Anomaly Detection

Step 2: Detect anomalies (endpoints 11+)

Flag any endpoint that deviates from baseline. Categories:

Timing

• Response > 3x median - test injection, SSRF, file inclusion
• Response < 0.5x median - test cache poisoning, stale data
• Response varies > 50% across identical requests - test race conditions

Headers

• Missing header all others have - different backend, test different attack patterns
• Extra header not seen elsewhere - test header injection, middleware bypass
• Different Server header - test session fixation across backends
• X-Powered-By or X-Debug present - test debug endpoint discovery
• Different CORS policy - test CORS misconfiguration

Response Body

• Different key naming convention (camelCase vs snake_case) - different API version
• Different ID format (numeric vs UUID) - test IDOR via predictable IDs
• Different error format - test info disclosure via verbose errors
• HTML in JSON API response - test SSTI, XSS
• Extra fields not in similar endpoints - test data exposure, mass assignment

Status Code

• 200 where others return 401/403 - test auth bypass
• 403 where others return 401 - test authz bypass
• 500 on normal input where others return 400 - test injection, info disclosure
• 301/302 to unexpected domain - test open redirect, SSRF
• 204 with content-length > 0 - test response splitting

Cookie/Session

• New cookie set uniquely - test session fixation
• Cookie missing Secure/HttpOnly - test session hijacking
• Session token changes - test session fixation, token prediction
• Different cookie domain/path - test cross-service confusion

GATE: Anomalies found? Proceed to Step 3. Zero anomalies after 20+ endpoints? Anomaly detection complete for this target.

Step 3: Score and prioritize

For each anomaly, generate a hypothesis:

Title: "[Anomaly type] on [endpoint] suggests [backend difference]"
Technique: "[attack class]"
Lens: "anomaly_detection"
Testability: 8-10
Novelty: 7-9

Priority adjustments:

• Auth/session anomaly: +2 impact
• Content difference: +1 impact
• Timing only: -1 exploitability

GATE: 2+ anomaly types on same endpoint? That endpoint is convergent - test it FIRST.

Step 4: Convergent signal scoring

• 1 anomaly type: normal priority
• 2 types on same endpoint: elevated (+1)
• 3+ types on same endpoint: highest (+2), interrupt testing order

GATE: 3+ convergent signals? Stop current testing. Test this endpoint next.

Step 5: Output

Write to findings/<program>/tmp/anomaly-profile.json:

{
  "baseline_endpoints_profiled": 25,
  "anomalies_detected": 7,
  "convergent_signals": 2,
  "anomalies": [
    {
      "endpoint": "/api/internal/export",
      "anomaly_types": ["timing", "header", "body", "status"],
      "convergent": true,
      "details": {
        "timing": "800ms vs 50ms median",
        "header": "missing X-RateLimit-Remaining",
        "body": "XML error format vs JSON everywhere else",
        "status": "200 without auth"
      },
      "generated_hypothesis_id": "<sha256>",
      "priority": "critical"
    }
  ]
}

Convergent hypotheses insert at top of Phase 4 queue. All anomalies feed Phase 4b as observation_type: "anomaly_detected".

Integration

• Run continuously during Phase 4, not as a separate pass
• First 10 endpoints: profile only
• Endpoints 11+: profile AND detect in real-time
• Convergent signals (3+): interrupt current order, test next