一键导入
cross-wave-delta-analysis
Compare recon waves to find NEW, REGRESSED, PERSISTENT findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Compare recon waves to find NEW, REGRESSED, PERSISTENT findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | cross-wave-delta-analysis |
| description | Compare recon waves to find NEW, REGRESSED, PERSISTENT findings. |
| version | 1.0.0 |
| author | uphiago |
| license | MIT |
| tags | ["meta","wave","delta","comparison","analysis"] |
| category | meta |
| related_skills | ["recon-playbook","cross-attack-chains","cors-credential-wordpress","xmlrpc-exploitation","attack-patterns-reference","parallel-recon-triad"] |
Methodology for comparing findings across multiple recon waves on the same target set. Detects NEW findings, REGRESSIONS (previously open now blocked), PERSISTENT vulnerabilities, and CHANGES over time. Distilled from 9 waves across 7 deep targets that revealed missed CORS findings, new port exposures, and infrastructure drift.
/root/output/recon_us/deep/waveN/./root/output/recon_us/deep/waveN+1/.# Produce a delta report comparing WaveN to WaveN+1
# Read wave outputs, compare per-target, classify findings
| Category | Label | Meaning | Example |
|---|---|---|---|
| NEW | ++ | Finding that didn't exist in any prior wave | Port 3306 (MySQL) now OPEN |
| REGRESSION | -- | Service that was accessible but is now blocked | XMLRPC 200 -> 405 (hardened) |
| PERSISTENT | == | Vulnerability unchanged across all waves | CORS still reflecting since wave6 |
| CHANGE | ~ | Configuration changed but not a regression | WP users: 10 in wave7, 9 in wave9 |
| REVERSED | -> | A regression that was later undone (mitigation removed) | XMLRPC 405 (W9) -> 200 active (W10) |
Reversed findings are regressions that later reverted to the original vulnerable state. This happens when:
Treat REVERSED as actionable: the security team either doesn't know or doesn't care. These targets are high-priority because their protection is unreliable.
| Field | How to Check | What Delta Means |
|---|---|---|
| XMLRPC status | HTTP status of POST /xmlrpc.php | 200 -> 405 = REGRESSION (hardened) |
| CORS headers | ACAO + ACAC on /wp/v2/users | Reflecting -> No headers = REGRESSION |
| WP Users | Count from /wp/v2/users | Count change = CHANGE |
| Open ports | nmap or naabu output | New port = NEW (surface expanded) |
| Subdomains | subfinder output | New subs = NEW |
| Sensitive paths | HTTP status for .env, info.php, etc | Previously 200 -> 403 = REGRESSION |
WAVE_OLD="/root/output/recon_us/deep/wave6"
WAVE_NEW="/root/output/recon_us/deep/wave7"
echo "=== Comparing $WAVE_OLD vs $WAVE_NEW ==="
For each target present in both waves, compare XMLRPC status, CORS headers, open ports, WP users, and subdomains. Flag findings as NEW (not in prior wave), REGRESSION (previously working, now blocked), PERSISTENT (unchanged), or CHANGE (different but not blocked).
Signal critical deltas: new port 3306 (MySQL), new CORS credential reflections, new WP install pages, new subdomains with admin/staging patterns.
| Target | Wave8 State | Wave9 Delta | Category |
|---|---|---|---|
| wines.com | XMLRPC 200 (76 methods) | 200->301 redirect | REGRESSION |
| wines.com | No ports reported | MySQL 3306 + FTP 21 + IMAP 143 OPEN | NEW (6 ports) |
| restonic.com | NOT documented as CORS target | ALL endpoints reflect | NEW (missed W6-8) |
| realpro.com | CORS known | Exchange OWA + SSH 22 + VPN portal | NEW (10+ subdomains) |
| toolking.com | SliderRev known | CORS on ALL endpoints | NEW (missed W6-8) |
| patientportal.com | MySQL 3306 open | Still OPEN (4 waves!) | PERSISTENT |
Key insight: CORS was MISSED on restonic.com and toolking.com across 3 waves because only /wp/v2/users was tested. Always test ALL endpoints.
attack-patterns-reference — match findings to pattern IDs (P-01 to P-25)recon-playbook — the 4-phase pipeline that produces wave dataparallel-recon-triad — eternal cron orchestration that generates wavescross-attack-chains — chain NEW findings into critical impactcors-credential-wordpress — verify CORS findings classificationxmlrpc-exploitation — verify XMLRPC regression status