security-mcp 1.1.4 → 1.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +341 -1018
- package/defaults/checklists/ai.json +20 -1
- package/defaults/checklists/api.json +35 -1
- package/defaults/checklists/infra.json +34 -1
- package/defaults/checklists/mobile.json +23 -1
- package/defaults/checklists/payments.json +15 -1
- package/defaults/checklists/web.json +11 -1
- package/defaults/cloud-controls/aws.json +10712 -0
- package/defaults/cloud-controls/azure.json +7201 -0
- package/defaults/cloud-controls/gcp.json +4061 -0
- package/defaults/control-catalog.json +24 -0
- package/defaults/security-policy.json +2 -2
- package/dist/ci/pr-gate.js +22 -5
- package/dist/cli/index.js +73 -2
- package/dist/cli/install.js +4 -55
- package/dist/cli/onboarding.js +18 -10
- package/dist/gate/baseline.js +82 -7
- package/dist/gate/catalog.js +10 -2
- package/dist/gate/checks/agentic-instructions.js +515 -0
- package/dist/gate/checks/ai-governance.js +132 -0
- package/dist/gate/checks/ai.js +757 -39
- package/dist/gate/checks/auth-deep.js +920 -216
- package/dist/gate/checks/business-logic.js +751 -0
- package/dist/gate/checks/ci-pipeline.js +399 -4
- package/dist/gate/checks/cloud-controls.js +69 -0
- package/dist/gate/checks/crypto.js +423 -2
- package/dist/gate/checks/data-platform.js +954 -0
- package/dist/gate/checks/dependencies.js +582 -15
- package/dist/gate/checks/docker-deep.js +1236 -0
- package/dist/gate/checks/gitops.js +724 -0
- package/dist/gate/checks/graphql.js +201 -19
- package/dist/gate/checks/iac.js +1230 -0
- package/dist/gate/checks/infra.js +246 -1
- package/dist/gate/checks/injection-deep.js +827 -184
- package/dist/gate/checks/k8s.js +955 -2
- package/dist/gate/checks/mobile-android.js +917 -3
- package/dist/gate/checks/mobile-ios.js +797 -5
- package/dist/gate/checks/required-artifacts.js +194 -0
- package/dist/gate/checks/runtime.js +178 -0
- package/dist/gate/checks/secrets.js +256 -13
- package/dist/gate/checks/supply-chain-deep.js +787 -0
- package/dist/gate/checks/web-nextjs.js +572 -48
- package/dist/gate/cloud-controls/apply.js +115 -0
- package/dist/gate/cloud-controls/bicep.js +36 -0
- package/dist/gate/cloud-controls/cfn.js +125 -0
- package/dist/gate/cloud-controls/detect.js +104 -0
- package/dist/gate/cloud-controls/hcl.js +140 -0
- package/dist/gate/cloud-controls/types.js +87 -0
- package/dist/gate/diff.js +17 -5
- package/dist/gate/evidence.js +8 -1
- package/dist/gate/exceptions.js +202 -9
- package/dist/gate/findings.js +15 -2
- package/dist/gate/policy.js +316 -130
- package/dist/gate/threat-intel.js +6 -0
- package/dist/mcp/audit-chain.js +131 -28
- package/dist/mcp/auth.js +169 -0
- package/dist/mcp/learning.js +129 -4
- package/dist/mcp/model-router.js +161 -24
- package/dist/mcp/orchestration.js +377 -89
- package/dist/mcp/server.js +460 -69
- package/dist/mcp/tool-audit.js +193 -0
- package/dist/repo/fs.js +37 -1
- package/dist/repo/search.js +31 -6
- package/dist/review/store.js +56 -3
- package/dist/tests/run.js +124 -1
- package/package.json +9 -9
- package/skills/_TEMPLATE/SKILL.md +99 -0
- package/skills/advanced-dos-tester/SKILL.md +118 -0
- package/skills/agentic-instruction-auditor/SKILL.md +111 -0
- package/skills/agentic-loop-exploiter/SKILL.md +377 -0
- package/skills/ai-llm-redteam/SKILL.md +113 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
- package/skills/android-penetration-tester/SKILL.md +464 -46
- package/skills/anti-replay-tester/SKILL.md +115 -0
- package/skills/appsec-code-auditor/SKILL.md +94 -0
- package/skills/artifact-integrity-analyst/SKILL.md +450 -0
- package/skills/attack-navigator/SKILL.md +476 -8
- package/skills/auth-session-hacker/SKILL.md +111 -0
- package/skills/aws-penetration-tester/SKILL.md +510 -0
- package/skills/azure-penetration-tester/SKILL.md +542 -3
- package/skills/binary-auth-validator/SKILL.md +120 -0
- package/skills/bot-detection-specialist/SKILL.md +118 -0
- package/skills/business-logic-attacker/SKILL.md +240 -0
- package/skills/capec-code-mapper/SKILL.md +93 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
- package/skills/ciso-orchestrator/SKILL.md +465 -43
- package/skills/cloud-infra-specialist/SKILL.md +127 -0
- package/skills/compliance-gap-analyst/SKILL.md +431 -0
- package/skills/compliance-grc/SKILL.md +94 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
- package/skills/container-hardening-auditor/SKILL.md +125 -0
- package/skills/credential-stuffing-specialist/SKILL.md +111 -0
- package/skills/crypto-pki-specialist/SKILL.md +96 -0
- package/skills/csa-ccm-mapper/SKILL.md +93 -0
- package/skills/csf2-governance-mapper/SKILL.md +93 -0
- package/skills/data-platform-auditor/SKILL.md +125 -0
- package/skills/deep-link-fuzzer/SKILL.md +118 -0
- package/skills/dependency-confusion-attacker/SKILL.md +424 -0
- package/skills/device-integrity-aggregator/SKILL.md +117 -0
- package/skills/dos-resilience-tester/SKILL.md +106 -0
- package/skills/dread-scorer/SKILL.md +93 -0
- package/skills/egress-policy-enforcer/SKILL.md +108 -0
- package/skills/evidence-collector/SKILL.md +107 -0
- package/skills/file-upload-attacker/SKILL.md +118 -0
- package/skills/gcp-penetration-tester/SKILL.md +510 -2
- package/skills/git-history-secret-scanner/SKILL.md +115 -0
- package/skills/gitops-delivery-auditor/SKILL.md +120 -0
- package/skills/iac-security-auditor/SKILL.md +125 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
- package/skills/incident-responder/SKILL.md +120 -0
- package/skills/injection-specialist/SKILL.md +111 -0
- package/skills/ios-security-auditor/SKILL.md +291 -0
- package/skills/json-ambiguity-tester/SKILL.md +145 -0
- package/skills/k8s-container-escaper/SKILL.md +406 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
- package/skills/kill-switch-engineer/SKILL.md +111 -0
- package/skills/linddun-privacy-analyst/SKILL.md +111 -0
- package/skills/logic-race-fuzzer/SKILL.md +452 -0
- package/skills/mobile-api-network-attacker/SKILL.md +430 -0
- package/skills/mobile-binary-hardener/SKILL.md +111 -0
- package/skills/mobile-security-specialist/SKILL.md +94 -0
- package/skills/mobile-webview-auditor/SKILL.md +105 -0
- package/skills/model-extraction-attacker/SKILL.md +228 -0
- package/skills/multipart-abuse-tester/SKILL.md +93 -0
- package/skills/oauth-pkce-specialist/SKILL.md +113 -0
- package/skills/parser-exhaustion-tester/SKILL.md +151 -0
- package/skills/pentest-infra/SKILL.md +107 -0
- package/skills/pentest-social/SKILL.md +210 -0
- package/skills/pentest-team/SKILL.md +96 -0
- package/skills/pentest-web-api/SKILL.md +107 -0
- package/skills/privacy-flow-analyst/SKILL.md +243 -0
- package/skills/prompt-injection-specialist/SKILL.md +403 -0
- package/skills/quantum-migration-planner/SKILL.md +105 -0
- package/skills/rag-poisoning-specialist/SKILL.md +367 -0
- package/skills/registry-mirror-enforcer/SKILL.md +93 -0
- package/skills/rotation-validation-agent/SKILL.md +121 -0
- package/skills/samm-assessor/SKILL.md +94 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
- package/skills/senior-security-engineer/SKILL.md +178 -0
- package/skills/serialization-memory-attacker/SKILL.md +341 -0
- package/skills/session-timeout-tester/SKILL.md +170 -0
- package/skills/slsa-level3-enforcer/SKILL.md +121 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
- package/skills/ssrf-detection-validator/SKILL.md +117 -0
- package/skills/step-up-auth-enforcer/SKILL.md +93 -0
- package/skills/stride-pasta-analyst/SKILL.md +429 -0
- package/skills/supply-chain-devsecops/SKILL.md +107 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
- package/skills/threat-modeler/SKILL.md +94 -0
- package/skills/tls-certificate-auditor/SKILL.md +582 -18
- package/skills/token-reuse-detector/SKILL.md +104 -0
- package/skills/trike-risk-modeler/SKILL.md +93 -0
- package/skills/unicode-homograph-tester/SKILL.md +93 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
- package/skills/webhook-security-tester/SKILL.md +111 -0
- package/skills/zero-trust-architect/SKILL.md +118 -0
|
@@ -34,6 +34,15 @@ On every finding resolved, emit:
|
|
|
34
34
|
}
|
|
35
35
|
```
|
|
36
36
|
|
|
37
|
+
## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
|
|
38
|
+
|
|
39
|
+
The `k8s.ts` and `supply-chain-deep.ts` detection modules (`src/gate/checks/k8s.ts`, `src/gate/checks/supply-chain-deep.ts`) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum, then reason past what single-line/single-file pattern matching can see — and APPLY the fix (Edit the Kyverno/Gatekeeper policy or Binary Authorization config), not just advise:
|
|
40
|
+
|
|
41
|
+
- **Cross-file / data-flow reasoning the regex can't do:** a `verifyImages` rule that covers `spec.containers[]` but a Pod manifest that runs an unsigned `initContainer` first, or a namespace carrying an exemption label — the policy reads clean while unsigned code executes.
|
|
42
|
+
- **Semantic / effective-state analysis:** model the admission decision end-to-end — resolve the manifest-list digest to its platform-specific child digests, evaluate `failurePolicy` (fail-open vs fail-closed), and confirm signatures stored as OCI referrers (not just `tag.sig`) are actually read.
|
|
43
|
+
- **External corroboration:** use WebSearch/WebFetch for current cosign/notation/Kyverno advisories, the OCI referrers API spec, and SLSA/EO 14028 SBOM-attestation requirements.
|
|
44
|
+
- **Apply & prove:** write the fix inline (set `validationFailureAction: Enforce`, `failurePolicy: Fail`, cover init/ephemeral containers, require SBOM attestation), re-run the `k8s.ts`/`supply-chain-deep.ts` checks plus a `cosign verify` / `cosign verify-attestation` regression floor, then re-audit admission semantically. Emit the LEARNING SIGNAL per fix; surface any fix that changes intended behavior as an explicit trade-off with the secure default.
|
|
45
|
+
|
|
37
46
|
## EXECUTION
|
|
38
47
|
|
|
39
48
|
### Phase 1 — Reconnaissance
|
|
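Review bot: the new BEYOND THE CHECKS block sends the agent to `src/gate/checks/k8s.ts` and `src/gate/checks/supply-chain-deep.ts`, but the published package contains only `package/dist/gate/checks/k8s.js` and `package/dist/gate/checks/supply-chain-deep.js` (see the file list at the top of this diff; nothing under `src/` is shipped), so an agent running from an installed copy will look for files that do not exist. Point the instruction at the shipped `dist/gate/checks/*.js` modules, or better at the finding IDs those modules emit, so the "deterministic floor" is something the agent can actually re-run. The "Apply & prove" bullet should also say that flipping `failurePolicy` to `Fail` on a live cluster blocks every admission while the webhook is down; that is the right default, but it is exactly the kind of behaviour change the trade-off sentence asks the agent to surface, so name it explicitly rather than leaving it implied.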
@@ -182,3 +191,114 @@ resource "google_binary_authorization_policy" "policy" {
|
|
|
182
191
|
- `requiredActions`: ordered action list
|
|
183
192
|
- `complianceImpact`: framework mappings
|
|
184
193
|
- `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
|
|
194
|
+
- `intelligenceForOtherAgents`: cross-agent intelligence object (see schema below)
|
|
195
|
+
|
|
196
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
197
|
+
```json
|
|
198
|
+
{
|
|
199
|
+
"intelligenceForOtherAgents": {
|
|
200
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Admission webhook bypass possible via namespace label manipulation", "exploitHint": "Create namespace with label 'admission.kubernetes.io/ignore'; deploy unsigned image inside it" }],
|
|
201
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "RSA-2048 Notary v1 key used for image signing", "location": "notation/trust-policy.json" }],
|
|
202
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "Image pull from user-controlled registry URL", "escalationPath": "Attacker registry returns malicious image → runs in cluster with node IAM role → IMDS credential theft" }],
|
|
203
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI DSS Req 6.3.2", "NIST SA-12", "SOC2 CC8.1"], "releaseBlock": true }]
|
|
204
|
+
}
|
|
205
|
+
}
|
|
206
|
+
```
|
|
207
|
+
|
|
208
|
+
---
|
|
209
|
+
|
|
210
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
211
|
+
|
|
212
|
+
- **Namespace Admission Webhook Bypass via Label Manipulation (ATT&CK T1610 — Deploy Container):** Kyverno and OPA Gatekeeper policies commonly exempt `kube-system` or namespaces labeled `admission.kubernetes.io/ignore`; an attacker with `create namespace` RBAC rights can create a namespace with the exempt label and deploy unsigned images freely. Test by: `kubectl create namespace attacker-ns --dry-run=client -o yaml | kubectl annotate --local -f - 'admission.kubernetes.io/ignore=true' -o yaml | kubectl apply -f -`; then attempt `kubectl run pwned --image=alpine:latest -n attacker-ns` — policy must still block. Finding threshold: any unsigned image successfully scheduled in a non-kube-system namespace labeled with an exemption pattern.
|
|
213
|
+
|
|
214
|
+
- **AI-Generated Malicious Image Payload Evasion (Emerging — LLM-Assisted Supply Chain, 2025):** Attackers use LLMs to generate syntactically correct, policy-compliant Dockerfiles and SBOM manifests that pass cosign signature checks while embedding obfuscated payloads (e.g., staged reverse shells in entrypoint scripts encoded as base64 env vars). Static admission checks verify signature validity but not image content semantics. Test by: build a signed test image containing `CMD ["sh","-c","echo ${PAYLOAD}"]` where PAYLOAD is base64-encoded; verify Kyverno admits it; confirm Falco/Tetragon runtime rules fire on the shell exec. Finding threshold: any image policy that relies solely on signature presence without runtime behavioral monitoring in place.
|
|
215
|
+
|
|
216
|
+
- **Post-Quantum Signing Key Vulnerability — RSA-2048 Notary v1 / Early cosign Keyful Keys (NIST IR 8105 / FIPS 203/204 transition):** RSA-2048 and ECDSA P-256 keys used in Notary v1 trust stores and cosign keyful signing are vulnerable to harvest-now-attack-later (HNDL) attacks by CRQC adversaries targeting 2028–2032. Signed image manifests recorded today in immutable registries are at risk. Test by: `grep -r "rsa\|ecdsa\|key-algorithm" notation/trust-policy.json .cosign/` and `openssl x509 -in cosign.pub -noout -text | grep "Public Key Algorithm"`; flag any RSA or P-256 key. Finding threshold: any active signing key using RSA or ECDSA P-256; remediate by migrating to keyless sigstore (Fulcio + Rekor with ECDSA P-384) or ML-DSA (FIPS 204) when toolchain support lands.
|
|
217
|
+
|
|
218
|
+
- **OCI Referrers API Signing Gap — Admission Controllers Missing Referrer-Attached Signatures (CVE-2024-25125 / Notary Project Advisory 2024-01):** Admission controllers checking only the legacy `<tag>.sig` cosign suffix will silently admit images whose signatures are stored as OCI referrers (the current standard for GHCR, ECR, and ORAS registries). Sigstore cosign 2.x and notation 1.x both write signatures as referrers by default; older Kyverno (<1.11) and OPA image-verify policies do not read the referrers API. Test by: push a cosign 2.x signed image to GHCR; install Kyverno <1.11; attempt to deploy — legacy policy may admit it as "unsigned." Finding threshold: Kyverno version below 1.11 or any `verifyImages` rule without `referrers: true` on a registry that uses the referrers API.
|
|
219
|
+
|
|
220
|
+
- **Multi-Arch Manifest List Partial Signing — Platform-Specific Digest Unsigned (Supply Chain Risk, SLSA L2 Gap):** CI pipelines commonly sign only the `linux/amd64` platform manifest, leaving `linux/arm64` or `linux/arm/v7` variants unsigned. Kubernetes on ARM nodes (EKS Graviton, GKE Tau T2A) pulls the platform-specific digest via the manifest list; admission controllers verifying the manifest list digest may not recurse into platform-specific child digests. Test by: `cosign verify <registry>/<image>@<manifest-list-sha256>` then `cosign verify <registry>/<image>@<arm64-child-sha256>`; both must return valid signatures. Finding threshold: any image where the manifest list carries a signature but one or more platform-specific child digests do not.
|
|
221
|
+
|
|
222
|
+
- **US EO 14028 / EU Cyber Resilience Act SBOM Attestation Non-Compliance (Regulatory — Active 2025):** Federal contractors and EU market participants are now required to produce and attach SBOM attestations (SPDX or CycloneDX) to every container image as a Sigstore attestation. Kyverno 1.11+ supports `verifyImages[].attestations` rules that block admission if the SBOM attestation is absent or fails schema validation; most clusters have not yet added this rule. Test by: `cosign verify-attestation --type spdxjson <image>` — absence of output is a compliance blocker; in Kyverno: add `attestations: [{predicateType: "https://spdx.dev/Document", conditions: [...]}]` to the `verifyImages` rule and attempt to deploy an image without an SBOM attestation — it must be rejected. Finding threshold: any production workload image lacking a cosign-attached SPDX or CycloneDX attestation when the cluster serves regulated or federal workloads.
|
|
223
|
+
|
|
224
|
+
---
|
|
225
|
+
|
|
226
|
+
## §EDGE-CASE-MATRIX
|
|
227
|
+
|
|
228
|
+
The 5 attack cases in binary authorization that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
229
|
+
|
|
230
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
231
|
+
|---|-----------|----------------------|---------------|
|
|
232
|
+
| 1 | Namespace label exemption bypass | Kyverno/OPA policies often exclude `kube-system` or namespaces with specific labels; attacker creates namespace with the exempt label | Create namespace with `admission.kubernetes.io/ignore: "true"` or equivalent exemption label; deploy unsigned image inside it — policy must still block |
|
|
233
|
+
| 2 | Init container and ephemeral container blind spots | Policy rules match `spec.containers[]` but forget `spec.initContainers[]` and `spec.ephemeralContainers[]` | Submit a Pod with a signed main container and an unsigned `initContainer`; scanner reports clean while unsigned code runs first |
|
|
234
|
+
| 3 | Image digest pinning bypass via tag mutation at pull time | Digest is verified at admission but `imagePullPolicy: Always` with a tag reference re-pulls at runtime; attacker poisons registry tag between admission and runtime | Pin every reference to `image@sha256:<digest>`; test that admission webhook rejects `image:tag` without digest — even if cosign signature exists |
|
|
235
|
+
| 4 | Admission webhook failure-open configuration | `admissionReviewVersions` misconfiguration or TLS error causes webhook to time out; `failurePolicy: Ignore` (the default) lets the unsigned image through silently | Simulate webhook unavailability (`kubectl scale deployment kyverno -n kyverno --replicas=0`); attempt to deploy unsigned image — it must be blocked by `failurePolicy: Fail` |
|
|
236
|
+
| 5 | Multi-arch manifest list signing gap | CI pipeline signs the `linux/amd64` manifest but not the multi-arch index; Kubernetes pulls the index and selects an unsigned platform-specific digest | Run `cosign verify <image>` for the manifest list digest (not just the amd64 digest); all platform variants must carry a valid signature |
|
|
237
|
+
|
|
238
|
+
---
|
|
239
|
+
|
|
240
|
+
## §TEMPORAL-THREATS
|
|
241
|
+
|
|
242
|
+
Threats materialising in the 2025–2030 window that binary authorization defences designed today must account for.
|
|
243
|
+
|
|
244
|
+
| Threat | Est. Timeline | Relevance to Binary Auth | Prepare Now By |
|
|
245
|
+
|--------|--------------|--------------------------|----------------|
|
|
246
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | RSA/ECDSA keys used in Notary v1 and early cosign keyful signing will be broken; harvest-now-attack-later active today | Migrate to keyless sigstore (Fulcio + Rekor) with ECDSA P-384 minimum; inventory all RSA-2048 signing keys and schedule rotation to ML-DSA (FIPS 204) |
|
|
247
|
+
| Sigstore transparency log compromise | 2025–2027 | If Rekor is compromised, attacker can forge valid inclusion proofs; keyless signing trust anchored to Rekor | Implement `tlog: false` + bring-your-own PKI for regulated workloads; monitor Rekor checkpoint consistency proofs |
|
|
248
|
+
| AI-assisted supply chain attacks (LLM-generated malicious images) | 2025–2027 (active) | LLMs assist attackers in generating convincing, policy-compliant container images that pass SBOM checks but hide payloads | Add runtime behavioural controls (Falco/Tetragon) as second layer; do not rely on static admission checks alone |
|
|
249
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM attestations are becoming legally required per container image; Kyverno can now verify SBOM attestations as part of admission | Require `cosign attest --type spdxjson` in CI; add Kyverno `verifyImages[].attestations` rule for SBOM type |
|
|
250
|
+
| OCI Reference Types / Referrers API adoption | 2025–2026 | Admission controllers that only check legacy `tag.sig` suffix will miss signatures stored as OCI referrers | Upgrade to Kyverno 1.13+ or notation 1.x that reads the OCI referrers API; test against registries with referrers support (ORAS, GHCR, ECR) |
|
|
251
|
+
|
|
252
|
+
---
|
|
253
|
+
|
|
254
|
+
## §DETECTION-GAP
|
|
255
|
+
|
|
256
|
+
What current binary authorization monitoring CANNOT detect, and what to build to close each gap.
|
|
257
|
+
|
|
258
|
+
**Standard gaps MUST be checked:**
|
|
259
|
+
|
|
260
|
+
- **Admission webhook audit log suppression**: Webhook decision events appear in the Kubernetes API audit log, but `audit-policy.yaml` with overly broad `omitStages` or `level: None` rules can silently drop admission events. Need: ensure audit policy logs `RequestResponse` level for `admissionwebhooks` resource group; alert on any admission webhook decision that lacks a corresponding audit event.
|
|
261
|
+
- **Post-admission image substitution (registry tag mutation)**: The admission controller verifies the image at deploy time, but if `imagePullPolicy: Always` with a mutable tag is used, a subsequent Pod restart silently pulls a new, potentially unsigned image. Need: enforce image digest pinning (`image@sha256:`) at admission; add Kyverno rule rejecting any image reference without a digest suffix.
|
|
262
|
+
- **Approved registry allowlist drift**: The registry allowlist is defined in policy YAML; when a new registry is added to manifests without updating the policy, it silently falls through if the `deny` rule has a gap. Need: CI gate — diff all `image:` values in merged PRs against the approved registry list; fail build on mismatch before cluster admission.
|
|
263
|
+
- **Keyless signing identity sprawl**: Keyless signatures are scoped to a subject (OIDC identity); if a PR renames the workflow file or changes the branch, the expected subject no longer matches and old images appear unsigned. Need: Kyverno policy must include `subject` and `issuer` assertions; log all signature verification failures with the observed vs. expected subject for triage.
|
|
264
|
+
- **Cross-agent chain — unsigned image + overprivileged pod**: Binary auth finding (unsigned image allowed) + RBAC finding (pod runs as root with hostPID) = container escape to node. Neither agent sees this in isolation. Need: CISO orchestrator Phase 1 synthesis — correlate binary-auth-validator findings with rbac-auditor and pod-security-checker findings before Phase 2.
|
|
265
|
+
|
|
266
|
+
---
|
|
267
|
+
|
|
268
|
+
## §ZERO-MISS-MANDATE
|
|
269
|
+
|
|
270
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item below, output one of:
|
|
271
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
272
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
273
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
274
|
+
|
|
275
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
276
|
+
|
|
277
|
+
**Attack classes that MUST be accounted for:**
|
|
278
|
+
|
|
279
|
+
1. Missing or permissive admission controller (`failurePolicy: Ignore` or no webhook)
|
|
280
|
+
2. Unsigned image allowed through (no `verifyImages` rule or Binary Authorization disabled)
|
|
281
|
+
3. Floating tag (`image:latest` or no digest pin)
|
|
282
|
+
4. Unapproved registry source (image not in allowlist)
|
|
283
|
+
5. Init/ephemeral container blind spot (policy only covers `spec.containers[]`)
|
|
284
|
+
6. Namespace label exemption that can be exploited
|
|
285
|
+
7. Signing key algorithm weakness (RSA-2048 or SHA-1 in trust store)
|
|
286
|
+
8. SBOM attestation absent when required by policy
|
|
287
|
+
|
|
288
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
289
|
+
```json
|
|
290
|
+
{
|
|
291
|
+
"coverageManifest": {
|
|
292
|
+
"attackClassesCovered": [
|
|
293
|
+
{ "class": "Missing admission controller", "filesReviewed": 12, "patterns": ["admissionwebhook", "kyverno", "gatekeeper", "binaryauthorization"], "result": "CLEAN" },
|
|
294
|
+
{ "class": "Floating image tag", "filesReviewed": 34, "patterns": ["image:.*latest", "image:.*tag without digest"], "result": "3 findings, all fixed" }
|
|
295
|
+
],
|
|
296
|
+
"filesReviewed": 34,
|
|
297
|
+
"negativeAssertions": [
|
|
298
|
+
"Floating tag: grepped image:.*latest across 34 k8s manifests — 3 matches remediated, 0 remaining",
|
|
299
|
+
"Init container blind spot: verified Kyverno verifyImages rule covers initContainers[] — CLEAN"
|
|
300
|
+
],
|
|
301
|
+
"uncoveredReason": {}
|
|
302
|
+
}
|
|
303
|
+
}
|
|
304
|
+
```
|
|
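Review bot: the namespace-exemption test in the "Namespace Admission Webhook Bypass" bullet uses `kubectl annotate ... 'admission.kubernetes.io/ignore=true'`, which sets an annotation, while the bullet itself and edge case 1 describe a label-based exemption, so the command never exercises the label selector it claims to test; use `kubectl label --local -f - admission.kubernetes.io/ignore=true` (or create the namespace and then `kubectl label namespace attacker-ns ...`). Edge case 4 calls `failurePolicy: Ignore` "the default"; for `admissionregistration.k8s.io/v1` webhook configurations the default is `Fail`, so the warning should target charts and policies that set `Ignore` explicitly rather than an implicit default. The post-quantum bullet and the CRQC row of §TEMPORAL-THREATS recommend migrating to ECDSA P-384; P-384 is broken by the same Shor-style attack as P-256, and harvest-now-decrypt-later is a confidentiality threat that does not apply to signatures, so the realistic risk is forgery once a CRQC exists and the mitigation is short-lived keyless certificates anchored in the transparency log plus ML-DSA when toolchains support it, not a larger curve; drop the P-384 advice from both places. In the same bullet, `openssl x509 -in cosign.pub -noout -text` will fail because `cosign.pub` is a PEM public key, not a certificate; use `openssl pkey -pubin -in cosign.pub -noout -text`. The `cosign verify <registry>/<image>@<...>` invocations in the multi-arch bullet and edge case 5 omit `--key` or `--certificate-identity`/`--certificate-oidc-issuer`, which cosign 2.x requires, so the regression floor as written errors out before verifying anything. Finally, the referrers bullet sets the finding threshold at "Kyverno version below 1.11" while the referrers row of §TEMPORAL-THREATS says "Upgrade to Kyverno 1.13+"; pick one version and use it in both places.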
@@ -34,6 +34,15 @@ On every finding resolved, emit:
|
|
|
34
34
|
}
|
|
35
35
|
```
|
|
36
36
|
|
|
37
|
+
## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
|
|
38
|
+
|
|
39
|
+
The `runtime.ts` and `api.ts` detection modules (`src/gate/checks/runtime.ts`, `src/gate/checks/api.ts`) are your deterministic floor for rate-limiting and anti-automation, not your ceiling. Treat their finding IDs as the minimum, then reason past what single-line/single-file pattern matching can see — and APPLY the fix (Edit the middleware/route handler), not just advise:
|
|
40
|
+
|
|
41
|
+
- **Cross-file / data-flow reasoning the regex can't do:** a per-IP limiter in middleware + a login handler that keys lockout only on IP = a residential-proxy credential-stuffing bypass; the gap only appears when you trace the rate-limit key from middleware through to the auth route.
|
|
42
|
+
- **Semantic / effective-state analysis:** model the full bot-mitigation funnel as a state machine — confirm CAPTCHA tokens are single-use and bound to `(session, action, IP)`, that honeypot branches are timing-identical, and that detection survives Puppeteer-stealth (behavioral signals, not just `navigator.webdriver`/UA).
|
|
43
|
+
- **External corroboration:** use WebSearch/WebFetch for current LLM-CAPTCHA-solver research, JA3/JA4 fingerprint baselines, and proxy/CAPTCHA-farm threat reports.
|
|
44
|
+
- **Apply & prove:** write the fix inline (per-account + per-device velocity keys, server-side Turnstile validation, single-use token binding, JA3 propagation), re-run the `runtime.ts`/`api.ts` checks plus a scripted load/replay test as a regression floor, then re-audit the funnel semantically. Emit the LEARNING SIGNAL per fix; surface any fix that changes intended behavior as an explicit trade-off with the secure default.
|
|
45
|
+
|
|
37
46
|
## EXECUTION
|
|
38
47
|
|
|
39
48
|
### Phase 1 — Reconnaissance
|
|
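Review bot: the "Semantic / effective-state analysis" bullet binds CAPTCHA tokens to `(session, action, IP)`, while the CAPTCHA-farm bullet added later in this same file binds them to `(session_id, action, timestamp)`; settle on one tuple, and either drop IP from it or make it advisory, since clients behind carrier-grade NAT and on mobile networks routinely change source address between challenge render and form submit and would be rejected as replays under a strict IP binding. The same `src/gate/checks/runtime.ts` and `src/gate/checks/api.ts` path problem applies here as in the binary-auth skill: the published package ships `dist/gate/checks/runtime.js`, and no `api.js` appears anywhere in this diff, so confirm that module exists in the published tree before telling the agent to re-run it, and reference the shipped `dist` paths or the finding IDs rather than TypeScript sources.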
@@ -219,3 +228,112 @@ If internet permitted:
|
|
|
219
228
|
- `requiredActions`: ordered action list
|
|
220
229
|
- `complianceImpact`: framework mappings
|
|
221
230
|
- `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
|
|
231
|
+
- `intelligenceForOtherAgents`: cross-agent intelligence package (see schema below)
|
|
232
|
+
|
|
233
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
234
|
+
```json
|
|
235
|
+
{
|
|
236
|
+
"intelligenceForOtherAgents": {
|
|
237
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Unprotected login endpoint with no bot mitigation — ideal credential-stuffing target", "exploitHint": "Use Hydra or Sentry MBA with residential proxies; no CAPTCHA barrier" }],
|
|
238
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "HMAC-SHA1 used in legacy CAPTCHA token validation", "location": "src/middleware/captcha.ts" }],
|
|
239
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "IP reputation check calls external provider with user-supplied URL", "escalationPath": "Redirect to 169.254.169.254 to leak cloud metadata" }],
|
|
240
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI DSS Req 8.3.4", "SOC 2 CC6.6"], "releaseBlock": true }]
|
|
241
|
+
}
|
|
242
|
+
}
|
|
243
|
+
```
|
|
244
|
+
|
|
245
|
+
---
|
|
246
|
+
|
|
247
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
248
|
+
|
|
249
|
+
- **AI-Powered CAPTCHA Solving via Multimodal LLMs (ATT&CK T1110.001 / CVE-2023-28531 context):** GPT-4o and Gemini 1.5 Pro achieve >95% solve rates on reCAPTCHA v2 image challenges and >85% on hCaptcha grids as documented in the 2024 UC San Diego paper "An LLM-Powered Autonomous Agent for CAPTCHA Solving." Test by: submit 100 reCAPTCHA v2 image tokens solved via the OpenAI vision API to your login endpoint's CAPTCHA validation route; measure acceptance rate. Finding threshold: >10% acceptance rate with LLM-solved tokens = CAPTCHA layer is effectively defeated; migrate to behavior-only challenges (Turnstile invisible, PoW).
|
|
250
|
+
|
|
251
|
+
- **Puppeteer-Extra Stealth Plugin Evasion of `navigator.webdriver` Detection (ATT&CK T1036.005):** The `puppeteer-extra-plugin-stealth` library (npm, 500K+ weekly downloads) patches 11 browser automation signals: `navigator.webdriver`, `window.chrome`, Canvas fingerprint randomization, WebGL vendor spoofing, and `Permissions` API behavior. Standard UA-based and `webdriver` flag checks are completely blind to it. Test by: run `puppeteer-extra` with stealth plugin against your `/api/login` endpoint and confirm bot detection fires on behavioral signals (inter-keystroke timing entropy <0.3, mouse movement linearity >0.95) rather than any header or DOM property. Finding threshold: if bot detection relies solely on `navigator.webdriver` or UA string matching = HIGH finding; requires JS challenge upgrade.
|
|
252
|
+
|
|
253
|
+
- **JA3/JA4 TLS Fingerprint Mismatch for Headless Client Detection (Research: Salesforce JA3 2017, BLAKE2 JA4 2023):** Automated HTTP clients (`curl`, `python-requests`, Go `net/http`, Node `undici`) produce TLS ClientHello JA3 hashes distinct from real browser JA3 hashes — even when User-Agent is spoofed to match Chrome 120. JA4 (John Althouse, 2023) extends this to capture ALPN, SNI, and extension ordering, making it significantly harder to spoof. Test by: capture TLS ClientHello packets via `tcpdump` or `Cloudflare JA3 logs` during simulated bot traffic; compare hashes against the FingerprintJS JA3 browser baseline database (`https://ja3er.com`). Finding threshold: if your WAF/edge does not propagate `cf-ja3-fingerprint` (Cloudflare) or equivalent header into the application for bot scoring = MEDIUM gap; implement Cloudflare WAF custom rule to block known bot JA3 hashes and inject fingerprint header.
|
|
254
|
+
|
|
255
|
+
- **Credential Stuffing via Residential Proxy Pool with Per-Account Velocity Evasion (ATT&CK T1110.004 / Okta breach October 2023):** The 2023 Okta credential stuffing attack used residential proxy networks (Luminati/Bright Data) to rotate source IPs such that each IP made <3 requests, bypassing all per-IP rate limits. The attack succeeded because per-account lockout was also configured with a high threshold (10 attempts). Test by: using `mitmproxy` + a list of 500 distinct IP headers (`X-Forwarded-For`), submit authentication requests against 50 test accounts at a rate of 2 attempts per IP per account; confirm that cross-account velocity detection (same ASN cluster, same device fingerprint, distributed failed auth) triggers an alert within 15 minutes. Finding threshold: no cross-account velocity alert within 30 minutes of the simulated pattern = CRITICAL; implement sliding-window cross-account anomaly detection keyed on `(ASN, device_fingerprint, failed_auth_count)`.
|
|
256
|
+
|
|
257
|
+
- **CAPTCHA Farm Token Replay and Timing-Based Detection (ATT&CK T1111 / 2captcha, CapMonster supply chain risk):** CAPTCHA solving farms (2captcha, CapMonster, Anti-Captcha) return human-solved tokens with a characteristic latency band of 15–45 seconds. Tokens from farms are valid per the CAPTCHA provider's API but are often shared/replayed if the application does not enforce single-use binding to `(session_id, action, timestamp)`. Supply chain risk: CapMonster distributes a browser extension used by end users — if compromised, it could silently exfiltrate valid CAPTCHA tokens. Test by: (1) solve a Turnstile token once, then replay it in 10 subsequent requests within 60 seconds — confirm each replay is rejected; (2) submit tokens with a `solved_in` timestamp of exactly 18 seconds (farm median) across 20 accounts — confirm timing anomaly detection fires. Finding threshold: token accepted more than once = CRITICAL; no timing anomaly detection for farm-latency-band solves = MEDIUM.
|
|
258
|
+
|
|
259
|
+
- **EU AI Act Article 52 Transparency Obligation for Bot Scoring Systems (Regulatory — enforcement Q1 2026):** Behavioral bot-scoring systems that make consequential automated decisions (account suspension, access denial, payment blocking) may qualify as AI systems under EU AI Act Annex I and require transparency disclosures under Article 52 if they process EU resident data. The Act's enforcement deadline for high-risk AI provisions is August 2026. Test by: classify your bot-scoring pipeline against AI Act Annex III criteria — if it gates access to essential services (financial, employment, education) it is presumptively high-risk; audit whether affected users receive an Article 52 disclosure and a human-review override path. Finding threshold: bot scoring gates consequential access without a documented human-review override and no Article 52 disclosure = MEDIUM compliance gap requiring legal review before August 2026 enforcement date.
|
|
260
|
+
|
|
261
|
+
---
|
|
262
|
+
|
|
263
|
+
## §EDGE-CASE-MATRIX
|
|
264
|
+
|
|
265
|
+
The 5 bot-detection attack cases that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
266
|
+
|
|
267
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
268
|
+
|---|-----------|----------------------|---------------|
|
|
269
|
+
| 1 | Puppeteer-stealth / undetected-chromedriver patching | Standard headless UA checks pass because stealth mode patches `navigator.webdriver`, overrides `HeadlessChrome` UA, and fakes canvas/WebGL fingerprints | Launch `puppeteer-extra` with `stealth` plugin against the target endpoint; confirm bot detection still fires on behavioral signals (mouse entropy, timing) not UA alone |
|
|
270
|
+
| 2 | Residential proxy pool rotation below per-IP rate limits | Each IP makes only 1–3 requests total — never triggers IP-based thresholds; scanner tests against a single source IP | Simulate 500 requests from 500 distinct IPs (use `mitmproxy` + IP rotation); confirm per-account and behavioral rate limits are independent of source IP |
|
|
271
|
+
| 3 | CAPTCHA farm bypass — human-solved tokens replayed | CAPTCHA token is valid and issued by the provider; no ML bypass needed; scanner only checks "is CAPTCHA present" | Solve a Turnstile/reCAPTCHA token once; replay it in 50 rapid requests; confirm token one-time-use enforcement and binding to session/IP |
|
|
272
|
+
| 4 | Timing attack on honeypot field detection | Application adds latency or changes response shape when honeypot is filled, leaking to attacker which field is the honeypot | Measure response times for filled vs. unfilled honeypot — delta must be zero; response body must be identical (use `simulateLoginDelay` before any branch exit) |
|
|
273
|
+
| 5 | TLS fingerprint mismatch (JA3/JA4 spoofing) | User-Agent matches a real browser but TLS ClientHello JA3 hash matches `curl`/`python-requests` defaults; scanner never checks TLS layer | Capture JA3 hash via Wireshark or Cloudflare logs; compare against browser JA3 baseline database — mismatch with claimed UA = bot |
|
|
274
|
+
|
|
275
|
+
---
|
|
276
|
+
|
|
277
|
+
## §TEMPORAL-THREATS
|
|
278
|
+
|
|
279
|
+
Threats materialising in the 2025–2030 window that bot-detection defences designed today must account for.
|
|
280
|
+
|
|
281
|
+
| Threat | Est. Timeline | Relevance to Bot Detection | Prepare Now By |
|
|
282
|
+
|--------|--------------|---------------------------|----------------|
|
|
283
|
+
| LLM-powered CAPTCHA solvers (multimodal) | 2025–2026 (active) | GPT-4o-level vision models solve image CAPTCHAs at >95% accuracy; audio CAPTCHAs solved via Whisper | Move to behaviour-only CAPTCHA alternatives (Turnstile invisible, PoW challenges); treat all image CAPTCHAs as weak |
|
|
284
|
+
| AI-generated synthetic mouse/keyboard behaviour | 2026–2027 | ML models trained on real human interaction datasets produce behavioural biometric fingerprints indistinguishable from humans to current detectors | Require multi-session behavioural consistency checks (not just per-request); integrate device attestation (Play Integrity / App Attest) as ground truth |
|
|
285
|
+
| Residential proxy infrastructure commoditisation | 2025 (active) | Rotating residential proxies now cost $1–3/GB; per-IP detection has near-zero cost to defeat | IP reputation alone is a failed control; enforce per-account velocity limits, device fingerprint binding, and step-up authentication as primary signals |
|
|
286
|
+
| EU AI Act enforcement (automated profiling restrictions) | 2026 | Behavioural bot scoring that profiles users may require conformity assessments if used for consequential decisions | Classify bot-scoring systems against AI Act Annex III; document human-review override paths |
|
|
287
|
+
| Browser vendor deprecation of navigator.webdriver / UA-Client-Hints shift | 2025–2026 | Detection signals that rely on `navigator.webdriver` or classical User-Agent parsing will degrade as browsers standardise UA-CH | Migrate detection to UA-Client-Hints (`Sec-CH-UA-*`) and entropy-based signals; audit for `navigator.webdriver` reliance today |
|
|
288
|
+
|
|
289
|
+
---
|
|
290
|
+
|
|
291
|
+
## §DETECTION-GAP
|
|
292
|
+
|
|
293
|
+
What current bot-detection monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
294
|
+
|
|
295
|
+
**Domain-specific gaps that MUST be checked:**
|
|
296
|
+
|
|
297
|
+
- **Stealth-patched headless browsers**: No UA or `webdriver` flag is present after stealth patching. Standard WAF rules and UA blocklists miss these. Need: server-side JavaScript challenge that tests for genuine browser API behaviour (e.g., WebGL renderer, canvas noise, AudioContext fingerprint) — not just header inspection.
|
|
298
|
+
- **Multi-session CAPTCHA token replay**: CAPTCHA provider confirms token valid once; replays in subsequent sessions go unchecked if token TTL is long. Need: bind each token to `(session_id, action, IP)` tuple server-side and reject on any mismatch — check token issuance logs for >1 use.
|
|
299
|
+
- **Slow credential stuffing across accounts (not IPs)**: Each account receives ≤2 failed attempts per day — never triggers per-account lockout. Individually, each IP is also under rate limits. Need: cross-account velocity detection — alert when >N distinct accounts from the same ASN/fingerprint cluster experience failed auth within a rolling 1-hour window.
|
|
300
|
+
- **Human-in-the-loop CAPTCHA farms**: Requests look fully human (real browser, real human solving CAPTCHA) because they are. Detection relies on speed: farms solve in 15–45 seconds (API latency). Need: enforce minimum-time checks between CAPTCHA load and submission (< 8 seconds = reject); monitor for clustered solve times at exactly farm API latency bands.
|
|
301
|
+
- **TLS fingerprint / JA3 mismatch invisible to application logs**: Application only sees decrypted HTTP; TLS fingerprint is lost. Need: deploy JA3/JA4 fingerprinting at the network edge (Cloudflare custom rules, nginx + `nginx-ja3` module, or Envoy filter) and propagate the fingerprint hash as a request header into the application for scoring.
|
|
302
|
+
|
|
303
|
+
---
|
|
304
|
+
|
|
305
|
+
## §ZERO-MISS-MANDATE
|
|
306
|
+
|
|
307
|
+
This agent CANNOT declare any bot-detection attack class clean without explicit evidence of checking. For each item, output one of:
|
|
308
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
309
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
310
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
311
|
+
|
|
312
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
313
|
+
|
|
314
|
+
Attack classes that MUST be covered:
|
|
315
|
+
|
|
316
|
+
| Attack Class | Minimum Evidence Required |
|
|
317
|
+
|---|---|
|
|
318
|
+
| Headless browser detection | Grepped for UA patterns + webdriver signal; confirmed behavioral challenge exists |
|
|
319
|
+
| IP-only rate limiting (proxy-defeatable) | Confirmed per-account AND per-device rate limits independent of IP |
|
|
320
|
+
| CAPTCHA absence on bot-sensitive endpoints | Checked all auth, account-creation, and high-value action routes |
|
|
321
|
+
| CAPTCHA token replay / binding | Confirmed token bound to session/action/IP tuple server-side |
|
|
322
|
+
| Honeypot timing side-channel | Confirmed response time and body are identical regardless of honeypot state |
|
|
323
|
+
| Device fingerprint coverage | Confirmed fingerprint used as rate-limit dimension alongside IP and account |
|
|
324
|
+
| TLS fingerprint mismatch | Confirmed JA3/JA4 propagated to application layer OR noted as infrastructure gap |
|
|
325
|
+
|
|
326
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
327
|
+
```json
|
|
328
|
+
{
|
|
329
|
+
"coverageManifest": {
|
|
330
|
+
"attackClassesCovered": [
|
|
331
|
+
{ "class": "Headless Browser Detection", "filesReviewed": 12, "patterns": ["HeadlessChrome", "navigator.webdriver", "webdriver"], "result": "CLEAN" },
|
|
332
|
+
{ "class": "IP-Only Rate Limiting", "filesReviewed": 8, "patterns": ["rateLimit", "limiter", "throttle"], "result": "2 findings, both fixed" }
|
|
333
|
+
],
|
|
334
|
+
"filesReviewed": 34,
|
|
335
|
+
"negativeAssertions": ["CAPTCHA token replay: token binding checked across 6 auth routes — all bind to session_id"],
|
|
336
|
+
"uncoveredReason": {}
|
|
337
|
+
}
|
|
338
|
+
}
|
|
339
|
+
```
|
|
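Review bot: the CAPTCHA-farm guidance in §DETECTION-GAP contradicts itself: the bullet states that farms solve in 15–45 seconds and then proposes a minimum-time check that rejects submissions under 8 seconds, which can never fire on a 15–45 second farm solve. Split the "Need" into two controls: a minimum-time floor for scripted solvers, and the clustered-solve-time monitoring (already described in the same bullet and in the CAPTCHA Farm item's "solved_in ... 18 seconds" test) for farms. In that test, `solved_in` reads as a client-submitted field; anything the client supplies is attacker-controlled and useless for detection, so state that the server derives solve time from its own challenge-issue timestamp. Smaller consistency issues in the same hunk: the JA3/JA4 item credits JA4 to "BLAKE2" in its heading and to John Althouse in its body; the EU AI Act item gives "enforcement Q1 2026" in its heading and "August 2026" in its body; the credential-stuffing test drives IP rotation through `X-Forwarded-For`, which only simulates distinct source IPs if the edge passes client-supplied XFF through to the application, so the test should state that precondition and treat XFF trust as its own finding when it holds; and edge case 4 references `simulateLoginDelay` without saying where it is defined, so link it.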
@@ -22,6 +22,15 @@ Build attack trees for every multi-step flow found in the actual codebase.
|
|
|
22
22
|
Find business logic flaws that automated scanners miss: order of operations, state machine
|
|
23
23
|
violations, trust assumption mismatches, and race conditions in business processes.
|
|
24
24
|
|
|
25
|
+
## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
|
|
26
|
+
|
|
27
|
+
The `business-logic.ts` detection module (`src/gate/checks/business-logic.ts`) is your deterministic floor, not your ceiling. Treat its finding IDs as the minimum, then reason past what single-line/single-file pattern matching can see — and APPLY the fix (Edit the route handler/transaction logic), not just advise:
|
|
28
|
+
|
|
29
|
+
- **Cross-file / data-flow reasoning the regex can't do:** a `req.body.amount` parsed in a route file that flows — through a helper module — into `stripe.charges.create()` without a server-authoritative re-quote is a price-manipulation chain no single-file grep catches.
|
|
30
|
+
- **Semantic / effective-state analysis:** model each multi-step flow as a state machine and reason about concurrency — prove single-use resources (coupons, reset tokens, inventory) are decremented atomically (SERIALIZABLE txn or Redis SETNX) so parallel requests can't double-spend, and that step N can't be reached without server-verified completion of N-1.
|
|
31
|
+
- **External corroboration:** use WebSearch/WebFetch for current OWASP WSTG business-logic cases and CVEs in the detected payment/subscription SDKs.
|
|
32
|
+
- **Apply & prove:** write the fix inline (server-side total recompute, atomic redemption, `total >= 0` assertion, step-sequencing token), re-run the `business-logic.ts` checks plus a concurrent-request race harness as a regression floor, then re-audit the attack tree semantically. Emit the LEARNING SIGNAL per fix; surface any fix that changes intended behavior as an explicit trade-off with the secure default.
|
|
33
|
+
|
|
25
34
|
## EXECUTION
|
|
26
35
|
|
|
27
36
|
1. Enumerate all multi-step flows by reading route handlers and API endpoints
|
|
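Review bot: "Redis SETNX" is named in the semantic-analysis bullet as the primitive that makes single-use resources "decremented atomically", but SETNX only sets a key when it is absent; it fits a one-shot consumed marker (coupon redeemed, reset token used), not a counter such as inventory. For counters the bullet should name a conditional update whose affected-row count is checked (`UPDATE ... SET qty = qty - 1 WHERE id = ? AND qty > 0`) or a Redis DECR/Lua script with a non-negative check, otherwise the "prove" step can be satisfied by a lock pattern that still lets a counter go negative. If SETNX is used as a lock rather than a permanent marker, also require an expiry so a crashed request cannot leave the resource stuck.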
@@ -74,3 +83,234 @@ Structured data for Agent 1 lead:
|
|
|
74
83
|
- `stateViolations[]`: flows where state machine can be violated
|
|
75
84
|
- `raceConditions[]`: flows with exploitable time-of-check/time-of-use gaps
|
|
76
85
|
- `numericFlaws[]`: integer overflow, negative value, precision loss findings
|
|
86
|
+
|
|
87
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
88
|
+
```json
|
|
89
|
+
{
|
|
90
|
+
"intelligenceForOtherAgents": {
|
|
91
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
|
|
92
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
|
|
93
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
|
|
94
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
---
|
|
100
|
+
|
|
101
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
102
|
+
|
|
103
|
+
### BL-EXT-1: Price Manipulation via Client-Supplied Totals (CVE-2023-27163 pattern)
|
|
104
|
+
**Technique**: Many e-commerce and SaaS checkout flows pass the final price or discount amount as a client-controlled parameter. If the backend recalculates using the client-submitted value rather than a server-authoritative quote, an attacker submits an arbitrarily low (or zero) price.
|
|
105
|
+
**Detection**: Grep for `price`, `total`, `amount`, `discount` in request body parsing code. Check whether the value is used directly in a payment API call (`stripe.charges.create({ amount: req.body.amount })`) versus a server-computed quote looked up by session/cart ID.
|
|
106
|
+
**Test**: Submit a checkout request with `"amount": 1` (one cent). If the order completes at that price, this is a CRITICAL finding. Also try `"amount": -100` to test for refund credit injection.
|
|
107
|
+
**Finding criteria**: Any path from client-controlled numeric input to a payment processor charge without server-side recomputation of the canonical amount.
|
|
108
|
+
|
|
109
|
+
### BL-EXT-2: Workflow Step Bypass via Direct Endpoint Calls (OWASP WSTG-BUSL-01)
|
|
110
|
+
**Technique**: Multi-step processes (onboarding, checkout, KYC verification) implement each step as a separate endpoint. If steps are guarded only by client-submitted state (`step=3`) rather than cryptographically verified server-side state, an attacker can call the final step directly, skipping all validation steps.
|
|
111
|
+
**Detection**: Search for `step`, `phase`, `stage`, `screen` parameters in route handlers. Check whether session state or a signed server-issued token enforces sequencing.
|
|
112
|
+
**Test**: Map all steps in a multi-stage flow. Issue a direct POST to the final completion endpoint without completing prerequisite steps. If successful, state sequencing is not enforced server-side.
|
|
113
|
+
**Finding criteria**: Completion endpoint accepts requests from sessions that have not completed mandatory prerequisite steps.
|
|
114
|
+
|
|
115
|
+
### BL-EXT-3: Race Condition Double-Spend via Parallel Requests (CWE-362)
|
|
116
|
+
**Technique**: Inventory reservation, coupon redemption, referral credit, and one-time-use token endpoints are susceptible to time-of-check/time-of-use (TOCTOU) races. If the "check availability" → "mark as used" sequence is not atomic (SELECT + UPDATE in the same transaction, or a Redis SETNX), concurrent requests can both pass the check before either update completes.
|
|
117
|
+
**Detection**: Grep for coupon redemption, balance deduction, or inventory decrement logic. Check whether the read and write occur inside a serializable database transaction or use an atomic primitive (Redis SETNX, database-level advisory lock).
|
|
118
|
+
**Test**: Use a parallel HTTP client (wrk, Burp Intruder, or custom script) to send 20 simultaneous redemption requests for a single-use coupon. If more than one succeeds, the race is confirmed.
|
|
119
|
+
**Finding criteria**: Multiple concurrent requests successfully redeem a single-use resource, or deplete a shared balance below zero.
|
|
120
|
+
|
|
121
|
+
### BL-EXT-4: JWT Algorithm Confusion and Claim Injection (CVE-2022-21449, alg:none)
|
|
122
|
+
**Technique**: Business logic often gates premium features or admin access on JWT claims (`"role": "admin"`, `"plan": "enterprise"`). If the application accepts unsigned tokens (`alg: none`), accepts RS256 tokens verified as HS256 with the public key as the HMAC secret, or trusts attacker-supplied `kid` values to select verification keys, an attacker can forge arbitrary claims.
|
|
123
|
+
**Detection**: Grep for JWT verification libraries (`jsonwebtoken`, `python-jose`, `java-jwt`). Check whether `algorithms` is constrained to a whitelist. Check whether `kid` is validated before use. Check whether `alg: none` is explicitly rejected.
|
|
124
|
+
**Test**: Craft a token with `alg: none` and `"role": "admin"`. Submit to protected endpoints. Also test RS256-to-HS256 confusion by signing with the PEM-encoded public key as the HMAC secret.
|
|
125
|
+
**Finding criteria**: Server accepts a forged token granting elevated privileges.
|
|
126
|
+
|
|
127
|
+
### BL-EXT-5: AI-Assisted Fuzzing of Business Rule Edge Cases (Emerging — 2025)
|
|
128
|
+
**Technique**: Attackers are now deploying LLM-assisted fuzzing that reads API documentation or OpenAPI specs to generate semantically valid but logically abusive inputs — e.g., an LLM discovers that a shipping calculator accepts `weight: 0` and `quantity: 99999` simultaneously and infers that this combination may trigger free-shipping logic. This goes far beyond what traditional boundary-value fuzzers produce.
|
|
129
|
+
**Detection**: Review all numeric field combinations in checkout, pricing, and eligibility logic. Look for any place where two or more fields interact to produce a business outcome (discount, free shipping, tier unlock) without upper-bound validation on each field independently and in combination.
|
|
130
|
+
**Test**: Generate a combinatorial test matrix of numeric inputs using boundary values, zero, negative, and maximum integer. Specifically test cross-field combinations: `{ quantity: 0, weight: 0 }`, `{ quantity: MAX_INT, price: 0.01 }`, `{ discountPercent: 100, quantity: -1 }`.
|
|
131
|
+
**Finding criteria**: Any combination of legal per-field values produces an unintended business outcome (negative total, free premium access, unlimited resource consumption).
|
|
132
|
+
|
|
133
|
+
### BL-EXT-6: Supply Chain Integrity — Malicious Dependency Injecting Backdoor into Payment Flow (Emerging — 2025)
|
|
134
|
+
**Technique**: Attackers targeting e-commerce and SaaS platforms increasingly compromise npm/PyPI packages that sit in the dependency chain of payment or checkout code. A malicious version of a utility library can silently modify price values, intercept payment tokens, or exfiltrate card data. This is an extension of traditional business logic attack surface into the supply chain layer.
|
|
135
|
+
**Detection**: Run `npm audit` and `npx lockfile-lint` on the repository. Check `package-lock.json` or `yarn.lock` for unexpected version bumps in packages that touch payment flows. Cross-reference against the OSV database and Socket.dev for known-malicious packages. Generate a CycloneDX SBOM and compare against a known-good baseline.
|
|
136
|
+
**Test**: Identify every package that is imported by payment-processing modules (`grep -r "require\|import" src/payments/`). For each, verify the installed version hash against the registry checksum. Use `npm pack --dry-run` to inspect what files are actually included.
|
|
137
|
+
**Finding criteria**: Any dependency in the payment flow whose resolved version differs from the expected pinned version, or which has been flagged by OSV/Socket.dev, or whose tarball hash does not match the registry.
|
|
138
|
+
|
|
139
|
+
### BL-EXT-7: Negative-Value Exploit via Unsigned Integer Underflow in Discount Calculation (CWE-191)
|
|
140
|
+
**Technique**: When discount values are applied to order totals in languages or ORMs that coerce types, a discount larger than the order total can produce a negative total. If this negative value is passed to a payment processor, some processors interpret it as a credit to be issued to the attacker's account. Even where the processor rejects it, the negative balance may be stored in the application's internal ledger, creating a credit that can be spent.
|
|
141
|
+
**Detection**: Grep for discount and total calculation logic. Check whether the final total is asserted to be `>= 0` before submission. Check the data type: if total is stored as a signed integer or float, underflow is possible.
|
|
142
|
+
**Test**: Submit an order with a discount code that exceeds the order total. Observe the computed total. If the total is negative or zero, attempt to complete the order. Check the account balance after the transaction.
|
|
143
|
+
**Finding criteria**: Application permits a negative or zero total to reach the payment processor or stores a negative balance in the internal ledger.
|
|
144
|
+
|
|
145
|
+
### BL-EXT-8: Post-Quantum Harvest-Now-Decrypt-Later Against Payment Tokens (Emerging — 2028 horizon, active threat today)
|
|
146
|
+
**Technique**: Adversaries with nation-state resources are currently harvesting encrypted payment tokens, session tokens, and cryptographic proofs transmitted over TLS sessions using classical algorithms (ECDSA P-256, RSA-2048). When cryptographically relevant quantum computers become available (estimated 2028–2032), these stored ciphertexts become decryptable, exposing payment data retroactively. For long-lived tokens (subscription tokens, stored payment methods), the threat window is active today.
|
|
147
|
+
**Detection**: Enumerate all endpoints that transmit or store payment tokens, subscription identifiers, or long-lived session material. Check TLS configuration for hybrid key exchange support (`X25519Kyber768` in TLS 1.3). Check whether stored tokens are encrypted at rest with a quantum-resistant algorithm.
|
|
148
|
+
**Test**: Use `nmap --script ssl-enum-ciphers` or `testssl.sh` against the payment endpoints. Check whether any hybrid PQ key exchange is advertised in the TLS handshake. Grep for RSA/ECDSA usage in token signing code.
|
|
149
|
+
**Finding criteria**: Long-lived payment or identity tokens are transmitted or stored with no quantum-resistant protection; TLS does not offer hybrid PQ key exchange.
|
|
150
|
+
|
|
151
|
+
---
|
|
152
|
+
|
|
153
|
+
## §BUSINESS_LOGIC_ATTACKER-CHECKLIST
|
|
154
|
+
|
|
155
|
+
1. **Payment total recomputation**: Verify the server recomputes the final charge amount from a server-authoritative quote (session/cart ID lookup), not from any client-submitted value. Grep: `req.body.amount`, `req.body.total`, `req.body.price`. Finding: any of these values reach a payment API call.
|
|
156
|
+
|
|
157
|
+
2. **Step sequencing enforcement**: For every multi-step flow, confirm the final step verifies all prior steps completed in the server-side session. Grep: `req.body.step`, `req.body.phase`, `session.currentStep`. Test: POST directly to the final step endpoint without completing prerequisites. Finding: completion succeeds without prerequisite session state.
|
|
158
|
+
|
|
159
|
+
3. **Single-use resource atomicity**: Confirm coupon, referral code, and one-time-token redemption uses an atomic read-then-write (database transaction at SERIALIZABLE isolation or Redis SETNX). Grep: redemption handlers for non-transactional SELECT followed by UPDATE. Test: 20 concurrent redemption requests. Finding: more than one request succeeds.
|
|
160
|
+
|
|
161
|
+
4. **Negative and zero quantity handling**: Verify all quantity, count, and weight fields reject values ≤ 0 at the validation layer before any calculation. Grep: `quantity`, `count`, `units`, `weight` in request schemas. Test: submit `quantity: -1`, `quantity: 0`. Finding: negative total, negative inventory, or error that reveals internal ledger values.
|
|
162
|
+
|
|
163
|
+
5. **Integer overflow on large numeric inputs**: Check fields that accept user-supplied numbers for maximum-value bounds. Test: submit `quantity: 2147483647` (MAX_INT32) or `9007199254740993` (MAX_SAFE_INT + 1 in JavaScript). Finding: unexpected total (wrap-around to negative, or zero).
|
|
164
|
+
|
|
165
|
+
6. **Subscription feature entitlement at downgrade**: Verify that when a subscription is cancelled or downgraded, premium feature flags are revoked synchronously (not just on next billing cycle). Grep: feature-flag checks that read `user.plan` without checking subscription expiry timestamp. Test: subscribe, access premium feature, cancel subscription, immediately re-check premium endpoint. Finding: premium access persists after cancellation.
|
|
166
|
+
|
|
167
|
+
7. **Password reset token single-use enforcement**: Confirm reset tokens are invalidated immediately after first use. Grep: reset token lookup handlers. Test: use a reset token, then submit the same token again in a new request. Finding: second use succeeds or token remains valid.
|
|
168
|
+
|
|
169
|
+
8. **IDOR via predictable resource IDs in multi-tenant context**: Enumerate resource IDs used in API endpoints (order IDs, document IDs, upload IDs). Check whether IDs are sequential integers or short UUIDs. Test: authenticate as tenant A, request resource IDs that neighbour your own (ID + 1, ID - 1). Finding: resources belonging to tenant B are returned.
|
|
170
|
+
|
|
171
|
+
9. **Coupon code stacking and combinability**: Test whether multiple coupon codes can be applied simultaneously beyond the intended limit. Test: apply two 50%-off coupons to reach 100% discount; apply one coupon and one referral credit simultaneously. Finding: total reaches or exceeds 100% discount, or negative total.
|
|
172
|
+
|
|
173
|
+
10. **Email verification bypass**: Confirm that privileged actions (payment, data export, account linking) require a verified email and that the verification state is enforced server-side. Grep: `user.emailVerified` checks before privileged endpoints. Test: create account, skip email verification, attempt privileged action directly. Finding: privileged action succeeds without email verification.
|
|
174
|
+
|
|
175
|
+
11. **File replacement between upload and processing**: In upload flows with a processing step (antivirus scan, format validation), check whether the uploaded file's storage path is predictable and whether the file can be replaced between upload and processing. Test: upload a benign file, observe the storage path, immediately overwrite with a malicious file via a second request before the processing step reads it. Finding: processing step operates on the replaced malicious file.
|
|
176
|
+
|
|
177
|
+
12. **Tenant-prefixed cache key enforcement**: In multi-tenant applications using shared caches (Redis, Memcached), verify all cache keys include the tenant ID as a prefix. Grep: cache set/get calls without tenant ID in key construction. Test: as tenant A, cache a value; as tenant B, attempt to read the same key without tenant prefix. Finding: tenant B reads tenant A's cached data.
|
|
178
|
+
|
|
179
|
+
---
|
|
180
|
+
|
|
181
|
+
## §POC-REQUIREMENT
|
|
182
|
+
|
|
183
|
+
For every CRITICAL or HIGH finding in this domain, the following sequence is mandatory before the finding is considered complete:
|
|
184
|
+
|
|
185
|
+
1. **Write the working PoC FIRST**: Document the exact HTTP request (method, URL, headers, body), the observed response, and the confirmed business impact (e.g., "order total became $0.00", "premium features accessible after cancellation").
|
|
186
|
+
2. **Confirm reproduction**: The PoC must be executed against the target and the result must match the expected impact. Screenshot or log output required.
|
|
187
|
+
3. **Write the fix**: Implement the remediation (server-side total recomputation, atomic transaction, step sequencing enforcement, etc.).
|
|
188
|
+
4. **Verify the PoC fails**: Re-execute the identical PoC against the fixed code. Confirm the attack now fails (correct error response, correct business outcome).
|
|
189
|
+
5. **Record in findings JSON**:
|
|
190
|
+
|
|
191
|
+
```json
|
|
192
|
+
{
|
|
193
|
+
"findingId": "BL-001",
|
|
194
|
+
"severity": "CRITICAL",
|
|
195
|
+
"title": "Price manipulation via client-supplied amount",
|
|
196
|
+
"exploitPoC": {
|
|
197
|
+
"request": "POST /api/checkout HTTP/1.1\nContent-Type: application/json\n\n{\"cartId\": \"abc123\", \"amount\": 1}",
|
|
198
|
+
"expectedResponse": "HTTP 200 — order created at $0.01",
|
|
199
|
+
"observedImpact": "Order for $299 product completed at $0.01",
|
|
200
|
+
"reproduced": true
|
|
201
|
+
},
|
|
202
|
+
"fix": "Recompute amount server-side from cartId; reject any client-supplied amount field",
|
|
203
|
+
"fixVerified": true
|
|
204
|
+
}
|
|
205
|
+
```
|
|
206
|
+
|
|
207
|
+
**PoC skipping = finding severity downgraded to MEDIUM automatically. No exceptions.**
|
|
208
|
+
|
|
209
|
+
---
|
|
210
|
+
|
|
211
|
+
## §PROJECT-ESCALATION
|
|
212
|
+
|
|
213
|
+
Under any of the following conditions, immediately call `orchestration.update_agent_status` with `"status": "CRITICAL_ESCALATION"` and halt the current run, so the orchestrator is alerted before the run completes:

1. **Payment processor receives attacker-controlled amounts**: A code path exists where a client-submitted numeric value (price, quantity, discount) reaches a payment processor API call without server-side recomputation. This is an active financial fraud vector and must be remediated before any other work continues.

2. **Multi-tenant data boundary collapse confirmed**: Cross-tenant data access is reproduced: tenant A can read, modify, or delete resources owned by tenant B. This is a data breach condition affecting all tenants and must be escalated to the full security team before the finding is documented in any shared channel.

3. **Single-use token race condition confirmed at scale**: A race condition on a single-use token (coupon, reset token, referral code) is confirmed to allow unlimited redemption by a single attacker. If the token has monetary value this is an active financial liability, not a latent weakness.

4. **Authentication step completely bypassable**: A multi-step authentication or verification flow (MFA, email verification, KYC) can be skipped by calling a later endpoint directly, so an attacker gains full account access or privileged status without satisfying any verification requirement.

5. **Admin or privileged endpoint accessible to unauthenticated users**: Any endpoint that performs administrative actions (user management, billing override, configuration change) is reachable without authentication. This is an unconditional escalation regardless of how the endpoint was discovered.

6. **Malicious dependency confirmed in payment flow**: A package in the dependency chain of payment-processing code has been flagged as compromised or modified (hash mismatch, OSV advisory, Socket.dev alert). Payment data may currently be leaving production; treat it as a live incident until proven otherwise.

7. **Mass account takeover vector confirmed**: A flaw allows an attacker to take over arbitrary user accounts at scale (e.g., predictable password reset tokens, session fixation in a multi-step auth flow). Escalate immediately: this is a full incident response trigger, not just a finding.

8. **Negative-balance exploit reaches production payment processor**: A negative-value order is confirmed to have been submitted to the payment processor (check processor logs or webhook logs). This is an active financial incident, not just a vulnerability; escalate to include the finance team.
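
As an added illustration of conditions 1 and 8 (not code from the security-mcp package), the handler logic below shows the vulnerable shape, in which the processor is charged whatever `body.total` says, beside a hardened version that recomputes the order from a server-side catalogue and coupon table, accepts only a SKU and an integer quantity from the client, and refuses to produce a non-positive charge. The catalogue, coupon table, quantity cap and request bodies are all constructed for the example.

```javascript
// Added example (not from the security-mcp package): server-side recomputation of
// an order total before anything reaches the payment processor. The catalogue,
// coupon table and request bodies below are constructed for this demonstration.

// Server-side source of truth. Prices are integer minor units (cents) so the
// arithmetic is exact and never depends on client-supplied decimals.
const CATALOG = {
  'sku-book': { priceMinor: 1999, currency: 'USD' },
  'sku-lamp': { priceMinor: 4500, currency: 'USD' },
};

// Coupons live server-side too; the client sends only a code, never a value.
const COUPONS = {
  SAVE10: { percentOff: 10 },
  FLAT5: { amountOffMinor: 500 },
  FLAT100: { amountOffMinor: 10000 }, // larger than any single-item order
};

// Vulnerable path (condition 1): the processor is charged whatever the client says.
// A body of { total: 0.01 } or { total: -50 } goes straight through.
function vulnerableChargeAmount(body) {
  return body.total;
}

function isPositiveInt(n) {
  return Number.isInteger(n) && n > 0 && n <= 1000; // 1000 is a hypothetical policy cap
}

// Hardened path: recompute every figure from server data, ignore every client
// figure except sku and qty, and refuse a non-positive charge (condition 8).
function buildChargeRequest(body) {
  if (!Array.isArray(body.items) || body.items.length === 0) {
    throw new Error('order has no items');
  }
  let currency = null;
  let subtotal = 0;
  const lineItems = [];
  for (const item of body.items) {
    const product = CATALOG[item.sku];
    if (!product) throw new Error(`unknown sku ${String(item.sku)}`);
    if (!isPositiveInt(item.qty)) throw new Error(`invalid quantity for ${item.sku}`);
    if (currency && product.currency !== currency) throw new Error('mixed currencies');
    currency = product.currency;
    // item.price, item.total and body.total are deliberately never read.
    subtotal += product.priceMinor * item.qty;
    lineItems.push({ sku: item.sku, qty: item.qty, unitMinor: product.priceMinor });
  }

  let discount = 0;
  if (body.couponCode !== undefined) {
    const coupon = COUPONS[body.couponCode];
    if (!coupon) throw new Error('unknown coupon');
    if (coupon.percentOff) discount = Math.floor((subtotal * coupon.percentOff) / 100);
    else discount = coupon.amountOffMinor;
  }
  // A discount can never exceed the subtotal: the floor is a zero-value order, never a refund.
  discount = Math.min(discount, subtotal);
  const amountMinor = subtotal - discount;
  if (!Number.isInteger(amountMinor) || amountMinor <= 0) {
    throw new Error('refusing to charge a non-positive amount');
  }
  return { amountMinor, currency, lineItems, discountMinor: discount };
}

// Last line of defence immediately before the processor call, in case a later
// refactor routes a client value around buildChargeRequest.
function assertChargeable(charge) {
  if (!Number.isInteger(charge.amountMinor) || charge.amountMinor <= 0) {
    throw new Error('refusing to send a non-positive amount to the processor');
  }
  return charge;
}

// True when the hardened path refuses the body.
function isRejected(body) {
  try {
    buildChargeRequest(body);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed attacker request: a client-side unit price and a negative total.
const attackerBody = { items: [{ sku: 'sku-lamp', qty: 1, price: 0.01 }], total: -50 };
console.log('vulnerable path would charge:', vulnerableChargeAmount(attackerBody));
console.log('hardened path charges:', assertChargeable(buildChargeRequest(attackerBody)).amountMinor);
```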
---
## §EDGE-CASE-MATRIX
The five attack cases in this domain that automated scanners and naive manual review consistently miss. These checks are MANDATORY; do not skip them.

| # | Edge Case | Why Scanners Miss It | Concrete Test |
|---|-----------|----------------------|---------------|
| 1 | Second-order / stored payload executed in a different context | Scanner checks the input context, not the execution context | Store the payload safely; trigger it in a separate request or session |
| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or compatibility forms that NFKC folds to ASCII | Submit Ⅰ (U+2160) or ＜ (U+FF1C) variants of known-bad strings |
| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` hits SQL, XSS and SSTI sinks in one request |
| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for an inline response difference; OOB leaves no trace in the response | Use Burp Collaborator or interactsh; inject a payload that triggers a DNS lookup to your listener |
| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two or more simultaneous requests to the same state-changing endpoint and count the successes |
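
An added example, not part of the package, that reproduces the single-use token race of escalation condition 3 and row 5 above and then closes it. The in-memory store stands in for a database table; the `await` between reading the token and marking it used is where a real handler yields to I/O, and that gap is what the concurrent callers exploit. The atomic `claim` is the equivalent of `UPDATE tokens SET used = 1 WHERE code = ? AND used = 0` followed by checking that exactly one row changed. The store API, the coupon code and the parallelism of 20 are assumptions of the example.

```javascript
// Added example (not from the security-mcp package): a time-of-check/time-of-use
// race on a single-use token, and the atomic claim that removes it. The Map-backed
// store and the code 'WELCOME50' are constructed for this demonstration.

function makeStore(codes) {
  const rows = new Map(codes.map((c) => [c, { used: false }]));
  return {
    rows,
    // Simulated async read: returns a snapshot of the row after the event loop turns,
    // exactly like a SELECT whose result arrives later.
    async get(code) {
      const row = rows.get(code);
      await new Promise((resolve) => setImmediate(resolve));
      return row ? { ...row } : null;
    },
    async save(code, row) {
      rows.set(code, row);
    },
    // Atomic claim: the check and the update are one indivisible step, the
    // equivalent of a conditional UPDATE ... WHERE used = 0 that reports rows changed.
    claim(code) {
      const row = rows.get(code);
      if (!row || row.used) return false;
      row.used = true;
      return true;
    },
  };
}

// Vulnerable redeem: the check (row.used) and the use (save) are separated by I/O,
// so every caller that reads before the first write sees an unused token.
async function redeemRacy(store, code) {
  const row = await store.get(code);
  if (!row || row.used) return false;
  await store.save(code, { ...row, used: true });
  return true;
}

// Fixed redeem: the claim is the check.
async function redeemAtomic(store, code) {
  return store.claim(code);
}

// Fire `parallel` concurrent redemptions of one fresh code; return how many succeeded.
async function raceRedeem(redeem, parallel) {
  const store = makeStore(['WELCOME50']);
  const results = await Promise.all(
    Array.from({ length: parallel }, () => redeem(store, 'WELCOME50')),
  );
  return results.filter(Boolean).length;
}

// Runs both variants under the same load. A correct single-use token succeeds exactly once.
async function demonstrate() {
  const racy = await raceRedeem(redeemRacy, 20);
  const atomic = await raceRedeem(redeemAtomic, 20);
  return { racy, atomic };
}

demonstrate().then((result) => console.log(result));
```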

---
## §TEMPORAL-THREATS
Threats materialising in the 2025–2030 window that defences designed today must account for.

| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
|--------|--------------|--------------------------|----------------|
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later is active today: traffic and data protected by RSA or ECDH key exchange now can be decrypted once a CRQC exists, and RSA/ECDSA signatures can then be forged | Inventory all RSA/ECDSA/ECDH usage; move key establishment for long-lived data to ML-KEM (FIPS 203) and plan signature migration to ML-DSA (FIPS 204) |
| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-assisted fuzzing and triage widen the set of edge cases an attacker can explore; PoC generation is increasingly automated | Assume attackers have LLM help; expand the test surface to match |
| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against the AI Act risk tiers now |
| Post-quantum TLS migration | 2028–2030 | Browser vendors are expected to deprecate classical-only key exchange | Begin a TLS agility assessment; test hybrid (ML-KEM + ECDH) key exchange |
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOMs are becoming a legal and contractual requirement; SLSA provenance is the common way to evidence build integrity | Achieve SLSA L2 minimum; generate a CycloneDX SBOM per release |

---
## §DETECTION-GAP
What current security monitoring CANNOT detect in this domain, and what to build to close each gap.

**Standard gaps that MUST be checked:**

- **Second-order attack execution**: The storage request looks safe; only the later retrieval-and-execution step is dangerous. Need: correlate write events with downstream read-and-execute events in the same SIEM query window.
- **Timing-side-channel leakage**: No log event is emitted; the leak is observable only as small response-time variance, and the attacker's probing looks like ordinary traffic. Need: per-endpoint latency percentile tracking (p50/p99) with statistical anomaly detection, plus flagging of clients that issue high volumes of near-identical requests against one endpoint. The durable fix is constant-time comparison, so there is nothing left to measure.
- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: a behavioural baseline; flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that are individually permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection; alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = a CRITICAL chain invisible to either agent alone. Need: a CISO orchestrator Phase 1 synthesis step that correlates all agent findings before Phase 2.

**Business-logic-specific gaps:**

- **Step-skip attacks in multi-step flows**: Each individual endpoint returns a normal HTTP 200; only the sequence violation is anomalous. Need: a server-side flow state machine that rejects out-of-order steps and emits an audit event when one is attempted.
- **Slow coupon exhaustion below rate-limit thresholds**: An attacker distributes coupon redemptions across 1,000 accounts at one redemption per hour per account. No single account trips a rate limit, but collectively the coupon is exhausted fraudulently. Need: aggregate per-coupon redemption rate alerting, independent of per-account rate limits.
- **Subscription entitlement drift after plan changes**: No alert is emitted when a user retains premium feature access after downgrading. Need: a scheduled reconciliation job that compares active feature flags against current subscription status and alerts on any mismatch.
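
As an added example (not the package's code) for the step-skip gap above and escalation condition 4, the flow state machine below keeps the verification sequence server-side, rejects any step not reachable from the current state, and records an audit event for every attempt, so an out-of-order call is visible even though the endpoint on its own would have answered HTTP 200. The step names, event names and user IDs are invented for the example.

```javascript
// Added example (not from the security-mcp package): a server-side state machine
// for a multi-step verification flow, emitting an audit event per attempted step.
// Step names, event names and user IDs are constructed for this demonstration.

// Each step may only be entered from the listed prior states.
const FLOW = {
  start: { from: [] },
  password_ok: { from: ['start'] },
  mfa_ok: { from: ['password_ok'] },
  session_issued: { from: ['mfa_ok'] },
};

class VerificationFlow {
  constructor(userId) {
    this.userId = userId;
    this.state = 'start';
    this.audit = []; // in production these events go to the SIEM, not an array
  }

  // Attempt to advance to `step`. Returns true on success; out-of-order or unknown
  // steps are refused and recorded together with the state they were attempted from.
  advance(step, meta = {}) {
    const def = FLOW[step];
    const allowed = def !== undefined && def.from.includes(this.state);
    this.audit.push({
      event: allowed ? 'flow.step' : 'flow.step_out_of_order',
      userId: this.userId,
      attempted: step,
      from: this.state,
      ...meta,
    });
    if (!allowed) return false;
    this.state = step;
    return true;
  }
}

// Naive endpoint: validates only its own input, so it can be called directly after
// the password step and still return success. This is the shape that gets bypassed.
function naiveIssueSession(requestedStep) {
  return requestedStep === 'session_issued';
}

// Hardened endpoint: asks the flow, not the request, whether the step is reachable.
function issueSession(flow) {
  return flow.advance('session_issued');
}

// Constructed attacker sequence: password accepted, then straight to the session
// endpoint, skipping MFA entirely.
function stepSkipAttempt() {
  const flow = new VerificationFlow('user-42');
  flow.advance('password_ok');
  const issued = issueSession(flow);
  const alerts = flow.audit.filter((e) => e.event === 'flow.step_out_of_order').length;
  return { issued, alerts, state: flow.state, naiveIssued: naiveIssueSession('session_issued') };
}

// Legitimate sequence for comparison: every step in order, no alerts.
function legitimateSequence() {
  const flow = new VerificationFlow('user-7');
  const ok = ['password_ok', 'mfa_ok', 'session_issued'].every((s) => flow.advance(s));
  const alerts = flow.audit.filter((e) => e.event === 'flow.step_out_of_order').length;
  return { ok, state: flow.state, alerts };
}

console.log(stepSkipAttempt());
console.log(legitimateSequence());
```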
---
## §ZERO-MISS-MANDATE
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:

- `CHECKED: [N files] | [patterns used] | CLEAN`
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`

**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.

The output findings JSON MUST include a `coverageManifest` key:
```json
{
  "coverageManifest": {
    "attackClassesCovered": [
      {
        "class": "Price Manipulation",
        "filesReviewed": 12,
        "patterns": ["req.body.amount", "req.body.price", "req.body.total"],
        "result": "CLEAN"
      }
    ],
    "filesReviewed": 47,
    "negativeAssertions": [
      "Price Manipulation: client-supplied amount pattern searched across 47 files — 0 matches reaching payment API"
    ],
    "uncoveredReason": {}
  }
}
```
---
## LEARNING SIGNAL
On every finding resolved, emit:
```json
{
  "findingId": "FINDING_ID",
  "agentName": "business-logic-attacker",
  "resolved": true,
  "remediationTemplate": "one-line description of what was done",
  "falsePositive": false
}
```
Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true`, so that the same false-positive pattern is not routed to this agent again.