harness: deterministic HTTP probe grounds recon & decisions (more robust)

New harness::probe runs a real request/response analysis of the target BEFORE
the model recon and injects the observed facts into recon, so agent-selection
and exploitation decisions are grounded in evidence (robust even when model
recon is weak):
- status & redirect, Server/X-Powered-By/content-type, 6 security headers,
  cookie flags (HttpOnly/Secure/SameSite), CORS reflection test (arbitrary
  Origin + credentials), tech fingerprint, linked scripts, form count, a 404
  baseline for soft-404 differentials, and high-signal paths (/robots.txt,
  /.git/config, /.env, /sitemap.xml, /.well-known/security.txt).
- Best-effort (never fatal — degrades to a note on network failure), honors the
  identifying User-Agent and the Burp/ZAP proxy. Wired into black-box run() and
  greybox recon. A one-line probe summary streams to the live feed.
This commit is contained in:
CyberSecurityUP
2026-07-02 13:48:04 -03:00
parent 2edd35068d
commit 3ca04498a9
5 changed files with 263 additions and 8 deletions
+10
View File
@@ -59,6 +59,16 @@ interactive line-editing.
## Deeper recon & analysis (agent prompts)
- **Deterministic HTTP probe (native, `harness::probe`).** Before the model
recon, the harness performs a **real** request/response analysis of the target
and injects the observed facts into recon so agent-selection and exploitation
decisions are grounded in evidence (more robust — works even when the model's
recon is weak): status & redirect, `Server`/`X-Powered-By`/content-type, the 6
security headers (present/missing), **cookie flags** (HttpOnly/Secure/SameSite),
**CORS reflection** test (arbitrary Origin + credentials), tech fingerprint,
linked scripts, form count, a **404 baseline** for soft-404 differentials, and
a few high-signal paths (`/robots.txt`, `/.git/config`, `/.env`, …). Best-effort
(never fatal), honors the identifying User-Agent and the Burp/ZAP proxy.
- **RECON_SYS** now crawls pages/params/headers/cookies, **downloads the linked
JavaScript and analyzes it** (API endpoints, hidden params, GraphQL, secrets /
keys / tokens, `sourceMappingURL` → recover original source), fingerprints