Pentest Exploit Validation
Purpose
Validate vulnerability findings through proof-driven exploitation using Shannon's 4-level evidence system. Consumes the exploitation queue from white-box code review, attempts structured exploitation with bypass exhaustion, collects mandatory evidence per vulnerability type, and classifies each finding as EXPLOITED, POTENTIAL, or FALSE_POSITIVE.
Prerequisites
Authorization Requirements
- Written authorization with explicit scope for active exploitation testing
- Exploitation queue JSON from pentest-whitebox-code-review output
- Test accounts at multiple privilege levels for authz testing
- Data exfiltration approval — confirm acceptable proof-of-concept scope
- Rollback plan for any data-mutating exploits
Environment Setup
- sqlmap for automated SQL injection exploitation
- Burp Suite Professional with Repeater, Intruder, and Turbo Intruder
- curl for manual HTTP request crafting
- Playwright for browser-based exploitation (XSS, CSRF)
- nuclei with custom templates for automated validation
- Isolated testing environment or explicit production testing approval
Core Workflow
- Queue Intake: Parse exploitation queue JSON, validate schema, prioritize by confidence score and impact severity. Group findings by vulnerability type for parallel exploitation.
- Injection Exploitation: Confirm injectable parameter → fingerprint backend (DB type, OS) → enumerate databases/tables → demonstrate data exfiltration with minimal footprint.
- XSS Exploitation: Graph traversal from source → processing → sanitization → sink. Craft context-appropriate payload, demonstrate session hijack or DOM manipulation.
- Auth Exploitation: Attack authentication weaknesses → demonstrate account takeover via credential stuffing, token forgery, or session hijack.
- Authz Exploitation: Horizontal access (cross-user data) → vertical escalation (admin functions) → workflow bypass (state manipulation).
- SSRF Exploitation: Internal service access → cloud metadata retrieval (169.254.169.254) → internal network reconnaissance.
- Bypass Exhaustion: For each finding, attempt 3 initial payloads → if blocked, escalate to 8-10 bypass variations → if still blocked, deploy automated tool variants.
- Impact Escalation: Escalate from proof-of-concept to real impact demonstration — data exfiltration, session hijacking, or remote code execution.
- Evidence Collection: Collect mandatory evidence per vulnerability type using per-type checklists.
- Classification: Assign final classification — EXPLOITED, POTENTIAL, or FALSE_POSITIVE — based on 4-level proof system.
4-Level Proof System
| Level | Description | Classification |
|---|
| L1 | Weakness identified in code but not confirmed exploitable | POTENTIAL |
| L2 | Partial bypass achieved but full exploitation not demonstrated | POTENTIAL |
| L3 | Vulnerability confirmed with reproducible evidence | EXPLOITED |
| L4 | Critical impact demonstrated (data exfil, RCE, account takeover) | EXPLOITED CRITICAL |
Classification Criteria
| Classification | Criteria |
|---|
| EXPLOITED | Reproducible proof with evidence: HTTP request/response, extracted data, or demonstrated impact |
| POTENTIAL | Code-level weakness confirmed but exploitation blocked by defense-in-depth or environment constraints |
| FALSE_POSITIVE | Taint analysis flagged but manual review confirms effective sanitization or unreachable code path |
Tool Categories
| Category | Tools | Purpose |
|---|
| SQL Injection | sqlmap, manual payloads | Automated and manual SQLi exploitation |
| Request Crafting | Burp Repeater, curl | Manual HTTP request manipulation |
| Fuzzing | Burp Intruder, Turbo Intruder | Payload variation and bypass testing |
| Browser Exploitation | Playwright | XSS demonstration, session hijack |
| Automation | nuclei, custom scripts | Template-based vulnerability validation |
| Evidence Capture | Burp Logger, screenshot tools | Request/response logging and proof |
References
references/tools.md - Tool function signatures and parametersreferences/workflows.md - Exploitation workflows, evidence checklists, and classification tree