@pensar/apex 2.0.1 → 2.0.2-canary.9e4e15cf
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/{agent-x7n47c84.js → agent-1jp62njk.js} +9 -9
- package/build/{agent-6nhperp2.js → agent-1zfxfgfr.js} +9 -7
- package/build/agent-ssm6x6qs.js +19 -0
- package/build/{apps-2ac4vt09.js → apps-2qd57k2z.js} +20 -15
- package/build/{auth-bmt98hz0.js → auth-bwb51krx.js} +15 -15
- package/build/authentication-3p84dzrr.js +19 -0
- package/build/blackboxAgent-dn68r23n.js +19 -0
- package/build/{blackboxPentest-xngbtdxb.js → blackboxPentest-txe2h6h0.js} +13 -13
- package/build/{cli-0yptvbbm.js → cli-0t1j4jh4.js} +9 -8
- package/build/{cli-fxtbkw2f.js → cli-3n78e7hs.js} +3 -3
- package/build/{cli-hk03x6fq.js → cli-8pw332mm.js} +2 -1
- package/build/{cli-z1dapp7v.js → cli-dk63pna5.js} +48 -11
- package/build/{cli-mfzkhttr.js → cli-e450tvx3.js} +11 -9
- package/build/{cli-f93g10xk.js → cli-jd0bfde5.js} +2 -2
- package/build/{cli-w2st266h.js → cli-jh6k2m9z.js} +31 -2
- package/build/{cli-88bhxzr1.js → cli-kj5vjbnd.js} +1 -1
- package/build/{cli-eptabm2j.js → cli-kxpba6jy.js} +1 -1
- package/build/{cli-1f5zzrxj.js → cli-nc2yvszh.js} +1 -1
- package/build/{cli-8g5cwvbm.js → cli-p904s2yj.js} +1 -1
- package/build/{cli-fa7nrded.js → cli-ppq4kh08.js} +3 -3
- package/build/{cli-zpdmnz8c.js → cli-qdh225p7.js} +353 -227
- package/build/{cli-cc13ydyx.js → cli-w1nb1y6h.js} +1 -1
- package/build/{cli-pyzw545d.js → cli-xcr4rax4.js} +23 -5
- package/build/{cli-ddtmgbqv.js → cli-za4t23gh.js} +2 -2
- package/build/cli.js +44 -39
- package/build/{config-j0gfjhrm.js → config-6s6jsd2a.js} +3 -3
- package/build/{doctor-zn8ms7gs.js → doctor-yh7zdmgt.js} +6 -6
- package/build/{fixes-d8ytvyzn.js → fixes-0xebnr67.js} +15 -15
- package/build/{index-528cyewc.js → index-k3f1hxpe.js} +17 -17
- package/build/{index-3cbcjqw1.js → index-kjky8ack.js} +9 -9
- package/build/{index-hjvqqkem.js → index-qfveae0v.js} +4 -4
- package/build/{index-a1sy2zak.js → index-ss31xhpj.js} +2 -2
- package/build/{index-9d2es97h.js → index-t3rffyf8.js} +3 -3
- package/build/{index-2t2cg8x0.js → index-w81kvhhz.js} +8 -8
- package/build/{index-k6ttkac6.js → index-zgr0dv9e.js} +6 -6
- package/build/{issues-17kdjtdg.js → issues-zjybm91e.js} +15 -15
- package/build/{logs-r4rjar4m.js → logs-t0vtg96a.js} +15 -15
- package/build/{offesecAgent-azd8ahkm.js → offesecAgent-kfjetqzw.js} +8 -8
- package/build/pentest-043y2x03.js +28 -0
- package/build/{pentests-npjb5q1h.js → pentests-h2mk21aq.js} +15 -15
- package/build/{targetedPentest-m24wvscc.js → targetedPentest-m6k9nde8.js} +9 -9
- package/build/targets-pknexde1.js +113 -0
- package/build/threatModel-mb9340cz.js +26 -0
- package/build/{uninstall-7pm6zcah.js → uninstall-bnamn9pn.js} +1 -1
- package/build/{upload-wg0vxmk0.js → upload-xrbxx4hz.js} +6 -6
- package/build/{utils-gd1y4t26.js → utils-6e1wgez0.js} +5 -5
- package/package.json +9 -8
- package/build/agent-4g69jwmq.js +0 -19
- package/build/authentication-c0aj9zaz.js +0 -19
- package/build/blackboxAgent-sgph70e4.js +0 -19
- package/build/pentest-2vsjf0j8.js +0 -28
- package/build/threatModel-7akmfzzm.js +0 -26
|
@@ -2,13 +2,13 @@ import {
|
|
|
2
2
|
OffensiveSecurityAgent,
|
|
3
3
|
isMemoryEnabled,
|
|
4
4
|
readPlan
|
|
5
|
-
} from "./cli-
|
|
5
|
+
} from "./cli-qdh225p7.js";
|
|
6
6
|
import {
|
|
7
7
|
createLogger,
|
|
8
8
|
init_lazyLogger,
|
|
9
9
|
init_structured,
|
|
10
10
|
scopedLogger
|
|
11
|
-
} from "./cli-
|
|
11
|
+
} from "./cli-dk63pna5.js";
|
|
12
12
|
import {
|
|
13
13
|
exports_external1 as exports_external,
|
|
14
14
|
init_zod
|
|
@@ -170,6 +170,27 @@ var SECTION_CREDENTIAL_DISCOVERY = `Credential & Secret Discovery:
|
|
|
170
170
|
- Mention the public identifiers only as supporting context, not as additional secrets
|
|
171
171
|
- When validating an exposed key, verify what access it actually grants. A key that returns 200 on a single endpoint is less severe than a key that provides access to user data, admin functions, or billing APIs.
|
|
172
172
|
- Title findings precisely: "Exposed Backend API Key" is better than "Hardcoded API Keys and AWS Infrastructure Configuration" which conflates secret and non-secret data.`;
|
|
173
|
+
var SECTION_FINDING_QUALITY = `Finding Framing, Titles & Remediation:
|
|
174
|
+
|
|
175
|
+
Lead with the strongest demonstrated impact:
|
|
176
|
+
- The title and the FIRST sentence of the description must state the strongest impact you actually PROVED, not the weakest observable symptom. If your POC reads file/record contents belonging to another tenant, the finding is "unauthorized cross-tenant data access" / IDOR — NOT "enumeration" or "status-code oracle", even if an oracle is how you first noticed it. Frame around the data you accessed, then mention the oracle/mechanism as the technique.
|
|
177
|
+
- Do not bury a high-impact result inside a low-impact framing. If you can access content, your evidence must show the content you accessed (and that the test identity should not have access to it), not merely that an ID exists.
|
|
178
|
+
|
|
179
|
+
Title hygiene:
|
|
180
|
+
- A title names the vulnerability class + the affected component or root cause (e.g. "Authorization Bypass Leaks Page Content for All /dev Routes via RSC 307 Body").
|
|
181
|
+
- When the root cause is systemic (one shared layout, middleware, or helper affecting many routes), title it for the systemic cause, NOT a single example route. Do not title a class-wide issue after one instance like "/dev/colors" when the body says "any /dev page".
|
|
182
|
+
- No editorial asides or comparisons in titles (e.g. drop "(Distinct from the Egnyte Callback)"). The title must be consistent with the scope stated in the description.
|
|
183
|
+
|
|
184
|
+
Prove the access-model delta (authorization / IDOR / data-exposure findings):
|
|
185
|
+
- Explicitly state the access model: which identity/role you tested as, and what that identity should vs should not be able to see.
|
|
186
|
+
- Prove the boundary was actually crossed: show that the data returned belongs to a DIFFERENT tenant/user, or is admin-only data a member should not see. A 200 response or a bypassed redirect is NOT sufficient on its own — demonstrate that the exposed data is sensitive and out-of-scope for the test identity.
|
|
187
|
+
- If you bypassed an authorization boundary but the data returned is non-sensitive or plausibly same-tenant/expected-visible, say so plainly in the evidence and impact. This is still a boundary failure worth reporting, but do not overstate the confidentiality impact — let the CVSS reflect what was actually exposed.
|
|
188
|
+
- When you cannot confirm whether exposed data is cross-tenant vs same-tenant, state the uncertainty rather than assuming the worst case.
|
|
189
|
+
|
|
190
|
+
Remediation quality:
|
|
191
|
+
- Give specific, root-cause remediation — not generic "add an authorization check".
|
|
192
|
+
- For authorization failures, emphasize enforcing the check AT the data-access boundary (in the data-fetching function / handler), not relying solely on layout-, middleware-, or routing-level protection that streaming, prefetch, or direct calls can bypass. Name the anti-pattern when present.
|
|
193
|
+
- OAuth state / CSRF / PKCE: the core requirement is a state value that is unguessable (high-entropy random), bound to the user/session that initiated the flow, single-use, and validated on return — or PKCE as an equivalent fix. Frame these as the primary remediation. HMAC-signing or encrypting the state is valid defense-in-depth, but do NOT present "lacks cryptographic signature" as the core issue when an unguessable, properly-bound, validated state (or PKCE) resolves it.`;
|
|
173
194
|
var SECTION_SECURITY_HEADERS_CORS = `Security Headers & CORS:
|
|
174
195
|
- Do NOT recommend X-XSS-Protection — it is deprecated by all major browsers (Chrome, Firefox, Edge). Recommend Content-Security-Policy instead.
|
|
175
196
|
- CORS analysis must account for the endpoint's authentication model:
|
|
@@ -239,6 +260,8 @@ ${SECTION_CREDENTIAL_DISCOVERY}
|
|
|
239
260
|
|
|
240
261
|
${SECTION_SECURITY_HEADERS_CORS}
|
|
241
262
|
|
|
263
|
+
${SECTION_FINDING_QUALITY}
|
|
264
|
+
|
|
242
265
|
${SECTION_STATE_CHECKPOINTING}`;
|
|
243
266
|
var PENTEST_SYSTEM_PROMPT_EXFIL = `You are an expert penetration tester performing a targeted security assessment with the goal of demonstrating full exploit impact.
|
|
244
267
|
|
|
@@ -283,6 +306,8 @@ ${SECTION_CREDENTIAL_DISCOVERY}
|
|
|
283
306
|
|
|
284
307
|
${SECTION_SECURITY_HEADERS_CORS}
|
|
285
308
|
|
|
309
|
+
${SECTION_FINDING_QUALITY}
|
|
310
|
+
|
|
286
311
|
${SECTION_STATE_CHECKPOINTING}`;
|
|
287
312
|
var PENTEST_SYSTEM_PROMPT_TASK_DRIVEN = `You are an expert penetration tester performing a targeted security assessment.
|
|
288
313
|
|
|
@@ -321,6 +346,8 @@ ${SECTION_CREDENTIAL_DISCOVERY}
|
|
|
321
346
|
|
|
322
347
|
${SECTION_SECURITY_HEADERS_CORS}
|
|
323
348
|
|
|
349
|
+
${SECTION_FINDING_QUALITY}
|
|
350
|
+
|
|
324
351
|
${SECTION_STATE_CHECKPOINTING}`;
|
|
325
352
|
var PENTEST_SYSTEM_PROMPT_TASK_DRIVEN_EXFIL = `You are an expert penetration tester performing a targeted security assessment with the goal of demonstrating full exploit impact.
|
|
326
353
|
|
|
@@ -359,6 +386,8 @@ ${SECTION_CREDENTIAL_DISCOVERY}
|
|
|
359
386
|
|
|
360
387
|
${SECTION_SECURITY_HEADERS_CORS}
|
|
361
388
|
|
|
389
|
+
${SECTION_FINDING_QUALITY}
|
|
390
|
+
|
|
362
391
|
${SECTION_STATE_CHECKPOINTING}`;
|
|
363
392
|
function buildPentestSystemPrompt(session, role = "orchestrator") {
|
|
364
393
|
if (role === "orchestrator") {
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
import {
|
|
2
2
|
OffensiveSecurityAgent
|
|
3
|
-
} from "./cli-
|
|
3
|
+
} from "./cli-qdh225p7.js";
|
|
4
4
|
import {
|
|
5
5
|
detectOSAndEnhancePrompt
|
|
6
|
-
} from "./cli-
|
|
6
|
+
} from "./cli-w1nb1y6h.js";
|
|
7
7
|
import {
|
|
8
8
|
createLogger,
|
|
9
9
|
hasToolCall,
|
|
@@ -11,7 +11,7 @@ import {
|
|
|
11
11
|
init_lazyLogger,
|
|
12
12
|
init_structured,
|
|
13
13
|
scopedLogger
|
|
14
|
-
} from "./cli-
|
|
14
|
+
} from "./cli-dk63pna5.js";
|
|
15
15
|
|
|
16
16
|
// src/core/agents/specialized/authenticationAgent/agent.ts
|
|
17
17
|
init_dist();
|