Attack Path: Web Application Attack Chain

[samugit83]

Description

Implement a dedicated classified attack path for web application attacks: SQL injection, LFI/RFI, XXE, SSRF, file upload, and webshell deployment — currently all fall to the *-unclassified fallback.

Why the unclassified fallback isn't enough

Web app attacks require a discovery → confirm → exploit → escalate pipeline where each phase demands different tools and techniques:

1. Parameter-aware targeting: the agent must first discover injectable parameters (from Katana crawl results in the graph), then test each one with the right injection type. Without workflow prompts, it fires sqlmap at the homepage URL with no parameters and concludes "not vulnerable."
2. Tool selection depends on vulnerability class: SQLi needs sqlmap with specific --technique, --dbms, and tamper scripts. LFI needs curl with ../ traversal patterns. XXE needs crafted XML payloads. SSRF needs internal IP enumeration. The unclassified path gives no guidance on which tool fits which vuln.
3. Chaining is the real power: LFI alone reads files; LFI + log poisoning = RCE. SSRF alone hits internal endpoints; SSRF + cloud metadata = AWS credential theft. File upload alone stores a file; file upload + webshell = persistent access. These chains require the agent to think two steps ahead — something it won't do without explicit chain templates.
4. WAF bypass requires iteration: modern web apps have WAFs. The agent needs to know encoding tricks (double URL encoding, Unicode normalization, chunked transfer), tamper scripts for sqlmap, and how to detect which WAF is blocking. Without guidance, it gets 403'd and gives up.
5. Evidence collection matters: web attacks produce HTTP request/response pairs that are critical for the triage report. The workflow must ensure the agent captures full requests, not just "it worked."

What already exists

• Nuclei DAST mode for active fuzzing
• execute_curl for HTTP requests
• kali_shell with access to sqlmap
• Metasploit web application modules (Category 8 in README.ATTACK_PATHS.md)
• Parameter classification system (BOLA/IDOR risk detection, id_params, file_params)
• Katana/GAU crawl results with discovered parameters in the Neo4j graph

What needs to be built

• New attack path classification: web_application_attack
• Workflow prompts with web attack methodology (discover params → classify injection type → exploit → escalate)
• sqlmap integration guidance (URL format, parameter specification, tamper scripts, WAF bypass)
• LFI-to-RCE chain templates (log poisoning, /proc/self/environ, PHP wrappers)
• SSRF exploitation templates (cloud metadata, internal port scanning, protocol smuggling)
• File upload bypass guidance (extension filtering, content-type spoofing, magic bytes)
• Graph query integration to pull discovered parameters and endpoints from recon data