mirror of
https://github.com/CyberSecurityUP/NeuroSploit.git
synced 2026-07-11 05:33:43 +02:00
NeuroSploit v3.2.1 - AI-Everywhere Auto Pentest + Container Fix + Deep Recon Overhaul
## AI-Everywhere Auto Pentest - Pre-stream AI master planning (_ai_master_plan) runs before parallel streams - Stream 1 AI recon analysis (Phase 9: hidden endpoint probing, priority routing) - Stream 2 AI payload generation (replaces hardcoded payloads with context-aware AI) - Stream 3 AI tool output analysis (real findings vs noise classification) - 4 new prompt builders in ai_prompts.py (master_plan, junior_ai_test, tool_analysis, recon_analysis) ## LLM-as-VulnEngine: AI Deep Testing - New _ai_deep_test() iterative loop: OBSERVE→PLAN→EXECUTE→ANALYZE→ADAPT (3 iterations max) - AI-first for top 15 injection types, hardcoded fallback for rest - Per-endpoint AI testing in Phase C instead of single _ai_dynamic_test() - New system prompt context: deep_testing + iterative_testing - Token budget adaptive: 15 normal, 5 when <50k tokens remain ## Container Fix (Critical) - Fixed ENTRYPOINT ["/bin/bash", "-c"] → CMD ["bash"] in Dockerfile.kali - Root cause: Docker ran /bin/bash -c "sleep" "infinity" → missing operand → container exit - All Kali sandbox tools (nuclei, naabu, etc.) now start and execute correctly ## Deep Recon Overhaul - JS analysis: 10→30 files, 11 regex patterns, source map parsing, parameter extraction - Sitemaps: recursive index following (depth 3), 8 candidates, 500 URL cap - API discovery: 7→20 Swagger/OpenAPI paths, 1→6 GraphQL paths, request body schema extraction - Framework detection: 9 frameworks (WordPress, Laravel, Django, Spring, Express, ASP.NET, Rails, Next.js, Flask) - 40+ common hidden/sensitive paths checked (.env, .git, /actuator, /debug, etc.) - API pattern fuzzing: infers endpoints from discovered patterns, batch existence checks - HTTP method discovery via OPTIONS probing - URL normalization and deduplication ## Frontend Fixes - Elapsed time now works for completed scans (computed from started_at→completed_at) - Container telemetry: exit -1 shows "ERR" (yellow), duration shows "N/A" on failure - HTML report rewrite: professional pentest report with cover page, risk gauge, ToC, per-finding cards, print CSS ## Other - Updated rebuild.sh summary and validation - Bug bounty training datasets added Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1624,3 +1624,476 @@ VULN_AI_PROMPTS: Dict[str, dict] = {
|
||||
"technology_hints": {"general": "OWASP API Security #3. Check: REST APIs without field selection, GraphQL without proper field-level authorization, response serializers including all model fields."}
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Deep Test Prompts — AI-driven iterative testing loop
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
def get_deep_test_plan_prompt(
|
||||
vuln_type: str,
|
||||
context: str,
|
||||
playbook_ctx: str = "",
|
||||
iteration: int = 1,
|
||||
previous_results: str = "",
|
||||
) -> str:
|
||||
"""Build the PLANNING prompt for _ai_deep_test() Step 2.
|
||||
|
||||
The LLM receives full context about the endpoint and must generate
|
||||
specific, targeted test cases — not generic payloads.
|
||||
|
||||
Args:
|
||||
vuln_type: The vulnerability type being tested (e.g., "sqli_error")
|
||||
context: Rich context string (endpoint, baseline, tech, WAF, params)
|
||||
playbook_ctx: Playbook methodology context for this vuln type
|
||||
iteration: Current iteration number (1-3)
|
||||
previous_results: JSON string of previous test results (for iterations 2+)
|
||||
"""
|
||||
# Get per-type proof requirements
|
||||
proof_req = ""
|
||||
try:
|
||||
from backend.core.vuln_engine.system_prompts import VULN_TYPE_PROOF_REQUIREMENTS
|
||||
proof_req = VULN_TYPE_PROOF_REQUIREMENTS.get(vuln_type, "")
|
||||
except ImportError:
|
||||
pass
|
||||
|
||||
# Get per-type AI prompt for detection strategy
|
||||
type_prompt = VULN_AI_PROMPTS.get(vuln_type, {})
|
||||
detection = type_prompt.get("detection_strategy", "")
|
||||
methodology = type_prompt.get("test_methodology", "")
|
||||
payload_hints = type_prompt.get("payload_selection", "")
|
||||
|
||||
iteration_context = ""
|
||||
if iteration > 1 and previous_results:
|
||||
iteration_context = f"""
|
||||
## PREVIOUS TEST RESULTS (Round {iteration - 1})
|
||||
You have already tested this endpoint. Here are the ACTUAL server responses:
|
||||
|
||||
{previous_results}
|
||||
|
||||
IMPORTANT: Analyze what happened. What did the server do with your input?
|
||||
- Did any payload cause an error? → Exploit that error pattern.
|
||||
- Did any payload get reflected? → Check encoding, try context escape.
|
||||
- Did any payload change the response? → Investigate what changed and why.
|
||||
- Did all payloads get blocked? → Try encoding/obfuscation bypass.
|
||||
- Did the server behave identically for all inputs? → Endpoint likely NOT vulnerable.
|
||||
|
||||
Generate NEW test cases that build on what you learned. Do NOT repeat previous payloads.
|
||||
"""
|
||||
|
||||
return f"""You are an expert penetration tester performing Round {iteration} of iterative {vuln_type.upper()} testing.
|
||||
|
||||
## TARGET CONTEXT
|
||||
{context}
|
||||
|
||||
{f"## DETECTION STRATEGY" + chr(10) + detection if detection else ""}
|
||||
{f"## METHODOLOGY" + chr(10) + methodology if methodology else ""}
|
||||
{f"## PAYLOAD HINTS" + chr(10) + payload_hints if payload_hints else ""}
|
||||
{playbook_ctx}
|
||||
{f"## PROOF REQUIREMENTS" + chr(10) + proof_req if proof_req else ""}
|
||||
{iteration_context}
|
||||
|
||||
## YOUR TASK
|
||||
Generate {3 if iteration == 1 else 5} specific test cases for {vuln_type} on this endpoint.
|
||||
Each test must be a concrete HTTP request — not a description of what to test.
|
||||
|
||||
Respond ONLY with JSON:
|
||||
{{
|
||||
"reasoning": "Brief explanation of your testing strategy based on the context",
|
||||
"tests": [
|
||||
{{
|
||||
"name": "Descriptive name of the test",
|
||||
"rationale": "Why this specific test based on what you observed",
|
||||
"method": "GET|POST|PUT|DELETE",
|
||||
"url": "Full URL to test (use actual URLs from context)",
|
||||
"params": {{"param_name": "payload_value"}},
|
||||
"headers": {{"Header-Name": "value"}},
|
||||
"body": "request body if POST/PUT (or empty string)",
|
||||
"content_type": "application/x-www-form-urlencoded|application/json|text/xml",
|
||||
"injection_point": "parameter|header|body|path",
|
||||
"success_indicators": ["what to look for in response that proves vulnerability"],
|
||||
"failure_indicators": ["what indicates NOT vulnerable"]
|
||||
}}
|
||||
]
|
||||
}}
|
||||
|
||||
RULES:
|
||||
- Use ACTUAL URLs and parameters from the context — don't invent endpoints.
|
||||
- Each test MUST have a clear rationale tied to the target's behavior.
|
||||
- Include both aggressive tests (exploit attempts) and subtle probes (behavior mapping).
|
||||
- If this is Round 2+, your tests MUST be adapted based on previous results."""
|
||||
|
||||
|
||||
def get_deep_test_analysis_prompt(
|
||||
vuln_type: str,
|
||||
test_results: str,
|
||||
baseline: str = "",
|
||||
iteration: int = 1,
|
||||
) -> str:
|
||||
"""Build the ANALYSIS prompt for _ai_deep_test() Step 4.
|
||||
|
||||
The LLM receives actual HTTP responses and must analyze them
|
||||
for vulnerability indicators with anti-hallucination enforcement.
|
||||
|
||||
Args:
|
||||
vuln_type: The vulnerability type being tested
|
||||
test_results: JSON string of test results with actual HTTP responses
|
||||
baseline: Baseline response data for comparison
|
||||
iteration: Current iteration number
|
||||
"""
|
||||
# Get per-type proof requirements
|
||||
proof_req = ""
|
||||
try:
|
||||
from backend.core.vuln_engine.system_prompts import VULN_TYPE_PROOF_REQUIREMENTS
|
||||
proof_req = VULN_TYPE_PROOF_REQUIREMENTS.get(vuln_type, "")
|
||||
except ImportError:
|
||||
pass
|
||||
|
||||
type_prompt = VULN_AI_PROMPTS.get(vuln_type, {})
|
||||
verification = type_prompt.get("verification_criteria", "")
|
||||
fp_indicators = type_prompt.get("false_positive_indicators", "")
|
||||
|
||||
return f"""Analyze these HTTP responses for {vuln_type.upper()} vulnerability.
|
||||
This is Round {iteration} of iterative testing.
|
||||
|
||||
## BASELINE RESPONSE (normal behavior without attack payload)
|
||||
{baseline if baseline else "Not available — compare between test responses instead."}
|
||||
|
||||
## TEST RESULTS (actual server responses)
|
||||
{test_results}
|
||||
|
||||
{f"## VERIFICATION CRITERIA" + chr(10) + verification if verification else ""}
|
||||
{f"## KNOWN FALSE POSITIVE PATTERNS" + chr(10) + fp_indicators if fp_indicators else ""}
|
||||
{f"## PROOF REQUIREMENTS" + chr(10) + proof_req if proof_req else ""}
|
||||
|
||||
## ANALYSIS INSTRUCTIONS
|
||||
|
||||
For EACH test result, analyze:
|
||||
1. Did the response differ from baseline? How exactly? (status, body, headers, timing)
|
||||
2. Is the difference CAUSED by the payload, or is it generic application behavior?
|
||||
3. Does the response contain proof of execution (not just delivery)?
|
||||
4. Would you stake your professional reputation on this finding?
|
||||
|
||||
ANTI-HALLUCINATION CHECK:
|
||||
- ONLY cite evidence that appears in the ACTUAL response data above.
|
||||
- Do NOT infer, assume, or speculate about what "might" happen.
|
||||
- If the evidence is ambiguous, it is NOT confirmed.
|
||||
|
||||
Respond ONLY with JSON:
|
||||
{{
|
||||
"analysis": [
|
||||
{{
|
||||
"test_name": "Name of the test analyzed",
|
||||
"is_vulnerable": true|false,
|
||||
"confidence": "high|medium|low",
|
||||
"evidence": "EXACT string/pattern from the actual response that proves it",
|
||||
"reasoning": "Why this specific evidence proves (or disproves) the vulnerability"
|
||||
}}
|
||||
],
|
||||
"overall_vulnerable": true|false,
|
||||
"continue_testing": true|false,
|
||||
"next_round_strategy": "What to try next if continue_testing is true (or 'done' if false)",
|
||||
"summary": "One-line summary of findings"
|
||||
}}
|
||||
|
||||
CRITICAL: Set "continue_testing": true ONLY if you observed promising signals that
|
||||
warrant deeper investigation. If all tests show no vulnerability indicators, set false."""
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Pre-Stream Master Planning Prompt — AI context before parallel streams
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
def get_master_plan_prompt(
|
||||
target: str,
|
||||
initial_response: str = "",
|
||||
technologies: str = "",
|
||||
endpoints_preview: str = "",
|
||||
forms_preview: str = "",
|
||||
waf_info: str = "",
|
||||
playbook_context: str = "",
|
||||
) -> str:
|
||||
"""Build the master planning prompt executed BEFORE the 3 parallel streams.
|
||||
|
||||
This gives the AI full initial context and asks it to produce a strategic
|
||||
test plan that all 3 streams can reference for context-aware testing.
|
||||
"""
|
||||
return f"""You are a senior penetration tester planning a comprehensive security assessment.
|
||||
|
||||
## TARGET
|
||||
URL: {target}
|
||||
|
||||
## INITIAL RECONNAISSANCE
|
||||
{f"### Response Headers & Body Fingerprint" + chr(10) + initial_response if initial_response else "Initial probe not yet available."}
|
||||
|
||||
{f"### Technologies Detected" + chr(10) + technologies if technologies else "Not yet detected."}
|
||||
|
||||
{f"### Endpoints Discovered" + chr(10) + endpoints_preview if endpoints_preview else "No endpoints discovered yet."}
|
||||
|
||||
{f"### Forms Found" + chr(10) + forms_preview if forms_preview else "No forms found yet."}
|
||||
|
||||
{f"### WAF Detection" + chr(10) + waf_info if waf_info else "No WAF detected."}
|
||||
|
||||
{playbook_context}
|
||||
|
||||
## YOUR TASK
|
||||
Create a MASTER TEST PLAN for this target. This plan will guide 3 parallel testing streams:
|
||||
1. **Recon Stream** — what to look for during deeper reconnaissance
|
||||
2. **Testing Stream** — which vulnerability types to prioritize and why
|
||||
3. **Tool Stream** — which security tools would be most effective
|
||||
|
||||
Analyze the target's technology stack, response patterns, and attack surface to produce:
|
||||
|
||||
Respond ONLY with JSON:
|
||||
{{
|
||||
"target_profile": "Brief description of what this application appears to be",
|
||||
"technology_assessment": "Key technologies and their security implications",
|
||||
"attack_surface_summary": "Primary attack vectors based on initial recon",
|
||||
"priority_vuln_types": ["ordered list of 10-15 vuln types most likely to succeed"],
|
||||
"high_value_endpoints": ["endpoints that deserve the most attention"],
|
||||
"recon_guidance": {{
|
||||
"focus_areas": ["what the recon stream should specifically look for"],
|
||||
"hidden_surface_hints": ["directories, API patterns, or configs to probe"]
|
||||
}},
|
||||
"testing_strategy": {{
|
||||
"immediate_tests": ["vuln types to test RIGHT NOW on the main URL"],
|
||||
"tech_specific_tests": ["tests specific to the detected technology stack"],
|
||||
"bypass_strategies": ["WAF bypass or encoding strategies if WAF detected"]
|
||||
}},
|
||||
"tool_recommendations": {{
|
||||
"priority_tools": ["tools to run first and why"],
|
||||
"tool_arguments": ["specific flags or wordlists for this target"]
|
||||
}},
|
||||
"risk_assessment": "Overall risk level and what makes this target interesting"
|
||||
}}
|
||||
|
||||
RULES:
|
||||
- Base your analysis on ACTUAL data from the initial probe — don't speculate.
|
||||
- Prioritize vuln types by LIKELIHOOD of success on THIS specific target.
|
||||
- Consider the technology stack when recommending tests (e.g., Java → deserialization, PHP → LFI).
|
||||
- If WAF is detected, factor bypass strategies into every recommendation."""
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Junior Stream AI Payload Generation Prompt
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
def get_junior_ai_test_prompt(
|
||||
url: str,
|
||||
vuln_type: str,
|
||||
params: list,
|
||||
method: str = "GET",
|
||||
tech_context: str = "",
|
||||
master_plan_context: str = "",
|
||||
waf_info: str = "",
|
||||
) -> str:
|
||||
"""Build prompt for AI-generated payloads in Stream 2 junior testing.
|
||||
|
||||
Instead of hardcoded 3 payloads, the AI generates context-aware payloads
|
||||
tailored to the specific endpoint, parameters, and technology stack.
|
||||
"""
|
||||
# Get per-type detection strategy
|
||||
type_prompt = VULN_AI_PROMPTS.get(vuln_type, {})
|
||||
detection = type_prompt.get("detection_strategy", "")
|
||||
payload_hints = type_prompt.get("payload_selection", "")
|
||||
|
||||
params_str = ", ".join(params[:5]) if params else "unknown"
|
||||
|
||||
return f"""You are a penetration tester performing quick, targeted {vuln_type.upper()} testing.
|
||||
|
||||
## TARGET
|
||||
URL: {url}
|
||||
Method: {method}
|
||||
Parameters: {params_str}
|
||||
{f"Technologies: {tech_context}" if tech_context else ""}
|
||||
{f"WAF: {waf_info}" if waf_info else ""}
|
||||
{f"Master Plan Context: {master_plan_context}" if master_plan_context else ""}
|
||||
|
||||
{f"## DETECTION STRATEGY" + chr(10) + detection if detection else ""}
|
||||
{f"## PAYLOAD HINTS" + chr(10) + payload_hints if payload_hints else ""}
|
||||
|
||||
## YOUR TASK
|
||||
Generate 3-5 targeted {vuln_type} payloads for this specific endpoint.
|
||||
Each payload must be crafted for the actual parameters and technology stack.
|
||||
|
||||
Respond ONLY with JSON:
|
||||
{{
|
||||
"reasoning": "Brief strategy for testing this endpoint",
|
||||
"tests": [
|
||||
{{
|
||||
"param": "parameter name to inject into",
|
||||
"payload": "the actual payload string",
|
||||
"method": "GET|POST",
|
||||
"injection_point": "parameter|header|body",
|
||||
"header_name": "header name if injection_point is header",
|
||||
"success_indicator": "what to look for in response"
|
||||
}}
|
||||
]
|
||||
}}
|
||||
|
||||
RULES:
|
||||
- Use ACTUAL parameter names from the target.
|
||||
- Tailor payloads to the technology stack (don't send PHP payloads to Java apps).
|
||||
- If WAF is detected, use encoding/obfuscation in payloads.
|
||||
- Include at least one probe payload (behavior mapping) and one exploit payload.
|
||||
- Keep it fast — max 5 payloads."""
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Tool Output AI Analysis Prompt
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
def get_tool_analysis_prompt(
|
||||
tool_name: str,
|
||||
tool_output: str,
|
||||
target: str,
|
||||
existing_findings_summary: str = "",
|
||||
) -> str:
|
||||
"""Build prompt for AI analysis of security tool output in Stream 3.
|
||||
|
||||
Instead of just ingesting raw tool findings, the AI analyzes the output
|
||||
to identify real vulnerabilities, filter noise, and suggest follow-up tests.
|
||||
"""
|
||||
return f"""You are a senior penetration tester analyzing output from the security tool "{tool_name}".
|
||||
|
||||
## TARGET
|
||||
{target}
|
||||
|
||||
## TOOL OUTPUT (raw stdout/stderr)
|
||||
```
|
||||
{tool_output[:4000]}
|
||||
```
|
||||
|
||||
{f"## EXISTING FINDINGS (already confirmed)" + chr(10) + existing_findings_summary if existing_findings_summary else ""}
|
||||
|
||||
## YOUR TASK
|
||||
Analyze this tool output with expert judgment:
|
||||
|
||||
1. **True Findings**: Identify REAL vulnerabilities from the output (not informational noise)
|
||||
2. **False Positives**: Flag findings that are likely false positives and explain why
|
||||
3. **Follow-Up Tests**: Suggest manual tests to confirm ambiguous findings
|
||||
4. **Hidden Insights**: What does this output reveal about the target that isn't obvious?
|
||||
|
||||
Respond ONLY with JSON:
|
||||
{{
|
||||
"real_findings": [
|
||||
{{
|
||||
"title": "Finding title",
|
||||
"severity": "critical|high|medium|low|info",
|
||||
"vulnerability_type": "vuln_type_name",
|
||||
"endpoint": "affected URL",
|
||||
"evidence": "exact evidence from tool output",
|
||||
"confidence": "high|medium|low",
|
||||
"reasoning": "why this is a real finding"
|
||||
}}
|
||||
],
|
||||
"false_positives": [
|
||||
{{
|
||||
"title": "What the tool flagged",
|
||||
"reason": "why it's a false positive"
|
||||
}}
|
||||
],
|
||||
"follow_up_tests": [
|
||||
{{
|
||||
"test": "what to test manually",
|
||||
"vuln_type": "vuln_type_name",
|
||||
"endpoint": "URL to test",
|
||||
"rationale": "why this follow-up is needed"
|
||||
}}
|
||||
],
|
||||
"target_insights": "What this tool output reveals about the target's security posture"
|
||||
}}
|
||||
|
||||
RULES:
|
||||
- Only mark findings as "real" if the tool output contains concrete evidence.
|
||||
- Default scanner informational items (server headers, allowed methods) are NOT vulnerabilities.
|
||||
- Consider existing findings — don't flag duplicates.
|
||||
- Focus on ACTIONABLE output, not noise."""
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Recon AI Endpoint Analysis Prompt
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
def get_recon_analysis_prompt(
|
||||
target: str,
|
||||
endpoints: str,
|
||||
forms: str = "",
|
||||
technologies: str = "",
|
||||
parameters: str = "",
|
||||
js_files: str = "",
|
||||
api_endpoints: str = "",
|
||||
) -> str:
|
||||
"""Build prompt for AI analysis of recon results in Stream 1.
|
||||
|
||||
After endpoint discovery, AI analyzes the full attack surface to
|
||||
prioritize endpoints and identify hidden attack vectors.
|
||||
"""
|
||||
return f"""You are a penetration tester analyzing reconnaissance results.
|
||||
|
||||
## TARGET
|
||||
{target}
|
||||
|
||||
## DISCOVERED ENDPOINTS
|
||||
{endpoints}
|
||||
|
||||
{f"## FORMS" + chr(10) + forms if forms else ""}
|
||||
{f"## TECHNOLOGIES" + chr(10) + technologies if technologies else ""}
|
||||
{f"## PARAMETERS" + chr(10) + parameters if parameters else ""}
|
||||
{f"## JAVASCRIPT FILES" + chr(10) + js_files if js_files else ""}
|
||||
{f"## API ENDPOINTS" + chr(10) + api_endpoints if api_endpoints else ""}
|
||||
|
||||
## YOUR TASK
|
||||
Analyze this reconnaissance data as a penetration tester would:
|
||||
|
||||
1. **Endpoint Prioritization**: Rank endpoints by attack potential
|
||||
2. **Hidden Surface**: Identify probable hidden endpoints or patterns
|
||||
3. **Parameter Analysis**: Flag high-risk parameters based on naming conventions
|
||||
4. **Technology Vulnerabilities**: Map technologies to known vulnerability classes
|
||||
5. **Attack Chains**: Identify potential multi-step attack paths
|
||||
|
||||
Respond ONLY with JSON:
|
||||
{{
|
||||
"high_priority_endpoints": [
|
||||
{{
|
||||
"url": "endpoint URL",
|
||||
"risk_score": 1-10,
|
||||
"reason": "why this endpoint is high priority",
|
||||
"suggested_vuln_types": ["vuln types to test"]
|
||||
}}
|
||||
],
|
||||
"hidden_endpoints_to_probe": [
|
||||
{{
|
||||
"url": "URL pattern to try",
|
||||
"rationale": "why this might exist"
|
||||
}}
|
||||
],
|
||||
"high_risk_parameters": [
|
||||
{{
|
||||
"param": "parameter name",
|
||||
"endpoint": "where found",
|
||||
"risk_type": "what kind of injection it's susceptible to",
|
||||
"priority": "high|medium|low"
|
||||
}}
|
||||
],
|
||||
"tech_vuln_mapping": [
|
||||
{{
|
||||
"technology": "tech name",
|
||||
"vuln_types": ["relevant vuln types"],
|
||||
"specific_tests": ["targeted test recommendations"]
|
||||
}}
|
||||
],
|
||||
"attack_chains": [
|
||||
{{
|
||||
"chain": "Step 1 → Step 2 → Impact",
|
||||
"starting_point": "where to begin"
|
||||
}}
|
||||
],
|
||||
"additional_recon_suggestions": ["What else to look for"]
|
||||
}}
|
||||
|
||||
RULES:
|
||||
- Base ALL analysis on the actual data provided — don't invent endpoints.
|
||||
- Prioritize by LIKELIHOOD of exploitation, not theoretical severity.
|
||||
- Consider technology-specific vulnerabilities (e.g., Spring → actuator, WordPress → wp-admin).
|
||||
- Flag parameters like 'url', 'file', 'path', 'redirect', 'callback', 'template' as high-risk."""
|
||||
|
||||
@@ -268,6 +268,41 @@ belongs to another user or represents privileged information. When in doubt, do
|
||||
three-way comparison: (1) your data, (2) target ID as you, (3) target ID as target user."""
|
||||
|
||||
|
||||
PROMPT_ITERATIVE_TESTING = """## ITERATIVE TESTING (OBSERVE → ADAPT → EXPLOIT)
|
||||
|
||||
You are testing ITERATIVELY. Each round, you see the actual server responses from your
|
||||
previous tests. Use this feedback to refine your attack.
|
||||
|
||||
OBSERVE → HYPOTHESIZE → TEST → ANALYZE → ADAPT:
|
||||
|
||||
1. OBSERVE: Study the response carefully — status code, headers, body content, timing.
|
||||
What does the server actually DO with your input?
|
||||
|
||||
2. HYPOTHESIZE: Based on observed behavior, form a specific hypothesis:
|
||||
- "Parameter reflects input unencoded → likely XSS"
|
||||
- "Single quote causes 500 → backend SQL parsing fails → try error-based SQLi"
|
||||
- "Different response for id=1 vs id=2 → possible IDOR"
|
||||
- "Response includes external URL content → SSRF confirmed, try internal targets"
|
||||
|
||||
3. TEST: Design your next test to confirm or deny the hypothesis.
|
||||
Target the SPECIFIC behavior you observed — don't spray generic payloads.
|
||||
|
||||
4. ANALYZE: Did the hypothesis hold? What new information did you learn?
|
||||
- Error message leaked DB type → now try DB-specific injection syntax
|
||||
- WAF blocked <script> → try event handlers, SVG, or encoding bypass
|
||||
- Parameter reflected but encoded → try double encoding or context escape
|
||||
|
||||
5. ADAPT: Refine your approach based on all accumulated evidence.
|
||||
Each round should be MORE targeted than the last.
|
||||
|
||||
RULES:
|
||||
- NEVER repeat the same payload twice.
|
||||
- NEVER ignore server responses — they contain the clues.
|
||||
- ALWAYS explain your reasoning: "I observed X, therefore I'm trying Y."
|
||||
- When you find something promising, ESCALATE: probe deeper, not wider.
|
||||
- If 3 rounds produce no results, the endpoint is likely NOT vulnerable to this type."""
|
||||
|
||||
|
||||
PROMPT_OFFENSIVE_MINDSET = """## OFFENSIVE MINDSET (MID-LEVEL PENTESTER)
|
||||
|
||||
You are a MID-LEVEL penetration tester, not a vulnerability scanner.
|
||||
@@ -442,11 +477,17 @@ PROMPT_CATALOG: Dict[str, Dict] = {
|
||||
"content": PROMPT_ACCESS_CONTROL_INTELLIGENCE,
|
||||
"contexts": ["testing", "verification", "confirmation"],
|
||||
},
|
||||
"iterative_testing": {
|
||||
"id": "iterative_testing",
|
||||
"title": "Iterative Testing (Observe → Adapt → Exploit)",
|
||||
"content": PROMPT_ITERATIVE_TESTING,
|
||||
"contexts": ["deep_testing"],
|
||||
},
|
||||
"offensive_mindset": {
|
||||
"id": "offensive_mindset",
|
||||
"title": "Offensive Mindset (Mid-Level Pentester)",
|
||||
"content": PROMPT_OFFENSIVE_MINDSET,
|
||||
"contexts": ["testing", "strategy"],
|
||||
"contexts": ["testing", "strategy", "deep_testing"],
|
||||
},
|
||||
"architecture_analysis": {
|
||||
"id": "architecture_analysis",
|
||||
@@ -537,6 +578,18 @@ CONTEXT_PROMPTS: Dict[str, List[str]] = {
|
||||
"think_like_pentester",
|
||||
"anti_severity_inflation",
|
||||
],
|
||||
# Deep testing: AI-driven iterative testing loop (observe → plan → test → analyze → adapt)
|
||||
"deep_testing": [
|
||||
"anti_hallucination",
|
||||
"anti_scanner",
|
||||
"proof_of_execution",
|
||||
"think_like_pentester",
|
||||
"offensive_mindset",
|
||||
"method_variation",
|
||||
"iterative_testing",
|
||||
"negative_controls",
|
||||
"operational_humility",
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user