---
name: web-assessment-executor
description: Execute scoped web application test cases with strict sequencing, variant control, and replayable evidence.
---

# Web Assessment Executor

## Purpose

Run assigned web tests without scope drift while preserving strong proof quality.

## Inputs

- `target_url`
- `test_cases`
- `auth_context`
- `scope_constraints`
- `runtime_limits`
## Execution Policy

- Complete one test case end-to-end before moving on.
- Use browser automation for stateful UX flows.
- Use HTTP tooling for deterministic replay.
- Keep payload variants bounded and logged.

## Workflow

### Phase 1: Session and Baseline

- Validate authentication and role.
- Capture a normal-behavior baseline for the target action.
- Define the success and failure signals for the case.

### Phase 2: Case Execution

- Run the base payload.
- Run controlled payload variants.
- Capture request context and response deltas.

### Phase 3: Escalation

- If a vulnerability signal appears, escalate toward measurable impact.
- If blocked by a filter, pivot to bypass testing.
- If no signal appears after the bounded variants, classify the case as negative.

### Phase 4: Evidence Packaging

- Include replay steps, payloads, and artifacts.
- Map evidence to case ID and vulnerability type.
- Store an explicit rationale for the verdict.
## Minimum Variant Policy

| Vulnerability Type | Minimum Variants |
| --- | --- |
| XSS | context-aware payloads across HTML/attr/JS contexts |
| SQLi | boolean, error, and time-control checks |
| IDOR | object ID and role/tenant permutations |
| CSRF/workflow | token, sequence, and method variations |
## Output Contract

```json
{
  "executed_cases": [],
  "confirmed_findings": [],
  "negative_cases": [],
  "blocked_cases": [],
  "evidence_index": []
}
```
## Constraints

- Do not invent unrelated tests.
- Do not claim exploitation without execution proof.

## Quality Checklist

## Detailed Operator Notes
### Evidence Ladder

- Step 1: suspicious signal.
- Step 2: primitive confirmation.
- Step 3: execution/authorization breach.
- Step 4: concrete business impact.

### Variant Discipline

- Keep payload families grouped by hypothesis.
- Stop variant expansion when new runs are non-informative.
- Prefer context-correct payloads over generic sprays.

### Confounder Controls

- Re-test in a fresh session and new object state.
- Re-test with the baseline payload and an expected-secure payload.
- Confirm that edge cache/CDN behavior is not driving the result.

### Reporting Rules

- Include a case-level timeline from trigger to impact.
- Include exploitation preconditions and limitations.
- Include clean retest steps for independent validation.
## Quick Scenarios

### Scenario A: Authorization Drift

- Baseline with an owned resource.
- Replay with a foreign resource identifier.
- Repeat with a role shift and a fresh session.
- Confirm read/write/delete differences.

### Scenario B: Input Handling Weakness

- Send a syntactically valid control payload.
- Send a semantically malicious variant.
- Verify the parser or execution side effect.
- Re-test with content-type variation.

### Scenario C: Workflow Bypass

- Execute the expected state sequence.
- Attempt an out-of-order transition.
- Attempt repeated action replay.
- Confirm server-side state enforcement.
## Conditional Decision Matrix

| Condition | Action | Evidence Requirement |
| --- | --- | --- |
| Finding signal unstable | downgrade confidence and add retest plan | repeated run variance log |
| Chain link missing prerequisite | split chain and mark dependency blocker | prerequisite graph |
| Impact appears low in isolation | evaluate chain amplification paths | chain-level impact narrative |
| Mitigation claim is partial | verify alternate path and state variants | mitigation bypass check |
| Environment blocker dominates | classify inconclusive with unblock requests | blocker evidence |
## Advanced Coverage Extensions

- Add attack-path branching for multiple privilege starting points.
- Add defender-detection assumptions and likely monitoring signals.
- Add rollback/cleanup verification after proof steps.
- Add business-impact mapping to concrete assets and workflows.
- Add reproducibility score based on run-to-run consistency.
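As an added example (not part of the original skill, and not code from any project it describes), the following Python applies the Output Contract, the Confounder Controls, the Conditional Decision Matrix, and the reproducibility score from the extensions list to a set of recorded test runs: every case lands in `executed_cases`, and only cases that clear the expected-secure control, reach at least Evidence Ladder step 2, and reproduce across repeated runs reach `confirmed_findings`. The `Run` record and its field names, the 0.8 reproducibility threshold, the `retest` verdict for downgraded cases, and the sample runs are all assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Run:
    case_id: str
    variant: str           # hypothesis label: "base", "expected-secure" (control) or one bounded variant
    signal: bool           # did the success signal defined in Phase 1 fire?
    ladder_step: int       # highest Evidence Ladder step reached: 0 none, 1 signal, 2 primitive, 3 breach, 4 impact
    blocked: bool = False  # run dominated by an environment blocker (outage, rate limit, filter)

def reproducibility(runs):
    """Run-to-run consistency: share of unblocked runs agreeing with the majority signal."""
    signals = [r.signal for r in runs if not r.blocked]
    majority = signals.count(True) >= signals.count(False)
    return signals.count(majority) / len(signals) if signals else 0.0

def classify_case(runs, min_score=0.8):
    """Apply the decision matrix to one case's runs: returns (verdict, rationale, reproducibility)."""
    if sum(r.blocked for r in runs) * 2 > len(runs):
        return "blocked_cases", "environment blocker dominates: inconclusive, unblock request needed", 0.0
    if any(r.signal for r in runs if r.variant == "expected-secure"):
        return "negative_cases", "expected-secure control also fired: confounder, not a finding", 0.0
    live = [r for r in runs if not r.blocked and r.variant != "expected-secure"]
    hit = max((r for r in live if r.signal), key=lambda r: r.ladder_step, default=None)
    if hit is None:
        return "negative_cases", f"no signal after {len({r.variant for r in live})} bounded variants", reproducibility(live)
    same = [r for r in live if r.variant == hit.variant]   # repeats of the variant that reached furthest
    score = reproducibility(same)
    if len(same) >= 2 and hit.ladder_step >= 2 and score >= min_score:
        return "confirmed_findings", f"{hit.variant!r} reached ladder step {hit.ladder_step} in {len(same)} runs", score
    return "retest", f"{hit.variant!r}: step {hit.ladder_step}, {len(same)} run(s), score {score:.2f}; confidence downgraded, retest plan required", score

def package(all_runs):
    """Build the Output Contract from every recorded run, grouped by case ID."""
    out = {k: [] for k in ("executed_cases", "confirmed_findings", "negative_cases", "blocked_cases", "evidence_index")}
    for case_id in sorted({r.case_id for r in all_runs}):
        verdict, why, score = classify_case([r for r in all_runs if r.case_id == case_id])
        out["executed_cases"].append(case_id)
        if verdict in out:  # "retest" is executed but unresolved, so it lands in no verdict bucket
            out[verdict].append(case_id)
        out["evidence_index"].append({"case_id": case_id, "verdict": verdict, "rationale": why, "reproducibility": round(score, 2)})
    return out

SAMPLE = [  # constructed sample runs (variant labels only, no payload content)
    Run("IDOR-01", "base", False, 0), Run("IDOR-01", "foreign-id", True, 3),
    Run("IDOR-01", "foreign-id", True, 3), Run("IDOR-01", "expected-secure", False, 0),
    Run("XSS-02", "base", False, 0), Run("XSS-02", "attr-ctx", True, 1), Run("XSS-02", "attr-ctx", False, 0),
    Run("SQLI-03", "base", False, 0, blocked=True), Run("SQLI-03", "bool", False, 0, blocked=True),
    Run("CSRF-04", "base", False, 0), Run("CSRF-04", "token-stripped", False, 0),
]
```

`package(SAMPLE)` confirms only IDOR-01, marks CSRF-04 negative and SQLI-03 blocked, and leaves XSS-02 as executed with a `retest` entry in `evidence_index` because its step-1 signal fired in only one of two runs.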