refactor: deduplicate prompt templates with shared content system

Implemented @include() directive system to eliminate ~800 lines of duplicated content across 10 specialist prompt files. All prompt-related content now consolidated under prompts/ directory for better maintainability. Changes: - Added processIncludes() to prompt-manager.js for generic @include() support - Created prompts/shared/ with 5 reusable template files - Refactored all 10 specialist prompts to use @include() for common sections - Moved login_instructions.txt to prompts/shared/ (deleted login_resources/) - Updated CLAUDE.md to reflect new structure Impact: -137 net lines, zero breaking changes, infinitely scalable for future shared content. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-23 16:19:25 -07:00
parent 2966157596
commit 9be2e71ff2
17 changed files with 84 additions and 121 deletions
@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
 </objective>

 <exploitation_scope>
-**MANDATORY EXPLOITATION CONSTRAINTS:**
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
-  - Internal network access (Tailscale, VPN, etc.)
-  - Direct server access
-  - Database console access
-
-**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
-
-Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
+@include(shared/_exploit-scope.txt)
 </exploitation_scope>

 <critical>
@@ -107,13 +94,11 @@ Chain exploits together: Use enumerated users in password attacks. Use created w
 If you only confirmed a vulnerability without attempting to weaponize it, you have not completed the exploitation task.

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
 </objective>

 <exploitation_scope>
-**MANDATORY EXPLOITATION CONSTRAINTS:**
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
-  - Internal network access (Tailscale, VPN, etc.)
-  - Direct server access
-  - Database console access
-
-**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
-
-Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
+@include(shared/_exploit-scope.txt)
 </exploitation_scope>

 <critical>
@@ -94,13 +81,11 @@ After exhaustive bypass attempts, determine:
 </critical>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
 </objective>

 <exploitation_scope>
-**MANDATORY EXPLOITATION CONSTRAINTS:**
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
-  - Internal network access (Tailscale, VPN, etc.)
-  - Direct server access
-  - Database console access
-
-**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
-
-Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
+@include(shared/_exploit-scope.txt)
 </exploitation_scope>

 <critical>
@@ -71,12 +58,11 @@ Remember: An unproven vulnerability is worse than no finding at all - it wastes


 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
@@ -8,20 +8,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
 </objective>

 <exploitation_scope>
-**MANDATORY EXPLOITATION CONSTRAINTS:**
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
-  - Internal network access (Tailscale, VPN, etc.)
-  - Direct server access
-  - Database console access
-
-**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
-
-Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
+@include(shared/_exploit-scope.txt)
 </exploitation_scope>

 <critical> 
@@ -94,13 +81,11 @@ After exhaustive bypass attempts, determine:
 </critical>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
@@ -19,20 +19,7 @@ Success criterion: A comprehensive evidence report detailing the outcome for **e
 </objective>

 <exploitation_scope>
-**MANDATORY EXPLOITATION CONSTRAINTS:**
- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
- DO NOT attempt to exploit vulnerabilities that require:
-  - Internal network access (Tailscale, VPN, etc.)
-  - Direct server access
-  - Database console access
-
-**VERDICT CLASSIFICATIONS:**
- EXPLOITED: Successfully demonstrated impact via public interface
- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
- FALSE_POSITIVE: Not actually vulnerable
-
-Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
+@include(shared/_exploit-scope.txt)
 </exploitation_scope>

 <critical>
@@ -92,13 +79,11 @@ After exhaustive bypass attempts, determine:
 </critical>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
@@ -0,0 +1,14 @@
+**MANDATORY EXPLOITATION CONSTRAINTS:**
+- ALL exploitation attempts MUST be performed against {{WEB_URL}} from external network
+- DO NOT attempt to exploit vulnerabilities that require:
+  - Internal network access (Tailscale, VPN, etc.)
+  - Direct server access
+  - Database console access
+
+**VERDICT CLASSIFICATIONS:**
+- EXPLOITED: Successfully demonstrated impact via public interface
+- BLOCKED_BY_SECURITY: Valid vulnerability but blocked by WAF/controls
+- OUT_OF_SCOPE_INTERNAL: Requires internal access - DO NOT PURSUE
+- FALSE_POSITIVE: Not actually vulnerable
+
+Only EXPLOITED and BLOCKED_BY_SECURITY should be reported as findings.
@@ -0,0 +1,2 @@
+Rules to Avoid:
+{{RULES_AVOID}}
@@ -0,0 +1 @@
+URL: {{WEB_URL}}
@@ -0,0 +1 @@
+**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
@@ -0,0 +1,82 @@
+<!-- BEGIN:COMMON -->
+**IF you are not already logged in when you open playwright, these are the login instructions** 
+**NOTE: playwright automatically saves sessions so ensure you are not already logged in before executing these steps**
+
+<user_provided_configuration>
+{{user_instructions}}
+</user_provided_configuration>
+
+<authentication_execution>
+Execute the login flow based on the login_type specified in the configuration:
+<!-- END:COMMON -->
+
+<!-- BEGIN:FORM -->
+**Form-based authentication:**
+1. Navigate to the specified login_url using Playwright
+2. Execute each step in the login_flow array sequentially:
+   - Replace $username with the provided username credential
+   - Replace $password with the provided password credential
+   - Replace $totp with generated code using the `generate_totp` MCP tool with the TOTP secret: {{totp_secret}}
+   - Perform the specified actions (type text, click buttons, etc.)
+3. Wait for page navigation/loading to complete after each critical step
+4. Handle any consent dialogs or "Continue as [user]" prompts by clicking appropriate buttons
+<!-- END:FORM -->
+
+<!-- BEGIN:SSO -->
+**SSO authentication:**
+1. Navigate to the specified login_url using Playwright
+2. Execute each step in the login_flow array sequentially:
+   - Click the SSO provider button (e.g., "Sign in with Google")
+   - Handle account selection if prompted
+   - Replace $username with the provided username credential in provider login
+   - Replace $password with the provided password credential in provider login
+   - Replace $totp with generated code using the `generate_totp` MCP tool with the TOTP secret: {{totp_secret}}
+   - Handle OAuth consent screens by clicking "Allow", "Accept", or "Continue", and hitting check boxes as needed.
+   - Handle "Continue as [username]" dialogs by clicking "Continue"
+3. Wait for OAuth callback and final redirect to complete
+4. Ensure all consent and authorization steps are explicitly handled
+<!-- END:SSO -->
+
+<!-- BEGIN:VERIFICATION -->
+</authentication_execution>
+
+<success_verification>
+After completing the login flow, verify successful authentication:
+
+1. **Check Success Condition:**
+   - IF success_condition.type == "url_contains": Verify current URL contains the specified value
+   - IF success_condition.type == "url_equals_exactly": Verify current URL exactly matches the specified value
+   - IF success_condition.type == "element_present": Verify the specified element exists on the page
+
+2. **Confirm Authentication State:**
+   - Page should NOT be on a login screen
+   - Page should NOT show authentication errors
+   - Page should display authenticated user content/interface
+
+3. **Verification Success:** 
+   - Login is successful - proceed with your primary task
+   - You now have an authenticated browser session to work with
+
+4. **Verification Failure:**
+   - Retry the entire login flow ONCE with 5-second wait between attempts
+   - If second attempt fails, report authentication failure and stop task execution
+   - Do NOT proceed with authenticated actions if login verification fails
+
+</success_verification>
+
+<error_handling>
+If login execution fails:
+1. Log the specific step that failed and any error messages
+2. Check for unexpected dialogs, pop-ups, or consent screens that may need handling
+3. Retry the complete login flow once after a 5-second delay
+4. If retry fails, report login failure and halt task execution
+5. Do NOT attempt to proceed with the primary task if authentication is unsuccessful
+
+Common issues to watch for:
+- OAuth consent screens requiring explicit "Allow" or "Accept" clicks
+- "Continue as [user]" or account selection prompts
+- TOTP/2FA code timing issues requiring regeneration
+- Page loading delays requiring explicit waits
+- Redirect handling for multi-step authentication flows
+</error_handling>
+<!-- END:VERIFICATION -->
@@ -9,16 +9,15 @@ Success criterion: A complete, code-backed analysis of every potential authentic
 </objective>

 <scope>
-**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
+@include(shared/_vuln-scope.txt)
 </scope>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
@@ -8,17 +8,15 @@ Success criterion: A complete, code-backed analysis of every potential authoriza
 </objective>

 <scope>
-**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
+@include(shared/_vuln-scope.txt)
 </scope>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
@@ -11,17 +11,15 @@ Success criterion: A complete source-to-sink trace for every identified vulnerab
 </objective>

 <scope>
-**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
+@include(shared/_vuln-scope.txt)
 </scope>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
-
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
@@ -8,16 +8,15 @@ Success criterion: A complete source-to-sink trace for every identified SSRF vul
 </objective>

 <scope>
-**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
+@include(shared/_vuln-scope.txt)
 </scope>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
@@ -8,16 +8,15 @@ Success criterion: Live confirmation of XSS execution for every vulnerability th
 </objective>

 <scope>
-**EXTERNAL ATTACKER SCOPE:** Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.
+@include(shared/_vuln-scope.txt)
 </scope>

 <target>
-URL: {{WEB_URL}}
+@include(shared/_target.txt)
 </target>

 <rules>
-Rules to Avoid:
-{{RULES_AVOID}}
+@include(shared/_rules.txt)
 </rules>

 <login_instructions>
				`@@ -0,0 +1 @@`
				`EXTERNAL ATTACKER SCOPE: Only report vulnerabilities exploitable via {{WEB_URL}} from the internet. Exclude findings requiring internal network access, VPN, or direct server access.`