---
name: webapp-exploit-hunter
description: Automated web application vulnerability scanner and exploit generator starting from domains or URLs. Tests for SQLi, XSS, SSRF, IDOR, SSTI, authentication bypass, file upload bypass, and race conditions. Generates working PoC for each finding. Use when user asks to "find vulnerabilities", "scan web app", "test for XSS/SQLi/SSRF", "hunt bugs", "bug bounty scan", or provides a domain for web security testing. For authorized testing only.
metadata:
  author: orizon.one
  version: 1.0.0
---

# Webapp Exploit Hunter

Intelligent web application vulnerability scanner. Context-aware testing that adapts to the target's technology stack.

## Important

CRITICAL: Only test web applications you have explicit authorization to test (pentest agreement, bug bounty program, or own infrastructure).

## Instructions

### Step 1: Target Setup
Accept input as:
1. Single domain or URL
2. List of domains/URLs (from recon-dominator output or manual list)
3. Specific endpoint to test

For each target, determine:
- Is it in scope?
- What technology stack is it running? (use tech_fingerprint.py from recon-dominator or fingerprint inline)
- Are there any testing restrictions (rate limits, no automated scanning, etc.)?

### Step 2: Crawling and Endpoint Discovery

```bash
python scripts/crawler.py --target {url} --depth 3
```

Intelligent crawling:
1. Spider all linked pages up to configured depth
2. Extract forms and input parameters
3. Identify API endpoints from JavaScript files
4. Parse robots.txt and sitemap.xml for hidden paths
5. Fuzz for common hidden endpoints

Output: Structured map of all endpoints with parameters.

### Step 3: Parameter Classification

For each discovered parameter, classify:
- **Input type**: string, numeric, email, URL, file path, JSON, XML
- **Reflection**: Is input reflected in response? Where? (HTML body, attribute, JS, header)
- **Sink type**: Database query, file system, HTTP request, template, command, redirect
- **Authentication**: Does the endpoint require auth?

This classification determines which vulnerability tests are relevant.

### Step 4: Vulnerability Testing

Run tests based on parameter classification. Order by severity:

#### 4a. SQL Injection

```bash
python scripts/sqli_tester.py --target {url} --params {param_file}
```

Test types:
- Error-based: Single quote, double quote, comment injection
- Boolean-based blind: True/false condition comparison
- Time-based blind: SLEEP/WAITFOR/pg_sleep injection
- UNION-based: Column count detection + data extraction
- Second-order: Stored input used later in queries

For each finding: extract DBMS type, confirm exploitability, extract sample data as PoC.

#### 4b. Cross-Site Scripting (XSS)

```bash
python scripts/xss_tester.py --target {url} --params {param_file}
```

Context-aware payloads:
- **HTML body**: `<script>`, `<img onerror>`, `<svg onload>`
- **HTML attribute**: Event handlers, attribute breaking
- **JavaScript context**: String breaking, template literals
- **URL context**: javascript: protocol, data: URIs
- **CSS context**: expression(), url()

Test for:
- Reflected XSS (immediate response)
- Stored XSS (submit then check display page)
- DOM-based XSS (analyze client-side JS)

Bypass techniques: encoding, case variation, tag alternatives, WAF bypass patterns.

#### 4c. Server-Side Request Forgery (SSRF)

```bash
python scripts/ssrf_tester.py --target {url} --params {param_file}
```

Test URL/redirect parameters for:
- Internal network access: 127.0.0.1, 0.0.0.0, localhost
- Cloud metadata: 169.254.169.254 (AWS), metadata.google.internal (GCP)
- Internal services: common ports on internal IPs
- Protocol smuggling: file://, gopher://, dict://
- Bypass techniques: decimal IP, hex IP, DNS rebinding, URL parsing tricks

#### 4d. Insecure Direct Object Reference (IDOR)

```bash
python scripts/idor_tester.py --target {url} --endpoints {endpoint_file}
```

For endpoints with IDs (numeric, UUID, sequential):
- Test horizontal access: Change ID to access other users' resources
- Test vertical access: Access admin-only endpoints with regular user
- Test with different HTTP methods (GET vs POST vs PUT vs DELETE)
- Pattern detection: Sequential IDs, predictable UUIDs, encoded IDs

#### 4e. Server-Side Template Injection (SSTI)

```bash
python scripts/ssti_tester.py --target {url} --params {param_file}
```

Template engine detection and exploitation:
- Jinja2: `{{7*7}}`, `{{config}}`, `{{''.__class__.__mro__}}`
- Twig: `{{7*7}}`, `{{_self.env.registerUndefinedFilterCallback("system")}}`
- Freemarker: `${7*7}`, `<#assign ex="freemarker.template.utility.Execute"?new()>`
- ERB: `<%= 7*7 %>`, `<%= system('id') %>`
- Smarty: `{php}system('id');{/php}`

Polyglot detection: `${{<%[%'"}}%\.`

#### 4f. Authentication and Session Testing

```bash
python scripts/auth_tester.py --target {url}
```

Test for:
- Default credentials (based on detected technology)
- Password reset flaws (token prediction, no rate limit)
- Session fixation
- JWT vulnerabilities (none algorithm, weak secret, key confusion)
- OAuth/OIDC misconfigurations (open redirect, token leakage)
- 2FA bypass patterns

#### 4g. File Upload Testing

```bash
python scripts/upload_tester.py --target {url} --upload-endpoint {endpoint}
```

Bypass techniques:
- Double extension: shell.php.jpg
- Null byte: shell.php%00.jpg
- Content-Type manipulation
- Magic bytes injection (GIF89a + PHP)
- Polyglot files (valid image + valid PHP)
- Case variation: .pHp, .PhP
- Alternative extensions: .phtml, .php5, .phar

#### 4h. Race Condition Testing

```bash
python scripts/race_tester.py --target {url} --endpoint {endpoint}
```

Test on:
- Financial transactions (double spend)
- Coupon/discount application
- Account creation (duplicate accounts)
- File operations (TOCTOU)

Method: Send N parallel requests to same endpoint simultaneously.

### Step 5: PoC Generation
For each confirmed vulnerability:

```bash
python scripts/generate_poc.py --findings {findings_file}
```

Generate:
1. **curl command** that demonstrates the vulnerability
2. **Python script** for automated exploitation
3. **Step-by-step reproduction** guide
4. **Screenshot description** (what to look for in response)
5. **Impact assessment** (CVSS score, business impact)

### Step 6: Report Generation

```bash
python scripts/vuln_report.py --findings {findings_file} --format {md|json}
```

Bug bounty ready report per finding:
- Title (vulnerability type + location)
- Severity (Critical/High/Medium/Low with CVSS)
- URL and parameter affected
- Reproduction steps
- PoC (curl/script)
- Impact description
- Remediation recommendation

## Error Handling

### WAF Blocking Requests
If requests are blocked:
1. Reduce request rate: `--delay 2`
2. Use WAF bypass payloads: `--waf-bypass`
3. Rotate User-Agent headers: `--random-ua`
4. If persistent, inform user and suggest manual testing approach

### Authentication Required
If endpoints require authentication:
1. Ask user for session cookie or auth token
2. Use: `--cookie "session=abc123"` or `--header "Authorization: Bearer token"`
3. If no creds available, test only unauthenticated endpoints

### Rate Limiting
If 429 errors occur:
1. Scripts auto-adjust rate with exponential backoff
2. Override with: `--rate-limit 1` (1 request per second)
3. For bug bounty: always respect program's rate limit policy

## Examples

### Example 1: Full Scan on Single Domain
User says: "Find all vulnerabilities on app.example.com"

Actions:
1. Crawl the application
2. Classify all parameters
3. Run all applicable test modules
4. Generate PoCs for findings
5. Produce report

### Example 2: Targeted XSS Hunt
User says: "Test for XSS on example.com/search?q="

Actions:
1. Focus on the search parameter
2. Determine reflection context
3. Test context-appropriate payloads
4. Try WAF bypass if blocked
5. Generate PoC for any finding

### Example 3: Bug Bounty Scope Scan
User says: "Scan these 20 subdomains for the HackerOne program"

Actions:
1. Verify all targets are in scope
2. Crawl each subdomain
3. Prioritize testing by technology/attack surface
4. Respect rate limits
5. Generate bug bounty formatted report for each finding