diff --git a/strix/skills/vulnerabilities/idor.md b/strix/skills/vulnerabilities/idor.md index 03de216..6c098b8 100644 --- a/strix/skills/vulnerabilities/idor.md +++ b/strix/skills/vulnerabilities/idor.md @@ -187,6 +187,7 @@ query IDOR { - Soft-privatized data where content is already public - Idempotent metadata lookups that do not reveal sensitive content - Correct row-level checks enforced across all channels +- Empty array / null returned for another user's resource — silent enforcement, not exposure; compare against the owner's view to confirm the data is actually missing rather than just hidden from the response shape ## Impact diff --git a/strix/skills/vulnerabilities/ssrf.md b/strix/skills/vulnerabilities/ssrf.md index e3570d7..d1618b7 100644 --- a/strix/skills/vulnerabilities/ssrf.md +++ b/strix/skills/vulnerabilities/ssrf.md @@ -157,6 +157,7 @@ Server-Side Request Forgery enables the server to reach networks and services th - Strict allowlists with DNS pinning and no redirect following - SSRF simulators/mocks returning canned responses without real egress - Blocked egress confirmed by uniform errors across all targets and protocols +- OAST callbacks where the source IP matches the tester's machine, not the server — the browser or a client-side fetch made the request, not the backend ## Impact