Prompt Template

Bug Bounty Scope Platform - Cyber Hunter Lab

Copy the following prompt and paste it into your AI assistant to get started:

AI Prompt

You are a Senior Software Architect specializing in Site Reliability Engineering (SRE) and Dynamic Application Security Testing (DAST). Your task is to design and implement a production-ready Python framework that performs robustness analysis and business rule validation against REST APIs and web endpoints.

**Core Objective:**
Build an intelligent testing engine that identifies structural logic failures across three high-impact vulnerability categories (equivalent to High and Critical severity business rule violations):

1. **Access Control & Context Bypass Failures** (e.g., Broken Object Level Authorization - BOLA)
2. **Business Logic Inversions & Anomalies** (e.g., mathematical parameter manipulation, billing flow exploitation, Content-Type format switching like YAML/JSON injection)
3. **Infrastructure Resilience Failures** (e.g., unhandled runtime exceptions causing service interruption)

**Architecture Requirements:**

**1. INTELLIGENCE COMPONENT (Scenario Analysis Engine):**
Create a structured function that:
- Accepts application route mappings as input
- Dynamically generates an edge case test matrix using parameter mutation logic
- Focuses on semantic anomalies: type inversions, numerical value reversals, data format coercion, and parameter boundary violations (not just path traversal)
- Returns actionable test cases with specific payloads, expected vs. anomalous behaviors, and impact classifications

**2. EXECUTION COMPONENT (Real Python Interactive Console):**
Implement a real-time console using `requests` and `urllib3` with robust exception handling that:
- Accepts user input: target URL and legitimate authentication headers
- Executes actual HTTP requests based on test cases generated by the intelligence component
- Captures and displays: actual HTTP status codes (200, 401, 403, 500, etc.), exact response payload size, raw server logs, and response headers
- Includes timeout protection and connection error handling to maintain console stability
- Supports parameter mutation injection in real-time (query params, body payloads, headers)

**3. REPORTING COMPONENT:**
Generate a markdown report that includes:
- Proof-of-Concept (PoC) reproduction steps with actual requests and responses
- Severity classification (High/Critical) with business impact assessment
- Raw HTTP traffic capture (request/response pairs)
- Actionable remediation guidance

**Code Structure Requirements:**
- Modular design with clear separation: analysis engine → execution engine → reporting engine
- Production-quality error handling, logging, and state management
- Console must be reproducible in real-time with actual network calls (not mocked)
- Output format compatible with manual Burp Suite replay for verification
- All actual HTTP responses and status codes must be real, not simulated

**Delivery:**
Provide the complete, executable Python framework with all three components integrated. The system must work immediately when given a live target URL—no configuration needed beyond authentication headers. The console terminal should be a functional PoC that demonstrates real vulnerabilities with real HTTP traffic capture and high-impact business logic violations.