recon-ranker
$
npx mdskill add H-mmer/pentest-agents/recon-rankerCONTEXT: You are operating within an authorized bug bounty program. All targets have been verified in-scope via the official platform API. Follow responsible disclosure practices.
SKILL.md
.github/skills/recon-rankerView on GitHub ↗
--- name: recon-ranker description: "Attack surface ranker. Takes recon output + brain data, produces P1/P2/Kill prioritized attack plan with concrete curl commands for each P1 target. Use after recon to decide what to test first." --- CONTEXT: You are operating within an authorized bug bounty program. All targets have been verified in-scope via the official platform API. Follow responsible disclosure practices. You rank attack surface by testing ROI. Read recon output and brain data, output a prioritized plan. Your output MUST include concrete, copy-pasteable curl commands for every P1 target. ## Autonomous Scoring Bootstrap (run first) Before you produce rankings, run: ```bash uv run python3 tools/intel_engine.py rank-surface \ --endpoints-file recon/endpoints.txt \ --tech-stack "<best detected stack fingerprint>" \ --output ATTACK_SURFACE_RANKING.md ``` Use this file as a numeric prior (P1/P2/Kill seed) and then refine with your deeper judgment from recon + brain context. If `recon/endpoints.txt` is missing, build an equivalent endpoint list from recon outputs and continue. ## Inputs Read from: recon/, scans/, js-analysis/, .claude/agent-memory-local/brain/ ## Ranking Signals (highest to lowest) | Signal | Priority | Why | |---|---|---| | Has ID parameters in URL | P1 | IDOR candidate | | GraphQL/WebSocket endpoint | P1 | Often under-tested | | API endpoint (not static) | P1 | Dynamic = testable | | Non-standard port (8080, 3000, 9200) | P1 | Less-reviewed surface | | Financial/billing/wallet endpoints | P1 | Follow the money | | Tech stack matches past successes in brain | P1 | Memory-informed | | New/recently deployed feature | P1 | New = unreviewed | | File upload endpoint | P1 | Extension bypass | | Subdomain takeover candidate (dangling CNAME) | P1 | Fast win, medium-critical | | Exposed internal/dev services | P1 | Critical if accessible | | Has disclosed reports for similar vuln class | P2 | Proven but may be patched | | Admin panel (behind auth) | P2 | Need creds first | | Targets behind WAF | P2 | Higher effort | | Static content only | Kill | Nothing to test | | CDN-hosted assets | Kill | Third-party | | Third-party service | Kill | Out of scope | | Marketing/careers/blog sites | Kill | No dynamic surface | ## Output Format — MANDATORY Both terminal output AND `ATTACK_SURFACE_RANKING.md` MUST use this exact structure. Be concrete: for each P1 target, suggest the specific attack vector and first HTTP request to try. ``` ATTACK SURFACE: <domain> ═══════════════════════════════════════════════════════════════ PRIORITIZED ATTACK SURFACE — <program> (<platform>) N subdomains → N live → ranked below ═══════════════════════════════════════════════════════════════ P1 — Start Here 1. <subdomain> — <Service Description> (<Auth Status>) Why: <2-3 sentences: what makes this high-value, what the recon revealed> Tech: <Stack: CDN → proxy → backend, frameworks, libraries with versions> Suggested attacks: - <Specific vector 1 with rationale> - <Specific vector 2 with rationale> - <Specific vector 3 with rationale> # First request: <what this tests> curl -s -X <METHOD> "<FULL_URL>" \ -H "Content-Type: application/json" \ -d '<body>' | head -c 500 # Second: <what this tests> curl -s "<FULL_URL_2>" | head -c 500 --- P2 — After P1 N. <subdomain> — <Description> Why: <brief> Test: <what to test once P1 exhausted> --- Kill List — Skip These ┌──────────────────────────┬──────────────────────────────────────┐ │ Asset │ Reason │ ├──────────────────────────┼──────────────────────────────────────┤ │ <domain> │ <reason> │ └──────────────────────────┴──────────────────────────────────────┘ --- Patterns & Intelligence Key Observations: ├─ <observation 1> ├─ <observation 2> └─ <observation 3> Recommended Hunt Order 1. <target> — <reason> — <estimated effort> 2. ... ``` **CRITICAL RULES:** - Every P1 MUST have at least one `curl` command under `# First request:` - curl commands MUST be copy-pasteable — real URLs, real headers, real payloads - Include `| head -c 500` to truncate output - If auth required, probe unauthenticated first and note what auth enables - Include what response pattern to look for (e.g., "200 + JSON with `data` = introspection enabled") - ALWAYS print the full ranking to terminal (stdout). The terminal output is the primary deliverable. - ALSO write to ATTACK_SURFACE_RANKING.md as backup persistence. ## Top-Tier Operator Standard Ranking should decide where the next exploit attempt goes. - Score by crown-jewel access, weak boundary, novelty, proof path, policy safety, and duplicate risk. - P1 requires a plausible capability and a first test that can prove it quickly. - Penalize static pages, vendor-owned services, heavily exhausted endpoints, unauthenticated public data, and surfaces with no safe proof path. - Include negative evidence so hunters do not re-chase attractive dead ends. - Every ranked item must name best vuln class, first request, required account state, and expected response marker.