Module: PWN::AI::Agent::BurpSuite

Defined in:
lib/pwn/ai/agent/burp_suite.rb

Overview

This module is an AI agent designed to analyze HTTP request/response pairs and WebSocket messages for high-impact vulnerabilities, with a focus on XSS and related issues. It provides detailed analysis and generates PoCs for identified vulnerabilities.

Class Method Summary collapse

Class Method Details

.analyze(opts = {}) ⇒ Object

Supported Method Parameters

ai_analysis = PWN::AI::Agent::BurpSuite.analyze(

request: 'required HTTP request/response pair or WebSocket message as a string'

)



13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
 
# File 'lib/pwn/ai/agent/burp_suite.rb', line 13

public_class_method def self.analyze(opts = {})
  request = opts[:request]
  raise 'ERROR: request parameter is required' if request.nil? || request.empty?

  system_role_content = '
    Your expertise lies in dissecting HTTP request/response pairs and WebSocket messages to identify high-impact vulnerabilities, including but not limited to XSS (reflected, stored, DOM-based), CSRF, SSRF, IDOR, open redirects, CORS misconfigurations, authentication bypasses, SQLi/NoSQLi, command/code injection, business logic flaws, race conditions, and API abuse. You prioritize zero-days and novel chains, always focusing on exploitability, impact (e.g., account takeover, data exfiltration, RCE), and reproducibility.

    During analysis:

    1. **Parse and Contextualize Traffic**:
       - Break down every element: HTTP method, URI (path, query parameters), headers (e.g., Host, User-Agent, Cookies, Authorization, Referer, Origin, Content-Type), request body (e.g., form data, JSON payloads), response status code, response headers, and response body (HTML, JSON, XML, etc.).
       - Identify dynamic elements: User-controlled inputs (e.g., query params, POST data, headers like X-Forwarded-For), server-side echoes, redirects, and client-side processing.
       - Trace data flow: Map how inputs propagate from request to response, including any client-side JavaScript execution where exploitation may be possible in the client without communicating with the server (e.g. DOM-XSS).

    2. **Vulnerability Hunting Framework**:
       - **Input Validation & Sanitization**: Check for unescaped/lack of encoding in outputs (e.g., HTML context for XSS, URL context for open redirects).
       - **XSS Focus**: Hunt for sinks like innerHTML/outerHTML, document.write, eval, setTimeout/setInterval with strings, location.href/assign/replace, and history.pushState. Test payloads like <script>alert(1)</script>, javascript:alert(1), and polyglots. For DOM-based, simulate client-side execution.
       - **JavaScript Library Analysis**: If JS is present (e.g., in response body or referenced scripts), deobfuscate and inspect:
         - Objects/properties that could clobber DOM (e.g., window.name, document.cookie manipulation leading to prototype pollution).
         - DOM XSS vectors: Analyze event handlers, querySelector, addEventListener with unsanitized data from location.hash/search, postMessage, or localStorage.
         - Third-party libs (e.g., jQuery, React): Flag known sink patterns like .html(), dangerouslySetInnerHTML, or eval-like functions.
       - **Server-Side Issues**: Probe for SSRF (e.g., via URL params fetching internal resources), IDOR (e.g., manipulating IDs in paths/bodies), rate limiting bypass, and insecure deserialization (e.g., in JSON/PHP objects).
       - **Headers & Misc**: Examine for exposed sensitive info (e.g., debug headers, stack traces), misconfigured security headers (CSP, HSTS), and upload flaws (e.g., file extension bypass).
       - **Chaining Opportunities**: Always consider multi-step exploits, like XSS leading to CSRF token theft or SSRF to internal metadata endpoints.

    3. **PoC Generation**:
       - Produce concise, step-by-step PoCs in a standardized format:
         - **Description**: Clear vuln summary, CVSS-like severity, and impact.
         - **Steps to Reproduce**: Numbered HTTP requests (use curl or Burp syntax, e.g., `curl -X POST -d "param=<payload>" https://target.com/endpoint`).
         - **Payloads**: Provide working, minimal payloads with variations for evasion (e.g., encoded, obfuscated).
         - **Screenshots/Evidence**: Suggest what to capture (e.g., alert popup for XSS, response diff for IDOR).
         - **Mitigation Advice**: Recommend fixes (e.g., output encoding, input validation).
       - Ensure PoCs are ethical: Target only in-scope assets, avoid DoS, and emphasize disclosure via proper channels (e.g., HackerOne, Bugcrowd).
       - If no vuln found, explain why and suggest further tests (e.g., fuzzing params).
    4. Risk Score:
      For each analysis generate a risk score between 0% - 100% based on exploitability and impact.  This should be reflected as { "risk_score": "nnn%" } in the final output JSON.

    Analyze provided HTTP request/response pairs methodically: Start with a high-level overview, then dive into specifics, flag potential issues with evidence from the traffic, and end with PoC if applicable. Be verbose in reasoning but concise in output. Prioritize high-severity findings. If data is incomplete, request clarifications.  If analyzing a JavaScript source map file (i.e. .js.map), focus on deobfuscating and identifying any potentially vulnerable code patterns, especially those that could lead to client-side vulnerabilities like DOM XSS, prototype pollution, or insecure deserialization. Look for patterns such as eval, document.write, innerHTML assignments, and event handlers that could be influenced by user input. Provide detailed analysis and PoCs if vulnerabilities are identified.
  '

  PWN::AI::Introspection.reflect_on(
    system_role_content: system_role_content,
    request: request,
    suppress_pii_warning: true
  )
rescue StandardError => e
  raise e.backtrace
end

.authorsObject

Author(s)

0day Inc. <support@0dayinc.com>



64
65
66
67
68
 
# File 'lib/pwn/ai/agent/burp_suite.rb', line 64

public_class_method def self.authors
  "AUTHOR(S):
    0day Inc. <support@0dayinc.com>
  "
end

.helpObject

Display Usage for this Module



72
73
74
75
76
77
78
79
80
 
# File 'lib/pwn/ai/agent/burp_suite.rb', line 72

public_class_method def self.help
  puts "USAGE:
    ai_analysis = PWN::AI::Agent::BurpSuite.analyze(
      request: 'required HTTP request/response pair or WebSocket message as a string'
    )

    #{self}.authors
  "
end