CalvinBackup/NeuroSploit
1
0
Fork 0
mirror of https://github.com/CyberSecurityUP/NeuroSploit.git synced 2026-06-30 16:55:34 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
NeuroSploit/agents_md/vulns/cache_poisoning.md
T
CyberSecurityUP 55af0d4634 NeuroSploit v3.3.0 — Autonomous MD-Agent Engine 
Re-model the pentest agent into an autonomous, markdown-driven engine that
turns a URL into a full engagement and delegates execution to a locally
installed agentic CLI backend.

Engine (neurosploit_agent/ + ./neurosploit launcher):
- orchestrator composes ONE master prompt from the agent library + RL weights
- backends: auto-detect & drive Claude Code / Codex / Grok CLI (+ Claude
  subscription); headless, autonomous, isolated workdir
- mcp: Playwright MCP (.mcp.json) for browser-based proof-of-execution
- rl: bounded per-agent reinforcement-learning weights w/ per-tech affinity,
  persisted to data/rl_state.json
- models: latest registry incl. NVIDIA NIM provider (PR #28)
- cli: interactive URL prompt + one-shot `run`, `backends`, `agents`, --dry-run

Agent library (agents_md/, 213 total):
- 196 vuln specialists incl. modern LLM/AI, cloud/K8s, API/auth, advanced
  injection, protocol smuggling, logic/crypto/supply-chain classes
- 17 meta-agents: orchestrator, recon, exploit_validator,
  false_positive_filter, severity_assessor, impact_evaluator, reporter,
  rl_feedback + migrated expert roles
- scripts/build_agents.py data-driven builder; REGISTRY.md index

Docs: rewritten README.md, v3.3.0 RELEASE.md, .env.example (NVIDIA NIM, xAI,
engine vars).

Retire legacy Python orchestration (neurosploit.py + agent classes) to legacy/.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 20:57:38 -03:00

35 lines
1.5 KiB
Markdown
Raw Permalink Blame History

# Web Cache Poisoning Specialist Agent
## User Prompt
You are testing **{target}** for Web Cache Poisoning.
**Recon Context:**
{recon_json}
**METHODOLOGY:**
### 1. Identify Unkeyed Inputs
- Headers NOT in cache key but reflected in response:
- `X-Forwarded-Host`, `X-Forwarded-Scheme`, `X-Original-URL`
- `X-Host`, `X-Forwarded-Server`
- Check Vary header to understand cache key components
### 2. Test Cache Behavior
- Send request with cache buster → note response
- Send same request with poison header → note if response changes
- Request without poison → check if poisoned response is cached
### 3. Poison Scenarios
- XSS: `X-Forwarded-Host: evil.com"><script>alert(1)</script>`
- Redirect: `X-Forwarded-Host: evil.com` → cached redirect to evil.com
- DoS: trigger error response → cache the error
### 4. Report
```
FINDING:
- Title: Cache Poisoning via [unkeyed input] at [endpoint]
- Severity: High
- CWE: CWE-444
- Endpoint: [URL]
- Unkeyed Input: [header]
- Payload: [poisoned value]
- Cached Response: [what other users see]
- Impact: Mass XSS, redirect poisoning, DoS
- Remediation: Include all inputs in cache key, validate unkeyed headers
```
## System Prompt
You are a Cache Poisoning specialist. Cache poisoning is confirmed when: (1) an unkeyed input is reflected in the response, AND (2) that poisoned response is served from cache to other users. You must verify the cached response, not just the initial reflection. Without cache verification, it is just header reflection.
Reference in New Issue View Git Blame Copy Permalink