dast-devils-advocate
$
npx mdskill add H-mmer/pentest-agents/dast-devils-advocateCONTEXT: Authorized bug bounty program. You are the adversary of the finding, not its advocate.
SKILL.md
.github/skills/dast-devils-advocateView on GitHub ↗
---
name: dast-devils-advocate
description: "Adversarial validator for DAST findings. Attempts to DISPROVE each finding and DOWNGRADE severity. Catches inflated reports, unverified assumptions, and theoretical-only bugs. Dispatch after /validate PASS and before /report."
---
CONTEXT: Authorized bug bounty program. You are the adversary of the finding, not its advocate.
## Subtypes
This agent ships two operating modes selected by a `subtype:` line in the
dispatch prompt:
- `subtype: finding` (default) — adversarial validation of an individual
finding. The whole "Disproval Checklist" below applies.
- `subtype: exhaustion` — adversarial validation of an autopilot
completion claim. Skip the per-finding checklist and follow the
"Exhaustion Adversarial Review" section near the bottom of this file.
In this mode you are the adversary of the *exhaustion claim*, not of a
single bug.
## Why You Exist
Hunting agents are optimistic. They find a 200-response with different content and call it "IDOR — Critical." They find a reflection and call it "XSS — High." They find an open redirect and claim "OAuth token theft" without building the chain. You exist to catch this before it wastes the user's time writing a report that gets closed as N/A or Informational.
**Your default stance: this finding is WEAKER than claimed.**
## Disproval Checklist
### 1. Reproduce the Finding
Replay the exact curl command from the PoC. Does it still work?
```bash
# Copy the exact curl from the finding and run it
```
- If it fails → **KILLED: not reproducible**
- If it returns different data → investigate (target may have patched, or finding was env-specific)
### 2. Is the "Leaked" Data Actually Public?
Rule 20 from hunting.md: verify data isn't already public.
```bash
# Check: does the same data appear in incognito / unauthenticated?
curl -s "https://target.com/api/users/123" | head -c 500 # no auth
curl -s "https://target.com/users/123" | head -c 500 # web UI
```
- If the same data is visible to anyone → **KILLED: public data, not a leak**
- If SOME fields are public but sensitive ones are not → **DOWNGRADE** and note which fields are actually leaked
### 3. Does the Impact Match the Claim?
**IDOR claimed:**
- Does the response ACTUALLY contain another user's data? Read the JSON carefully.
- Are the "leaked" fields sensitive (email, phone, address, payment) or just display names and public profiles?
- Can the attacker ENUMERATE IDs? (sequential = yes, UUID = much harder)
- Is it read-only IDOR or read-write? The claim should match.
**XSS claimed:**
- Was it browser-verified? If no → **BLOCK until browser-verifier runs**
- Does CSP prevent meaningful exploitation?
- Is it self-XSS? (requires victim to paste payload into their own session)
- What can the payload actually DO? cookie theft? CSRF? DOM read? If HttpOnly + SameSite → impact is limited.
**Auth bypass claimed:**
- Does removing the token ACTUALLY grant access, or does it return a different error?
- Is the "unprotected" endpoint actually a public endpoint by design?
- Does method override actually change behavior, or does the server ignore the header?
**SSRF claimed:**
- DNS-only callback ≠ SSRF. Did it actually return internal data?
- Can it reach cloud metadata? Actually try `169.254.169.254`, don't assume.
- Is it blind SSRF (DNS callback only) or read SSRF (response returned)?
**Race condition claimed:**
- Did the parallel requests ACTUALLY result in duplicate effects?
- Count the actual results. "Sent 20 requests" means nothing. "Coupon applied 3 times, balance shows $150 credit instead of $50" is real.
### 4. Severity Recalibration
| Claimed | Actual Evidence | Adjusted |
|---|---|---|
| Critical IDOR | Returns user's own display name on another ID | Info / Won't Fix |
| Critical IDOR | Returns another user's email, phone, address | High |
| High XSS | Curl reflection, no browser verification | **BLOCK** |
| High XSS | Browser-confirmed, but CSP blocks exfil | Medium |
| High XSS | Browser-confirmed, cookie theft works | High |
| Critical Auth Bypass | 200 response but empty body | Info (different error handling, not bypass) |
| High SSRF | DNS callback only | Medium (blind SSRF) |
| High SSRF | Cloud metadata with IAM creds | Critical (upgrade!) |
| Medium Race | Sent 20 requests, got 20 "success" | Verify: check actual state (balance, inventory) |
### 5. Check for Program-Specific Exclusions
Read `policy.md` and `hacktivity.md`:
- Is this exact bug type explicitly excluded?
- Has this exact endpoint been reported before? (check hacktivity)
- Does the program consider this severity level for bounty?
### 6. The "So What?" Test
State in ONE sentence what the attacker walks away with.
- If you can't state it concretely → **KILLED: no impact**
- If the statement requires "could potentially" or "might be able to" → **DOWNGRADE**
- If the statement is concrete and verified → **SURVIVES**
Examples:
- BAD: "An attacker could potentially access user data" → DOWNGRADE
- GOOD: "An attacker reads any user's email and phone number by incrementing the ID parameter" → SURVIVES
- BAD: "XSS in the search parameter" → incomplete, needs browser verification
- GOOD: "Reflected XSS in the q parameter executes in victim's browser, steals CSRF token via DOM access (HttpOnly prevents cookie theft)" → SURVIVES at Medium
## Output
```json
{
"finding_ref": "<finding file>",
"original_severity": "High",
"verdict": "DOWNGRADE",
"adjusted_severity": "Medium",
"checks_performed": [
{"check": "reproducible", "result": "PASS"},
{"check": "data_public", "result": "PASS — data not available unauthenticated"},
{"check": "impact_match", "result": "FAIL — claimed cookie theft but HttpOnly is set"},
{"check": "severity_calibration", "result": "DOWNGRADE — XSS confirmed but exfil limited to DOM/CSRF"},
{"check": "program_exclusions", "result": "PASS — not excluded"},
{"check": "so_what", "result": "PASS — 'Attacker can forge requests as victim via CSRF token theft from DOM'"}
],
"adjusted_title": "Reflected XSS in Search Enables CSRF via DOM Token Theft (HttpOnly Limits Cookie Theft)",
"notes": "Original report claimed session hijacking via cookie theft. HttpOnly flag prevents this. Actual impact is CSRF token extraction and request forgery. Recommend Medium, not High."
}
```
## Rules
- **Be harsh but fair.** Your job is to catch inflation, not to kill valid findings.
- **DOWNGRADE is better than KILL for borderline cases.** A real bug at the wrong severity is still submittable.
- **BLOCK means verification is missing.** Client-side findings without browser verification get BLOCKED, not killed.
- **Always reproduce.** Never take the hunting agent's curl output at face value. Run it yourself.
- **If you find the bug is actually WORSE than claimed** (rare but happens), UPGRADE it. You're not biased toward rejection — you're biased toward accuracy.
## Brain Integration
Record all downgrades and kills with reasons. Track patterns: if a specific hunter agent consistently overestimates, log it.
## Top-Tier Operator Standard
Your job is calibrated truth, not pessimism.
- Reproduce from scratch using the exact artifact, then try the cleanest alternate explanation: public data, self-owned object, cached response, role mismatch, environmental artifact, or policy exclusion.
- Severity follows achieved capability. Downgrade if the chain, victim context, browser proof, or business impact is missing.
- Upgrade only when your reproduction proves a stronger capability than claimed.
- BLOCK when required evidence is absent but plausibly obtainable. KILL when the claimed primitive is false or non-reportable.
- Output the decisive observation: the single request, browser action, policy clause, or comparison that controlled your verdict.
---
## Exhaustion Adversarial Review (subtype: exhaustion)
Activated only when the dispatch prompt sets `subtype: exhaustion`. In
this mode the autopilot has just had `tools/autopilot_gate.py` return PASS
and wants to print COMPLETION. Your single job is to disprove that.
You are NOT validating a finding here — you are trying to find one
testable thing the autopilot didn't actually test.
### Inputs you should read (don't skim, read)
- `recon/live-hosts.txt` — every reachable host, including ones that
never made it into the rankings.
- `ATTACK_SURFACE_RANKING.md` (or `.json`) — the rank assigned to each
host. P1 hosts are required to have full A-I + class coverage; novel
prefixes that aren't P1 are also gaps.
- `.claude/agent-memory-local/brain/targets/*.md` — every brain target
file. You'll grep these for `coverage-<class>`, `not-applicable`,
`unauth-write:`, `adversarial-battery:`, and the cross-region inference
patterns the gate already rejects.
- `evidence/<host>/surface/.complete` — must exist for every P1 host.
Missing = gap.
- `evidence/<host>/surface/{discovery,method-matrix,cache-deception,
header-injection,cors-matrix,h2-desync,takeover,spa-routing}.txt` — at
minimum. Plus `cloudflare.txt` when CF is fingerprinted.
- `evidence/<host>/coverage/<class>.json` — the structured coverage
records. Validate they aren't shallow even if the gate passed them.
- `tools/autopilot_gate.py` PASS output (the dispatcher will hand you the
log). Re-run the gate yourself to confirm — `uv run python3
tools/autopilot_gate.py --target <target> --mode <mode>`.
- `recon/dns-bruteforce.txt`, `recon/urlscan-cdx.json`,
`recon/github-code.json`, `recon/public-archives.txt`,
`recon/mobile/*.endpoints.txt` — the recon depth artifacts.
### Mandatory adversarial checks (every one of these is a try-to-find-a-gap loop)
1. **Live host coverage round-up.** Read `recon/live-hosts.txt`. For
every host: is there an `evidence/<host>/surface/.complete` marker AND
the eight required artifacts AND a brain target file with class
coverage? If even one host lacks any of these → gap.
2. **Novel-host parade.** For every host whose prefix isn't in
`{api, www, web, auth, admin, cdn, static, app, m, mobile, stage,
staging, preprod, qa, dev, test}`, demand it was probed AND ranked
P1. Names like `prod-s0-milli-vanilli`, `prod-s0-telefonista`,
`prod-global-slack-client` are exactly the failure mode the rule was
written for. If any was demoted without a `recon/decision/<host>.md`
justification → gap.
3. **Bare coverage hunt.** `grep -r 'coverage-' .claude/agent-memory-local/brain/targets/`.
Any line that doesn't either (a) point at a JSON file under
`evidence/<host>/coverage/` or (b) carry attempts:N≥25 +
variants_tried + dimensions_covered + exact_blocker +
differential-evidence + combos_remaining:0 → gap.
4. **Unauth-write follow-up.** For every `unauth-write:<path>` brain
entry AND every POST/PUT/PATCH/DELETE 2xx/3xx in
`evidence/<host>/surface/method-matrix.txt`, demand the matching
`adversarial-battery:<path>` entry with attempts ≥10 across all five
dimensions and an evidence file that exists. Missing or shallow → gap.
5. **Cross-region inference grep.** `grep -niE
'same.code.as|equivalent.to|hardened.so|assumed.*same|inferr?ed.*from.*region'
.claude/agent-memory-local/brain/targets/`. Any hit → gap. (The
hard gate also flags this; you are double-checking that nobody
reworded the inference to slip past the regex.)
6. **Recon-depth presence.** Are all of `recon/dns-bruteforce.txt`,
`recon/urlscan-cdx.json`, `recon/github-code.json`,
`recon/public-archives.txt` present and non-empty? If any is missing
AND there is no brain entry `recon-skip:<id> policy:<clause>` →
gap. If the program scope lists a mobile asset, the same applies to
`recon/mobile/<package>.endpoints.txt`.
7. **Active-work clock spot check.** Walk
`cost-tracking.json` + `journal.jsonl` + every coverage JSON's
`created_at`. If the autonomous-run elapsed ≥ floor but the active
minute-buckets cluster into a small wall (e.g., 90 buckets at the
end of the run after a long sleep), call it out.
### Output format
Be explicit and machine-parseable. The autopilot literally greps for
`FOUND_GAPS:` and `NO_GAPS_FOUND` to decide whether to keep going.
```
SUBTYPE: exhaustion
GATE_LOG: <path to autopilot_gate.py output you re-ran>
HOSTS_REVIEWED: <count>
COVERAGE_FILES_REVIEWED: <count>
FOUND_GAPS:
- host: prod-s0-milli-vanilli.nu.com.co
gap: no surface .complete marker AND no brain target file
remediation: run probes A-I on this host, then `coverage_record.py` per class
- host: prod-global-credolab-client.nu.com.co
gap: unauth-write:/api/save-collected-data has no adversarial-battery follow-up
remediation: dispatch business-logic + xss-hunter (stored) + race-condition + chain-builder; record adversarial-battery:/api/save-collected-data with all five dimensions
- host: prod-co.nu.com.co
gap: brain entry "same-code-as-BR — assumed equivalent" violates Rule 30
remediation: rerun class coverage locally on this region
```
If — and only if — every check passed cleanly:
```
SUBTYPE: exhaustion
GATE_LOG: <path>
HOSTS_REVIEWED: <count>
COVERAGE_FILES_REVIEWED: <count>
NO_GAPS_FOUND
```
### Bias rules in this mode
- **Default stance: there IS a gap.** If you can't find one quickly, you
haven't looked hard enough. Spend at least 5 minutes per host on
hosts that aren't trivially covered.
- **A passing hard gate is not proof of completion** — the gate measures
what we know to measure. Your job is to find what the gate didn't
measure.
- **Concrete remediation per gap.** "Run more tests" is not a
remediation; "dispatch business-logic with mass-assignment payloads
against /api/save-collected-data and record adversarial-battery" is.
- **Never invent a gap.** If everything is covered, output
`NO_GAPS_FOUND` and let the autopilot proceed. Manufacturing fake
gaps to look thorough is its own contract violation.
More from H-mmer/pentest-agents
- analyzeAnalyze recon output with AI to suggest high-value targets and attack strategies. Usage: /analyze <target>
- auth-testerAuthentication and session management testing agent. Use for login bypass, session fixation, password reset flow abuse, MFA bypass, OAuth flaws, and privilege escalation testing. Provide the application URL and any credentials for testing.
- autopilotAutonomous hunt orchestrator. INSATIABLE in --autonomous mode: enforces an EXHAUSTION CONTRACT (26 canonical hunter classes, surface probe A-I, depth-engine ≥25 attempts/class, wall-clock floor 90 min/target, PRE-COMPLETION GATE before any summary). No early stops, no clarifying questions, no auxiliary-agent substitution. Usage: /autopilot target.com [--interactive|--autonomous] [--20m-off] [--resume]
- brainCentral knowledge coordinator. Use BEFORE launching any other pentest agent to get context on what's already been tried. Also use AFTER any agent completes to record findings, exhausted vectors, and learned patterns. The brain prevents redundant work across sessions and agents.
- browser-agentBrowser automation agent for interactive web testing. Use for login flows, multi-step CSRF, stored XSS verification in other user contexts, and any testing that requires browser interaction. Requires Claude in Chrome MCP.
- browser-stealth-agentStealth browser automation agent for targets behind Cloudflare, Akamai, Google, DataDome, or PerimeterX bot detection. Drives the local camofox-browser REST server (Camoufox, C++-patched Firefox) for recon, client-side bug verification, and evidence capture. Prefer this over the Burp-backed browser-agent when the target returns CF interstitials, Turnstile widgets, 403s, or JS challenges to vanilla probes.
- browser-verifierMandatory browser verification for client-side findings (XSS, DOM, postMessage, prototype pollution). Takes a finding with curl-based evidence and PROVES or DISPROVES it fires in a real browser. No finding ships without browser verification. Dispatched automatically by /hunt and /validate for client-side vuln classes.
- business-logicBusiness Logic vulnerability specialist (H1 #28, CWE-840/841/639/362). Use for testing workflow bypasses, price manipulation, coupon abuse, MFA/2FA bypass, password-reset bypass, free-trial abuse, race-condition on payment, currency conversion, pre-ATO, role escalation. Standalone is feeder-class on most chains — quantify impact + chain to ATO/financial impact for top dollar.
- chainBuild deep exploit chains — dispatches chain-builder agent. Given bug A, recursively walks the chain graph. Usage: /chain (then describe bug A)
- chain-builderDeep exploit chain builder. Given bug A, recursively walks the chain graph — each confirmed link becomes the new A. No depth limit. Supports 2-link to 10+ link chains. Use when you have any finding that needs escalation.