@pensar/apex 2.1.2 → 2.1.3-canary.15e34bf1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/agent-3ktj43z9.js +19 -0
- package/build/{agent-vdrtakz4.js → agent-3s7c1qrd.js} +10 -10
- package/build/{agent-737mxp3v.js → agent-v3d0ssgy.js} +8 -8
- package/build/{apps-j0bwey0w.js → apps-rk071a9p.js} +16 -16
- package/build/{auth-5stxpmga.js → auth-cnc8b1tj.js} +16 -16
- package/build/authentication-hrwp9bw8.js +19 -0
- package/build/blackboxAgent-fzp5cyvr.js +19 -0
- package/build/{blackboxPentest-2edr9rj3.js → blackboxPentest-b6cpqtkh.js} +14 -14
- package/build/{cli-9vzc18m5.js → cli-1kgqgq0a.js} +30 -17
- package/build/{cli-f7d23ded.js → cli-29yqhrjq.js} +936 -1775
- package/build/{cli-0gk2x2sc.js → cli-2zbvtnrx.js} +16 -18
- package/build/{cli-gbkj2has.js → cli-49kwknjj.js} +3 -3
- package/build/{cli-35czfv00.js → cli-4xz6rqg5.js} +70821 -79369
- package/build/{cli-ks60cc3h.js → cli-7y6dwmn8.js} +30 -30
- package/build/{cli-whtdyc0e.js → cli-84pr5q33.js} +4 -4
- package/build/{cli-dqkdnd3c.js → cli-8vaa0frx.js} +88 -49
- package/build/{cli-jd0c0b91.js → cli-9m9d9vtm.js} +1 -1
- package/build/{cli-hj3t87r2.js → cli-dh7tfkre.js} +1 -1
- package/build/{cli-6vs0mtsb.js → cli-eh6nrt6s.js} +2 -2
- package/build/{cli-9z6vwf30.js → cli-h7w8nj1x.js} +1 -1
- package/build/{cli-v1aqbv58.js → cli-nm2jskqg.js} +25040 -26995
- package/build/{cli-6wwpk9d9.js → cli-r5n86ej6.js} +1 -1
- package/build/{cli-xnnkeg5p.js → cli-td2vwxvv.js} +1 -1
- package/build/{cli-yjbkaqvy.js → cli-xe08y0nv.js} +43 -13
- package/build/{cli-tw3fe8bj.js → cli-yqtxtvg8.js} +2 -2
- package/build/cli.js +109 -88
- package/build/{config-s5ryv5ez.js → config-nvgzsffk.js} +3 -3
- package/build/{doctor-f08gegwc.js → doctor-785qvedj.js} +7 -7
- package/build/{fixes-qf4s92z2.js → fixes-xhr8ghx7.js} +16 -16
- package/build/{index-s8gw83d6.js → index-2edcw64j.js} +17 -11
- package/build/{index-sqjve2bm.js → index-e9rxwzqv.js} +2 -2
- package/build/{index-gakk2t5q.js → index-kx3w10s2.js} +18 -18
- package/build/{index-mgng15va.js → index-n1yh9e86.js} +909 -456
- package/build/{index-exvkbve0.js → index-ng1a7q8g.js} +4 -4
- package/build/{index-x4xefngs.js → index-qcf9f2n7.js} +3 -3
- package/build/{index-5h1hjhzw.js → index-y5bdx5j1.js} +10 -10
- package/build/{index-c6qz0gve.js → index-z35ctxx8.js} +7 -7
- package/build/{issues-5anqrh2j.js → issues-jwfdctks.js} +16 -16
- package/build/{logs-q6ankt6m.js → logs-8h7pwx7s.js} +16 -16
- package/build/{main-3zneyg7p.js → main-3d7dfdvs.js} +17 -93
- package/build/{offesecAgent-hsej0pfc.js → offesecAgent-yxaxnxwk.js} +9 -9
- package/build/pentest-a87kxj2v.js +28 -0
- package/build/{pentests-hyx3c3qa.js → pentests-6nhr9rdv.js} +16 -16
- package/build/{targetedPentest-ws0a7frk.js → targetedPentest-jyzcm9cx.js} +18 -11
- package/build/{targets-9cqrshet.js → targets-wbxhcpb8.js} +16 -16
- package/build/threatModel-0qpzh1jb.js +26 -0
- package/build/{uninstall-1j469qj7.js → uninstall-57tdyecc.js} +1 -1
- package/build/{upload-ymvhkyq5.js → upload-tvad5wre.js} +7 -7
- package/build/{utils-d1ed6jzf.js → utils-e14mz7h9.js} +6 -6
- package/package.json +30 -30
- package/build/agent-8w9h3tnw.js +0 -19
- package/build/authentication-qswvctj4.js +0 -19
- package/build/blackboxAgent-vwm9t3h4.js +0 -19
- package/build/pentest-1e30q7rs.js +0 -28
- package/build/threatModel-z9b213x8.js +0 -26
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
import {
|
|
2
2
|
OffensiveSecurityAgent
|
|
3
|
-
} from "./cli-
|
|
3
|
+
} from "./cli-4xz6rqg5.js";
|
|
4
4
|
import {
|
|
5
5
|
detectOSAndEnhancePrompt
|
|
6
|
-
} from "./cli-
|
|
6
|
+
} from "./cli-r5n86ej6.js";
|
|
7
7
|
import {
|
|
8
8
|
createLogger,
|
|
9
9
|
hasToolCall,
|
|
@@ -11,7 +11,7 @@ import {
|
|
|
11
11
|
init_lazyLogger,
|
|
12
12
|
init_structured,
|
|
13
13
|
scopedLogger
|
|
14
|
-
} from "./cli-
|
|
14
|
+
} from "./cli-nm2jskqg.js";
|
|
15
15
|
|
|
16
16
|
// src/core/agents/specialized/authenticationAgent/agent.ts
|
|
17
17
|
init_dist();
|
|
@@ -37,9 +37,9 @@ Obtain valid credentials/sessions that other agents can use for authenticated te
|
|
|
37
37
|
# Available Tools
|
|
38
38
|
|
|
39
39
|
## API Authentication
|
|
40
|
-
- \`
|
|
41
|
-
|
|
42
|
-
|
|
40
|
+
- \`execute_command\` — Run curl (or other shell commands) to submit credentials via form POST,
|
|
41
|
+
JSON POST, or HTTP Basic auth, and to capture the Set-Cookie / token response. Use this for all
|
|
42
|
+
custom and complex API auth flows.
|
|
43
43
|
|
|
44
44
|
## Browser Authentication
|
|
45
45
|
- \`browser_navigate\` — Navigate to login page
|
|
@@ -77,11 +77,11 @@ Look for:
|
|
|
77
77
|
## Step 2: Authenticate
|
|
78
78
|
|
|
79
79
|
### API path (use when target is an API or has a simple form):
|
|
80
|
-
1.
|
|
81
|
-
- \`
|
|
82
|
-
- \`
|
|
83
|
-
- \`
|
|
84
|
-
2.
|
|
80
|
+
1. Use \`execute_command\` with curl to submit the credentials, matching the target's scheme:
|
|
81
|
+
- \`curl -i -d 'username=...&password=...' <loginUrl>\` for HTML form POST
|
|
82
|
+
- \`curl -i -H 'Content-Type: application/json' -d '{"username":"...","password":"..."}' <loginUrl>\` for JSON APIs
|
|
83
|
+
- \`curl -i -u '<user>:<pass>' <url>\` for HTTP Basic
|
|
84
|
+
2. Inspect the response (\`-i\` shows headers) — capture any \`Set-Cookie\` value or token to use as the session credential.
|
|
85
85
|
|
|
86
86
|
### Browser path (use for SPAs, OAuth, JS-rendered forms):
|
|
87
87
|
1. \`browser_navigate\` to the login URL
|
|
@@ -113,7 +113,7 @@ If both API and browser approaches fail, use \`delegate_to_auth_subagent\` for c
|
|
|
113
113
|
**First**, call \`complete_authentication\` with:
|
|
114
114
|
- \`success\`: whether auth succeeded
|
|
115
115
|
- \`summary\`: what happened and what credentials/cookies were obtained
|
|
116
|
-
- \`exportedCookies\`: the cookie string for downstream HTTP requests (from browser_get_cookies cookieHeader or
|
|
116
|
+
- \`exportedCookies\`: the cookie string for downstream HTTP requests (from browser_get_cookies cookieHeader or the Set-Cookie header in the curl response)
|
|
117
117
|
- \`exportedHeaders\`: auth headers map, e.g. {"Authorization": "Bearer <token>"} (from browser_evaluate localStorage tokens or API response)
|
|
118
118
|
- \`strategy\`: method used ("browser", "form_post", "json_post", "basic_auth", "bearer")
|
|
119
119
|
- \`authBarrier\`: if a barrier was encountered (captcha, mfa, etc.)
|
|
@@ -199,7 +199,6 @@ class AuthenticationAgent extends OffensiveSecurityAgent {
|
|
|
199
199
|
toolChoice: "auto",
|
|
200
200
|
activeTools: [
|
|
201
201
|
"execute_command",
|
|
202
|
-
"authenticate_session",
|
|
203
202
|
"complete_authentication",
|
|
204
203
|
"browser_navigate",
|
|
205
204
|
"browser_snapshot",
|
|
@@ -294,17 +293,16 @@ function buildAuthPrompt(target, authHints, credentialManager, context) {
|
|
|
294
293
|
if (credBlock) {
|
|
295
294
|
parts.push(`INSTRUCTIONS:
|
|
296
295
|
You have credentials available via credential IDs — authenticate immediately.
|
|
297
|
-
1.
|
|
298
|
-
2.
|
|
296
|
+
1. For API/form logins, use execute_command (curl) to submit credentials and capture the Set-Cookie / token response
|
|
297
|
+
2. For browser-based logins, use the browser tools. For browser_fill on password/secret fields,
|
|
299
298
|
pass credentialId + credentialField (e.g. credentialField="password") instead of the raw value —
|
|
300
299
|
the secret is resolved securely at execution time. NEVER type a password directly.
|
|
301
300
|
3. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
|
|
302
301
|
} else {
|
|
303
302
|
parts.push(`INSTRUCTIONS:
|
|
304
303
|
1. Probe the target with execute_command (curl) to determine the auth mechanism
|
|
305
|
-
2. Attempt authentication with
|
|
306
|
-
3.
|
|
307
|
-
4. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
|
|
304
|
+
2. Attempt authentication with execute_command (curl) or the browser tools
|
|
305
|
+
3. Call complete_authentication with exported cookies/headers to persist credentials and end the run`);
|
|
308
306
|
}
|
|
309
307
|
return parts.join(`
|
|
310
308
|
`);
|
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
import {
|
|
2
2
|
OffensiveSecurityAgent
|
|
3
|
-
} from "./cli-
|
|
3
|
+
} from "./cli-4xz6rqg5.js";
|
|
4
4
|
import {
|
|
5
5
|
hasToolCall,
|
|
6
6
|
init_dist
|
|
7
|
-
} from "./cli-
|
|
7
|
+
} from "./cli-nm2jskqg.js";
|
|
8
8
|
import {
|
|
9
9
|
exports_external,
|
|
10
10
|
init_zod,
|
|
11
11
|
tool
|
|
12
|
-
} from "./cli-
|
|
12
|
+
} from "./cli-29yqhrjq.js";
|
|
13
13
|
|
|
14
14
|
// src/core/agents/specialized/whiteboxAttackSurface/agent.ts
|
|
15
15
|
init_dist();
|