diff --git a/capabilities/web-security/agents/web-security.md b/capabilities/web-security/agents/web-security.md index 0065228..484cc5e 100644 --- a/capabilities/web-security/agents/web-security.md +++ b/capabilities/web-security/agents/web-security.md @@ -86,6 +86,7 @@ Use tools proactively when they reduce uncertainty or verify a finding. Match th - Use `get_callback_url` and `check_callbacks` for out-of-band testing (blind SSRF, blind XSS, DNS exfiltration). - Use `list_free_phone_numbers` and `read_phone_inbox` when signup or MFA flows require SMS verification, unless prompted by the user. Free public numbers first — fall back to `request_private_number`/`poll_private_number` (paid API, needs key via `store_credential`) only when the target blocks public numbers. - Use `generate_rebinding_hostname` and `list_rebinding_presets` for DNS rebinding SSRF bypass when IP filters validate resolved addresses before fetching. +- Use IP rotation (`flareprox_*` tools or the local `fireprox` CLI at `~/git/fireprox/fire.py`) only when `IPROTATE_ENABLED` is set and the target is rate-limiting, IP-banning, or WAF-blocking normal requests. Load the `ip-rotation` skill for backend selection and lifecycle. Always clean up fireprox proxies to avoid AWS charges. - Use the local `pacu` CLI when an authorized test yields AWS credentials, cloud metadata access, or another AWS-impact lead that needs validation. Load the `pacu-aws-exploitation` skill first, confirm AWS scope, and start with identity/read-only enumeration before any mutating module. - Use `log_image_output`, `log_audio_output`, and `log_video_output` when another tool has already written useful PoC media to disk and you need it attached to the current Dreadnode run as typed output. Use `log_file_artifact` when you want the raw file uploaded as an artifact instead of rendered media. - When a finding is browser-visible or a screenshot materially improves reproducibility, capture the screenshot and attach it to the run. Treat screenshot logging as standard evidence collection, not an optional flourish. diff --git a/capabilities/web-security/capability.yaml b/capabilities/web-security/capability.yaml index ebaebe9..2ecec99 100644 --- a/capabilities/web-security/capability.yaml +++ b/capabilities/web-security/capability.yaml @@ -1,14 +1,15 @@ schema: 1 name: web-security -version: "1.1.2" +version: "1.1.3" description: > Web application penetration testing with 60+ attack technique playbooks covering request smuggling, cache poisoning, SSRF, SSTI, DOM vulnerabilities, authentication bypasses, parser differentials, AEM/Sling exploitation, and client-side attacks. Includes HTTP client tooling, Caido proxy integration via MCP, credential management, DNS - rebinding, AWS exploitation with Pacu, phone verification, and - vulnerability verification. + rebinding, AWS exploitation with Pacu, phone verification, + vulnerability verification, and IP rotation helpers (Flareprox, + fireprox) for bypassing rate limits and IP bans. mcp: servers: @@ -109,6 +110,8 @@ checks: command: command -v waymore - name: pacu command: command -v pacu + - name: fireprox + command: 'test -f "$HOME/git/fireprox/fire.py"' - name: jxscout command: command -v jxscout-pro-v2 @@ -131,3 +134,6 @@ keywords: - dispatcher-bypass - aws-security - cloud-security + - ip-rotation + - waf-bypass + - rate-limit-bypass diff --git a/capabilities/web-security/docker/Dockerfile.runtime b/capabilities/web-security/docker/Dockerfile.runtime index 0e1f998..a5b1f63 100644 --- a/capabilities/web-security/docker/Dockerfile.runtime +++ b/capabilities/web-security/docker/Dockerfile.runtime @@ -117,6 +117,11 @@ RUN pip install --no-cache-dir \ "caido-sdk-client" \ "pacu" +# ── fireprox (AWS API Gateway IP rotation) ────────────────────────── +# Installed to a predictable path; requires AWS credentials at runtime. +RUN git clone --depth 1 https://github.com/ustayready/fireprox /root/git/fireprox \ + && pip install --no-cache-dir -r /root/git/fireprox/requirements.txt + # ── Clean up Go build cache ───────────────────────────────────────── RUN go clean -cache -modcache diff --git a/capabilities/web-security/scripts/install_tools.sh b/capabilities/web-security/scripts/install_tools.sh index 6a81355..8ade306 100755 --- a/capabilities/web-security/scripts/install_tools.sh +++ b/capabilities/web-security/scripts/install_tools.sh @@ -110,6 +110,15 @@ pip install --break-system-packages waymore # -- Pacu (AWS exploitation framework) ---------------------------------------- pip install --break-system-packages pacu +# -- fireprox (AWS API Gateway IP rotation) --------------------------------- +# Requires AWS credentials at runtime. Cloned to a predictable path so the +# ip-rotation skill can reference it directly. +FIREPROX_DIR="$HOME/git/fireprox" +if [ ! -d "$FIREPROX_DIR" ]; then + git clone --depth 1 https://github.com/ustayready/fireprox "$FIREPROX_DIR" +fi +pip install --break-system-packages -r "$FIREPROX_DIR/requirements.txt" + # -- Clean up Go build cache ----------------------------------------------- go clean -cache -modcache 2>/dev/null || true diff --git a/capabilities/web-security/skills/ip-rotation/SKILL.md b/capabilities/web-security/skills/ip-rotation/SKILL.md new file mode 100644 index 0000000..9a7e729 --- /dev/null +++ b/capabilities/web-security/skills/ip-rotation/SKILL.md @@ -0,0 +1,120 @@ +--- +name: ip-rotation +description: Use IP rotation proxies (flareprox and fireprox) to bypass rate limiting, IP bans, and geo-blocking during web security testing. Use only when IPROTATE_ENABLED is set and the target is blocking normal requests. Triggers on "rate limited", "IP banned", "blocked by WAF", "429", "403", "geo-blocked", "rotate IP", "IP rotation", "flareprox", "fireprox". +--- + +# IP Rotation + +**Activation gate:** Only use this skill when the environment variable `IPROTATE_ENABLED` is set (any value). If unset, do not suggest, reference, or offer IP rotation. Do not ask the user to enable it. + +The web-security runtime provides two IP rotation backends: + +- **flareprox** — self-contained Cloudflare Workers proxy (built-in tool, no external install) +- **fireprox** — AWS API Gateway proxy (installed at `~/git/fireprox/fire.py`) + +## When to Use + +Use IP rotation when normal testing hits anti-automation defenses: + +- **Rate limiting:** repeated `429 Too Many Requests` +- **IP ban:** sudden `403 Forbidden` or connection drops after sustained testing +- **WAF block:** Cloudflare/Akamai/Imperva challenges on automated requests +- **Geo-blocking:** target restricts access to specific regions +- **High-volume fuzzing:** content discovery that needs IP diversity + +Do NOT use for: + +- Routine requests that succeed normally +- CORS-sensitive tests (proxies may modify response headers) +- Tests that require exact source-IP attribution + +## Backend Selection + +| Backend | Use When | Cost | Target Binding | Notes | +|---|---|---|---|---| +| **flareprox** | Unauthenticated recon, fuzzing, scraping, multi-target | Free (100K/day) | Dynamic per request | Built-in `flareprox_*` tools | +| **fireprox** | Authenticated testing, session/cookie-based exploits | ~$3.50/1M req | Static: one proxy per target URL | Use `~/git/fireprox/fire.py` CLI | + +**Decision:** +- Need cookies/sessions preserved? Use fireprox. +- Need dynamic multi-target rotation? Use flareprox. +- Unsure? Start with flareprox. + +## flareprox (Cloudflare Workers) + +Built into the capability. No external install required. + +Prerequisites: `CF_API_TOKEN` and `CF_ACCOUNT_ID`. + +Lifecycle: + +```bash +flareprox_status +flareprox_create --count 3 +flareprox_request --url https://target.com/api/endpoint --method GET +flareprox_cleanup +``` + +See the tool descriptions for full argument lists. + +## fireprox (AWS API Gateway) + +Installed in the runtime at `~/git/fireprox/fire.py`. Requires AWS credentials at runtime. + +### Prerequisites + +Set one of: +- `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY` +- Or mount `~/.aws/credentials` in the runtime + +### CLI Reference + +Tool path: `python3 ~/git/fireprox/fire.py` + +```bash +python3 ~/git/fireprox/fire.py --command create --url https://target.com --region us-east-1 +python3 ~/git/fireprox/fire.py --command list +python3 ~/git/fireprox/fire.py --command delete --api_id +``` + +### Lifecycle + +```bash +# 1. Create a proxy for a specific target +python3 ~/git/fireprox/fire.py --command create --url https://target.com --region us-east-1 + +# 2. Note the proxy URL from the output, then use it +PROXY="https://.execute-api.us-east-1.amazonaws.com/fireprox/" +curl -x http://localhost:8080 -k "${PROXY}api/endpoint" + +# 3. Clean up when done to avoid AWS charges +python3 ~/git/fireprox/fire.py --command delete --api_id +``` + +`fireprox` creates one API Gateway per target URL. The proxy URL prefix is static for that target; AWS rotates the egress IP automatically. + +## Important Constraints + +- **Always clean up fireprox proxies** after sessions to avoid AWS charges. +- **Do not use for CORS tests** — proxies may add response headers. +- **Cloud IPs are fingerprintable** — sophisticated bot detection may still block known AWS/Cloudflare IP ranges. +- **fireprox = one proxy per target URL** — create a new proxy for each target. +- **flareprox state persists** at `~/.flareprox/workers.json`. + +## Integration with Caido/Burp + +If Caido or Burp is available, chain traffic through them for evidence capture: + +``` +your client → Caido/Burp → flareprox/fireprox → target +``` + +For fireprox: + +```bash +curl -x http://localhost:8080 -k \ + -H "Cookie: session=abc123" \ + "https://.execute-api..amazonaws.com/fireprox/api/endpoint" +``` + +For flareprox, use `flareprox_request` or set `X-Target-URL` when using a worker URL manually.