harness: deterministic HTTP probe grounds recon & decisions (more robust)

New harness::probe runs a real request/response analysis of the target BEFORE
the model recon and injects the observed facts into recon, so agent-selection
and exploitation decisions are grounded in evidence (robust even when model
recon is weak):
- status & redirect, Server/X-Powered-By/content-type, 6 security headers,
  cookie flags (HttpOnly/Secure/SameSite), CORS reflection test (arbitrary
  Origin + credentials), tech fingerprint, linked scripts, form count, a 404
  baseline for soft-404 differentials, and high-signal paths (/robots.txt,
  /.git/config, /.env, /sitemap.xml, /.well-known/security.txt).
- Best-effort (never fatal — degrades to a note on network failure), honors the
  identifying User-Agent and the Burp/ZAP proxy. Wired into black-box run() and
  greybox recon. A one-line probe summary streams to the live feed.
This commit is contained in:
CyberSecurityUP
2026-07-02 13:48:04 -03:00
parent 2edd35068d
commit 3ca04498a9
5 changed files with 263 additions and 8 deletions
+5
View File
@@ -68,6 +68,11 @@ Control TUI**.
- 🧾 **Grounding** — hard rule: **no claim without a tool receipt** (raw tool
output, not paraphrase). Empirical for black-box, symbolic (`file:line`) for
white-box; ungrounded claims are demoted.
- 🔬 **Deterministic HTTP probe** — before the model recon, the harness runs a
**real** request/response analysis (status/redirects, security headers, cookie
flags, CORS reflection, tech fingerprint, linked JS, 404 baseline, high-signal
paths) and feeds those observed facts into recon, so agent selection and
exploitation decisions are grounded in evidence — not the model's guess.
- 🔗 **Attack chaining** — 12 multi-stage chain agents (SQLi→RCE→LPE, SSRF→AWS
creds, upload→LFI→RCE→LPE, default-creds→domain, …); each stage proven before
advancing.