<tools>
<tool name="create_note">
<description>Create a personal note for observations, findings, and research during the scan.</description>
<details>Use this tool for documenting discoveries, observations, methodology notes, and questions.
Notes serve as run memory, both personal and shared, for recording information you want to remember or reference later.
Use category "wiki" for repository source maps shared across agents in the same run.
For tracking actionable tasks, use the todo tool instead.</details>
<parameters>
<parameter name="title" type="string" required="true">
<description>Title of the note</description>
</parameter>
<parameter name="content" type="string" required="true">
<description>Content of the note</description>
</parameter>
<parameter name="category" type="string" required="false">
<description>Category used to organize the note: one of "general", "findings", "methodology", "questions", "plan", "wiki" (default: "general")</description>
</parameter>
<parameter name="tags" type="string" required="false">
<description>Tags for categorization, supplied as a list of strings encoded in a single string (see the examples)</description>
</parameter>
</parameters>
<returns type="Dict[str, Any]">
<description>Response containing: note_id (ID of the created note) and success (whether the note was created successfully)</description>
</returns>
<examples>
# Document an interesting finding
<function=create_note>
<parameter=title>Authentication Bypass Findings</parameter>
<parameter=content>Discovered multiple authentication bypass vectors in the login system:
1. SQL Injection in username field
- Payload: admin'--
- Result: Full authentication bypass
- Endpoint: POST /api/v1/auth/login
2. JWT Token Weakness
- Algorithm confusion attack possible (RS256 -> HS256)
- Token expiration is 24 hours but no refresh rotation
- Token stored in localStorage (XSS risk)
3. Password Reset Flow
- Reset tokens are only 6 digits (brute-forceable)
- No rate limiting on reset attempts
- Token valid for 48 hours
Next Steps:
- Extract full database via SQL injection
- Test JWT manipulation attacks
- Attempt password reset brute force</parameter>
<parameter=category>findings</parameter>
<parameter=tags>["auth", "sqli", "jwt", "critical"]</parameter>
</function>
# Methodology note
<function=create_note>
<parameter=title>API Endpoint Mapping Complete</parameter>
<parameter=content>Completed comprehensive API enumeration using multiple techniques:
Discovered Endpoints:
- /api/v1/auth/* - Authentication endpoints (login, register, reset)
- /api/v1/users/* - User management (profile, settings, admin)
- /api/v1/orders/* - Order management (IDOR vulnerability confirmed)
- /api/v1/admin/* - Admin panel (403 but may be bypassable)
- /api/internal/* - Internal APIs (should not be exposed)
Methods Used:
- Analyzed JavaScript bundles for API calls
- Bruteforced common paths with ffuf
- Reviewed OpenAPI/Swagger documentation at /api/docs
- Monitored traffic during normal application usage
Priority Targets:
The /api/internal/* endpoints are high priority as they appear to lack authentication checks based on error message differences.</parameter>
<parameter=category>methodology</parameter>
<parameter=tags>["api", "enumeration", "recon"]</parameter>
</function>
</examples>
</tool>
<tool name="delete_note">
<description>Delete a note.</description>
<parameters>
<parameter name="note_id" type="string" required="true">
<description>ID of the note to delete</description>
</parameter>
</parameters>
<returns type="Dict[str, Any]">
<description>Response containing: - success: Whether the note was deleted successfully</description>
</returns>
<examples>
<function=delete_note>
<parameter=note_id>note_123</parameter>
</function>
</examples>
</tool>
<tool name="list_notes">
<description>List existing notes with optional filtering and search. By default only note metadata is returned; set include_content to true to receive full content.</description>
<parameters>
<parameter name="category" type="string" required="false">
<description>Filter by category</description>
</parameter>
<parameter name="tags" type="string" required="false">
<description>Filter by tags (returns notes with any of these tags)</description>
</parameter>
<parameter name="search" type="string" required="false">
<description>Search query to find in note titles and content</description>
</parameter>
<parameter name="include_content" type="boolean" required="false">
<description>Include full note content in each list item (default: false)</description>
</parameter>
</parameters>
<returns type="Dict[str, Any]">
<description>Response containing: notes (list of matching notes, each with metadata plus either full content or a content_preview) and total_count (total number of notes found)</description>
</returns>
<examples>
# List all findings
<function=list_notes>
<parameter=category>findings</parameter>
</function>
# Search for SQL injection related notes
<function=list_notes>
<parameter=search>SQL injection</parameter>
</function>
# Search within a specific category
<function=list_notes>
<parameter=search>admin</parameter>
<parameter=category>findings</parameter>
</function>
# Load shared repository wiki notes
<function=list_notes>
<parameter=category>wiki</parameter>
</function>
</examples>
</tool>
<tool name="get_note">
<description>Get a single note by ID, including full content.</description>
<parameters>
<parameter name="note_id" type="string" required="true">
<description>ID of the note to fetch</description>
</parameter>
</parameters>
<returns type="Dict[str, Any]">
<description>Response containing: note (the note object, including its full content) and success (whether the note lookup succeeded)</description>
</returns>
<examples>
# Read a specific wiki note after listing note IDs
<function=get_note>
<parameter=note_id>abc12</parameter>
</function>
</examples>
</tool>
<tool name="update_note">
<description>Update an existing note.</description>
<parameters>
<parameter name="note_id" type="string" required="true">
<description>ID of the note to update</description>
</parameter>
<parameter name="title" type="string" required="false">
<description>New title for the note</description>
</parameter>
<parameter name="content" type="string" required="false">
<description>New content for the note</description>
</parameter>
<parameter name="tags" type="string" required="false">
<description>New tags for the note</description>
</parameter>
</parameters>
<returns type="Dict[str, Any]">
<description>Response containing: - success: Whether the note was updated successfully</description>
</returns>
<examples>
<function=update_note>
<parameter=note_id>note_123</parameter>
<parameter=content>Updated content with new findings...</parameter>
</function>
</examples>
</tool>
</tools>