operant-mcp

Test WHERE clause bypass via OR 1=1 variants. Sends multiple payloads (OR 1=1--, OR '1'='1, OR 1=1/*, etc.) against the target parameter and compares response lengths to the baseline. Returns baseline_length and results array. Side effects: None (read-only GET requests). Sends 7 requests total.

Bypass login via SQL comment truncation (administrator'--). Extracts CSRF token from form, then POSTs with SQLi in the username field. The -- comment truncates the password check. Returns csrf_extracted, status_code, response_length, headers, likely_bypass.

Step-by-step UNION-based data extraction. 1. Finds column count via ORDER BY. 2. Identifies string-displayable columns via UNION SELECT. 3. Extracts database name and version. 4. Lists tables and columns. Returns column_count, string_columns, db_name, db_version, tables, user_columns. Side effects: Read-only GET requests. Sends ~30 requests depending on column count.

Boolean-based blind SQLi with binary search character enumeration. Uses ASCII(SUBSTRING(...))>N technique with binary search for efficiency. Determines true/false by comparing response lengths. Returns extracted_value, characters_found, requests_sent. Side effects: Read-only. Sends ~8 requests per character (binary search on ASCII 32-126).

Time-based blind SQLi detection for MySQL, PostgreSQL, and MSSQL. Sends sleep-inducing payloads and measures response time to detect injection. Returns vulnerable, dbtype, and results array with payload, response_time, triggered. Side effects: Read-only but slow (each payload waits up to delay_seconds). Sends 3 requests.

Read server files via UNION SELECT LOAD_FILE(). Requires MySQL FILE privilege. Uses LOAD_FILE() in a UNION SELECT. Returns file_content, success, target_file. Errors: FILE privilege required. Returns empty if privilege denied.

Test multiple reflected XSS vectors against a parameter. Sends 10 payloads (script tags, event handlers, SVG, attribute injection, case variation, template literals) and checks if they appear unescaped in the response. Returns results array with reflected/encoded/status per payload, and vulnerable_count. Side effects: Read-only GET requests. Sends 10 requests.

Generate context-appropriate XSS payloads with optional filter evasion. Returns a list of payloads tailored to the injection context and filter bypass requirements. Returns context, filter_bypass, payloads array, notes. Side effects: None. Pure payload generation, no network requests.

Test command injection using various shell operators. Tests ;, &&, ||, |, backtick, $(), and %0a (newline) operators with 'id' and 'whoami' as detection commands. Returns results array with operator, payload, status, output_snippet, likely_vulnerable. Side effects: Read-only detection commands (id, whoami). Sends ~14 requests.

Detect blind command injection via time delay and OOB callbacks. Tests sleep-based delay detection and optional out-of-band (curl/nslookup to callback). Returns time_based results array and oob_payloads list. Side effects: Executes sleep on target if vulnerable. OOB payloads call back to callback_url.

Test path traversal with encoding variants at multiple depths. Tries plain ../, URL-encoded %2e%2e/, double-encoded %252e%252e/, and null-byte/truncation bypasses. Returns results array with payload, status, length, contains_target per attempt, and vulnerable_payloads list. Side effects: Read-only GET requests. Sends ~32 requests.

Test SSRF with localhost bypass variants. Sends 10+ representations of localhost (127.0.0.1, 0, decimal, hex, IPv6, etc.) to check if the server fetches internal resources. Returns results array with variant, payload_url, status, length, different_from_baseline per attempt. Side effects: May cause the target server to make internal requests.

Test SSRF access to cloud metadata endpoints (AWS/GCP/Azure). Attempts to reach instance metadata services through the SSRF vector. Returns results array with provider, endpoint, status, length, response_snippet. Side effects: May cause target to request cloud metadata. Could expose IAM credentials if successful.

Get protocol hierarchy and endpoint statistics from a PCAP. Returns protocol_hierarchy, endpoints, packet_count, and capture_info. Read-only file analysis, no network access.

Extract credentials from FTP, HTTP, and SMTP traffic. Returns ftp_credentials, http_authorization_headers, http_post_data, and smtp_data. Read-only, may contain sensitive credentials.

Extract and analyze DNS queries from a PCAP. Returns dns_queries_by_frequency, dns_servers, and ipv6_dns_endpoints. Read-only file analysis.

Export HTTP objects (files) from a PCAP to a directory. Returns exported_count, output_dir, files list, and tshark_output. Creates files in the output directory.

Detect port scans by analyzing SYN packets without ACK. Returns scanners (ip + syn_count), top_scanned_ports, and a hint. Read-only file analysis.

Follow a TCP/UDP/HTTP stream in a PCAP. Returns stream_content, stream_num, and protocol. Read-only file analysis.

Analyze TLS handshakes, SNI values, and certificate data in a PCAP. Returns sni_values, tls_versions, server_ephemeral_keys, and client_randoms. Read-only file analysis.

Detect LLMNR poisoning and extract NTLM credentials from SMB. Returns llmnr_queries, ntlm_auth_entries, counts, and poisoning_indicators. Read-only file analysis.

Quick reconnaissance: robots.txt, security.txt, common dirs, response headers. Returns robots_txt, security_txt, response_headers, accessible_directories, and error_page_snippet. Read-only, sends ~10 GET requests.

Full DNS enumeration: A, AAAA, MX, TXT, NS, CNAME, AXFR, BIND version. Returns records object, axfr_result, and bind_version. Read-only DNS queries.

Brute-force virtual hosts by fuzzing the Host header. Returns baseline_length, results (vhost/status/length/length_delta), unique_vhosts, and tested count. Read-only, sends one request per wordlist entry.

Extract Subject Alternative Names from the TLS certificate. Returns common_name, subject_alternative_names, issuer, validity, and san_count. Read-only TLS handshake.

Directory brute-force using parallel curl requests. Returns results (path/status/length), found_count, and paths_tested. Read-only GET requests, sends one request per wordlist entry per extension.

Search git history for secrets: commit messages, author info, branches, deleted files. Returns secrets_in_code_history, unique_authors, branches, deleted_files_summary, and suspicious_commit_messages. Read-only git operations on local repository.

Test an S3 bucket for public access (listing, reading). Returns bucket_url, listable, listing_snippet, and readable_files. Read-only requests to S3.

Run a Volatility 2 Linux plugin against a memory dump. Returns plugin, profile, success, output, and errors. Read-only analysis. Requires volatility2 (vol.py) on PATH.

Run a Volatility 3 Windows plugin against a memory dump. Returns plugin, success, output, and errors. Read-only analysis, Volatility 3 auto-detects OS. Requires vol3 (vol) on PATH.

Check for rootkits via syscall table tampering and hidden kernel modules. Runs linux_check_syscall and linux_hidden_modules plugins. Returns syscall_check, hidden_modules, rootkit_indicators, and likely_compromised. Read-only analysis.

Full malware document analysis pipeline.

1. oledump.py — list OLE streams, identify macro-containing streams (marked 'M')

2. olevba — extract VBA macro code

3. Identify auto-execution triggers (Document_open, AutoOpen, Workbook_Open)

4. Look for obfuscation patterns and base64 payloads

5. Search for PowerShell, WMI, and shell execution indicators

Returns: {"ole_streams": str, "vba_macros": str, "auto_exec_triggers": [str], "suspicious_strings": [str], "iocs": [str]}.

Side effects: Read-only file analysis. Does NOT execute any payloads.

Errors: Requires oledump.py and olevba (pip install oletools).

Extract raw VBA macros from an OLE document.

Returns: {"macros": str, "stream_count": int, "macro_streams": [str]}.

Side effects: Read-only file analysis.

Parse and analyze AWS CloudTrail logs.

Extracts event timeline, unique users, event types, and source IPs.

Returns: {"event_count": int, "unique_users": [str], "event_types": [str], "source_ips": [str], "timeline": str}.

Side effects: Read-only file analysis. Requires jq.

Find anomalies in CloudTrail logs: non-AWS IPs, unusual API calls, role assumptions.

Returns: {"non_aws_ips": [str], "unusual_events": [str], "role_assumptions": [str], "data_exfil_indicators": [str]}.

Side effects: Read-only file analysis.

Extract CSRF tokens from HTML forms.

Searches for the token in hidden input fields, meta tags, and script blocks.

Returns: {"tokens_found": [{"source": str, "value": str}], "cookies": [str]}.

Side effects: Single GET request.

Username enumeration and credential brute-force.

First enumerates valid usernames (if failure messages differ), then brute-forces passwords against confirmed usernames.

Returns: {"username_enumeration": [{"username": str, "exists": bool}], "valid_credentials": [{"username": str, "password": str}], "requests_sent": int}.

Side effects: Sends login requests. May trigger account lockout.

Errors: Rate limiting may block requests. Use realistic credentials to avoid WAF detection.

Test cookie manipulation for privilege escalation.

Sends requests with tampered cookie values and checks for access.

Returns: {"results": [{"cookies": dict, "status": int, "length": int, "response_snippet": str}]}.

Side effects: Sends GET requests with manipulated cookies.

Test Insecure Direct Object References by iterating through IDs/GUIDs.

Sends requests with each ID and compares response status codes and lengths. Differing responses suggest IDOR — the server returns data for other users' objects without proper authorization checks.

Returns: {"baseline": dict, "results": [{"id": str, "status": int, "length": int, "different": bool, "snippet": str}], "idor_candidates": [str]}.

Side effects: Read-only requests. Sends len(id_list) + 1 requests.

Errors: ConnectionError if target unreachable.

Test cookie/parameter-based role escalation.

Sends requests with various role cookie values (Admin=true, roleid=2, etc.) and checks for privilege escalation. Also tests JSON body field manipulation for profile update endpoints.

Returns: {"baseline": dict, "results": [{"value": str, "status": int, "length": int, "escalated": bool}], "escalation_candidates": [str]}.

Side effects: If json_body is set, sends POST/PUT requests that may modify state.

Test client-side price manipulation by sending modified price values.

Sends price=0, price=1, price=-1, and negative quantity variants to check if the server validates prices server-side.

Returns: {"results": [{"test_case": str, "payload": str, "status": int, "length": int, "accepted": bool, "snippet": str}]}.

Side effects: May add items to cart or create orders at manipulated prices.

Test coupon stacking and alternation bypass.

Tests each coupon individually, then alternates between coupons to see if discounts compound past the intended limit.

Returns: {"individual_results": [...], "stacking_results": [...], "stacking_possible": bool}.

Side effects: Applies coupons to the cart. May modify cart totals.

Check X-Frame-Options and CSP frame-ancestors headers; generate PoC iframe HTML. Fetches response headers and checks for framing protections. If protections are missing, generates a ready-to-use PoC HTML page that embeds the target in a transparent iframe with a decoy button overlay. Returns: {headers, x_frame_options, csp_frame_ancestors, vulnerable, poc_html}. Side effects: Single HEAD/GET request.

Test sandbox attribute bypass for JavaScript frame busters. Generates PoC HTML that uses iframe sandbox='allow-forms' to disable JavaScript execution (neutralizing frame-busting code) while still allowing form submission for clickjacking. Also checks if the target page contains common frame-busting patterns. Returns: {frame_buster_detected, patterns_found, sandbox_poc_html}. Side effects: Single GET request to detect frame-busting code.

Test CORS misconfigurations: origin reflection, null origin trust, subdomain wildcards. Sends requests with various Origin headers and checks Access-Control-Allow-Origin and Access-Control-Allow-Credentials in the response. Misconfigurations allow attacker sites to read authenticated API responses. Returns: {results: [{test, origin_sent, acao, acac, vulnerable}], exploit_html}. Side effects: Read-only requests with custom Origin headers. Sends ~8 requests.

Test web shell upload with Content-Type bypass variants. Attempts to upload a PHP web shell using various techniques: 1) Direct .php upload 2) .php with image/jpeg Content-Type (Content-Type bypass) 3) Alternative extensions (.php5, .phtml, .phar, .php7, .phps) 4) Double extension (.php.jpg) 5) Null byte (.php%00.jpg). After each upload, attempts to access the uploaded file to check execution. Returns: {results: [{technique, upload_status, execution_status, output, successful}]}. Side effects: Uploads files to the server. May achieve remote code execution.

Test NoSQL operator injection ($ne, $gt, $regex) for authentication bypass. Sends payloads that abuse MongoDB query operators to bypass password checks. E.g., {"username":"admin","password":{"$ne":""}} matches any non-empty password. Returns: {results: [{payload_name, status, length, likely_bypass, snippet}]}. Side effects: Sends POST requests to the login endpoint. May create sessions.

Test NoSQL injection detection in query parameters. Tests MongoDB operator injection ($ne, $gt, $regex, $where) in GET parameters and JSON body to detect NoSQL injection points. Returns: {baseline, results: [{payload_name, status, length, different}], injectable}. Side effects: Read-only. Sends ~10 requests.

Detect and manipulate serialized objects in cookies. Analyzes cookie values for serialization patterns (PHP serialize, Java, .NET ViewState, base64-encoded JSON). If a serialized format is detected, attempts privilege escalation by modifying fields (admin=1, role=admin). Returns: {detection: {format, decoded, fields}, manipulation_results: [...]}. Side effects: Sends requests with modified cookies. May escalate privileges if successful.

Run introspection query to enumerate all types, fields, and mutations. Sends the standard GraphQL introspection query (__schema) to discover the full API schema including hidden/undocumented fields, mutations, and types. Returns: {introspection_enabled, types: [{name, kind, fields: [str]}], mutations: [str], queries: [str]}. Side effects: Single POST request. Read-only.

Find hidden/undocumented fields on a GraphQL type using field suggestion errors. Sends queries with intentionally misspelled field names to trigger GraphQL's field suggestion feature, which reveals valid field names. Also tries common sensitive field names directly. Returns: {discovered_fields: [str], suggestion_results: [...], direct_probe_results: [...]}. Side effects: Read-only POST requests. Sends ~25 requests.