jd-opensource/pentest-exploit-validation

Pentest Exploit Validation

Purpose

Validate vulnerability findings through proof-driven exploitation using Shannon's 4-level evidence system. Consumes the exploitation queue from white-box code review, attempts structured exploitation with bypass exhaustion, collects mandatory evidence per vulnerability type, and classifies each finding as EXPLOITED, POTENTIAL, or FALSE_POSITIVE.

Prerequisites

Authorization Requirements

• Written authorization with explicit scope for active exploitation testing
• Exploitation queue JSON from pentest-whitebox-code-review output
• Test accounts at multiple privilege levels for authz testing
• Data exfiltration approval — confirm acceptable proof-of-concept scope
• Rollback plan for any data-mutating exploits

Environment Setup

• sqlmap for automated SQL injection exploitation
• Burp Suite Professional with Repeater, Intruder, and Turbo Intruder
• curl for manual HTTP request crafting
• Playwright for browser-based exploitation (XSS, CSRF)
• nuclei with custom templates for automated validation
• Isolated testing environment or explicit production testing approval

Core Workflow

1. Queue Intake: Parse exploitation queue JSON, validate schema, prioritize by confidence score and impact severity. Group findings by vulnerability type for parallel exploitation.
2. Injection Exploitation: Confirm injectable parameter → fingerprint backend (DB type, OS) → enumerate databases/tables → demonstrate data exfiltration with minimal footprint.
3. XSS Exploitation: Graph traversal from source → processing → sanitization → sink. Craft context-appropriate payload, demonstrate session hijack or DOM manipulation.
4. Auth Exploitation: Attack authentication weaknesses → demonstrate account takeover via credential stuffing, token forgery, or session hijack.
5. Authz Exploitation: Horizontal access (cross-user data) → vertical escalation (admin functions) → workflow bypass (state manipulation).
6. SSRF Exploitation: Internal service access → cloud metadata retrieval (169.254.169.254) → internal network reconnaissance.
7. Bypass Exhaustion: For each finding, attempt 3 initial payloads → if blocked, escalate to 8-10 bypass variations → if still blocked, deploy automated tool variants.
8. Impact Escalation: Escalate from proof-of-concept to real impact demonstration — data exfiltration, session hijacking, or remote code execution.
9. Evidence Collection: Collect mandatory evidence per vulnerability type using per-type checklists.
10. Classification: Assign final classification — EXPLOITED, POTENTIAL, or FALSE_POSITIVE — based on 4-level proof system.

4-Level Proof System

| Level | Description | Classification | |-------|-------------|---------------| | L1 | Weakness identified in code but not confirmed exploitable | POTENTIAL | | L2 | Partial bypass achieved but full exploitation not demonstrated | POTENTIAL | | L3 | Vulnerability confirmed with reproducible evidence | EXPLOITED | | L4 | Critical impact demonstrated (data exfil, RCE, account takeover) | EXPLOITED CRITICAL |

Classification Criteria

| Classification | Criteria | |---------------|----------| | EXPLOITED | Reproducible proof with evidence: HTTP request/response, extracted data, or demonstrated impact | | POTENTIAL | Code-level weakness confirmed but exploitation blocked by defense-in-depth or environment constraints | | FALSE_POSITIVE | Taint analysis flagged but manual review confirms effective sanitization or unreachable code path |

Tool Categories

| Category | Tools | Purpose | |----------|-------|---------| | SQL Injection | sqlmap, manual payloads | Automated and manual SQLi exploitation | | Request Crafting | Burp Repeater, curl | Manual HTTP request manipulation | | Fuzzing | Burp Intruder, Turbo Intruder | Payload variation and bypass testing | | Browser Exploitation | Playwright | XSS demonstration, session hijack | | Automation | nuclei, custom scripts | Template-based vulnerability validation | | Evidence Capture | Burp Logger, screenshot tools | Request/response logging and proof |

References

• references/tools.md - Tool function signatures and parameters
• references/workflows.md - Exploitation workflows, evidence checklists, and classification tree