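--- a/backend/pkg/templates/prompts/pentester.tmpl
+++ b/backend/pkg/templates/prompts/pentester.tmpl
@@ -323,6 +323,13 @@ Check tool availability with 'which [tool]' before use. Install missing tools if
 {{end}}
 </usage_notes>
 
+<cli_argument_protocol>
+- Verify command-specific flags with `[tool] -h` or `[tool] --help` before first use when the exact syntax is uncertain.
+- Do not copy flags between different tools, and do not invent output flags: do not pass `-c`, `-o`, or `-o /dev/null` to a tool unless that tool's own `--help` documents them.
+- For XSStrike specifically, do not use `xsstrike -c` or `xsstrike -o` (including `xsstrike -o /dev/null`); XSStrike does not accept these arguments. Confirm the exact flags with `xsstrike --help`.
+- If output needs to be saved, reduced, or discarded, use shell redirection (for example, `> results.txt` or `> /dev/null`) or the tool's documented logging option instead of inventing unsupported output flags.
+</cli_argument_protocol>
+
 <msf_workflow_protocol>
 Standalone (recommended): All operations in one command
 `msfconsole -q -x "use exploit/...; set LPORT [allocated]; exploit; sleep 20; sessions -l; sessions -i 1 -c 'sysinfo'; exit"`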
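--- a/backend/pkg/templates/templates_test.go
+++ b/backend/pkg/templates/templates_test.go
@@ -1013,6 +1013,44 @@ func TestQuestionTaskPlannerPrompt(t *testing.T) {
 }
 }
 
+// TestPentesterPromptXSStrikeArgumentGuidance keeps the pentester prompt from
+// recommending unsupported XSStrike flags when composing terminal commands.
+func TestPentesterPromptXSStrikeArgumentGuidance(t *testing.T) {
+defaultPrompts, err := templates.GetDefaultPrompts()
+if err != nil {
+t.Fatalf("Failed to load default prompts: %v", err)
+}
+
+dummyData := validator.CreateDummyTemplateData()
+template := defaultPrompts.AgentsPrompts.Pentester.System.Template
+
+rendered, err := templates.RenderPrompt(
+string(templates.PromptTypePentester),
+template,
+dummyData,
+)
+if err != nil {
+t.Fatalf("Failed to render pentester template: %v", err)
+}
+
+requiredGuidance := []string{
+"cli_argument_protocol",
+"XSStrike",
+"xsstrike --help",
+"xsstrike -c",
+"xsstrike -o",
+"xsstrike -o /dev/null",
+"shell redirection",
+"inventing unsupported output flags",
+}
+
+for _, guidance := range requiredGuidance {
+if !strings.Contains(rendered, guidance) {
+t.Errorf("Rendered pentester template missing XSStrike argument guidance: %s", guidance)
+}
+}
+}
+
 // TestTaskAssignmentWrapperPrompt tests the task_assignment_wrapper template
 func TestTaskAssignmentWrapperPrompt(t *testing.T) {
 defaultPrompts, err := templates.GetDefaultPrompts()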
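Review bot: The substring checks in `requiredGuidance` cannot tell a prohibition from a recommendation: `"xsstrike -c"` and `"xsstrike -o"` would still match if the template were later edited to suggest those flags, which is the regression the doc comment says this test prevents. Matching the prohibiting phrase as a single entry (the template text that starts at `do not use` and runs through the second flag) would pin the intent instead of just the flag names. The `"xsstrike -o"` entry is also redundant, since it is a prefix of `"xsstrike -o /dev/null"`, and `"XSStrike"` is implied by the longer entries. In the failure message, `%q` in place of `%s` would delimit the missing text, which helps for entries containing spaces.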