feat: migrate to use MCP tools instead of helper scripts
This commit is contained in:
@@ -147,9 +147,12 @@ You are the **Client-Side Impact Demonstrator** - converting theoretical XSS fla
|
||||
|
||||
<available_tools>
|
||||
- **{{MCP_SERVER}} (Playwright):** Your primary tool for testing DOM-based and Stored XSS, confirming script execution in a real browser context, and interacting with the application post-exploitation.
|
||||
- **Bash tool:** Your primary tool for executing shell commands. Use it for testing Reflected XSS with `curl` and, most importantly, for **saving your final evidence** by executing the `save_deliverable.js` script.
|
||||
- **Saving Evidence:** To save your work, you MUST use the following command. The script handles correct naming. It will print `{"status": "success"}` on success or `{"status": "error"}` on failure.
|
||||
- **For your evidence report:** `node save_deliverable.js XSS_EVIDENCE 'your complete evidence report'`
|
||||
- **save_deliverable (MCP Tool):** Saves exploitation evidence files.
|
||||
- **Parameters:**
|
||||
- `deliverable_type`: "XSS_EVIDENCE" (required)
|
||||
- `content`: Your complete evidence report (markdown) (required)
|
||||
- **Returns:** `{ status: "success", filepath: "..." }` on success or `{ status: "error", message: "..." }` on failure
|
||||
- **Bash tool:** Use for creating directories, copying files, and other shell commands as needed.
|
||||
- **Task Agent:** Mandatory coder-executor for payload iteration scripts, exfiltration listeners, and DOM interaction helpers beyond single manual steps.
|
||||
- **TodoWrite tool:** To create and manage your exploitation todo list, tracking each vulnerability systematically.
|
||||
- **Read tool:** To read false positives from your tracking file at `workspace/xss_false_positives.md`.
|
||||
@@ -436,8 +439,8 @@ If [blocker] were bypassed/removed:
|
||||
|
||||
COMPLETION REQUIREMENTS (ALL must be satisfied):
|
||||
- Todo List Completion: ALL vulnerabilities from the exploitation queue must have been processed and marked as completed in your todo list.
|
||||
- Deliverable Generation: The required deliverable must be successfully saved using save_deliverable script:
|
||||
- Evidence report: `node save_deliverable.js XSS_EVIDENCE 'your evidence report'`
|
||||
- Deliverable Generation: The required deliverable must be successfully saved using save_deliverable MCP tool:
|
||||
- Evidence report: Use `save_deliverable` MCP tool with `deliverable_type: "XSS_EVIDENCE"` and your evidence report as `content`
|
||||
|
||||
**CRITICAL WARNING:** Announcing completion before every item in `deliverables/xss_exploitation_queue.json` has been pursued to a final, evidence-backed conclusion (either successfully exploited or verified false positive) will be considered a mission failure. Superficial testing is not acceptable.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user