mirror of
https://github.com/CyberSecurityUP/NeuroSploit.git
synced 2026-07-10 13:18:39 +02:00
train agent with bug-bounty techniques: methodology meta-agent + recon tricks
- New meta/bugbounty_methodology.md (library 398): distilled high-signal techniques from public writeups (HackerOne Hacktivity, KingOfBugBounty, Awesome-Bugbounty- Writeups, bug-bounty-reference, top hunters) — hunter mindset + per-class tricks (IDOR/BOLA, 403 bypass, account takeover, SSRF->cloud, business logic/race, cache poisoning, subdomain takeover, GraphQL), chaining and reporting. - RECON_SYS gains KingOfBugBounty-style recon: subdomain enum (crt.sh/subfinder/ amass->httpx), historical URLs (gau/waybackurls/katana), gf patterns, param mining (arjun+JS/wayback), content discovery (ffuf/feroxbuster), classic exposure checks (.git/.env/swagger/actuator, dangling CNAMEs). Degrades to installed tools. - Docs: counts 397->398, RELEASE note.
This commit is contained in:
@@ -11,7 +11,7 @@
|
|||||||
<img src="https://img.shields.io/badge/Version-3.5.5-blue?style=flat-square">
|
<img src="https://img.shields.io/badge/Version-3.5.5-blue?style=flat-square">
|
||||||
<img src="https://img.shields.io/badge/Harness-Rust%20%7C%20tokio-e6b673?style=flat-square">
|
<img src="https://img.shields.io/badge/Harness-Rust%20%7C%20tokio-e6b673?style=flat-square">
|
||||||
<img src="https://img.shields.io/badge/License-MIT-green?style=flat-square">
|
<img src="https://img.shields.io/badge/License-MIT-green?style=flat-square">
|
||||||
<img src="https://img.shields.io/badge/MD%20Agents-397-red?style=flat-square">
|
<img src="https://img.shields.io/badge/MD%20Agents-398-red?style=flat-square">
|
||||||
<img src="https://img.shields.io/badge/Models-14%20providers-success?style=flat-square">
|
<img src="https://img.shields.io/badge/Models-14%20providers-success?style=flat-square">
|
||||||
<img src="https://img.shields.io/badge/Modes-Black%20%7C%20White%20%7C%20Grey%20%7C%20Host-9cf?style=flat-square">
|
<img src="https://img.shields.io/badge/Modes-Black%20%7C%20White%20%7C%20Grey%20%7C%20Host-9cf?style=flat-square">
|
||||||
<img src="https://img.shields.io/badge/Auth-API%20key%20%7C%20Subscription-orange?style=flat-square">
|
<img src="https://img.shields.io/badge/Auth-API%20key%20%7C%20Subscription-orange?style=flat-square">
|
||||||
@@ -44,7 +44,7 @@ LLMs** — via **API key** or local **subscription** (Claude Code / Codex / Gemi
|
|||||||
Grok) — recons the target, **intelligently selects only the agents that match the
|
Grok) — recons the target, **intelligently selects only the agents that match the
|
||||||
discovered surface**, runs them in parallel, **chains** findings into deeper
|
discovered surface**, runs them in parallel, **chains** findings into deeper
|
||||||
impact, and **validates every claim by cross-model voting + tool-receipt
|
impact, and **validates every claim by cross-model voting + tool-receipt
|
||||||
grounding** before reporting. It ships **397 markdown agents** and a **Mission
|
grounding** before reporting. It ships **398 markdown agents** and a **Mission
|
||||||
Control TUI**.
|
Control TUI**.
|
||||||
|
|
||||||
### Engagement modes
|
### Engagement modes
|
||||||
|
|||||||
+16
@@ -102,6 +102,22 @@ interactive line-editing.
|
|||||||
- **Rate-limit testing** is a first-class control check (small non-disruptive
|
- **Rate-limit testing** is a first-class control check (small non-disruptive
|
||||||
burst → look for 429/lockout/Retry-After), never a DoS.
|
burst → look for 429/lockout/Retry-After), never a DoS.
|
||||||
|
|
||||||
|
## Bug-bounty methodology & recon tricks
|
||||||
|
|
||||||
|
- **Bug-bounty methodology meta-agent** (`agents_md/meta/bugbounty_methodology.md`,
|
||||||
|
library **398**) — distilled, high-signal techniques from public writeups
|
||||||
|
(HackerOne Hacktivity, KingOfBugBounty tips, Awesome-Bugbounty-Writeups,
|
||||||
|
bug-bounty-reference and top hunters' reports): the hunter *mindset* plus the
|
||||||
|
concrete per-class tricks (IDOR/BOLA, 403 bypass, account takeover, SSRF→cloud,
|
||||||
|
business logic/race, cache poisoning, subdomain takeover, GraphQL) and how to
|
||||||
|
chain and report them — depth and proof over scanner breadth.
|
||||||
|
- **Recon upgraded with KingOfBugBounty-style tricks** — `RECON_SYS` now expands
|
||||||
|
scope (subdomains via crt.sh/subfinder/amass → httpx), harvests historical URLs
|
||||||
|
(gau/waybackurls/katana), filters with `gf` patterns, mines params (arjun +
|
||||||
|
JS/wayback), content-discovers (ffuf/feroxbuster), and checks classic exposures
|
||||||
|
(.git/.env/swagger/actuator, dangling CNAMEs). Degrades gracefully to what's
|
||||||
|
installed; prioritises auth/reset/payment/upload/admin/export flows.
|
||||||
|
|
||||||
## EOL / End-of-Support exploitation
|
## EOL / End-of-Support exploitation
|
||||||
|
|
||||||
- **+8 EOL agents** (library **397**) that detect components past their vendor
|
- **+8 EOL agents** (library **397**) that detect components past their vendor
|
||||||
|
|||||||
+3
-3
@@ -40,7 +40,7 @@ You give NeuroSploit a **target** (URL, repo, app, or host/IP). It:
|
|||||||
|
|
||||||
1. **Recons** the target with real tools (curl/nmap/…).
|
1. **Recons** the target with real tools (curl/nmap/…).
|
||||||
2. **Intelligently selects** only the agents whose preconditions match the recon
|
2. **Intelligently selects** only the agents whose preconditions match the recon
|
||||||
(it does *not* blindly run all 397).
|
(it does *not* blindly run all 398).
|
||||||
3. **Exploits** in parallel — each agent works in a ReAct loop and must prove its
|
3. **Exploits** in parallel — each agent works in a ReAct loop and must prove its
|
||||||
claim with a **tool receipt** (raw output).
|
claim with a **tool receipt** (raw output).
|
||||||
4. **Validates** every candidate by **cross-model voting** (a different model
|
4. **Validates** every candidate by **cross-model voting** (a different model
|
||||||
@@ -99,7 +99,7 @@ Agents **degrade gracefully**: if `rustscan` is absent they use `nmap`; if neith
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
neurosploit --version # neurosploit 3.5.5
|
neurosploit --version # neurosploit 3.5.5
|
||||||
neurosploit agents # {"vulns":196,...,"chains":12,"total":397}
|
neurosploit agents # {"vulns":196,...,"chains":12,"total":398}
|
||||||
neurosploit models # all providers & models
|
neurosploit models # all providers & models
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -535,7 +535,7 @@ built from SAST/dataflow), so uncertainty becomes *path reachability*, not state
|
|||||||
|
|
||||||
## 13. The agent library
|
## 13. The agent library
|
||||||
|
|
||||||
`agents_md/` holds **397** markdown agents in categories:
|
`agents_md/` holds **398** markdown agents in categories:
|
||||||
|
|
||||||
| Category | Dir | Count | Purpose |
|
| Category | Dir | Count | Purpose |
|
||||||
|----------|-----|-------|---------|
|
|----------|-----|-------|---------|
|
||||||
|
|||||||
@@ -0,0 +1,73 @@
|
|||||||
|
# Bug-Bounty Methodology Agent
|
||||||
|
|
||||||
|
> Meta-agent (v3.5.5 doctrine). Distilled, high-signal techniques from public
|
||||||
|
> bug-bounty writeups (HackerOne Hacktivity, KingOfBugBounty tips, Awesome-Bugbounty
|
||||||
|
> Writeups, bug-bounty-reference, and top hunters' reports). This is the *mindset
|
||||||
|
> and the concrete tricks* that separate a real bug from a scanner ping — it steers
|
||||||
|
> recon and exploitation, it is not a scanner. Authorized testing only.
|
||||||
|
|
||||||
|
## User Prompt
|
||||||
|
For **{target}**, apply the bug-bounty hunter methodology below to find HIGH-IMPACT,
|
||||||
|
reportable issues that automated scanners miss. Prioritise depth, chaining and
|
||||||
|
proof over breadth.
|
||||||
|
|
||||||
|
**Recon Context:**
|
||||||
|
{recon_json}
|
||||||
|
|
||||||
|
## METHODOLOGY — how top hunters actually find bugs
|
||||||
|
|
||||||
|
### 1. Recon that finds the real surface (KingOfBugBounty-style)
|
||||||
|
- **Expand scope**: enumerate subdomains (crt.sh, `subfinder`/`amass`, cert transparency),
|
||||||
|
resolve live ones (`httpx`/`httprobe`), and grab historical URLs (`gau`, `waybackurls`,
|
||||||
|
`katana`) — old/forgotten endpoints and staging hosts are where the easy wins live.
|
||||||
|
- **Mine JavaScript**: download every JS bundle, extract endpoints/paths, API routes,
|
||||||
|
GraphQL, secrets/keys, and `sourceMappingURL` (fetch `.map` to recover source). Tools:
|
||||||
|
`linkfinder`, `getJS`, `gf` patterns (`gf ssrf`, `gf redirect`, `gf xss`, `gf sqli`).
|
||||||
|
- **Parameter discovery**: `arjun`/param-mining + params seen in JS/wayback; test each
|
||||||
|
with the fitting attack. Look for `url=`,`next=`,`redirect=`,`file=`,`path=`,`id=`,
|
||||||
|
`callback=`,`domain=`,`dest=`,`html=`.
|
||||||
|
- **Google/GitHub dorking**: `site:target ext:php|json|log`, exposed `.git/.env/.json`,
|
||||||
|
and GitHub for leaked keys/internal repos.
|
||||||
|
- **Content discovery**: `ffuf`/`feroxbuster` with a good wordlist on each host + vhost
|
||||||
|
fuzzing; check `/api`, `/v1`, `/graphql`, `/actuator`, `/.git`, `/swagger`, `/debug`.
|
||||||
|
|
||||||
|
### 2. The bugs that pay (per-class hunter tricks)
|
||||||
|
- **IDOR/BOLA** (most common high-impact): swap object IDs (numeric ±1, UUID from another
|
||||||
|
account, encoded ids), change ids in JSON/GraphQL, try the object under a sibling
|
||||||
|
endpoint, and switch the HTTP method. Compare a low-priv user vs another user's object.
|
||||||
|
- **Access-control / 403 bypass**: verb tampering, path tricks (`//`,`/.`,`%2e`,`;`,`..;/`,
|
||||||
|
trailing dot/space), header spoofing (`X-Original-URL`,`X-Rewrite-URL`,`X-Forwarded-For/Host`,
|
||||||
|
`Referer`), and hitting the API directly behind the UI.
|
||||||
|
- **Account takeover**: password-reset poisoning (`Host`/`X-Forwarded-Host` in the reset
|
||||||
|
link), reset-token leakage/predictability, response manipulation, OAuth `redirect_uri`
|
||||||
|
and `state` abuse, and pre-account-takeover via email change without verification.
|
||||||
|
- **SSRF**: `url`/`webhook`/`image`/`callback` params → hit `169.254.169.254` (AWS),
|
||||||
|
`metadata.google.internal` (GCP), `localhost`/internal ranges; try DNS rebinding, gopher,
|
||||||
|
and blind SSRF via OOB. Chain to cloud creds → account compromise.
|
||||||
|
- **XSS that matters**: DOM sinks (`innerHTML`, `location`, `bypassSecurityTrust*`), stored
|
||||||
|
over reflected, blind XSS via a collaborator, and chaining XSS → CSRF token theft →
|
||||||
|
account takeover. Prove execution in a real browser.
|
||||||
|
- **Subdomain takeover**: dangling CNAMEs to unclaimed S3/GitHub Pages/Heroku/Azure/etc.
|
||||||
|
- **Business logic**: negative/huge quantities, price/currency tampering, coupon reuse,
|
||||||
|
race conditions (parallel requests) on balance/coupon/invite, and workflow step-skipping.
|
||||||
|
- **Web cache poisoning / deception**: unkeyed headers (`X-Forwarded-Host`, `X-Forwarded-Scheme`)
|
||||||
|
reflected+cached; path-confusion caching of authenticated pages.
|
||||||
|
- **GraphQL**: introspection, field suggestion, batching/aliasing abuse, and IDOR via node ids.
|
||||||
|
- **SSRF/CSRF/clickjacking**: build the PoC artifact and prove the state change / framing.
|
||||||
|
|
||||||
|
### 3. Chain, don't stop
|
||||||
|
- Combine findings: info-leak → creds → auth → IDOR → privesc → data/RCE. A single
|
||||||
|
medium chained into account/tenant takeover is a Critical. Reuse every token/session.
|
||||||
|
|
||||||
|
### 4. Report like a hunter
|
||||||
|
- Clear title, severity, precise steps, the two requests (control vs exploit), a working
|
||||||
|
PoC, real impact, and remediation. No theory — only what you proved with a receipt.
|
||||||
|
|
||||||
|
## System Prompt
|
||||||
|
You are a top-tier bug-bounty hunter. You think in terms of REAL, reportable impact:
|
||||||
|
IDOR/BOLA, account takeover, SSRF→cloud, access-control bypass, business-logic and
|
||||||
|
chains — not scanner noise. You recon deeply (subdomains, JS, params, wayback), pick
|
||||||
|
the technique from the observed response, always try the next step and the chain, and
|
||||||
|
prove every claim with a concrete receipt and (when needed) a working PoC. Authorized
|
||||||
|
engagement; read-only proof; mask PII; never destructive/DoS. Credits: Joas A Santos &
|
||||||
|
Red Team Leaders.
|
||||||
@@ -28,7 +28,8 @@ const RECON_SYS: &str = "You are an elite web recon specialist on an AUTHORIZED
|
|||||||
- Fingerprint the tech stack and EXACT versions (server, framework, libraries, CMS, JS libs) from headers, HTML, asset paths and JS.\n\
|
- Fingerprint the tech stack and EXACT versions (server, framework, libraries, CMS, JS libs) from headers, HTML, asset paths and JS.\n\
|
||||||
- Analyze responses deeply: status codes, ALL headers, Set-Cookie flags, verbose errors/stack traces, content types, and length/timing differentials.\n\
|
- Analyze responses deeply: status codes, ALL headers, Set-Cookie flags, verbose errors/stack traces, content types, and length/timing differentials.\n\
|
||||||
- Map auth (cookie/JWT/OAuth), APIs (REST & GraphQL), and any dev/staging/internal hosts referenced anywhere.\n\
|
- Map auth (cookie/JWT/OAuth), APIs (REST & GraphQL), and any dev/staging/internal hosts referenced anywhere.\n\
|
||||||
Base everything on real observed responses — never assume. Reply with a COMPACT JSON object with keys {tech, versions, endpoints, params, apis, auth, js_findings, secrets, hosts, notes}. No prose.";
|
- BUG-BOUNTY RECON TRICKS (use what's installed; degrade gracefully): expand scope — subdomains via crt.sh / `subfinder` / `amass`, resolve live with `httpx`/`httprobe`; harvest historical URLs with `gau` / `waybackurls` / `katana` (old & forgotten endpoints, staging); filter interesting URLs with `gf` patterns (ssrf, redirect, xss, sqli, idor); discover params with `arjun` + params seen in JS/wayback; content-discovery with `ffuf`/`feroxbuster` on each host and vhost; check `/.git`,`/.env`,`/api`,`/v1`,`/graphql`,`/swagger`,`/actuator`,`/debug`, and dangling CNAMEs (subdomain takeover). Prioritise auth/reset/payment/upload/admin/export flows.\n\
|
||||||
|
Base everything on real observed responses — never assume. Reply with a COMPACT JSON object with keys {tech, versions, endpoints, params, apis, auth, js_findings, secrets, hosts, subdomains, wayback_hits, notes}. No prose.";
|
||||||
|
|
||||||
/// Operator directives (focus instructions + auth material) prepended to
|
/// Operator directives (focus instructions + auth material) prepended to
|
||||||
/// recon/exploit prompts so the engagement is steered as the user asked.
|
/// recon/exploit prompts so the engagement is steered as the user asked.
|
||||||
|
|||||||
Reference in New Issue
Block a user