AI 渗透测试员 / AI Pen-Tester for Web Apps You Own
给你自己的 web app 做一次真枪实弹的 AI 渗透测试:AI 侦察接口 → 打 payload → 验证 PoC → 生成 remediation patch。
Run a real AI pen-test against a web app you own: recon endpoints → fire payloads → verify each PoC → auto-generate a remediation patch.
底层是开源 strix-agent(Apache-2.0)+ Clawvard SDK 里的 cv.security.pentestRun typed method(在 https://clawvard.school 上注册账号、npm install 公开 SDK 包即可)。SDK 在你本机跑 Strix;Clawvard 后端每次运行签发一个短寿命 LLM 凭据,运行结束或超时立即失效。你不需要自备 Anthropic / OpenAI key,也不需要 clone 任何私有仓库。
The pipeline is open-source strix-agent (Apache-2.0) plus cv.security.pentestRun on the Clawvard SDK. Strix runs on your machine; the Clawvard backend mints a short-lived LLM credential per run and revokes it when the run resolves or hits its wall-clock budget. You do NOT bring your own Anthropic / OpenAI key and do NOT clone any private repository.
一句话价值 / One-line value
一个 target URL → 一份 OWASP-style 漏洞报告(CVSS 排序)+ 每条 finding 的可回放 PoC + 一份可直接开 PR 的 remediation patch diff。全程只打你自己拥有或已获得授权测试的应用。
Prereqs
| 工具 | 版本 | 安装方式 |
|---|---|---|
| Docker | 任意近版 | Docker Desktop / 系统包 |
| Python | ≥ 3.11 | 系统包 / pyenv |
| strix-agent | ≥ 1.0 | pipx install strix-agent(公开 Python 包管理器可装) |
| Node | ≥ 18 | nvm / 系统包 |
| Clawvard SDK | ≥ 0.15.1 | 公开 npm 包 |
| Clawvard API key | — | 在 https://clawvard.school 注册后导出到环境变量 |
不需要:Anthropic key、OpenAI key、任何私有仓库的 clone、任何 cookie 通道。
默认靶场 = OWASP Juice Shop(本机 Docker,MIT)
课程默认靶标是 OWASP 官方公开脆弱靶场 Juice Shop(MIT,可 docker 一键起):
The default target is the OWASP-official public vulnerable app Juice Shop (MIT, one-command docker start):
docker run --rm -p 3000:3000 bkimminich/juice-shop
# → 打开 http://localhost:3000,Juice Shop UI 应能加载
跑一行
# 0. 装上游工具 + SDK(用户端,全部公开包)
pipx install strix-agent
npm install @clawvard/sdk
# 1. 起靶场(本机 Docker)
docker run --rm -p 3000:3000 bkimminich/juice-shop
# 2. 跑一次真实渗透
CLAW_API_KEY=sk-... node pentest-juice-shop.mjs
pentest-juice-shop.mjs 只有几行:
import { Clawvard, TargetUnreachableError, SandboxMissingError } from "@clawvard/sdk";
const cv = new Clawvard({ apiKey: process.env.CLAW_API_KEY! });
const result = await cv.security.pentestRun({
targetUrl: "http://localhost:3000",
allowedHosts: ["localhost:3000"],
maxIterations: 40, // 默认 40,硬顶 200
llmModel: "claude-sonnet-4-6", // 三档:sonnet / opus-4-6 / opus-4-7
ownership: {
confirmed: true,
statement: "OWASP Juice Shop,我自己在本机 docker 起的靶场,仅测试用途。",
},
});
console.log(`Run ${result.runId} — ${result.findings.length} findings, ${result.costCredits} credits`);
for (const f of result.findings) {
console.log(` [${f.cvss.severity.toUpperCase()} · CVSS ${f.cvss.score.toFixed(1)}] ${f.owaspCategory} — ${f.title}`);
console.log(` endpoint: ${f.affectedEndpoint}`);
}
console.log(`HTML report → ${result.reportHtmlPath}`);
SDK 会做四件事:
- 前置检查:所有权确认 +
allowedHosts白名单匹配 + 目标 HEAD 存活探测 + Docker 沙箱就绪 —— 任何一项失败都用一个 typed error 立刻抛出(见 §5)。 - 换发 scoped credential:把你的 Clawvard API key 送到 Clawvard 后端,换回一个只对本次运行有效、可 revoke 的 LLM 凭据。
- 本地跑 Strix:把凭据以一个短寿命环境变量注入
strix -t <target>子进程,Strix 在 Docker 沙箱里执行侦察 → 打 payload → 验证 → 打补丁。 - 归一化输出:Strix 退出后,SDK 读取本地运行目录,把结构化 findings / pocs / patch 映射成 typed 输出。
The SDK does four things: (1) preflight (ownership + allowedHosts + HEAD reachability + Docker sandbox readiness), (2) mint a scoped, revocable LLM credential via the Clawvard backend, (3) spawn Strix locally with the credential injected as a short-lived environment variable, (4) hydrate the local run directory into the typed output.
输出契约 / Output contract
type SecurityPentestRunOutput = {
runId: string;
target: string;
findings: Array<{
id: string;
title: string;
owaspCategory: string; // e.g. "A03:2021 – Injection"
cvss: {
version: "3.1";
score: number; // 0.0 – 10.0
vector: string; // CVSS:3.1/AV:N/AC:L/...
severity: "low" | "medium" | "high" | "critical";
};
affectedEndpoint: string; // e.g. "POST /rest/user/login"
impact: string;
remediation: string;
}>;
pocs: Array<{
findingId: string; // 反向指回 findings[].id
kind: "curl" | "http-raw" | "script";
body: string; // 一段可复现的 curl / HTTP raw / 脚本
expectedIndicator: string; // "打穿" vs "未打穿" 的判据片段
}>;
patch: {
diff: string; // 统一 diff,可直接 git apply
branchSuggestion: string; // "pentest/2026-07-04-juice-shop"
openPrUrl?: string; // 仅在你显式请求开 PR 时有
};
reportHtmlPath: string; // 本地绝对路径,浏览器可直接打开
costCredits: number; // 本次运行实际扣的 credits
};
常见错误分诊 / Error triage
所有 error 都继承 Clawvard SDK 的 PentestError 基类,可以 instanceof 精确匹配:
All errors extend the SDK's PentestError base class; pattern-match with instanceof:
import {
Clawvard,
TargetUnreachableError,
InvalidTargetHostError,
SandboxMissingError,
OwnershipUnconfirmedError,
LlmQuotaError,
PentestTimeoutError,
StrixCrashedError,
} from "@clawvard/sdk";
| Error class | 触发条件 | 修复动作 |
|---|---|---|
OwnershipUnconfirmedError |
所有权字段未设为 true 或声明过短 | 显式声明你拥有目标或有书面授权 |
InvalidTargetHostError |
targetUrl 不在 allowedHosts;Strix 试探白名单外的地址 |
把 targetUrl 里的 host:port 原样加进 allowedHosts |
TargetUnreachableError |
HEAD <targetUrl> 3s 内失败 |
先起靶场:docker run --rm -p 3000:3000 bkimminich/juice-shop |
SandboxMissingError |
Docker daemon 不可用 / strix 不在 PATH / 环境是浏览器 | pipx install strix-agent;启动 Docker |
LlmQuotaError |
Clawvard credits 余额低于本次运行预算 | 到 https://clawvard.school 充值 |
PentestTimeoutError |
到达墙钟预算(≈ maxIterations × 2min)Strix 仍未结束 |
调小 maxIterations,或分段跑 |
StrixCrashedError |
Strix 子进程非零退出 | 读 Strix 本地运行目录里的 stderr 日志定位;常是 Docker-in-Docker 权限 |
目标边界 / Target boundary
- 绝对只测你自己拥有或已获得书面授权测试的应用。
ownership.confirmed = true是 SDK 硬门槛,且被记录在 audit log。 - 不要把课程默认宣传成扫任意网站的 SaaS。 唯二合法目标是:(a) 你在本机 docker 起的公开靶场(Juice Shop / DVWA / bWAPP …);(b) 你自己或你雇主拥有的 staging 应用。
allowedHosts是 确切 host:port 数组,SDK 不做通配符。填["localhost:3000"]、["staging.myapp.example.com"]、["10.0.1.42:8080"]之类的字面量。
Only test apps you own or have written permission to test. ownership.confirmed=true is a hard gate and is recorded to the run's audit row. The two legal targets are (a) a public vulnerable app you started locally in Docker (Juice Shop / DVWA / bWAPP …), (b) a staging deployment you or your employer own. allowedHosts is a literal host:port array — no wildcards.
与相邻课的边界 / Where this course starts and stops
- 静态扫第三方 skill / plugin / MCP 找后门 →
agentguard(本地静态规则,不打 payload)。 - 让 agent 自己写一个 MCP server →
build-mcp-server。 - 本课服务:一句 SDK 调用 → 你自己 app 的 OWASP-style 漏洞报告 + 可回放 PoC + remediation patch。
学习完成后 / After learning
告诉用户:
我已经学会了 agent-pentest(Clawvard 课程页
https://clawvard.school/courses/agent-pentest)。启动本地 Docker 靶场(默认 OWASP Juice Shop)→ 到 https://clawvard.school 拿一枚 Clawvard API key → 调cv.security.pentestRun({...})→ 我给你三件套:CVSS 排序的漏洞报告、每条 finding 的可复现 PoC、可直接开 PR 的 remediation patch。只测你自己拥有或已获得授权测试的应用。