-
Notifications
You must be signed in to change notification settings - Fork 17
Expand file tree
/
Copy pathbugtraceaicli.conf
More file actions
377 lines (295 loc) · 11.8 KB
/
bugtraceaicli.conf
File metadata and controls
377 lines (295 loc) · 11.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
# ==============================================================================
# BUGTRACE AI CLI - CONFIGURATION FILE (bugtraceaicli.conf)
# ==============================================================================
# Operational settings for the autonomous DAST/SAST framework.
# API keys belong in .env — this file is for tuning behavior.
#
# Sections follow the scan pipeline order:
# CORE → LLM → SCAN → ANALYSIS → EXPLOITATION → VALIDATION → REPORTING
# ==============================================================================
# =============================================================================
# 1. CORE — Global Settings
# =============================================================================
[CORE]
# Debug mode: verbose terminal output and detailed error tracking.
DEBUG = False
# Safe Mode: only simulates attacks, no real payloads injected.
SAFE_MODE = False
[PATHS]
# Directory for scan logs (jsonl, errors)
LOG_DIR = logs
# Directory for final vulnerability reports
REPORT_DIR = reports
# =============================================================================
# 2. PROVIDER — LLM Provider Selection
# =============================================================================
[PROVIDER]
# Active LLM provider: openrouter (recommended), zai
# openrouter: Recommended — multiple providers, best model per task (requires OPENROUTER_API_KEY in .env)
# zai: Z.ai direct API, single-provider option (requires GLM_API_KEY in .env)
#
# Changing provider auto-configures all models from its preset.
# Override individual models below in [LLM_MODELS] if needed.
ACTIVE = openrouter
# =============================================================================
# 3. LLM MODELS — Model Selection (overrides provider defaults)
# =============================================================================
[LLM_MODELS]
# Orchestration and strategy (few calls, needs reliability)
DEFAULT_MODEL = qwen/qwen3-coder
# Code analysis, payload generation, bypass logic
CODE_MODEL = qwen/qwen3-coder
# DASTySAST analysis (high-volume: 1 call per URL, must be FAST)
ANALYSIS_MODEL = qwen/qwen3-coder
# Fallback chain (comma-separated, tried in order)
PRIMARY_MODELS = qwen/qwen3-coder,x-ai/grok-4-fast
# Vision-Language Model for screenshot and UI analysis
VISION_MODEL = google/gemini-3-flash-preview
# WAF signature detection (few calls)
WAF_DETECTION_MODELS = qwen/qwen3-coder,x-ai/grok-4-fast
# Payload mutation and WAF bypass
MUTATION_MODEL = x-ai/grok-4-fast
# Per-finding skeptical review (high volume, must be fast)
SKEPTICAL_MODEL = anthropic/claude-haiku-4.5
# Report generation (PoC enrichment, CVSS scoring)
REPORTING_MODEL = anthropic/claude-haiku-4.5
# Minimum OpenRouter credits (USD) to start a scan
MIN_CREDITS = 2.0
[OPENROUTER]
# Enable online mode for models that support internet access
ONLINE = True
[ANTHROPIC]
# Direct Anthropic API via OAuth — $0 on Claude Pro/Max plan.
# 1. Run: bash tools/anthropic_login.sh
# 2. Set ENABLED = True below
ENABLED = False
# =============================================================================
# 3. SCAN — Target & Crawling Configuration
# =============================================================================
[SCAN]
# Maximum depth for the visual crawler (BFS)
MAX_DEPTH = 5
# Maximum number of unique URLs to scan
MAX_URLS = 50
# Maximum concurrent URLMasterAgents
# Range: 5-20, Recommended: 5-10
MAX_CONCURRENT_URL_AGENTS = 5
# Collapse URLs with same path pattern before DAST (/products/1, /products/2 → 1)
# Saves LLM calls on targets with many parameterized endpoints
URL_PATTERN_DEDUP = True
# GoSpider: Don't follow redirects (catches .env, .htaccess leaks)
GOSPIDER_NO_REDIRECT = False
# GoSpider: Query external archives (Wayback Machine, CommonCrawl, VirusTotal)
# Set to False for more consistent URL counts across runs (archives return variable results)
GOSPIDER_USE_ARCHIVES = True
# GoSpider: Crawler thread count (lower = more deterministic, higher = faster)
# Range: 1-20, Recommended: 3-5
GOSPIDER_CONCURRENCY = 5
[CRAWLER]
# Wait time in ms for SPA hydration (React/Vue/Angular rendering)
SPA_WAIT_MS = 1000
# Maximum internal queue size to prevent memory explosion
MAX_QUEUE_SIZE = 100
# Extensions to EXCLUDE from analysis (static files)
EXCLUDE_EXTENSIONS = .js,.css,.jpg,.jpeg,.png,.gif,.svg,.ico,.woff,.woff2,.ttf,.eot,.pdf,.zip,.rar,.mp3,.mp4,.webm,.webp
# Only analyze URLs with these extensions (empty = all except excluded)
INCLUDE_EXTENSIONS =
[URL_PRIORITIZATION]
# Scan high-value URLs first (admin, API, login) before low-priority ones.
# Scoring: +10 high-value path, +5 sensitive param, +15 has params, -20 static file
ENABLED = True
LOG_SCORES = True
# Custom high-priority paths/params (comma-separated, adds to defaults)
CUSTOM_PATHS =
CUSTOM_PARAMS =
[ASSET_DISCOVERY]
# Comprehensive asset discovery and subdomain enumeration
# True = full recon (subdomains, Wayback, cloud storage)
# False = only the provided target URL
ENABLE_ASSET_DISCOVERY = False
ENABLE_DNS_ENUMERATION = True
ENABLE_CERTIFICATE_TRANSPARENCY = True
ENABLE_WAYBACK_DISCOVERY = True
ENABLE_CLOUD_STORAGE_ENUM = True
ENABLE_COMMON_PATHS = True
MAX_SUBDOMAINS = 50
# =============================================================================
# 4. ANALYSIS — DAST/SAST Analysis Phase
# =============================================================================
[PARALLELIZATION]
# Per-phase concurrency control. Each agent makes LLM calls independently.
# Discovery Phase - GoSpider crawling (single-threaded by design)
MAX_CONCURRENT_DISCOVERY = 1
# Analysis Phase - DASTySASTAgents analyzing URLs in parallel
# Range: 1-10, Recommended: 5
MAX_CONCURRENT_ANALYSIS = 5
# Exploitation Phase - Specialist agents (XSS, SQLi, CSTI, etc.)
# Range: 1-20, Recommended: 7-10
MAX_CONCURRENT_SPECIALISTS = 7
# NOTE: Validation concurrency is HARDCODED to 1 (CDP crashes with concurrent sessions)
[ANALYSIS]
# Enable/disable pre-exploitation analysis
ENABLE_ANALYSIS = True
# DAST Analysis Timeout — seconds per URL (probes + all LLM calls)
# Each URL runs multiple parallel LLM approaches + SQLi/Cookie probes
# Increase if you see timeout errors during analysis phase
DAST_ANALYSIS_TIMEOUT = 180.0
# Approach execution mode:
# ALL = run all enabled approaches in parallel (max coverage)
# AUTO = wave-based: pentester+bug_bounty first, if empty → code_auditor+red_team
# researcher is skipped in AUTO mode. Saves 20-60% LLM calls.
APPROACH_MODE = AUTO
# Individual approach toggles (True/False, only used in ALL mode)
# skeptical_agent always runs as final reviewer (not togglable)
APPROACH_PENTESTER = True
APPROACH_BUG_BOUNTY = True
APPROACH_CODE_AUDITOR = True
APPROACH_RED_TEAM = True
APPROACH_RESEARCHER = True
# Per-approach models (split across providers for resilience)
PENTESTER_MODEL = qwen/qwen3-coder
BUG_BOUNTY_MODEL = qwen/qwen3-coder
AUDITOR_MODEL = qwen/qwen3-coder
RED_TEAM_MODEL = google/gemini-3-flash-preview
RESEARCHER_MODEL = google/gemini-3-flash-preview
# Confidence thresholds for forwarding to exploitation
CONFIDENCE_THRESHOLD = 0.5
SKIP_THRESHOLD = 0.3
# Models required to agree for "consensus" (1=sensitive, 3=precise)
CONSENSUS_VOTES = 1
[SKEPTICAL_THRESHOLDS]
# Minimum confidence score (0-10) for findings to pass to specialists
# Lower = more permissive, Higher = stricter
# CRITICAL
RCE = 4
SQL = 6
# HIGH
XXE = 5
SSRF = 5
LFI = 5
# MEDIUM
XSS = 5
JWT = 6
FILE_UPLOAD = 6
# LOW
IDOR = 6
# Fallback
DEFAULT = 5
[THINKING]
# ThinkingConsolidationAgent — filters findings before specialists
# Minimum fp_confidence to forward (DOM XSS typically ~0.4)
FP_THRESHOLD = 0.3
[CONDUCTOR]
# Conductor V2 Anti-Hallucination System
DISABLE_VALIDATION = False
CONTEXT_REFRESH_INTERVAL = 300
MIN_CONFIDENCE = 0.6
ENABLE_FP_DETECTION = True
# =============================================================================
# 5. EXPLOITATION — Specialist Agents & Attack Configuration
# =============================================================================
[SCANNING]
# Stop scan on critical vulnerability (SQLi, RCE, XXE = full compromise)
STOP_ON_CRITICAL = False
CRITICAL_TYPES = SQLi,RCE,XXE
# Require SQLMap validation for ALL SQLi findings (mandatory)
MANDATORY_SQLMAP_VALIDATION = True
# Skip parameters already validated (avoid redundant scans)
SKIP_VALIDATED_PARAMS = True
# Exploitation depth: quick (L0-L1) | standard (L0-L3) | thorough (L0-L4 + SQLMap)
SCAN_DEPTH = standard
[AUTHORITY]
# Allow specialist agents to self-validate findings
ENABLE_SELF_VALIDATION = True
XSS_SELF_VALIDATE = True
SQLI_SELF_VALIDATE = True
RCE_SELF_VALIDATE = True
[MANIPULATOR]
# HTTP Exploitation Tool — Intelligent Breakouts System
GLOBAL_RATE_LIMIT = 2.0
USE_GLOBAL_RATE_LIMITER = True
ENABLE_LLM_EXPANSION = True
ENABLE_AGENTIC_FALLBACK = False
BREAKOUT_PRIORITY_LEVEL = 3
MAX_LLM_PAYLOADS = 100
[WAF_BYPASS]
# Auto-detected WAFs: cloudflare, modsecurity, aws_waf, akamai, imperva,
# f5_bigip, sucuri, fortiweb, nginx_naxsi, barracuda, generic
#
# Encoding strategies (auto-selected by Q-Learning):
# Basic: url_encode, double_url_encode, unicode_encode, html_entity_encode,
# html_entity_hex, base64_encode
# Advanced: case_mixing, null_byte_injection, comment_injection,
# whitespace_obfuscation, overlong_utf8, backslash_escape
# SQL: concat_string, hex_encode, scientific_notation
# Buffer: buffer_overflow, newline_injection
[QLEARNING]
# Q-Learning hyperparameters for WAF bypass strategy selection
# UCB1 formula: UCB = success_rate + c * sqrt(ln(total) / attempts)
INITIAL_EPSILON = 0.3
MIN_EPSILON = 0.05
DECAY_RATE = 0.995
UCB_CONSTANT = 2.0
MAX_BACKUPS = 5
# Learning data persists in: bugtrace/data/waf_strategy_learning.json
# System gets smarter with each scan.
# =============================================================================
# 6. VALIDATION — Browser & Vision Verification
# =============================================================================
[BROWSER]
# Headless mode (False to watch the crawler in real-time)
HEADLESS = True
# User Agent string
USER_AGENT = Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
# Browser viewport
VIEWPORT_WIDTH = 1280
VIEWPORT_HEIGHT = 720
# Navigation timeout (ms)
TIMEOUT_MS = 15000
# DOM Click Strategy for Open Redirect detection
DOM_CLICK_MAX_LINKS = 5
DOM_CLICK_MAX_TEXT_LINKS = 10
DOM_CLICK_WAIT_SEC = 2.0
DOM_CLICK_INITIAL_WAIT_SEC = 1.0
[VALIDATION]
# Vision-based XSS screenshot validation
VISION_MODEL = google/gemini-3-flash-preview
VISION_ENABLED = True
VISION_ONLY_FOR_XSS = True
MAX_VISION_CALLS_PER_URL = 3
[BROWSER_ADVANCED]
# Navegación y carga
NAVIGATION_TIMEOUT_MS = 90000
NETWORKIDLE_TIMEOUT_MS = 30000
PAYLOAD_EXECUTION_WAIT_MS = 8000
SCREENSHOT_TIMEOUT_MS = 15000
SCREENSHOT_MAX_RETRIES = 3
# Estrategias de espera
WAIT_STRATEGY = staggered
STAGGERED_WAIT_INITIAL = 5000
STAGGERED_WAIT_EXTRA = 3000
# Captura de evidencia
SCREENSHOT_FULL_PAGE = False
SCREENSHOT_ON_ERROR = True
# =============================================================================
# 7. REPORTING & OPTIMIZATION
# =============================================================================
[REPORT]
# Only include validated findings in the final report
# True = only findings with evidence, False = includes "Potential" findings
ONLY_VALIDATED = False
[OPTIMIZATION]
# Early exit after first finding per URL
# True = bug bounty speed (70% faster), False = full audit coverage
EARLY_EXIT_ON_FINDING = False
# =============================================================================
# 8. AUTONOMOUS AGENTS
# =============================================================================
[LONEWOLF]
# Autonomous exploration agent — runs in parallel with pipeline
# Finds vulns the structured pipeline might miss using raw HTTP + LLM reasoning
ENABLED = False
MODEL = moonshotai/kimi-k2.5
RATE_LIMIT = 1.0
MAX_CONTEXT = 20
RESPONSE_TRUNCATE = 2000