stryx-cli 0.1.0__tar.gz → 0.1.2__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (84) hide show
  1. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/CODE_OF_CONDUCT.md +101 -101
  2. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/PKG-INFO +2 -2
  3. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/README.md +184 -184
  4. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/pyproject.toml +1 -1
  5. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/ai/attack_planner.py +5 -13
  6. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/ai/payload_generator.py +4 -5
  7. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/ai/providers.py +9 -4
  8. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/attacks/attack_chain.py +10 -10
  9. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/attacks/replay.py +7 -8
  10. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/auth/session_manager.py +23 -14
  11. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/cli.py +42 -29
  12. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/comparison/differ.py +17 -22
  13. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/config/loader.py +10 -2
  14. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/crawler/discovery.py +4 -3
  15. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/crawler/graphql_discovery.py +19 -15
  16. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/crawler/html_crawler.py +54 -35
  17. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/crawler/js_endpoints.py +43 -41
  18. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/crawler/openapi.py +9 -7
  19. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/crawler/sitemap.py +20 -18
  20. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/orchestrator.py +49 -36
  21. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/policy/engine.py +60 -47
  22. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/reports/generator.py +30 -34
  23. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/reports/sarif_report.py +6 -5
  24. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/reports/terminal_report.py +9 -7
  25. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/auth.py +174 -141
  26. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/authorization.py +51 -59
  27. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/blind.py +101 -87
  28. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/cloud_ssrf.py +21 -14
  29. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/cors.py +2 -5
  30. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/dependencies.py +86 -86
  31. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/disclosure.py +132 -101
  32. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/fuzz.py +171 -101
  33. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/graphql.py +106 -99
  34. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/injection.py +82 -66
  35. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/race.py +68 -56
  36. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/utils/evidence.py +1 -2
  37. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/utils/logging.py +14 -12
  38. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx_cli.egg-info/PKG-INFO +2 -2
  39. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/CHANGELOG.md +0 -0
  40. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/CONTRIBUTING.md +0 -0
  41. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/LICENSE +0 -0
  42. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/MANIFEST.in +0 -0
  43. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/SECURITY.md +0 -0
  44. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/setup.cfg +0 -0
  45. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/__init__.py +0 -0
  46. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/ai/__init__.py +0 -0
  47. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/ai/prompts.py +0 -0
  48. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/attacks/__init__.py +0 -0
  49. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/auth/__init__.py +0 -0
  50. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/comparison/__init__.py +0 -0
  51. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/config/__init__.py +0 -0
  52. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/config/default_config.yaml +0 -0
  53. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/config/schema.py +0 -0
  54. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/crawler/__init__.py +0 -0
  55. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/payloads/cmdi.txt +0 -0
  56. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/payloads/header_injection.txt +0 -0
  57. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/payloads/ldap.txt +0 -0
  58. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/payloads/nosqli.txt +0 -0
  59. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/payloads/open_redirect.txt +0 -0
  60. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/payloads/path_traversal.txt +0 -0
  61. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/payloads/sqli.txt +0 -0
  62. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/payloads/ssrf.txt +0 -0
  63. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/payloads/ssti.txt +0 -0
  64. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/payloads/xss.txt +0 -0
  65. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/payloads/xxe.txt +0 -0
  66. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/plugins/__init__.py +0 -0
  67. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/plugins/base.py +0 -0
  68. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/policy/__init__.py +0 -0
  69. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/py.typed +0 -0
  70. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/reports/__init__.py +0 -0
  71. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/reports/json_report.py +0 -0
  72. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/reports/markdown_report.py +0 -0
  73. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/reports/templates/report.html.j2 +0 -0
  74. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/scanners/__init__.py +0 -0
  75. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/signatures/framework_fingerprints.yaml +0 -0
  76. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/signatures/known_vulns.yaml +0 -0
  77. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/utils/__init__.py +0 -0
  78. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/utils/http_client.py +0 -0
  79. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx/utils/rate_limiter.py +0 -0
  80. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx_cli.egg-info/SOURCES.txt +0 -0
  81. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx_cli.egg-info/dependency_links.txt +0 -0
  82. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx_cli.egg-info/entry_points.txt +0 -0
  83. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx_cli.egg-info/requires.txt +0 -0
  84. {stryx_cli-0.1.0 → stryx_cli-0.1.2}/stryx_cli.egg-info/top_level.txt +0 -0
@@ -1,101 +1,101 @@
1
- # Contributor Covenant Code of Conduct
2
-
3
- ## Our Pledge
4
-
5
- We as members, contributors, and leaders pledge to make participation in our
6
- community a harassment-free experience for everyone, regardless of age, body
7
- size, visible or invisible disability, ethnicity, sex characteristics, gender
8
- identity and expression, level of experience, education, socio-economic status,
9
- nationality, personal appearance, race, religion, or sexual identity
10
- and orientation.
11
-
12
- ## Our Standards
13
-
14
- Examples of behavior that contributes to a positive environment:
15
-
16
- * Using welcoming and inclusive language
17
- * Being respectful of differing viewpoints and experiences
18
- * Gracefully accepting constructive criticism
19
- * Focusing on what is best for the community
20
- * Showing empathy towards other community members
21
-
22
- Examples of unacceptable behavior:
23
-
24
- * The use of sexualized language or imagery, and sexual attention or advances of any kind
25
- * Trolling, insulting or derogatory comments, and personal or political attacks
26
- * Public or private harassment
27
- * Publishing others' private information, such as a physical or electronic address, without explicit permission
28
- * Other conduct which could reasonably be considered inappropriate in a professional setting
29
-
30
- ## Enforcement Responsibilities
31
-
32
- Community leaders are responsible for clarifying and enforcing our standards of
33
- acceptable behavior and will take appropriate and fair corrective action in
34
- response to any behavior that they deem inappropriate, threatening, offensive,
35
- or harmful.
36
-
37
- ## Scope
38
-
39
- This Code of Conduct applies within all community spaces, and also applies when
40
- an individual is officially representing the community in public spaces.
41
-
42
- ## Enforcement
43
-
44
- Instances of abusive, harassing, or otherwise unacceptable behavior may be
45
- reported by opening a GitHub issue tagged `conduct` on the
46
- [medusa-Security/stryx](https://github.com/medusa-Security/stryx/issues) repository.
47
-
48
- All complaints will be reviewed and investigated promptly and fairly.
49
-
50
- ## Enforcement Guidelines
51
-
52
- Community leaders will follow these Community Impact Guidelines in determining
53
- the consequences for any action they deem in violation of this Code of Conduct:
54
-
55
- ### 1. Correction
56
-
57
- **Community Impact**: Use of inappropriate language or other behavior deemed
58
- unprofessional or unwelcome in the community.
59
-
60
- **Consequence**: A private, written warning from community leaders, providing
61
- clarity around the nature of the violation and an explanation of why the
62
- behavior was inappropriate.
63
-
64
- ### 2. Warning
65
-
66
- **Community Impact**: A violation through a single incident or series
67
- of actions.
68
-
69
- **Consequence**: A warning with consequences for continued behavior. No
70
- interaction with the people involved, including unsolicited interaction with
71
- those enforcing the Code of Conduct, for a specified period of time.
72
-
73
- ### 3. Temporary Ban
74
-
75
- **Community Impact**: A serious violation of community standards, including
76
- sustained inappropriate behavior.
77
-
78
- **Consequence**: A temporary ban from any sort of interaction or public
79
- communication with the community for a specified period of time.
80
-
81
- ### 4. Permanent Ban
82
-
83
- **Community Impact**: Demonstrating a pattern of violation of community
84
- standards, including sustained inappropriate behavior, harassment of an
85
- individual, or aggression toward or disparagement of classes of individuals.
86
-
87
- **Consequence**: A permanent ban from any sort of public interaction within
88
- the community.
89
-
90
- ## Attribution
91
-
92
- This Code of Conduct is adapted from the [Contributor Covenant][homepage],
93
- version 2.1, available at
94
- [https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
95
-
96
- Community Impact Guidelines were inspired by
97
- [Mozilla's code of conduct enforcement ladder][Mozilla CoC].
98
-
99
- [homepage]: https://www.contributor-covenant.org
100
- [v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
101
- [Mozilla CoC]: https://github.com/mozilla/diversity
1
+ # Contributor Covenant Code of Conduct
2
+
3
+ ## Our Pledge
4
+
5
+ We as members, contributors, and leaders pledge to make participation in our
6
+ community a harassment-free experience for everyone, regardless of age, body
7
+ size, visible or invisible disability, ethnicity, sex characteristics, gender
8
+ identity and expression, level of experience, education, socio-economic status,
9
+ nationality, personal appearance, race, religion, or sexual identity
10
+ and orientation.
11
+
12
+ ## Our Standards
13
+
14
+ Examples of behavior that contributes to a positive environment:
15
+
16
+ * Using welcoming and inclusive language
17
+ * Being respectful of differing viewpoints and experiences
18
+ * Gracefully accepting constructive criticism
19
+ * Focusing on what is best for the community
20
+ * Showing empathy towards other community members
21
+
22
+ Examples of unacceptable behavior:
23
+
24
+ * The use of sexualized language or imagery, and sexual attention or advances of any kind
25
+ * Trolling, insulting or derogatory comments, and personal or political attacks
26
+ * Public or private harassment
27
+ * Publishing others' private information, such as a physical or electronic address, without explicit permission
28
+ * Other conduct which could reasonably be considered inappropriate in a professional setting
29
+
30
+ ## Enforcement Responsibilities
31
+
32
+ Community leaders are responsible for clarifying and enforcing our standards of
33
+ acceptable behavior and will take appropriate and fair corrective action in
34
+ response to any behavior that they deem inappropriate, threatening, offensive,
35
+ or harmful.
36
+
37
+ ## Scope
38
+
39
+ This Code of Conduct applies within all community spaces, and also applies when
40
+ an individual is officially representing the community in public spaces.
41
+
42
+ ## Enforcement
43
+
44
+ Instances of abusive, harassing, or otherwise unacceptable behavior may be
45
+ reported by opening a GitHub issue tagged `conduct` on the
46
+ [Medusa-Security/stryx](https://github.com/Medusa-Security/stryx/issues) repository.
47
+
48
+ All complaints will be reviewed and investigated promptly and fairly.
49
+
50
+ ## Enforcement Guidelines
51
+
52
+ Community leaders will follow these Community Impact Guidelines in determining
53
+ the consequences for any action they deem in violation of this Code of Conduct:
54
+
55
+ ### 1. Correction
56
+
57
+ **Community Impact**: Use of inappropriate language or other behavior deemed
58
+ unprofessional or unwelcome in the community.
59
+
60
+ **Consequence**: A private, written warning from community leaders, providing
61
+ clarity around the nature of the violation and an explanation of why the
62
+ behavior was inappropriate.
63
+
64
+ ### 2. Warning
65
+
66
+ **Community Impact**: A violation through a single incident or series
67
+ of actions.
68
+
69
+ **Consequence**: A warning with consequences for continued behavior. No
70
+ interaction with the people involved, including unsolicited interaction with
71
+ those enforcing the Code of Conduct, for a specified period of time.
72
+
73
+ ### 3. Temporary Ban
74
+
75
+ **Community Impact**: A serious violation of community standards, including
76
+ sustained inappropriate behavior.
77
+
78
+ **Consequence**: A temporary ban from any sort of interaction or public
79
+ communication with the community for a specified period of time.
80
+
81
+ ### 4. Permanent Ban
82
+
83
+ **Community Impact**: Demonstrating a pattern of violation of community
84
+ standards, including sustained inappropriate behavior, harassment of an
85
+ individual, or aggression toward or disparagement of classes of individuals.
86
+
87
+ **Consequence**: A permanent ban from any sort of public interaction within
88
+ the community.
89
+
90
+ ## Attribution
91
+
92
+ This Code of Conduct is adapted from the [Contributor Covenant][homepage],
93
+ version 2.1, available at
94
+ [https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
95
+
96
+ Community Impact Guidelines were inspired by
97
+ [Mozilla's code of conduct enforcement ladder][Mozilla CoC].
98
+
99
+ [homepage]: https://www.contributor-covenant.org
100
+ [v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
101
+ [Mozilla CoC]: https://github.com/mozilla/diversity
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: stryx-cli
3
- Version: 0.1.0
3
+ Version: 0.1.2
4
4
  Summary: AI-Powered Dynamic Application Security Testing (DAST) -- part of the MEDUSA security platform
5
5
  Author-email: Akhilesh Varma <akhverm@gmail.com>
6
6
  License: Apache-2.0
@@ -91,7 +91,7 @@ CLI -> Configuration -> Attack Orchestrator -> { Endpoint Discovery }
91
91
  pip install stryx
92
92
 
93
93
  # From source
94
- git clone https://github.com/medusa-Security/stryx.git
94
+ git clone https://github.com/Medusa-Security/stryx.git
95
95
  cd stryx
96
96
  pip install -e .
97
97
  ```
@@ -1,184 +1,184 @@
1
- # STRYX
2
-
3
- **AI-Powered Dynamic Application Security Testing (DAST)**
4
-
5
- [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)
6
- [![Python Version](https://img.shields.io/badge/python-3.11+-blue.svg)](https://www.python.org/downloads/)
7
- [![Build Status](https://github.com/medusa-Security/stryx/actions/workflows/ci.yml/badge.svg)](https://github.com/medusa-Security/stryx/actions)
8
-
9
- STRYX is a developer-first, AI-assisted DAST engine that crawls, maps, and tests the live attack surface of web applications. It discovers hidden endpoints, simulates real attacker behavior, and detects exploitable vulnerabilities with minimal false positives. Every finding carries full evidence (request, response, status code, payload, confidence score) -- no heuristic-only results.
10
-
11
- **Design philosophy: high signal, low noise.**
12
-
13
- ## How It Fits Into MEDUSA
14
-
15
- - **Remy** -- SAST, analyzes source code pre-deployment.
16
- - **STRYX** -- DAST, validates a running application's live attack surface and exploitability.
17
- - **MEDUSA** -- Aggregates findings from both, correlates static and runtime issues, estimates business impact, provides centralized security management.
18
-
19
- ## Architecture
20
-
21
- ```
22
- CLI -> Configuration -> Attack Orchestrator -> { Endpoint Discovery }
23
- |
24
- Authentication Engine
25
- Authorization Engine
26
- Injection Engine
27
- API Fuzzer
28
- AI Attack Planner
29
- Evidence Collector
30
- Report Generator
31
- |
32
- Target Application
33
- ```
34
-
35
- ## Installation
36
-
37
- ```bash
38
- # From PyPI
39
- pip install stryx
40
-
41
- # From source
42
- git clone https://github.com/medusa-Security/stryx.git
43
- cd stryx
44
- pip install -e .
45
- ```
46
-
47
- ## Quickstart
48
-
49
- ```bash
50
- # Run a full scan
51
- stryx scan http://localhost:8000
52
-
53
- # Output:
54
- # STRYX Scan Results
55
- # Target: http://localhost:8000
56
- # Total Findings: 3
57
- # Breakdown: CRITICAL: 1 | HIGH: 1 | MEDIUM: 1
58
- ```
59
-
60
- ## Core Modules
61
-
62
- | Module | Purpose |
63
- |--------|---------|
64
- | Endpoint Discovery | Crawls targets, extracts APIs from OpenAPI/Swagger, sitemaps, JS files, GraphQL |
65
- | Authentication Scanner | Tests missing auth, weak JWTs, session fixation, cookie security |
66
- | Authorization Scanner | Tests IDOR, privilege escalation, admin access, multi-tenant escape |
67
- | Injection Engine | SQL, NoSQL, command, SSRF, path traversal, XXE, SSTI, LDAP injection |
68
- | API Fuzzer | Parameter mutation, boundary values, type confusion, nested JSON |
69
- | CORS Scanner | Detects misconfigured CORS policies and origin reflection |
70
- | GraphQL Scanner | Tests introspection exposure, query depth limiting |
71
- | AI Attack Planner | Constructs multi-step attack chains across findings |
72
- | Evidence Engine | Enforces evidence requirements on every finding |
73
-
74
- ## CLI Reference
75
-
76
- ### Commands
77
-
78
- | Command | Description |
79
- |---------|-------------|
80
- | `stryx scan <url>` | Run full security scan |
81
- | `stryx crawl <url>` | Crawl and discover endpoints |
82
- | `stryx auth <url>` | Run authentication tests |
83
- | `stryx fuzz <url>` | Run API fuzzing tests |
84
- | `stryx report <url>` | Generate reports |
85
- | `stryx config` | View/update configuration |
86
- | `stryx providers` | List supported AI providers |
87
- | `stryx update` | Update STRYX |
88
-
89
- ### Flags
90
-
91
- | Flag | Description |
92
- |------|-------------|
93
- | `--deep` | Enable deep scanning |
94
- | `--json <file>` | Output JSON report |
95
- | `--html <file>` | Output HTML report |
96
- | `--markdown <file>` | Output Markdown report |
97
- | `--threads <n>` | Concurrent threads (1-200) |
98
- | `--timeout <s>` | HTTP timeout in seconds |
99
- | `--headers <json>` | Custom headers |
100
- | `--cookies <str>` | Authentication cookies |
101
- | `--proxy <url>` | HTTP proxy |
102
- | `--wordlist <file>` | Custom wordlist |
103
- | `--rate <n>` | Requests per second limit |
104
-
105
- ## Configuration
106
-
107
- ```yaml
108
- provider: groq
109
- model: llama-3.3-70b-versatile
110
- threads: 20
111
- timeout: 10
112
- crawl_depth: 5
113
- respect_robots: false
114
- ai_attack_planning: true
115
- modules:
116
- auth: true
117
- authorization: true
118
- injection: true
119
- fuzzing: true
120
- ```
121
-
122
- Supported AI providers: Groq, OpenAI, Anthropic, OpenRouter, Ollama, XAI, NVIDIA NIM.
123
-
124
- ## Sample Report
125
-
126
- ```
127
- +--------------------------------------------------------------------+
128
- | STRYX Scan Results |
129
- | Target: http://localhost:8000 |
130
- | Total Findings: 3 |
131
- | Breakdown: CRITICAL: 1 | HIGH: 1 | MEDIUM: 1 |
132
- +--------------------------------------------------------------------+
133
-
134
- [#] [CRITICAL] Unauthenticated access to /admin
135
- Endpoint: http://localhost:8000/admin
136
- CWE: CWE-306 | Scanner: auth
137
- Confidence: 70%
138
- Evidence: GET http://localhost:8000/admin -> 200
139
- ```
140
-
141
- ## Roadmap
142
-
143
- ### v0.1 (this build)
144
-
145
- - [ ] HTTP crawler
146
- - [ ] Endpoint discovery
147
- - [ ] Authentication scanning
148
- - [ ] Authorization testing
149
- - [ ] Basic injection testing
150
- - [ ] JSON/HTML reports
151
-
152
- ### v0.5
153
-
154
- - [ ] Browser automation
155
- - [ ] GraphQL support
156
- - [ ] Multi-threaded fuzzing
157
- - [ ] AI attack planning
158
- - [ ] Custom payloads
159
- - [ ] Plugin SDK
160
-
161
- ### v1.0
162
-
163
- - [ ] Autonomous attack chaining
164
- - [ ] Headless browser exploitation
165
- - [ ] CI/CD integration
166
- - [ ] Distributed scanning
167
- - [ ] Cloud dashboards (MEDUSA integration)
168
- - [ ] AI-powered exploit reasoning
169
-
170
- ## Contributing
171
-
172
- See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
173
-
174
- ## Security Policy
175
-
176
- See [SECURITY.md](SECURITY.md) for reporting vulnerabilities in STRYX itself.
177
-
178
- ## License
179
-
180
- Apache License 2.0. See [LICENSE](LICENSE).
181
-
182
- ## Author
183
-
184
- Built by Akhilesh Varma (ak495867) under Medusa Security.
1
+ # STRYX
2
+
3
+ **AI-Powered Dynamic Application Security Testing (DAST)**
4
+
5
+ [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)
6
+ [![Python Version](https://img.shields.io/badge/python-3.11+-blue.svg)](https://www.python.org/downloads/)
7
+ [![Build Status](https://github.com/medusa-Security/stryx/actions/workflows/ci.yml/badge.svg)](https://github.com/medusa-Security/stryx/actions)
8
+
9
+ STRYX is a developer-first, AI-assisted DAST engine that crawls, maps, and tests the live attack surface of web applications. It discovers hidden endpoints, simulates real attacker behavior, and detects exploitable vulnerabilities with minimal false positives. Every finding carries full evidence (request, response, status code, payload, confidence score) -- no heuristic-only results.
10
+
11
+ **Design philosophy: high signal, low noise.**
12
+
13
+ ## How It Fits Into MEDUSA
14
+
15
+ - **Remy** -- SAST, analyzes source code pre-deployment.
16
+ - **STRYX** -- DAST, validates a running application's live attack surface and exploitability.
17
+ - **MEDUSA** -- Aggregates findings from both, correlates static and runtime issues, estimates business impact, provides centralized security management.
18
+
19
+ ## Architecture
20
+
21
+ ```
22
+ CLI -> Configuration -> Attack Orchestrator -> { Endpoint Discovery }
23
+ |
24
+ Authentication Engine
25
+ Authorization Engine
26
+ Injection Engine
27
+ API Fuzzer
28
+ AI Attack Planner
29
+ Evidence Collector
30
+ Report Generator
31
+ |
32
+ Target Application
33
+ ```
34
+
35
+ ## Installation
36
+
37
+ ```bash
38
+ # From PyPI
39
+ pip install stryx
40
+
41
+ # From source
42
+ git clone https://github.com/Medusa-Security/stryx.git
43
+ cd stryx
44
+ pip install -e .
45
+ ```
46
+
47
+ ## Quickstart
48
+
49
+ ```bash
50
+ # Run a full scan
51
+ stryx scan http://localhost:8000
52
+
53
+ # Output:
54
+ # STRYX Scan Results
55
+ # Target: http://localhost:8000
56
+ # Total Findings: 3
57
+ # Breakdown: CRITICAL: 1 | HIGH: 1 | MEDIUM: 1
58
+ ```
59
+
60
+ ## Core Modules
61
+
62
+ | Module | Purpose |
63
+ |--------|---------|
64
+ | Endpoint Discovery | Crawls targets, extracts APIs from OpenAPI/Swagger, sitemaps, JS files, GraphQL |
65
+ | Authentication Scanner | Tests missing auth, weak JWTs, session fixation, cookie security |
66
+ | Authorization Scanner | Tests IDOR, privilege escalation, admin access, multi-tenant escape |
67
+ | Injection Engine | SQL, NoSQL, command, SSRF, path traversal, XXE, SSTI, LDAP injection |
68
+ | API Fuzzer | Parameter mutation, boundary values, type confusion, nested JSON |
69
+ | CORS Scanner | Detects misconfigured CORS policies and origin reflection |
70
+ | GraphQL Scanner | Tests introspection exposure, query depth limiting |
71
+ | AI Attack Planner | Constructs multi-step attack chains across findings |
72
+ | Evidence Engine | Enforces evidence requirements on every finding |
73
+
74
+ ## CLI Reference
75
+
76
+ ### Commands
77
+
78
+ | Command | Description |
79
+ |---------|-------------|
80
+ | `stryx scan <url>` | Run full security scan |
81
+ | `stryx crawl <url>` | Crawl and discover endpoints |
82
+ | `stryx auth <url>` | Run authentication tests |
83
+ | `stryx fuzz <url>` | Run API fuzzing tests |
84
+ | `stryx report <url>` | Generate reports |
85
+ | `stryx config` | View/update configuration |
86
+ | `stryx providers` | List supported AI providers |
87
+ | `stryx update` | Update STRYX |
88
+
89
+ ### Flags
90
+
91
+ | Flag | Description |
92
+ |------|-------------|
93
+ | `--deep` | Enable deep scanning |
94
+ | `--json <file>` | Output JSON report |
95
+ | `--html <file>` | Output HTML report |
96
+ | `--markdown <file>` | Output Markdown report |
97
+ | `--threads <n>` | Concurrent threads (1-200) |
98
+ | `--timeout <s>` | HTTP timeout in seconds |
99
+ | `--headers <json>` | Custom headers |
100
+ | `--cookies <str>` | Authentication cookies |
101
+ | `--proxy <url>` | HTTP proxy |
102
+ | `--wordlist <file>` | Custom wordlist |
103
+ | `--rate <n>` | Requests per second limit |
104
+
105
+ ## Configuration
106
+
107
+ ```yaml
108
+ provider: groq
109
+ model: llama-3.3-70b-versatile
110
+ threads: 20
111
+ timeout: 10
112
+ crawl_depth: 5
113
+ respect_robots: false
114
+ ai_attack_planning: true
115
+ modules:
116
+ auth: true
117
+ authorization: true
118
+ injection: true
119
+ fuzzing: true
120
+ ```
121
+
122
+ Supported AI providers: Groq, OpenAI, Anthropic, OpenRouter, Ollama, XAI, NVIDIA NIM.
123
+
124
+ ## Sample Report
125
+
126
+ ```
127
+ +--------------------------------------------------------------------+
128
+ | STRYX Scan Results |
129
+ | Target: http://localhost:8000 |
130
+ | Total Findings: 3 |
131
+ | Breakdown: CRITICAL: 1 | HIGH: 1 | MEDIUM: 1 |
132
+ +--------------------------------------------------------------------+
133
+
134
+ [#] [CRITICAL] Unauthenticated access to /admin
135
+ Endpoint: http://localhost:8000/admin
136
+ CWE: CWE-306 | Scanner: auth
137
+ Confidence: 70%
138
+ Evidence: GET http://localhost:8000/admin -> 200
139
+ ```
140
+
141
+ ## Roadmap
142
+
143
+ ### v0.1 (this build)
144
+
145
+ - [ ] HTTP crawler
146
+ - [ ] Endpoint discovery
147
+ - [ ] Authentication scanning
148
+ - [ ] Authorization testing
149
+ - [ ] Basic injection testing
150
+ - [ ] JSON/HTML reports
151
+
152
+ ### v0.5
153
+
154
+ - [ ] Browser automation
155
+ - [ ] GraphQL support
156
+ - [ ] Multi-threaded fuzzing
157
+ - [ ] AI attack planning
158
+ - [ ] Custom payloads
159
+ - [ ] Plugin SDK
160
+
161
+ ### v1.0
162
+
163
+ - [ ] Autonomous attack chaining
164
+ - [ ] Headless browser exploitation
165
+ - [ ] CI/CD integration
166
+ - [ ] Distributed scanning
167
+ - [ ] Cloud dashboards (MEDUSA integration)
168
+ - [ ] AI-powered exploit reasoning
169
+
170
+ ## Contributing
171
+
172
+ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
173
+
174
+ ## Security Policy
175
+
176
+ See [SECURITY.md](SECURITY.md) for reporting vulnerabilities in STRYX itself.
177
+
178
+ ## License
179
+
180
+ Apache License 2.0. See [LICENSE](LICENSE).
181
+
182
+ ## Author
183
+
184
+ Built by Akhilesh Varma (ak495867) under Medusa Security.
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
4
4
 
5
5
  [project]
6
6
  name = "stryx-cli"
7
- version = "0.1.0"
7
+ version = "0.1.2"
8
8
  description = "AI-Powered Dynamic Application Security Testing (DAST) -- part of the MEDUSA security platform"
9
9
  readme = "README.md"
10
10
  license = {text = "Apache-2.0"}
@@ -82,16 +82,14 @@ class AttackPlanner:
82
82
 
83
83
  return chains
84
84
 
85
- async def _generate_remediation(
86
- self, findings: list[Finding], provider: AIProvider
87
- ) -> None:
85
+ async def _generate_remediation(self, findings: list[Finding], provider: AIProvider) -> None:
88
86
  """Generate AI-powered remediation for each finding."""
89
87
  logger.info(f"Generating remediation for {len(findings)} findings")
90
88
 
91
89
  # Process findings in batches to avoid token limits
92
90
  batch_size = 10
93
91
  for i in range(0, len(findings), batch_size):
94
- batch = findings[i:i + batch_size]
92
+ batch = findings[i : i + batch_size]
95
93
 
96
94
  for finding in batch:
97
95
  if finding.remediation:
@@ -128,9 +126,7 @@ class AttackPlanner:
128
126
  logger.debug(f"Failed to generate remediation for {finding.title}: {e}")
129
127
  continue
130
128
 
131
- async def _ai_plan_chains(
132
- self, findings: list[Finding], provider: AIProvider
133
- ) -> list[AttackChain]:
129
+ async def _ai_plan_chains(self, findings: list[Finding], provider: AIProvider) -> list[AttackChain]:
134
130
  """Use AI to generate attack chains."""
135
131
  findings_data = [f.to_dict() for f in findings]
136
132
  findings_text = format_findings_for_prompt(findings_data)
@@ -168,9 +164,7 @@ class AttackPlanner:
168
164
  for step_data in chain_data.get("steps", []):
169
165
  if isinstance(step_data, dict):
170
166
  # Find matching finding
171
- matching_finding = self._find_matching_finding(
172
- findings, step_data.get("title", "")
173
- )
167
+ matching_finding = self._find_matching_finding(findings, step_data.get("title", ""))
174
168
  if matching_finding:
175
169
  chain.add_step(
176
170
  matching_finding,
@@ -187,9 +181,7 @@ class AttackPlanner:
187
181
  logger.warning(f"Failed to parse AI response: {e}")
188
182
  return []
189
183
 
190
- def _find_matching_finding(
191
- self, findings: list[Finding], title: str
192
- ) -> Finding | None:
184
+ def _find_matching_finding(self, findings: list[Finding], title: str) -> Finding | None:
193
185
  """Find a finding matching the given title."""
194
186
  title_lower = title.lower()
195
187
  for f in findings: