strix-agent 0.4.0__py3-none-any.whl

strix/prompts/vulnerabilities/idor.jinja

@@ -0,0 +1,195 @@
+<idor_vulnerability_guide>
+<title>INSECURE DIRECT OBJECT REFERENCE (IDOR)</title>
+
+<critical>Object- and function-level authorization failures (BOLA/IDOR) routinely lead to cross-account data exposure and unauthorized state changes across APIs, web, mobile, and microservices. Treat every object reference as untrusted until proven bound to the caller.</critical>
+
+<scope>
+- Horizontal access: access another subject's objects of the same type
+- Vertical access: access privileged objects/actions (admin-only, staff-only)
+- Cross-tenant access: break isolation boundaries in multi-tenant systems
+- Cross-service access: token or context accepted by the wrong service
+</scope>
+
+<methodology>
+1. Build a Subject × Object × Action matrix (who can do what to which resource).
+2. For each resource type, obtain at least two principals: owner and non-owner (plus admin/staff if applicable). Capture at least one valid object ID per principal.
+3. Exercise every action (R/W/D/Export) while swapping IDs, tokens, tenants, and channels (web, mobile, API, GraphQL, WebSocket, gRPC).
+4. Track consistency: the same rule must hold regardless of transport, content-type, serialization, or gateway.
+</methodology>
+
+<discovery_techniques>
+<parameter_analysis>
+- Object references appear in: paths, query params, JSON bodies, form-data, headers, cookies, JWT claims, GraphQL arguments, WebSocket messages, gRPC messages
+- Identifier forms: integers, UUID/ULID/CUID, Snowflake, slugs, composite keys (e.g., {orgId}:{userId}), opaque tokens, base64/hex-encoded blobs
+- Relationship references: parentId, ownerId, accountId, tenantId, organization, teamId, projectId, subscriptionId
+- Expansion/projection knobs: fields, include, expand, projection, with, select, populate (often bypass authorization in resolvers or serializers)
+- Pagination/cursors: page[offset], page[limit], cursor, nextPageToken (often reveal or accept cross-tenant/state)
+</parameter_analysis>
+
+<advanced_enumeration>
+- Alternate types: {% raw %}{"id":123}{% endraw} vs {% raw %}{"id":"123"}{% endraw}, arrays vs scalars, objects vs scalars, null/empty/0/-1/MAX_INT, scientific notation, overflows, unknown attributes retained by backend
+- Duplicate keys/parameter pollution: id=1&id=2, JSON duplicate keys {% raw %}{"id":1,"id":2}{% endraw} (parser precedence differences)
+- Case/aliasing: userId vs userid vs USER_ID; alt names like resourceId, targetId, account
+- Path traversal-like in virtual file systems: /files/user_123/../../user_456/report.csv
+- Directory/list endpoints as seeders: search/list/suggest/export often leak object IDs for secondary exploitation
+</advanced_enumeration>
+</discovery_techniques>
+
+<high_value_targets>
+- Exports/backups/reporting endpoints (CSV/PDF/ZIP)
+- Messaging/mailbox/notifications, audit logs, activity feeds
+- Billing: invoices, payment methods, transactions, credits
+- Healthcare/education records, HR documents, PII/PHI/PCI
+- Admin/staff tools, impersonation/session management
+- File/object storage keys (S3/GCS signed URLs, share links)
+- Background jobs: import/export job IDs, task results
+- Multi-tenant resources: organizations, workspaces, projects
+</high_value_targets>
+
+<exploitation_techniques>
+<horizontal_vertical>
+- Swap object IDs between principals using the same token to probe horizontal access; then repeat with lower-privilege tokens to probe vertical access
+- Target partial updates (PATCH, JSON Patch/JSON Merge Patch) for silent unauthorized modifications
+</horizontal_vertical>
+
+<bulk_and_batch>
+- Batch endpoints (bulk update/delete) often validate only the first element; include cross-tenant IDs mid-array
+- CSV/JSON imports referencing foreign object IDs (ownerId, orgId) may bypass create-time checks
+</bulk_and_batch>
+
+<secondary_idor>
+- Use list/search endpoints, notifications, emails, webhooks, and client logs to collect valid IDs, then fetch or mutate those objects directly
+- Pagination/cursor manipulation to skip filters and pull other users' pages
+</secondary_idor>
+
+<job_task_objects>
+- Access job/task IDs from one user to retrieve results for another (export/{jobId}/download, reports/{taskId})
+- Cancel/approve someone else's jobs by referencing their task IDs
+</job_task_objects>
+
+<file_object_storage>
+- Direct object paths or weakly scoped signed URLs; attempt key prefix changes, content-disposition tricks, or stale signatures reused across tenants
+- Replace share tokens with tokens from other tenants; try case/URL-encoding variations
+</file_object_storage>
+</exploitation_techniques>
+
+<advanced_techniques>
+<graphql>
+- Enforce resolver-level checks: do not rely on a top-level gate. Verify field and edge resolvers bind the resource to the caller on every hop
+- Abuse batching/aliases to retrieve multiple users' nodes in one request and compare responses
+- Global node patterns (Relay): decode base64 IDs and swap raw IDs; test {% raw %}node(id: "...base64..."){...}{% endraw %}
+- Overfetching via fragments on privileged types; verify hidden fields cannot be queried by unprivileged callers
+- Example:
+{% raw %}
+query IDOR {
+  me { id }
+  u1: user(id: "VXNlcjo0NTY=") { email billing { last4 } }
+  u2: node(id: "VXNlcjo0NTc=") { ... on User { email } }
+}
+{% endraw %}
+</graphql>
+
+<microservices_gateways>
+- Token confusion: a token scoped for Service A accepted by Service B due to shared JWT verification but missing audience/claims checks
+- Trust on headers: reverse proxies or API gateways injecting/trusting headers like X-User-Id, X-Organization-Id; try overriding or removing them
+- Context loss: async consumers (queues, workers) re-process requests without re-checking authorization
+</microservices_gateways>
+
+<multi_tenant>
+- Probe tenant scoping through headers, subdomains, and path params (e.g., X-Tenant-ID, org slug). Try mixing org of token with resource from another org
+- Test cross-tenant reports/analytics rollups and admin views which aggregate multiple tenants
+</multi_tenant>
+
+<uuid_and_opaque_ids>
+- UUID/ULID are not authorization: acquire valid IDs from logs, exports, JS bundles, analytics endpoints, emails, or public activity, then test ownership binding
+- Time-based IDs (UUIDv1, ULID) may be guessable within a window; combine with leakage sources for targeted access
+</uuid_and_opaque_ids>
+
+<blind_channels>
+- Use differential responses (status, size, ETag, timing) to detect existence; error shape often differs for owned vs foreign objects
+- HEAD/OPTIONS, conditional requests (If-None-Match/If-Modified-Since) can confirm existence without full content
+</blind_channels>
+</advanced_techniques>
+
+<bypass_techniques>
+<parser_and_transport>
+- Content-type switching: application/json ↔ application/x-www-form-urlencoded ↔ multipart/form-data; some paths enforce checks per parser
+- Method tunneling: X-HTTP-Method-Override, _method=PATCH; or using GET on endpoints incorrectly accepting state changes
+- JSON duplicate keys/array injection to bypass naive validators
+</parser_and_transport>
+
+<parameter_pollution>
+- Duplicate parameters in query/body to influence server-side precedence (id=123&id=456); try both orderings
+- Mix case/alias param names so gateway and backend disagree (userId vs userid)
+</parameter_pollution>
+
+<cache_and_gateway>
+- CDN/proxy key confusion: responses keyed without Authorization or tenant headers expose cached objects to other users; manipulate Vary and Accept
+- Redirect chains and 304/206 behaviors can leak content across tenants
+</cache_and_gateway>
+
+<race_windows>
+- Time-of-check vs time-of-use: change the referenced ID between validation and execution using parallel requests
+</race_windows>
+</bypass_techniques>
+
+<special_contexts>
+<websocket>
+- Authorization per-subscription: ensure channel/topic names cannot be guessed (user_{id}, org_{id}); subscribe/publish checks must run server-side, not only at handshake
+- Try sending messages with target user IDs after subscribing to own channels
+</websocket>
+
+<grpc>
+- Direct protobuf fields (owner_id, tenant_id) often bypass HTTP-layer middleware; validate references via grpcurl with tokens from different principals
+</grpc>
+
+<integrations>
+- Webhooks/callbacks referencing foreign objects (e.g., invoice_id) processed without verifying ownership
+- Third-party importers syncing data into wrong tenant due to missing tenant binding
+</integrations>
+</special_contexts>
+
+<chaining_attacks>
+- IDOR + CSRF: force victims to trigger unauthorized changes on objects you discovered
+- IDOR + Stored XSS: pivot into other users' sessions through data you gained access to
+- IDOR + SSRF: exfiltrate internal IDs, then access their corresponding resources
+- IDOR + Race: bypass spot checks with simultaneous requests
+</chaining_attacks>
+
+<validation>
+1. Demonstrate access to an object not owned by the caller (content or metadata).
+2. Show the same request fails with appropriately enforced authorization when corrected.
+3. Prove cross-channel consistency: same unauthorized access via at least two transports (e.g., REST and GraphQL).
+4. Document tenant boundary violations (if applicable).
+5. Provide reproducible steps and evidence (requests/responses for owner vs non-owner).
+</validation>
+
+<false_positives>
+- Public/anonymous resources by design
+- Soft-privatized data where content is already public
+- Idempotent metadata lookups that do not reveal sensitive content
+- Correct row-level checks enforced across all channels
+</false_positives>
+
+<impact>
+- Cross-account data exposure (PII/PHI/PCI)
+- Unauthorized state changes (transfers, role changes, cancellations)
+- Cross-tenant data leaks violating contractual and regulatory boundaries
+- Regulatory risk (GDPR/HIPAA/PCI), fraud, reputational damage
+</impact>
+
+<pro_tips>
+1. Always test list/search/export endpoints first; they are rich ID seeders.
+2. Build a reusable ID corpus from logs, notifications, emails, and client bundles.
+3. Toggle content-types and transports; authorization middleware often differs per stack.
+4. In GraphQL, validate at resolver boundaries; never trust parent auth to cover children.
+5. In multi-tenant apps, vary org headers, subdomains, and path params independently.
+6. Check batch/bulk operations and background job endpoints; they frequently skip per-item checks.
+7. Inspect gateways for header trust and cache key configuration.
+8. Treat UUIDs as untrusted; obtain them via OSINT/leaks and test binding.
+9. Use timing/size/ETag differentials for blind confirmation when content is masked.
+10. Prove impact with precise before/after diffs and role-separated evidence.
+</pro_tips>
+
+<remember>Authorization must bind subject, action, and specific object on every request, regardless of identifier opacity or transport. If the binding is missing anywhere, the system is vulnerable.</remember>
+</idor_vulnerability_guide>

strix/prompts/vulnerabilities/information_disclosure.jinja

@@ -0,0 +1,222 @@
+<information_disclosure_vulnerability_guide>
+<title>INFORMATION DISCLOSURE</title>
+
+<critical>Information leaks accelerate exploitation by revealing code, configuration, identifiers, and trust boundaries. Treat every response byte, artifact, and header as potential intelligence. Minimize, normalize, and scope disclosure across all channels.</critical>
+
+<scope>
+- Errors and exception pages: stack traces, file paths, SQL, framework versions
+- Debug/dev tooling reachable in prod: debuggers, profilers, feature flags
+- DVCS/build artifacts and temp/backup files: .git, .svn, .hg, .bak, .swp, archives
+- Configuration and secrets: .env, phpinfo, appsettings.json, Docker/K8s manifests
+- API schemas and introspection: OpenAPI/Swagger, GraphQL introspection, gRPC reflection
+- Client bundles and source maps: webpack/Vite maps, embedded env, __NEXT_DATA__, static JSON
+- Headers and response metadata: Server/X-Powered-By, tracing, ETag, Accept-Ranges, Server-Timing
+- Storage/export surfaces: public buckets, signed URLs, export/download endpoints
+- Observability/admin: /metrics, /actuator, /health, tracing UIs (Jaeger, Zipkin), Kibana, Admin UIs
+- Directory listings and indexing: autoindex, sitemap/robots revealing hidden routes
+- Cross-origin signals: CORS misconfig, Referrer-Policy leakage, Expose-Headers
+- File/document metadata: EXIF, PDF/Office properties
+</scope>
+
+<methodology>
+1. Build a channel map: Web, API, GraphQL, WebSocket, gRPC, mobile, background jobs, exports, CDN.
+2. Establish a diff harness: compare owner vs non-owner vs anonymous across transports; normalize on status/body length/ETag/headers.
+3. Trigger controlled failures: send malformed types, boundary values, missing params, and alternate content-types to elicit error detail and stack traces.
+4. Enumerate artifacts: DVCS folders, backups, config endpoints, source maps, client bundles, API docs, observability routes.
+5. Correlate disclosures to impact: versions→CVE, paths→LFI/RCE, keys→cloud access, schemas→auth bypass, IDs→IDOR.
+</methodology>
+
+<surfaces>
+<errors_and_exceptions>
+- SQL/ORM errors: reveal table/column names, DBMS, query fragments
+- Stack traces: absolute paths, class/method names, framework versions, developer emails
+- Template engine probes: {% raw %}{{7*7}}, ${7*7}{% endraw %} identify templating stack and code paths
+- JSON/XML parsers: type mismatches and coercion logs leak internal model names
+</errors_and_exceptions>
+
+<debug_and_env_modes>
+- Debug pages and flags: Django DEBUG, Laravel Telescope, Rails error pages, Flask/Werkzeug debugger, ASP.NET customErrors Off
+- Profiler endpoints: /debug/pprof, /actuator, /_profiler, custom /debug APIs
+- Feature/config toggles exposed in JS or headers; admin/staff banners in HTML
+</debug_and_env_modes>
+
+<dvcs_and_backups>
+- DVCS: /.git/ (HEAD, config, index, objects), .svn/entries, .hg/store → reconstruct source and secrets
+- Backups/temp: .bak/.old/~/.swp/.swo/.tmp/.orig, db dumps, zipped deployments under /backup/, /old/, /archive/
+- Build artifacts: dist artifacts containing .map, env prints, internal URLs
+</dvcs_and_backups>
+
+<configs_and_secrets>
+- Classic: web.config, appsettings.json, settings.py, config.php, phpinfo.php
+- Containers/cloud: Dockerfile, docker-compose.yml, Kubernetes manifests, service account tokens, cloud credentials files
+- Credentials and connection strings; internal hosts and ports; JWT secrets
+</configs_and_secrets>
+
+<api_schemas_and_introspection>
+- OpenAPI/Swagger: /swagger, /api-docs, /openapi.json — enumerate hidden/privileged operations
+- GraphQL: introspection enabled; field suggestions; error disclosure via invalid fields; persisted queries catalogs
+- gRPC: server reflection exposing services/messages; proto download via reflection
+</api_schemas_and_introspection>
+
+<client_bundles_and_maps>
+- Source maps (.map) reveal original sources, comments, and internal logic
+- Client env leakage: NEXT_PUBLIC_/VITE_/REACT_APP_ variables; runtime config; embedded secrets accidentally shipped
+- Next.js data: __NEXT_DATA__ and pre-fetched JSON under /_next/data can include internal IDs, flags, or PII
+- Static JSON/CSV feeds used by the UI that bypass server-side auth filtering
+</client_bundles_and_maps>
+
+<headers_and_response_metadata>
+- Fingerprinting: Server, X-Powered-By, X-AspNet-Version
+- Tracing: X-Request-Id, traceparent, Server-Timing, debug headers
+- Caching oracles: ETag/If-None-Match, Last-Modified/If-Modified-Since, Accept-Ranges/Range (partial content reveals)
+- Content sniffing and MIME metadata that implies backend components
+</headers_and_response_metadata>
+
+<storage_and_exports>
+- Public object storage: S3/GCS/Azure blobs with world-readable ACLs or guessable keys
+- Signed URLs: long-lived, weakly scoped, re-usable across tenants; metadata leaks in headers
+- Export/report endpoints returning foreign data sets or unfiltered fields
+</storage_and_exports>
+
+<observability_and_admin>
+- Metrics: Prometheus /metrics exposing internal hostnames, process args, SQL, credentials by mistake
+- Health/config: /actuator/health, /actuator/env, Spring Boot info endpoints
+- Tracing UIs and dashboards: Jaeger/Zipkin/Kibana/Grafana exposed without auth
+</observability_and_admin>
+
+<directory_and_indexing>
+- Autoindex on /uploads/, /files/, /logs/, /tmp/, /assets/
+- Robots/sitemap reveal hidden paths, admin panels, export feeds
+</directory_and_indexing>
+
+<cross_origin_signals>
+- Referrer leakage: missing/referrer policy leading to path/query/token leaks to third parties
+- CORS: overly permissive Access-Control-Allow-Origin/Expose-Headers revealing data cross-origin; preflight error shapes
+</cross_origin_signals>
+
+<file_metadata>
+- EXIF, PDF/Office properties: authors, paths, software versions, timestamps, embedded objects
+</file_metadata>
+</surfaces>
+
+<advanced_techniques>
+<differential_oracles>
+- Compare owner vs non-owner vs anonymous for the same resource and track: status, length, ETag, Last-Modified, Cache-Control
+- HEAD vs GET: header-only differences can confirm existence or type without content
+- Conditional requests: 304 vs 200 behaviors leak existence/state; binary search content size via Range requests
+</differential_oracles>
+
+<cdn_and_cache_keys>
+- Identity-agnostic caches: CDN/proxy keys missing Authorization/tenant headers → cross-user cached responses
+- Vary misconfiguration: user-agent/language vary without auth vary leaks alternate content
+- 206 partial content + stale caches leak object fragments
+</cdn_and_cache_keys>
+
+<cross_channel_mirroring>
+- Inconsistent hardening between REST, GraphQL, WebSocket, and gRPC; one channel leaks schema or fields hidden in others
+- SSR vs CSR: server-rendered pages omit fields while JSON API includes them; compare responses
+</cross_channel_mirroring>
+
+<introspection_and_reflection>
+- GraphQL: disabled introspection still leaks via errors, fragment suggestions, and client bundles containing schema
+- gRPC reflection: list services/messages and infer internal resource names and flows
+</introspection_and_reflection>
+
+<cloud_specific>
+- S3/GCS/Azure: anonymous listing disabled but object reads allowed; metadata headers leak owner/project identifiers
+- Pre-signed URLs: audience not bound; observe key scope and lifetime in URL params
+</cloud_specific>
+</advanced_techniques>
+
+<usefulness_assessment>
+- Actionable signals:
+  - Secrets/keys/tokens that grant new access (DB creds, cloud keys, JWT signing/refresh, signed URL secrets)
+  - Versions with a reachable, unpatched CVE on an exposed path
+  - Cross-tenant identifiers/data or per-user fields that differ by principal
+  - File paths, service hosts, or internal URLs that enable LFI/SSRF/RCE pivots
+  - Cache/CDN differentials (Vary/ETag/Range) that expose other users' content
+  - Schema/introspection revealing hidden operations or fields that return sensitive data
+- Likely benign or intended:
+  - Public docs or non-sensitive metadata explicitly documented as public
+  - Generic server names without precise versions or exploit path
+  - Redacted/sanitized fields with stable length/ETag across principals
+  - Per-user data visible only to the owner and consistent with privacy policy
+</usefulness_assessment>
+
+<triage_rubric>
+- Critical: Credentials/keys; signed URL secrets; config dumps; unrestricted admin/observability panels
+- High: Versions with reachable CVEs; cross-tenant data; caches serving cross-user content; schema enabling auth bypass
+- Medium: Internal paths/hosts enabling LFI/SSRF pivots; source maps revealing hidden endpoints/IDs
+- Low: Generic headers, marketing versions, intended documentation without exploit path
+- Guidance: Always attempt a minimal, reversible proof for Critical/High; if no safe chain exists, document precise blocker and downgrade
+</triage_rubric>
+
+<escalation_playbook>
+- If DVCS/backups/configs → extract secrets; test least-privileged read; rotate after coordinated disclosure
+- If versions → map to CVE; verify exposure; execute minimal PoC under strict scope
+- If schema/introspection → call hidden/privileged fields with non-owner tokens; confirm auth gaps
+- If source maps/client JSON → mine endpoints/IDs/flags; pivot to IDOR/listing; validate filtering
+- If cache/CDN keys → demonstrate cross-user cache leak via Vary/ETag/Range; escalate to broken access control
+- If paths/hosts → target LFI/SSRF with harmless reads (e.g., /etc/hostname, metadata headers); avoid destructive actions
+- If observability/admin → enumerate read-only info first; prove data scope breach; avoid write/exec operations
+</escalation_playbook>
+
+<exploitation_chains>
+<credential_extraction>
+- DVCS/config dumps exposing secrets (DB, SMTP, JWT, cloud)
+- Keys → cloud control plane access; rotate and verify scope
+</credential_extraction>
+
+<version_to_cve>
+1. Derive precise component versions from headers/errors/bundles.
+2. Map to known CVEs and confirm reachability.
+3. Execute minimal proof targeting disclosed component.
+</version_to_cve>
+
+<path_disclosure_to_lfi>
+1. Paths from stack traces/templates reveal filesystem layout.
+2. Use LFI/traversal to fetch config/keys.
+3. Prove controlled access without altering state.
+</path_disclosure_to_lfi>
+
+<schema_to_auth_bypass>
+1. Schema reveals hidden fields/endpoints.
+2. Attempt requests with those fields; confirm missing authorization or field filtering.
+</schema_to_auth_bypass>
+</exploitation_chains>
+
+<validation>
+1. Provide raw evidence (headers/body/artifact) and explain exact data revealed.
+2. Determine intent: cross-check docs/UX; classify per triage rubric (Critical/High/Medium/Low).
+3. Attempt minimal, reversible exploitation or present a concrete step-by-step chain (what to try next and why).
+4. Show reproducibility and minimal request set; include cross-channel confirmation where applicable.
+5. Bound scope (user, tenant, environment) and data sensitivity classification.
+</validation>
+
+<false_positives>
+- Intentional public docs or non-sensitive metadata with no exploit path
+- Generic errors with no actionable details
+- Redacted fields that do not change differential oracles (length/ETag stable)
+- Version banners with no exposed vulnerable surface and no chain
+- Owner-visible-only details that do not cross identity/tenant boundaries
+</false_positives>
+
+<impact>
+- Accelerated exploitation of RCE/LFI/SSRF via precise versions and paths
+- Credential/secret exposure leading to persistent external compromise
+- Cross-tenant data disclosure through exports, caches, or mis-scoped signed URLs
+- Privacy/regulatory violations and business intelligence leakage
+</impact>
+
+<pro_tips>
+1. Start with artifacts (DVCS, backups, maps) before payloads; artifacts yield the fastest wins.
+2. Normalize responses and diff by digest to reduce noise when comparing roles.
+3. Hunt source maps and client data JSON; they often carry internal IDs and flags.
+4. Probe caches/CDNs for identity-unaware keys; verify Vary includes Authorization/tenant.
+5. Treat introspection and reflection as configuration findings across GraphQL/gRPC; validate per environment.
+6. Mine observability endpoints last; they are noisy but high-yield in misconfigured setups.
+7. Chain quickly to a concrete risk and stop—proof should be minimal and reversible.
+</pro_tips>
+
+<remember>Information disclosure is an amplifier. Convert leaks into precise, minimal exploits or clear architectural risks.</remember>
+</information_disclosure_vulnerability_guide>

strix/prompts/vulnerabilities/insecure_file_uploads.jinja

@@ -0,0 +1,188 @@
+<insecure_file_uploads_guide>
+<title>INSECURE FILE UPLOADS</title>
+
+<critical>Upload surfaces are high risk: server-side execution (RCE), stored XSS, malware distribution, storage takeover, and DoS. Modern stacks mix direct-to-cloud uploads, background processors, and CDNs—authorization and validation must hold across every step.</critical>
+
+<scope>
+- Web/mobile/API uploads, direct-to-cloud (S3/GCS/Azure) presigned flows, resumable/multipart protocols (tus, S3 MPU)
+- Image/document/media pipelines (ImageMagick/GraphicsMagick, Ghostscript, ExifTool, PDF engines, office converters)
+- Admin/bulk importers, archive uploads (zip/tar), report/template uploads, rich text with attachments
+- Serving paths: app directly, object storage, CDN, email attachments, previews/thumbnails
+</scope>
+
+<methodology>
+1. Map the pipeline: client → ingress (edge/app/gateway) → storage → processors (thumb, OCR, AV, CDR) → serving (app/storage/CDN). Note where validation and auth occur.
+2. Identify allowed types, size limits, filename rules, storage keys, and who serves the content. Collect baseline uploads per type and capture resulting URLs and headers.
+3. Exercise bypass families systematically: extension games, MIME/content-type, magic bytes, polyglots, metadata payloads, archive structure, chunk/finalize differentials.
+4. Validate execution and rendering: can uploaded content execute on server or client? Confirm with minimal PoCs and headers analysis.
+</methodology>
+
+<discovery_techniques>
+<surface_map>
+- Endpoints/fields: upload, file, avatar, image, attachment, import, media, document, template
+- Direct-to-cloud params: key, bucket, acl, Content-Type, Content-Disposition, x-amz-meta-*, cache-control
+- Resumable APIs: create/init → upload/chunk → complete/finalize; check if metadata/headers can be altered late
+- Background processors: thumbnails, PDF→image, virus scan queues; identify timing and status transitions
+</surface_map>
+
+<capability_probes>
+- Small probe files of each claimed type; diff resulting Content-Type, Content-Disposition, and X-Content-Type-Options on download
+- Magic bytes vs extension: JPEG/GIF/PNG headers; mismatches reveal reliance on extension or MIME sniffing
+- SVG/HTML probe: do they render inline (text/html or image/svg+xml) or download (attachment)?
+- Archive probe: simple zip with nested path traversal entries and symlinks to detect extraction rules
+</capability_probes>
+</discovery_techniques>
+
+<detection_channels>
+<server_execution>
+- Web shell execution (language dependent), config/handler uploads (.htaccess, .user.ini, web.config) enabling execution
+- Interpreter-side template/script evaluation during conversion (ImageMagick/Ghostscript/ExifTool)
+</server_execution>
+
+<client_execution>
+- Stored XSS via SVG/HTML/JS if served inline without correct headers; PDF JavaScript; office macros in previewers
+</client_execution>
+
+<header_and_render>
+- Missing X-Content-Type-Options: nosniff enabling browser sniff to script
+- Content-Type reflection from upload vs server-set; Content-Disposition: inline vs attachment
+</header_and_render>
+
+<process_side_effects>
+- AV/CDR race or absence; background job status allows access before scan completes; password-protected archives bypass scanning
+</process_side_effects>
+</detection_channels>
+
+<core_payloads>
+<web_shells_and_configs>
+- PHP: GIF polyglot (starts with GIF89a) followed by <?php echo 1; ?>; place where PHP is executed
+- .htaccess to map extensions to code (AddType/AddHandler); .user.ini (auto_prepend/append_file) for PHP-FPM
+- ASP/JSP equivalents where supported; IIS web.config to enable script execution
+</web_shells_and_configs>
+
+<stored_xss>
+- SVG with onload/onerror handlers served as image/svg+xml or text/html
+- HTML file with script when served as text/html or sniffed due to missing nosniff
+</stored_xss>
+
+<mime_magic_polyglots>
+- Double extensions: avatar.jpg.php, report.pdf.html; mixed casing: .pHp, .PhAr
+- Magic-byte spoofing: valid JPEG header then embedded script; verify server uses content inspection, not extensions alone
+</mime_magic_polyglots>
+
+<archive_attacks>
+- Zip Slip: entries with ../../ to escape extraction dir; symlink-in-zip pointing outside target; nested zips
+- Zip bomb: extreme compression ratios (e.g., 42.zip) to exhaust resources in processors
+</archive_attacks>
+
+<toolchain_exploits>
+- ImageMagick/GraphicsMagick legacy vectors (policy.xml may mitigate): crafted SVG/PS/EPS invoking external commands or reading files
+- Ghostscript in PDF/PS with file operators (%pipe%)
+- ExifTool metadata parsing bugs; overly large or crafted EXIF/IPTC/XMP fields
+</toolchain_exploits>
+
+<cloud_storage_vectors>
+- S3/GCS presigned uploads: attacker controls Content-Type/Disposition; set text/html or image/svg+xml and inline rendering
+- Public-read ACL or permissive bucket policies expose uploads broadly; object key injection via user-controlled path prefixes
+- Signed URL reuse and stale URLs; serving directly from bucket without attachment + nosniff headers
+</cloud_storage_vectors>
+</core_payloads>
+
+<advanced_techniques>
+<resumable_multipart>
+- Change metadata between init and complete (e.g., swap Content-Type/Disposition at finalize)
+- Upload benign chunks, then swap last chunk or complete with different source if server trusts client-side digests only
+</resumable_multipart>
+
+<filename_and_path>
+- Unicode homoglyphs, trailing dots/spaces, device names, reserved characters to bypass validators and filesystem rules
+- Null-byte truncation on legacy stacks; overlong paths; case-insensitive collisions overwriting existing files
+</filename_and_path>
+
+<processing_races>
+- Request file immediately after upload but before AV/CDR completes; or during derivative creation to get unprocessed content
+- Trigger heavy conversions (large images, deep PDFs) to widen race windows
+</processing_races>
+
+<metadata_abuse>
+- Oversized EXIF/XMP/IPTC blocks to trigger parser flaws; payloads in document properties of Office/PDF rendered by previewers
+</metadata_abuse>
+
+<header_manipulation>
+- Force inline rendering with Content-Type + inline Content-Disposition; test browsers with and without nosniff
+- Cache poisoning via CDN with keys missing Vary on Content-Type/Disposition
+</header_manipulation>
+</advanced_techniques>
+
+<filter_bypasses>
+<validation_gaps>
+- Client-side only checks; relying on JS/MIME provided by browser; trusting multipart boundary part headers blindly
+- Extension allowlists without server-side content inspection; magic-bytes only without full parsing
+</validation_gaps>
+
+<evasion_tricks>
+- Double extensions, mixed case, hidden dotfiles, extra dots (file..png), long paths with allowed suffix
+- Multipart name vs filename vs path discrepancies; duplicate parameters and late parameter precedence
+</evasion_tricks>
+</filter_bypasses>
+
+<special_contexts>
+<rich_text_editors>
+- RTEs allow image/attachment uploads and embed links; verify sanitization and serving headers for embedded content
+</rich_text_editors>
+
+<mobile_clients>
+- Mobile SDKs may send nonstandard MIME or metadata; servers sometimes trust client-side transformations or EXIF orientation
+</mobile_clients>
+
+<serverless_and_cdn>
+- Direct-to-bucket uploads with Lambda/Workers post-processing; verify that security decisions are not delegated to frontends
+- CDN caching of uploaded content; ensure correct cache keys and headers (attachment, nosniff)
+</serverless_and_cdn>
+</special_contexts>
+
+<parser_hardening>
+- Validate on server: strict allowlist by true type (parse enough to confirm), size caps, and structural checks (dimensions, page count)
+- Strip active content: convert SVG→PNG; remove scripts/JS from PDF; disable macros; normalize EXIF; consider CDR for risky types
+- Store outside web root; serve via application or signed, time-limited URLs with Content-Disposition: attachment and X-Content-Type-Options: nosniff
+- For cloud: private buckets, per-request signed GET, enforce Content-Type/Disposition on GET responses from your app/gateway
+- Disable execution in upload paths; ignore .htaccess/.user.ini; sanitize keys to prevent path injections; randomize filenames
+- AV + CDR: scan synchronously when possible; quarantine until verdict; block password-protected archives or process in sandbox
+</parser_hardening>
+
+<validation>
+1. Demonstrate execution or rendering of active content: web shell reachable, or SVG/HTML executing JS when viewed.
+2. Show filter bypass: upload accepted despite restrictions (extension/MIME/magic mismatch) with evidence on retrieval.
+3. Prove header weaknesses: inline rendering without nosniff or missing attachment; present exact response headers.
+4. Show race or pipeline gap: access before AV/CDR; extraction outside intended directory; derivative creation from malicious input.
+5. Provide reproducible steps: request/response for upload and subsequent access, with minimal PoCs.
+</validation>
+
+<false_positives>
+- Upload stored but never served back; or always served as attachment with strict nosniff
+- Converters run in locked-down sandboxes with no external IO and no script engines; no path traversal on archive extraction
+- AV/CDR blocks the payload and quarantines; access before scan is impossible by design
+</false_positives>
+
+<impact>
+- Remote code execution on application stack or media toolchain host
+- Persistent cross-site scripting and session/token exfiltration via served uploads
+- Malware distribution via public storage/CDN; brand/reputation damage
+- Data loss or corruption via overwrite/zip slip; service degradation via zip bombs or oversized assets
+</impact>
+
+<pro_tips>
+1. Keep PoCs minimal: tiny SVG/HTML for XSS, a single-line PHP/ASP where relevant, and benign magic-byte polyglots.
+2. Always capture download response headers and final MIME from the server/CDN; that decides browser behavior.
+3. Prefer transforming risky formats to safe renderings (SVG→PNG) rather than attempting complex sanitization.
+4. In presigned flows, constrain all headers and object keys server-side; ignore client-supplied ACL and metadata.
+5. For archives, extract in a chroot/jail with explicit allowlist; drop symlinks and reject traversal.
+6. Test finalize/complete steps in resumable flows; many validations only run on init, not at completion.
+7. Verify background processors with EICAR and tiny polyglots; ensure quarantine gates access until safe.
+8. When you cannot get execution, aim for stored XSS or header-driven script execution; both are impactful.
+9. Validate that CDNs honor attachment/nosniff and do not override Content-Type/Disposition.
+10. Document full pipeline behavior per asset type; defenses must match actual processors and serving paths.
+</pro_tips>
+
+<remember>Secure uploads are a pipeline property. Enforce strict type, size, and header controls; transform or strip active content; never execute or inline-render untrusted uploads; and keep storage private with controlled, signed access.</remember>
+</insecure_file_uploads_guide>