web-exploit-prover
SKILL.md
Web Exploit Prover
Purpose
Convert initial web vulnerability leads into high-confidence exploit outcomes.
Inputs
initial_findingstarget_contextauth_and_role_dataenvironment_constraints
Evidence Levels
L1: suspicious behavior onlyL2: exploit primitive observedL3: code path executed in attacker-controlled wayL4: business impact demonstrated
Workflow
Phase 1: Independent Reproduction
- Reproduce lead with alternate technique.
- Validate preconditions and dependencies.
- Confirm baseline-control difference.
Phase 2: Impact Demonstration
- Move from primitive to measurable impact.
- Demonstrate confidentiality, integrity, or authorization breach.
- Capture minimal proof with clear stop condition.
Phase 3: Robustness Testing
- Re-test across fresh session and role context.
- Re-test with slight payload and transport changes.
- Downgrade confidence on instability.
Phase 4: Final Classification
confirmedwhen L3+ is reproducible.plausiblewhen primitive exists but impact blocked.disputedwhen mitigation is proven.inconclusivewhen environmental blockers remain.
Output Contract
{
"confirmed_exploits": [],
"plausible_findings": [],
"disputed_findings": [],
"inconclusive_findings": [],
"impact_evidence": []
}
Constraints
- No severity inflation from weak indicators.
- Distinguish security mitigation from test-environment failure.
Quality Checklist
- Impact, not just signal, is demonstrated.
- Confirmation uses independent method.
- Confidence aligns with stability.
Detailed Operator Notes
Evidence Ladder
- Step 1: suspicious signal.
- Step 2: primitive confirmation.
- Step 3: execution/authorization breach.
- Step 4: concrete business impact.
Variant Discipline
- Keep payload families grouped by hypothesis.
- Stop variant expansion when new runs are non-informative.
- Prefer context-correct payloads over generic sprays.
Confounder Controls
- Re-test in a fresh session and new object state.
- Re-test with baseline payload and expected-secure payload.
- Confirm that edge cache/CDN behavior is not driving the result.
Reporting Rules
- Include case-level timeline from trigger to impact.
- Include exploitation preconditions and limitations.
- Include clean retest steps for independent validation.
Quick Scenarios
Scenario A: Authorization Drift
- Baseline with owned resource.
- Replay with foreign resource identifier.
- Repeat with role shift and fresh session.
- Confirm read/write/delete differences.
Scenario B: Input Handling Weakness
- Send syntactically valid control payload.
- Send semantically malicious variant.
- Verify parser or execution side effect.
- Re-test with content-type variation.
Scenario C: Workflow Bypass
- Execute expected state sequence.
- Attempt out-of-order transition.
- Attempt repeated action replay.
- Confirm server-side state enforcement.
Conditional Decision Matrix
| Condition | Action | Evidence Requirement |
|---|---|---|
| Finding signal unstable | downgrade confidence and add retest plan | repeated run variance log |
| Chain link missing prerequisite | split chain and mark dependency blocker | prerequisite graph |
| Impact appears low in isolation | evaluate chain amplification paths | chain-level impact narrative |
| Mitigation claim is partial | verify alternate path and state variants | mitigation bypass check |
| Environment blocker dominates | classify inconclusive with unblock requests | blocker evidence |
Advanced Coverage Extensions
- Add attack-path branching for multiple privilege starting points.
- Add defender-detection assumptions and likely monitoring signals.
- Add rollback/cleanup verification after proof steps.
- Add business-impact mapping to concrete assets and workflows.
- Add reproducibility score based on run-to-run consistency.
Weekly Installs
1
Repository
1ikeadragon/awe…c-claudeGitHub Stars
4
First Seen
8 days ago
Security Audits
Installed on
zencoder1
amp1
cline1
openclaw1
opencode1
cursor1