@intentsolutionsio/penetration-tester 2.0.0 → 3.0.4

package/skills/fingerprinting-server-software/scripts/fingerprint_server.py

@@ -0,0 +1,347 @@
+#!/usr/bin/env python3
+"""Server-software fingerprinting via HTTP response signatures.
+
+Companion to skill `fingerprinting-server-software`. Sends a baseline
+GET + an OPTIONS + optionally a malformed-request error probe, then
+parses every standard fingerprinting header and Set-Cookie name
+pattern.
+
+Each match grades against the threshold table in the skill body:
+explicit-version disclosures are MEDIUM (CWE-200), framework
+identification without version is LOW, stack-trace disclosure from
+error pages is HIGH (CWE-209).
+
+References:
+    OWASP WSTG-INFO-02 Fingerprint Web Server
+    OWASP WSTG-INFO-08 Fingerprint Web Application Framework
+    CWE-200 Information Exposure
+    CWE-209 Information Exposure Through an Error Message
+"""
+
+from __future__ import annotations
+
+import argparse
+import re
+import sys
+from pathlib import Path
+
+_PLUGIN_ROOT = Path(__file__).resolve().parents[3]
+if str(_PLUGIN_ROOT) not in sys.path:
+    sys.path.insert(0, str(_PLUGIN_ROOT))
+
+from lib.authz_check import require_authorization  # noqa: E402
+from lib.finding import Finding, Severity  # noqa: E402
+from lib.http_client import make_session, safe_get, safe_options  # noqa: E402
+from lib.report import emit, exit_code  # noqa: E402
+
+SKILL_ID = "fingerprinting-server-software"
+
+
+# Headers that commonly leak version
+VERSION_HEADERS = [
+    "Server",
+    "X-Powered-By",
+    "X-AspNet-Version",
+    "X-AspNetMvc-Version",
+    "X-Runtime",
+    "X-Generator",
+    "X-Drupal-Cache",
+    "X-Drupal-Dynamic-Cache",
+    "X-Backend-Server",
+    "X-Server-Powered-By",
+    "X-Joomla-Version",
+]
+# Framework identification headers (lower severity — no version)
+FRAMEWORK_HEADERS = [
+    "X-Rails-Version",
+    "X-Django-Version",
+    "X-Frame-Options",  # only if present along with other framework signals
+    "Via",
+]
+# Framework-default Set-Cookie names (low — identifies stack)
+DEFAULT_COOKIES = {
+    "PHPSESSID": "PHP",
+    "JSESSIONID": "Java EE / Tomcat / WebSphere / WebLogic",
+    "ASP.NET_SessionId": "ASP.NET",
+    "ASPSESSIONID": "Classic ASP",
+    "ASPSESSIONID*": "Classic ASP (pattern)",
+    "connect.sid": "Express + connect.session",
+    "session": "Generic — multiple frameworks",
+    "_session_id": "Rails",
+    "laravel_session": "Laravel",
+    "ci_session": "CodeIgniter",
+    "frontend": "Magento",
+    "X-Mapping-*": "Sun ONE / iPlanet load-balancer",
+    "BIGipServer*": "F5 BIG-IP load-balancer",
+    "AWSALB": "AWS ALB",
+    "AWSELB": "AWS ELB classic",
+}
+# Error-page stack-trace fingerprints
+STACK_TRACE_SIGS = [
+    (r"^[ \t]*at\s+[\w.<>$]+\([\w./\\:?]+:\d+\)", "Java stack trace"),
+    (r"File\s+\"[/\\][\w/.\\]+\.py\",\s+line\s+\d+", "Python traceback"),
+    (r"in\s+/[^\s]+\.php on line \d+", "PHP error trace"),
+    (r"at\s+(?:[\w$]+\.)+[\w$]+\s+\([\w./:\\]+:\d+:\d+\)", "JavaScript stack trace"),
+    (r"\(in /[\w/.-]+\.rb:\d+", "Ruby exception"),
+    (r"goroutine\s+\d+\s+\[running\]:", "Go panic"),
+    (r"System\.[\w.]+Exception:", ".NET exception"),
+    (r"<title>[^<]*(stack trace|exception|fatal error)", "Generic error-page banner"),
+]
+
+
+def _version_in(value: str) -> bool:
+    """Heuristic: header value contains an explicit version number."""
+    return bool(re.search(r"\d+\.\d+", value))
+
+
+def _check_version_headers(headers, target, source_label):
+    findings = []
+    for h in VERSION_HEADERS:
+        v = headers.get(h)
+        if not v:
+            continue
+        has_version = _version_in(v)
+        sev = Severity.MEDIUM if has_version else Severity.LOW
+        # Specific: X-AspNet-Version always shows runtime version — HIGH
+        if h.lower().startswith("x-aspnet") and has_version:
+            sev = Severity.HIGH
+        findings.append(
+            Finding(
+                skill_id=SKILL_ID,
+                title=f"{h} header discloses {'version' if has_version else 'product'}: {v[:80]}",
+                severity=sev,
+                target=target,
+                detail=(
+                    f"The {source_label} response includes {h}: {v!r}. "
+                    "Attackers query published CVE catalogs for the disclosed "
+                    "version + family to enumerate exploitable conditions "
+                    "without further probing."
+                ),
+                remediation=_remediation_for_header(h),
+                cwe_id="CWE-200",
+                affected_control="OWASP A05:2021",
+                references=("https://cwe.mitre.org/data/definitions/200.html",),
+                evidence=((f"header:{h}", v),),
+            )
+        )
+    return findings
+
+
+def _check_framework_headers(headers, target, source_label):
+    findings = []
+    for h in FRAMEWORK_HEADERS:
+        v = headers.get(h)
+        if not v:
+            continue
+        findings.append(
+            Finding(
+                skill_id=SKILL_ID,
+                title=f"{h} header discloses stack identification: {v[:80]}",
+                severity=Severity.LOW,
+                target=target,
+                detail=(
+                    f"The {source_label} response includes {h}: {v!r}. "
+                    "Framework identification without version. Combined with "
+                    "version-bearing headers, informs CVE lookup."
+                ),
+                remediation=_remediation_for_header(h),
+                cwe_id="CWE-200",
+                affected_control="OWASP A05:2021",
+                evidence=((f"header:{h}", v),),
+            )
+        )
+    return findings
+
+
+def _check_cookies(headers, target):
+    findings = []
+    set_cookie = headers.get("Set-Cookie", "")
+    if not set_cookie:
+        return findings
+    # requests joins multiple Set-Cookie headers with comma in .headers; iterate
+    # cookie names separately
+    for cookie_blob in set_cookie.split(","):
+        # cookie name is the first token before '='
+        name = cookie_blob.split("=", 1)[0].strip()
+        for default_name, framework in DEFAULT_COOKIES.items():
+            if default_name.endswith("*"):
+                if name.startswith(default_name.rstrip("*")):
+                    break
+            elif name == default_name:
+                break
+        else:
+            continue
+        findings.append(
+            Finding(
+                skill_id=SKILL_ID,
+                title=f"Framework-default cookie name discloses stack: {name} ({framework})",
+                severity=Severity.LOW,
+                target=target,
+                detail=(
+                    f"Set-Cookie name {name!r} matches the conventional "
+                    f"default for {framework}. Combined with other signals, "
+                    "informs framework + version inference."
+                ),
+                remediation=(
+                    "Rename the session cookie to a non-default value. In "
+                    "Express: app.use(session({name: 'sid', ...})). In Spring: "
+                    "server.servlet.session.cookie.name=sid. In Rails: "
+                    "config.session_store :cookie_store, key: '_sid'."
+                ),
+                cwe_id="CWE-200",
+                affected_control="OWASP A05:2021",
+            )
+        )
+    return findings
+
+
+def _check_etag(headers, target):
+    etag = headers.get("ETag", "")
+    if not etag:
+        return []
+    # Apache hex-ETag format: "<inode>-<size>-<mtime>"
+    if re.match(r'^"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"$', etag):
+        return [
+            Finding(
+                skill_id=SKILL_ID,
+                title="ETag format reveals Apache inode-size-mtime triple (cluster-member fingerprint)",
+                severity=Severity.LOW,
+                target=target,
+                detail=(
+                    f"The ETag {etag!r} matches Apache's default "
+                    "inode-size-mtime format. Across a load-balanced cluster, "
+                    "the inode portion distinguishes individual nodes, enabling "
+                    "node-by-node probing."
+                ),
+                remediation=(
+                    "Apache: `FileETag MTime Size` (drop inode). Or `FileETag None` to disable ETags entirely."
+                ),
+                cwe_id="CWE-200",
+            )
+        ]
+    return []
+
+
+def _check_error_disclosure(body_text, target):
+    findings = []
+    sample = (body_text or "")[:8192]
+    for pattern, name in STACK_TRACE_SIGS:
+        if re.search(pattern, sample, re.MULTILINE | re.IGNORECASE):
+            findings.append(
+                Finding(
+                    skill_id=SKILL_ID,
+                    title=f"Error page leaks {name}",
+                    severity=Severity.HIGH,
+                    target=target,
+                    detail=(
+                        f"The error response body contains content matching "
+                        f"the {name} pattern. Server-internal file paths, "
+                        "function names, and framework details are visible to "
+                        "any external requestor that triggers an error."
+                    ),
+                    remediation=(
+                        "Disable detailed error pages in production. Per-stack: "
+                        "Django DEBUG=False, Rails Rails.application.config."
+                        "consider_all_requests_local=false, Spring "
+                        "server.error.include-stacktrace=never, ASP.NET "
+                        "customErrors mode='RemoteOnly', Express "
+                        "app.use(errorHandler({log:false,debug:false}))."
+                    ),
+                    cwe_id="CWE-209",
+                    affected_control="OWASP A05:2021",
+                )
+            )
+            break  # only flag the first stack-trace pattern that matches
+    return findings
+
+
+def _remediation_for_header(header: str) -> str:
+    return {
+        "Server": (
+            "nginx: `server_tokens off;`. Apache: `ServerTokens Prod`. "
+            "Caddy: omitted by default (Caddy 2.x). IIS: "
+            "URL Rewrite module → outbound rule to strip header. "
+            "ALB / CloudFront: response-header policy to drop Server."
+        ),
+        "X-Powered-By": (
+            "PHP: `expose_php = Off` in php.ini. "
+            "Express: `app.disable('x-powered-by')` or `helmet({hidePoweredBy:true})`. "
+            "ASP.NET: web.config customHeaders → removeHeader X-Powered-By."
+        ),
+        "X-AspNet-Version": ('web.config: `<httpRuntime enableVersionHeader="false" />`.'),
+        "X-AspNetMvc-Version": ("Global.asax: `MvcHandler.DisableMvcResponseHeader = true;`."),
+        "X-Runtime": ("Rails: `config.action_dispatch.runtime_response_header = nil`."),
+        "X-Generator": (
+            "Drupal: settings.php → set $config['system.performance']['cache']['page']['max_age']. "
+            "Wordpress: remove_action('wp_head', 'wp_generator')."
+        ),
+        "X-Drupal-Cache": "Drupal: configure reverse proxy to strip the header before serving.",
+        "X-Drupal-Dynamic-Cache": "Drupal: same as above.",
+        "X-Joomla-Version": "Joomla: remove from template metadata.",
+        "Via": (
+            "If the Via header is from your reverse proxy, configure the proxy "
+            "to omit. nginx: `proxy_set_header Via '';`. CloudFront: "
+            "response-header policy to strip Via."
+        ),
+        "X-Rails-Version": "Rails: middleware customization to strip header.",
+        "X-Django-Version": "Django: middleware to strip header.",
+    }.get(header, f"Configure the web stack to omit the {header} header on outbound responses.")
+
+
+def main(argv: list[str] | None = None) -> int:
+    parser = argparse.ArgumentParser(description="Server-software fingerprinter")
+    parser.add_argument("url")
+    parser.add_argument("--authorized", action="store_true")
+    parser.add_argument("--output", default=None)
+    parser.add_argument("--format", choices=("json", "jsonl", "markdown"), default="markdown")
+    parser.add_argument("--min-severity", choices=("critical", "high", "medium", "low", "info"), default="info")
+    parser.add_argument("--timeout", type=float, default=10.0)
+    parser.add_argument(
+        "--trigger-error", action="store_true", help="Send a malformed request to surface error-page disclosure"
+    )
+    args = parser.parse_args(argv)
+
+    require_authorization(args.url, args.authorized)
+
+    sess = make_session(timeout=args.timeout)
+    findings: list[Finding] = []
+
+    # Baseline GET
+    resp = safe_get(sess, args.url, timeout=args.timeout, allow_redirects=False)
+    if resp is None:
+        sys.stderr.write(f"ERROR: target {args.url!r} unreachable\n")
+        return 2
+    headers = dict(resp.headers)
+    findings.extend(_check_version_headers(headers, args.url, "baseline GET"))
+    findings.extend(_check_framework_headers(headers, args.url, "baseline GET"))
+    findings.extend(_check_cookies(headers, args.url))
+    findings.extend(_check_etag(headers, args.url))
+
+    # OPTIONS — different code path may reveal different headers
+    options_resp = safe_options(sess, args.url, timeout=args.timeout)
+    if options_resp is not None:
+        opt_headers = dict(options_resp.headers)
+        # Only flag headers that DIDN'T appear in the GET (dedupe)
+        for h in VERSION_HEADERS + FRAMEWORK_HEADERS:
+            if h in opt_headers and h not in headers:
+                findings.extend(_check_version_headers({h: opt_headers[h]}, args.url, "OPTIONS"))
+                findings.extend(_check_framework_headers({h: opt_headers[h]}, args.url, "OPTIONS"))
+
+    # Optional: error-page disclosure
+    if args.trigger_error:
+        # Send a request with deliberately-malformed path
+        err_url = args.url.rstrip("/") + "/this-route-should-not-exist-" + ("X" * 200)
+        err_resp = safe_get(sess, err_url, timeout=args.timeout, allow_redirects=False)
+        if err_resp is not None and err_resp.status_code >= 400:
+            findings.extend(_check_error_disclosure(err_resp.text, args.url))
+
+    # Severity floor
+    floor = Severity(args.min_severity)
+    findings = [f for f in findings if f.severity.numeric >= floor.numeric]
+
+    emit(findings, args.output, args.format, args.url)
+    return exit_code(findings)
+
+
+if __name__ == "__main__":
+    sys.exit(main())

package/skills/generating-executive-summary/SKILL.md

@@ -0,0 +1,261 @@
+---
+name: generating-executive-summary
+description: |
+  Compose an exec-readable summary from a unified findings JSONL
+  plus the OWASP coverage report. Computes a single engagement
+  risk score (0-100, severity-weighted with OWASP-breadth and
+  governance terms), rolls up findings into headline counts, names
+  the top-3 remediation priorities with effort + impact estimates,
+  and produces a 1-2 page markdown document for a C-level or board
+  audience. Elides technical detail; the vulnerability report is
+  the deep document.
+  Use when: closing an engagement, preparing the exec-readout
+  meeting, packaging for board review, or producing a one-page
+  narrative for auditor / insurer / board.
+  Threshold: input findings missing produces CRITICAL operational
+  finding; otherwise the deliverable is the document itself.
+  Trigger with: "generate exec summary", "executive summary",
+  "C-level readout", "board pentest summary".
+allowed-tools:
+  - Read
+  - Write
+  - Bash(python3:*)
+  - Glob
+disallowed-tools:
+  - Bash(rm:*)
+  - Bash(curl:*)
+  - Bash(wget:*)
+  - Write(.env)
+  - Edit(.env)
+version: 3.0.0-dev
+author: Jeremy Longshore <jeremy@intentsolutions.io>
+license: MIT
+compatibility: Designed for Claude Code
+tags:
+  - security
+  - reporting
+  - executive-summary
+  - risk-score
+  - pentest
+---
+
+# Generating Executive Summary
+
+## Overview
+
+The vulnerability report is comprehensive — every finding, full
+detail, every reference. The C-level reader doesn't open it. They
+ask their security lead "what should I tell the board?" The
+security lead needs a one-page answer.
+
+That one-page answer is the executive summary. It states the
+engagement's bottom line:
+
+- A single risk score (0-100)
+- Headline counts by severity
+- Top-3 remediation priorities, each with rough effort + impact
+- OWASP Top 10 coverage (where the work landed)
+- Engagement scope and authorization summary (what was tested,
+  under what authority, in what window)
+- Next steps the customer's organization should take
+
+The summary doesn't omit anything important; it just compresses.
+The vulnerability report remains the deep artifact for anyone who
+needs the technical detail.
+
+This skill consumes the enriched findings JSONL (after OWASP
+mapping) + the OWASP coverage report + the ROE, computes the risk
+score, picks the top remediation priorities deterministically,
+and renders the document.
+
+## When the skill produces findings
+
+| Finding | Severity | Threshold | Affected control |
+|---|---|---|---|
+| Input findings file missing | **CRITICAL** | Source JSONL doesn't exist | (operational) |
+| OWASP coverage report missing | **HIGH** | Coverage referenced but not present | (operational) |
+| ROE missing | **MEDIUM** | Can still generate summary but lacks scope/authz context | (operational) |
+| Exec summary written cleanly | **INFO** | Confirmation | (informational) |
+| Risk score >75 (high engagement risk) | **HIGH** | Computed risk score elevated | (advisory) |
+| Risk score >90 (critical engagement risk) | **CRITICAL** | Engagement exposed material risk; needs urgent action | (advisory) |
+
+## Risk score (0-100) composition
+
+The single risk score is the headline number on the exec summary.
+The composition is deterministic and documented:
+
+```
+risk = clamp(0, 100,
+    20 * count(CRITICAL)
+  + 10 * count(HIGH)
+  +  3 * count(MEDIUM)
+  +  1 * count(LOW)
+  +  0 * count(INFO)
+  +  5 * (count(distinct OWASP categories touched) - 5 if >5 else 0)
+  - 10 * 1 if engagement was authorized cleanly and in-scope (governance bonus)
+)
+```
+
+The first five terms weight by severity. The OWASP-coverage term
+adds 5 points per category beyond 5 (a broader-finding engagement
+implies broader risk surface). The governance bonus is a -10
+adjustment when ROE was clean — explicit recognition that finding
+problems in a well-governed engagement is HEALTHIER than finding
+the same problems in a chaotic engagement.
+
+Score interpretation:
+
+| Score | Reading |
+|---|---|
+| 0-25 | Low risk: clean engagement OR very narrow scope |
+| 26-50 | Moderate risk: typical engagement with manageable findings |
+| 51-75 | Elevated risk: significant findings, remediation planning required |
+| 76-90 | High risk: material findings; executive attention warranted |
+| 91-100 | Critical risk: urgent remediation required; consider treating as incident |
+
+## Top-3 remediation priorities
+
+The skill picks top-3 priorities deterministically by:
+
+1. Severity (CRITICAL > HIGH > MEDIUM > LOW)
+2. Reachability — findings affecting many targets weight higher
+3. Tie-breaker: alphabetical by title for stable output
+
+Each priority gets:
+
+- A one-line headline
+- Estimated effort (Hours / Days / Weeks)
+- Estimated impact (Limited / Significant / Material)
+- Pointer to the corresponding finding section in the
+  vulnerability report
+
+Effort + impact are heuristic estimates based on the source
+skill's category — operator can override via `--priority-overrides`
+for cases where the heuristic is wrong.
+
+## Prerequisites
+
+- Python 3.9+
+- Findings JSONL at `engagement/findings/all-with-owasp.jsonl`
+  (output of `mapping-findings-to-owasp-top10`) OR an explicit
+  `--source FILE`
+- OWASP coverage report at `engagement/reports/owasp-coverage.md`
+  (referenced; optional)
+- ROE at `engagement/roe.yaml` (referenced for scope summary)
+
+## Instructions
+
+### Step 1 — Verify the inputs are present
+
+```bash
+ls engagements/acme-2026-q2/findings/all-with-owasp.jsonl
+ls engagements/acme-2026-q2/reports/owasp-coverage.md
+ls engagements/acme-2026-q2/roe.yaml
+```
+
+All three should exist for a complete summary. The skill works
+without the coverage report or ROE but the summary is less
+complete.
+
+### Step 2 — Generate the summary
+
+```bash
+python3 ./scripts/exec_summary.py engagements/acme-2026-q2/
+```
+
+Options:
+
+```
+Usage: exec_summary.py PATH [OPTIONS]
+
+Options:
+  --source FILE              Findings JSONL (default: PATH/findings/all-with-owasp.jsonl)
+  --coverage FILE            OWASP coverage report (default: PATH/reports/owasp-coverage.md)
+  --roe FILE                 ROE (default: PATH/roe.yaml)
+  --summary-output FILE      Output path (default: PATH/reports/executive-summary.md)
+  --output FILE              Operational findings output
+  --format FMT               json | jsonl | markdown (default: markdown)
+  --min-severity SEV         default info
+  --priority-overrides FILE  YAML overriding the top-3 priorities
+```
+
+### Step 3 — Review the risk score
+
+If the score is in 76-100 range, the operator should sanity-check
+before delivering: did the underlying findings actually warrant
+the elevated reading, or did a few INFO-tagged findings get
+mis-categorized as HIGH?
+
+### Step 4 — Hand off
+
+The exec summary is intended as a standalone artifact. Deliver to
+the customer's exec readout meeting, along with the full
+vulnerability report.
+
+## Examples
+
+### Example 1 — End-of-engagement summary
+
+```bash
+python3 ./scripts/exec_summary.py engagements/acme-2026-q2/
+```
+
+### Example 2 — Board-ready summary (force-includes governance section)
+
+```bash
+python3 ./scripts/exec_summary.py engagements/acme-2026-q2/ \
+    --summary-output engagements/acme-2026-q2/reports/board-summary.md
+```
+
+### Example 3 — Override priorities
+
+```yaml
+# priorities-override.yaml
+- title: "Hardcoded AWS access key in source"
+  effort: Hours
+  impact: Material
+  rationale: This is the single highest-priority remediation regardless of count.
+```
+
+```bash
+python3 ./scripts/exec_summary.py engagements/acme-2026-q2/ \
+    --priority-overrides priorities-override.yaml
+```
+
+## Output
+
+JSON / JSONL / Markdown per `lib/report.py` for operational
+findings. PRIMARY output: the executive-summary markdown
+document.
+
+Operational Finding includes:
+
+- `id` — `exec::<issue>`
+- `severity` — varies
+- `category` — `executive-summary`
+- `summary` — what was generated
+- `evidence` — risk score, finding count, top priorities, output path
+
+## Error Handling
+
+- **No findings source** → CRITICAL operational finding, exits 1.
+- **Source JSONL unparseable** → HIGH, exits 1.
+- **No findings at all** → emits LOW operational finding noting
+  the empty engagement; the document is generated but says so.
+- **Coverage report missing** → MEDIUM, document is generated
+  without the coverage-narrative section.
+- **ROE missing** → MEDIUM, document is generated without the
+  scope/authorization section.
+
+## Resources
+
+- `references/THEORY.md` — Executive-summary writing as a
+  technical-communication discipline, single-number risk
+  scoring tradeoffs, why deterministic priority selection beats
+  human-curated for reproducibility, how the score interpretation
+  bands were chosen, comparison with CVSS / DREAD / STRIDE risk
+  models
+- `references/PLAYBOOK.md` — Per-audience customizations (board,
+  C-suite, security leadership, customer auditor), summary length
+  guidelines, common rewrite patterns, integration with the
+  composing + mapping skills, post-delivery follow-up cadence