diff --git a/src/AI/README.md b/src/AI/README.md index 166744525b5..533c9878058 100644 --- a/src/AI/README.md +++ b/src/AI/README.md @@ -80,4 +80,13 @@ AI-MCP-Servers.md AI-Assisted-Fuzzing-and-Vulnerability-Discovery.md {{#endref}} +### Web Black-Box AI Pentester Bots + +LLM-powered agents can automate long-running black-box web pentesting workflows when they are supported by observability, orchestration, authenticated session handling, and adversarial validation: + + +{{#ref}} +Web-Black-Box-AI-Pentester-Bots.md +{{#endref}} + {{#include ../banners/hacktricks-training.md}} diff --git a/src/AI/Web-Black-Box-AI-Pentester-Bots.md b/src/AI/Web-Black-Box-AI-Pentester-Bots.md new file mode 100644 index 00000000000..6d7f1238913 --- /dev/null +++ b/src/AI/Web-Black-Box-AI-Pentester-Bots.md @@ -0,0 +1,97 @@ +# Web Black-Box AI Pentester Bots + +{{#include ../banners/hacktricks-training.md}} + +LLMs can run **long-lived black-box web pentesting workflows**. The useful abstraction is not "ask the model to find bugs", but "wrap the model in a harness that forces evidence collection, persistence, and skeptical validation". + +## 1. Observability first + +An autonomous agent without logs quickly becomes an expensive false-positive generator. Keep **full session telemetry** for every run: + +- shell commands +- HTTP requests and responses +- browser actions +- intermediate conclusions +- final evidence used in the report + +The logs are often more valuable than the report because they show **why** the agent stopped, which assumptions it made, and which branches deserve another pass. + +## 2. Keep the agent hacking + +A single prompt usually stops at the first plausible explanation. In practice, the agent should run in an **iterative loop**: + +1. perform recon / analysis +2. score the result +3. create follow-up tasks +4. revisit suspicious branches +5. stop only on an explicit budget or low-signal decision + +This is especially useful for web targets where weak signals often hide real issues: reflected parameters, strange redirects, feature flags, hidden API paths, source-map leaks, or partially working authorization bypasses. + +## 3. Add an orchestrator + +Pure persistence burns tokens on thin targets. Put an **orchestrator** above the worker to: + +- kill low-signal targets early +- extend runs on promising attack surfaces +- fan out work into recon / analysis / validation sub-agents +- re-queue interesting artifacts (JS bundles, source maps, leaked configs, suspicious endpoints) + +## 4. Use an adversarial validator + +A separate agent should try to **disprove** every finding before it is reported: + +- alleged XSS → break the source-to-sink chain +- alleged SSRF → prove whether the request actually crossed the trust boundary +- alleged IDOR/BOLA → confirm object ownership really changes with only the identifier mutated +- alleged OAuth issue → replay the exact callback/token exchange and confirm client, redirect, or `postMessage` abuse is real + +This reduces "AI slop" and forces the system to keep only evidence-backed bugs. + +## 5. Split login from hacking + +For post-auth web testing, do **not** waste most of the budget fighting anti-bot login flows. A practical pattern is: + +- keep a **local real-browser session broker** (real Chrome profile, normal fingerprint) +- refresh cookies/tokens there +- hand live authenticated sessions to the cloud worker +- keep the worker focused on post-auth attack surface + +This is especially relevant for high-value classes such as [IDOR/BOLA](../pentesting-web/idor.md), [account takeover](../pentesting-web/account-takeover.md), [registration weaknesses](../pentesting-web/registration-vulnerabilities.md), and [reset/OTP flows](../pentesting-web/reset-password.md). + +## 6. Web-specific artifact mining for agents + +Autonomous web agents work best when explicitly instructed to harvest and prioritize: + +- JS bundles and **source maps** for hidden routes, mock paths, API keys, role strings, and service filenames +- client-side message handlers for [`postMessage`](../pentesting-web/postmessage-vulnerabilities/README.md) sinks and origin-trust mistakes +- OAuth/OIDC callback handlers and Dynamic Client Registration flows ([OAuth to account takeover](../pentesting-web/oauth-to-account-takeover.md)) +- Firebase / Identity Toolkit / Firestore configuration leaks +- unsafe DOM sinks such as `innerHTML`, even on detached nodes, for DOM-XSS review +- Web3 metadata rendered into trusted origins, where XSS can become wallet-signing abuse ([DApps](../pentesting-web/dapps-DecentralizedApplications.md)) + +## 7. High-signal web heuristics to encode as skills + +When you turn the workflow into reusable skills/prompts, explicitly bias the agent toward patterns that repeatedly produce real bugs: + +- **Leaked Google / Firebase keys**: test exposed keys against Identity Toolkit-style project configuration endpoints, recover authorized domains, and compare those domains against real portals, self-registration paths, and domain-trust onboarding logic. +- **Customer lookup / recovery APIs**: prioritize endpoints that accept phone numbers, partial names, DOB, email, or account numbers; check whether any field is only syntactically required and can be abused for bulk enumeration. +- **Reset / OTP validators**: diff success and failure responses looking for leaked OTP hashes, secret material, retry metadata, or account identifiers that turn online verification into offline cracking. +- **Detached-node HTML decoders**: flag helpers that assign attacker input to `innerHTML` on temporary elements, because parsing and event-handler execution can happen before the returned value is re-escaped. +- **Source-map mining**: grep `sourcesContent` for mock paths, hidden assets, API route names, service filenames, feature flags, and committed tokens; use the findings to drive the next fuzzing/validation loop. +- **dApp signing hooks**: if XSS lands on a wallet-connected origin, immediately inspect whether the page can tamper with `signTransaction`, `signAndSendTransaction`, or similar signing methods to change the transaction after the UI intent is established. + +## 8. Good agent outputs + +The best output of an autonomous hacking agent is usually **not** a polished report. It is a queue of: + +- reproducible request/response pairs +- validated exploit paths +- high-signal artifacts worth human review +- concrete follow-up prompts for the next agent pass + +## References + +- [Joseph Thacker & xssdoctor - The Bug Bounty Singularity: Our Hackbot](https://josephthacker.com/hacking/2026/07/01/we-built-a-hackbot.html) + +{{#include ../banners/hacktricks-training.md}} diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 163ae4e7ef5..e90feec105a 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -943,6 +943,7 @@ # 🤖 AI - [AI Security](AI/README.md) - [Ai Assisted Fuzzing And Vulnerability Discovery](AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.md) + - [Web Black-Box AI Pentester Bots](AI/Web-Black-Box-AI-Pentester-Bots.md) - [AI Security Methodology](AI/AI-Deep-Learning.md) - [Burp MCP: LLM-assisted traffic review](AI/AI-Burp-MCP.md) - [AI MCP Security](AI/AI-MCP-Servers.md)