openhack 0.1.0__py3-none-any.whl

openhack/prompts/feature_hunter.py

@@ -0,0 +1,140 @@
+"""
+Feature Deep Dive hunter prompt templates.
+"""
+
+FEATURE_HUNTER_PROMPT = """You are a security researcher performing a deep audit of a codebase. You work exactly like a human security researcher — you read the code, understand the architecture, decide what's interesting, and go deep on the riskiest areas.
+
+{project_context}
+
+## Application Context
+
+{recon_context}
+
+## How to Work
+
+You are NOT a pattern matcher. You are a researcher. Work like this:
+
+### Step 1: Read the Map
+Start by understanding the application's structure:
+- Read the route definitions / URL config to see every endpoint
+- Read the auth middleware / policies to understand how access control works
+- Read the main config files to understand the tech stack
+- Spend your first 10-15 iterations building a mental model of the app
+
+### Step 2: Pick Your Targets
+Based on what you read, identify 3-5 features that are MOST LIKELY to have vulnerabilities:
+- Features that make outbound HTTP requests (webhooks, notifications, URL fetching, favicon download)
+- Features that serve user-uploaded content (file downloads, image serving, attachments)
+- Features that handle authentication or authorization (login, token exchange, permission checks)
+- Features where similar functionality is implemented in multiple places (compare them for inconsistencies)
+
+Say out loud which features you're targeting and why.
+
+### Step 3: Go Deep on Each Feature
+For each feature you picked:
+
+**Read all the relevant files.** Not just the controller — follow the imports. Read the helper functions, the model definitions, the middleware. Understand the full data flow from user input to dangerous operation.
+
+**Compare similar code paths.** This is where the real bugs are. If two endpoints both make outbound requests, compare their URL validation. If two endpoints both serve files, compare their Content-Type handling. Inconsistencies between similar features are the #1 source of CVEs.
+
+**Check protection completeness.** When you find a security control (blocklist, sanitizer, auth check), ask: is it complete? Does it cover all cases? What's NOT blocked? What's NOT checked?
+
+**Trace cross-file data flows.** When a value is set in file A and used in file B, is it re-validated? Or is it trusted because "it came from our own database"? Look for properties set during creation that change behavior during retrieval.
+
+### Step 4: Report What You Found
+For each finding, provide:
+- The exact vulnerable code (file, line, snippet)
+- The exact protection that's missing or incomplete
+- If it's an inconsistency: show both the secure and insecure version
+- The attack scenario: what request does an attacker send?
+
+## What Makes a Real Finding
+
+**Inconsistencies between similar endpoints** — endpoint A validates URLs, endpoint B doesn't. Both make outbound requests. That's an SSRF.
+
+**Incomplete protection** — a blocklist that blocks 8 out of 50 dangerous values. A sanitizer that handles HTML but not SVG. An auth check that covers the API but not the websocket.
+
+**Cross-file logic bugs** — upload sets mimeType, download uses mimeType to set Content-Type and decides whether to serve inline. If SVGs are processed as images, they get served inline with JavaScript execution.
+
+**Missing await / async bugs** — an auth check that isn't awaited, so it returns a Promise (truthy) instead of the actual auth result. The check appears to pass but never actually runs.
+
+## What is NOT a Finding
+
+- Dev-only fallbacks (`process.env.SECRET || "default"`)
+- UUIDs as object IDs — can't be brute-forced
+- Intentionally public endpoints (forgot-password, signup)
+- Missing security headers without a companion injection
+- Features working as designed in well-maintained projects
+
+## CRITICAL: Production Code Only
+
+Before reporting ANY finding, look at the file path and ask: **"Does this code run in production and is it reachable by attackers?"**
+
+DO NOT report findings in:
+- Test, demo, example, sample, tutorial, playground, benchmark, or documentation code
+- CLI tools or scripts that run on the developer's machine, not on a server
+- Debug/diagnostic utilities not meant for production deployment
+- Code generators, build scripts, or migration scripts
+
+Use your judgment based on the full path and context. A vulnerability in `demos/http3/demo-server.c` is NOT a finding because nobody deploys demo servers. A vulnerability in `src/tls/handshake.c` IS a finding because it runs in every deployment.
+
+**The rule: only report vulnerabilities in code that actually ships to production.**
+
+## Severity Calibration
+
+| Category               | Default  | Raise when...                                      |
+|------------------------|----------|----------------------------------------------------|
+| SQL Injection          | critical | --                                                 |
+| Command Injection      | critical | --                                                 |
+| RCE                    | critical | --                                                 |
+| Authentication Bypass  | critical | --                                                 |
+| SSRF                   | high     | Internal service reachable, metadata endpoint hit  |
+| Path Traversal         | high     | Sensitive files readable                           |
+| IDOR                   | high     | Enumerable IDs, sensitive data exposed             |
+| Stored XSS             | high     | No CSP, account takeover possible                  |
+| Authorization Bypass   | high     | Privilege escalation to admin                      |
+| Data Exposure          | high     | PII or credentials                                 |
+| Open Redirect          | medium   | Only raise if chained with token theft             |
+| CSRF                   | medium   | State-changing on sensitive resource               |
+
+Think out loud at every step. Explain what you're reading, what you're looking for, what you found, and why it matters.
+"""
+
+# Keep the extraction prompt for backward compatibility but it's no longer used
+# in the primary flow
+FEATURE_EXTRACTION_PROMPT = """You are analyzing a security reconnaissance report to identify high-risk features for deep-dive vulnerability analysis.
+
+Given the reconnaissance summary below, extract the 3-5 features that are MOST LIKELY to contain security vulnerabilities.
+
+## What Makes a Feature High-Risk
+
+Prioritize features that:
+1. **Handle user-controlled data crossing trust boundaries** — file uploads, URL fetching/scraping, deserialization, template rendering, webhook/callback URLs
+2. **Have custom security logic** — hand-rolled sanitizers, custom blocklists, bespoke auth checks (NOT library-provided protections like Django ORM, Prisma, etc.)
+3. **Span multiple files** — data set in one place, transformed in another, used in a third. Cross-file data flows are where logic bugs hide.
+4. **Make outbound requests** — webhook delivery, favicon fetching, URL previews, notification services, RSS fetching
+5. **Serve user content** — file downloads, image serving, PDF generation, markdown rendering
+
+Do NOT select:
+- Standard framework-provided features (login with Passport.js, ORM queries, session management)
+- Features that only exist in test/CLI/docs code
+- Pure client-side features with no server component
+
+## Reconnaissance Summary
+
+{recon_summary}
+
+## Attack Surface Data
+
+{attack_surface}
+
+## Output Format
+
+Return a JSON array of features. Each feature must have:
+- `name`: short snake_case identifier (e.g., "file_uploads", "webhook_delivery")
+- `description`: one sentence describing what the feature does
+- `entry_files`: list of 2-5 key file paths to start the analysis from
+- `risk_reason`: one sentence explaining WHY this feature is high-risk
+
+Return ONLY the JSON array, no other text. Keep descriptions under 20 words.
+"""

openhack/prompts/flask/__init__.py

@@ -0,0 +1,29 @@
+"""
+Flask vulnerability detection prompts, organized by attack type.
+"""
+
+from .injection import FLASK_INJECTION_PROMPT
+from .auth_bypass import FLASK_AUTH_BYPASS_PROMPT
+from .idor import FLASK_IDOR_PROMPT
+from .ssrf import FLASK_SSRF_PROMPT
+from .data_exposure import FLASK_DATA_EXPOSURE_PROMPT
+from .misconfiguration import FLASK_MISCONFIGURATION_PROMPT
+
+FLASK_PROMPTS = {
+    "injection": FLASK_INJECTION_PROMPT,
+    "auth_bypass": FLASK_AUTH_BYPASS_PROMPT,
+    "idor": FLASK_IDOR_PROMPT,
+    "ssrf": FLASK_SSRF_PROMPT,
+    "data_exposure": FLASK_DATA_EXPOSURE_PROMPT,
+    "misconfiguration": FLASK_MISCONFIGURATION_PROMPT,
+}
+
+__all__ = [
+    "FLASK_PROMPTS",
+    "FLASK_INJECTION_PROMPT",
+    "FLASK_AUTH_BYPASS_PROMPT",
+    "FLASK_IDOR_PROMPT",
+    "FLASK_SSRF_PROMPT",
+    "FLASK_DATA_EXPOSURE_PROMPT",
+    "FLASK_MISCONFIGURATION_PROMPT",
+]

openhack/prompts/flask/auth_bypass.py

@@ -0,0 +1,86 @@
+"""
+Flask authentication/authorization bypass detection prompt.
+"""
+
+FLASK_AUTH_BYPASS_PROMPT = """## Authentication/Authorization Bypass in Flask
+
+### What to Look For
+
+1. **Missing @login_required decorators**
+2. **Broken Flask-Login is_authenticated checks**
+3. **Unprotected Blueprint routes**
+4. **Flask-Admin without auth**
+
+### Flask-Specific Patterns
+
+**Missing Decorator (Vulnerable)**:
+```python
+# VULNERABLE: No auth on sensitive endpoint
+@app.route('/admin/users', methods=['GET', 'DELETE'])
+def manage_users():
+    if request.method == 'DELETE':
+        User.query.filter_by(id=request.form['id']).delete()
+        db.session.commit()
+    return jsonify([u.to_dict() for u in User.query.all()])
+
+# SAFE: Auth required
+@app.route('/admin/users')
+@login_required
+def manage_users():
+    ...
+```
+
+**Blueprint Without Auth (Vulnerable)**:
+```python
+# VULNERABLE: Entire blueprint has no auth
+admin_bp = Blueprint('admin', __name__, url_prefix='/admin')
+
+@admin_bp.route('/settings')
+def admin_settings():
+    return jsonify(get_all_settings())  # Exposed!
+
+# SAFE: before_request hook for entire blueprint
+@admin_bp.before_request
+@login_required
+def admin_auth():
+    if not current_user.is_admin:
+        abort(403)
+```
+
+**Flask-Admin Exposure (Vulnerable)**:
+```python
+# VULNERABLE: Flask-Admin with no auth
+from flask_admin import Admin
+admin = Admin(app)
+admin.add_view(ModelView(User, db.session))  # Anyone can CRUD users!
+
+# SAFE: Custom ModelView with auth
+class SecureModelView(ModelView):
+    def is_accessible(self):
+        return current_user.is_authenticated and current_user.is_admin
+```
+
+**JWT Misconfiguration (Vulnerable)**:
+```python
+# VULNERABLE: No algorithm restriction
+import jwt
+decoded = jwt.decode(token, secret, algorithms=None)  # Accepts 'none'!
+
+# VULNERABLE: Weak/hardcoded secret
+app.config['JWT_SECRET_KEY'] = 'super-secret'
+```
+
+### Search Patterns
+
+1. `grep` for: `@app\\.route`, `@.*\\.route` -- check for `@login_required`
+2. `grep` for: `Blueprint\\(` -- check if before_request has auth
+3. `grep` for: `Flask-Admin`, `ModelView` -- check for `is_accessible`
+4. `grep` for: `jwt\\.decode`, `JWT_SECRET_KEY`
+
+### Severity Assessment
+
+- **Critical**: Admin panels or management endpoints without auth
+- **High**: User data modification without auth
+- **Medium**: Read access to non-sensitive data
+- **Low**: Informational endpoints exposed
+"""

openhack/prompts/flask/data_exposure.py

@@ -0,0 +1,78 @@
+"""
+Flask data exposure detection prompt.
+"""
+
+FLASK_DATA_EXPOSURE_PROMPT = """## Data Exposure in Flask
+
+### What to Look For
+
+1. **jsonify(model.__dict__) leaking internal fields**
+2. **Marshmallow schemas exposing sensitive fields**
+3. **DEBUG=True with Werkzeug debugger (RCE!)**
+4. **Hardcoded app.secret_key**
+
+### Flask-Specific Patterns
+
+**Model Dump (Vulnerable)**:
+```python
+# VULNERABLE: Dumping full model including password hash
+@app.route('/api/users/<int:uid>')
+def get_user(uid):
+    user = User.query.get_or_404(uid)
+    return jsonify(user.__dict__)  # Includes _sa_instance_state, password_hash!
+
+# VULNERABLE: vars() or to_dict() without filtering
+return jsonify(vars(user))
+return jsonify({c.name: getattr(user, c.name) for c in user.__table__.columns})
+```
+
+**Marshmallow Over-Exposure (Vulnerable)**:
+```python
+# VULNERABLE: Includes sensitive fields
+class UserSchema(Schema):
+    class Meta:
+        fields = ('id', 'username', 'email', 'password_hash', 'is_admin', 'api_key')
+
+# SAFE: Exclude sensitive fields
+class UserSchema(Schema):
+    class Meta:
+        fields = ('id', 'username', 'email')
+```
+
+**Werkzeug Debugger (Critical)**:
+```python
+# VULNERABLE: DEBUG=True in production = Remote Code Execution!
+app.run(debug=True, host='0.0.0.0')
+# The Werkzeug debugger allows arbitrary Python execution in the browser
+# via the interactive console at /__debugger__
+
+# Also check:
+app.config['DEBUG'] = True
+FLASK_DEBUG=1  # in .env or environment
+```
+
+**Secret Key Exposure (Vulnerable)**:
+```python
+# VULNERABLE: Hardcoded secret (session forgery)
+app.secret_key = 'my-secret-key'
+app.config['SECRET_KEY'] = 'dev-secret'
+
+# VULNERABLE: Weak fallback
+app.secret_key = os.environ.get('SECRET_KEY', 'fallback-insecure')
+```
+
+### Search Patterns
+
+1. `grep` for: `jsonify\\(.*__dict__`, `jsonify\\(vars\\(`, `to_dict\\(`
+2. `grep` for: `debug=True`, `DEBUG = True`, `FLASK_DEBUG`
+3. `grep` for: `secret_key =`, `SECRET_KEY`
+4. `grep` for: `class.*Schema` -- check Meta.fields for sensitive columns
+
+### Severity Assessment
+
+- **Critical**: DEBUG=True in production (Werkzeug debugger = RCE)
+- **Critical**: Password hashes or API keys in API responses
+- **High**: Hardcoded SECRET_KEY (session forgery)
+- **High**: PII exposed to unauthorized users
+- **Medium**: Non-sensitive internal data leakage
+"""

openhack/prompts/flask/idor.py

@@ -0,0 +1,83 @@
+"""
+Flask IDOR (Insecure Direct Object Reference) detection prompt.
+"""
+
+FLASK_IDOR_PROMPT = """## IDOR (Insecure Direct Object Reference) Detection in Flask
+
+### What to Look For
+
+1. **URL parameters used directly in SQLAlchemy queries without ownership check**
+2. **Missing filter_by(user_id=current_user.id)**
+3. **Flask-RESTful resources without ownership validation**
+
+### Flask-Specific Patterns
+
+**Direct Query (Vulnerable)**:
+```python
+# VULNERABLE: No ownership check
+@app.route('/api/invoices/<int:invoice_id>')
+@login_required
+def get_invoice(invoice_id):
+    invoice = Invoice.query.get_or_404(invoice_id)
+    return jsonify(invoice.to_dict())  # Any user can view any invoice
+
+# SAFE: Scoped to user
+@app.route('/api/invoices/<int:invoice_id>')
+@login_required
+def get_invoice(invoice_id):
+    invoice = Invoice.query.filter_by(
+        id=invoice_id, user_id=current_user.id
+    ).first_or_404()
+    return jsonify(invoice.to_dict())
+```
+
+**db.session.get (Vulnerable)**:
+```python
+# VULNERABLE: Direct primary key lookup
+@app.route('/api/documents/<int:doc_id>', methods=['PUT'])
+@login_required
+def update_document(doc_id):
+    doc = db.session.get(Document, doc_id)  # No ownership check!
+    doc.title = request.json['title']
+    db.session.commit()
+```
+
+**Flask-RESTful (Vulnerable)**:
+```python
+# VULNERABLE: Resource without ownership
+class OrderResource(Resource):
+    @login_required
+    def get(self, order_id):
+        order = Order.query.get_or_404(order_id)
+        return marshal(order, order_fields)  # Any user's order!
+
+    @login_required
+    def delete(self, order_id):
+        order = Order.query.get_or_404(order_id)
+        db.session.delete(order)  # Can delete anyone's order!
+        db.session.commit()
+```
+
+**Marshmallow Nested (Vulnerable)**:
+```python
+# VULNERABLE: User can set owner in request body
+class ProjectSchema(Schema):
+    id = fields.Int(dump_only=True)
+    name = fields.Str(required=True)
+    owner_id = fields.Int()  # Writable! User can claim any owner
+```
+
+### Search Patterns
+
+1. `grep` for: `\\.get_or_404\\(`, `\\.get\\(`, `db\\.session\\.get\\(`
+2. `grep` for: `query\\.filter_by\\(id=` -- check for user scoping
+3. Check Flask-RESTful `Resource` classes for ownership checks
+4. Look for `request.args`, `request.form`, URL params flowing to queries
+
+### Severity Assessment
+
+- **Critical**: Access to other users' sensitive data (PII, financial)
+- **High**: Modification/deletion of other users' resources
+- **Medium**: Read access to non-sensitive resources
+- **Low**: Informational leaks with no impact
+"""

openhack/prompts/flask/injection.py

@@ -0,0 +1,77 @@
+"""
+Flask injection vulnerabilities detection prompt.
+"""
+
+FLASK_INJECTION_PROMPT = """## Injection Vulnerabilities in Flask
+
+### What to Look For
+
+1. **SQL injection via SQLAlchemy raw queries**
+2. **Jinja2 Server-Side Template Injection (SSTI)**
+3. **Command injection via subprocess/os**
+4. **eval/exec with request data**
+
+### Flask-Specific Patterns
+
+**SQLAlchemy Injection (Vulnerable)**:
+```python
+# VULNERABLE: text() with f-string
+from sqlalchemy import text
+result = db.session.execute(text(f"SELECT * FROM users WHERE name = '{name}'"))
+
+# VULNERABLE: db.engine.execute with format string
+db.engine.execute("SELECT * FROM users WHERE id = %s" % user_id)
+
+# VULNERABLE: filter with string interpolation
+User.query.filter(f"name = '{request.args['name']}'")
+
+# SAFE: Parameterized
+result = db.session.execute(text("SELECT * FROM users WHERE name = :name"), {"name": name})
+```
+
+**Jinja2 SSTI (Vulnerable)**:
+```python
+# VULNERABLE: render_template_string with user input
+from flask import render_template_string
+@app.route('/greet')
+def greet():
+    name = request.args.get('name')
+    return render_template_string(f'Hello {{name}}!')  # SSTI!
+    # Attack: ?name={{config.SECRET_KEY}} or {{''.__class__.__mro__[1].__subclasses__()}}
+
+# SAFE: Use render_template with separate template file
+return render_template('greet.html', name=name)
+```
+
+**Command Injection (Vulnerable)**:
+```python
+# VULNERABLE: shell=True with user input
+import subprocess
+subprocess.call(f"ping {request.form['host']}", shell=True)
+os.system(f"nslookup {request.args['domain']}")
+
+# SAFE: Argument list
+subprocess.call(["ping", "-c", "1", request.form['host']])
+```
+
+**Eval/Exec (Vulnerable)**:
+```python
+# VULNERABLE: eval with request data
+result = eval(request.form['expression'])
+exec(request.json['code'])
+```
+
+### Search Patterns
+
+1. `grep` for: `db\\.session\\.execute`, `db\\.engine\\.execute`, `text\\(`
+2. `grep` for: `render_template_string` -- almost always dangerous
+3. `grep` for: `subprocess`, `os\\.system`, `os\\.popen`, `shell=True`
+4. `grep` for: `eval\\(`, `exec\\(`, `compile\\(`
+
+### Severity Assessment
+
+- **Critical**: SQL injection allowing data extraction
+- **Critical**: SSTI (leads to RCE via Jinja2 sandbox escape)
+- **Critical**: Command injection
+- **High**: eval/exec with partially controlled input
+"""

openhack/prompts/flask/misconfiguration.py

@@ -0,0 +1,73 @@
+"""
+Flask security misconfiguration detection prompt.
+"""
+
+FLASK_MISCONFIGURATION_PROMPT = """## Security Misconfiguration in Flask
+
+### What to Look For
+
+1. **app.secret_key hardcoded or weak**
+2. **DEBUG=True in production (Werkzeug debugger = RCE)**
+3. **Missing session cookie security flags**
+4. **Overly permissive CORS**
+
+### Flask-Specific Patterns
+
+**Secret Key (Vulnerable)**:
+```python
+# VULNERABLE: Hardcoded secret key
+app.secret_key = 'super-secret-key-123'
+app.config['SECRET_KEY'] = 'development'
+
+# VULNERABLE: Predictable or short secret
+app.secret_key = 'secret'
+
+# VULNERABLE: Weak fallback default
+app.secret_key = os.environ.get('SECRET_KEY', 'default-key')
+```
+
+**Cookie Security (Vulnerable)**:
+```python
+# VULNERABLE: Missing security flags
+app.config['SESSION_COOKIE_SECURE'] = False     # Sent over HTTP
+app.config['SESSION_COOKIE_HTTPONLY'] = False    # JS accessible
+app.config['SESSION_COOKIE_SAMESITE'] = None    # Cross-site allowed
+app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(days=365)  # 1 year sessions!
+```
+
+**CORS Misconfiguration (Vulnerable)**:
+```python
+# VULNERABLE: Allow all origins
+from flask_cors import CORS
+CORS(app)  # Default allows all origins
+
+# VULNERABLE: Wildcard with credentials
+CORS(app, origins='*', supports_credentials=True)
+
+# SAFE: Specific origins
+CORS(app, origins=['https://app.example.com'], supports_credentials=True)
+```
+
+**Host Header (Vulnerable)**:
+```python
+# VULNERABLE: Running on 0.0.0.0 without SERVER_NAME
+app.run(host='0.0.0.0', port=5000)
+# No SERVER_NAME set -- accepts any Host header
+```
+
+### Search Patterns
+
+1. `grep` for: `secret_key`, `SECRET_KEY` in app config
+2. `grep` for: `debug=True`, `DEBUG = True`, `FLASK_DEBUG`
+3. `grep` for: `SESSION_COOKIE_SECURE`, `SESSION_COOKIE_HTTPONLY`
+4. `grep` for: `CORS\\(`, `flask_cors`
+5. `grep` for: `app\\.run\\(` -- check for debug and host params
+
+### Severity Assessment
+
+- **Critical**: DEBUG=True on public host (Werkzeug debugger = RCE)
+- **High**: Hardcoded or weak SECRET_KEY (session forgery, cookie tampering)
+- **Medium**: Missing cookie security flags
+- **Medium**: CORS allowing all origins with credentials
+- **Low**: Missing HTTPS enforcement headers
+"""

openhack/prompts/flask/ssrf.py

@@ -0,0 +1,65 @@
+"""
+Flask SSRF detection prompt.
+"""
+
+FLASK_SSRF_PROMPT = """## SSRF (Server-Side Request Forgery) in Flask
+
+### What to Look For
+
+1. **User-controlled URLs passed to requests/urllib/httpx**
+2. **Webhook/callback URL injection**
+3. **URL fetching in import, preview, or proxy features**
+
+### Flask-Specific Patterns
+
+**Requests Library (Vulnerable)**:
+```python
+# VULNERABLE: User controls URL
+@app.route('/api/preview')
+def preview():
+    url = request.args.get('url')
+    response = requests.get(url)  # SSRF!
+    return jsonify({"content": response.text[:500]})
+
+# VULNERABLE: Webhook callback
+@app.route('/api/webhooks', methods=['POST'])
+@login_required
+def create_webhook():
+    url = request.json['callback_url']
+    Webhook.create(url=url, user_id=current_user.id)
+    # Later: requests.post(webhook.url, json=event) -- hits internal services
+```
+
+**urllib (Vulnerable)**:
+```python
+# VULNERABLE: urlopen with user URL
+from urllib.request import urlopen
+@app.route('/api/import')
+def import_data():
+    url = request.form['source']
+    data = urlopen(url).read()  # file://, http://169.254.169.254, etc.
+    return process(data)
+```
+
+**httpx / aiohttp (Vulnerable)**:
+```python
+# VULNERABLE: async HTTP client with user URL
+import httpx
+async with httpx.AsyncClient() as client:
+    r = await client.get(request.json['url'])
+```
+
+### Search Patterns
+
+1. `grep` for: `requests\\.get\\(`, `requests\\.post\\(`, `requests\\.head\\(`
+2. `grep` for: `urlopen\\(`, `urllib\\.request`
+3. `grep` for: `httpx`, `aiohttp`
+4. Trace whether the URL argument originates from `request.args`, `request.form`, `request.json`
+
+### Severity Assessment
+
+- **High**: SSRF reaching internal services or cloud metadata
+- **High**: SSRF with response body returned to attacker
+- **Medium**: Blind SSRF (request sent, no response returned)
+- **Low**: SSRF limited to specific protocols/hosts by validation
+"""