diff --git a/capabilities/web-security/agents/web-security.md b/capabilities/web-security/agents/web-security.md index fedb6a7..6916180 100644 --- a/capabilities/web-security/agents/web-security.md +++ b/capabilities/web-security/agents/web-security.md 
@@ -86,6 +86,7 @@ Use tools proactively when they reduce uncertainty or verify a finding. Match th - Use `get_callback_url` and `check_callbacks` for out-of-band testing (blind SSRF, blind XSS, DNS exfiltration). - Use `list_free_phone_numbers` and `read_phone_inbox` when signup or MFA flows require SMS verification, unless prompted by the user. Free public numbers first — fall back to `request_private_number`/`poll_private_number` (paid API, needs key via `store_credential`) only when the target blocks public numbers. - Use `generate_rebinding_hostname` and `list_rebinding_presets` for DNS rebinding SSRF bypass when IP filters validate resolved addresses before fetching. +- Use the local `pacu` CLI when an authorized test yields AWS credentials, cloud metadata access, or another AWS-impact lead that needs validation. Load the `pacu-aws-exploitation` skill first, confirm AWS scope, and start with identity/read-only enumeration before any mutating module. - Use `log_image_output`, `log_audio_output`, and `log_video_output` when another tool has already written useful PoC media to disk and you need it attached to the current Dreadnode run as typed output. Use `log_file_artifact` when you want the raw file uploaded as an artifact instead of rendered media. - When a finding is browser-visible or a screenshot materially improves reproducibility, capture the screenshot and attach it to the run. Treat screenshot logging as standard evidence collection, not an optional flourish. - Use `bbscope_find` at the start of an engagement to check if a target is covered by any bug bounty program and retrieve scope boundaries. Use `bbscope_program` to get full in-scope/out-of-scope details for a specific program. Use `bbscope_targets` to enumerate targets by type (wildcards, domains, URLs, IPs, CIDRs) for reconnaissance. Use `bbscope_updates` to find freshly added targets that may be under-tested. 
diff --git a/capabilities/web-security/capability.yaml b/capabilities/web-security/capability.yaml index d63c216..9861186 100644 --- a/capabilities/web-security/capability.yaml +++ b/capabilities/web-security/capability.yaml @@ -1,13 +1,14 @@ schema: 1 name: web-security -version: "1.1.0" +version: "1.1.1" description: > Web application penetration testing with 60+ attack technique playbooks covering request smuggling, cache poisoning, SSRF, SSTI, DOM vulnerabilities, authentication bypasses, parser differentials, AEM/Sling exploitation, and client-side attacks. Includes HTTP client tooling, Caido proxy integration via MCP, credential management, DNS - rebinding, phone verification, and vulnerability verification. + rebinding, AWS exploitation with Pacu, phone verification, and + vulnerability verification. mcp: servers: @@ -106,6 +107,8 @@ checks: command: test -f /opt/burp/burpsuite.jar - name: waymore command: command -v waymore + - name: pacu + command: command -v pacu - name: jxscout command: command -v jxscout-pro-v2 @@ -126,3 +129,5 @@ keywords: - adobe-experience-manager - sling - dispatcher-bypass + - aws-security + - cloud-security diff --git a/capabilities/web-security/docker/Dockerfile.runtime b/capabilities/web-security/docker/Dockerfile.runtime index d7ad340..0e1f998 100644 --- a/capabilities/web-security/docker/Dockerfile.runtime +++ b/capabilities/web-security/docker/Dockerfile.runtime @@ -21,6 +21,7 @@ # - agent-browser (headless Chromium for DOM interaction) # - kiterunner (API-aware content discovery) # - surf (SSRF target identification) +# - pacu (AWS exploitation framework) # # Tools NOT included (require external instances reachable by network): # - Caido — set CAIDO_URL to a running instance 
@@ -113,7 +114,8 @@ ENV CHROME_PATH="/usr/bin/chromium" RUN pip install --no-cache-dir \ "fastmcp>=2.0" \ "httpx>=0.28" \ - "caido-sdk-client" + "caido-sdk-client" \ + "pacu" # ── Clean up Go build cache ───────────────────────────────────────── RUN go clean -cache -modcache diff --git a/capabilities/web-security/scripts/install_tools.sh b/capabilities/web-security/scripts/install_tools.sh index a8f6502..6a81355 100755 --- a/capabilities/web-security/scripts/install_tools.sh +++ b/capabilities/web-security/scripts/install_tools.sh @@ -107,6 +107,9 @@ agent-browser install || true # -- waymore (Wayback Machine recon) ----------------------------------------- pip install --break-system-packages waymore +# -- Pacu (AWS exploitation framework) ---------------------------------------- +pip install --break-system-packages pacu + # -- Clean up Go build cache ----------------------------------------------- go clean -cache -modcache 2>/dev/null || true diff --git a/capabilities/web-security/skills/pacu-aws-exploitation/SKILL.md b/capabilities/web-security/skills/pacu-aws-exploitation/SKILL.md new file mode 100644 index 0000000..5d70512 --- /dev/null +++ b/capabilities/web-security/skills/pacu-aws-exploitation/SKILL.md 
@@ -0,0 +1,75 @@ +--- +name: pacu-aws-exploitation +description: AWS exploitation and post-compromise validation with Pacu. Use when an authorized web test yields AWS credentials, cloud metadata access, SSRF-to-AWS impact, exposed AWS keys, or an explicit request to assess an AWS account with Pacu. +allowed-tools: bash +--- + +# Pacu -- AWS Exploitation Framework + +Pacu is an AWS exploitation framework for authorized cloud security testing. Use it only when the engagement scope explicitly includes the AWS account or when a confirmed web vulnerability produces AWS credentials or metadata access that must be validated for impact. + +## When to Use + +- SSRF confirms access to AWS metadata and yields temporary credentials. +- Source, logs, CI output, client bundles, or config files expose AWS access keys. +- A target owner provides AWS credentials for an authorized cloud assessment. +- You need to prove concrete AWS impact after a web finding, such as IAM privilege escalation paths, Lambda exposure, S3 access, or current principal identity. + +## When Not to Use + +- The target scope excludes cloud infrastructure or AWS account testing. +- You only have a public AWS account ID, ARN, bucket name, or hostname without authorization or credentials. +- You can prove the web vulnerability impact without touching AWS APIs. + +## Setup + +Pacu is installed as the `pacu` CLI. It stores sessions locally. Use a descriptive session name tied to the engagement or finding ID. + +```bash +pacu --help +pacu --session target-ssrf-l003 --pacu-help +``` + +If you have temporary credentials, set them inside Pacu with `set_keys`, including the session token. Do not print secrets in the transcript; use existing credential storage or environment variables where possible. 
+ +## Core Commands + +| Command | Purpose | +|---------|---------| +| `pacu --list-modules` | List modules without requiring a session | +| `pacu --session --whoami` | Identify the active AWS principal | +| `pacu --session --module-name --module-info` | Inspect module behavior before running it | +| `pacu --session --module-name --exec` | Execute a module | +| `pacu --session --data all` | Review locally collected data | + +## Safe Workflow + +1. Confirm scope before making AWS API calls. +2. Identify the principal first with `--whoami`. +3. Inspect module docs with `--module-info` before execution. +4. Prefer read-only enumeration modules before exploit or mutation modules. +5. Record the exact module, region set, and output that proves impact. + +## Patterns + +```bash +# List modules. +pacu --list-modules + +# Identify the active principal for a named session. +pacu --session target-ssrf-l003 --whoami + +# Inspect a module before running it. +pacu --session target-ssrf-l003 \ + --module-name iam__enum_permissions \ + --module-info + +# Run a scoped module after confirming it is appropriate. +pacu --session target-ssrf-l003 \ + --module-name iam__enum_permissions \ + --exec +``` + +## Evidence Standard + +For a web-security report, Pacu output is supporting evidence for the original web finding. Tie the AWS result back to the web primitive: which request exposed credentials, which Pacu principal was authenticated, and which AWS permission or data access proves impact.
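Review bot: In agents/web-security.md, the new `pacu` bullet only orders the work ("start with identity/read-only enumeration before any mutating module") and never states what must hold before a mutating module is allowed to run. As written, the agent can move from enumeration to a state-changing module in a client AWS account on its own judgment. Suggest making the gate explicit in this bullet, for example that any module that writes to the account runs only after the user confirms it for that specific module, and that the default is to stop at read-only evidence.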
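Review bot: In capability.yaml, `version` goes from "1.1.0" to "1.1.1", a patch-level bump, while the same change adds a new tool check (`command -v pacu`), a new skill and two keywords. If this file follows semantic versioning, a new capability is a minor bump (1.2.0); if it does not, say so in the commit message so that consumers pinning on the patch level know that 1.1.1 changes the tool surface and the description.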
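Review bot: In docker/Dockerfile.runtime and scripts/install_tools.sh, `"pacu"` is installed with no version constraint, next to `"fastmcp>=2.0"` and `"httpx>=0.28"` in the same `pip install` and, in the script, into the system interpreter via `--break-system-packages`. An unpinned exploitation framework in a runtime image means two builds of the same commit can ship different Pacu code, and its dependency set is resolved together with the MCP server's own packages. Suggest pinning an exact version in both places (kept identical) and installing Pacu into its own virtual environment or via an isolated installer so that a resolver conflict cannot change the versions of `fastmcp` or `httpx` that the capability itself runs on.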
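Review bot: In skills/pacu-aws-exploitation/SKILL.md, the Core Commands table rows read `pacu --session --whoami`, `pacu --session --module-name --module-info` and `pacu --session --data all`, with no value after `--session` or `--module-name`. If the source used angle-bracket placeholders they are being swallowed as HTML, and an agent copying the row literally will pass `--whoami` as the session name. Suggest placeholders that survive rendering (for example `SESSION` and `MODULE` in capitals) or reusing `target-ssrf-l003` as in the Patterns block. Two smaller gaps in the same file: Setup says to set keys with `set_keys` and "Do not print secrets in the transcript" but shows no command path that achieves this with the only allowed tool, `bash`; and Safe Workflow step 5 asks to record the "region set" while nothing in Core Commands or Patterns shows how the session's regions are restricted before `--exec`.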