mirror of
https://github.com/CyberSecurityUP/NeuroSploit.git
synced 2026-07-07 11:57:54 +02:00
identification/attribution + multi-role access-control auth (v3.5.5)
Attribution (anti-plagiarism), multiple layers: - Identifying User-Agent on every request (default NeuroSploit/<ver> + an X-NeuroSploit-Scan header), overridable via /ua or NEUROSPLOIT_UA env; shown in the run banner. RunConfig.user_agent + Session.user_agent wired through. - Every finding is stamped "Identified and validated by NeuroSploit …" (in finish() and the raw-report path) so provenance travels in the finding text, findings.json and the report. Multi-role authentication for access-control testing (IDOR/BOLA/BFLA/privesc): - creds.yaml gains named identity blocks (admin:/user:/victim:/…), each with jwt | header | cookie | apikey | login+username+password. With >=2 roles the harness injects a cross-role access-control directive (authorized-vs-unauthorized proof) and defaults the primary auth to the first role. Also: /help now lists one command per line (fixes smushed OPTIONS/RUN columns); /ua command + Session field; docs (README + RELEASE) updated.
This commit is contained in:
@@ -243,6 +243,39 @@ auth: **AWS** access keys or profile; **GCP** a service-account JSON
|
||||
|
||||
---
|
||||
|
||||
## 👥 Multiple identities — access-control testing (IDOR / BOLA / BFLA)
|
||||
|
||||
Give NeuroSploit two or more **named roles** in `creds.yaml` and it authenticates
|
||||
as each and tests **cross-role** access (a low-priv role reaching another user's
|
||||
object or an admin function is a finding):
|
||||
|
||||
```yaml
|
||||
admin:
|
||||
jwt: eyJ... # per role: jwt | header (raw) | cookie | apikey | login+username+password
|
||||
user:
|
||||
apikey: abc123 # → X-Api-Key: abc123
|
||||
victim:
|
||||
cookie: "session=deadbeef"
|
||||
```
|
||||
|
||||
```bash
|
||||
neurosploit run https://app.example --creds creds.yaml \
|
||||
--subscription --model anthropic:claude-opus-4-8 -v
|
||||
```
|
||||
|
||||
Each finding is proven with the **authorized vs unauthorized** request pair, under
|
||||
the data-safety guardrail (read-only, PII masked).
|
||||
|
||||
## 🏷️ Identification & attribution (anti-plagiarism)
|
||||
|
||||
Every request is tagged with an identifying **User-Agent** (default
|
||||
`NeuroSploit/<ver> …`, change with **`/ua`** or `NEUROSPLOIT_UA`) plus an
|
||||
`X-NeuroSploit-Scan` header, and every finding is **stamped** "Identified and
|
||||
validated by NeuroSploit" — so provenance travels in the traffic, the finding
|
||||
text, `findings.json` and the report footer.
|
||||
|
||||
---
|
||||
|
||||
## Build
|
||||
|
||||
```bash
|
||||
|
||||
Reference in New Issue
Block a user