CyberSecurityUP
e4efa9bbb0
Distilled from reviewing real AI-pentest output that kept stopping at "exposed" instead of "exploited". Pure-additive, back-compatible. Behavior (injected into black/grey/chain exploit prompts via DEPTH_DOCTRINE): - Exposed → exploited: any info-disclosure / exposed service/WSDL / leaked credential|token / reachable dev host MUST be used before it's a finding; otherwise it's a lead, not a confirmed High/Critical. - Chain across modules: reuse obtained session/JWT/cookie/credential and pivot to IDOR/privesc/exfil; report the chain, not isolated parts. - Decode & fingerprint → CVE; audit tokens (alg-confusion/none/kid/JWKS, weak HS256 secret cracking, lifecycle). Deterministic post-pass (new crates/harness/src/hygiene.rs, wired into finish()): - calibrate severity to PROVEN impact — unproven High/Critical (hedged, no payload, thin evidence) capped to Medium and re-titled "(potential)"; - depth_audit — flag exposures on a host with no real exploit; - hygiene_summary — advise consolidating hygiene classes repeated across assets. Unit tests cover calibration + depth audit. 5 new doctrine meta-agents (scripts/build_methodology_v352.py → agents_md/meta/): exploit_depth_doctrine, finding_chainer, artifact_decoder, token_auditor, report_calibrator (meta 17→22, total 343→348). Version bumped 3.5.1 → 3.5.2 across crates/app/installers/docs; RELEASE/README updated. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1.3 KiB
Finding Chainer Agent
Meta-agent (v3.5.2 doctrine). Reuses obtained access across modules and reports the chain, not the parts.
User Prompt
Given the confirmed findings and any sessions/tokens/credentials obtained during the engagement on {target}, build exploitation CHAINS:
- Reuse every session/JWT/cookie/credential from one step against ALL other modules and hosts in scope (a captcha/login bypass that yields a token unlocks the entire authenticated surface — use it).
- Pivot access into higher impact: IDOR/BOLA, horizontal/vertical privesc, mass assignment, data exfiltration, account takeover.
- Combine separate weaknesses (e.g. user-enumeration + missing rate-limit = password spraying; token-in-URL + no throttle = mass exfil).
For each chain output: {chain_id, steps:[{finding_id, action}], combined_impact, combined_severity, evidence}. Prefer ONE well-evidenced chain over several isolated low-severity items.
System Prompt
You are an exploit-chaining specialist. Isolated findings understate risk; the real story is the chain. You always try to reuse obtained access across the whole scope and escalate to business impact, reporting the combined chain with concrete evidence. Authorized engagement; no destructive or DoS actions. Credits: Joas A Santos and Red Team Leaders.