feat: AI-driven automated penetration testing (#12)

2026-03-12 14:42:54 +00:00
parent 3ec1456b0d
commit acc5b86aa4
52 changed files with 11729 additions and 98 deletions
--- a/docs/features/dast.md
+++ b/docs/features/dast.md
@@ -67,7 +67,7 @@ Navigate to **DAST > Findings** to see all discovered vulnerabilities. Each find

 | Column | Description |
 |--------|-------------|
-| Severity | Critical, High, Medium, or Low |
+| Severity | Critical, High, Medium, Low, or Info |
 | Type | Vulnerability category (SQL Injection, XSS, SSRF, etc.) |
 | Title | Description of the vulnerability |
 | Endpoint | The HTTP path that is vulnerable |
@@ -76,6 +76,19 @@ Navigate to **DAST > Findings** to see all discovered vulnerabilities. Each find

 Click a finding to see full details including the CWE identifier, vulnerable parameter, remediation guidance, and evidence showing the exact request/response pairs that triggered the finding.

+### Filtering Findings
+
+The findings page provides several filters to help you focus on what matters:
+
+| Filter | Description |
+|--------|-------------|
+| **Search** | Free-text search across finding titles and descriptions |
+| **Severity** | Filter by severity level (Critical, High, Medium, Low, Info) |
+| **Vulnerability Type** | Filter by vulnerability category -- supports all 21 DAST vulnerability types including SQL Injection, XSS, SSRF, CORS Misconfiguration, CSP Bypass, and more |
+| **Exploitable** | Show only confirmed-exploitable findings, or only unconfirmed |
+
+Filters can be combined. A count indicator shows how many findings match the current filters out of the total (e.g. "Showing 12 of 76 findings"). When no findings match the active filters, a message distinguishes between "no findings exist" and "no findings match your current filters."
+
 ::: tip
 Findings marked as **Confirmed** exploitable were verified with a successful attack payload. **Unconfirmed** findings show suspicious behavior that may indicate a vulnerability but could not be fully exploited.
 :::
--- a/docs/features/pentest.md
+++ b/docs/features/pentest.md
@@ -0,0 +1,110 @@
+# AI Pentest
+
+The AI Pentest module provides autonomous, LLM-driven penetration testing against your DAST targets. It orchestrates a chain of security tools guided by AI reasoning to discover vulnerabilities that traditional scanning may miss.
+
+## Overview
+
+Navigate to **Pentest** in the sidebar to see the pentest dashboard.
+
+The dashboard shows:
+
+- Total pentest sessions run
+- Aggregate finding counts with severity breakdown
+- Tool invocation statistics and success rates
+- Session cards with status, target, strategy, and finding count
+
+## Starting a Pentest Session
+
+1. Click **New Pentest** on the dashboard
+2. Select a **DAST target** (must be configured under DAST > Targets first)
+3. Choose a **strategy**:
+
+| Strategy | Description |
+|----------|-------------|
+| **Comprehensive** | Full-spectrum test covering recon, API analysis, injection testing, auth checks, and more |
+| **Focused** | Targets specific vulnerability categories based on initial reconnaissance |
+
+4. Optionally provide an initial **message** to guide the AI's focus
+5. Click **Start** to begin the session
+
+The AI orchestrator will autonomously select and execute security tools in phases, using the output of each phase to inform the next.
+
+## Session View
+
+Click any session card to open the detailed session view. It shows:
+
+### Summary Cards
+
+- **Findings** — total vulnerabilities discovered
+- **Exploitable** — confirmed-exploitable findings
+- **Tool Invocations** — total tools executed
+- **Success Rate** — percentage of tools that completed successfully
+
+### Severity Distribution
+
+A bar showing the breakdown of findings by severity level (Critical, High, Medium, Low, Info).
+
+### Findings Tab
+
+Lists all discovered vulnerabilities with:
+
+- Severity badge and title
+- Vulnerability type and exploitability status
+- HTTP method and endpoint
+- CWE identifier
+- Description and remediation recommendation
+- Correlated SAST finding references (when available)
+
+### Attack Chain Tab
+
+A visual DAG (directed acyclic graph) showing the sequence of tools executed during the pentest. Nodes are grouped into phases:
+
+- **Phase-based layout** — tools are organized top-down by execution phase (reconnaissance, analysis, testing, exploitation, etc.)
+- **Category icons** — each tool displays an icon indicating its category (recon, XSS, SQLi, SSRF, auth, headers, cookies, TLS, CORS, etc.)
+- **Status indicators** — color-coded status dots (green = completed, yellow = running, red = failed)
+- **Finding badges** — red badge showing the number of findings produced by each tool
+- **Interactive** — hover for details, click to select, scroll to zoom, drag to pan
+
+### Stopping a Session
+
+Running sessions can be stopped from the dashboard by clicking the **Stop** button on the session card. This immediately halts all tool execution.
+
+## Exporting Reports
+
+Click **Export Report** on any session to generate a professional pentest report.
+
+### Export Process
+
+1. Enter an **encryption password** (minimum 8 characters)
+2. Click **Export** to generate and download the report
+
+The export produces a **password-protected ZIP archive** (AES-256 encryption) that can be opened with any standard archive tool (7-Zip, WinRAR, macOS Archive Utility, etc.).
+
+### Archive Contents
+
+| File | Description |
+|------|-------------|
+| `report.html` | Professional HTML report with executive summary, methodology, tools, findings with recommendations, and attack chain timeline |
+| `findings.json` | Raw findings data in JSON format for programmatic processing |
+| `attack-chain.json` | Raw attack chain data showing tool execution sequence and relationships |
+
+### Report Features
+
+The HTML report includes:
+
+- Company logo and CONFIDENTIAL banner
+- Requester information
+- Executive summary with overall risk rating
+- Severity distribution chart
+- Methodology and tools section
+- Detailed findings with severity, CWE, endpoint, evidence, remediation guidance, and linked SAST references
+- Attack chain timeline
+- Print-friendly layout (dark theme on screen, light theme for print)
+
+### Integrity Verification
+
+After export, the dashboard displays the **SHA-256 checksum** of the archive with a copy-to-clipboard button. Use this to verify the archive has not been tampered with after distribution.
+
+::: warning
+Only run pentests against applications you own or have explicit written authorization to test. AI-driven pentesting sends real attack payloads that may trigger alerts or cause unintended side effects.
+:::