feat: expand injection analysis scope to cover LFI/RFI/SSTI/Path Traversal/Deserialization
Fixes responsibility gap where agents found vulnerabilities but rejected them as "out of scope" Changes: - vuln-injection.txt: Added LFI/RFI, SSTI, Path Traversal, Deserialization to scope - Updated role definition and objective - Added new vulnerability_type and slot_type enums - Added sink definitions and defense rules for new injection classes - Added witness payload examples - pre-recon-code.txt: Expanded sink hunter agent to find file/template/deserialize sinks - recon.txt: Updated Section 9 with clear injection source definitions for all types - exploit-injection.txt: Updated evidence template to handle all injection types Token-optimized: Condensed verbose sections while preserving critical guidance Addresses XBEN benchmark failures where LFI/SSTI/Path Traversal were detected but excluded from exploitation queues 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
@@ -110,7 +110,7 @@ Launch these three discovery agents simultaneously to understand the codebase st
|
||||
After Phase 1 completes, launch all three vulnerability-focused agents in parallel:
|
||||
|
||||
4. **XSS/Injection Sink Hunter Agent**:
|
||||
"Find all dangerous sinks where untrusted input could execute in browser contexts or system commands. Include XSS sinks (innerHTML, document.write, template injection), SQL injection points, command injection, and template injection. Provide render contexts and exact file locations. If no sinks are found, report that explicitly."
|
||||
"Find all dangerous sinks where untrusted input could execute in browser contexts, system commands, file operations, template engines, or deserialization. Include XSS sinks (innerHTML, document.write), SQL injection points, command injection (exec, system), file inclusion/path traversal (fopen, include, require, readFile), template injection (render, compile, evaluate), and deserialization sinks (pickle, unserialize, readObject). Provide exact file locations with line numbers. If no sinks are found, report that explicitly."
|
||||
|
||||
5. **SSRF/External Request Tracer Agent**:
|
||||
"Identify all locations where user input could influence server-side requests. Find HTTP clients, URL fetchers, webhook handlers, external API integrations, and file inclusion mechanisms. Map user-controllable request parameters with exact code locations. If no SSRF sinks are found, report that explicitly."
|
||||
|
||||
Reference in New Issue
Block a user