zen-ai-pentest 2.0.0__py3-none-any.whl

autonomous/exploit_validator.py

@@ -0,0 +1,1537 @@
+#!/usr/bin/env python3
+"""
+Exploit Validator System for Zen AI Pentest Framework
+
+Automatisierte Validierung und Beweisführung von Exploits in isolierten Umgebungen.
+
+Features:
+- Docker-Container-basierte Sandboxed-Ausführung
+- Proof-of-Exploit Generierung (Screenshots, HTTP-Capture, PCAP)
+- Evidence Collection mit Chain-of-Custody
+- Unterstützung für verschiedene Exploit-Typen
+- Safety Features (Read-Only, Scope-Validierung, Kill-Switch)
+
+FOR AUTHORIZED SECURITY TESTING ONLY
+
+Author: SHAdd0WTAka
+Version: 1.0.0
+"""
+
+import asyncio
+import hashlib
+import json
+import logging
+import os
+import shlex
+import tempfile
+import time
+import uuid
+
+from dataclasses import dataclass, field, asdict
+from datetime import datetime
+from enum import Enum, auto
+from typing import Any, Dict, List, Optional, Tuple
+from urllib.parse import urlparse
+import warnings
+
+# Optional imports - handle gracefully if not available
+try:
+    import docker
+    from docker.errors import DockerException, ContainerError, ImageNotFound
+    DOCKER_AVAILABLE = True
+except ImportError:
+    DOCKER_AVAILABLE = False
+    warnings.warn("Docker SDK not available. Container isolation disabled.")
+
+try:
+    import aiohttp
+    AIOHTTP_AVAILABLE = True
+except ImportError:
+    AIOHTTP_AVAILABLE = False
+
+try:
+    from playwright.async_api import async_playwright
+    PLAYWRIGHT_AVAILABLE = True
+except ImportError:
+    PLAYWRIGHT_AVAILABLE = False
+    warnings.warn("Playwright not available. Screenshot capture disabled.")
+
+# Configure logging
+logger = logging.getLogger("ZenAI.ExploitValidator")
+
+
+class ExploitType(Enum):
+    """Enumeration of supported exploit types."""
+    WEB_SQLI = "web_sqli"
+    WEB_XSS = "web_xss"
+    WEB_LFI = "web_lfi"
+    WEB_RFI = "web_rfi"
+    WEB_RCE = "web_rce"
+    WEB_CMD_INJECTION = "web_cmd_injection"
+    WEB_CSRF = "web_csrf"
+    WEB_SSRF = "web_ssrf"
+    WEB_XXE = "web_xxe"
+    WEB_PATH_TRAVERSAL = "web_path_traversal"
+    SERVICE = "service"
+    PRIVESC = "privilege_escalation"
+    POST_EXPLOITATION = "post_exploitation"
+    LOCAL = "local"
+
+
+class ExploitStatus(Enum):
+    """Status of exploit execution."""
+    PENDING = auto()
+    RUNNING = auto()
+    SUCCESS = auto()
+    FAILED = auto()
+    TIMEOUT = auto()
+    BLOCKED = auto()
+    ERROR = auto()
+
+
+class SafetyLevel(Enum):
+    """Safety levels for exploit execution."""
+    READ_ONLY = 1       # Passive validation only, no modifications
+    VALIDATE_ONLY = 2   # Validate exploit without full execution
+    CONTROLLED = 3      # Controlled execution with limits
+    FULL = 4            # Full exploitation (requires explicit approval)
+
+
+@dataclass
+class ScopeConfig:
+    """Configuration for scope validation."""
+    allowed_hosts: List[str] = field(default_factory=list)
+    allowed_ports: List[int] = field(default_factory=lambda: [80, 443, 8080])
+    blocked_hosts: List[str] = field(default_factory=lambda: [
+        "localhost", "127.0.0.1", "::1", "0.0.0.0",
+        "169.254.169.254"  # AWS metadata
+    ])
+    blocked_ports: List[int] = field(default_factory=lambda: [
+        22, 23, 25, 53, 110, 143, 587, 993, 995  # Email/DNS services
+    ])
+    require_https: bool = False
+    max_redirects: int = 5
+    allowed_schemes: List[str] = field(default_factory=lambda: ["http", "https"])
+
+    def validate_target(self, target: str) -> Tuple[bool, Optional[str]]:
+        """
+        Validate if target is within scope.
+
+        Args:
+            target: Target URL or host
+
+        Returns:
+            Tuple of (is_valid, error_message)
+        """
+        try:
+            # Parse URL if it's a full URL
+            if "//" in target:
+                parsed = urlparse(target)
+                host = parsed.hostname
+                port = parsed.port
+                scheme = parsed.scheme
+
+                if not host:
+                    return False, "Could not parse host from target"
+
+                # Check scheme
+                if scheme not in self.allowed_schemes:
+                    return False, f"Scheme '{scheme}' not allowed"
+            else:
+                host = target.split(":")[0]
+                port = int(target.split(":")[1]) if ":" in target else None
+
+            # Check blocked hosts
+            if host in self.blocked_hosts:
+                return False, f"Host '{host}' is in blocklist"
+
+            # Check IP ranges
+            try:
+                import ipaddress
+                ip = ipaddress.ip_address(host)
+                # Block private IPs unless explicitly allowed
+                if ip.is_private and host not in self.allowed_hosts:
+                    return False, f"Private IP '{host}' not in allowed list"
+                if ip.is_loopback:
+                    return False, f"Loopback address '{host}' not allowed"
+                if ip.is_multicast:
+                    return False, f"Multicast address '{host}' not allowed"
+            except ValueError:
+                # Not an IP, continue with hostname check
+                pass
+
+            # Check blocked ports
+            if port and port in self.blocked_ports:
+                return False, f"Port {port} is blocked"
+
+            # Check allowed hosts (if specified)
+            if self.allowed_hosts and host not in self.allowed_hosts:
+                # Allow wildcards
+                allowed = any(
+                    host.endswith(allowed.replace("*.", ".")) or host == allowed
+                    for allowed in self.allowed_hosts
+                )
+                if not allowed:
+                    return False, f"Host '{host}' not in allowed scope"
+
+            return True, None
+
+        except Exception as e:
+            return False, f"Validation error: {str(e)}"
+
+
+@dataclass
+class Evidence:
+    """Collection of evidence from exploit execution."""
+    screenshots: List[str] = field(default_factory=list)
+    http_responses: List[Dict[str, Any]] = field(default_factory=list)
+    pcap_file: Optional[str] = None
+    shell_session: Optional[str] = None
+    video_recording: Optional[str] = None
+    logs: List[str] = field(default_factory=list)
+    files: Dict[str, str] = field(default_factory=dict)
+    metadata: Dict[str, Any] = field(default_factory=dict)
+    timestamps: Dict[str, datetime] = field(default_factory=dict)
+    hashes: Dict[str, str] = field(default_factory=dict)
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Convert to dictionary with serializable values."""
+        result = asdict(self)
+        # Convert timestamps to ISO format
+        result['timestamps'] = {
+            k: v.isoformat() if isinstance(v, datetime) else v
+            for k, v in self.timestamps.items()
+        }
+        return result
+
+    def compute_hashes(self) -> None:
+        """Compute SHA256 hashes for all evidence files."""
+        for attr in ['screenshots', 'pcap_file', 'video_recording']:
+            value = getattr(self, attr)
+            if value:
+                if isinstance(value, list):
+                    for f in value:
+                        self._hash_file(f)
+                else:
+                    self._hash_file(value)
+
+    def _hash_file(self, filepath: str) -> None:
+        """Compute hash for a single file."""
+        try:
+            if os.path.exists(filepath):
+                sha256 = hashlib.sha256()
+                with open(filepath, 'rb') as f:
+                    for chunk in iter(lambda: f.read(8192), b''):
+                        sha256.update(chunk)
+                self.hashes[filepath] = sha256.hexdigest()
+        except Exception as e:
+            logger.warning(f"Failed to hash {filepath}: {e}")
+
+
+@dataclass
+class ExploitResult:
+    """Result of exploit validation."""
+    success: bool
+    exploit_type: ExploitType
+    target: str
+    timestamp: datetime
+    evidence: Evidence
+    output: str
+    status: ExploitStatus = ExploitStatus.PENDING
+    error: Optional[str] = None
+    remediation: Optional[str] = None
+    cvss_score: Optional[float] = None
+    severity: Optional[str] = None
+    execution_time: float = 0.0
+    validator_id: str = field(default_factory=lambda: str(uuid.uuid4()))
+    chain_of_custody: List[Dict[str, Any]] = field(default_factory=list)
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Convert to dictionary."""
+        return {
+            'success': self.success,
+            'exploit_type': self.exploit_type.value,
+            'target': self.target,
+            'timestamp': self.timestamp.isoformat(),
+            'evidence': self.evidence.to_dict(),
+            'output': self.output,
+            'status': self.status.name,
+            'error': self.error,
+            'remediation': self.remediation,
+            'cvss_score': self.cvss_score,
+            'severity': self.severity,
+            'execution_time': self.execution_time,
+            'validator_id': self.validator_id,
+            'chain_of_custody': self.chain_of_custody
+        }
+
+    def to_json(self) -> str:
+        """Convert to JSON string."""
+        return json.dumps(self.to_dict(), indent=2, default=str)
+
+
+@dataclass
+class SandboxConfig:
+    """Configuration for sandboxed execution."""
+    use_docker: bool = True
+    use_gvisor: bool = False  # Experimental gVisor support
+    network_isolated: bool = True
+    cpu_limit: float = 1.0  # CPU cores
+    memory_limit: str = "512m"
+    timeout: int = 60
+    read_only_root: bool = True
+    tmpfs_size: str = "100m"
+    cap_drop: List[str] = field(default_factory=lambda: [
+        "ALL"
+    ])
+    cap_add: List[str] = field(default_factory=lambda: [
+        "NET_BIND_SERVICE"
+    ])
+    dns_servers: List[str] = field(default_factory=lambda: [
+        "8.8.8.8", "1.1.1.1"
+    ])
+    image: str = "zenai/exploit-sandbox:latest"
+
+
+class ExploitValidator:
+    """
+    Main class for validating exploits in sandboxed environments.
+
+    This validator provides comprehensive exploit testing capabilities
+    with strong isolation, evidence collection, and safety controls.
+
+    Usage:
+        validator = ExploitValidator(
+            safety_level=SafetyLevel.CONTROLLED,
+            scope_config=ScopeConfig(allowed_hosts=["example.com"])
+        )
+
+        result = await validator.validate(
+            exploit_code="...",
+            target="https://example.com/vuln",
+            exploit_type=ExploitType.WEB_SQLI
+        )
+    """
+
+    def __init__(
+        self,
+        safety_level: SafetyLevel = SafetyLevel.CONTROLLED,
+        scope_config: Optional[ScopeConfig] = None,
+        sandbox_config: Optional[SandboxConfig] = None,
+        output_dir: Optional[str] = None,
+        enable_playwright: bool = True
+    ):
+        """
+        Initialize the ExploitValidator.
+
+        Args:
+            safety_level: Maximum allowed safety level
+            scope_config: Scope validation configuration
+            sandbox_config: Sandbox execution configuration
+            output_dir: Directory for evidence storage
+            enable_playwright: Enable Playwright for screenshot capture
+        """
+        self.safety_level = safety_level
+        self.scope_config = scope_config or ScopeConfig()
+        self.sandbox_config = sandbox_config or SandboxConfig()
+        self.output_dir = output_dir or tempfile.gettempdir()
+        self.enable_playwright = enable_playwright and PLAYWRIGHT_AVAILABLE
+
+        # Initialize Docker client if available
+        self.docker_client = None
+        if DOCKER_AVAILABLE and self.sandbox_config.use_docker:
+            try:
+                self.docker_client = docker.from_env()
+                logger.info("Docker client initialized")
+            except DockerException as e:
+                logger.warning(f"Docker not available: {e}")
+
+        # Rate limiting
+        self._rate_limiter = asyncio.Semaphore(5)  # Max 5 concurrent exploits
+        self._last_execution: Dict[str, float] = {}
+        self._min_interval = 1.0  # Minimum seconds between executions to same target
+
+        # Kill switch
+        self._killed = False
+
+        # Evidence storage
+        self._evidence_counter = 0
+
+        logger.info(f"ExploitValidator initialized (safety={safety_level.name})")
+
+    async def validate(
+        self,
+        exploit_code: str,
+        target: str,
+        exploit_type: ExploitType,
+        parameters: Optional[Dict[str, Any]] = None,
+        timeout: Optional[int] = None
+    ) -> ExploitResult:
+        """
+        Validate an exploit against a target.
+
+        Args:
+            exploit_code: The exploit code/payload to execute
+            target: Target URL, host, or service
+            exploit_type: Type of exploit being tested
+            parameters: Additional exploit parameters
+            timeout: Execution timeout override
+
+        Returns:
+            ExploitResult with execution details and evidence
+        """
+        start_time = time.time()
+        timestamp = datetime.utcnow()
+        validator_id = str(uuid.uuid4())
+
+        # Initialize chain of custody
+        chain_of_custody = [
+            {
+                'action': 'validation_started',
+                'timestamp': timestamp.isoformat(),
+                'validator_id': validator_id,
+                'hash': hashlib.sha256(exploit_code.encode()).hexdigest()[:16]
+            }
+        ]
+
+        # Check kill switch
+        if self._killed:
+            return ExploitResult(
+                success=False,
+                exploit_type=exploit_type,
+                target=target,
+                timestamp=timestamp,
+                evidence=Evidence(),
+                output="",
+                status=ExploitStatus.BLOCKED,
+                error="Kill switch activated",
+                chain_of_custody=chain_of_custody
+            )
+
+        # Validate scope
+        is_valid, error_msg = self.scope_config.validate_target(target)
+        if not is_valid:
+            return ExploitResult(
+                success=False,
+                exploit_type=exploit_type,
+                target=target,
+                timestamp=timestamp,
+                evidence=Evidence(),
+                output="",
+                status=ExploitStatus.BLOCKED,
+                error=f"Scope validation failed: {error_msg}",
+                chain_of_custody=chain_of_custody
+            )
+
+        chain_of_custody.append({
+            'action': 'scope_validated',
+            'timestamp': datetime.utcnow().isoformat()
+        })
+
+        # Rate limiting check
+        await self._check_rate_limit(target)
+
+        # Check safety level compatibility
+        if not self._is_safety_compatible(exploit_type):
+            return ExploitResult(
+                success=False,
+                exploit_type=exploit_type,
+                target=target,
+                timestamp=timestamp,
+                evidence=Evidence(),
+                output="",
+                status=ExploitStatus.BLOCKED,
+                error=f"Exploit type {exploit_type.value} exceeds safety level {self.safety_level.name}",
+                chain_of_custody=chain_of_custody
+            )
+
+        # Execute with semaphore for rate limiting
+        async with self._rate_limiter:
+            try:
+                if self.sandbox_config.use_docker and self.docker_client:
+                    result = await self._execute_docker_sandboxed(
+                        exploit_code, target, exploit_type,
+                        parameters or {}, timeout or self.sandbox_config.timeout
+                    )
+                else:
+                    result = await self._execute_local_sandboxed(
+                        exploit_code, target, exploit_type,
+                        parameters or {}, timeout or self.sandbox_config.timeout
+                    )
+
+                result.chain_of_custody = chain_of_custody + result.chain_of_custody
+                result.execution_time = time.time() - start_time
+                return result
+
+            except asyncio.TimeoutError:
+                execution_time = time.time() - start_time
+                return ExploitResult(
+                    success=False,
+                    exploit_type=exploit_type,
+                    target=target,
+                    timestamp=timestamp,
+                    evidence=Evidence(),
+                    output="",
+                    status=ExploitStatus.TIMEOUT,
+                    error=f"Execution timeout after {timeout or self.sandbox_config.timeout}s",
+                    execution_time=execution_time,
+                    validator_id=validator_id,
+                    chain_of_custody=chain_of_custody
+                )
+            except Exception as e:
+                execution_time = time.time() - start_time
+                logger.exception("Exploit validation failed")
+                return ExploitResult(
+                    success=False,
+                    exploit_type=exploit_type,
+                    target=target,
+                    timestamp=timestamp,
+                    evidence=Evidence(),
+                    output="",
+                    status=ExploitStatus.ERROR,
+                    error=f"Execution error: {str(e)}",
+                    execution_time=execution_time,
+                    validator_id=validator_id,
+                    chain_of_custody=chain_of_custody
+                )
+
+    async def execute_sandboxed(
+        self,
+        command: str,
+        timeout: int = 60,
+        network_access: bool = False
+    ) -> Dict[str, Any]:
+        """
+        Execute a command in a sandboxed environment.
+
+        Args:
+            command: Command to execute
+            timeout: Execution timeout
+            network_access: Whether to allow network access
+
+        Returns:
+            Dictionary with stdout, stderr, return_code, and execution details
+        """
+        if self.sandbox_config.use_docker and self.docker_client:
+            return await self._execute_docker_command(command, timeout, network_access)
+        else:
+            return await self._execute_local_command(command, timeout)
+
+    async def capture_evidence(
+        self,
+        target: str,
+        exploit_type: ExploitType,
+        capture_screenshot: bool = True,
+        capture_http: bool = True,
+        capture_pcap: bool = False
+    ) -> Evidence:
+        """
+        Capture evidence from target interaction.
+
+        Args:
+            target: Target URL
+            exploit_type: Type of exploit
+            capture_screenshot: Capture browser screenshot
+            capture_http: Capture HTTP responses
+            capture_pcap: Capture network traffic (requires permissions)
+
+        Returns:
+            Evidence object with collected artifacts
+        """
+        evidence = Evidence()
+        evidence.timestamps['started'] = datetime.utcnow()
+
+        # Create evidence directory
+        evidence_dir = os.path.join(
+            self.output_dir,
+            f"evidence_{int(time.time())}_{self._evidence_counter}"
+        )
+        self._evidence_counter += 1
+        os.makedirs(evidence_dir, exist_ok=True)
+
+        try:
+            # Capture HTTP responses
+            if capture_http and AIOHTTP_AVAILABLE:
+                http_evidence = await self._capture_http_evidence(target, evidence_dir)
+                evidence.http_responses = http_evidence
+
+            # Capture screenshot for web exploits
+            if capture_screenshot and self.enable_playwright and self._is_web_exploit(exploit_type):
+                screenshot_path = await self._capture_screenshot(target, evidence_dir)
+                if screenshot_path:
+                    evidence.screenshots.append(screenshot_path)
+
+            # Capture PCAP (if enabled and running as root)
+            if capture_pcap:
+                pcap_path = await self._capture_pcap(target, evidence_dir)
+                if pcap_path:
+                    evidence.pcap_file = pcap_path
+
+            # Collect metadata
+            evidence.metadata = {
+                'target': target,
+                'exploit_type': exploit_type.value,
+                'evidence_dir': evidence_dir,
+                'user_agent': 'ZenAI-ExploitValidator/1.0',
+                'source_ip': await self._get_source_ip()
+            }
+
+            evidence.timestamps['completed'] = datetime.utcnow()
+            evidence.compute_hashes()
+
+        except Exception as e:
+            logger.error(f"Evidence capture failed: {e}")
+            evidence.metadata['error'] = str(e)
+
+        return evidence
+
+    def generate_remediation(self, vulnerability: Dict[str, Any]) -> str:
+        """
+        Generate remediation advice for a vulnerability.
+
+        Args:
+            vulnerability: Vulnerability details dictionary
+
+        Returns:
+            Remediation advice as markdown text
+        """
+        vuln_type = vulnerability.get('type', 'unknown')
+        severity = vulnerability.get('severity', 'medium')
+
+        remediation_templates = {
+            ExploitType.WEB_SQLI.value: """
+## SQL Injection Remediation
+
+### Immediate Actions
+1. **Use Parameterized Queries**: Replace all dynamic SQL with prepared statements
+2. **Input Validation**: Validate and sanitize all user inputs
+3. **Least Privilege**: Ensure database user has minimal permissions
+
+### Code Example (Python/Flask)
+```python
+# VULNERABLE
+cursor.execute(f"SELECT * FROM users WHERE id = '{user_id}'")
+
+# SECURE
+cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
+```
+
+### Long-term Recommendations
+- Implement Web Application Firewall (WAF)
+- Enable SQL query logging and monitoring
+- Regular security code reviews
+- Use ORM frameworks that prevent SQL injection
+""",
+            ExploitType.WEB_XSS.value: """
+## Cross-Site Scripting (XSS) Remediation
+
+### Immediate Actions
+1. **Output Encoding**: Encode all output based on context (HTML, JS, URL, CSS)
+2. **Content Security Policy**: Implement strict CSP headers
+3. **Input Validation**: Validate input against expected patterns
+
+### Code Example
+```python
+# VULNERABLE
+<div>{{ user_input }}</div>
+
+# SECURE (with Jinja2 autoescape)
+<div>{{ user_input | e }}</div>
+```
+
+### Headers to Implement
+```
+Content-Security-Policy: default-src 'self'
+X-XSS-Protection: 1; mode=block
+X-Content-Type-Options: nosniff
+```
+""",
+            ExploitType.WEB_RCE.value: """
+## Remote Code Execution Remediation
+
+### Immediate Actions
+1. **Disable Dangerous Functions**: Disable eval(), exec(), system() in PHP/Python
+2. **Input Sanitization**: Never pass user input to system commands
+3. **Sandboxing**: Run application in restricted environment
+
+### Code Example
+```python
+# VULNERABLE
+os.system(f"ping {user_input}")
+
+# SECURE
+allowed_hosts = ['8.8.8.8', '1.1.1.1']
+if user_input in allowed_hosts:
+    subprocess.run(['ping', '-c', '4', user_input], check=True)
+```
+
+### Critical Recommendations
+- Remove all command execution functionality if not essential
+- Use allowlists for allowed commands/arguments
+- Implement strong network segmentation
+""",
+            ExploitType.WEB_LFI.value: """
+## Local File Inclusion Remediation
+
+### Immediate Actions
+1. **Path Validation**: Validate and sanitize file paths
+2. **Allowlist**: Use allowlist of allowed files
+3. **Disable Remote Includes**: Set allow_url_include=Off in PHP
+
+### Code Example
+```php
+// VULNERABLE
+include($_GET['page']);
+
+// SECURE
+$allowed = ['home', 'about', 'contact'];
+$page = $_GET['page'];
+if (in_array($page, $allowed)) {
+    include("pages/" . $page . ".php");
+}
+```
+""",
+            'default': f"""
+## Vulnerability Remediation
+
+**Severity**: {severity}
+**Type**: {vuln_type}
+
+### General Recommendations
+1. **Update Software**: Apply latest security patches
+2. **Input Validation**: Validate all user inputs
+3. **Principle of Least Privilege**: Minimize permissions
+4. **Security Headers**: Implement security headers
+5. **Monitoring**: Enable comprehensive logging
+
+### Verification
+After applying fixes:
+1. Re-run the vulnerability scan
+2. Test functionality to ensure no breakage
+3. Monitor for any suspicious activity
+"""
+        }
+
+        return remediation_templates.get(vuln_type, remediation_templates['default'])
+
+    async def safe_execute(self, exploit: Dict[str, Any]) -> bool:
+        """
+        Safely execute an exploit with comprehensive checks.
+
+        Args:
+            exploit: Exploit dictionary with code, target, type
+
+        Returns:
+            True if exploit execution was successful
+        """
+        try:
+            # Pre-execution checks
+            if not self._validate_exploit_structure(exploit):
+                logger.error("Invalid exploit structure")
+                return False
+
+            # Execute validation
+            result = await self.validate(
+                exploit_code=exploit['code'],
+                target=exploit['target'],
+                exploit_type=ExploitType(exploit.get('type', 'web_rce')),
+                parameters=exploit.get('parameters', {})
+            )
+
+            return result.success
+
+        except Exception as e:
+            logger.error(f"Safe execution failed: {e}")
+            return False
+
+    def kill_switch(self) -> None:
+        """Activate kill switch to stop all executions."""
+        logger.warning("Kill switch activated!")
+        self._killed = True
+
+    def reset_kill_switch(self) -> None:
+        """Reset kill switch."""
+        logger.info("Kill switch reset")
+        self._killed = False
+
+    # Private helper methods
+
+    def _is_safety_compatible(self, exploit_type: ExploitType) -> bool:
+        """Check if exploit type is compatible with current safety level."""
+        safety_mapping = {
+            SafetyLevel.READ_ONLY: [],
+            SafetyLevel.VALIDATE_ONLY: [
+                ExploitType.WEB_XSS, ExploitType.WEB_SQLI,
+                ExploitType.WEB_LFI, ExploitType.WEB_CSRF
+            ],
+            SafetyLevel.CONTROLLED: [
+                ExploitType.WEB_XSS, ExploitType.WEB_SQLI, ExploitType.WEB_LFI,
+                ExploitType.WEB_RFI, ExploitType.WEB_RCE, ExploitType.WEB_CMD_INJECTION,
+                ExploitType.WEB_SSRF, ExploitType.WEB_XXE, ExploitType.WEB_PATH_TRAVERSAL,
+                ExploitType.SERVICE
+            ],
+            SafetyLevel.FULL: list(ExploitType)
+        }
+
+        allowed = safety_mapping.get(self.safety_level, [])
+        return exploit_type in allowed or self.safety_level == SafetyLevel.FULL
+
+    def _is_web_exploit(self, exploit_type: ExploitType) -> bool:
+        """Check if exploit type is web-based."""
+        return exploit_type.value.startswith('web_')
+
+    async def _check_rate_limit(self, target: str) -> None:
+        """Check and enforce rate limiting."""
+        now = time.time()
+        host = urlparse(target).hostname or target
+
+        if host in self._last_execution:
+            elapsed = now - self._last_execution[host]
+            if elapsed < self._min_interval:
+                wait_time = self._min_interval - elapsed
+                logger.debug(f"Rate limiting: waiting {wait_time:.2f}s for {host}")
+                await asyncio.sleep(wait_time)
+
+        self._last_execution[host] = now
+
+    def _validate_exploit_structure(self, exploit: Dict[str, Any]) -> bool:
+        """Validate exploit dictionary structure."""
+        required_fields = ['code', 'target', 'type']
+        return all(field in exploit for field in required_fields)
+
+    async def _execute_docker_sandboxed(
+        self,
+        exploit_code: str,
+        target: str,
+        exploit_type: ExploitType,
+        parameters: Dict[str, Any],
+        timeout: int
+    ) -> ExploitResult:
+        """Execute exploit in Docker sandbox."""
+        timestamp = datetime.utcnow()
+        chain_of_custody = []
+
+        # Prepare exploit script
+        script_content = self._generate_exploit_script(
+            exploit_code, target, exploit_type, parameters
+        )
+
+        # Create temporary directory for volumes
+        with tempfile.TemporaryDirectory() as tmpdir:
+            script_path = os.path.join(tmpdir, 'exploit.py')
+            with open(script_path, 'w') as f:
+                f.write(script_content)
+
+            # Output directory for results
+            output_dir = os.path.join(tmpdir, 'output')
+            os.makedirs(output_dir, exist_ok=True)
+
+            try:
+                # Build container configuration
+                container_config = {
+                    'image': self.sandbox_config.image,
+                    'command': ['python3', '/exploit/exploit.py'],
+                    'volumes': {
+                        tmpdir: {'bind': '/exploit', 'mode': 'ro'},
+                        output_dir: {'bind': '/output', 'mode': 'rw'}
+                    },
+                    'network_disabled': self.sandbox_config.network_isolated,
+                    'mem_limit': self.sandbox_config.memory_limit,
+                    'cpu_quota': int(self.sandbox_config.cpu_limit * 100000),
+                    'read_only': self.sandbox_config.read_only_root,
+                    'cap_drop': self.sandbox_config.cap_drop,
+                    'cap_add': self.sandbox_config.cap_add,
+                    'dns': self.sandbox_config.dns_servers,
+                    'detach': True,
+                    'auto_remove': True
+                }
+
+                # Run container
+                chain_of_custody.append({
+                    'action': 'container_created',
+                    'timestamp': datetime.utcnow().isoformat(),
+                    'image': self.sandbox_config.image
+                })
+
+                container = self.docker_client.containers.run(**container_config)
+
+                # Wait for completion with timeout
+                try:
+                    result = container.wait(timeout=timeout)
+                    logs = container.logs().decode('utf-8', errors='ignore')
+
+                    # Read output files
+                    output_data = {}
+                    for filename in os.listdir(output_dir):
+                        filepath = os.path.join(output_dir, filename)
+                        try:
+                            with open(filepath, 'r') as f:
+                                output_data[filename] = f.read()
+                        except Exception:
+                            output_data[filename] = '[binary]'
+
+                    # Parse results
+                    success = result.get('StatusCode', 1) == 0
+
+                    # Capture evidence
+                    evidence = await self.capture_evidence(
+                        target, exploit_type,
+                        capture_screenshot=self._is_web_exploit(exploit_type)
+                    )
+
+                    chain_of_custody.append({
+                        'action': 'execution_completed',
+                        'timestamp': datetime.utcnow().isoformat(),
+                        'exit_code': result.get('StatusCode', -1)
+                    })
+
+                    return ExploitResult(
+                        success=success,
+                        exploit_type=exploit_type,
+                        target=target,
+                        timestamp=timestamp,
+                        evidence=evidence,
+                        output=logs + "\n" + json.dumps(output_data, indent=2),
+                        status=ExploitStatus.SUCCESS if success else ExploitStatus.FAILED,
+                        chain_of_custody=chain_of_custody
+                    )
+
+                except Exception:
+                    container.kill()
+                    raise
+
+            except ContainerError as e:
+                return ExploitResult(
+                    success=False,
+                    exploit_type=exploit_type,
+                    target=target,
+                    timestamp=timestamp,
+                    evidence=Evidence(),
+                    output=str(e),
+                    status=ExploitStatus.ERROR,
+                    error=f"Container error: {str(e)}",
+                    chain_of_custody=chain_of_custody
+                )
+            except ImageNotFound:
+                return ExploitResult(
+                    success=False,
+                    exploit_type=exploit_type,
+                    target=target,
+                    timestamp=timestamp,
+                    evidence=Evidence(),
+                    output="",
+                    status=ExploitStatus.ERROR,
+                    error=f"Docker image '{self.sandbox_config.image}' not found",
+                    chain_of_custody=chain_of_custody
+                )
+
+    async def _execute_local_sandboxed(
+        self,
+        exploit_code: str,
+        target: str,
+        exploit_type: ExploitType,
+        parameters: Dict[str, Any],
+        timeout: int
+    ) -> ExploitResult:
+        """Execute exploit locally with restrictions."""
+        timestamp = datetime.utcnow()
+        chain_of_custody = []
+
+        # Generate and execute exploit script
+        script_content = self._generate_exploit_script(
+            exploit_code, target, exploit_type, parameters
+        )
+
+        with tempfile.NamedTemporaryFile(mode='w', suffix='.py', delete=False) as f:
+            f.write(script_content)
+            script_path = f.name
+
+        try:
+            chain_of_custody.append({
+                'action': 'local_execution_started',
+                'timestamp': datetime.utcnow().isoformat()
+            })
+
+            # Execute with timeout
+            process = await asyncio.create_subprocess_exec(
+                'python3', script_path,
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE
+            )
+
+            try:
+                stdout, stderr = await asyncio.wait_for(
+                    process.communicate(), timeout=timeout
+                )
+
+                output = stdout.decode('utf-8', errors='ignore')
+                error = stderr.decode('utf-8', errors='ignore')
+
+                success = process.returncode == 0 and not error
+
+                # Capture evidence
+                evidence = await self.capture_evidence(
+                    target, exploit_type,
+                    capture_screenshot=self._is_web_exploit(exploit_type)
+                )
+
+                chain_of_custody.append({
+                    'action': 'execution_completed',
+                    'timestamp': datetime.utcnow().isoformat(),
+                    'exit_code': process.returncode
+                })
+
+                return ExploitResult(
+                    success=success,
+                    exploit_type=exploit_type,
+                    target=target,
+                    timestamp=timestamp,
+                    evidence=evidence,
+                    output=output,
+                    status=ExploitStatus.SUCCESS if success else ExploitStatus.FAILED,
+                    error=error if error else None,
+                    chain_of_custody=chain_of_custody
+                )
+
+            except asyncio.TimeoutError:
+                process.kill()
+                raise
+
+        finally:
+            os.unlink(script_path)
+
+    async def _execute_docker_command(
+        self,
+        command: str,
+        timeout: int,
+        network_access: bool
+    ) -> Dict[str, Any]:
+        """Execute a command in Docker container."""
+        try:
+            container = self.docker_client.containers.run(
+                image=self.sandbox_config.image,
+                command=['sh', '-c', command],
+                network_disabled=not network_access,
+                mem_limit=self.sandbox_config.memory_limit,
+                detach=True,
+                auto_remove=True
+            )
+
+            result = container.wait(timeout=timeout)
+            logs = container.logs().decode('utf-8', errors='ignore')
+
+            return {
+                'stdout': logs,
+                'stderr': '',
+                'return_code': result.get('StatusCode', -1),
+                'success': result.get('StatusCode', 1) == 0
+            }
+
+        except Exception as e:
+            return {
+                'stdout': '',
+                'stderr': str(e),
+                'return_code': -1,
+                'success': False
+            }
+
+    async def _execute_local_command(
+        self,
+        command: str,
+        timeout: int
+    ) -> Dict[str, Any]:
+        """Execute command locally."""
+        try:
+            process = await asyncio.create_subprocess_shell(
+                command,
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE
+            )
+
+            stdout, stderr = await asyncio.wait_for(
+                process.communicate(), timeout=timeout
+            )
+
+            return {
+                'stdout': stdout.decode('utf-8', errors='ignore'),
+                'stderr': stderr.decode('utf-8', errors='ignore'),
+                'return_code': process.returncode,
+                'success': process.returncode == 0
+            }
+
+        except asyncio.TimeoutError:
+            process.kill()
+            return {
+                'stdout': '',
+                'stderr': 'Timeout',
+                'return_code': -1,
+                'success': False
+            }
+
+    async def _capture_http_evidence(
+        self,
+        target: str,
+        evidence_dir: str
+    ) -> List[Dict[str, Any]]:
+        """Capture HTTP response evidence."""
+        responses = []
+
+        if not AIOHTTP_AVAILABLE:
+            return responses
+
+        try:
+            # Ensure URL has scheme
+            if not target.startswith(('http://', 'https://')):
+                target = f"http://{target}"
+
+            timeout = aiohttp.ClientTimeout(total=30)
+            async with aiohttp.ClientSession(timeout=timeout) as session:
+                async with session.get(target, ssl=False) as response:
+                    body_text = await response.text()
+                    response_data = {
+                        'url': str(response.url),
+                        'status': response.status,
+                        'headers': dict(response.headers),
+                        'timestamp': datetime.utcnow().isoformat(),
+                        'body': body_text[:10000]  # Limit body size
+                    }
+                    responses.append(response_data)
+
+                    # Save to file
+                    http_file = os.path.join(evidence_dir, 'http_response.json')
+                    with open(http_file, 'w') as f:
+                        json.dump(response_data, f, indent=2, default=str)
+
+        except Exception as e:
+            logger.warning(f"HTTP capture failed: {e}")
+
+        return responses
+
+    async def _capture_screenshot(
+        self,
+        target: str,
+        evidence_dir: str
+    ) -> Optional[str]:
+        """Capture browser screenshot using Playwright."""
+        if not PLAYWRIGHT_AVAILABLE or not self.enable_playwright:
+            return None
+
+        screenshot_path = None
+
+        try:
+            # Ensure URL has scheme
+            if not target.startswith(('http://', 'https://')):
+                target = f"http://{target}"
+
+            async with async_playwright() as p:
+                browser = await p.chromium.launch(headless=True)
+                context = await browser.new_context(
+                    viewport={'width': 1920, 'height': 1080},
+                    user_agent='ZenAI-ExploitValidator/1.0'
+                )
+
+                page = await context.new_page()
+
+                try:
+                    await page.goto(target, wait_until='networkidle', timeout=30000)
+
+                    # Capture screenshot
+                    screenshot_path = os.path.join(evidence_dir, 'screenshot.png')
+                    await page.screenshot(path=screenshot_path, full_page=True)
+
+                    # Also capture page content
+                    content = await page.content()
+                    html_path = os.path.join(evidence_dir, 'page.html')
+                    with open(html_path, 'w', encoding='utf-8') as f:
+                        f.write(content)
+
+                except Exception as e:
+                    logger.warning(f"Page navigation failed: {e}")
+
+                await browser.close()
+
+        except Exception as e:
+            logger.warning(f"Screenshot capture failed: {e}")
+
+        return screenshot_path
+
+    async def _capture_pcap(
+        self,
+        target: str,
+        evidence_dir: str
+    ) -> Optional[str]:
+        """Capture network traffic using tcpdump."""
+        # PCAP capture requires root and is complex in async context
+        # This is a placeholder implementation
+        logger.debug("PCAP capture not implemented - requires elevated privileges")
+        return None
+
+    async def _get_source_ip(self) -> str:
+        """Get the source IP address."""
+        try:
+            # Connect to a public DNS server to determine outbound IP
+            reader, writer = await asyncio.wait_for(
+                asyncio.open_connection('8.8.8.8', 53),
+                timeout=5
+            )
+            sock = writer.get_extra_info('socket')
+            ip = sock.getsockname()[0]
+            writer.close()
+            await writer.wait_closed()
+            return ip
+        except Exception:
+            return 'unknown'
+
+    def _generate_exploit_script(
+        self,
+        exploit_code: str,
+        target: str,
+        exploit_type: ExploitType,
+        parameters: Dict[str, Any]
+    ) -> str:
+        """Generate a safe exploit execution script."""
+
+        # Sanitize inputs
+        safe_target = shlex.quote(target)
+
+        script = f'''#!/usr/bin/env python3
+"""
+Auto-generated exploit validation script
+Generated: {datetime.utcnow().isoformat()}
+Exploit Type: {exploit_type.value}
+Target: {target}
+"""
+
+import json
+import sys
+import os
+
+def main():
+    target = {safe_target}
+    parameters = {json.dumps(parameters)}
+
+    # Output directory
+    output_dir = "/output" if os.path.exists("/output") else "."
+
+    result = {{
+        "success": False,
+        "target": target,
+        "output": "",
+        "error": None
+    }}
+
+    try:
+        # User exploit code
+{self._indent_code(exploit_code, 8)}
+
+        result["success"] = True
+        result["output"] = "Exploit executed successfully"
+
+    except Exception as e:
+        result["error"] = str(e)
+        result["output"] = f"Exploit failed: {{e}}"
+
+    # Write results
+    with open(os.path.join(output_dir, "result.json"), "w") as f:
+        json.dump(result, f, indent=2)
+
+    print(json.dumps(result))
+    return 0 if result["success"] else 1
+
+if __name__ == "__main__":
+    sys.exit(main())
+'''
+        return script
+
+    def _indent_code(self, code: str, indent: int) -> str:
+        """Indent code block for script generation."""
+        lines = code.split('\n')
+        spaces = ' ' * indent
+        return '\n'.join(spaces + line for line in lines)
+
+
+class ExploitValidatorPool:
+    """
+    Pool of ExploitValidators for concurrent execution.
+
+    Manages multiple validators with load balancing and
+    resource management.
+    """
+
+    def __init__(
+        self,
+        pool_size: int = 3,
+        safety_level: SafetyLevel = SafetyLevel.CONTROLLED,
+        scope_config: Optional[ScopeConfig] = None
+    ):
+        """
+        Initialize validator pool.
+
+        Args:
+            pool_size: Number of validators in pool
+            safety_level: Safety level for all validators
+            scope_config: Scope configuration
+        """
+        self.pool_size = pool_size
+        self.safety_level = safety_level
+        self.scope_config = scope_config or ScopeConfig()
+
+        self._validators: List[ExploitValidator] = []
+        self._queue: asyncio.Queue = asyncio.Queue()
+        self._semaphore = asyncio.Semaphore(pool_size)
+
+        # Statistics
+        self._stats = {
+            'total_executed': 0,
+            'successful': 0,
+            'failed': 0,
+            'blocked': 0
+        }
+
+    async def initialize(self) -> None:
+        """Initialize all validators in the pool."""
+        for i in range(self.pool_size):
+            validator = ExploitValidator(
+                safety_level=self.safety_level,
+                scope_config=self.scope_config
+            )
+            self._validators.append(validator)
+        logger.info(f"Validator pool initialized with {self.pool_size} validators")
+
+    async def submit(
+        self,
+        exploit_code: str,
+        target: str,
+        exploit_type: ExploitType,
+        parameters: Optional[Dict[str, Any]] = None
+    ) -> ExploitResult:
+        """
+        Submit an exploit for validation.
+
+        Args:
+            exploit_code: Exploit code to execute
+            target: Target for exploitation
+            exploit_type: Type of exploit
+            parameters: Additional parameters
+
+        Returns:
+            ExploitResult from validation
+        """
+        async with self._semaphore:
+            # Round-robin selection
+            validator = self._validators[
+                self._stats['total_executed'] % len(self._validators)
+            ]
+
+            self._stats['total_executed'] += 1
+
+            result = await validator.validate(
+                exploit_code=exploit_code,
+                target=target,
+                exploit_type=exploit_type,
+                parameters=parameters
+            )
+
+            # Update statistics
+            if result.success:
+                self._stats['successful'] += 1
+            elif result.status == ExploitStatus.BLOCKED:
+                self._stats['blocked'] += 1
+            else:
+                self._stats['failed'] += 1
+
+            return result
+
+    async def submit_batch(
+        self,
+        exploits: List[Dict[str, Any]]
+    ) -> List[ExploitResult]:
+        """
+        Submit multiple exploits for validation.
+
+        Args:
+            exploits: List of exploit dictionaries
+
+        Returns:
+            List of ExploitResults
+        """
+        tasks = []
+        for exploit in exploits:
+            task = self.submit(
+                exploit_code=exploit['code'],
+                target=exploit['target'],
+                exploit_type=ExploitType(exploit.get('type', 'web_rce')),
+                parameters=exploit.get('parameters', {})
+            )
+            tasks.append(task)
+
+        return await asyncio.gather(*tasks, return_exceptions=True)
+
+    def get_stats(self) -> Dict[str, int]:
+        """Get pool statistics."""
+        return self._stats.copy()
+
+    def kill_all(self) -> None:
+        """Activate kill switch on all validators."""
+        for validator in self._validators:
+            validator.kill_switch()
+
+
+# Convenience functions for common use cases
+
+async def validate_sql_injection(
+    target: str,
+    parameter: str,
+    payload: str,
+    method: str = "GET",
+    **kwargs
+) -> ExploitResult:
+    """
+    Validate SQL injection vulnerability.
+
+    Args:
+        target: Target URL
+        parameter: Vulnerable parameter
+        payload: SQL injection payload
+        method: HTTP method
+        **kwargs: Additional options for ExploitValidator
+
+    Returns:
+        ExploitResult
+    """
+    exploit_code = f'''
+import requests
+
+url = "{target}"
+params = {{"{parameter}": "{payload}"}}
+response = requests.{method.lower()}(url, params=params, timeout=30)
+
+# Check for SQL error indicators
+sql_errors = [
+    "sql syntax", "mysql_fetch", "pg_query", "ora-",
+    "sqlserver", "jdbc", "odbc", "syntax error"
+]
+
+found_error = any(err in response.text.lower() for err in sql_errors)
+print(f"Response status: {{response.status_code}}")
+print(f"SQL error detected: {{found_error}}")
+print(f"Response length: {{len(response.text)}}")
+'''
+
+    validator = ExploitValidator(**kwargs)
+    return await validator.validate(
+        exploit_code=exploit_code,
+        target=target,
+        exploit_type=ExploitType.WEB_SQLI
+    )
+
+
+async def validate_xss(
+    target: str,
+    parameter: str,
+    payload: str = "<script>alert(1)</script>",
+    **kwargs
+) -> ExploitResult:
+    """
+    Validate XSS vulnerability.
+
+    Args:
+        target: Target URL
+        parameter: Vulnerable parameter
+        payload: XSS payload
+        **kwargs: Additional options for ExploitValidator
+
+    Returns:
+        ExploitResult
+    """
+    exploit_code = f'''
+import requests
+
+url = "{target}"
+payload = "{payload}"
+response = requests.get(url, params={{"{parameter}": payload}}, timeout=30)
+
+# Check if payload is reflected
+is_reflected = payload in response.text
+print(f"Payload reflected: {{is_reflected}}")
+print(f"Response status: {{response.status_code}}")
+
+if is_reflected:
+    print("XSS vulnerability confirmed - payload reflected")
+else:
+    print("Payload not reflected in response")
+'''
+
+    validator = ExploitValidator(**kwargs)
+    return await validator.validate(
+        exploit_code=exploit_code,
+        target=target,
+        exploit_type=ExploitType.WEB_XSS
+    )
+
+
+async def validate_command_injection(
+    target: str,
+    parameter: str,
+    command: str = "echo ZENAI_TEST",
+    **kwargs
+) -> ExploitResult:
+    """
+    Validate command injection vulnerability.
+
+    Args:
+        target: Target URL
+        parameter: Vulnerable parameter
+        command: Command to inject
+        **kwargs: Additional options for ExploitValidator
+
+    Returns:
+        ExploitResult
+    """
+    exploit_code = f'''
+import requests
+import time
+
+url = "{target}"
+
+# Test command injection with timing
+payload = "; {command}; #"
+start = time.time()
+response = requests.get(url, params={{"{parameter}": payload}}, timeout=60)
+elapsed = time.time() - start
+
+print(f"Response time: {{elapsed:.2f}}s")
+print(f"Response status: {{response.status_code}}")
+
+# Check for command output
+if "ZENAI_TEST" in response.text:
+    print("Command injection confirmed - output reflected")
+elif elapsed > 4:
+    print("Possible blind command injection - timing detected")
+else:
+    print("Command injection not confirmed")
+'''
+
+    validator = ExploitValidator(**kwargs)
+    return await validator.validate(
+        exploit_code=exploit_code,
+        target=target,
+        exploit_type=ExploitType.WEB_CMD_INJECTION
+    )
+
+
+# Export public API
+__all__ = [
+    'ExploitValidator',
+    'ExploitValidatorPool',
+    'ExploitResult',
+    'ExploitType',
+    'ExploitStatus',
+    'SafetyLevel',
+    'Evidence',
+    'ScopeConfig',
+    'SandboxConfig',
+    'validate_sql_injection',
+    'validate_xss',
+    'validate_command_injection',
+]