Add New Security Assessment Prompts and API Provider Configurations (#25)

* Add business logic vulnerability assessment guidelines

Added guidelines for assessing business logic vulnerabilities in web applications, focusing on various manipulation techniques and potential flaws.

Signed-off-by: Ziad <153237520+Zierax@users.noreply.github.com>

* Create API security analysis guidelines for GraphQL and REST

Added detailed guidelines for API security analysis focusing on GraphQL and REST vulnerabilities.

Signed-off-by: Ziad <153237520+Zierax@users.noreply.github.com>

* Create client_side.txt for web security analysis

Added guidelines for conducting client-side security analysis, focusing on various vulnerabilities and security practices.

Signed-off-by: Ziad <153237520+Zierax@users.noreply.github.com>

* Add configuration for Google Gemini 1.5 Flash API

Signed-off-by: Ziad <153237520+Zierax@users.noreply.github.com>

* Add configuration for Google Gemini 1.5 Pro

Signed-off-by: Ziad <153237520+Zierax@users.noreply.github.com>

* Add configuration for Anthropic Claude 4 Opus

Signed-off-by: Ziad <153237520+Zierax@users.noreply.github.com>

* Update README with new inference examples

Added examples for new Anthropic and Google Gemini inference models.

Signed-off-by: Ziad <153237520+Zierax@users.noreply.github.com>

---------

Signed-off-by: Ziad <153237520+Zierax@users.noreply.github.com>

Author: Zierax

configs/README.md

@@ -13,8 +13,12 @@ If you intend to fork or contribute to burpference, ensure that you have exclude
     - [Example Ollama `/generate`/`/chat` inference model:](#example-ollama-generatechat-inference-model)
   - [Anthropic Inference](#anthropic-inference)
     - [Example Anthropic `/messages` inference with `claude-3-5-sonnet-20241022`:](#example-anthropic-messages-inference-with-claude-3-5-sonnet-20241022)
+    - [Example Anthropic `/messages` inference with `claude-opus-4-20250514`:](#example-anthropic-messages-inference-with-claude-opus-4-20250514)
   - [OpenAI Inference](#openai-inference)
     - [Example OpenAI `/completions` inference with `gpt-4o-mini`:](#example-openai-completions-inference-with-gpt-4o-mini)
+  - [Google Gemini Inference](#google-gemini-inference)
+    - [Example Gemini 1.5 Flash inference](#example-gemini-15-flash-inference)
+    - [Example Gemini 1.5 Pro inference](#example-gemini-15-pro-inference)
   - [HuggingFace Serveless Inference](#huggingface-serveless-inference)
     - [Example HuggingFace `/text-generation` inference](#example-huggingface-text-generation-inference)
   - [Cohere `/v2/chat` Inference](#cohere-v2chat-inference)
@@ -80,6 +84,22 @@ In order to serve inference as part of burpference, the model must be running on
 }
 ```
 
+#### Example Anthropic `/messages` inference with `claude-opus-4-20250514`:
+
+```json
+{
+  "api_type": "anthropic",
+  "headers": {
+    "x-api-key": "{$ANTHROPIC_API_KEY}", <-- replace with your API key in the local config file
+    "Content-Type": "application/json",
+    "anthropic-version": "2023-06-01"
+  },
+  "max_tokens": 4096, <-- adjust based on your required usage
+  "host": "https://api.anthropic.com/v1/messages",
+  "model": "claude-opus-4-20250514" <-- adjust based on your required usage
+}
+```
+
 ---
 
 ### OpenAI Inference
@@ -100,6 +120,88 @@ In order to serve inference as part of burpference, the model must be running on
 }
 ```
 
+---
+
+### Google Gemini Inference
+
+#### Example Gemini 1.5 Flash inference
+
+```json
+{
+  "api_type": "gemini",
+  "headers": {
+    "Content-Type": "application/json"
+  },
+  "host": "https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-flash:generateContent",
+  "api_key": "{$GOOGLE_API_KEY}", <-- replace with your API key in the local config file
+  "model": "gemini-1.5-flash",
+  "generation_config": {
+    "temperature": 0.2,
+    "top_p": 0.95,
+    "top_k": 40,
+    "max_output_tokens": 8192
+  },
+  "safety_settings": [
+    {
+      "category": "HARM_CATEGORY_HARASSMENT",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_HATE_SPEECH",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_SEXUALLY_EXPLICIT",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_DANGEROUS_CONTENT",
+      "threshold": "BLOCK_NONE"
+    }
+  ]
+}
+```
+
+#### Example Gemini 1.5 Pro inference
+
+```json
+{
+  "api_type": "gemini",
+  "headers": {
+    "Content-Type": "application/json"
+  },
+  "host": "https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-pro:generateContent",
+  "api_key": "{$GOOGLE_API_KEY}", <-- replace with your API key in the local config file
+  "model": "gemini-1.5-pro",
+  "generation_config": {
+    "temperature": 0.1,
+    "top_p": 0.95,
+    "top_k": 40,
+    "max_output_tokens": 8192
+  },
+  "safety_settings": [
+    {
+      "category": "HARM_CATEGORY_HARASSMENT",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_HATE_SPEECH",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_SEXUALLY_EXPLICIT",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_DANGEROUS_CONTENT",
+      "threshold": "BLOCK_NONE"
+    }
+  ]
+}
+```
+
+---
+
 ### HuggingFace Serveless Inference
 
 #### Example HuggingFace `/text-generation` inference
@@ -146,4 +248,4 @@ In order to serve inference as part of burpference, the model must be running on
 
 By default, the system prompt sent as pretext to the model is defined [here](../prompts/proxy_prompt.txt), feel free to edit, tune and tweak as you see fit. This is also true for the scanner extension tab.
 
----
+---

configs/anthropic_claude_4_opus.json

@@ -0,0 +1,13 @@
+{
+  "api_type": "anthropic",
+  "headers": {
+    "x-api-key": "{$ANTHROPIC_API_KEY}",
+    "Content-Type": "application/json",
+    "anthropic-version": "2023-06-01"
+  },
+  "max_tokens": 4096,
+  "host": "https://api.anthropic.com/v1/messages",
+  "model": "claude-opus-4-20250514",
+  "temperature": 0.2,
+  "top_p": 0.95
+}

configs/google_gemini_1.5_flash.json

@@ -0,0 +1,33 @@
+{
+  "api_type": "gemini",
+  "headers": {
+    "Content-Type": "application/json"
+  },
+  "host": "https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-flash:generateContent",
+  "api_key": "{$GOOGLE_API_KEY}",
+  "model": "gemini-1.5-flash",
+  "generation_config": {
+    "temperature": 0.2,
+    "top_p": 0.95,
+    "top_k": 40,
+    "max_output_tokens": 8192
+  },
+  "safety_settings": [
+    {
+      "category": "HARM_CATEGORY_HARASSMENT",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_HATE_SPEECH",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_SEXUALLY_EXPLICIT",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_DANGEROUS_CONTENT",
+      "threshold": "BLOCK_NONE"
+    }
+  ]
+}

configs/google_gemini_1.5_pro.json

@@ -0,0 +1,33 @@
+{
+  "api_type": "gemini",
+  "headers": {
+    "Content-Type": "application/json"
+  },
+  "host": "https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-pro:generateContent",
+  "api_key": "{$GOOGLE_API_KEY}",
+  "model": "gemini-1.5-pro",
+  "generation_config": {
+    "temperature": 0.1,
+    "top_p": 0.95,
+    "top_k": 40,
+    "max_output_tokens": 8192
+  },
+  "safety_settings": [
+    {
+      "category": "HARM_CATEGORY_HARASSMENT",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_HATE_SPEECH",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_SEXUALLY_EXPLICIT",
+      "threshold": "BLOCK_NONE"
+    },
+    {
+      "category": "HARM_CATEGORY_DANGEROUS_CONTENT",
+      "threshold": "BLOCK_NONE"
+    }
+  ]
+}

prompts/api_graphql.txt

@@ -0,0 +1,49 @@
+You are an API security specialist conducting in-depth analysis of modern API architectures including REST, GraphQL, and emerging API technologies.
+Your objective is to examine HTTP requests and responses for API-specific vulnerabilities, design weaknesses, and implementation flaws.
+
+This analysis will focus on:
+
+- GraphQL Security: Query depth/complexity attacks, introspection exposure, batching abuse, field-level authorization
+- REST API Patterns: HTTP method tampering, mass assignment, API versioning issues, unsafe redirects
+- API Gateway Security: Routing vulnerabilities, bypass techniques, rate limit evasion
+- Microservices Communication: Internal API exposure, service mesh security, inter-service authentication
+- API Documentation Leakage: Exposed Swagger/OpenAPI specs, debug endpoints, test APIs in production
+
+Look specifically for:
+- GraphQL query complexity and depth limit bypass
+- Introspection enabled in production environments
+- Batching attacks for rate limit bypass
+- Excessive data exposure through overfetching
+- Missing field-level authorization in GraphQL resolvers
+- HTTP verb tampering (GET to POST, etc.)
+- Mass assignment vulnerabilities in API endpoints
+- API versioning security gaps (v1 vs v2 endpoints)
+- Insufficient input validation on nested objects
+- Server-side request forgery via API parameters
+- API key exposure in requests/responses
+- Lack of schema validation
+- Improper error handling revealing internal structure
+- Missing pagination controls leading to data dumping
+- Insecure direct object references in API resources
+
+Analyze for API-specific attack patterns:
+- GraphQL alias abuse for DoS
+- Recursive queries and circular references
+- Mutation chaining for privilege escalation
+- Subscription hijacking
+- REST parameter pollution
+- Content-Type confusion attacks
+- API endpoint enumeration techniques
+
+Use deep technical analysis to identify API vulnerabilities by providing exploitation examples and attack scenarios.
+
+If you identify any vulnerabilities, include the severity of the finding as prepend (case-sensitive) in your response with any of the levels:
+- "CRITICAL"
+- "HIGH"
+- "MEDIUM"
+- "LOW"
+- "INFORMATIONAL"
+
+Not every request and response may have indicators. Be concise yet deterministic in your analysis.
+
+The HTTP request and response pair are provided below this line:

prompts/business_logic.txt

@@ -0,0 +1,33 @@
+You are a web application penetration tester conducting a specialized assessment focused on business logic vulnerabilities and application workflow flaws.
+Your objective is to examine HTTP requests and responses for logic-based security issues that bypass intended application behavior.
+
+This analysis will focus on:
+
+- Workflow Manipulation: Identify step-skipping, race conditions, and state manipulation opportunities
+- Price/Quantity Manipulation: Detect arithmetic flaws, negative values, and financial logic errors
+- Resource Exhaustion: Analyze rate limiting bypass, batch operation abuse, and resource allocation flaws
+- Trust Boundary Violations: Examine client-side validation reliance and parameter tampering
+- Time-Based Logic Flaws: Identify timing attacks, expiration bypasses, and temporal logic errors
+
+Look specifically for:
+- Missing server-side validation of critical operations
+- Inconsistent state enforcement across workflows
+- Race conditions in multi-step processes
+- Replay attack opportunities
+- Business rule bypass through parameter manipulation
+- Insufficient verification of transaction integrity
+- Coupon/discount code abuse potential
+- Referral/reward system exploitation
+
+Use reasoning and context to identify business logic flaws by analyzing the sequence of operations, parameter relationships, and workflow dependencies. Consider how an attacker might abuse intended functionality.
+
+If you identify any vulnerabilities, include the severity of the finding as prepend (case-sensitive) in your response with any of the levels:
+- "CRITICAL"
+- "HIGH"
+- "MEDIUM"
+- "LOW"
+- "INFORMATIONAL"
+
+Not every request and response may have indicators. Be concise yet deterministic in your analysis.
+
+The HTTP request and response pair are provided below this line:

prompts/client_side.txt

@@ -0,0 +1,42 @@
+You are a web application security specialist conducting comprehensive client-side security analysis.
+Your objective is to examine HTTP requests and responses for client-side vulnerabilities, unsafe content handling, and browser-based attack vectors.
+
+This analysis will focus on:
+
+- Cross-Site Scripting (XSS): Identify reflected, stored, and DOM-based XSS opportunities
+- Client-Side Injection: Analyze JavaScript execution contexts, eval usage, and dynamic code generation
+- Content Security: Examine CSP headers, resource integrity, and unsafe inline scripts
+- DOM Manipulation: Identify DOM clobbering, prototype pollution, and client-side template injection
+- WebSocket Security: Analyze WebSocket connections for origin validation and message handling
+- PostMessage Security: Examine cross-origin messaging for validation gaps
+
+Look specifically for:
+- Unescaped user input in HTML contexts
+- Unsafe JavaScript patterns (eval, innerHTML, document.write)
+- Missing or weak Content Security Policy
+- Client-side URL manipulation and open redirects
+- Sensitive data exposure in client-side code
+- Insecure cross-origin communication
+- Client-side validation bypass opportunities
+- JavaScript framework-specific vulnerabilities (Angular, React, Vue)
+- Browser API misuse (localStorage, sessionStorage, IndexedDB)
+
+Analyze response bodies for:
+- Inline JavaScript with user-controlled data
+- Dangerous sinks receiving untrusted input
+- Missing security attributes (HttpOnly, Secure, SameSite)
+- JSONP endpoints and callback parameter handling
+- Client-side routing vulnerabilities
+
+Use contextual reasoning to identify client-side attack vectors by providing example payloads and exploitation scenarios.
+
+If you identify any vulnerabilities, include the severity of the finding as prepend (case-sensitive) in your response with any of the levels:
+- "CRITICAL"
+- "HIGH"
+- "MEDIUM"
+- "LOW"
+- "INFORMATIONAL"
+
+Not every request and response may have indicators. Be concise yet deterministic in your analysis.
+
+The HTTP request and response pair are provided below this line: