GHOST_PROXY: The Browser Is the Terminal

The browser used to be a window. Now it's the terminal.

That shift happened quietly — enterprises moving their entire stack to SaaS, authentication migrating from the server to the client, identity becoming the perimeter. The result is that the most interesting attack surface in 2026 isn't a misconfigured S3 bucket or an unpatched CVE. It's the trust boundary the browser already lives inside. You've authenticated. The IAP verified you. The WAF waved you through. Everything that happens next happens inside a context the perimeter has already blessed.

You build understanding of a problem like that slowly. You break things methodically, every day, until the way the modern detection landscape thinks starts to feel legible. Until you know what a UI Sentinel is looking for before you've written a line. Until you understand the stealth requirements not because you read a paper but because you've watched an intercept fail in real time and had to figure out why.

GHOST_PROXY is what that understanding produces when you give it a form.

It is not a proxy manager. It is not a script injector with a nice UI. It is a full-stack red-team command center distributed as a UserScript — TypeScript, Vite, React with Motion — built for the engagement loop that actually exists in 2026. Tampermonkey or Violentmonkey, no extension store review, no waiting. You modify, deploy, audit from the console. The iteration is live. The footprint is minimal. The tool does not announce itself. That is not an accident. That is the design.

---

The Behavioral Model Already Running When You Inject

If you inject a script into a modern enterprise application, something is already watching. Not a human. A behavioral model. UI Sentinels that monitor for DOM mutations, global variable pollution, unauthorized event listeners, timing anomalies in API calls. The detection layer isn't signature-based. It is behavioral. It doesn't look for known bad patterns. It looks for anything that deviates from how a normal authenticated session moves through the application.

Static intercepts fail in this environment. A regex that finds what you're looking for also looks like a regex to the thing watching your script execute. The timing of your method calls, the order you touch the DOM, the variables you introduce into the global scope — all of it is being scored against a baseline you never got to see.

GHOST_AGENT is the answer to this. An integrated Gemini Pro link that operates as a code-level neural architect. Not a chatbot. A system you feed the target context — the WAF version, the detection behavior you're seeing, the framework underneath the application — and it generates bypass logic, suggests payload mutations, helps you harden intercepts in real time. The difference between a tool that gives you a starting point and one that evolves with the environment you're operating in.

---

The Stealth Architecture

Modern enterprise applications instrument their own environment. They check fetch and XMLHttpRequest for signs of tampering. They audit the event listener registry. They scan for globals that shouldn't exist. The naive response to this is a different execution context. The right response is to make the environment report clean when inspected — to wrap the intercept in a layer that shows investigators exactly what they expect to see.

STEALTH_ACTIVE does this with Proxy-based monkey patches. Sensitive global objects get wrapped so their .toString() calls return the original native signature. The application's own defense scripts check for tampering and find nothing. The intercept logic runs underneath, invisible to the inspection layer above it.

// GHOST_PROXY: Stealth Cloak Interceptor
window.stealthPatch = function(obj, prop, replacementFunc) {
    const original = obj[prop];
    const proxy = new Proxy(replacementFunc, {
        get: (target, key) => {
            // Return native signature on inspection
            if (key === 'toString') return () => original.toString();
            return target[key];
        }
    });
    obj[prop] = proxy;
};

// Cloaking the event listener
// getEventListeners() sees nothing
stealthPatch(EventTarget.prototype, 'addEventListener', function(type, listener, options) {
    return originalAddEventListener.apply(this, arguments);
});

The UI layer goes further. Every control lives in a closed Shadow Root — an isolated DOM environment that the host page's JavaScript cannot traverse. The main document encounters a randomized container ID and an empty div. The actual augmentation interface exists in a layer that the document's own scripts have no access to. The tool operates in the same browser the site lives in and the site cannot see it.

This is the architecture the Ghost Protocol: Stealth Cloak module implements. It is also the architecture you need to understand to detect it, which is the point of running it in a controlled environment before you encounter it in the wild.

---

The Protocols

The first cut of the workshop shipped with five specialized intercepts. Each one targets a specific surface of the modern attack landscape. Each one is a starting point for understanding, not a finished weapon. (v1.4 grew the lab into a ten-module sandbox — see the coda at the bottom; the five below are the spine the rest grew around.)

The UI Sentinel runs real-time monitoring for high-altitude overlays and DOM poisoning — watching for the same techniques the tool uses against target applications. The reason is deliberate. Understanding how injection gets detected is the same knowledge as understanding how to inject cleanly. You cannot build one without the other.

The E-Comm Auditor is platform-aware. It knows the specific DOM structure and API patterns of Shopify and WooCommerce. It surfaces price tampering vectors, discount enumeration, IDOR exposure, and parameter pollution in checkout flows. The surgical precision comes from the platform knowledge. A generic probe finds generic results. This finds the things that are actually there.

The Source Secret Scanner runs passively in the background, auditing the DOM for leaked credentials — Stripe sk_live_ prefixes, AWS AKIA key patterns, Firebase configs surfaced in client-side JavaScript. The number of production applications leaking real API keys into their own frontend is not a small number. It is a finding that appears on almost every engagement where someone looks.

The Hydra Polymorph simulates AI-driven polymorphic payload behavior. It mutates its own signature on every execution using dynamic constructors and math constants instead of static strings. What signature-based WAFs are designed to catch and why they increasingly cannot. You cannot build detection that works against this class of technique without first understanding what it looks like from the inside.

The Sec+ Educational Suite covers Shadow UI Spoofing and JWT Token Harvesting with visual mock-attacks built for understanding. The JWT piece is worth dwelling on: tokens in LocalStorage or SessionStorage are accessible to any script running in the same origin. Any XSS vulnerability anywhere in the application is a credential harvest. The attack requires almost nothing. The prevalence of the underlying pattern in production code is the real finding every time.

---

The 2026 Threat Model

Three patterns define where the aggressor is operating right now.

Polymorphic neural payloads — LLM-generated code that rewrites its own signature before execution. The WAF has never seen this version of the payload. It never will, because the next version will be different too. Signature databases are retrospective instruments. They are built against what was seen yesterday. This technique ensures yesterday never repeats.

Identity-first exfiltration — the target is the JWT in LocalStorage, not the server. The data is already on the client. It arrived through the authentication flow the perimeter was built to protect. Exfiltrating it doesn't touch the server at all. The perimeter has no visibility into what leaves through the browser session it already trusted.

Supply chain ghost hooks — compromised third-party dependencies injecting silent listeners into the host page's event stream. The script is trusted because it came from a CDN the host application explicitly loaded. It has been there for weeks. It is indistinguishable from the legitimate version of itself except in what it does with the data it sees.

GHOST_PROXY doesn't automate attacks against any of these. It gives you the environment to understand how they operate, build detection logic against them, and test your assumptions before someone with worse intentions tests them for you.

---

The hardest vulnerabilities are not in the code. They're in the assumptions. The assumption that the perimeter stops things it was never designed to stop. The assumption that the authenticated session is clean. The assumption that a behavioral model watching for known patterns will catch techniques it has never been trained on.

The browser passed the visual scan. The interceptor disagreed. That gap — between what the system believes and what is actually true — is the space this tool was built to inhabit.

Build in it. Break things in it. Come out understanding the detection landscape well enough to work both sides of it.

Authorized engagements only. Written permission required. The exposure from running these techniques against targets you don't own is not hypothetical.

---

Where Ghost Proxy is now (v1.4).

The five protocols above are still in the workshop. They became the spine of a ten-module offensive/defensive sandbox.

• THREAT_SIMULATOR — thirteen kill-chain scenarios, from Collateral Injection & Oracle Drift and Messaging Layer Spoofing across LayerZero/CCIP, through PyPI Supply Chain Injection and ERP Legacy RCE on Oracle EBS, to Match Group Vishing & SSO Hijack and Windows Shell Zero-Click NTLM Theft (CVE-2026-32202). WAF Evasion Entropy tracked per run.
• NEURAL_LAB — AI red teaming proper: indirect prompt injection, Base64/token smuggling, semantic sharding bypass, DAN-style model hijacking, NTLM relay orchestration, shell handler path confusion.
• CYBER_SOC — Neural Defense Center. Memory Forensics, Actor Correlation, the AI-native SIEM/EDR layer with ten active event types under correlation (Oracle-Collateral Sync Anomaly, Protocol-Level Message Forgery, LSASS Memory Dump with LLM-mutated obfuscators, Neural WAF Bypass via Semantic Sharding, etc.).
• SHADOW_OSINT — Neural Forensic Suite for artifact reconstruction from LLM leaks.
• DECEPTION_ENGINE — Honey-Token deployment and C2 node tracing.
• PF_FIREWALL — macOS/BSD stateful packet filter orchestrator with pf.conf export.
• PRIVACY_ENGINE — Epsilon Tuning and K-Anonymity Factor for differential privacy work.
• GHOST_ACADEMY — nine-domain mastery with Red/Blue Scenario Labs (the Sec+ Suite from above grew into this).
• GRC_COMMAND — Enterprise Governance: JIT Access and Data Classification Audit.

The Suarez Infrastructure Orchestrator wraps the lab with sixteen security guardrails — Oracle Price-Deviation pauses, Admin Action Quorum, CI/CD SBOM Integrity, Identity Spoofing, Path Poisoning, Ghost Fields, State Shortcutting, RPC Shadowing, Failover Forced Drift, Omnichain Proof Hijack, NTLMv2 Coercion, LNK Path Traversal, Zero-Click SMB Leak, and the rest. The Purple Command Center pairs each red move with its blue counterpart so the lab can be run from either side of the bench.

Same browser-as-terminal thesis. Same Zero-Telemetry architecture. Wider bench. github.com/ghostintheprompt/ghost_proxy.

---

GhostInThePrompt.com // The browser passed the visual scan. The interceptor disagreed.