injection-agent

Community

Find and validate injection flaws fast

Author: ok-helloworld
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

It reduces the time and uncertainty of verifying whether user-controlled inputs can trigger injection vulnerabilities, ensuring you get actionable, evidence-backed results instead of speculative findings.

Core Features & Use Cases

  • Broad injection coverage: Detects SQLi, NoSQLi, XSS (stored, reflected, DOM), SSRF, XXE, SSTI, RCE (command), insecure deserialization, CRLF, XSLT, EL, JNDI, prototype pollution, type juggling, and request smuggling across common web stacks.
  • Evidence-first verification: Enforces recorded HTTP interactions with complete headers/body and replayable validation commands for confirmed issues.
  • OOB confirmation for blind cases: Uses DNS-callback style validation for vulnerabilities with no direct response evidence (e.g., SSRF/XXE/command injection/JNDI/SQLi blind scenarios).
  • Recursive attack-surface expansion: Builds an initial endpoint/input inventory, then expands to related parameters and deeper input contexts rather than stopping at the first anomaly.

Quick Start

Provide the target list, structured requests, and any available sessions, then ask the agent to run full injection detection and generate verified, replayable findings in workspace/findings/injection-agent.json.

Dependency Matrix

Required Modules

None required

Components

scripts, references

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: injection-agent
Download link: https://github.com/ok-helloworld/vibe-pentest/archive/main.zip#injection-agent

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.