Surface the previously-undocumented sandbox tools and unbreak two of them
The image ships 15 tools (jwt_tool, interactsh-client, arjun, dirsearch, gospider, wafw00f, retire, eslint, jshint, js-beautify, JS-Snooper, jsniper.sh, vulnx, ncat, uv) that the always-loaded skills never name with usage guidance — agents could discover them via the environment catalog but had no when/how. Add concise mentions in the natural home for each: jwt_tool in the JWT skill, interactsh-client in the OAST sections of SSRF/XXE/RCE, arjun in IDOR recon, dirsearch as the broad alternate in the ffuf skill, gospider + the JS scrapers in katana, wafw00f next to httpx, retire/eslint/jshint/js-beautify as a new JavaScript-Side Coverage block in the SAST playbook, uv in python, vulnx in the deep scan-mode CVE bullet, ncat in a new RCE Tooling block. Audit also turned up three real breakages along the way: - jwt_tool's shebang resolves to /usr/bin/python3 but its dependencies live in /app/.venv, so every invocation died with ModuleNotFoundError: ratelimit. Replace the bare symlink with a wrapper that execs /app/.venv/bin/python against the real script. - dirsearch's pipx venv ended up with setuptools 82, which dropped pkg_resources — startup failed before parsing args. Pin the inject to setuptools<81. - ESLint's --no-eslintrc flag was removed in v9; the surviving --no-config-lookup covers it. Drop the dead flag from the SAST command block. Also corrected the JS-Snooper / jsniper.sh entry in katana.md — both take a bare domain and run their own JS discovery internally, not the JS URLs Katana already harvested.
This commit is contained in:
@@ -75,7 +75,7 @@ RUN nuclei -update-templates
|
||||
|
||||
RUN pipx install arjun && \
|
||||
pipx install dirsearch && \
|
||||
pipx inject dirsearch setuptools && \
|
||||
pipx inject dirsearch 'setuptools<81' && \
|
||||
pipx install wafw00f
|
||||
|
||||
ENV NPM_CONFIG_PREFIX=/home/pentester/.npm-global
|
||||
@@ -193,7 +193,11 @@ USER pentester
|
||||
RUN python3 -m venv /app/.venv && \
|
||||
/app/.venv/bin/pip install --no-cache-dir caido-sdk-client && \
|
||||
/app/.venv/bin/pip install --no-cache-dir -r /home/pentester/tools/jwt_tool/requirements.txt && \
|
||||
ln -s /home/pentester/tools/jwt_tool/jwt_tool.py /home/pentester/.local/bin/jwt_tool
|
||||
printf '%s\n' \
|
||||
'#!/bin/bash' \
|
||||
'exec /app/.venv/bin/python /home/pentester/tools/jwt_tool/jwt_tool.py "$@"' \
|
||||
> /home/pentester/.local/bin/jwt_tool && \
|
||||
chmod +x /home/pentester/.local/bin/jwt_tool
|
||||
|
||||
COPY --chown=pentester:pentester strix/tools/proxy/caido_api.py /opt/strix-python/caido_api.py
|
||||
ENV PYTHONPATH=/opt/strix-python
|
||||
|
||||
Reference in New Issue
Block a user