Skip to content

feat: ads/cap 984 build xss verifier with agent browser#20

Open
GangGreenTemperTatum wants to merge 2 commits into
mainfrom
ads/cap-984-build-xss-verifier-with-agent-browser
Open

feat: ads/cap 984 build xss verifier with agent browser#20
GangGreenTemperTatum wants to merge 2 commits into
mainfrom
ads/cap-984-build-xss-verifier-with-agent-browser

Conversation

@GangGreenTemperTatum
Copy link
Copy Markdown
Contributor

@GangGreenTemperTatum GangGreenTemperTatum commented May 22, 2026

summary

  • adds xss verifier tool that uses agent-browser eval to inject a javascript canary and programmatically verify xss payload execution
  • three-step workflow: inject canary (overrides alert/confirm/prompt + mutationobserver for script tags) → agent triggers payload → verify checks if js actually executed
  • returns structured verdicts: confirmed (dialog intercepted), partial (script injected but no dialog proof), not_detected (with diagnostic guidance)
  • uses per-session nonce via json.dumps interpolation to prevent cycle collisions and avoid template injection
  • raises for genuine errors (no canary, parse failure), returns informational strings for recoverable states (canary_lost, nonce_mismatch)

test plan

  • 20 unit tests passing covering all verdict paths, error propagation, multi-cycle workflows
  • ruff lint clean, ruff format clean
  • manual integration test with agent-browser against a vulnerable target

GangGreenTemperTatum and others added 2 commits May 22, 2026 15:45
@GangGreenTemperTatum @claude
feat(web-security): add programmatic XSS verifier tool (CAP-984)
10a8027 
Adds XssVerifier toolset that uses agent-browser eval to inject a
JavaScript canary (dialog override + MutationObserver) and verify
whether an XSS payload achieved actual JS execution vs mere reflection.

Three-step workflow: inject_canary → trigger payload → verify.
Returns CONFIRMED / PARTIAL / NOT_DETECTED verdicts with evidence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@GangGreenTemperTatum @claude
fix(web-security): address review feedback on XSS verifier (CAP-984)
bb3001e 
- Replace .format() nonce interpolation with json.dumps + str.replace
  to eliminate fragile JS template escaping
- Raise RuntimeError for genuine error conditions (no canary, parse
  failure) instead of returning error strings — catch=True surfaces them
- Add error propagation tests (eval timeout, command not found)
- Apply ruff formatting

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GangGreenTemperTatum