diff --git a/capabilities/web-security/agents/web-security.md b/capabilities/web-security/agents/web-security.md index 179ae4c..5c415eb 100644 --- a/capabilities/web-security/agents/web-security.md +++ b/capabilities/web-security/agents/web-security.md 
@@ -101,7 +101,7 @@ Use tools proactively when they reduce uncertainty or verify a finding. Match th You may also have tools from MCP servers. Check your tool schema for what's available — not all servers may be running. Key guidance: -- **Proxy tools (Caido, Burp):** Check health first. If health fails, retry once — transient connection issues are common and often resolve within seconds. If the retry also fails, fall back to built-in tools for the rest of the current task. Do not mark the proxy as permanently unavailable after a single error. Replay tools (e.g. `caido_replay_request`) require hand-crafted raw HTTP and are best for replaying or modifying a previously captured request. For standard requests, session handling, cookies, redirects, scripting, or multi-step sequences, prefer `execute_http` or `bash` with `curl`/`python` — route through the proxy (`--proxy http://localhost:8080`) when you need traffic captured. +- **Proxy tools (Caido, Burp):** Check health first. If health fails, retry once — transient connection issues are common and often resolve within seconds. If the retry also fails, try routing traffic through the proxy address before giving up on capture entirely: use `execute_http` or `bash` with `curl --proxy http://localhost:8080` / `python` with `proxies={"https": "http://localhost:8080"}`. This still captures traffic in the proxy history even when the MCP control plane is down. Only fall back to fully unproxied built-in tools when the proxy address itself is unreachable. Do not mark the proxy as permanently unavailable after a single MCP error. Replay tools (e.g. `caido_replay_request`) require hand-crafted raw HTTP and are best for replaying or modifying a previously captured request. For standard requests, session handling, cookies, redirects, scripting, or multi-step sequences, prefer `execute_http` or `bash` with `curl`/`python` — route through the proxy (`--proxy http://localhost:8080`) when you need traffic captured. 
- **thermoptic**: Use it when `execute_http` appears blocked by bot/WAF/TLS fingerprinting defenses. Check health first; if health fails, retry once before falling back to built-in tools. - **jxscout**: Finds **gadgets**, not vulnerabilities. Always trace data flow and confirm exploitability before reporting. Load the `jxscout-security-research` skill for the full workflow guide. - **agent-browser**: Prefer running the local `agent-browser` CLI directly when it is available on `PATH`; it is the primary browser automation path. If the CLI is unavailable, use `agent_browser_status` to verify the MCP fallback, then use `agent_browser_open`, `agent_browser_snapshot`, `agent_browser_click`, `agent_browser_fill`, `agent_browser_wait`, `agent_browser_get`, and `agent_browser_screenshot` for normal browser workflows. Use `agent_browser_run` only for fallback CLI subcommands not covered by a specific MCP tool. If neither the local CLI nor the MCP fallback is available, fall back to non-browser HTTP testing or ask for the dependency only when a real browser is required. diff --git a/capabilities/web-security/docker/Dockerfile.runtime b/capabilities/web-security/docker/Dockerfile.runtime index 111cf9d..0be0d2b 100644 --- a/capabilities/web-security/docker/Dockerfile.runtime +++ b/capabilities/web-security/docker/Dockerfile.runtime @@ -23,8 +23,12 @@ # - surf (SSRF target identification) # - pacu (AWS exploitation framework) # -# Tools NOT included (require external instances reachable by network): -# - Caido — set CAIDO_URL to a running instance +# Tools with bundled SDK/MCP integration (require a running instance +# reachable by network — the client library and MCP server are included): +# - Caido — caido-sdk-client + MCP server bundled; set CAIDO_URL +# to a running Caido instance +# +# Tools NOT included (require external setup): # - Burp — set burp MCP url to a running instance # - jxscout — commercial binary, requires license activation
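Review bot: In the web-security.md hunk, the new Python fallback `proxies={"https": "http://localhost:8080"}` only routes HTTPS through the proxy, so any plain-HTTP target tested via `python` will silently bypass capture and the "still captures traffic in the proxy history" claim will not hold for those requests; suggest `proxies={"http": "http://localhost:8080", "https": "http://localhost:8080"}` so both schemes are covered. The same hunk also hard-codes `http://localhost:8080` three times (once in the new fallback sentence, once in the `curl --proxy` example, once in the unchanged closing sentence) while the Dockerfile hunk in this patch tells operators to point `CAIDO_URL` at a remote instance; consider referring to the configured proxy address (or stating that `localhost:8080` is only the default) so the fallback path does not send traffic to the wrong place when the proxy is not local. Finally, the closing sentence "route through the proxy (`--proxy http://localhost:8080`) when you need traffic captured" now restates the fallback guidance added earlier in the same bullet; one of the two can be dropped.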
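Review bot: In the Dockerfile.runtime hunk, the rewritten comment asserts that `caido-sdk-client` and the Caido MCP server are "bundled", but the hunk changes only the comment block; the `RUN`/install lines that would actually add them are not part of this change, so either they already exist elsewhere in the file (worth citing the layer in the commit message) or the comment is ahead of the image. The Burp line is also left as "set burp MCP url to a running instance", which names no environment variable even though the Caido line now names `CAIDO_URL`; suggest giving the exact variable name in the same `NAME — description` style so the two entries are consistent and operators can configure both without reading the MCP server source.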