Red Team Agent
The Red Team Agent performs offensive security testing from an attacker’s perspective to identify exploitable vulnerabilities.
Overview
Agent Name: RedTeamerAgent
Scan Type: red-team
Credit Cost: 1 credit (standard), 0.5 (quick), 2 (comprehensive)
Target Types: Web applications, APIs, mobile backends
Capabilities
Offensive Testing
- Authentication Bypass
  - Default credentials testing
  - Authentication logic flaws
  - Session fixation
  - Password reset vulnerabilities
- Authorization Flaws
  - Insecure Direct Object Reference (IDOR)
  - Privilege escalation
  - Missing function-level access control
  - Horizontal/vertical privilege escalation
- API Security
  - REST API vulnerabilities
  - GraphQL injection
  - API rate limiting bypass
  - Mass assignment vulnerabilities
- Injection Attacks
  - SQL injection
  - NoSQL injection
  - Command injection
  - LDAP/XML injection
- Session Management
  - Session hijacking vectors
  - Cookie security issues
  - JWT vulnerabilities
  - Token manipulation
- CORS & Security Headers
  - CORS misconfiguration
  - Missing security headers
  - Clickjacking vulnerabilities
  - Content Security Policy bypasses
Usage
CLI
```bash
# Basic red team scan
alprina scan https://api.example.com --type red-team

# Comprehensive penetration test
alprina scan https://api.example.com --type red-team --profile comprehensive

# Quick vulnerability check
alprina scan https://api.example.com --type red-team --profile quick

# With specific tests
alprina scan https://api.example.com --type red-team \
  --test-authentication \
  --test-authorization \
  --test-injection
```
API
```bash
curl -X POST https://api.alprina.com/v1/scan/red-team \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "target": "https://api.example.com",
    "scan_profile": "comprehensive",
    "options": {
      "test_authentication": true,
      "test_authorization": true,
      "test_rate_limiting": true,
      "test_injection": true,
      "test_cors": true
    }
  }'
```
Configuration Options
| Option | Type | Default | Description |
|---|---|---|---|
| `test_authentication` | boolean | true | Test auth bypass techniques |
| `test_authorization` | boolean | true | Test privilege escalation |
| `test_rate_limiting` | boolean | true | Test rate limit bypasses |
| `test_injection` | boolean | true | Test injection vulnerabilities |
| `test_cors` | boolean | true | Test CORS misconfigurations |
| `test_session` | boolean | true | Test session management |
| `max_depth` | integer | 3 | API endpoint discovery depth |
| `aggressive` | boolean | false | Enable aggressive testing |
Example Output
```json
{
  "scan_id": "scan_red123",
  "status": "completed",
  "agent": "RedTeamerAgent",
  "findings": [
    {
      "id": "finding_001",
      "severity": "critical",
      "category": "broken_authentication",
      "title": "JWT Token Lacks Expiration",
      "description": "JWT tokens do not have an expiration time, allowing indefinite access if stolen",
      "endpoint": "POST /api/auth/login",
      "exploit_scenario": "Attacker steals token via XSS, uses it indefinitely without re-authentication",
      "proof_of_concept": "curl -H 'Authorization: Bearer old_token_from_2023' https://api.example.com/api/user",
      "recommendation": "Add 'exp' claim to JWT with reasonable TTL (e.g., 1 hour). Implement token refresh mechanism.",
      "cvss_score": 9.1,
      "attack_complexity": "low",
      "cwe": "CWE-613",
      "owasp": "A07:2021 - Identification and Authentication Failures"
    },
    {
      "id": "finding_002",
      "severity": "high",
      "category": "authorization",
      "title": "IDOR Allows Access to Other Users' Data",
      "description": "User ID in URL can be modified to access other users' data without authorization check",
      "endpoint": "GET /api/users/{user_id}/profile",
      "exploit_scenario": "Attacker changes user_id parameter to view/modify other users' profiles",
      "proof_of_concept": "GET /api/users/123/profile (viewing user 456's profile)",
      "recommendation": "Implement proper authorization checks. Verify that authenticated user has permission to access requested resource.",
      "cvss_score": 8.2,
      "attack_complexity": "low"
    }
  ],
  "attack_surface": {
    "endpoints_tested": 47,
    "vulnerable_endpoints": 5,
    "authentication_bypasses": 1,
    "authorization_issues": 3,
    "injection_points": 1
  },
  "summary": {
    "total_findings": 12,
    "critical": 1,
    "high": 4,
    "medium": 5,
    "low": 2
  }
}
```
Attack Scenarios Tested
1. Authentication Bypass
Tests:
- SQL injection in login
- Default credentials
- Password reset token vulnerabilities
- Multi-factor authentication bypass
Example Finding:
```text
Finding: SQL injection in login form allows authentication bypass
Payload: admin' OR '1'='1'--
Impact: Full account takeover without credentials
```
2. IDOR (Insecure Direct Object Reference)
Tests:
- User ID manipulation
- Document ID enumeration
- Order ID brute forcing
Example Finding:
```text
Finding: User profile accessible via predictable ID
Request: GET /api/users/12345/profile
Attack: Change ID to 12346 to view other user's data
```
3. Privilege Escalation
Tests:
- Role manipulation
- Admin endpoint access
- Feature flag bypass
Example Finding:
```text
Finding: Regular user can access admin panel
Request: GET /api/admin/dashboard
Method: No authorization check on admin endpoints
```
4. JWT Vulnerabilities
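Added example, not Alprina's code or the scanned application's: a minimal HS256 verifier showing the server-side checks behind the JWT findings on this page (the missing `exp` claim in `finding_001` and acceptance of the `none` algorithm). The key, clock value and tokens are constructed for the example, and the helper names are hypothetical.

```python
import base64, hashlib, hmac, json, time

ALLOWED_ALGS = ("HS256",)  # pinned by the server; the token header never picks it

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header, claims, key):
    """Issue a compact HS256 token (builds the constructed samples below)."""
    body = ".".join(b64url(json.dumps(p).encode()) for p in (header, claims))
    return body + "." + b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify(token, key, now=None):
    """Return the claims, or raise ValueError naming the check that failed."""
    now = time.time() if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header, claims = json.loads(unb64url(head_b64)), json.loads(unb64url(claims_b64))
        alg, exp, sig = header.get("alg"), claims.get("exp"), unb64url(sig_b64)
    except (ValueError, AttributeError) as exc:  # bad base64/JSON or not JSON objects
        raise ValueError("malformed token") from exc
    if alg not in ALLOWED_ALGS:  # rejects "none" and any unexpected algorithm
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("missing exp claim")  # without exp the token never expires
    if now >= exp:
        raise ValueError("token expired")
    return claims

def outcome(token, key, now):
    try:
        verify(token, key, now)
        return "accepted"
    except ValueError as exc:
        return str(exc)

# Constructed samples: the key, clock value and tokens are made up for this example.
KEY, NOW = b"constructed-demo-key", 1_700_000_000
HDR = {"alg": "HS256", "typ": "JWT"}
GOOD = sign(HDR, {"sub": "user-1", "exp": NOW + 600}, KEY)
NO_EXP = sign(HDR, {"sub": "user-1"}, KEY)
UNSIGNED = sign({"alg": "none", "typ": "JWT"}, {"sub": "admin", "exp": NOW + 600}, KEY)
UNSIGNED = UNSIGNED.rsplit(".", 1)[0] + "."  # signature removed, as in the finding
print({n: outcome(t, KEY, NOW) for n, t in (("good", GOOD), ("no exp", NO_EXP), ("alg none", UNSIGNED))})
```

The algorithm check runs before signature verification, so a header can never downgrade the verifier; a production service would normally use a maintained JWT library configured with the same pinned algorithm list and a required `exp`.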
Tests:
- Algorithm confusion (none attack)
- Token expiration bypass
- Key confusion attacks
Example Finding:
```text
Finding: JWT accepts 'none' algorithm
Attack: {"alg":"none","typ":"JWT"} with removed signature
Impact: Forge arbitrary authentication tokens
```
Best Practices
1. Safe Testing
Always get authorization:
```bash
# Only test systems you own or have written permission to test
alprina scan https://your-staging-api.com --type red-team
```
Use safe-only mode:
```bash
# Prevents potentially harmful tests
alprina scan https://api.example.com --type red-team --safe-only
```
2. Scope Definition
Define what’s in scope:
```yaml
# .alprina-policy.yaml
allowed_targets:
  - "https://staging.example.com/*"
  - "https://dev.example.com/*"
blocked_targets:
  - "https://production.example.com/*"
  - "https://api.thirdparty.com/*"
```
3. Responsible Disclosure
When vulnerabilities are found:
- Document the finding
- Report to security team immediately
- Do not exploit beyond proof of concept
- Follow responsible disclosure timeline
4. Integration with CI/CD
Run red team tests in staging:
```yaml
# GitHub Actions
- name: Red Team Security Test
  run: alprina scan https://staging.example.com --type red-team --fail-on critical
  env:
    ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}
```
Common Vulnerabilities Found
SQL Injection
Detection:
```text
Request: GET /api/search?q=test' OR '1'='1
Response: Database error or unexpected data
```
Fix:
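```python
# Bad: user input is interpolated into the SQL text, so it can change the query
query = f"SELECT * FROM users WHERE name = '{user_input}'"

# Good: parameterized query; the driver binds user_input as data, not as SQL
query = "SELECT * FROM users WHERE name = ?"
cursor.execute(query, (user_input,))
```
Broken Access Control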
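Added example, not Alprina's code or the scanned application's: both access-control findings on this page, the admin endpoint reachable by a regular user and the IDOR on `/api/users/{user_id}/profile`, come down to a missing server-side check. The `require_role` decorator body, the `Principal` type, `status` helper and in-memory `PROFILES` data are hypothetical stand-ins for a real framework and database.

```python
from dataclasses import dataclass
from functools import wraps

class Forbidden(Exception):
    """A real handler would map this to HTTP 403."""

@dataclass(frozen=True)
class Principal:  # the authenticated caller, built from the session or token
    user_id: int
    roles: frozenset

# Constructed data standing in for the users table.
PROFILES = {123: {"email": "a@example.com"}, 456: {"email": "b@example.com"}}

def require_role(role):
    """Function-level check: refuse the call unless the caller holds `role`."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(principal, *args, **kwargs):
            if role not in principal.roles:
                raise Forbidden(f"role {role!r} required")
            return handler(principal, *args, **kwargs)
        return wrapper
    return decorator

@require_role("admin")
def get_all_users(principal):
    return sorted(PROFILES)

def get_profile(principal, user_id):
    """Object-level check: the ID from the URL is untrusted input."""
    # Authorize before the lookup so a 403 does not reveal which IDs exist.
    if user_id != principal.user_id and "admin" not in principal.roles:
        raise Forbidden("not the caller's profile")
    return PROFILES[user_id]

def status(handler, *args):
    """Status code a web layer would return for this call."""
    try:
        handler(*args)
        return 200
    except Forbidden:
        return 403
    except KeyError:
        return 404

ALICE = Principal(123, frozenset({"user"}))   # constructed regular user
ADMIN = Principal(1, frozenset({"admin"}))    # constructed administrator
print(status(get_profile, ALICE, 123), status(get_profile, ALICE, 456),
      status(get_all_users, ALICE), status(get_all_users, ADMIN))
```

A role decorator alone does not stop IDOR: `get_profile` is available to every authenticated user, so the ownership comparison has to happen per object.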
Detection:
```text
Request: GET /api/admin/users (as regular user)
Response: 200 OK with user list
```
Fix:
```python
# Add authorization check
@require_role('admin')
def get_all_users():
    return User.query.all()
```
CORS Misconfiguration
Detection:
```text
Request: Origin: https://evil.com
Response: Access-Control-Allow-Origin: *
```
Fix:
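```javascript
// Bad: every origin is allowed
res.header('Access-Control-Allow-Origin', '*');

// Good: echo the request's Origin only when it is on an explicit allowlist
const allowedOrigins = ['https://app.example.com'];
const origin = req.headers.origin; // assumes an Express-style req in scope
if (allowedOrigins.includes(origin)) {
  res.header('Access-Control-Allow-Origin', origin);
}
```
Performance Tips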
- Start with Quick Profile: Fast initial assessment
  ```bash
  alprina scan https://api.example.com --type red-team --profile quick
  ```
- Target Specific Endpoints: Faster focused testing
  ```bash
  alprina scan https://api.example.com/api/v1 --type red-team
  ```
- Use Allowlist: Test only relevant endpoints
  ```yaml
  endpoints:
    - /api/auth/*
    - /api/users/*
  ```
Limitations
- Does not perform active exploitation beyond proof of concept
- May miss vulnerabilities requiring complex attack chains
- Cannot test client-side vulnerabilities (XSS in browser)
- Requires network access to target
- Rate limiting may slow down comprehensive scans
Compliance
Red Team Agent helps identify issues related to:
- OWASP Top 10 2021
- PCI DSS - Requirement 6.5 (Secure Coding)
- ISO 27001 - A.14.2 (Security in Development)
- NIST 800-53 - SA-11 (Developer Security Testing)
Related
- Blue Team Agent - Defensive perspective
- API Reference - Red Team Scanning
- Penetration Testing Guide
- Responsible Disclosure