starred/shannon-KeygraphHQ
1
0
Fork 0
mirror of https://github.com/KeygraphHQ/shannon.git synced 2026-04-25 01:25:52 +03:00
Code Issues 18 Projects Releases Packages Wiki Activity

[PR #154] feat: add IDOR testing as a 6th parallel pipeline #148

New issue
Open
opened 2026-02-27 08:09:27 +03:00 by kerem · 0 comments
kerem commented 2026-02-27 08:09:27 +03:00
Owner
Copy link

📋 Pull Request Information

Original PR: https://github.com/KeygraphHQ/shannon/pull/154
Author: @mesutgungor
Created: 2/21/2026
Status: 🔄 Open

Base: mainHead: main

📝 Commits (1)

  • bcd0f43 feat: add IDOR testing as a 6th parallel pipeline

📊 Changes

11 files changed (+798 additions, -7 deletions)

View changed files

📝 mcp-server/src/types/deliverables.ts (+8 -0)
prompts/exploit-idor.txt (+325 -0)
prompts/pipeline-testing/exploit-idor.txt (+31 -0)
prompts/pipeline-testing/vuln-idor.txt (+37 -0)
prompts/vuln-idor.txt (+347 -0)
📝 src/services/queue-validation.ts (+4 -0)
📝 src/services/reporting.ts (+2 -1)
📝 src/session-manager.ts (+23 -3)
📝 src/temporal/activities.ts (+8 -0)
📝 src/temporal/workflows.ts (+8 -1)
📝 src/types/agents.ts (+5 -2)

📄 Description

Implements Insecure Direct Object Reference (IDOR) vulnerability analysis and exploitation as a new parallel agent pair in the pentesting pipeline, addressing a gap in the Business Logic Testing coverage (WSTG-BUSLOGIC).

The IDOR agent is distinct from the existing authz agent: authz checks whether access control guards exist on endpoints, while IDOR specifically audits whether object ownership is enforced at the data access layer (e.g. missing AND user_id = $currentUser in queries).

Changes:

  • Add idor-vuln and idor-exploit agents to ALL_AGENTS and VulnType
  • Add playwright-agent6 for isolated parallel browser execution
  • Register agents in AGENTS, AGENT_PHASE_MAP, MCP_AGENT_MAPPING, AGENT_VALIDATORS
  • Add idor to VULN_TYPE_CONFIG in queue-validation service
  • Include idor_exploitation_evidence.md in final report assembly
  • Add IDOR_ANALYSIS, IDOR_QUEUE, IDOR_EVIDENCE deliverable types to MCP server
  • Add runIdorVulnAgent and runIdorExploitAgent activity functions
  • Wire IDOR into buildPipelineConfigs (pipeline grows from 5 to 6 pairs)
  • Add vuln-idor.txt: full analysis prompt covering direct/indirect references, mass assignment, cross-object references, and enumeration feasibility
  • Add exploit-idor.txt: exploitation prompt with sequential enumeration, UUID substitution, filename forging, and write/delete IDOR techniques
  • Add pipeline-testing variants for fast iteration

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/KeygraphHQ/shannon/pull/154 **Author:** [@mesutgungor](https://github.com/mesutgungor) **Created:** 2/21/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `main` --- ### 📝 Commits (1) - [`bcd0f43`](https://github.com/KeygraphHQ/shannon/commit/bcd0f43720781cd0f921bff691004d55479ee78c) feat: add IDOR testing as a 6th parallel pipeline ### 📊 Changes **11 files changed** (+798 additions, -7 deletions) <details> <summary>View changed files</summary> 📝 `mcp-server/src/types/deliverables.ts` (+8 -0) ➕ `prompts/exploit-idor.txt` (+325 -0) ➕ `prompts/pipeline-testing/exploit-idor.txt` (+31 -0) ➕ `prompts/pipeline-testing/vuln-idor.txt` (+37 -0) ➕ `prompts/vuln-idor.txt` (+347 -0) 📝 `src/services/queue-validation.ts` (+4 -0) 📝 `src/services/reporting.ts` (+2 -1) 📝 `src/session-manager.ts` (+23 -3) 📝 `src/temporal/activities.ts` (+8 -0) 📝 `src/temporal/workflows.ts` (+8 -1) 📝 `src/types/agents.ts` (+5 -2) </details> ### 📄 Description Implements Insecure Direct Object Reference (IDOR) vulnerability analysis and exploitation as a new parallel agent pair in the pentesting pipeline, addressing a gap in the Business Logic Testing coverage (WSTG-BUSLOGIC). The IDOR agent is distinct from the existing authz agent: authz checks whether access control guards exist on endpoints, while IDOR specifically audits whether object ownership is enforced at the data access layer (e.g. missing AND user_id = $currentUser in queries). Changes: - Add idor-vuln and idor-exploit agents to ALL_AGENTS and VulnType - Add playwright-agent6 for isolated parallel browser execution - Register agents in AGENTS, AGENT_PHASE_MAP, MCP_AGENT_MAPPING, AGENT_VALIDATORS - Add idor to VULN_TYPE_CONFIG in queue-validation service - Include idor_exploitation_evidence.md in final report assembly - Add IDOR_ANALYSIS, IDOR_QUEUE, IDOR_EVIDENCE deliverable types to MCP server - Add runIdorVulnAgent and runIdorExploitAgent activity functions - Wire IDOR into buildPipelineConfigs (pipeline grows from 5 to 6 pairs) - Add vuln-idor.txt: full analysis prompt covering direct/indirect references, mass assignment, cross-object references, and enumeration feasibility - Add exploit-idor.txt: exploitation prompt with sequential enumeration, UUID substitution, filename forging, and write/delete IDOR techniques - Add pipeline-testing variants for fast iteration --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
feat/npx-integration
Readme-Update
feat/telemetry
ctf-mode
v1.1.0
v1.0.0
Labels
Clear labels   
pull-request

Mirrored from GitHub Pull Request

No labels
pull-request
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/shannon-KeygraphHQ#148
No description provided.