sicario-red-team 0.5.9 → 0.5.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sicario-red-team",
-  "version": "0.5.9",
+  "version": "0.5.10",
   "type": "module",
   "description": "Autonomous Agentic Red-Teaming Swarm Protocol",
   "repository": {

package/src-cli/nodes/breacher.js

@@ -41,12 +41,11 @@ export async function runBreacher(elements, personaType = 'GENERAL') {
 You are a specialized node in the Sicario Autonomous Swarm. 
 ${personaContext}
 
-### VULNERABILITY TARGETING (THE SNIPER RULE):
-RULE 1: Always prioritize basic Parameter Tampering. If you see hidden HTML inputs (type='hidden') related to pricing, IDs, or roles, you MUST attempt to mutate their values to 0, "", or admin before attempting any complex JavaScript or Event Listener exploitation.
-
-Pay special attention to inputs where type='hidden' or marked as isHighValueTarget. 
-These often control critical business logic like pricing, user IDs, or privilege levels. 
-Hunt for logic flaws by attempting to mutate these hidden values (e.g., set price/quantity to 0 or negative, change account roles to 'admin', or swap user session IDs).
+### VULNERABILITY TARGETING (DOM SUPREMACY MODE):
+1. PIERCE THE SHADOW: Elements marked as 'isShadow: true' are encapsulated. Developers often leave internal fields (like price or user_id) unvalidated within custom Web Components.
+2. BEHAVIORAL MAPPING: Analyze elements with custom roles (role="button") or pointer cursors. These are modern SPA action points that bypass traditional form-crawling scanners.
+3. BEHAVIORAL TRIGGERS: Identify the specific trigger selector required to submit the payload (e.g., a <div> with role="button" or an ID like #sync-profile).
+4. THE SNIPER RULE: Always prioritize basic Parameter Tampering. Mutate hidden HTML inputs (type='hidden') related to pricing, IDs, or roles to 0, "", or admin before attempting complex JS exploitation.
     
 ### PHASE 1: REASONING (THINK OUT LOUD)
 Before providing JSON, analyze the DOM elements according to your specific persona.
@@ -62,7 +61,8 @@ Return a VALID JSON object. DO NOT use "null".
   "targetElement": "CSS selector or name",
   "mutation": {
     "selector": "The CSS selector for the hidden field or input to target",
-    "value": "The malicious value to inject (e.g. 0, -1, 'admin', '1e10')"
+    "value": "The malicious value to inject (e.g. 0, -1, 'admin', '1e10')",
+    "trigger": "The CSS selector for the trigger element to click (div[role='button'], #submit, etc.)"
   },
   "mitigation": "Code-level fix"
 }

package/src-cli/nodes/executor.js

@@ -26,16 +26,34 @@ export async function runExecutor(targetUrl, breachReport, options = {}) {
         if (selector && value !== undefined) {
             console.log(pc.yellow(`   [Executor] : Mutating ${selector} -> ${value}`));
             
-            // Apply the mutation to the target element
-            await page.$eval(selector, (el, v) => {
+            // 1. Shadow-Piercing Mutation
+            const targetLocator = page.locator(selector);
+            await targetLocator.evaluate((el, v) => {
                 el.value = v;
-                // Trigger change events if any
+                // Trigger events to bypass React/Next.js state listeners
                 el.dispatchEvent(new Event('change', { bubbles: true }));
                 el.dispatchEvent(new Event('input', { bubbles: true }));
             }, value);
 
-            // Pull the trigger: Find the nearest submit button
-            console.log(pc.red(`   [Executor] : Pulling the trigger (Live POST/PUT)...`));
+            // 2. The Wiretap: Listen for background API traffic (DOM Supremacy)
+            let interceptedNetworkTraffic = "";
+            const responseHandler = async (response) => {
+                const resType = response.request().resourceType();
+                if (resType === 'fetch' || resType === 'xhr') {
+                    try {
+                        const body = await response.text();
+                        // Capture URL and condensed body to bridge the Asynchronous State gap
+                        interceptedNetworkTraffic += `[${response.status()}] ${response.url().split('/').pop()}: ${body.substring(0, 500)} | `;
+                    } catch (e) {
+                        // Ignore opaque or failed body reads
+                    }
+                }
+            };
+            page.on('response', responseHandler);
+
+            // 3. Behavioral Trigger Pull
+            const triggerSelector = mutation.trigger || 'button[type="submit"], input[type="submit"], [role="button"], button';
+            console.log(pc.red(`   [Executor] : Pulling the trigger (${triggerSelector})...`));
             
             await Promise.all([
                 // Wait for either navigation or network to go quiet
@@ -43,23 +61,26 @@ export async function runExecutor(targetUrl, breachReport, options = {}) {
                   page.waitForNavigation({ timeout: 10000 }).catch(() => {}),
                   page.waitForLoadState('networkidle', { timeout: 10000 }).catch(() => {})
                 ]),
-                page.click('button[type="submit"], input[type="submit"], [form] button').catch(async () => {
-                    // Fallback to form submit
+                // Use locator.click() to natively pierce Shadow DOM
+                page.locator(triggerSelector).first().click().catch(async () => {
+                    // Fallback to legacy form submit
                     await page.$eval('form', f => f.submit()).catch(() => {});
                 })
             ]);
 
-            // Wait an extra 500ms for UI rendering
-            await new Promise(r => setTimeout(r, 500));
+            // 4. Capture Window (Wait for async logic to resolve)
+            await new Promise(r => setTimeout(r, 1000));
+            page.off('response', responseHandler);
 
-            // Capture the response
-            const responseText = await page.innerText('body');
+            // 5. Final Intelligence Accumulation
+            const domText = await page.innerText('body');
+            const serverEvidence = `| NETWORK TRAFFIC |\n${interceptedNetworkTraffic || "No AJAX traffic detected."}\n\n| DOM TEXT |\n${domText}`;
             const screenshot = await page.screenshot({ type: 'jpeg', quality: 20 });
 
             await browser.close();
             return {
                 success: true,
-                evidence: responseText.substring(0, 2000), // Limit data
+                evidence: serverEvidence.substring(0, 3000), // Larger limit for network data
                 screenshot
             };
         } else {

package/src-cli/nodes/scout.js

@@ -79,29 +79,51 @@ export async function runScout(url, options = {}) {
         const dismissButton = await page.$('button.close-dialog');
         if (dismissButton) await dismissButton.click();
 
-        // 3. Extract the DOM
+        // 3. Extract the DOM (DOM Supremacy: Shadow Piercing & Behavioral Mapping)
         const interactiveElements = await page.evaluate(() => {
-            const elements = document.querySelectorAll('button, input, a, form');
             const extracted = [];
+            const processedNodes = new Set(); // Prevent duplicates from recursion
 
-            elements.forEach((el) => {
-                const isHiddenInput = el.tagName === 'INPUT' && el.type === 'hidden';
-                const isVisible = el.offsetWidth > 0 && el.offsetHeight > 0;
+            const walk = (root) => {
+                const nodes = root.querySelectorAll('*');
+                nodes.forEach(el => {
+                    if (processedNodes.has(el)) return;
+                    processedNodes.add(el);
 
-                if (isVisible || isHiddenInput) {
-                    extracted.push({
-                        tag: el.tagName.toLowerCase(),
-                        id: el.id || null,
-                        name: el.name || null,
-                        type: el.type || null,
-                        value: el.value || null,
-                        isHighValueTarget: isHiddenInput && el.value !== '',
-                        text: el.innerText ? el.innerText.trim().substring(0, 50) : null,
-                        href: el.href || null
-                    });
-                }
-            });
+                    const tag = el.tagName.toLowerCase();
+                    const style = window.getComputedStyle(el);
+                    
+                    // Behavioral Hooks
+                    const isClickable = style.cursor === 'pointer' || el.getAttribute('onclick') || el.onclick;
+                    const hasRole = ['button', 'link', 'input', 'form', 'checkbox', 'radio'].includes(el.getAttribute('role'));
+                    const isInput = ['input', 'select', 'textarea', 'button'].includes(tag);
+                    const isAnchor = tag === 'a';
+                    const isHiddenInput = tag === 'input' && el.type === 'hidden';
+                    const isVisible = el.offsetWidth > 0 && el.offsetHeight > 0;
+
+                    if ((isVisible && (isInput || isAnchor || isClickable || hasRole)) || isHiddenInput) {
+                        extracted.push({
+                            tag,
+                            id: el.id || null,
+                            name: el.name || null,
+                            type: el.type || null,
+                            value: el.value || null,
+                            role: el.getAttribute('role') || null,
+                            isHighValueTarget: isHiddenInput && el.value !== '',
+                            text: el.innerText ? el.innerText.trim().substring(0, 50) : null,
+                            href: el.href || null,
+                            isShadow: root !== document
+                        });
+                    }
+
+                    // Shadow DOM: Pierce the boundary
+                    if (el.shadowRoot) {
+                        walk(el.shadowRoot);
+                    }
+                });
+            };
 
+            walk(document);
             return extracted;
         });