feat: add Pacu to web-security capability

capabilities/web-security/agents/web-security.md

@@ -86,6 +86,7 @@ Use tools proactively when they reduce uncertainty or verify a finding. Match th
 - Use `get_callback_url` and `check_callbacks` for out-of-band testing (blind SSRF, blind XSS, DNS exfiltration).
 - Use `list_free_phone_numbers` and `read_phone_inbox` when signup or MFA flows require SMS verification, unless prompted by the user. Free public numbers first — fall back to `request_private_number`/`poll_private_number` (paid API, needs key via `store_credential`) only when the target blocks public numbers.
 - Use `generate_rebinding_hostname` and `list_rebinding_presets` for DNS rebinding SSRF bypass when IP filters validate resolved addresses before fetching.
+- Use the local `pacu` CLI when an authorized test yields AWS credentials, cloud metadata access, or another AWS-impact lead that needs validation. Load the `pacu-aws-exploitation` skill first, confirm AWS scope, and start with identity/read-only enumeration before any mutating module.
 - Use `log_image_output`, `log_audio_output`, and `log_video_output` when another tool has already written useful PoC media to disk and you need it attached to the current Dreadnode run as typed output. Use `log_file_artifact` when you want the raw file uploaded as an artifact instead of rendered media.
 - When a finding is browser-visible or a screenshot materially improves reproducibility, capture the screenshot and attach it to the run. Treat screenshot logging as standard evidence collection, not an optional flourish.
 - Use `bbscope_find` at the start of an engagement to check if a target is covered by any bug bounty program and retrieve scope boundaries. Use `bbscope_program` to get full in-scope/out-of-scope details for a specific program. Use `bbscope_targets` to enumerate targets by type (wildcards, domains, URLs, IPs, CIDRs) for reconnaissance. Use `bbscope_updates` to find freshly added targets that may be under-tested.

capabilities/web-security/capability.yaml

@@ -1,13 +1,14 @@
 schema: 1
 name: web-security
-version: "1.1.0"
+version: "1.1.1"
 description: >
   Web application penetration testing with 60+ attack technique playbooks
   covering request smuggling, cache poisoning, SSRF, SSTI, DOM
   vulnerabilities, authentication bypasses, parser differentials,
   AEM/Sling exploitation, and client-side attacks. Includes HTTP client
   tooling, Caido proxy integration via MCP, credential management, DNS
-  rebinding, phone verification, and vulnerability verification.
+  rebinding, AWS exploitation with Pacu, phone verification, and
+  vulnerability verification.
 
 mcp:
   servers:
@@ -106,6 +107,8 @@ checks:
     command: test -f /opt/burp/burpsuite.jar
   - name: waymore
     command: command -v waymore
+  - name: pacu
+    command: command -v pacu
   - name: jxscout
     command: command -v jxscout-pro-v2
 
@@ -126,3 +129,5 @@ keywords:
   - adobe-experience-manager
   - sling
   - dispatcher-bypass
+  - aws-security
+  - cloud-security

capabilities/web-security/docker/Dockerfile.runtime

@@ -21,6 +21,7 @@
 #   - agent-browser       (headless Chromium for DOM interaction)
 #   - kiterunner          (API-aware content discovery)
 #   - surf                (SSRF target identification)
+#   - pacu                (AWS exploitation framework)
 #
 # Tools NOT included (require external instances reachable by network):
 #   - Caido   — set CAIDO_URL to a running instance
@@ -113,7 +114,8 @@ ENV CHROME_PATH="/usr/bin/chromium"
 RUN pip install --no-cache-dir \
         "fastmcp>=2.0" \
         "httpx>=0.28" \
-        "caido-sdk-client"
+        "caido-sdk-client" \
+        "pacu"
 
 # ── Clean up Go build cache ─────────────────────────────────────────
 RUN go clean -cache -modcache

capabilities/web-security/scripts/install_tools.sh

@@ -107,6 +107,9 @@ agent-browser install || true
 # -- waymore (Wayback Machine recon) -----------------------------------------
 pip install --break-system-packages waymore
 
+# -- Pacu (AWS exploitation framework) ----------------------------------------
+pip install --break-system-packages pacu
+
 # -- Clean up Go build cache -----------------------------------------------
 go clean -cache -modcache 2>/dev/null || true
 

capabilities/web-security/skills/pacu-aws-exploitation/SKILL.md

@@ -0,0 +1,75 @@
+---
+name: pacu-aws-exploitation
+description: AWS exploitation and post-compromise validation with Pacu. Use when an authorized web test yields AWS credentials, cloud metadata access, SSRF-to-AWS impact, exposed AWS keys, or an explicit request to assess an AWS account with Pacu.
+allowed-tools: bash
+---
+
+# Pacu -- AWS Exploitation Framework
+
+Pacu is an AWS exploitation framework for authorized cloud security testing. Use it only when the engagement scope explicitly includes the AWS account or when a confirmed web vulnerability produces AWS credentials or metadata access that must be validated for impact.
+
+## When to Use
+
+- SSRF confirms access to AWS metadata and yields temporary credentials.
+- Source, logs, CI output, client bundles, or config files expose AWS access keys.
+- A target owner provides AWS credentials for an authorized cloud assessment.
+- You need to prove concrete AWS impact after a web finding, such as IAM privilege escalation paths, Lambda exposure, S3 access, or current principal identity.
+
+## When Not to Use
+
+- The target scope excludes cloud infrastructure or AWS account testing.
+- You only have a public AWS account ID, ARN, bucket name, or hostname without authorization or credentials.
+- You can prove the web vulnerability impact without touching AWS APIs.
+
+## Setup
+
+Pacu is installed as the `pacu` CLI. It stores sessions locally. Use a descriptive session name tied to the engagement or finding ID.
+
+```bash
+pacu --help
+pacu --session target-ssrf-l003 --pacu-help
+```
+
+If you have temporary credentials, set them inside Pacu with `set_keys`, including the session token. Do not print secrets in the transcript; use existing credential storage or environment variables where possible.
+
+## Core Commands
+
+| Command | Purpose |
+|---------|---------|
+| `pacu --list-modules` | List modules without requiring a session |
+| `pacu --session <name> --whoami` | Identify the active AWS principal |
+| `pacu --session <name> --module-name <module> --module-info` | Inspect module behavior before running it |
+| `pacu --session <name> --module-name <module> --exec` | Execute a module |
+| `pacu --session <name> --data all` | Review locally collected data |
+
+## Safe Workflow
+
+1. Confirm scope before making AWS API calls.
+2. Identify the principal first with `--whoami`.
+3. Inspect module docs with `--module-info` before execution.
+4. Prefer read-only enumeration modules before exploit or mutation modules.
+5. Record the exact module, region set, and output that proves impact.
+
+## Patterns
+
+```bash
+# List modules.
+pacu --list-modules
+
+# Identify the active principal for a named session.
+pacu --session target-ssrf-l003 --whoami
+
+# Inspect a module before running it.
+pacu --session target-ssrf-l003 \
+  --module-name iam__enum_permissions \
+  --module-info
+
+# Run a scoped module after confirming it is appropriate.
+pacu --session target-ssrf-l003 \
+  --module-name iam__enum_permissions \
+  --exec
+```
+
+## Evidence Standard
+
+For a web-security report, Pacu output is supporting evidence for the original web finding. Tie the AWS result back to the web primitive: which request exposed credentials, which Pacu principal was authenticated, and which AWS permission or data access proves impact.