Pentest Exploit Validation

Purpose

Validate vulnerability findings through proof-driven exploitation using Shannon's 4-level evidence system. Consumes the exploitation queue from white-box code review, attempts structured exploitation with bypass exhaustion, collects mandatory evidence per vulnerability type, and classifies each finding as EXPLOITED, POTENTIAL, or FALSE_POSITIVE.

Prerequisites

Authorization Requirements

Written authorization

with explicit scope for active exploitation testing

Exploitation queue JSON

from pentest-whitebox-code-review output

Test accounts

at multiple privilege levels for authz testing

Data exfiltration approval

— confirm acceptable proof-of-concept scope

Rollback plan

for any data-mutating exploits

Environment Setup

sqlmap for automated SQL injection exploitation

Burp Suite Professional with Repeater, Intruder, and Turbo Intruder

curl for manual HTTP request crafting

Playwright for browser-based exploitation (XSS, CSRF)

nuclei with custom templates for automated validation

Isolated testing environment or explicit production testing approval

Core Workflow

Queue Intake

Parse exploitation queue JSON, validate schema, prioritize by confidence score and impact severity. Group findings by vulnerability type for parallel exploitation.

Injection Exploitation

Confirm injectable parameter → fingerprint backend (DB type, OS) → enumerate databases/tables → demonstrate data exfiltration with minimal footprint.

XSS Exploitation

Graph traversal from source → processing → sanitization → sink. Craft context-appropriate payload, demonstrate session hijack or DOM manipulation.

Auth Exploitation

Attack authentication weaknesses → demonstrate account takeover via credential stuffing, token forgery, or session hijack.

Authz Exploitation

Horizontal access (cross-user data) → vertical escalation (admin functions) → workflow bypass (state manipulation).

SSRF Exploitation

Internal service access → cloud metadata retrieval (169.254.169.254) → internal network reconnaissance.

Bypass Exhaustion

For each finding, attempt 3 initial payloads → if blocked, escalate to 8-10 bypass variations → if still blocked, deploy automated tool variants.

Impact Escalation

Escalate from proof-of-concept to real impact demonstration — data exfiltration, session hijacking, or remote code execution.

Evidence Collection

Collect mandatory evidence per vulnerability type using per-type checklists.

Classification

Assign final classification — EXPLOITED, POTENTIAL, or FALSE_POSITIVE — based on 4-level proof system. 4-Level Proof System Level Description Classification L1 Weakness identified in code but not confirmed exploitable POTENTIAL L2 Partial bypass achieved but full exploitation not demonstrated POTENTIAL L3 Vulnerability confirmed with reproducible evidence EXPLOITED L4 Critical impact demonstrated (data exfil, RCE, account takeover) EXPLOITED CRITICAL Classification Criteria Classification Criteria EXPLOITED Reproducible proof with evidence: HTTP request/response, extracted data, or demonstrated impact POTENTIAL Code-level weakness confirmed but exploitation blocked by defense-in-depth or environment constraints FALSE_POSITIVE Taint analysis flagged but manual review confirms effective sanitization or unreachable code path Tool Categories Category Tools Purpose SQL Injection sqlmap, manual payloads Automated and manual SQLi exploitation Request Crafting Burp Repeater, curl Manual HTTP request manipulation Fuzzing Burp Intruder, Turbo Intruder Payload variation and bypass testing Browser Exploitation Playwright XSS demonstration, session hijack Automation nuclei, custom scripts Template-based vulnerability validation Evidence Capture Burp Logger, screenshot tools Request/response logging and proof References references/tools.md - Tool function signatures and parameters references/workflows.md - Exploitation workflows, evidence checklists, and classification tree