@bryan-thompson/inspector-assessment 1.26.6 → 1.26.7

package/client/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.js

@@ -338,6 +338,344 @@ export const AUTH_FAIL_CLOSED_PATTERNS = [
     { pattern: /"denial_reason"/i, evidence: "denial reason provided" },
 ];
 // =============================================================================
+// CROSS-TOOL STATE-BASED AUTH PATTERNS (Issue #92, Challenge #7)
+// =============================================================================
+/**
+ * Patterns indicating vulnerable shared state authorization
+ * Detects cross-tool privilege escalation via shared mutable state
+ * Used by: analyzeStateBasedAuthBypass()
+ */
+export const STATE_AUTH_VULNERABLE_PATTERNS = [
+    {
+        pattern: /"admin_mode"\s*:\s*true/i,
+        evidence: "admin_mode enabled in response",
+    },
+    {
+        pattern: /hint.*use\s+config_modifier/i,
+        evidence: "Tool hints at cross-tool state dependency",
+    },
+    {
+        pattern: /admin_mode.*set\s+by.*another\s+tool/i,
+        evidence: "Explicit cross-tool state dependency",
+    },
+    {
+        pattern: /"evidence".*cross-tool.*privilege/i,
+        evidence: "Cross-tool privilege escalation detected",
+    },
+    {
+        pattern: /elevated\s+privileges?\s+granted/i,
+        evidence: "Elevated privileges granted",
+    },
+    {
+        pattern: /admin\s+mode\s+activated/i,
+        evidence: "Admin mode activated (state modifier)",
+    },
+    {
+        pattern: /"hint".*config_modifier.*admin_mode/i,
+        evidence: "Response hints at config_modifier for admin_mode",
+    },
+    {
+        pattern: /Use\s+config_modifier.*enable.*admin_mode/i,
+        evidence: "Tool depends on config_modifier for authorization",
+    },
+];
+/**
+ * Patterns indicating safe independent authorization
+ * Detects tools that use per-request authentication (secure)
+ * Used by: analyzeStateBasedAuthBypass()
+ */
+export const STATE_AUTH_SAFE_PATTERNS = [
+    {
+        pattern: /"shared_state_checked"\s*:\s*false/i,
+        evidence: "Tool explicitly states it doesn't use shared state",
+    },
+    {
+        pattern: /"independent_auth_required"\s*:\s*true/i,
+        evidence: "Tool requires independent per-request auth",
+    },
+    {
+        pattern: /requires\s+independent\s+authorization/i,
+        evidence: "Independent authorization required",
+    },
+    {
+        pattern: /(?:not|does\s+not|doesn't)\s+(?:use\s+)?shared\s+state/i,
+        evidence: "Tool confirms it does not use shared state",
+    },
+    {
+        pattern: /stored.*for.*admin.*review/i,
+        evidence: "Request stored for admin review (no auto-execution)",
+    },
+    {
+        pattern: /per-request\s+auth/i,
+        evidence: "Per-request authentication enforced",
+    },
+];
+/**
+ * Patterns indicating vulnerable chain execution behavior
+ * - Arbitrary tool invocation without allowlist
+ * - Output injection via template substitution
+ * - Recursive/circular chain execution
+ * - Missing depth limits
+ * - State poisoning between steps
+ *
+ * Used by: analyzeChainExploitation()
+ */
+export const CHAIN_EXPLOIT_VULNERABLE_PATTERNS = [
+    // Chain execution evidence
+    {
+        pattern: /chain_results/i,
+        weight: 0.9,
+        category: "chain_execution",
+        description: "Chain execution returning step results",
+    },
+    {
+        pattern: /steps_executed/i,
+        weight: 0.8,
+        category: "chain_execution",
+        description: "Steps executed counter in response",
+    },
+    {
+        pattern: /vulnerabilities_triggered/i,
+        weight: 1.0,
+        category: "chain_execution",
+        description: "Explicit vulnerabilities triggered indicator",
+    },
+    // Output injection evidence
+    {
+        pattern: /output_injection/i,
+        weight: 1.0,
+        category: "output_injection",
+        description: "Output injection between chain steps",
+    },
+    {
+        pattern: /\{\{output\}\}.*substitut/i,
+        weight: 0.9,
+        category: "output_injection",
+        description: "Template output substitution performed",
+    },
+    {
+        pattern: /last_output.*passed/i,
+        weight: 0.8,
+        category: "output_injection",
+        description: "Raw output passed to next step",
+    },
+    // Recursive chain evidence
+    {
+        pattern: /recursive_chain/i,
+        weight: 1.0,
+        category: "recursive_chain",
+        description: "Self-referential chain execution",
+    },
+    {
+        pattern: /chain_executor.*within.*chain/i,
+        weight: 0.9,
+        category: "recursive_chain",
+        description: "Chain executor called recursively",
+    },
+    {
+        pattern: /circular.*chain/i,
+        weight: 0.9,
+        category: "recursive_chain",
+        description: "Circular chain reference detected",
+    },
+    // Arbitrary tool acceptance
+    {
+        pattern: /arbitrary.*tool.*step/i,
+        weight: 0.9,
+        category: "arbitrary_tool",
+        description: "Arbitrary tool name accepted in chain",
+    },
+    {
+        pattern: /unknown.*tool.*executed/i,
+        weight: 0.8,
+        category: "arbitrary_tool",
+        description: "Unknown tool executed without validation",
+    },
+    {
+        pattern: /attempted.*execute.*unknown/i,
+        weight: 0.8,
+        category: "arbitrary_tool",
+        description: "Attempted execution of unknown tool",
+    },
+    // Shadowed tool execution
+    {
+        pattern: /shadowed.*tool/i,
+        weight: 1.0,
+        category: "tool_shadowing",
+        description: "Shadowed/poisoned tool executed",
+    },
+    {
+        pattern: /shadowed_definition/i,
+        weight: 0.9,
+        category: "tool_shadowing",
+        description: "Shadowed definition used instead of original",
+    },
+];
+/**
+ * Patterns indicating safe/hardened chain handling
+ * - Tool allowlist validation
+ * - No execution (validation only)
+ * - Depth limits enforced
+ * - Output injection blocked
+ *
+ * Used by: analyzeChainExploitation()
+ */
+// =============================================================================
+// CHAIN VULNERABILITY THRESHOLDS (Issue #93)
+// =============================================================================
+/**
+ * Threshold for confirming vulnerable chain execution behavior.
+ * Value of 1.5 requires ~2 weighted pattern matches to confirm vulnerability.
+ *
+ * Derived from A/B testing against vulnerable-mcp/hardened-mcp testbed:
+ * - vulnerable-mcp: typical scores 2.0-4.0 for vulnerable chains
+ * - hardened-mcp: typical scores 0.0-0.8 for safe chains
+ *
+ * Setting at 1.5 provides margin against false positives while
+ * maintaining detection of genuine vulnerabilities.
+ */
+export const CHAIN_VULNERABLE_THRESHOLD = 1.5;
+/**
+ * Threshold for confirming safe/hardened chain behavior.
+ * Value of 1.0 requires 1+ weighted safe pattern matches.
+ *
+ * Derived from A/B testing:
+ * - hardened-mcp: typical scores 1.5-3.0 for safe chains
+ * - vulnerable-mcp: typical scores 0.0-0.5 for safe patterns
+ */
+export const CHAIN_SAFE_THRESHOLD = 1.0;
+// =============================================================================
+// CHAIN VULNERABILITY CATEGORY PATTERNS (Issue #93)
+// =============================================================================
+/**
+ * Maps vulnerability categories to detection patterns.
+ * Used by analyzeChainExploitation() for category classification.
+ *
+ * Extracted from inline patterns to maintain single source of truth.
+ */
+export const CHAIN_CATEGORY_PATTERNS = {
+    OUTPUT_INJECTION: [
+        { pattern: /output_injection/i, category: "OUTPUT_INJECTION" },
+        { pattern: /\{\{output\}\}.*substitut/i, category: "OUTPUT_INJECTION" },
+    ],
+    RECURSIVE_CHAIN: [
+        { pattern: /recursive_chain/i, category: "RECURSIVE_CHAIN" },
+        { pattern: /chain_executor.*within/i, category: "RECURSIVE_CHAIN" },
+    ],
+    ARBITRARY_TOOL_INVOCATION: [
+        { pattern: /arbitrary.*tool/i, category: "ARBITRARY_TOOL_INVOCATION" },
+        {
+            pattern: /unknown.*tool.*executed/i,
+            category: "ARBITRARY_TOOL_INVOCATION",
+        },
+    ],
+    TOOL_SHADOWING: [
+        { pattern: /shadowed.*tool/i, category: "TOOL_SHADOWING" },
+        { pattern: /shadowed_definition/i, category: "TOOL_SHADOWING" },
+    ],
+    MISSING_DEPTH_LIMIT: [
+        {
+            pattern: /steps_executed.*[1-9][0-9]/i,
+            category: "MISSING_DEPTH_LIMIT",
+        },
+        { pattern: /no.*depth.*limit/i, category: "MISSING_DEPTH_LIMIT" },
+    ],
+    STATE_POISONING: [
+        { pattern: /state.*poison/i, category: "STATE_POISONING" },
+        { pattern: /config.*modified.*chain/i, category: "STATE_POISONING" },
+    ],
+};
+/**
+ * Detect vulnerability categories from response text.
+ * Returns array of detected category names.
+ */
+export function detectVulnerabilityCategories(responseText) {
+    const categories = [];
+    for (const [categoryName, patterns] of Object.entries(CHAIN_CATEGORY_PATTERNS)) {
+        for (const { pattern } of patterns) {
+            if (pattern.test(responseText)) {
+                if (!categories.includes(categoryName)) {
+                    categories.push(categoryName);
+                }
+                break; // Found match for this category, move to next
+            }
+        }
+    }
+    return categories;
+}
+export const CHAIN_EXPLOIT_SAFE_PATTERNS = [
+    // Validation-only behavior
+    {
+        pattern: /stored.*for.*review/i,
+        weight: 0.8,
+        category: "safe_storage",
+        description: "Chain stored for review, not executed",
+    },
+    {
+        pattern: /validation.*only/i,
+        weight: 0.9,
+        category: "safe_validation",
+        description: "Chain validated but not executed",
+    },
+    {
+        pattern: /chain.*validated/i,
+        weight: 0.7,
+        category: "safe_validation",
+        description: "Chain validation response",
+    },
+    {
+        pattern: /pending.*review/i,
+        weight: 0.8,
+        category: "safe_storage",
+        description: "Request pending admin review",
+    },
+    // Allowlist enforcement
+    {
+        pattern: /tool.*not.*in.*allowlist/i,
+        weight: 0.9,
+        category: "allowlist",
+        description: "Tool rejected - not in allowlist",
+    },
+    {
+        pattern: /only.*safe.*tools.*permitted/i,
+        weight: 0.9,
+        category: "allowlist",
+        description: "Allowlist enforcement message",
+    },
+    {
+        pattern: /blocked.*tool.*chain/i,
+        weight: 0.8,
+        category: "allowlist",
+        description: "Tool blocked from chain execution",
+    },
+    // Depth limit enforcement
+    {
+        pattern: /depth.*limit.*enforced/i,
+        weight: 0.8,
+        category: "depth_limit",
+        description: "Depth limit properly enforced",
+    },
+    {
+        pattern: /max.*depth.*exceeded/i,
+        weight: 0.7,
+        category: "depth_limit",
+        description: "Chain rejected for exceeding depth",
+    },
+    // No execution indicators
+    {
+        pattern: /chain_executed.*false/i,
+        weight: 0.9,
+        category: "no_execution",
+        description: "Chain execution disabled",
+    },
+    {
+        pattern: /execution.*disabled/i,
+        weight: 0.8,
+        category: "no_execution",
+        description: "Execution capability disabled",
+    },
+];
+// =============================================================================
 // SEARCH/RETRIEVAL PATTERNS
 // =============================================================================
 /**

package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts

@@ -35,6 +35,40 @@ export interface AuthBypassResult {
     failureMode: "FAIL_OPEN" | "FAIL_CLOSED" | "UNKNOWN";
     evidence?: string;
 }
+/**
+ * Result of cross-tool state-based auth bypass analysis (Issue #92, Challenge #7)
+ * Detects privilege escalation via shared mutable state between tools
+ */
+export interface StateBasedAuthResult {
+    vulnerable: boolean;
+    safe: boolean;
+    stateDependency: "SHARED_STATE" | "INDEPENDENT" | "UNKNOWN";
+    evidence: string;
+}
+/**
+ * Chain execution type classification (Issue #93, Challenge #6)
+ */
+export type ChainExecutionType = "VULNERABLE_EXECUTION" | "SAFE_VALIDATION" | "PARTIAL" | "UNKNOWN";
+/**
+ * Chain vulnerability categories (Issue #93, Challenge #6)
+ */
+export type ChainVulnerabilityCategory = "OUTPUT_INJECTION" | "RECURSIVE_CHAIN" | "ARBITRARY_TOOL_INVOCATION" | "TOOL_SHADOWING" | "MISSING_DEPTH_LIMIT" | "STATE_POISONING";
+/**
+ * Result of chain exploitation analysis (Issue #93, Challenge #6)
+ * Detects multi-tool chained exploitation attacks
+ */
+export interface ChainExploitationAnalysis {
+    vulnerable: boolean;
+    safe: boolean;
+    chainType: ChainExecutionType;
+    vulnerabilityCategories: ChainVulnerabilityCategory[];
+    evidence: {
+        vulnerablePatterns: string[];
+        safePatterns: string[];
+        vulnerableScore: number;
+        safeScore: number;
+    };
+}
 /**
  * Error classification types
  */
@@ -70,6 +104,31 @@ export declare class SecurityResponseAnalyzer {
      * Detects fail-open authentication vulnerabilities (CVE-2025-52882)
      */
     analyzeAuthBypassResponse(response: CompatibilityCallToolResult): AuthBypassResult;
+    /**
+     * Analyze response for cross-tool state-based authorization bypass (Issue #92)
+     * Detects Challenge #7: Privilege escalation via shared mutable state
+     *
+     * Vulnerable pattern: Tool checks shared state (e.g., config_state["admin_mode"])
+     * that can be modified by another tool (e.g., config_modifier)
+     *
+     * Safe pattern: Tool uses independent per-request authorization,
+     * indicated by shared_state_checked: false or independent_auth_required: true
+     */
+    analyzeStateBasedAuthBypass(response: CompatibilityCallToolResult): StateBasedAuthResult;
+    /**
+     * Analyze response for chain exploitation vulnerabilities (Issue #93, Challenge #6)
+     * Detects multi-tool chained exploitation attacks including:
+     * - Arbitrary tool invocation without allowlist
+     * - Output injection via {{output}} template substitution
+     * - Recursive/circular chain execution (DoS potential)
+     * - State poisoning between chain steps
+     * - Tool shadowing in chains
+     * - Missing depth/size limits
+     *
+     * @param response The tool response to analyze
+     * @returns Analysis result with vulnerability status and evidence
+     */
+    analyzeChainExploitation(response: CompatibilityCallToolResult): ChainExploitationAnalysis;
     /**
      * Check if response indicates connection/server failure
      */

package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAK1E,OAAO,EAAgB,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGxE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;;;;GAMG;AACH,qBAAa,wBAAwB;IAEnC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,gBAAgB,CAAmB;;IAc3C;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;IAqBjB;;OAEG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAWnB;;;OAGG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;IAsFnB;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAIvD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAIzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAI/D;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;IAQrE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EACvD,YAAY,EAAE,MAAM,GACnB,OAAO;IAIV;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;;OAGG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAIpE;;OAEG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAOV;;OAEG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAQrB;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;OAEG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIvD;;OAEG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI7D;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIrE;;OAEG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAQjD;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAyB/B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IA+E7B;;;OAGG;IACH,OAAO,CAAC,0BAA0B;IAwClC;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAoBjC"}
+{"version":3,"file":"SecurityResponseAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityResponseAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAK1E,OAAO,EAAgB,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAYxE,YAAY,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAC3D,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,eAAe,EAAE,cAAc,GAAG,aAAa,GAAG,SAAS,CAAC;IAC5D,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,sBAAsB,GACtB,iBAAiB,GACjB,SAAS,GACT,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAClC,kBAAkB,GAClB,iBAAiB,GACjB,2BAA2B,GAC3B,gBAAgB,GAChB,qBAAqB,GACrB,iBAAiB,CAAC;AAEtB;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,kBAAkB,CAAC;IAC9B,uBAAuB,EAAE,0BAA0B,EAAE,CAAC;IACtD,QAAQ,EAAE;QACR,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;;;;;GAMG;AACH,qBAAa,wBAAwB;IAEnC,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,iBAAiB,CAA4B;IACrD,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,gBAAgB,CAAmB;;IAc3C;;;;;;OAMG;IACH,eAAe,CACb,QAAQ,EAAE,2BAA2B,EACrC,OAAO,EAAE,eAAe,EACxB,IAAI,EAAE,IAAI,GACT,cAAc;IAqBjB;;OAEG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAWnB;;;OAGG;IACH,yBAAyB,CACvB,QAAQ,EAAE,2BAA2B,GACpC,gBAAgB;IAsFnB;;;;;;;;;OASG;IACH,2BAA2B,CACzB,QAAQ,EAAE,2BAA2B,GACpC,oBAAoB;IAmGvB;;;;;;;;;;;;OAYG;IACH,wBAAwB,CACtB,QAAQ,EAAE,2BAA2B,GACpC,yBAAyB;IA6D5B;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAIvD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAIzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAI/D;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;IAQrE;;OAEG;IACH,oBAAoB,CAClB,SAAS,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,EACvD,YAAY,EAAE,MAAM,GACnB,OAAO;IAIV;;OAEG;IACH,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIlD;;OAEG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;;OAGG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAIpE;;OAEG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAOV;;OAEG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAQrB;;OAEG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;OAEG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIvD;;OAEG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI7D;;OAEG;IACH,qBAAqB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAIrE;;OAEG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;OAEG;IACH,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAIrD;;OAEG;IACH,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAQjD;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAyB/B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IA+E7B;;;OAGG;IACH,OAAO,CAAC,0BAA0B;IAwClC;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAoBjC"}

package/client/lib/services/assessment/modules/securityTests/SecurityResponseAnalyzer.js

@@ -19,6 +19,8 @@ import { ExecutionArtifactDetector } from "./ExecutionArtifactDetector.js";
 import { MathAnalyzer } from "./MathAnalyzer.js";
 import { SafeResponseDetector } from "./SafeResponseDetector.js";
 import { ConfidenceScorer } from "./ConfidenceScorer.js";
+// Import pattern library for chain exploitation analysis
+import { CHAIN_EXPLOIT_VULNERABLE_PATTERNS, CHAIN_EXPLOIT_SAFE_PATTERNS, CHAIN_VULNERABLE_THRESHOLD, CHAIN_SAFE_THRESHOLD, detectVulnerabilityCategories, } from "./SecurityPatternLibrary.js";
 /**
  * Analyzes tool responses for security vulnerabilities
  * Distinguishes between safe reflection and actual execution
@@ -153,6 +155,172 @@ export class SecurityResponseAnalyzer {
         }
         return { detected: false, failureMode: "UNKNOWN" };
     }
+    /**
+     * Analyze response for cross-tool state-based authorization bypass (Issue #92)
+     * Detects Challenge #7: Privilege escalation via shared mutable state
+     *
+     * Vulnerable pattern: Tool checks shared state (e.g., config_state["admin_mode"])
+     * that can be modified by another tool (e.g., config_modifier)
+     *
+     * Safe pattern: Tool uses independent per-request authorization,
+     * indicated by shared_state_checked: false or independent_auth_required: true
+     */
+    analyzeStateBasedAuthBypass(response) {
+        const responseText = this.extractResponseContent(response);
+        // Vulnerable patterns - shared state authorization (Challenge #7)
+        const vulnerablePatterns = [
+            {
+                pattern: /"admin_mode"\s*:\s*true/i,
+                evidence: "admin_mode enabled in response",
+            },
+            {
+                pattern: /hint.*use\s+config_modifier/i,
+                evidence: "Tool hints at cross-tool state dependency",
+            },
+            {
+                pattern: /admin_mode.*set\s+by.*another\s+tool/i,
+                evidence: "Explicit cross-tool state dependency",
+            },
+            {
+                pattern: /"evidence".*cross-tool.*privilege/i,
+                evidence: "Cross-tool privilege escalation detected",
+            },
+            {
+                pattern: /elevated\s+privileges?\s+granted/i,
+                evidence: "Elevated privileges granted",
+            },
+            {
+                pattern: /admin\s+mode\s+activated/i,
+                evidence: "Admin mode activated (state modifier)",
+            },
+            {
+                pattern: /"hint".*config_modifier.*admin_mode/i,
+                evidence: "Response hints at config_modifier for admin_mode",
+            },
+            {
+                pattern: /Use\s+config_modifier.*enable.*admin_mode/i,
+                evidence: "Tool depends on config_modifier for authorization",
+            },
+        ];
+        // Safe patterns - independent authorization (secure)
+        const safePatterns = [
+            {
+                pattern: /"shared_state_checked"\s*:\s*false/i,
+                evidence: "Tool explicitly states it doesn't use shared state",
+            },
+            {
+                pattern: /"independent_auth_required"\s*:\s*true/i,
+                evidence: "Tool requires independent per-request auth",
+            },
+            {
+                pattern: /requires\s+independent\s+authorization/i,
+                evidence: "Independent authorization required",
+            },
+            {
+                pattern: /(?:not|does\s+not|doesn't)\s+(?:use\s+)?shared\s+state/i,
+                evidence: "Tool confirms it does not use shared state",
+            },
+            {
+                pattern: /stored.*for.*admin.*review/i,
+                evidence: "Request stored for admin review (no auto-execution)",
+            },
+            {
+                pattern: /per-request\s+auth/i,
+                evidence: "Per-request authentication enforced",
+            },
+        ];
+        // Check vulnerable patterns first (SHARED_STATE)
+        for (const { pattern, evidence } of vulnerablePatterns) {
+            if (pattern.test(responseText)) {
+                return {
+                    vulnerable: true,
+                    safe: false,
+                    stateDependency: "SHARED_STATE",
+                    evidence: `Cross-tool state dependency detected: ${evidence}`,
+                };
+            }
+        }
+        // Check safe patterns (INDEPENDENT)
+        for (const { pattern, evidence } of safePatterns) {
+            if (pattern.test(responseText)) {
+                return {
+                    vulnerable: false,
+                    safe: true,
+                    stateDependency: "INDEPENDENT",
+                    evidence: `Independent authorization confirmed: ${evidence}`,
+                };
+            }
+        }
+        return {
+            vulnerable: false,
+            safe: false,
+            stateDependency: "UNKNOWN",
+            evidence: "",
+        };
+    }
+    /**
+     * Analyze response for chain exploitation vulnerabilities (Issue #93, Challenge #6)
+     * Detects multi-tool chained exploitation attacks including:
+     * - Arbitrary tool invocation without allowlist
+     * - Output injection via {{output}} template substitution
+     * - Recursive/circular chain execution (DoS potential)
+     * - State poisoning between chain steps
+     * - Tool shadowing in chains
+     * - Missing depth/size limits
+     *
+     * @param response The tool response to analyze
+     * @returns Analysis result with vulnerability status and evidence
+     */
+    analyzeChainExploitation(response) {
+        const responseText = this.extractResponseContent(response);
+        let vulnerableScore = 0;
+        let safeScore = 0;
+        const matchedVulnPatterns = [];
+        const matchedSafePatterns = [];
+        // Check vulnerable patterns
+        for (const patternDef of CHAIN_EXPLOIT_VULNERABLE_PATTERNS) {
+            if (patternDef.pattern.test(responseText)) {
+                vulnerableScore += patternDef.weight;
+                matchedVulnPatterns.push(patternDef.description);
+            }
+        }
+        // Check safe patterns
+        for (const patternDef of CHAIN_EXPLOIT_SAFE_PATTERNS) {
+            if (patternDef.pattern.test(responseText)) {
+                safeScore += patternDef.weight;
+                matchedSafePatterns.push(patternDef.description);
+            }
+        }
+        // Determine chain execution type using documented thresholds
+        let chainType = "UNKNOWN";
+        if (vulnerableScore > CHAIN_VULNERABLE_THRESHOLD &&
+            vulnerableScore > safeScore) {
+            chainType = "VULNERABLE_EXECUTION";
+        }
+        else if (safeScore > CHAIN_SAFE_THRESHOLD &&
+            safeScore > vulnerableScore) {
+            chainType = "SAFE_VALIDATION";
+        }
+        else if (vulnerableScore > 0 || safeScore > 0) {
+            chainType = "PARTIAL";
+        }
+        // Detect specific vulnerability categories using centralized pattern library
+        const detectedCategories = detectVulnerabilityCategories(responseText);
+        const vulnerabilityCategories = detectedCategories;
+        return {
+            vulnerable: vulnerableScore > CHAIN_VULNERABLE_THRESHOLD &&
+                vulnerableScore > safeScore,
+            safe: safeScore > CHAIN_SAFE_THRESHOLD && safeScore > vulnerableScore,
+            chainType,
+            vulnerabilityCategories,
+            evidence: {
+                vulnerablePatterns: matchedVulnPatterns,
+                safePatterns: matchedSafePatterns,
+                vulnerableScore,
+                safeScore,
+            },
+        };
+    }
     /**
      * Check if response indicates connection/server failure
      */

package/client/lib/services/assessment/modules/securityTests/index.d.ts

@@ -2,7 +2,9 @@
  * Security Assessment Module
  * Exports all security-related components
  */
-export { SecurityResponseAnalyzer, type ConfidenceResult, type AnalysisResult, type ErrorClassification, } from "./SecurityResponseAnalyzer.js";
+export { SecurityResponseAnalyzer, type ConfidenceResult, type AnalysisResult, type ErrorClassification, type StateBasedAuthResult, type ChainExploitationAnalysis, type ChainExecutionType, type ChainVulnerabilityCategory, } from "./SecurityResponseAnalyzer.js";
 export { SecurityPayloadTester, type TestProgressCallback, type PayloadTestConfig, type TestLogger, } from "./SecurityPayloadTester.js";
 export { SecurityPayloadGenerator } from "./SecurityPayloadGenerator.js";
+export { CrossToolStateTester, type CrossToolTestResult, type ToolPair, type CallToolFunction, type CrossToolTestConfig, } from "./CrossToolStateTester.js";
+export { ChainExecutionTester, type ChainExecutionTestResult, type ChainExploitationSummary, type ChainExecutionTesterConfig, type ChainTestReason, } from "./ChainExecutionTester.js";
 //# sourceMappingURL=index.d.ts.map

package/client/lib/services/assessment/modules/securityTests/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,wBAAwB,EACxB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,GACzB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,qBAAqB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,UAAU,GAChB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,wBAAwB,EACxB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,yBAAyB,EAC9B,KAAK,kBAAkB,EACvB,KAAK,0BAA0B,GAChC,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,qBAAqB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,UAAU,GAChB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAEtE,OAAO,EACL,oBAAoB,EACpB,KAAK,mBAAmB,EACxB,KAAK,QAAQ,EACb,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,oBAAoB,EACpB,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,EAC/B,KAAK,eAAe,GACrB,MAAM,wBAAwB,CAAC"}

package/client/lib/services/assessment/modules/securityTests/index.js

@@ -5,3 +5,5 @@
 export { SecurityResponseAnalyzer, } from "./SecurityResponseAnalyzer.js";
 export { SecurityPayloadTester, } from "./SecurityPayloadTester.js";
 export { SecurityPayloadGenerator } from "./SecurityPayloadGenerator.js";
+export { CrossToolStateTester, } from "./CrossToolStateTester.js";
+export { ChainExecutionTester, } from "./ChainExecutionTester.js";

package/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-client",
-  "version": "1.26.6",
+  "version": "1.26.7",
   "description": "Client-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment",
-  "version": "1.26.6",
+  "version": "1.26.7",
   "description": "Enhanced MCP Inspector with comprehensive assessment capabilities for server validation",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",
@@ -53,6 +53,14 @@
     "./performance": {
       "types": "./client/lib/services/assessment/config/performanceConfig.d.ts",
       "default": "./client/lib/services/assessment/config/performanceConfig.js"
+    },
+    "./modules": {
+      "types": "./client/lib/services/assessment/modules/index.d.ts",
+      "default": "./client/lib/services/assessment/modules/index.js"
+    },
+    "./security": {
+      "types": "./client/lib/services/assessment/modules/securityTests/index.d.ts",
+      "default": "./client/lib/services/assessment/modules/securityTests/index.js"
     }
   },
   "bin": {

package/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-server",
-  "version": "1.26.6",
+  "version": "1.26.7",
   "description": "Server-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",