SPECTER WEB

CUA / Browser Agent Exploitation Engine — T101 Documentation

Overview

SPECTER WEB is the NIGHTFALL framework's CUA exploitation engine. It targets Computer-Use Agents operating via screenshot+action loops: browser-use, Claude CUA, OpenAI Operator, Playwright, Agentforce, Skyvern, MultiOn, and Google Mariner. Eight subsystems cover the full kill chain from passive fingerprinting through container escape.

CVE-2025-47241 (CVSS 9.3): browser-use < 0.1.45 URL userinfo bypass confirmed exploitable. RedTeamCUA benchmark (ICLR 2026 Oral): 60% ASR against Claude 4.5 Sonnet. VPI-Bench: 100% ASR against browser-use on production platforms. SandboxEscapeBench: GPT-5 and Opus 4.5 autonomously escaped Docker containers via CVE-2024-1086.

Installation

# Install from source
pip install -e /path/to/red-specter-specter-web

# Verify
specter-web --version

Gate System

Three gate levels control access to increasingly destructive capabilities:

Gate	Operations	Requirement
OPEN	SURVEY, LURE (payload generation only)	None — passive recon
INJECT	INJECT, HIJACK, EXFIL, CHAIN (email/slack)	Ed25519-signed scope with ROE
UNLEASHED	CHAIN (payment/code-exec/iam/wipe), ESCAPE	UNLEASHED scope + confirm flags

specter-web gate init \
  --target https://target-agent.example.com \
  --gate INJECT \
  --operator "RED SPECTER PENTEST"

CVE-2025-47241: browser-use URL Userinfo Bypass

browser-use < 0.1.45 validates URLs via is_url_allowed() which splits on ':' to extract the domain. An attacker can embed an allowed domain in the URL userinfo component to bypass the allowed_domains whitelist entirely.

# Vulnerable code path (browser-use < 0.1.45)
# is_url_allowed("https://allowed.com@attacker.com") → True
# Agent navigates to attacker.com, not allowed.com

specter-web survey https://target-agent.example.com
# Detects browser-use version, confirms CVE-2025-47241 if < 0.1.45

specter-web inject https://target-agent.example.com \
  --via cve-2025-47241 --scope-id <scope-id>

VPI Techniques

Technique	CLI Value	Basis	ASR
STATIC	vpi	High-salience hardcoded payloads (large text, bold, high contrast)	—
ADAPTIVE	adaptive	EVA (arXiv:2505.14289) closed-loop attention-adaptive injection	Adaptive
ADINJECT	adinject	AdInject (arXiv:2505.21499) black-box ad slot delivery	>60%
BRANCH_STEER	branch-steer	CaMeLs (arXiv:2601.09923) fake DOM element control flow hijack	Confirmed
URL_EMBED	url-embed	CVE-2025-47241 URL userinfo bypass (browser-use < 0.1.45)	9.3 CVSS

Injection Vectors

Vector	CLI Value	Description
CVE-2025-47241	cve-2025-47241	URL userinfo bypass — allowed.com@attacker.com
OPEN_REDIRECT	open-redirect	Target URL probed for redirect parameters (?redirect=, ?next=, ?url=…)
AD_NETWORK	adnetwork	Black-box ad delivery — no HTML access required
MITM	mitm	Network-layer injection — ARP/BGP/DNS MITM
SERVED_PAGE	served	Attacker-controlled HTML page served to agent
TASK_CONTEXT	task-context	Direct injection into task instructions / prompt
SCREENSHOT_POISON	screenshot-poison	Vision loop injection — adversarial content in screenshots

Escape Techniques

All escape techniques require UNLEASHED gate + --confirm-escape flag.

Technique	CVE	Description	Success Rate
cve_2024_1086	CVE-2024-1086	Linux kernel nf_tables UAF — Docker container escape to host root	45% (docker)
runc	—	runC Nov2025 vulnerabilities — host filesystem access	38% (docker/k8s)
default_creds	—	Vagrant/root/admin default credentials — SSH access	30%
shell_persist	—	.bashrc/.gitconfig/.zshrc modification — survives restart	55%
git_tamper	—	Git history rewrite — evidence destruction (arXiv:2604.23425)	50%
settings_inject	CVE-2026-25725	settings.json RCE on agent init — Claude Code environments	42% (claude)

Full Kill Chain

# Gate init
specter-web gate init --target https://target.example.com --gate UNLEASHED --operator RED

# OPEN: fingerprint
specter-web survey https://target.example.com

# INJECT: all vectors + all hijack modes + all exfil chains + lateral
specter-web lure https://target.example.com --all-techniques --scope-id <id>
specter-web inject https://target.example.com --via cve-2025-47241 --scope-id <id>
specter-web hijack https://target.example.com --mode oauth --scope-id <id>
specter-web exfil https://target.example.com --chain web-os --scope-id <id>
specter-web chain https://target.example.com --action email --scope-id <id>

# UNLEASHED: payment fraud, code exec, IAM backdoor
specter-web chain https://target.example.com --action payment --scope-id <id>
specter-web chain https://target.example.com --action code-exec --scope-id <id>

# UNLEASHED + confirm-escape: container escape
specter-web escape https://target.example.com --scope-id <id> --confirm-escape

# Full annihilate (auto kill chain)
specter-web annihilate https://target.example.com --scope-id <id> --unleashed \
  --output /tmp/specter-web-results/

WMD Classes

Class	Trigger
cua_full_session_takeover	Session token captured + cookies stolen + task spoofed
cua_oauth_mass_harvest	OAuth grants captured via CoPhish consent redirect
cua_container_escape	Host-level access via CVE-2024-1086, runC, or shell persistence
cua_cross_env_exfil	OS files/credentials transferred to attacker infrastructure

Research References

Reference	Finding
arXiv:2505.21936 (RedTeamCUA, ICLR 2026 Oral)	60% ASR on Claude 4.5 Sonnet, 48% Claude 4 Opus, 42.9% Claude 3.7 Sonnet
arXiv:2506.02456 (VPI-Bench)	100% ASR on browser-use (Amazon/Booking/BBC)
arXiv:2504.18575 (WASP)	86% intermediate hijack rate, URL-embedded injection outperforms text injection
arXiv:2505.14289 (EVA)	Closed-loop attention-adaptive injection
arXiv:2505.21499 (AdInject)	Black-box ad delivery >60% ASR without HTML access
arXiv:2603.14707 (Visual Confused Deputy)	TOCTOU clickjacking, screenshot/action race window
arXiv:2601.09923 (CaMeLs)	Branch steering via fake DOM elements defeats control-flow hardening
arXiv:2603.02277 (SandboxEscapeBench)	GPT-5 + Opus 4.5 escaped Docker containers via CVE-2024-1086 autonomously
arXiv:2604.23425	Frontier model used git history tamper + shell persistence to conceal escape