pwn 0.5.538 → 0.5.539

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d9ce21b1d507091646c3ec3f4099bf500fc60c2501864e8b41ee5fe5ac7e9d6a
-  data.tar.gz: 9bbef9c3e5daef59c2b471d6598f9b6815a1437d825870c9a0103830653176a4
+  metadata.gz: 28e2d9f826bd3fdd281a2fb31c794596390e7a8c933503c16d4af32862b1584a
+  data.tar.gz: b3aa66dd40f8c2bba18b9ac1a9192dde92e906962fad90ae9d063e78e8a8d5a7
 SHA512:
-  metadata.gz: 8293c431567a0b0bd78a1394950a89f8ff5a444c00f553c24f9e9452262d5b78f76302da7afba9abc11626d1a9f0a18cde9f261eba87ba4db95b4f200119b81c
-  data.tar.gz: '03961baac23048d18dea46f56206e316990f5d7bdfcc2206b2a2761e194a7535ee6ef1a0e92b635c66908c3f50df5ed9bef865109a81f05d8a8ec6ce51251791'
+  metadata.gz: bc3dc9ce7e3ff1cb2b83e65e352efaf0d2fc838f34cb606e810deae54c6b5e9b2fc70b2d0f254b7a797d737abdf2381342a5bda71e8b53eeaabea36d8466bb97
+  data.tar.gz: cd0a2c06cf19d4d4c432bb8a45b9b910f07d575af9290658e7abe2934431256e966c904051ee2b372e861259a6a54d0753050b04386258b03ed0637274d7adc3

data/README.md

@@ -37,7 +37,7 @@ $ cd /opt/pwn
 $ ./install.sh
 $ ./install.sh ruby-gem
 $ pwn
-pwn[v0.5.538]:001 >>> PWN.help
+pwn[v0.5.539]:001 >>> PWN.help
 ```
 
 [![Installing the pwn Security Automation Framework](https://raw.githubusercontent.com/0dayInc/pwn/master/documentation/pwn_install.png)](https://youtu.be/G7iLUY4FzsI)
@@ -52,7 +52,7 @@ $ rvm use ruby-4.0.1@pwn
 $ gem uninstall --all --executables pwn
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.5.538]:001 >>> PWN.help
+pwn[v0.5.539]:001 >>> PWN.help
 ```
 
 If you're using a multi-user install of RVM do:
@@ -62,7 +62,7 @@ $ rvm use ruby-4.0.1@pwn
 $ rvmsudo gem uninstall --all --executables pwn
 $ rvmsudo gem install --verbose pwn
 $ pwn
-pwn[v0.5.538]:001 >>> PWN.help
+pwn[v0.5.539]:001 >>> PWN.help
 ```
 
 PWN periodically upgrades to the latest version of Ruby which is reflected in `/opt/pwn/.ruby-version`.  The easiest way to upgrade to the latest version of Ruby from a previous PWN installation is to run the following script:

data/lib/pwn/ai/agent/burp_suite.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module PWN
+  module AI
+    module Agent
+      # This module is an AI agent designed to analyze HTTP request/response pairs and WebSocket messages for high-impact vulnerabilities, with a focus on XSS and related issues. It provides detailed analysis and generates PoCs for identified vulnerabilities.
+      module BurpSuite
+        # Supported Method Parameters::
+        # ai_analysis = PWN::AI::Agent::BurpSuite.analyze(
+        #   request: 'required HTTP request/response pair or WebSocket message as a string'
+        # )
+
+        public_class_method def self.analyze(opts = {})
+          request = opts[:request]
+          raise 'ERROR: request parameter is required' if request.nil? || request.empty?
+
+          system_role_content = '
+            Your expertise lies in dissecting HTTP request/response pairs and WebSocket messages to identify high-impact vulnerabilities, including but not limited to XSS (reflected, stored, DOM-based), CSRF, SSRF, IDOR, open redirects, CORS misconfigurations, authentication bypasses, SQLi/NoSQLi, command/code injection, business logic flaws, race conditions, and API abuse. You prioritize zero-days and novel chains, always focusing on exploitability, impact (e.g., account takeover, data exfiltration, RCE), and reproducibility.
+
+            During analysis:
+
+            1. **Parse and Contextualize Traffic**:
+               - Break down every element: HTTP method, URI (path, query parameters), headers (e.g., Host, User-Agent, Cookies, Authorization, Referer, Origin, Content-Type), request body (e.g., form data, JSON payloads), response status code, response headers, and response body (HTML, JSON, XML, etc.).
+               - Identify dynamic elements: User-controlled inputs (e.g., query params, POST data, headers like X-Forwarded-For), server-side echoes, redirects, and client-side processing.
+               - Trace data flow: Map how inputs propagate from request to response, including any client-side JavaScript execution where exploitation may be possible in the client without communicating with the server (e.g. DOM-XSS).
+
+            2. **Vulnerability Hunting Framework**:
+               - **Input Validation & Sanitization**: Check for unescaped/lack of encoding in outputs (e.g., HTML context for XSS, URL context for open redirects).
+               - **XSS Focus**: Hunt for sinks like innerHTML/outerHTML, document.write, eval, setTimeout/setInterval with strings, location.href/assign/replace, and history.pushState. Test payloads like <script>alert(1)</script>, javascript:alert(1), and polyglots. For DOM-based, simulate client-side execution.
+               - **JavaScript Library Analysis**: If JS is present (e.g., in response body or referenced scripts), deobfuscate and inspect:
+                 - Objects/properties that could clobber DOM (e.g., window.name, document.cookie manipulation leading to prototype pollution).
+                 - DOM XSS vectors: Analyze event handlers, querySelector, addEventListener with unsanitized data from location.hash/search, postMessage, or localStorage.
+                 - Third-party libs (e.g., jQuery, React): Flag known sink patterns like .html(), dangerouslySetInnerHTML, or eval-like functions.
+               - **Server-Side Issues**: Probe for SSRF (e.g., via URL params fetching internal resources), IDOR (e.g., manipulating IDs in paths/bodies), rate limiting bypass, and insecure deserialization (e.g., in JSON/PHP objects).
+               - **Headers & Misc**: Examine for exposed sensitive info (e.g., debug headers, stack traces), misconfigured security headers (CSP, HSTS), and upload flaws (e.g., file extension bypass).
+               - **Chaining Opportunities**: Always consider multi-step exploits, like XSS leading to CSRF token theft or SSRF to internal metadata endpoints.
+
+            3. **PoC Generation**:
+               - Produce concise, step-by-step PoCs in a standardized format:
+                 - **Description**: Clear vuln summary, CVSS-like severity, and impact.
+                 - **Steps to Reproduce**: Numbered HTTP requests (use curl or Burp syntax, e.g., `curl -X POST -d "param=<payload>" https://target.com/endpoint`).
+                 - **Payloads**: Provide working, minimal payloads with variations for evasion (e.g., encoded, obfuscated).
+                 - **Screenshots/Evidence**: Suggest what to capture (e.g., alert popup for XSS, response diff for IDOR).
+                 - **Mitigation Advice**: Recommend fixes (e.g., output encoding, input validation).
+               - Ensure PoCs are ethical: Target only in-scope assets, avoid DoS, and emphasize disclosure via proper channels (e.g., HackerOne, Bugcrowd).
+               - If no vuln found, explain why and suggest further tests (e.g., fuzzing params).
+            4. Risk Score:
+              For each analysis generate a risk score between 0% - 100% based on exploitability and impact.  This should be reflected as { "risk_score": "nnn%" } in the final output JSON.
+
+            Analyze provided HTTP request/response pairs methodically: Start with a high-level overview, then dive into specifics, flag potential issues with evidence from the traffic, and end with PoC if applicable. Be verbose in reasoning but concise in output. Prioritize high-severity findings. If data is incomplete, request clarifications.
+          '
+
+          PWN::AI::Introspection.reflect_on(
+            system_role_content: system_role_content,
+            request: request,
+            suppress_pii_warning: true
+          )
+        rescue StandardError => e
+          raise e.backtrace
+        end
+
+        # Author(s):: 0day Inc. <support@0dayinc.com>
+
+        public_class_method def self.authors
+          "AUTHOR(S):
+            0day Inc. <support@0dayinc.com>
+          "
+        end
+
+        # Display Usage for this Module
+
+        public_class_method def self.help
+          puts "USAGE:
+
+            #{self}.authors
+          "
+        end
+      end
+    end
+  end
+end

data/lib/pwn/ai/agent.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module PWN
+  # This file, using the autoload directive loads SAST modules
+  # into memory only when they're needed. For more information, see:
+  # http://www.rubyinside.com/ruby-techniques-revealed-autoload-1652.html
+  module AI
+    # Collection of Agentic AI Modules. These modules are designed to perform specific tasks autonomously, such as interacting with APIs, performing reconnaissance, or automating exploitation steps. Each module is designed to be used within an agentic AI framework, allowing for the creation of intelligent agents that can perform complex tasks without human intervention. The Agent module serves as a namespace for all agentic AI modules, providing a structured way to organize and access these functionalities. By using autoload, we ensure that each module is only loaded into memory when it's actually needed, optimizing resource usage and improving performance.
+    module Agent
+      # Agentic AI Modules
+      autoload :BurpSuite, 'pwn/ai/agent/burp_suite'
+      autoload :SAST, 'pwn/ai/agent/sast'
+
+      # Display a List of Every PWN::AI Module
+
+      public_class_method def self.help
+        constants.sort
+      end
+    end
+  end
+end

data/lib/pwn/ai.rb

@@ -5,6 +5,7 @@ module PWN
   # into memory only when they're needed. For more information, see:
   # http://www.rubyinside.com/ruby-techniques-revealed-autoload-1652.html
   module AI
+    autoload :Agent, 'pwn/ai/agent'
     autoload :Grok, 'pwn/ai/grok'
     autoload :Introspection, 'pwn/ai/introspection'
     autoload :Ollama, 'pwn/ai/ollama'

data/lib/pwn/plugins/burp_suite.rb

@@ -67,42 +67,6 @@ module PWN
         if PWN::Env[:ai][:introspection]
           introspection_thread_arr = burp_obj[:introspection_threads] ||= []
           introspection_thread = Thread.new do
-            system_role_content = '
-              Your expertise lies in dissecting HTTP request/response pairs and WebSocket messages to identify high-impact vulnerabilities, including but not limited to XSS (reflected, stored, DOM-based), CSRF, SSRF, IDOR, open redirects, CORS misconfigurations, authentication bypasses, SQLi/NoSQLi, command/code injection, business logic flaws, race conditions, and API abuse. You prioritize zero-days and novel chains, always focusing on exploitability, impact (e.g., account takeover, data exfiltration, RCE), and reproducibility.
-
-              During analysis:
-
-              1. **Parse and Contextualize Traffic**:
-                 - Break down every element: HTTP method, URI (path, query parameters), headers (e.g., Host, User-Agent, Cookies, Authorization, Referer, Origin, Content-Type), request body (e.g., form data, JSON payloads), response status code, response headers, and response body (HTML, JSON, XML, etc.).
-                 - Identify dynamic elements: User-controlled inputs (e.g., query params, POST data, headers like X-Forwarded-For), server-side echoes, redirects, and client-side processing.
-                 - Trace data flow: Map how inputs propagate from request to response, including any client-side JavaScript execution where exploitation may be possible in the client without communicating with the server (e.g. DOM-XSS).
-
-              2. **Vulnerability Hunting Framework**:
-                 - **Input Validation & Sanitization**: Check for unescaped/lack of encoding in outputs (e.g., HTML context for XSS, URL context for open redirects).
-                 - **XSS Focus**: Hunt for sinks like innerHTML/outerHTML, document.write, eval, setTimeout/setInterval with strings, location.href/assign/replace, and history.pushState. Test payloads like <script>alert(1)</script>, javascript:alert(1), and polyglots. For DOM-based, simulate client-side execution.
-                 - **JavaScript Library Analysis**: If JS is present (e.g., in response body or referenced scripts), deobfuscate and inspect:
-                   - Objects/properties that could clobber DOM (e.g., window.name, document.cookie manipulation leading to prototype pollution).
-                   - DOM XSS vectors: Analyze event handlers, querySelector, addEventListener with unsanitized data from location.hash/search, postMessage, or localStorage.
-                   - Third-party libs (e.g., jQuery, React): Flag known sink patterns like .html(), dangerouslySetInnerHTML, or eval-like functions.
-                 - **Server-Side Issues**: Probe for SSRF (e.g., via URL params fetching internal resources), IDOR (e.g., manipulating IDs in paths/bodies), rate limiting bypass, and insecure deserialization (e.g., in JSON/PHP objects).
-                 - **Headers & Misc**: Examine for exposed sensitive info (e.g., debug headers, stack traces), misconfigured security headers (CSP, HSTS), and upload flaws (e.g., file extension bypass).
-                 - **Chaining Opportunities**: Always consider multi-step exploits, like XSS leading to CSRF token theft or SSRF to internal metadata endpoints.
-
-              3. **PoC Generation**:
-                 - Produce concise, step-by-step PoCs in a standardized format:
-                   - **Description**: Clear vuln summary, CVSS-like severity, and impact.
-                   - **Steps to Reproduce**: Numbered HTTP requests (use curl or Burp syntax, e.g., `curl -X POST -d "param=<payload>" https://target.com/endpoint`).
-                   - **Payloads**: Provide working, minimal payloads with variations for evasion (e.g., encoded, obfuscated).
-                   - **Screenshots/Evidence**: Suggest what to capture (e.g., alert popup for XSS, response diff for IDOR).
-                   - **Mitigation Advice**: Recommend fixes (e.g., output encoding, input validation).
-                 - Ensure PoCs are ethical: Target only in-scope assets, avoid DoS, and emphasize disclosure via proper channels (e.g., HackerOne, Bugcrowd).
-                 - If no vuln found, explain why and suggest further tests (e.g., fuzzing params).
-              4. Risk Score:
-                For each analysis generate a risk score between 0% - 100% based on exploitability and impact.  This should be reflected as { "risk_score": "nnn%" } in the final output JSON.
-
-              Analyze provided HTTP request/response pairs methodically: Start with a high-level overview, then dive into specifics, flag potential issues with evidence from the traffic, and end with PoC if applicable. Be verbose in reasoning but concise in output. Prioritize high-severity findings. If data is incomplete, request clarifications.
-            '
-
             get_highlight_color = lambda do |opts = {}|
               ai_analysis = opts[:ai_analysis]
 
@@ -169,10 +133,8 @@ module PWN
                     response = Base64.strict_decode64(response)
 
                     http_request_response = PWN::Plugins::Char.force_utf8("#{request}\r\n\r\n#{response}")
-                    ai_analysis = PWN::AI::Introspection.reflect_on(
-                      system_role_content: system_role_content,
-                      request: http_request_response,
-                      suppress_pii_warning: true
+                    ai_analysis = PWN::AI::Agent::BurpSuite.analyze(
+                      request: http_request_response
                     )
 
                     next if ai_analysis.nil? || ai_analysis.strip.empty?
@@ -225,10 +187,8 @@ module PWN
                     request = Base64.strict_decode64(request)
                     response = Base64.strict_decode64(response)
                     http_request_response = PWN::Plugins::Char.force_utf8("#{request}\r\n\r\n#{response}")
-                    ai_analysis = PWN::AI::Introspection.reflect_on(
-                      system_role_content: system_role_content,
-                      request: http_request_response,
-                      suppress_pii_warning: true
+                    ai_analysis = PWN::AI::Agent::BurpSuite.analyze(
+                      request: http_request_response
                     )
 
                     next if ai_analysis.nil? || ai_analysis.strip.empty?
@@ -259,10 +219,8 @@ module PWN
 
                   payload = Base64.strict_decode64(payload)
                   websocket_req = PWN::Plugins::Char.force_utf8("WebSocket ID: #{web_socket_id}\nDirection: #{direction}\nPayload:\n#{payload}")
-                  ai_analysis = PWN::AI::Introspection.reflect_on(
-                    system_role_content: system_role_content,
-                    request: websocket_req,
-                    suppress_pii_warning: true
+                  ai_analysis = PWN::AI::Agent::BurpSuite.analyze(
+                    request: websocket_req
                   )
 
                   next if ai_analysis.nil? || ai_analysis.strip.empty?

data/lib/pwn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PWN
-  VERSION = '0.5.538'
+  VERSION = '0.5.539'
 end

data/spec/lib/pwn/ai/agent/burp_suite_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe PWN::AI::Agent::BurpSuite do
+  it 'scan method should exist' do
+    scan_response = PWN::AI::Agent::BurpSuite
+    expect(scan_response).to respond_to :scan
+  end
+
+  it 'should display information for authors' do
+    authors_response = PWN::AI::Agent::BurpSuite
+    expect(authors_response).to respond_to :authors
+  end
+
+  it 'should display information for existing help method' do
+    help_response = PWN::AI::Agent::BurpSuite
+    expect(help_response).to respond_to :help
+  end
+end

data/spec/lib/pwn/ai/agent_spec.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Pwn::AI::Agent do
+  it 'should return data for help method' do
+    help_response = Pwn::AI::Agent.help
+    expect(help_response).not_to be_nil
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pwn
 version: !ruby/object:Gem::Version
-  version: 0.5.538
+  version: 0.5.539
 platform: ruby
 authors:
 - 0day Inc.
@@ -1758,6 +1758,8 @@ files:
 - install.sh
 - lib/pwn.rb
 - lib/pwn/ai.rb
+- lib/pwn/ai/agent.rb
+- lib/pwn/ai/agent/burp_suite.rb
 - lib/pwn/ai/grok.rb
 - lib/pwn/ai/introspection.rb
 - lib/pwn/ai/ollama.rb
@@ -2118,6 +2120,8 @@ files:
 - packer/provisioners/zzuf.sh
 - pwn.gemspec
 - reinstall_gemset.sh
+- spec/lib/pwn/ai/agent/burp_suite_spec.rb
+- spec/lib/pwn/ai/agent_spec.rb
 - spec/lib/pwn/ai/grok_spec.rb
 - spec/lib/pwn/ai/introspection_spec.rb
 - spec/lib/pwn/ai/ollama_spec.rb