件信息、开发语言特征
  3. 安全配置评估:错误处理机制、安全响应头配置情况
  4. 潜在漏洞线索:调试信息、源码泄露、配置文件暴露

# 企业级防护的核心挑战

  • 资产动态变化:业务迭代导致资产清单频繁更新
  • 多环境管理:开发、测试、生产环境配置差异
  • 供应链风险:第三方依赖和静态资源的安全管控
  • 合规要求:数据保护法规对信息暴露的严格限制

# 防护效果量化指标

  • 资产暴露面缩减率:目标减少 80% 以上的非必要暴露
  • 信息泄露事件数:目标降至每月 1 次以下
  • 安全配置覆盖率:目标达到 95% 以上的端点保护
  • 自动化检测率:目标实现 100% 的资产变更监控

# Juice Shop 资产暴露架构分析

# 应用资产暴露特征

Juice Shop 作为故意设计的安全靶场,包含了典型的 Web 应用资产暴露模式:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
// 典型的资产暴露点分析
const juiceShopAssets = {
  // API 端点暴露
  apiEndpoints: {
    restAPIs: [
      '/rest/user/login',
      '/rest/user/registration',
      '/rest/products/search',
      '/api/BasketItems',
      '/rest/deliveries'
    ],
    graphqlEndpoint: '/graphql',
    adminEndpoints: [
      '/rest/admin/application-configuration',
      '/rest/admin/movies'
    ]
  },
  
  // 静态资源暴露
  staticAssets: {
    javascripts: '/assets/js/',
    stylesheets: '/assets/css/',
    images: '/assets/images/',
    sourceMaps: '/assets/js/*.map',
    documentation: '/assets/docs/'
  },
  
  // 错误信息暴露
  errorExposure: {
    stackTraces: true,
    databaseErrors: true,
    frameworkInfo: true,
    serverVersion: true
  },
  
  // 响应头暴露
  headerExposure: {
    serverHeader: 'Express',
    poweredBy: 'Express',
    xAspNetVersion: '4.0.30319',
    runtimeVersion: 'Node.js'
  }
};

# 漏洞分布与风险评估

基于 Juice Shop 的资产暴露模式,我们可以识别出不同级别的安全风险:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
/**
 * 资产暴露风险评估器
 * 根据暴露类型和敏感度进行风险分级
 */
class AssetExposureRiskAssessor {
  constructor() {
    this.riskLevels = {
      CRITICAL: { score: 9.0, color: 'red', action: '立即修复' },
      HIGH: { score: 7.0, color: 'orange', action: '24小时内修复' },
      MEDIUM: { score: 5.0, color: 'yellow', action: '7天内修复' },
      LOW: { score: 3.0, color: 'blue', action: '30天内修复' }
    };
    
    this.exposureTypes = {
      SOURCE_CODE_LEAK: { weight: 0.9, impact: 'critical' },
      CONFIG_FILE_EXPOSURE: { weight: 0.8, impact: 'high' },
      ERROR_INFORMATION_LEAK: { weight: 0.6, impact: 'medium' },
      VERSION_INFORMATION_LEAK: { weight: 0.4, impact: 'low' },
      DIRECTORY_LISTING: { weight: 0.5, impact: 'medium' }
    };
  }

  /**
   * 评估单个资产暴露的风险等级
   * @param {Object} exposure - 暴露信息对象
   * @returns {Object} 风险评估结果
   */
  assessRisk(exposure) {
    const { type, path, sensitivity, accessibility } = exposure;
    
    // 基础风险分数计算
    const exposureType = this.exposureTypes[type] || { weight: 0.3, impact: 'low' };
    let riskScore = exposureType.weight * 10;
    
    // 敏感度调整
    const sensitivityMultiplier = {
      'public': 0.5,
      'internal': 0.7,
      'confidential': 1.0,
      'secret': 1.2
    };
    
    riskScore *= sensitivityMultiplier[sensitivity] || 0.5;
    
    // 可访问性调整
    const accessibilityMultiplier = {
      'internet': 1.0,
      'intranet': 0.7,
      'vpn': 0.5,
      'localhost': 0.3
    };
    
    riskScore *= accessibilityMultiplier[accessibility] || 1.0;
    
    // 确定风险等级
    let riskLevel = 'LOW';
    if (riskScore >= 9.0) riskLevel = 'CRITICAL';
    else if (riskScore >= 7.0) riskLevel = 'HIGH';
    else if (riskScore >= 5.0) riskLevel = 'MEDIUM';
    
    return {
      path,
      type,
      riskScore: Math.round(riskScore * 10) / 10,
      riskLevel,
      recommendation: this.getRecommendation(riskLevel, type),
      priority: this.getPriority(riskScore)
    };
  }

  /**
   * 获取修复建议
   * @param {string} riskLevel - 风险等级
   * @param {string} exposureType - 暴露类型
   * @returns {string} 修复建议
   */
  getRecommendation(riskLevel, exposureType) {
    const recommendations = {
      'SOURCE_CODE_LEAK': '移除源码文件,配置 .gitignore,检查构建流程',
      'CONFIG_FILE_EXPOSURE': '移除配置文件,使用环境变量管理配置',
      'ERROR_INFORMATION_LEAK': '统一错误处理,禁用详细错误信息',
      'VERSION_INFORMATION_LEAK': '隐藏版本信息,使用通用响应头',
      'DIRECTORY_LISTING': '禁用目录索引,配置默认页面'
    };
    
    return recommendations[exposureType] || '评估暴露必要性,实施访问控制';
  }

  /**
   * 获取修复优先级
   * @param {number} riskScore - 风险分数
   * @returns {number} 优先级(1-10,10最高)
   */
  getPriority(riskScore) {
    return Math.min(10, Math.round(riskScore));
  }
}

// 使用示例
const riskAssessor = new AssetExposureRiskAssessor();

// 模拟 Juice Shop 的资产暴露情况
const juiceShopExposures = [
  {
    type: 'SOURCE_CODE_LEAK',
    path: '/assets/js/app.js.map',
    sensitivity: 'public',
    accessibility: 'internet'
  },
  {
    type: 'ERROR_INFORMATION_LEAK',
    path: '/rest/user/login',
    sensitivity: 'internal',
    accessibility: 'internet'
  },
  {
    type: 'VERSION_INFORMATION_LEAK',
    path: '/',
    sensitivity: 'public',
    accessibility: 'internet'
  }
];

// 执行风险评估
const riskResults = juiceShopExposures.map(exposure => riskAssessor.assessRisk(exposure));
console.log('风险评估结果:', riskResults);

# 信息收集攻击技术深度实现

# 多维度信息收集框架

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
/**
 * 企业级信息收集框架
 * 集成多种信息收集技术,提供全面的资产发现能力
 */
class EnterpriseInformationGathering {
  constructor(targetDomain, options = {}) {
    this.targetDomain = targetDomain;
    this.options = {
      maxConcurrency: options.maxConcurrency || 10,
      timeout: options.timeout || 10000,
      userAgent: options.userAgent || 'Mozilla/5.0 (compatible; InfoGatherer/1.0)',
      followRedirects: options.followRedirects || false,
      ...options
    };
    
    this.results = {
      endpoints: [],
      staticAssets: [],
      subdomains: [],
      technologies: [],
      vulnerabilities: [],
      headers: {},
      certificates: {}
    };
    
    this.wordlists = {
      directories: this.loadWordlist('directories'),
      files: this.loadWordlist('files'),
      subdomains: this.loadWordlist('subdomains')
    };
  }

  /**
   * 加载字典文件
   * @param {string} type - 字典类型
   * @returns {Array} 字典列表
   */
  loadWordlist(type) {
    const wordlists = {
      directories: [
        'admin', 'api', 'assets', 'backup', 'config', 'css', 'data', 'docs',
        'files', 'images', 'js', 'logs', 'public', 'static', 'tmp', 'upload'
      ],
      files: [
        'index.html', 'login.html', 'admin.html', 'config.php', 'database.yml',
        'package.json', 'webpack.config.js', '.env', 'README.md', 'CHANGELOG.md'
      ],
      subdomains: [
        'api', 'admin', 'blog', 'dev', 'docs', 'mail', 'shop', 'test', 'www'
      ]
    };
    
    return wordlists[type] || [];
  }

  /**
   * 目录枚举
   * @param {Array} paths - 路径列表
   * @returns {Promise<Object>} 枚举结果
   */
  async enumerateDirectories(paths = null) {
    const targetPaths = paths || this.wordlists.directories;
    const results = [];
    
    console.log(`开始目录枚举: ${this.targetDomain}`);
    
    // 并发请求控制
    const chunks = this.chunkArray(targetPaths, this.options.maxConcurrency);
    
    for (const chunk of chunks) {
      const promises = chunk.map(async (path) => {
        const url = `https://${this.targetDomain}/${path}`;
        return this.checkEndpoint(url, 'directory');
      });
      
      const chunkResults = await Promise.allSettled(promises);
      results.push(...chunkResults.filter(r => r.status === 'fulfilled').map(r => r.value));
    }
    
    this.results.endpoints.push(...results.filter(r => r.status !== 404));
    return results;
  }

  /**
   * 检查端点响应
   * @param {string} url - 目标URL
   * @param {string} type - 检查类型
   * @returns {Promise<Object>} 检查结果
   */
  async checkEndpoint(url, type) {
    try {
      const startTime = Date.now();
      const response = await fetch(url, {
        method: 'GET',
        headers: {
          'User-Agent': this.options.userAgent
        },
        signal: AbortSignal.timeout(this.options.timeout)
      });
      
      const endTime = Date.now();
      const responseTime = endTime - startTime;
      
      // 收集响应头信息
      const headers = {};
      response.headers.forEach((value, key) => {
        headers[key.toLowerCase()] = value;
      });
      
      // 检查是否有敏感信息泄露
      const sensitiveInfo = this.analyzeResponse(response, headers);
      
      return {
        url,
        type,
        status: response.status,
        statusText: response.statusText,
        contentLength: headers['content-length'] || 0,
        contentType: headers['content-type'] || '',
        responseTime,
        headers,
        sensitiveInfo,
        accessible: response.status !== 404
      };
      
    } catch (error) {
      return {
        url,
        type,
        status: 'ERROR',
        error: error.message,
        accessible: false
      };
    }
  }

  /**
   * 分析响应中的敏感信息
   * @param {Response} response - 响应对象
   * @param {Object} headers - 响应头
   * @returns {Object} 敏感信息分析结果
   */
  analyzeResponse(response, headers) {
    const sensitiveInfo = {
      serverInfo: {},
      frameworkInfo: {},
      securityHeaders: {},
      potentialLeaks: []
    };
    
    // 服务器信息
    if (headers.server) {
      sensitiveInfo.serverInfo = {
        server: headers.server,
        version: this.extractVersion(headers.server)
      };
    }
    
    // 框架信息
    if (headers['x-powered-by']) {
      sensitiveInfo.frameworkInfo = {
        framework: headers['x-powered-by'],
        version: this.extractVersion(headers['x-powered-by'])
      };
    }
    
    // 安全头检查
    const securityHeaders = [
      'content-security-policy',
      'x-frame-options',
      'x-content-type-options',
      'strict-transport-security',
      'referrer-policy'
    ];
    
    securityHeaders.forEach(header => {
      sensitiveInfo.securityHeaders[header] = {
        present: !!headers[header],
        value: headers[header] || null
      };
    });
    
    return sensitiveInfo;
  }

  /**
   * 从字符串中提取版本信息
   * @param {string} input - 输入字符串
   * @returns {string|null} 版本信息
   */
  extractVersion(input) {
    const versionPattern = /\d+\.\d+(\.\d+)?/;
    const match = input.match(versionPattern);
    return match ? match[0] : null;
  }

  /**
   * 数组分块
   * @param {Array} array - 原数组
   * @param {number} size - 块大小
   * @returns {Array} 分块后的数组
   */
  chunkArray(array, size) {
    const chunks = [];
    for (let i = 0; i < array.length; i += size) {
      chunks.push(array.slice(i, i + size));
    }
    return chunks;
  }
}

// 使用示例
const infoGatherer = new EnterpriseInformationGathering('juice-shop.demo.target', {
  maxConcurrency: 5,
  timeout: 8000
});

// 执行目录枚举
infoGatherer.enumerateDirectories().then(results => {
  console.log('目录枚举结果:', results);
});

# 企业级资产暴露防护系统架构

# 多层防护体系设计

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
/**
 * 企业级资产暴露防护系统
 * 提供完整的资产发现、评估、防护和监控能力
 */
class EnterpriseAssetExposureProtection {
  constructor(config = {}) {
    this.config = {
      scanInterval: config.scanInterval || 24 * 60 * 60 * 1000, // 24小时
      maxConcurrency: config.maxConcurrency || 10,
      timeout: config.timeout || 10000,
      ...config
    };
    
    this.assetDatabase = new Map();
    this.riskAssessor = new AssetExposureRiskAssessor();
    this.protectionRules = new Map();
    
    this.initializeProtectionRules();
  }

  /**
   * 初始化防护规则
   */
  initializeProtectionRules() {
    // 文件类型防护规则
    this.protectionRules.set('file_types', {
      blocked: ['.env', '.git', '.svn', '.DS_Store', 'Thumbs.db'],
      restricted: ['.config', '.conf', '.ini', '.log', '.bak', '.tmp'],
      allowed: ['.html', '.css', '.js', '.png', '.jpg', '.gif', '.svg']
    });
    
    // 目录防护规则
    this.protectionRules.set('directories', {
      blocked: ['admin', 'config', 'backup', 'logs', 'tmp', '.git'],
      restricted: ['api', 'internal', 'private', 'secure'],
      authentication: ['admin', 'manage', 'dashboard']
    });
    
    // 响应头防护规则
    this.protectionRules.set('security_headers', {
      required: [
        'content-security-policy',
        'x-frame-options',
        'x-content-type-options',
        'referrer-policy'
      ],
      recommended: [
        'strict-transport-security',
        'permissions-policy',
        'cross-origin-embedder-policy'
      ]
    });
  }

  /**
   * 资产发现与注册
   * @param {string} domain - 目标域名
   * @returns {Promise<Object>} 发现结果
   */
  async discoverAndRegisterAssets(domain) {
    console.log(`开始发现和注册资产: ${domain}`);
    
    try {
      // 配置扫描器
      const scanner = new EnterpriseInformationGathering(domain, this.config);
      
      // 执行扫描
      const scanResults = await scanner.enumerateDirectories();
      
      // 注册发现的资产
      const registeredAssets = this.registerAssets(scanResults);
      
      // 风险评估
      const riskAssessment = this.assessAssetRisks(registeredAssets);
      
      return {
        domain,
        scanResults,
        registeredAssets,
        riskAssessment,
        timestamp: new Date().toISOString()
      };
      
    } catch (error) {
      console.error('资产发现失败:', error);
      throw error;
    }
  }

  /**
   * 注册资产到数据库
   * @param {Array} scanResults - 扫描结果
   * @returns {Array} 注册的资产列表
   */
  registerAssets(scanResults) {
    const registeredAssets = [];
    
    for (const endpoint of scanResults) {
      if (endpoint.accessible) {
        const asset = {
          id: this.generateAssetId('endpoint', endpoint.url),
          type: 'endpoint',
          url: endpoint.url,
          status: endpoint.status,
          contentType: endpoint.contentType,
          headers: endpoint.headers,
          discoveredAt: new Date().toISOString(),
          riskLevel: 'unknown',
          protectionStatus: 'unprotected'
        };
        
        this.assetDatabase.set(asset.id, asset);
        registeredAssets.push(asset);
      }
    }
    
    console.log(`成功注册 ${registeredAssets.length} 个资产`);
    return registeredAssets;
  }

  /**
   * 生成资产ID
   * @param {string} type - 资产类型
   * @param {string} identifier - 标识符
   * @returns {string} 资产ID
   */
  generateAssetId(type, identifier) {
    const hash = this.simpleHash(identifier);
    return `${type}_${hash}`;
  }

  /**
   * 简单哈希函数
   * @param {string} str - 输入字符串
   * @returns {string} 哈希值
   */
  simpleHash(str) {
    let hash = 0;
    for (let i = 0; i < str.length; i++) {
      const char = str.charCodeAt(i);
      hash = ((hash << 5) - hash) + char;
      hash = hash & hash; // 转换为32位整数
    }
    return Math.abs(hash).toString(16);
  }

  /**
   * 评估资产风险
   * @param {Array} assets - 资产列表
   * @returns {Object} 风险评估结果
   */
  assessAssetRisks(assets) {
    const riskAssessments = [];
    
    for (const asset of assets) {
      const riskAssessment = this.assessEndpointRisk(asset);
      
      // 更新资产风险信息
      asset.riskLevel = riskAssessment.riskLevel;
      asset.riskScore = riskAssessment.riskScore;
      asset.riskFactors = riskAssessment.riskFactors;
      asset.lastAssessed = new Date().toISOString();
      
      riskAssessments.push(riskAssessment);
    }
    
    // 统计分析
    const statistics = this.calculateRiskStatistics(riskAssessments);
    
    return {
      assessments: riskAssessments,
      statistics,
      recommendations: this.generateRiskRecommendations(statistics)
    };
  }

  /**
   * 评估端点风险
   * @param {Object} endpoint - 端点资产
   * @returns {Object} 风险评估结果
   */
  assessEndpointRisk(endpoint) {
    const riskFactors = [];
    let riskScore = 0;
    
    // 检查文件类型风险
    const urlPath = new URL(endpoint.url).pathname;
    const extension = urlPath.split('.').pop().toLowerCase();
    
    const fileRules = this.protectionRules.get('file_types');
    if (fileRules.blocked.includes(`.${extension}`)) {
      riskFactors.push({
        type: 'blocked_file_type',
        severity: 'critical',
        description: `访问被禁止的文件类型: .${extension}`
      });
      riskScore += 8;
    }
    
    // 检查目录风险
    const pathSegments = urlPath.split('/').filter(segment => segment.length > 0);
    const dirRules = this.protectionRules.get('directories');
    
    for (const segment of pathSegments) {
      if (dirRules.blocked.includes(segment)) {
        riskFactors.push({
          type: 'blocked_directory',
          severity: 'high',
          description: `访问被禁止的目录: ${segment}`
        });
        riskScore += 7;
      }
    }
    
    // 检查响应头安全
    const headerRules = this.protectionRules.get('security_headers');
    const missingHeaders = [];
    
    for (const requiredHeader of headerRules.required) {
      if (!endpoint.headers[requiredHeader]) {
        missingHeaders.push(requiredHeader);
      }
    }
    
    if (missingHeaders.length > 0) {
      riskFactors.push({
        type: 'missing_security_headers',
        severity: 'medium',
        description: `缺少安全响应头: ${missingHeaders.join(', ')}`
      });
      riskScore += 3 * missingHeaders.length;
    }
    
    // 确定风险等级
    let riskLevel = 'LOW';
    if (riskScore >= 9) riskLevel = 'CRITICAL';
    else if (riskScore >= 7) riskLevel = 'HIGH';
    else if (riskScore >= 5) riskLevel = 'MEDIUM';
    
    return {
      assetId: endpoint.id,
      type: 'endpoint',
      url: endpoint.url,
      riskScore: Math.round(riskScore * 10) / 10,
      riskLevel,
      riskFactors,
      recommendation: this.getEndpointRecommendation(riskLevel, riskFactors)
    };
  }

  /**
   * 获取端点修复建议
   * @param {string} riskLevel - 风险等级
   * @param {Array} riskFactors - 风险因素
   * @returns {string} 修复建议
   */
  getEndpointRecommendation(riskLevel, riskFactors) {
    const recommendations = {
      CRITICAL: '立即移除或限制访问该端点,实施严格的访问控制',
      HIGH: '在24小时内修复安全问题,添加认证和授权机制',
      MEDIUM: '在7天内实施安全加固,添加必要的安全响应头',
      LOW: '在30天内审查端点必要性,优化安全配置'
    };
    
    return recommendations[riskLevel] || '评估端点安全性,实施适当的安全措施';
  }

  /**
   * 计算风险统计
   * @param {Array} assessments - 风险评估列表
   * @returns {Object} 统计信息
   */
  calculateRiskStatistics(assessments) {
    const statistics = {
      total: assessments.length,
      critical: 0,
      high: 0,
      medium: 0,
      low: 0,
      averageRisk: 0
    };
    
    let totalRisk = 0;
    assessments.forEach(assessment => {
      statistics[assessment.riskLevel.toLowerCase()]++;
      totalRisk += assessment.riskScore;
    });
    
    statistics.averageRisk = assessments.length > 0 ? 
      Math.round((totalRisk / assessments.length) * 10) / 10 : 0;
    
    return statistics;
  }

  /**
   * 生成风险建议
   * @param {Object} statistics - 统计信息
   * @returns {Array} 建议列表
   */
  generateRiskRecommendations(statistics) {
    const recommendations = [];
    
    if (statistics.critical > 0) {
      recommendations.push({
        priority: 'IMMEDIATE',
        title: '紧急风险处理',
        description: `发现 ${statistics.critical} 个关键风险,需要立即处理`,
        action: '立即修复所有关键级别安全问题'
      });
    }
    
    if (statistics.high > 5) {
      recommendations.push({
        priority: 'HIGH',
        title: '高危风险批量处理',
        description: `发现 ${statistics.high} 个高风险项,建议批量处理`,
        action: '建立高危风险快速响应流程'
      });
    }
    
    return recommendations;
  }
}

// 使用示例
const protectionSystem = new EnterpriseAssetExposureProtection({
  scanInterval: 12 * 60 * 60 * 1000, // 12小时
  maxConcurrency: 8
});

// 发现和保护资产
protectionSystem.discoverAndRegisterAssets('juice-shop.demo.target')
  .then(result => {
    console.log('资产发现和保护完成:', result);
  })
  .catch(error => {
    console.error('资产保护系统启动失败:', error);
  });

# 资产暴露安全测试框架

# 自动化测试套件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
/**
 * 资产暴露安全测试框架
 * 提供全面的自动化测试能力,验证防护措施的有效性
 */
class AssetExposureTestFramework {
  constructor(config = {}) {
    this.config = {
      targetDomain: config.targetDomain,
      testTimeout: config.testTimeout || 30000,
      maxConcurrency: config.maxConcurrency || 5,
      ...config
    };
    
    this.testResults = [];
    this.testSuites = new Map();
    
    this.initializeTestSuites();
  }

  /**
   * 初始化测试套件
   */
  initializeTestSuites() {
    // 目录暴露测试
    this.testSuites.set('directory_exposure', {
      name: '目录暴露测试',
      description: '检测目录索引和敏感目录访问',
      tests: ['testDirectoryListing', 'testSensitiveDirectories']
    });
    
    // 文件暴露测试
    this.testSuites.set('file_exposure', {
      name: '文件暴露测试',
      description: '检测敏感文件和配置文件暴露',
      tests: ['testConfigFiles', 'testBackupFiles', 'testEnvironmentFiles']
    });
    
    // 信息泄露测试
    this.testSuites.set('information_leakage', {
      name: '信息泄露测试',
      description: '检测响应头和错误信息泄露',
      tests: ['testServerHeaders', 'testPoweredByHeaders']
    });
  }

  /**
   * 执行完整测试
   * @returns {Promise<Object>} 测试结果
   */
  async runFullTestSuite() {
    console.log(`开始执行完整测试套件: ${this.config.targetDomain}`);
    
    const startTime = Date.now();
    const testResults = {
      targetDomain: this.config.targetDomain,
      startTime: new Date().toISOString(),
      testSuites: [],
      summary: {
        totalTests: 0,
        passedTests: 0,
        failedTests: 0,
        warnings: 0,
        vulnerabilities: []
      }
    };
    
    // 执行所有测试套件
    for (const [suiteName, suite] of this.testSuites) {
      console.log(`执行测试套件: ${suite.name}`);
      
      const suiteResult = await this.runTestSuite(suiteName, suite);
      testResults.testSuites.push(suiteResult);
      
      // 更新统计
      testResults.summary.totalTests += suiteResult.summary.totalTests;
      testResults.summary.passedTests += suiteResult.summary.passedTests;
      testResults.summary.failedTests += suiteResult.summary.failedTests;
      testResults.summary.warnings += suiteResult.summary.warnings;
      testResults.summary.vulnerabilities.push(...suiteResult.vulnerabilities);
    }
    
    testResults.endTime = new Date().toISOString();
    testResults.duration = Date.now() - startTime;
    
    console.log('测试套件执行完成');
    return testResults;
  }

  /**
   * 执行单个测试套件
   * @param {string} suiteName - 套件名称
   * @param {Object} suite - 套件配置
   * @returns {Promise<Object>} 套件结果
   */
  async runTestSuite(suiteName, suite) {
    const suiteResult = {
      name: suite.name,
      description: suite.description,
      tests: [],
      summary: {
        totalTests: suite.tests.length,
        passedTests: 0,
        failedTests: 0,
        warnings: 0
      },
      vulnerabilities: []
    };
    
    for (const testName of suite.tests) {
      try {
        console.log(`执行测试: ${testName}`);
        const testResult = await this.executeTest(testName);
        
        suiteResult.tests.push(testResult);
        
        if (testResult.status === 'passed') {
          suiteResult.summary.passedTests++;
        } else if (testResult.status === 'failed') {
          suiteResult.summary.failedTests++;
        } else if (testResult.status === 'warning') {
          suiteResult.summary.warnings++;
        }
        
        // 收集漏洞信息
        if (testResult.vulnerabilities) {
          suiteResult.vulnerabilities.push(...testResult.vulnerabilities);
        }
        
      } catch (error) {
        console.error(`测试执行失败: ${testName}`, error);
        suiteResult.tests.push({
          name: testName,
          status: 'error',
          error: error.message
        });
        suiteResult.summary.failedTests++;
      }
    }
    
    return suiteResult;
  }

  /**
   * 执行单个测试
   * @param {string} testName - 测试名称
   * @returns {Promise<Object>} 测试结果
   */
  async executeTest(testName) {
    const testMethods = {
      testDirectoryListing: () => this.testDirectoryListing(),
      testSensitiveDirectories: () => this.testSensitiveDirectories(),
      testConfigFiles: () => this.testConfigFiles(),
      testBackupFiles: () => this.testBackupFiles(),
      testEnvironmentFiles: () => this.testEnvironmentFiles(),
      testServerHeaders: () => this.testServerHeaders(),
      testPoweredByHeaders: () => this.testPoweredByHeaders()
    };
    
    const testMethod = testMethods[testName];
    if (!testMethod) {
      throw new Error(`未知的测试方法: ${testName}`);
    }
    
    return await testMethod();
  }

  /**
   * 测试目录索引
   * @returns {Object} 测试结果
   */
  async testDirectoryListing() {
    const testPaths = ['/assets/', '/public/', '/static/', '/images/', '/css/', '/js/'];
    const results = [];
    const vulnerabilities = [];
    
    for (const path of testPaths) {
      try {
        const url = `https://${this.config.targetDomain}${path}`;
        const response = await fetch(url, {
          method: 'GET',
          signal: AbortSignal.timeout(this.config.testTimeout)
        });
        
        const content = await response.text();
        const hasDirectoryListing = /Index of \//i.test(content);
        
        if (hasDirectoryListing) {
          vulnerabilities.push({
            type: 'directory_listing',
            path,
            severity: 'medium',
            description: '目录索引功能开启,暴露文件结构',
            recommendation: '禁用目录索引功能或配置默认页面'
          });
        }
        
        results.push({
          path,
          status: response.status,
          hasDirectoryListing
        });
        
      } catch (error) {
        results.push({
          path,
          error: error.message
        });
      }
    }
    
    const hasVulnerabilities = vulnerabilities.length > 0;
    
    return {
      name: 'testDirectoryListing',
      status: hasVulnerabilities ? 'failed' : 'passed',
      description: '检测目录索引功能',
      results,
      vulnerabilities: hasVulnerabilities ? vulnerabilities : undefined
    };
  }

  /**
   * 测试敏感目录
   * @returns {Object} 测试结果
   */
  async testSensitiveDirectories() {
    const sensitivePaths = ['/admin/', '/config/', '/backup/', '/logs/', '/tmp/'];
    const results = [];
    const vulnerabilities = [];
    
    for (const path of sensitivePaths) {
      try {
        const url = `https://${this.config.targetDomain}${path}`;
        const response = await fetch(url, {
          method: 'GET',
          signal: AbortSignal.timeout(this.config.testTimeout)
        });
        
        const isAccessible = response.status !== 404;
        
        if (isAccessible) {
          vulnerabilities.push({
            type: 'sensitive_directory_access',
            path,
            severity: 'high',
            description: '敏感目录可被公开访问',
            recommendation: '限制敏感目录访问,实施认证机制'
          });
        }
        
        results.push({
          path,
          status: response.status,
          isAccessible
        });
        
      } catch (error) {
        results.push({
          path,
          error: error.message
        });
      }
    }
    
    const hasVulnerabilities = vulnerabilities.length > 0;
    
    return {
      name: 'testSensitiveDirectories',
      status: hasVulnerabilities ? 'failed' : 'passed',
      description: '检测敏感目录访问',
      results,
      vulnerabilities: hasVulnerabilities ? vulnerabilities : undefined
    };
  }

  /**
   * 测试配置文件暴露
   * @returns {Object} 测试结果
   */
  async testConfigFiles() {
    const configFiles = [
      '/config.json',
      '/database.yml',
      '/app.config',
      '/.env',
      '/config/database.json'
    ];
    
    const results = [];
    const vulnerabilities = [];
    
    for (const file of configFiles) {
      try {
        const url = `https://${this.config.targetDomain}${file}`;
        const response = await fetch(url, {
          method: 'GET',
          signal: AbortSignal.timeout(this.config.testTimeout)
        });
        
        const isAccessible = response.status === 200;
        
        if (isAccessible) {
          vulnerabilities.push({
            type: 'config_file_exposure',
            file,
            severity: 'high',
            description: '配置文件可被公开访问',
            recommendation: '移除配置文件或限制访问权限'
          });
        }
        
        results.push({
          file,
          status: response.status,
          isAccessible
        });
        
      } catch (error) {
        results.push({
          file,
          error: error.message
        });
      }
    }
    
    const hasVulnerabilities = vulnerabilities.length > 0;
    
    return {
      name: 'testConfigFiles',
      status: hasVulnerabilities ? 'failed' : 'passed',
      description: '检测配置文件暴露',
      results,
      vulnerabilities: hasVulnerabilities ? vulnerabilities : undefined
    };
  }

  /**
   * 测试服务器响应头
   * @returns {Object} 测试结果
   */
  async testServerHeaders() {
    try {
      const url = `https://${this.config.targetDomain}/`;
      const response = await fetch(url, {
        method: 'GET',
        signal: AbortSignal.timeout(this.config.testTimeout)
      });
      
      const headers = {};
      response.headers.forEach((value, key) => {
        headers[key.toLowerCase()] = value;
      });
      
      const vulnerabilities = [];
      
      // 检查服务器版本信息泄露
      if (headers.server) {
        const versionPattern = /(apache|nginx|iis|express)\/[\d.]+/i;
        if (versionPattern.test(headers.server)) {
          vulnerabilities.push({
            type: 'server_version_leak',
            header: 'server',
            value: headers.server,
            severity: 'low',
            description: '服务器版本信息泄露',
            recommendation: '隐藏或泛化服务器版本信息'
          });
        }
      }
      
      return {
        name: 'testServerHeaders',
        status: vulnerabilities.length > 0 ? 'warning' : 'passed',
        description: '检测服务器响应头信息泄露',
        headers,
        vulnerabilities: vulnerabilities.length > 0 ? vulnerabilities : undefined
      };
      
    } catch (error) {
      return {
        name: 'testServerHeaders',
        status: 'error',
        error: error.message
      };
    }
  }

  /**
   * 测试 X-Powered-By 头
   * @returns {Object} 测试结果
   */
  async testPoweredByHeaders() {
    try {
      const url = `https://${this.config.targetDomain}/`;
      const response = await fetch(url, {
        method: 'GET',
        signal: AbortSignal.timeout(this.config.testTimeout)
      });
      
      const poweredBy = response.headers.get('x-powered-by');
      
      if (poweredBy) {
        return {
          name: 'testPoweredByHeaders',
          status: 'warning',
          description: '检测框架信息泄露',
          hasPoweredBy: true,
          value: poweredBy,
          recommendation: '移除 X-Powered-By 响应头'
        };
      }
      
      return {
        name: 'testPoweredByHeaders',
        status: 'passed',
        description: '检测框架信息泄露',
        hasPoweredBy: false
      };
      
    } catch (error) {
      return {
        name: 'testPoweredByHeaders',
        status: 'error',
        error: error.message
      };
    }
  }
}

// 使用示例
const testFramework = new AssetExposureTestFramework({
  targetDomain: 'juice-shop.demo.target',
  testTimeout: 15000,
  maxConcurrency: 3
});

// 执行完整测试套件
testFramework.runFullTestSuite().then(results => {
  console.log('测试结果:', results);
});

# 实战加固清单与最佳实践

# Juice Shop 资产暴露加固清单

# 1. 目录访问控制

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
// Express.js 目录访问控制配置
const express = require('express');
const path = require('path');

const app = express();

// 禁用目录索引
app.use(express.static('public', {
  index: false, // 禁用默认文件查找
  maxAge: '1d', // 设置缓存时间
  setHeaders: (res, path) => {
    // 禁用目录浏览
    if (path.endsWith('/')) {
      res.setHeader('X-Content-Type-Options', 'nosniff');
    }
  }
}));

// 敏感目录访问限制
const sensitiveDirectories = ['/admin', '/config', '/backup', '/logs'];
sensitiveDirectories.forEach(dir => {
  app.use(dir, (req, res, next) => {
    // IP白名单检查
    const allowedIPs = ['127.0.0.1', '::1'];
    const clientIP = req.ip || req.connection.remoteAddress;
    
    if (!allowedIPs.includes(clientIP)) {
      return res.status(403).json({ error: 'Access denied' });
    }
    
    next();
  });
});

# 2. 响应头安全配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
// 安全响应头中间件
const helmet = require('helmet');

app.use(helmet({
  // 内容安全策略
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
      connectSrc: ["'self'"],
      fontSrc: ["'self'"],
      objectSrc: ["'none'"],
      mediaSrc: ["'self'"],
      frameSrc: ["'none'"]
    }
  },
  
  // 隐藏 X-Powered-By 头
  hidePoweredBy: true,
  
  // HSTS配置
  hsts: {
    maxAge: 31536000,
    includeSubDomains: true,
    preload: true
  },
  
  // 其他安全头
  frameguard: { action: 'deny' },
  xssFilter: true,
  noSniff: true,
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' }
}));

// 自定义安全头
app.use((req, res, next) => {
  // 移除服务器信息
  res.removeHeader('Server');
  
  // 添加自定义安全头
  res.setHeader('X-Download-Options', 'noopen');
  res.setHeader('X-Permitted-Cross-Domain-Policies', 'none');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  
  next();
});

# 3. 错误处理加固

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
// 统一错误处理中间件
app.use((err, req, res, next) => {
  // 记录详细错误信息到日志
  console.error('Error details:', {
    message: err.message,
    stack: err.stack,
    url: req.url,
    method: req.method,
    ip: req.ip,
    userAgent: req.get('User-Agent'),
    timestamp: new Date().toISOString()
  });
  
  // 生产环境返回通用错误信息
  if (process.env.NODE_ENV === 'production') {
    res.status(500).json({
      error: 'Internal Server Error',
      requestId: req.id || 'unknown'
    });
  } else {
    // 开发环境返回详细错误信息
    res.status(500).json({
      error: err.message,
      stack: err.stack
    });
  }
});

// 404处理
app.use((req, res) => {
  res.status(404).json({
    error: 'Not Found',
    path: req.path
  });
});

# 4. 静态资源保护

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
// 静态资源访问控制
app.use('/assets', express.static('public/assets', {
  maxAge: '1y', // 长期缓存
  etag: true,
  lastModified: true,
  setHeaders: (res, filePath) => {
    // 禁止访问敏感文件
    const sensitiveExtensions = ['.map', '.config', '.env', '.key'];
    const fileExtension = path.extname(filePath);
    
    if (sensitiveExtensions.includes(fileExtension)) {
      return res.status(403).json({ error: 'Access denied' });
    }
    
    // 设置安全头
    res.setHeader('X-Content-Type-Options', 'nosniff');
    res.setHeader('X-Frame-Options', 'DENY');
  }
}));

// Source Map 文件访问控制
app.get('*.map', (req, res) => {
  // 只允许内网访问
  const clientIP = req.ip || req.connection.remoteAddress;
  const allowedNetworks = ['127.0.0.1', '::1', '10.', '192.168.', '172.16.'];
  
  const isAllowed = allowedNetworks.some(network => 
    clientIP.startsWith(network)
  );
  
  if (!isAllowed) {
    return res.status(403).json({ error: 'Source map access denied' });
  }
  
  next();
});

# 监控与告警机制

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
/**
 * 资产暴露监控与告警系统
 */
class AssetExposureMonitor {
  constructor(config = {}) {
    this.config = {
      checkInterval: config.checkInterval || 60 * 60 * 1000, // 1小时
      alertThresholds: {
        newEndpoints: config.newEndpoints || 5,
        highRiskEndpoints: config.highRiskEndpoints || 3,
        missingSecurityHeaders: config.missingSecurityHeaders || 2
      },
      notification: {
        email: config.email || false,
        slack: config.slack || false,
        webhook: config.webhook || null
      },
      ...config
    };
    
    this.baselineAssets = new Map();
    this.currentAssets = new Map();
    this.alertHistory = [];
    
    this.initializeMonitoring();
  }

  /**
   * 初始化监控系统
   */
  initializeMonitoring() {
    // 建立基线
    this.establishBaseline();
    
    // 定期检查
    setInterval(() => {
      this.performSecurityCheck();
    }, this.config.checkInterval);
    
    console.log('资产暴露监控系统已启动');
  }

  /**
   * 建立资产基线
   */
  async establishBaseline() {
    console.log('建立资产基线...');
    
    try {
      const scanner = new EnterpriseInformationGathering(
        this.config.targetDomain,
        { maxConcurrency: 5 }
      );
      
      const scanResults = await scanner.enumerateDirectories();
      
      // 存储基线数据
      scanResults.forEach(endpoint => {
        if (endpoint.accessible) {
          this.baselineAssets.set(endpoint.url, {
            ...endpoint,
            firstSeen: new Date().toISOString(),
            baselineRisk: this.calculateRisk(endpoint)
          });
        }
      });
      
      console.log(`基线建立完成,共 ${this.baselineAssets.size} 个资产`);
      
    } catch (error) {
      console.error('基线建立失败:', error);
    }
  }

  /**
   * 执行安全检查
   */
  async performSecurityCheck() {
    console.log('执行定期安全检查...');
    
    try {
      const scanner = new EnterpriseInformationGathering(
        this.config.targetDomain,
        { maxConcurrency: 5 }
      );
      
      const scanResults = await scanner.enumerateDirectories();
      
      // 清空当前资产列表
      this.currentAssets.clear();
      
      // 更新当前资产
      scanResults.forEach(endpoint => {
        if (endpoint.accessible) {
          this.currentAssets.set(endpoint.url, {
            ...endpoint,
            lastSeen: new Date().toISOString(),
            currentRisk: this.calculateRisk(endpoint)
          });
        }
      });
      
      // 检测变化
      const changes = this.detectChanges();
      
      // 生成告警
      if (changes.length > 0) {
        await this.generateAlerts(changes);
      }
      
      // 更新基线
      this.updateBaseline();
      
      console.log(`安全检查完成,发现 ${changes.length} 个变化`);
      
    } catch (error) {
      console.error('安全检查失败:', error);
    }
  }

  /**
   * 检测资产变化
   * @returns {Array} 变化列表
   */
  detectChanges() {
    const changes = [];
    
    // 检测新增资产
    for (const [url, asset] of this.currentAssets) {
      if (!this.baselineAssets.has(url)) {
        changes.push({
          type: 'new_endpoint',
          url,
          asset,
          severity: 'medium',
          description: `发现新端点: ${url}`
        });
      }
    }
    
    // 检测消失的资产
    for (const [url, asset] of this.baselineAssets) {
      if (!this.currentAssets.has(url)) {
        changes.push({
          type: 'removed_endpoint',
          url,
          asset,
          severity: 'low',
          description: `端点已消失: ${url}`
        });
      }
    }
    
    // 检测风险变化
    for (const [url, currentAsset] of this.currentAssets) {
      const baselineAsset = this.baselineAssets.get(url);
      if (baselineAsset && currentAsset.currentRisk > baselineAsset.baselineRisk) {
        changes.push({
          type: 'risk_increase',
          url,
          baselineRisk: baselineAsset.baselineRisk,
          currentRisk: currentAsset.currentRisk,
          severity: 'high',
          description: `端点风险增加: ${url}`
        });
      }
    }
    
    return changes;
  }

  /**
   * 计算资产风险
   * @param {Object} endpoint - 端点信息
   * @returns {number} 风险分数
   */
  calculateRisk(endpoint) {
    let risk = 0;
    
    // 基于路径的风险评估
    const riskyPaths = ['/admin', '/config', '/backup', '/debug'];
    riskyPaths.forEach(riskyPath => {
      if (endpoint.url.includes(riskyPath)) {
        risk += 3;
      }
    });
    
    // 基于响应头的风险评估
    const missingHeaders = [];
    const requiredHeaders = ['content-security-policy', 'x-frame-options'];
    
    requiredHeaders.forEach(header => {
      if (!endpoint.headers[header]) {
        missingHeaders.push(header);
      }
    });
    
    risk += missingHeaders.length * 2;
    
    // 基于内容类型的风险评估
    if (endpoint.contentType.includes('application/json')) {
      risk += 1; // API端点
    }
    
    return Math.min(risk, 10);
  }

  /**
   * 生成告警
   * @param {Array} changes - 变化列表
   */
  async generateAlerts(changes) {
    const alerts = changes.map(change => ({
      id: this.generateAlertId(),
      timestamp: new Date().toISOString(),
      targetDomain: this.config.targetDomain,
      ...change
    }));
    
    // 存储告警历史
    this.alertHistory.push(...alerts);
    
    // 发送通知
    if (this.config.notification.email) {
      await this.sendEmailAlert(alerts);
    }
    
    if (this.config.notification.slack) {
      await this.sendSlackAlert(alerts);
    }
    
    if (this.config.notification.webhook) {
      await this.sendWebhookAlert(alerts);
    }
    
    console.log(`已生成 ${alerts.length} 个告警`);
  }

  /**
   * 生成告警ID
   * @returns {string} 告警ID
   */
  generateAlertId() {
    return `alert_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
  }

  /**
   * 发送邮件告警
   * @param {Array} alerts - 告警列表
   */
  async sendEmailAlert(alerts) {
    // 这里实现邮件发送逻辑
    console.log('邮件告警:', alerts);
  }

  /**
   * 发送Slack告警
   * @param {Array} alerts - 告警列表
   */
  async sendSlackAlert(alerts) {
    // 这里实现Slack通知逻辑
    console.log('Slack告警:', alerts);
  }

  /**
   * 发送Webhook告警
   * @param {Array} alerts - 告警列表
   */
  async sendWebhookAlert(alerts) {
    try {
      const response = await fetch(this.config.notification.webhook, {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json'
        },
        body: JSON.stringify({
          alerts,
          timestamp: new Date().toISOString(),
          target: this.config.targetDomain
        })
      });
      
      if (response.ok) {
        console.log('Webhook告警发送成功');
      } else {
        console.error('Webhook告警发送失败:', response.statusText);
      }
      
    } catch (error) {
      console.error('Webhook告警发送错误:', error);
    }
  }

  /**
   * 更新基线
   */
  updateBaseline() {
    // 将当前资产状态更新为基线
    this.currentAssets.forEach((asset, url) => {
      this.baselineAssets.set(url, {
        ...asset,
        firstSeen: this.baselineAssets.get(url)?.firstSeen || asset.lastSeen,
        baselineRisk: asset.currentRisk
      });
    });
    
    // 移除已消失的资产
    for (const [url] of this.baselineAssets) {
      if (!this.currentAssets.has(url)) {
        this.baselineAssets.delete(url);
      }
    }
  }

  /**
   * 生成监控报告
   * @returns {Object} 监控报告
   */
  generateMonitoringReport() {
    const report = {
      timestamp: new Date().toISOString(),
      targetDomain: this.config.targetDomain,
      summary: {
        totalAssets: this.currentAssets.size,
        baselineAssets: this.baselineAssets.size,
        recentAlerts: this.alertHistory.filter(
          alert => Date.now() - new Date(alert.timestamp).getTime() < 24 * 60 * 60 * 1000
        ).length
      },
      assets: Array.from(this.currentAssets.values()),
      recentAlerts: this.alertHistory.slice(-10), // 最近10个告警
      recommendations: this.generateRecommendations()
    };
    
    return report;
  }

  /**
   * 生成建议
   * @returns {Array} 建议列表
   */
  generateRecommendations() {
    const recommendations = [];
    
    // 基于告警历史生成建议
    const recentAlerts = this.alertHistory.filter(
      alert => Date.now() - new Date(alert.timestamp).getTime() < 7 * 24 * 60 * 60 * 1000
    );
    
    const newEndpointAlerts = recentAlerts.filter(alert => alert.type === 'new_endpoint');
    if (newEndpointAlerts.length > this.config.alertThresholds.newEndpoints) {
      recommendations.push({
        priority: 'HIGH',
        title: '新端点频繁出现',
        description: `一周内发现 ${newEndpointAlerts.length} 个新端点`,
        action: '审查部署流程,建立端点变更审批机制'
      });
    }
    
    const highRiskAlerts = recentAlerts.filter(alert => alert.severity === 'high');
    if (highRiskAlerts.length > this.config.alertThresholds.highRiskEndpoints) {
      recommendations.push({
        priority: 'CRITICAL',
        title: '高风险端点增加',
        description: `一周内发现 ${highRiskAlerts.length} 个高风险变化`,
        action: '立即进行安全评估,实施紧急防护措施'
      });
    }
    
    return recommendations;
  }
}

// 使用示例
const monitor = new AssetExposureMonitor({
  targetDomain: 'juice-shop.demo.target',
  checkInterval: 30 * 60 * 1000, // 30分钟
  notification: {
    email: true,
    slack: true,
    webhook: 'https://api.example.com/alerts'
  }
});

// 生成监控报告
setInterval(() => {
  const report = monitor.generateMonitoringReport();
  console.log('监控报告:', JSON.stringify(report, null, 2));
}, 24 * 60 * 60 * 1000); // 每天生成报告

通过这套完整的资产暴露防护体系,企业可以有效降低信息泄露风险,提升整体安全防护水平,将传统的 "被动防御" 转变为 "主动防护",构建真正有效的纵深防御体系。