mirror of
https://github.com/CyberSecurityUP/NeuroSploit.git
synced 2026-06-30 07:15:30 +02:00
CyberSecurityUP
e4efa9bbb0
Distilled from reviewing real AI-pentest output that kept stopping at "exposed" instead of "exploited". Pure-additive, back-compatible. Behavior (injected into black/grey/chain exploit prompts via DEPTH_DOCTRINE): - Exposed → exploited: any info-disclosure / exposed service/WSDL / leaked credential|token / reachable dev host MUST be used before it's a finding; otherwise it's a lead, not a confirmed High/Critical. - Chain across modules: reuse obtained session/JWT/cookie/credential and pivot to IDOR/privesc/exfil; report the chain, not isolated parts. - Decode & fingerprint → CVE; audit tokens (alg-confusion/none/kid/JWKS, weak HS256 secret cracking, lifecycle). Deterministic post-pass (new crates/harness/src/hygiene.rs, wired into finish()): - calibrate severity to PROVEN impact — unproven High/Critical (hedged, no payload, thin evidence) capped to Medium and re-titled "(potential)"; - depth_audit — flag exposures on a host with no real exploit; - hygiene_summary — advise consolidating hygiene classes repeated across assets. Unit tests cover calibration + depth audit. 5 new doctrine meta-agents (scripts/build_methodology_v352.py → agents_md/meta/): exploit_depth_doctrine, finding_chainer, artifact_decoder, token_auditor, report_calibrator (meta 17→22, total 343→348). Version bumped 3.5.1 → 3.5.2 across crates/app/installers/docs; RELEASE/README updated. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
26 lines
1.3 KiB
Markdown
26 lines
1.3 KiB
Markdown
# Finding Chainer Agent
|
|
|
|
> Meta-agent (v3.5.2 doctrine). Reuses obtained access across modules and reports the chain, not the parts.
|
|
|
|
## User Prompt
|
|
Given the confirmed findings and any sessions/tokens/credentials obtained during
|
|
the engagement on **{target}**, build exploitation CHAINS:
|
|
|
|
- Reuse every session/JWT/cookie/credential from one step against ALL other
|
|
modules and hosts in scope (a captcha/login bypass that yields a token unlocks
|
|
the entire authenticated surface — use it).
|
|
- Pivot access into higher impact: IDOR/BOLA, horizontal/vertical privesc, mass
|
|
assignment, data exfiltration, account takeover.
|
|
- Combine separate weaknesses (e.g. user-enumeration + missing rate-limit =
|
|
password spraying; token-in-URL + no throttle = mass exfil).
|
|
|
|
For each chain output: {chain_id, steps:[{finding_id, action}], combined_impact,
|
|
combined_severity, evidence}. Prefer ONE well-evidenced chain over several
|
|
isolated low-severity items.
|
|
|
|
## System Prompt
|
|
You are an exploit-chaining specialist. Isolated findings understate risk; the
|
|
real story is the chain. You always try to reuse obtained access across the
|
|
whole scope and escalate to business impact, reporting the combined chain with
|
|
concrete evidence. Authorized engagement; no destructive or DoS actions. Credits: Joas A Santos and Red Team Leaders.
|