From 6942ecb33ecd1331840126489ae5ffd2301f89f6 Mon Sep 17 00:00:00 2001 From: Jorge Moya <37148657+vsh00t@users.noreply.github.com> Date: Sun, 3 May 2026 20:19:57 -0500 Subject: [PATCH] add empty-array IDOR FP and OAST source-IP SSRF FP signals (#183) --- strix/skills/vulnerabilities/idor.md | 1 + strix/skills/vulnerabilities/ssrf.md | 1 + 2 files changed, 2 insertions(+) diff --git a/strix/skills/vulnerabilities/idor.md b/strix/skills/vulnerabilities/idor.md index 03de216..6c098b8 100644 --- a/strix/skills/vulnerabilities/idor.md +++ b/strix/skills/vulnerabilities/idor.md @@ -187,6 +187,7 @@ query IDOR { - Soft-privatized data where content is already public - Idempotent metadata lookups that do not reveal sensitive content - Correct row-level checks enforced across all channels +- Empty array / null returned for another user's resource — silent enforcement, not exposure; compare against the owner's view to confirm the data is actually missing rather than just hidden from the response shape ## Impact diff --git a/strix/skills/vulnerabilities/ssrf.md b/strix/skills/vulnerabilities/ssrf.md index e3570d7..d1618b7 100644 --- a/strix/skills/vulnerabilities/ssrf.md +++ b/strix/skills/vulnerabilities/ssrf.md @@ -157,6 +157,7 @@ Server-Side Request Forgery enables the server to reach networks and services th - Strict allowlists with DNS pinning and no redirect following - SSRF simulators/mocks returning canned responses without real egress - Blocked egress confirmed by uniform errors across all targets and protocols +- OAST callbacks where the source IP matches the tester's machine, not the server — the browser or a client-side fetch made the request, not the backend ## Impact