Xia0checkmate/vector-engine
VECTOR

Bug Hunter CVSS Calculator

A dark-themed, single-file CVSS v3.1 scoring engine built for bug bounty hunters and security researchers.



Features

CVSS v3.1 Scoring Engine

Full implementation of the Common Vulnerability Scoring System v3.1 specification:

  • Base Score — Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
  • Temporal Score — Exploit Maturity, Remediation Level, Report Confidence
  • Environmental Score — Confidentiality, Integrity, Availability Requirements (CR/IR/AR)
  • Real-time animated gauge with severity classification (NONE → LOW → MEDIUM → HIGH → CRITICAL)
  • CRITICAL scores (9.0+) trigger a pulse animation to draw attention

Vuln Decision Tree

28 vulnerability categories with 89 pre-scored scenarios across all severity levels:

| Category | Key | Category | Key |
|---|---|---|---|
| Cross-Site Request Forgery | CSRF | Remote Code Execution | RCE |
| Cross-Site Scripting | XSS | XML External Entity | XXE |
| CORS Misconfiguration | CORS | Server-Side Template Injection | SSTI |
| Insecure Direct Object Reference | IDOR | Open Redirect | REDIR |
| Business Logic Flaws | BIZ | Malicious File Upload | UPLOAD |
| Server-Side Request Forgery | SSRF | Authentication Bypass | AUTHBYP |
| SQL Injection | SQLI | Race Condition | RACE |
| Insecure Deserialization | DESER | JWT Vulnerabilities | JWT |
| GraphQL Vulnerabilities | GQL | API Security Flaws | APIS |
| Subdomain Takeover | SUBTK | Clickjacking | CLICKJ |
| HTTP Request Smuggling | SMUGGL | Web Cache Poisoning | CACHEP |
| Host Header Injection | HOSTHDR | Path Traversal | PATHTR |
| Information Disclosure | INFOLEAK | Missing Rate Limiting | RATELIM |
| Mass Assignment | MASSASGN | Prototype Pollution | PROTOPL |

Each scenario includes:

  • Real-world description
  • Pre-calculated CVSS score
  • Severity + Bounty Tier classification
  • One-click vector loading into the calculator

OWASP Quick Presets

One-click loading of OWASP Top 10 (2021) vulnerability vectors:

  • A01 — Broken Access Control
  • A02 — Cryptographic Failures
  • A03 — Injection (SQLi, XSS, Command Injection)
  • A04 — Insecure Design
  • A05 — Security Misconfiguration
  • A06 — Vulnerable Components
  • A07 — Auth & Session Failures
  • A08 — Software & Data Integrity
  • A09 — Security Logging Failures
  • A10 — Server-Side Request Forgery

Bounty Tier Mapping

Automatic classification into bug bounty payout tiers:

| Score | Severity | Tier | Typical Payout |
|---|---|---|---|
| 9.0 – 10.0 | CRITICAL | P1 | $2,000 – $10,000+ |
| 7.0 – 8.9 | HIGH | P2 | $500 – $2,000 |
| 4.0 – 6.9 | MEDIUM | P3 | $150 – $500 |
| 0.1 – 3.9 | LOW | P4 | $50 – $150 |
| 0.0 | NONE | P5 | $0 – $50 (Info) |

Audit Log

  • Commit calculated vectors to a local audit log
  • Copy any vector to clipboard with one click
  • Export full audit log as JSON
  • Entries stored in localStorage with UUID identifiers
  • Maximum 50 entries with duplicate detection

Vector Parser

Paste any CVSS v3.1 vector string and parse it directly into the calculator:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
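As an added example (not the project's code), here is a compact CVSS v3.1 engine in JavaScript that covers both the vector parser above and the Base and Temporal scoring described under Features. Every key and value is checked against a whitelist before use (the name VALID_CVSS_KEYS is taken from the Security section; the weights are the constants from the v3.1 specification), and the spec's Roundup function is applied. Environmental metrics are not handled here. The function names parseVector, scoreVector, roundup and severityOf are assumptions for this example.

```javascript
// Added example, not the project's code: whitelist-based parser plus CVSS v3.1 Base/Temporal scoring.
const BASE_KEYS = ['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A'];
const TEMPORAL_KEYS = ['E', 'RL', 'RC'];

// Whitelist of metric keys and values; the numbers are the CVSS v3.1 specification weights.
const VALID_CVSS_KEYS = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { N: 0.85, L: 0.62, H: 0.27 },            // weights for Scope Unchanged
  UI: { N: 0.85, R: 0.62 },
  S:  { U: true, C: true },                      // no weight of its own; selects formulas below
  C:  { H: 0.56, L: 0.22, N: 0 },
  I:  { H: 0.56, L: 0.22, N: 0 },
  A:  { H: 0.56, L: 0.22, N: 0 },
  E:  { X: 1, H: 1, F: 0.97, P: 0.94, U: 0.91 },
  RL: { X: 1, U: 1, W: 0.97, T: 0.96, O: 0.95 },
  RC: { X: 1, C: 1, R: 0.96, U: 0.92 },
};
const PR_SCOPE_CHANGED = { N: 0.85, L: 0.68, H: 0.5 };

// Own-property check: a plain `in` test would accept inherited names such as "constructor".
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// CVSS v3.1 Roundup: round up to one decimal using integer arithmetic to avoid float drift.
function roundup(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

// Parse "CVSS:3.1/AV:N/..." into { AV: 'N', ... }; throws on anything outside the whitelist.
function parseVector(str) {
  const parts = String(str).trim().split('/');
  if (parts.shift() !== 'CVSS:3.1') throw new Error('expected CVSS:3.1 prefix');
  const metrics = {};
  for (const part of parts) {
    const pieces = part.split(':');
    if (pieces.length !== 2) throw new Error(`malformed metric: ${part}`);
    const [key, value] = pieces;
    if (!has(VALID_CVSS_KEYS, key)) throw new Error(`unknown metric: ${key}`);
    if (!has(VALID_CVSS_KEYS[key], value)) throw new Error(`invalid value for ${key}: ${value}`);
    if (has(metrics, key)) throw new Error(`duplicate metric: ${key}`);
    metrics[key] = value;
  }
  for (const k of BASE_KEYS) if (!has(metrics, k)) throw new Error(`missing base metric: ${k}`);
  return metrics;
}

function severityOf(score) {
  if (score === 0) return 'NONE';
  if (score < 4) return 'LOW';
  if (score < 7) return 'MEDIUM';
  if (score < 9) return 'HIGH';
  return 'CRITICAL';
}

// Base and Temporal scores per CVSS v3.1 section 7.1 and 7.2.
function scoreVector(str) {
  const m = parseVector(str);
  const w = (k) => VALID_CVSS_KEYS[k][m[k]];
  const changed = m.S === 'C';
  const iss = 1 - (1 - w('C')) * (1 - w('I')) * (1 - w('A'));
  const impact = changed
    ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
    : 6.42 * iss;
  const pr = changed ? PR_SCOPE_CHANGED[m.PR] : w('PR');
  const exploitability = 8.22 * w('AV') * w('AC') * pr * w('UI');
  let base = 0;
  if (impact > 0) {
    base = changed
      ? roundup(Math.min(1.08 * (impact + exploitability), 10))
      : roundup(Math.min(impact + exploitability, 10));
  }
  // Temporal metrics default to X (weight 1) when absent from the vector.
  const tf = TEMPORAL_KEYS.reduce((f, k) => f * (has(m, k) ? VALID_CVSS_KEYS[k][m[k]] : 1), 1);
  return { base, temporal: roundup(base * tf), severity: severityOf(base), metrics: m };
}
```

Running scoreVector on the vector quoted above yields a Base score of 9.8 (CRITICAL); appending E:P/RL:O/RC:C leaves the Base unchanged and gives a Temporal score of 8.8. The own-property check in the parser is what keeps a pasted string from smuggling in names like __proto__ or constructor, which is the same class of issue the Prototype Pollution category in the decision tree describes.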

Quickstart

Option 1: Open directly

# Clone the repo
git clone https://github.com/YOUR_USERNAME/vector.git

# Open in browser
open index.html

Option 2: Serve locally

# Python
python -m http.server 8080

# Node.js
npx serve .

# Then open http://localhost:8080

No build step. No dependencies to install. Just open index.html.


Usage

Calculate a CVSS Score

  1. Select values for all 8 base metrics (Attack Vector, Attack Complexity, etc.)
  2. Optionally set Temporal metrics (Exploit Maturity, Remediation Level, Report Confidence)
  3. The score updates in real-time on the gauge
  4. Click Commit to Audit Log to save

Use the Decision Tree

  1. Scroll to the Vuln Decision Tree section
  2. Select a vulnerability category tab (CSRF, XSS, SQLi, etc.)
  3. Click a scenario card to view details
  4. Click Load Vector into Calculator to auto-fill all metrics

Parse a Vector String

  1. Click Parse Vector String in the sidebar
  2. Paste any CVSS v3.1 vector (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  3. Click Parse & Load
  4. Metrics auto-fill and score calculates

Apply OWASP Presets

  1. Select an OWASP category from the dropdown
  2. Click Apply
  3. Vector loads with a description of the vulnerability class

Tech Stack

| Technology | Purpose |
|---|---|
| HTML5 | Semantic structure |
| CSS3 | Dark theme with CSS variables (custom properties) |
| JavaScript (ES6+) | CVSS calculation engine, DOM manipulation |
| GSAP 3.12.5 | Scroll animations, gauge animations, UI transitions |
| Tailwind CSS | Utility-first layout helpers |
| Google Fonts | Bebas Neue (display), JetBrains Mono (code), Space Grotesk (body) |

All external scripts loaded with Subresource Integrity (SRI) hashes.


Project Structure

vector/
├── index.html      # Complete SPA — HTML + CSS + JS in one file
├── README.md       # This file
└── UPDATE.md       # Full changelog

Security

Implemented Protections

| Protection | Description |
|---|---|
| XSS Prevention | escapeHtml() sanitizes all data before innerHTML injection |
| Safe DOM Rendering | Decision Tree uses createElement + textContent instead of innerHTML |
| Input Whitelisting | All CVSS keys/values validated against VALID_CVSS_KEYS before processing |
| localStorage Validation | sanitizeLogEntry() validates type, length, and score range of all entries |
| SRI Hashes | GSAP scripts loaded with integrity + crossorigin attributes |
| No Inline Handlers | Event listeners attached via addEventListener, not onclick attributes |
| UUID Audit Entries | Each log entry gets a v4 UUID to prevent ID collisions |

Threat Model

This is a client-side only tool. All calculations happen in the browser and no data is sent to any server. The audit log uses localStorage for persistence; anything stored there is readable and writable by any script running on the same origin, which is why sanitizeLogEntry() validates every entry rather than trusting stored data.


Accessibility

  • role="radiogroup" + aria-label on all metric option grids
  • aria-label on every radio input
  • aria-live="polite" on score gauge and live clock
  • Global focus-visible styles for keyboard navigation
  • Focus trap in the Parse Vector modal
  • High-contrast dark theme

Browser Support

| Browser | Status |
|---|---|
| Chrome 90+ | Full support |
| Firefox 90+ | Full support |
| Safari 15+ | Full support |
| Edge 90+ | Full support |

Contributing

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/new-vuln-category)
  3. Make your changes in index.html
  4. Test in at least two browsers
  5. Submit a pull request

Adding a New Vulnerability Category

  1. Add a new entry to the DT_DATA object in the <script> section
  2. Add a <button class="dt-tab" data-vuln="YOUR_KEY">Label</button> to the #dt-tabs div
  3. Follow the existing format: label, icon, scenarios[] with id, tier, sev, score, color, name, desc, vector

License

MIT License. Use it, fork it, modify it.


VECTOR — Built for bug hunters who take scoring seriously.

About

A professional, interactive CVSS v3.1 Scoring Engine & Vulnerability Decision Tree built for Bug Bounty Hunters and Security Researchers.
