feat: hot loadable prompts (#17)

* feat: hot loadable prompts * feat: add example directed prompts on vulns * docs: update docs w new feature * docs: scanner done!
dreadnode · Jan 21, 2025 · d6b684e · d6b684e
1 parent db00ce3
commit d6b684e
Show file tree

Hide file tree

Showing 6 changed files with 166 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -62,7 +62,13 @@ Some key features:
   - Additionally, burpference "findings" are created as issues in the Burp Scanner navigation bar available across all tabs in the Burp UI.
 - **Flexible Configuration**: Customize system prompts, API keys, or remote hosts as needed. Use your own configuration files for seamless integration with your workflow.
   - Supports custom configurations, allowing you to load and switch between system prompts, API keys, and remote hosts
-  - [Several examples](configs/README.md) are provided in the repository, and contributions for additional provider plugins are welcome.
+    - [Several examples](configs/README.md) are provided in the repository, and contributions for additional provider plugins are welcome.
+- **Flexible System Prompts**: Specialized [prompt](./prompts/) templates for focused API security testing with some examples:
+  - Authentication bypass and access control analysis
+  - Sensitive data exposure and PII leakage detection
+  - Injection vulnerability assessment across all vectors
+  - Additional templates can be created for specific testing scenarios
+    - Dynamic prompt switching during runtime to tailor analysis based on target endpoints
 
 So grab yer compass, hoist the mainsail, and let **burpference** be yer guide as ye plunder the seven seas of HTTP traffic! Yarrr'!
 
@@ -156,8 +162,6 @@ Longer-term roadmap is a potential Kotlin-based successor (mainly due to the lim
 
 The below bullets are cool ideas for the repo at a further stage or still actively developing.
 
-- **Scanner**
-  - An additional custom one-click "scanner" tab which scans an API target/schema with a selected model and reports findings/payloads and PoCs.
 - **Conversations**
   - Enhanced conversation turns with the model to reflect turns for both HTTP requests and responses to build context.
 - **Prompt Tuning**:
@@ -169,8 +173,6 @@ The below bullets are cool ideas for the repo at a further stage or still active
   - Extend functionality of selecting multiple configurations and sending results across multiple endpoints for optimal results.
   - Introduce judge reward systems for findings.
 
-The following known issues are something that have been reported so far and marked against issues in the repo.
-
 ---
 
 ## Support the Project and Contributing

diff --git a/burpference/burpference.py b/burpference/burpference.py
@@ -92,7 +92,42 @@ def registerExtenderCallbacks(self, callbacks):
         self.configSelector.setForeground(DREADNODE_GREY)
         self.configSelector.addActionListener(self.loadConfiguration)
         c.gridy += 1
-        inputPanel.add(self.configSelector, c)
+
+        # Create a panel for config controls
+        config_panel = JPanel()
+        config_panel.setBackground(DARK_BACKGROUND)
+        configLabel = JLabel("Configuration File: ")
+        configLabel.setForeground(DREADNODE_GREY)
+        config_panel.add(configLabel)
+        config_panel.add(self.configSelector)
+        inputPanel.add(config_panel, c)
+
+        # Create new prompt selector panel
+        c.gridy += 1
+        prompt_panel = JPanel()
+        prompt_panel.setBackground(DARK_BACKGROUND)
+
+        # Add prompt label
+        promptLabel = JLabel("System Prompt: ")
+        promptLabel.setForeground(DREADNODE_GREY)
+        prompt_panel.add(promptLabel)
+
+        # Add prompt selector
+        self.promptFiles = self.loadPromptFiles()
+        self.promptSelector = JComboBox(self.promptFiles)
+        self.promptSelector.setBackground(LIGHTER_BACKGROUND)
+        self.promptSelector.setForeground(DREADNODE_GREY)
+        self.promptSelector.addActionListener(self.loadPromptTemplate)
+        prompt_panel.add(self.promptSelector)
+
+        # Move reload button to prompt panel
+        self.reloadPromptButton = JButton("Reload Prompt")
+        self.reloadPromptButton.setBackground(DREADNODE_ORANGE)
+        self.reloadPromptButton.setForeground(DREADNODE_GREY)
+        self.reloadPromptButton.addActionListener(self.reloadPromptTemplate)
+        prompt_panel.add(self.reloadPromptButton)
+
+        inputPanel.add(prompt_panel, c)
 
         # stopButton
         c.gridy += 1
@@ -406,6 +441,19 @@ def loadConfiguration(self, event):
                 self.scanner.config = None
                 self.scanner.api_adapter = None
 
+    def reloadPromptTemplate(self, event):
+        """Reloads the prompt template file"""
+        try:
+            if os.path.exists(PROXY_PROMPT):
+                with open(PROXY_PROMPT, 'r') as prompt_file:
+                    system_content = prompt_file.read().strip()
+                self._last_system_content = system_content
+                self.log_message("Prompt template reloaded successfully from " + PROXY_PROMPT)
+            else:
+                self.log_message("No prompt file found at " + PROXY_PROMPT)
+        except Exception as e:
+            self.log_message("Error reloading prompt template: %s" % str(e))
+
     def create_inference_logger_tab(self):
         panel = JPanel(BorderLayout())
         panel.setBackground(DARK_BACKGROUND)
@@ -1015,4 +1063,24 @@ def promptForConfiguration(self):
             "Select a configuration file to load in the burpference extension"
             " tab and go brrr",
             "burpference Configuration Required",
-            JOptionPane.INFORMATION_MESSAGE)
+            JOptionPane.INFORMATION_MESSAGE)
+
+    def loadPromptFiles(self):
+        """Load available prompt templates from prompts directory"""
+        if not os.path.exists(PROMPTS_DIR):
+            self.log_message("Prompts directory not found: " + PROMPTS_DIR)
+            return []
+        return [f for f in os.listdir(PROMPTS_DIR) if f.endswith('.txt')]
+
+    def loadPromptTemplate(self, event):
+        """Loads selected prompt template"""
+        selected_prompt = self.promptSelector.getSelectedItem()
+        if selected_prompt:
+            prompt_path = os.path.join(PROMPTS_DIR, selected_prompt)
+            try:
+                with open(prompt_path, 'r') as prompt_file:
+                    system_content = prompt_file.read().strip()
+                self._last_system_content = system_content
+                self.log_message("Loaded prompt template: " + selected_prompt)
+            except Exception as e:
+                self.log_message("Error loading prompt template: %s" % str(e))
diff --git a/burpference/consts.py b/burpference/consts.py
@@ -7,7 +7,8 @@
 # Define paths relative to ROOT_DIR
 CONFIG_DIR = os.path.join(ROOT_DIR, "configs")
 LOG_DIR = os.path.join(ROOT_DIR, "logs")
-PROXY_PROMPT = os.path.join(ROOT_DIR, "prompts", "proxy_prompt.txt")
+PROMPTS_DIR = os.path.join(ROOT_DIR, "prompts")
+PROXY_PROMPT = os.path.join(PROMPTS_DIR, "proxy_prompt.txt")
 SQUID_ASCII_FILE = os.path.join(ROOT_DIR, "assets", "squid_ascii.txt")
 
 # Color constants

diff --git a/prompts/auth_bypass_prompt.txt b/prompts/auth_bypass_prompt.txt
@@ -0,0 +1,29 @@
+You are a web application penetration tester conducting a comprehensive operation focused on authentication and access control mechanisms in APIs.
+Your objective is to examine HTTP requests and responses for authentication bypass opportunities.
+
+This analysis will focus on:
+
+- Authentication Flow Analysis: Examine token handling, session management, and auth state
+- Access Control Patterns: Identify IDOR vulnerabilities and broken level access
+- Token Security: Analyze JWT structure, signature validation, and token reuse potential
+- Authentication Endpoint Security: Test for user enumeration, rate limiting, and lockout bypasses
+
+Look specifically for:
+- Predictable resource IDs
+- Missing access controls
+- Weak session management
+- Authentication token flaws
+- Horizontal/vertical privilege escalation opportunities
+
+Use reasoning and context to identify potential auth bypasses by providing example payloads that could lead to successful exploitation.
+
+If you deem any vulnerabilities, include the severity of the finding as prepend (case-sensitive) in your response with any of the levels:
+- "CRITICAL"
+- "HIGH"
+- "MEDIUM"
+- "LOW"
+- "INFORMATIONAL"
+
+Not every request and response may have indicators. Be concise yet deterministic in your analysis.
+
+The HTTP request and response pair are provided below this line:
diff --git a/prompts/injection_prompt.txt b/prompts/injection_prompt.txt
@@ -0,0 +1,30 @@
+You are a web application penetration tester conducting a comprehensive operation focused on injection vulnerabilities in APIs.
+Your objective is to examine HTTP requests and responses for injection opportunities across all input vectors.
+
+This analysis will focus on:
+
+- Parameter Analysis: Examine all input points for injection patterns
+- Data Type Handling: Identify type confusion and casting vulnerabilities
+- Query Structure: Analyze potential SQL and NoSQL injection points
+- Command Execution: Detect OS command injection opportunities
+- Template Injection: Identify server-side template injection vectors
+
+Look specifically for:
+- Unescaped input handling
+- Dynamic query construction
+- Shell command execution patterns
+- Serialization/deserialization flows
+- Error messages revealing query structure
+
+Use reasoning and context to identify potential injection points by providing example payloads that could lead to successful exploitation.
+
+If you deem any vulnerabilities, include the severity of the finding as prepend (case-sensitive) in your response with any of the levels:
+- "CRITICAL"
+- "HIGH"
+- "MEDIUM"
+- "LOW"
+- "INFORMATIONAL"
+
+Not every request and response may have indicators. Be concise yet deterministic in your analysis.
+
+The HTTP request and response pair are provided below this line:
diff --git a/prompts/sensitive_data_prompt.txt b/prompts/sensitive_data_prompt.txt
@@ -0,0 +1,28 @@
+You are a web application penetration tester conducting a comprehensive operation focused on sensitive data exposure and information disclosure in APIs.
+Your objective is to examine HTTP requests and responses with particular attention to data leakage patterns.
+
+This analysis will focus on:
+
+- PII and Sensitive Data Detection: Identify exposed personal information, credentials, tokens, or system data
+- Response Data Analysis: Examine verbose error messages, debug information, and metadata
+- Directory and Resource Enumeration: Identify exposed paths, endpoints, and internal references
+- Excessive Data Disclosure: Detect overly verbose responses that reveal implementation details
+
+Provide specific examples of any data that should be protected and evaluate the proper implementation of:
+- Data minimization principles
+- Error handling practices
+- Authentication token exposure
+- System information disclosure
+
+Use reasoning and context to identify potential information disclosure by providing example data points that could be leveraged for further exploitation.
+
+If you deem any vulnerabilities, include the severity of the finding as prepend (case-sensitive) in your response with any of the levels:
+- "CRITICAL"
+- "HIGH"
+- "MEDIUM"
+- "LOW"
+- "INFORMATIONAL"
+
+Not every request and response may have indicators. Be concise yet deterministic in your analysis.
+
+The HTTP request and response pair are provided below this line: