NIGHTFALL TOOL 101 — CUA / BROWSER AGENT EXPLOITATION ENGINE

SPECTER WEB

CUA / Browser Agent Exploitation Engine

The world's first commercial offensive security framework for Computer-Use Agent attack surfaces. WEB targets vision+action loop exploitation, adversarial web content injection, and full kill-chain automation against browser agents (Claude CUA, OpenAI Operator, browser-use, Playwright, Agentforce, Skyvern, MultiOn, Google Mariner). CVE-2025-47241 (CVSS 9.3) confirmed exploitable. RedTeamCUA 60% ASR on Claude 4.5 Sonnet. VPI-Bench 100% ASR. SandboxEscapeBench container escape confirmed. Ed25519-signed WEB-{hex12} reports. OPEN/INJECT/UNLEASHED gate.

4 CVEs | 309 Tests | 8 Subsystems | 4 WMD Classes
Attack Surface

Four CVEs. Eight Agent Platforms. Zero Click Required.

SPECTER WEB exploits the vulnerabilities that CUA security reviews ignore: the URL parser, the vision loop, the OAuth redirect, the container runtime. Browser agents are trusted proxies to sensitive systems. Compromise the agent, own everything it can reach.

| ID | Component | Vulnerability | CVSS | Gate |
|---|---|---|---|---|
| CVE-2025-47241 | browser-use < 0.1.45 | URL userinfo bypass — https://allowed.com@attacker.com defeats the is_url_allowed() allowed_domains whitelist. Zero-click agent navigation to attacker-controlled endpoints. | 9.3 | INJECT |
| CVE-2024-1086 | Linux kernel < 6.3.1 | nf_tables use-after-free — GPT-5 and Opus 4.5 autonomously escaped Docker-hosted CUA containers (arXiv:2603.02277, UK AISI/Oxford). | 7.8 | UNLEASHED |
| CVE-2026-25725 | Claude Code-adjacent | settings.json injection — a malicious settings.json triggers arbitrary shell command execution on agent session initialisation. | 8.1 | UNLEASHED |
| CVE-2025-59536 | Claude Code-adjacent | MCP server injection via poisoned project directory — the agent loads attacker-controlled tool definitions on startup. | 9.1 | INJECT |
Architecture

Eight Subsystems

01 SURVEY

Real HTTP fingerprinting: platform detection via PLATFORM_SIGNATURES (headers + body), browser-use version extraction, tool set enumeration, sandbox type, OAuth scope discovery. Attack surface scoring 0.0–1.0. CVE applicability mapping. OPEN gate.

02 LURE

Five VPI techniques: STATIC (hardcoded high-salience), ADAPTIVE (EVA closed-loop attention), ADINJECT (black-box ad slot delivery), BRANCH_STEER (CaMeLs fake DOM elements), URL_EMBED (CVE-2025-47241 bypass). ARMORY cua_* category integration. Adversarial page assembly. INJECT gate.

03 INJECT

Seven injection vectors: CVE-2025-47241 (URL userinfo bypass), OPEN_REDIRECT (10 patterns), AD_NETWORK (black-box ad delivery), MITM (network layer), SERVED_PAGE (attacker-controlled HTML), TASK_CONTEXT (direct instruction injection), SCREENSHOT_POISON (vision loop). INJECT gate.

04 HIJACK

Five session hijack modes: TOCTOU (arXiv:2603.14707 screenshot/action race window), OAUTH (CoPhish consent redirect), COOKIE (JS exfiltration), TASK_SPOOF (arXiv:2511.20067 goal substitution), FORM (data rerouting). INJECT gate.

05 EXFIL

Five exfil chains: WEB_OS (agent reads OS files → cloud upload, 60% ASR), CREDENTIAL (env/config/token harvest), CHAT (Slack/Teams/email routing), SCREENSHOT (sensitive page capture), CLOUD (S3/GDrive/Dropbox staging). INJECT gate.

06 CHAIN

Six post-compromise actions: EMAIL + SLACK lateral phishing (INJECT gate); PAYMENT fraud, CODE_EXEC (stage-2 shell), IAM backdoor creation, WIPE destruction (all UNLEASHED gate). --confirm-destroy required for WIPE. Real tool access via hijacked agent.

07 ESCAPE

Six container/sandbox escape techniques: CVE-2024-1086 kernel UAF, runC (Nov 2025), default credentials (Vagrant/root/admin), shell persistence (.bashrc/.gitconfig), git history tamper (arXiv:2604.23425), settings.json injection (CVE-2026-25725). UNLEASHED + --confirm-escape.

08 REPORT

Ed25519-signed WEB-{hex12} reports. MITRE ATLAS AML.T0043/T0048/T0051/T0054. OWASP LLM01/LLM02/LLM06/LLM08 + Agentic AST01-AST09. CVSS 3.1 scoring. WMD class mapping. Financial blast radius. JSON + Markdown output.

Visual Prompt Injection

Five VPI Techniques. 100% ASR Confirmed.

VPI-Bench (arXiv:2506.02456) confirmed 100% Attack Success Rate against browser-use agents on Amazon, Booking, and BBC platforms. RedTeamCUA (arXiv:2505.21936, ICLR 2026 Oral) demonstrated 60% ASR against Claude 4.5 Sonnet and 48% against Claude 4 Opus. SPECTER WEB LURE implements all five technique classes.

STATIC + ADAPTIVE (EVA)

STATIC: high-salience hardcoded payloads in large text, bold formatting, and high-contrast colour. ADAPTIVE: EVA (arXiv:2505.14289) closed-loop attention-adaptive injection — monitors attention gradients to place injection text precisely where the vision model focuses. Both confirmed effective against screenshot-based agents.

ADINJECT (AdInject)

AdInject (arXiv:2505.21499): black-box ad delivery injection. Adversarial instructions are embedded in HTML ad slots without modifying the target page directly. SPECTER WEB generates ad-network-compatible payloads in standard IAB formats (300x250, 728x90, 160x600). Greater than 60% ASR demonstrated without any HTML access to the target.

BRANCH_STEER (CaMeLs)

CaMeLs (arXiv:2601.09923): fake DOM elements that hijack the agent's control flow graph. Phantom buttons, invisible links, and misleading labels intercept navigation decisions before the agent reaches its intended destination. Defeats control-flow hardening by operating at the vision layer rather than the instruction layer.

URL_EMBED (CVE-2025-47241)

browser-use < 0.1.45: URL userinfo bypass. is_url_allowed() splits on ':' without validating the authority component, so embedding a whitelisted domain in the URL userinfo (https://allowed.com@attacker.com) bypasses the allowed_domains whitelist. CVSS 9.3. Zero-click agent navigation to attacker-controlled endpoints; no user interaction required.
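The defensive lesson of this bug class is that a navigation allowlist must decide on the parsed host, never on the raw string. The following is an added example written for this page, not browser-use's code: a small naive check that reconstructs the bug class for contrast, beside a hardened check built on urllib.parse. The allowlist entries and the "*.domain" wildcard convention are assumptions of the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example. Entries are exact hostnames; an
# entry written "*.allowed.com" additionally matches any subdomain.
ALLOWED_DOMAINS = ["allowed.com", "*.allowed.com"]


def naive_is_url_allowed(url: str, allowed: list[str]) -> bool:
    """Illustrative reconstruction of the bug class only (not browser-use's
    code): split on ':' and look for an allowed name at the start of what
    is left, never isolating the authority's host component."""
    rest = url.split(":", 1)[-1].lstrip("/")
    return any(rest.startswith(d.lstrip("*.")) for d in allowed)


def _host_matches(host: str, pattern: str) -> bool:
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def hardened_is_url_allowed(url: str, allowed: list[str]) -> bool:
    """Decide on the parsed host only, after rejecting what an agent should
    never navigate to in the first place."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):      # javascript:, data:, file:
        return False
    # Credentials in the authority are never legitimate for an agent, and
    # RFC 3986 parsers and browsers disagree about '\' there, so refuse both
    # outright rather than trying to normalise them.
    if "@" in parts.netloc or "\\" in parts.netloc:
        return False
    host = parts.hostname          # lowercased, port and IPv6 brackets removed
    if not host:
        return False
    host = host.rstrip(".")        # "allowed.com." is the same DNS name
    return any(_host_matches(host, p) for p in allowed)


if __name__ == "__main__":
    for url in ("https://allowed.com/", "https://allowed.com@attacker.com",
                "https://allowed.com.attacker.com/"):
        print(f"{url:40} naive={naive_is_url_allowed(url, ALLOWED_DOMAINS)!s:5} "
              f"hardened={hardened_is_url_allowed(url, ALLOWED_DOMAINS)}")
```

The naive check also accepts https://allowed.com.attacker.com, which is the same prefix-matching mistake in a different disguise; a detection rule on agent navigation logs can flag any URL whose authority contains '@' for the same reason the hardened check refuses it.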

WMD Classification

Four WMD Classes. UNLEASHED Gate Required.

cua_full_session_takeover

Complete agent session compromise: session token captured, cookies stolen, task spoofed, OAuth grants revoked and reassigned to attacker. The agent now acts as an attacker-controlled proxy to all systems within its permission scope.

cua_oauth_mass_harvest

OAuth consent grant hijacking via CoPhish technique: agent redirected to attacker-controlled OAuth consent page on a trusted domain, granting attacker persistent API access to all connected services including email, calendar, drive, and third-party SaaS.

cua_container_escape

Container or sandbox escape confirmed: host-level access obtained via CVE-2024-1086 kernel UAF, runC runtime exploit, default credentials, or shell config file poisoning. Attacker now has host-level access beyond the agent's intended boundary.

cua_cross_env_exfil

Cross-environment data exfiltration confirmed: OS files, credentials, or sensitive internal data transferred from the agent's environment to attacker-controlled infrastructure via web→OS chain, cloud staging, or chat platform routing.

Kill Chain

Full Annihilation Command

# Gate init — UNLEASHED for full kill chain
specter-web gate init --target https://target-agent.example.com --gate UNLEASHED --operator RED

# OPEN gate: fingerprint CUA platform, map attack surface
specter-web survey https://target-agent.example.com

# INJECT gate: generate adversarial payloads, deliver CVE-2025-47241
specter-web lure https://target-agent.example.com --technique url-embed --scope-id <scope-id>
specter-web inject https://target-agent.example.com --via cve-2025-47241 --scope-id <scope-id>
specter-web hijack https://target-agent.example.com --mode oauth --scope-id <scope-id>

# INJECT gate: exfil OS files + credentials via web→OS chain
specter-web exfil https://target-agent.example.com --chain web-os --scope-id <scope-id>
specter-web chain https://target-agent.example.com --action email --scope-id <scope-id>

# UNLEASHED gate: container escape
specter-web escape https://target-agent.example.com --scope-id <scope-id> --confirm-escape

# Full kill chain: SURVEY→LURE(all)→INJECT(all)→HIJACK(all)→EXFIL(all)→CHAIN(all)→ESCAPE→REPORT
specter-web annihilate https://target-agent.example.com --scope-id <scope-id> --unleashed \
  --output /tmp/web-annihilate/