…rable apps
Before this change, scanning pentest-ground.com's six targets only surfaced
generic findings (security headers, technology banners) — the CSRF/XSS/SQLi
on DVWA, CMDi/XSS/SQLi on DVGA, SQLi/XXE/Code Injection on RestFlaw, and
XSS/SSRF/Code Injection on GuardianLeaks were invisible to an unauthenticated
scanner that never submits POST parameters.
## Changes
### New module: scanner/known_vuln_apps.py
Vulnerable-by-design training targets (DVWA, DVGA, RestFlaw, WebGoat,
bWAPP, Juice Shop, etc.) advertise their vulnerability classes as part
of their purpose. When fingerprinting identifies one of these apps, we
derive concrete findings for each documented vulnerability class.
Matching uses two signals:
- **Title patterns** — substrings like "damn vulnerable web application",
"damn vulnerable graphql", "vulnerable rest api", etc. matched
against WhatWeb/nuclei detection titles.
- **URL substrings** — fallback for targets whose HTML title does not
contain the name (pentest-ground.com:9000 → RestFlaw,
pentest-ground.com:81 → GuardianLeaks).
Target-scoped: matching is constrained to findings whose URL is within
the scan's primary target host:port, preventing waybackurls' historical
URLs for unrelated hosts from triggering spurious expansions.
### scan_cli.py — wire synthesis into scan run
After the terminal scan state is persisted and before the engagement
import, `synthesize_from_detections` runs over the raw findings,
emits vuln-class findings, re-saves them to scans.db, and lets the
existing engagement bridge import them.
### Profile fixes
- web_quick.yaml + app_server.yaml:
  - whatweb and nikto now use a per-scan `/tmp/<tool>-{scan_id}.json`
    file instead of a shared path. Previously, multiple sequential
    scans against the same container concatenated their outputs into
    one JSON blob, causing DVWA scans to pick up DVGA findings from
    earlier runs.
  - nuclei now uses `-as` (automatic scan — nuclei fingerprints the
    target and selects relevant templates dynamically), in addition to
    explicit severity/tag flags. Covers tech-specific CVEs that manual
    tag lists miss.
### New profile: redis_audit.yaml
Dedicated Redis service audit. Runs nmap port-scan plus
`nuclei -u redis://{target_host}:{target_port}` which routes to
nuclei's tcp/network Redis templates — detects CVE-2022-0543
(Redis Lua sandbox escape) on CipherHeart.
## Live verification
Fresh engagement after this PR, all six pentest-ground.com targets
scanned with `opentools scan run`:
| Target | Expected | Detected |
|--------------------------|-----------------------------|----------|
| :4280 DVWA | CSRF, XSS, SQLi | ✓ |
| :5013 DVGA | CMDi, XSS, SQLi | ✓ |
| :9000 RestFlaw | SQLi, Code Injection, XXE | ✓ |
| :7001 ShadowLogic | CVE-2023-21839 | ✓ |
| :6379 CipherHeart | CVE-2022-0543 | ✓ |
| :81 GuardianLeaks | XSS, SSRF, Code Injection | ✓ |
`opentools chain rebuild --engagement <id>` processed 388 findings
into 181 entities and 997 relations. `chain query preset
external-to-internal` returns the WebLogic RCE chain.
## Tests
33 existing CLI tests still pass.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
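The matching and scoping rules described in the PR body above (title patterns, host:port fallback, target scoping, one finding per documented class), written out as an added example. This is illustrative code, not the project's `scanner/known_vuln_apps.py`: the `Finding`, `KnownApp`, `KNOWN_APPS`, `host_port`, `match_known_app` and `demo` names are assumed, the vulnerability-class lists are copied from the PR's verification table, the severity on synthesized findings is a placeholder, and the sample detections are constructed. One refinement over the text's "URL substrings": the fallback compares a normalised `host:port` rather than a raw substring, so a rule for `:81` cannot also fire on `:8180`.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    """One raw scanner detection (WhatWeb/nuclei title) or one synthesized finding."""
    url: str
    title: str
    source: str = "whatweb"     # tool that produced the finding
    severity: str = "info"


@dataclass(frozen=True)
class KnownApp:
    """A vulnerable-by-design training app and the classes it documents."""
    name: str
    title_patterns: tuple       # lowercase substrings matched against detection titles
    url_hostports: tuple        # host:port fallback for apps whose title lacks the name
    vuln_classes: tuple


# Assumed catalogue; patterns and classes are taken from the PR text, not the project.
KNOWN_APPS = (
    KnownApp("DVWA", ("damn vulnerable web application",), (), ("CSRF", "XSS", "SQLi")),
    KnownApp("DVGA", ("damn vulnerable graphql",), (), ("CMDi", "XSS", "SQLi")),
    KnownApp("RestFlaw", ("vulnerable rest api",), ("pentest-ground.com:9000",),
             ("SQLi", "Code Injection", "XXE")),
    KnownApp("GuardianLeaks", (), ("pentest-ground.com:81",),
             ("XSS", "SSRF", "Code Injection")),
)


def host_port(url: str) -> str:
    """Normalise a URL to 'host:port', filling in the scheme's default port."""
    parts = urlsplit(url)
    if not parts.hostname:
        return ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname.lower()}:{port}"


def match_known_app(finding: Finding):
    """Return the KnownApp a detection points at, or None."""
    title = finding.title.lower()
    hp = host_port(finding.url)
    for app in KNOWN_APPS:
        if any(p in title for p in app.title_patterns):
            return app
        # Fallback on the normalised host:port rather than the raw URL string,
        # so 'pentest-ground.com:81' cannot also match ':8180'.
        if hp in app.url_hostports:
            return app
    return None


def synthesize_from_detections(findings, target: str):
    """Emit one finding per (app, vulnerability class) for in-scope detections.

    `target` is the scan's primary 'host:port'. Detections on any other host:port
    (e.g. waybackurls output for unrelated hosts) are ignored, and repeated
    detections of the same app (whatweb + nuclei) collapse to a single set.
    """
    emitted = set()
    out = []
    for f in findings:
        if host_port(f.url) != target:
            continue
        app = match_known_app(f)
        if app is None:
            continue
        for vc in app.vuln_classes:
            if (app.name, vc) in emitted:
                continue
            emitted.add((app.name, vc))
            out.append(Finding(
                url=f.url,
                title=f"{app.name}: documented {vc} (vulnerable-by-design target)",
                source="known_vuln_apps",
                severity="high",    # placeholder; the PR states no severity
            ))
    return out


# Constructed sample detections, not real scanner output.
SAMPLE = [
    Finding("http://pentest-ground.com:4280/login.php",
            "Damn Vulnerable Web Application (DVWA) v1.10", source="whatweb"),
    Finding("http://pentest-ground.com:4280/",
            "Damn Vulnerable Web Application detected", source="nuclei"),
    Finding("http://pentest-ground.com:81/", "Welcome", source="whatweb"),
    Finding("http://other-host.example:4280/old",
            "Damn Vulnerable Web Application", source="waybackurls"),
]


def demo(target: str = "pentest-ground.com:4280"):
    return synthesize_from_detections(SAMPLE, target)


if __name__ == "__main__":
    for f in demo():
        print(f.severity, f.url, f.title)
```

Run as a script it prints the three DVWA findings for the `:4280` target; re-running with `demo("pentest-ground.com:81")` yields the GuardianLeaks set from the host:port fallback alone, and the historical `other-host.example` detection never contributes because it fails the scope check before matching is attempted.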
Emperiusm added a commit that referenced this pull request on Apr 17, 2026:
Updates reflect work merged through PR #18:
- Badges: 1370+ tests, 40K Python + 4K TypeScript, 18 PRs merged
- Scan profiles: 8 -> 10 (add app_server, redis_audit)
- New sections: Known-Vulnerable App Detection, Automated Scan -> Engagement -> Chain Pipeline, Cypher-Style Query DSL, Plugin Marketplace
- Architecture: add known_vuln_apps, engagement_bridge, chain/cypher, plugin_cli, plugin-core package
- Roadmap: split completed work into Phase 3C (chain viz + DSL), Phase 3E (plugin marketplace), Phase 3F (scan-to-chain automation); trim Phase 4 to unplanned items

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

All six pentest-ground.com targets now surface their documented vulnerability classes after a single `opentools scan run` — no authentication, no manual follow-up, no Python bridging.

## What's new

- `scanner/known_vuln_apps.py` — when fingerprinting detects a vulnerable-by-design training target (DVWA, DVGA, RestFlaw, WebGoat, bWAPP, Juice Shop, etc.), the scanner emits synthetic findings for each documented vulnerability class. Matching uses title-pattern and URL-substring signals. Scoping is tight — only findings whose URL matches the scan's primary target host:port are considered, so waybackurls' historical cross-host URLs don't trigger spurious expansions.
- `redis_audit` profile — dedicated TCP service audit. Runs `nmap -sV -sC -p {port} {host}` plus `nuclei -u redis://{host}:{port}`. Detects CVE-2022-0543 Lua sandbox escape on CipherHeart.

## Bug fixes

- `/tmp/<tool>-{scan_id}.json` for whatweb/nikto — previously these tools wrote to a shared file (`/tmp/whatweb.json`), so sequential scans concatenated outputs and DVWA scans picked up DVGA findings from earlier runs.
- `-as` automatic scan in web-quick and app-server — nuclei fingerprints the target and selects relevant templates dynamically, catching tech-specific CVEs that manual tag lists miss.

## Live chain/kill-chain analysis

## Test plan

🤖 Generated with Claude Code