On this page

Proxy Agent

The proxy-agent is a subagent that orchestrates HTTP proxy-based web application security testing. It receives raw HTTP requests captured by the Firefox Extension and intelligently dispatches specialized vulnerability testing subagents based on request characteristics and accumulated session context.

Overview

The proxy-agent is a pure orchestrator — it does not perform vulnerability testing itself. Its role is to:

Receive a raw HTTP request for a single endpoint
Delegate architecture analysis to proxy-analyzer
Review accumulated session context (credentials, roles, objects, functions)
Intelligently select and launch appropriate vulnerability testing subagents
Process the re-test queue when new discoveries trigger follow-up tests

Agent Configuration

Property	Value
Agent ID	`proxy-agent`
Mode	`subagent`
Color	Blue
Can Read Session Context	Yes (`web_get_session_context`)
Writes Directly	No — delegates all writes to `proxy-analyzer`

How It Works

Orchestration Workflow

For each HTTP request the proxy-agent receives, it follows this workflow:

1. Review Credential Context
   └── Check auth state (authenticated / unauthenticated)

2. Analyze Architecture
   └── Always calls proxy-analyzer first
       ├── Extracts objects (data entities)
       ├── Extracts roles (user types)
       ├── Extracts functions (endpoint purposes)
       └── Extracts object values (IDs for IDOR testing)

3. Get Session Context
   └── Calls web_get_session_context
       ├── How many credentials are available?
       ├── What objects and fields are known?
       ├── What endpoints have been seen?
       └── Are there pending re-tests?

4. Intelligent Agent Selection
   └── Analyzes request surface + session context
       ├── What inputs does this endpoint accept?
       ├── Are there identifiers in the path or body?
       ├── What does the endpoint do (CRUD, auth, financial)?
       └── What context has been accumulated?

5. Launch Testing Agents in Parallel
   └── Dispatches 3–6 agents per request when relevant

6. Process Re-test Queue
   └── Feeds high-priority re-tests back as new requests

Available Testing Subagents

The proxy-agent dispatches these specialized testing subagents:

Subagent	Vulnerability Category	Triggered When
`proxy-analyzer`	Architecture extraction	Always — runs first
`proxy-tester-idor`	Insecure Direct Object Reference	Numeric/UUID identifiers in path, query, or body
`proxy-tester-authz`	Authorization bypass, broken access control	Multiple credentials available or protected endpoints
`proxy-tester-mass-assignment`	Mass assignment, field injection	POST/PUT/PATCH requests with body and known sensitive object fields
`proxy-tester-injection`	SQLi, XSS, SSTI, XXE, Command injection	Any endpoint accepting user input
`proxy-tester-authn`	Authentication bypass, JWT flaws, session attacks	Login, SSO, MFA, session management endpoints
`proxy-tester-business-logic`	Price manipulation, workflow bypass, rate limit abuse	Financial or multi-step transactional endpoints
`proxy-tester-ssrf`	Server-Side Request Forgery	Endpoints accepting URL/URI parameters
`proxy-tester-file-attacks`	File upload vulnerabilities, path traversal	File upload or file path parameter endpoints

Agent Selection Logic

The proxy-agent does not use rigid routing rules. It performs intelligent analysis based on two factors:

Request Surface Analysis

Signal	Agents Considered
Query parameters or body fields	`proxy-tester-injection`
Numeric/UUID identifiers in path	`proxy-tester-idor`
POST/PUT/PATCH with JSON body	`proxy-tester-mass-assignment`, `proxy-tester-injection`
`multipart/form-data`	`proxy-tester-file-attacks`
URL/URI parameter (`url`, `webhook`, `redirect`)	`proxy-tester-ssrf`
Login, SSO, or session endpoint	`proxy-tester-authn`
Financial fields (`total`, `price`, `balance`)	`proxy-tester-business-logic`
User-specific resource with auth required	`proxy-tester-authz`

Session Context Analysis

Context Signal	Effect on Agent Selection
Multiple credentials with different roles	Higher priority for `proxy-tester-authz`
Object IDs discovered from different credentials	High priority for `proxy-tester-idor`
Objects with sensitive fields (`role`, `is_admin`, `price`)	`proxy-tester-mass-assignment` relevant
Financial objects (`payment`, `order`, `balance`)	`proxy-tester-business-logic` relevant
JWT tokens in session	`proxy-tester-authn` can analyze algorithmic flaws

Decision-Making Examples

POST /api/users (Registration)

Request:  POST with body (email, password, name)
Session:  No credentials yet

✅ proxy-analyzer         — extract User object
✅ proxy-tester-injection  — test SQLi in email/name, XSS in name
✅ proxy-tester-authn     — test weak password policy, user enumeration
✅ proxy-tester-mass-assignment — test injecting role, is_admin fields
❌ proxy-tester-idor       — no IDs to manipulate
❌ proxy-tester-authz      — no auth required
❌ proxy-tester-ssrf       — no URL parameters
❌ proxy-tester-file-attacks — no file upload
❌ proxy-tester-business-logic — not transactional

GET /api/orders/573 (Single Credential)

Request:  GET with numeric ID in path
Session:  1 credential, Order object known

✅ proxy-analyzer          — extract order details
✅ proxy-tester-idor        — test ID manipulation: 572, 574, 1, 0, -1
✅ proxy-tester-authz       — test without credential, test guest access
❌ proxy-tester-injection   — no input parameters
❌ proxy-tester-mass-assignment — GET request

POST /api/checkout (Financial Transaction)

Request:  POST {"cart_id": 456, "total": 99.99, "payment_method": "credit_card"}
Session:  2 credentials, Order/Payment objects known

✅ proxy-analyzer
✅ proxy-tester-business-logic  — test negative total, zero, overflow, price manipulation
✅ proxy-tester-idor             — test cart_id manipulation
✅ proxy-tester-mass-assignment  — test injecting discount, admin_override fields
✅ proxy-tester-injection        — test SQLi/XSS in payment fields
✅ proxy-tester-authz            — test with different credentials
❌ proxy-tester-authn            — not auth endpoint
❌ proxy-tester-ssrf             — no URL parameters
❌ proxy-tester-file-attacks     — no file operations

GET /api/download?file=report.pdf (File Parameter)

Request:  GET with file parameter
Session:  1 credential

✅ proxy-analyzer
✅ proxy-tester-file-attacks  — test path traversal: ../../etc/passwd
✅ proxy-tester-authz          — test accessing other users' files
✅ proxy-tester-injection      — test if filename is reflected
❌ proxy-tester-idor           — file parameter is string, not numeric ID
❌ proxy-tester-ssrf           — file path, not URL

Credential Context

Each HTTP request arrives with a credential context block that identifies the authentication state:

## Credential Context

credential_id: admin-user
label:         admin-user
container_id:  container-2
headers:
  Authorization: Bearer eyJhbGci...
  Cookie: session=abc123
role_id: admin

The browser extension captures credentials automatically. The proxy-agent reads this context but does not create or modify credentials.

Session Context

The proxy-agent calls web_get_session_context to review accumulated knowledge across all processed requests:

Credentials — all discovered auth identities and their roles
Objects — data entities (User, Order, Product) and their fields
Functions — known endpoints and their action types (CRUD)
Object Values — specific IDs associated with each credential (used for IDOR testing)
Re-test Queue — endpoints flagged for follow-up testing after new context is discovered

Output Format

After processing each request, the proxy-agent provides a brief summary:

Endpoint:     POST /api/checkout
Credential:   admin-user (admin role)
Discoveries:  Payment object with fields: total, discount, payment_method
Agents run:   business-logic, idor, mass-assignment, injection, authz

Results:
- business-logic: FINDING — negative total accepted (price manipulation)
- idor: No finding — cart IDs not accessible across users
- mass-assignment: FINDING — discount field injection accepted
- injection: No finding
- authz: FINDING — guest checkout bypasses payment requirement

Detailed vulnerability reports are written by the individual testing subagents, not the proxy-agent.

Important Rules

Always runs proxy-analyzer first — it builds the context foundation
Always queries session context — uses accumulated knowledge for decisions
Does not perform testing directly — all testing is delegated to subagents
Launches agents in parallel when tests are independent
Does not create credentials — credentials come from the browser extension only
Does not call report_vulnerability directly — subagents handle reporting

Caution

The proxy-agent is a subagent and is invoked by the cyberstrike or web-application agent during browser-based proxy testing sessions. It is not intended to be used directly via --agent proxy-agent.

Web Proxy Testing - Full workflow overview
Firefox Extension - Browser extension that feeds requests to the proxy-agent
Context Management - Viewing session context and vulnerabilities in the TUI
Cyberstrike Agent - Default primary agent
Web Application Agent - OWASP WSTG methodology