salvacybersec/strix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Adding prompt modules for broken function level authorization, insecure file uploads, mass assignment, and path traversal, LFI, and RFI

Browse Source
This commit is contained in:
Ahmed Allam
2025-10-13 17:24:04 -07:00
committed by Ahmed Allam
parent d4a62ec365
commit 6d5a3f331b
4 changed files with 617 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

146
strix/prompts/vulnerabilities/broken_function_level_authorization.jinja Normal file
View File

@@ -0,0 +1,146 @@
<broken_function_level_authorization_guide>
<title>BROKEN FUNCTION LEVEL AUTHORIZATION (BFLA)</title>
<critical>BFLA is action-level authorization failure: callers invoke functions (endpoints, mutations, admin tools) they are not entitled to. It appears when enforcement differs across transports, gateways, roles, or when services trust client hints. Bind subject × action at the service that performs the action.</critical>
<scope>
- Vertical authz: privileged/admin/staff-only actions reachable by basic users
- Feature gates: toggles enforced at edge/UI, not at core services
- Transport drift: REST vs GraphQL vs gRPC vs WebSocket with inconsistent checks
- Gateway trust: backends trust X-User-Id/X-Role injected by proxies/edges
- Background workers/jobs performing actions without re-checking authz
</scope>
<methodology>
1. Build an Actor × Action matrix with at least: unauth, basic, premium, staff/admin. Enumerate actions (create/update/delete, approve/cancel, impersonate, export, invite, role-change, credit/refund).
2. Obtain tokens/sessions for each role. Exercise every action across all transports and encodings (JSON, form, multipart), including method overrides.
3. Vary headers and contextual selectors (org/tenant/project) and test behavior behind gateway vs direct-to-service.
4. Include background flows: job creation/finalization, webhooks, queues. Confirm re-validation of authz in consumers.
</methodology>
<discovery_techniques>
<surface_enumeration>
- Admin/staff consoles and APIs, support tools, internal-only endpoints exposed via gateway
- Hidden buttons and disabled UI paths (feature-flagged) mapped to still-live endpoints
- GraphQL schemas: mutations and admin-only fields/types; gRPC service descriptors (reflection)
- Mobile clients often reveal extra endpoints/roles in app bundles or network logs
</surface_enumeration>
<signals>
- 401/403 on UI but 200 via direct API call; differing status codes across transports
- Actions succeed via background jobs when direct call is denied
- Changing only headers (role/org) alters access without token change
</signals>
<high_value_actions>
- Role/permission changes, impersonation/sudo, invite/accept into orgs
- Approve/void/refund/credit issuance, price/plan overrides
- Export/report generation, data deletion, account suspension/reactivation
- Feature flag toggles, quota/grant adjustments, license/seat changes
- Security settings: 2FA reset, email/phone verification overrides
</high_value_actions>
<exploitation_techniques>
<verb_drift_and_aliases>
- Alternate methods: GET performing state change; POST vs PUT vs PATCH differences; X-HTTP-Method-Override/_method
- Alternate endpoints performing the same action with weaker checks (legacy vs v2, mobile vs web)
</verb_drift_and_aliases>
<edge_vs_core_mismatch>
- Edge blocks an action but core service RPC accepts it directly; call internal service via exposed API route or SSRF
- Gateway-injected identity headers override token claims; supply conflicting headers to test precedence
</edge_vs_core_mismatch>
<feature_flag_bypass>
- Client-checked feature gates; call backend endpoints directly
- Admin-only mutations exposed but hidden in UI; invoke via GraphQL or gRPC tools
</feature_flag_bypass>
<batch_job_paths>
- Create export/import jobs where creation is allowed but finalize/approve lacks authz; finalize others' jobs
- Replay webhooks/background tasks endpoints that perform privileged actions without verifying caller
</batch_job_paths>
<content_type_paths>
- JSON vs form vs multipart handlers using different middleware: send the action via the most permissive parser
</content_type_paths>
</exploitation_techniques>
<advanced_techniques>
<graphql>
- Resolver-level checks per mutation/field; do not assume top-level auth covers nested mutations or admin fields
- Abuse aliases/batching to sneak privileged fields; persisted queries sometimes bypass auth transforms
- Example:
{% raw %}
mutation Promote($id:ID!){
a: updateUser(id:$id, role: ADMIN){ id role }
}
{% endraw %}
</graphql>
<grpc>
- Method-level auth via interceptors must enforce audience/roles; probe direct gRPC with tokens of lower role
- Reflection lists services/methods; call admin methods that the gateway hid
</grpc>
<websocket>
- Handshake-only auth: ensure per-message authorization on privileged events (e.g., admin:impersonate)
- Try emitting privileged actions after joining standard channels
</websocket>
<multi_tenant>
- Actions requiring tenant admin enforced only by header/subdomain; attempt cross-tenant admin actions by switching selectors with same token
</multi_tenant>
<microservices>
- Internal RPCs trust upstream checks; reach them through exposed endpoints or SSRF; verify each service re-enforces authz
</microservices>
<bypass_techniques>
<header_trust>
- Supply X-User-Id/X-Role/X-Organization headers; remove or contradict token claims; observe which source wins
</header_trust>
<route_shadowing>
- Legacy/alternate routes (e.g., /admin/v1 vs /v2/admin) that skip new middleware chains
</route_shadowing>
<idempotency_and_retries>
- Retry or replay finalize/approve endpoints that apply state without checking actor on each call
</idempotency_and_retries>
<cache_key_confusion>
- Cached authorization decisions at edge leading to cross-user reuse; test with Vary and session swaps
</cache_key_confusion>
</bypass_techniques>
<validation>
1. Show a lower-privileged principal successfully invokes a restricted action (same inputs) while the proper role succeeds and another lower role fails.
2. Provide evidence across at least two transports or encodings demonstrating inconsistent enforcement.
3. Demonstrate that removing/altering client-side gates (buttons/flags) does not affect backend success.
4. Include durable state change proof: before/after snapshots, audit logs, and authoritative sources.
</validation>
<false_positives>
- Read-only endpoints mislabeled as admin but publicly documented
- Feature toggles intentionally open to all roles for preview/beta with clear policy
- Simulated environments where admin endpoints are stubbed with no side effects
</false_positives>
<impact>
- Privilege escalation to admin/staff actions
- Monetary/state impact: refunds/credits/approvals without authorization
- Tenant-wide configuration changes, impersonation, or data deletion
- Compliance and audit violations due to bypassed approval workflows
</impact>
<pro_tips>
1. Start from the role matrix; test every action with basic vs admin tokens across REST/GraphQL/gRPC.
2. Diff middleware stacks between routes; weak chains often exist on legacy or alternate encodings.
3. Inspect gateways for identity header injection; never trust client-provided identity.
4. Treat jobs/webhooks as first-class: finalize/approve must re-check the actor.
5. Prefer minimal PoCs: one request that flips a privileged field or invokes an admin method with a basic token.
</pro_tips>
<remember>Authorization must bind the actor to the specific action at the service boundary on every request and message. UI gates, gateways, or prior steps do not substitute for function-level checks.</remember>
</broken_function_level_authorization_guide>

188
strix/prompts/vulnerabilities/insecure_file_uploads.jinja Normal file
View File

@@ -0,0 +1,188 @@
<insecure_file_uploads_guide>
<title>INSECURE FILE UPLOADS</title>
<critical>Upload surfaces are high risk: server-side execution (RCE), stored XSS, malware distribution, storage takeover, and DoS. Modern stacks mix direct-to-cloud uploads, background processors, and CDNs—authorization and validation must hold across every step.</critical>
<scope>
- Web/mobile/API uploads, direct-to-cloud (S3/GCS/Azure) presigned flows, resumable/multipart protocols (tus, S3 MPU)
- Image/document/media pipelines (ImageMagick/GraphicsMagick, Ghostscript, ExifTool, PDF engines, office converters)
- Admin/bulk importers, archive uploads (zip/tar), report/template uploads, rich text with attachments
- Serving paths: app directly, object storage, CDN, email attachments, previews/thumbnails
</scope>
<methodology>
1. Map the pipeline: client → ingress (edge/app/gateway) → storage → processors (thumb, OCR, AV, CDR) → serving (app/storage/CDN). Note where validation and auth occur.
2. Identify allowed types, size limits, filename rules, storage keys, and who serves the content. Collect baseline uploads per type and capture resulting URLs and headers.
3. Exercise bypass families systematically: extension games, MIME/content-type, magic bytes, polyglots, metadata payloads, archive structure, chunk/finalize differentials.
4. Validate execution and rendering: can uploaded content execute on server or client? Confirm with minimal PoCs and headers analysis.
</methodology>
<discovery_techniques>
<surface_map>
- Endpoints/fields: upload, file, avatar, image, attachment, import, media, document, template
- Direct-to-cloud params: key, bucket, acl, Content-Type, Content-Disposition, x-amz-meta-*, cache-control
- Resumable APIs: create/init → upload/chunk → complete/finalize; check if metadata/headers can be altered late
- Background processors: thumbnails, PDF→image, virus scan queues; identify timing and status transitions
</surface_map>
<capability_probes>
- Small probe files of each claimed type; diff resulting Content-Type, Content-Disposition, and X-Content-Type-Options on download
- Magic bytes vs extension: JPEG/GIF/PNG headers; mismatches reveal reliance on extension or MIME sniffing
- SVG/HTML probe: do they render inline (text/html or image/svg+xml) or download (attachment)?
- Archive probe: simple zip with nested path traversal entries and symlinks to detect extraction rules
</capability_probes>
</discovery_techniques>
<detection_channels>
<server_execution>
- Web shell execution (language dependent), config/handler uploads (.htaccess, .user.ini, web.config) enabling execution
- Interpreter-side template/script evaluation during conversion (ImageMagick/Ghostscript/ExifTool)
</server_execution>
<client_execution>
- Stored XSS via SVG/HTML/JS if served inline without correct headers; PDF JavaScript; office macros in previewers
</client_execution>
<header_and_render>
- Missing X-Content-Type-Options: nosniff enabling browser sniff to script
- Content-Type reflection from upload vs server-set; Content-Disposition: inline vs attachment
</header_and_render>
<process_side_effects>
- AV/CDR race or absence; background job status allows access before scan completes; password-protected archives bypass scanning
</process_side_effects>
</detection_channels>
<core_payloads>
<web_shells_and_configs>
- PHP: GIF polyglot (starts with GIF89a) followed by <?php echo 1; ?>; place where PHP is executed
- .htaccess to map extensions to code (AddType/AddHandler); .user.ini (auto_prepend/append_file) for PHP-FPM
- ASP/JSP equivalents where supported; IIS web.config to enable script execution
</web_shells_and_configs>
<stored_xss>
- SVG with onload/onerror handlers served as image/svg+xml or text/html
- HTML file with script when served as text/html or sniffed due to missing nosniff
</stored_xss>
<mime_magic_polyglots>
- Double extensions: avatar.jpg.php, report.pdf.html; mixed casing: .pHp, .PhAr
- Magic-byte spoofing: valid JPEG header then embedded script; verify server uses content inspection, not extensions alone
</mime_magic_polyglots>
<archive_attacks>
- Zip Slip: entries with ../../ to escape extraction dir; symlink-in-zip pointing outside target; nested zips
- Zip bomb: extreme compression ratios (e.g., 42.zip) to exhaust resources in processors
</archive_attacks>
<toolchain_exploits>
- ImageMagick/GraphicsMagick legacy vectors (policy.xml may mitigate): crafted SVG/PS/EPS invoking external commands or reading files
- Ghostscript in PDF/PS with file operators (%pipe%)
- ExifTool metadata parsing bugs; overly large or crafted EXIF/IPTC/XMP fields
</toolchain_exploits>
<cloud_storage_vectors>
- S3/GCS presigned uploads: attacker controls Content-Type/Disposition; set text/html or image/svg+xml and inline rendering
- Public-read ACL or permissive bucket policies expose uploads broadly; object key injection via user-controlled path prefixes
- Signed URL reuse and stale URLs; serving directly from bucket without attachment + nosniff headers
</cloud_storage_vectors>
</core_payloads>
<advanced_techniques>
<resumable_multipart>
- Change metadata between init and complete (e.g., swap Content-Type/Disposition at finalize)
- Upload benign chunks, then swap last chunk or complete with different source if server trusts client-side digests only
</resumable_multipart>
<filename_and_path>
- Unicode homoglyphs, trailing dots/spaces, device names, reserved characters to bypass validators and filesystem rules
- Null-byte truncation on legacy stacks; overlong paths; case-insensitive collisions overwriting existing files
</filename_and_path>
<processing_races>
- Request file immediately after upload but before AV/CDR completes; or during derivative creation to get unprocessed content
- Trigger heavy conversions (large images, deep PDFs) to widen race windows
</processing_races>
<metadata_abuse>
- Oversized EXIF/XMP/IPTC blocks to trigger parser flaws; payloads in document properties of Office/PDF rendered by previewers
</metadata_abuse>
<header_manipulation>
- Force inline rendering with Content-Type + inline Content-Disposition; test browsers with and without nosniff
- Cache poisoning via CDN with keys missing Vary on Content-Type/Disposition
</header_manipulation>
</advanced_techniques>
<filter_bypasses>
<validation_gaps>
- Client-side only checks; relying on JS/MIME provided by browser; trusting multipart boundary part headers blindly
- Extension allowlists without server-side content inspection; magic-bytes only without full parsing
</validation_gaps>
<evasion_tricks>
- Double extensions, mixed case, hidden dotfiles, extra dots (file..png), long paths with allowed suffix
- Multipart name vs filename vs path discrepancies; duplicate parameters and late parameter precedence
</evasion_tricks>
</filter_bypasses>
<special_contexts>
<rich_text_editors>
- RTEs allow image/attachment uploads and embed links; verify sanitization and serving headers for embedded content
</rich_text_editors>
<mobile_clients>
- Mobile SDKs may send nonstandard MIME or metadata; servers sometimes trust client-side transformations or EXIF orientation
</mobile_clients>
<serverless_and_cdn>
- Direct-to-bucket uploads with Lambda/Workers post-processing; verify that security decisions are not delegated to frontends
- CDN caching of uploaded content; ensure correct cache keys and headers (attachment, nosniff)
</serverless_and_cdn>
</special_contexts>
<parser_hardening>
- Validate on server: strict allowlist by true type (parse enough to confirm), size caps, and structural checks (dimensions, page count)
- Strip active content: convert SVG→PNG; remove scripts/JS from PDF; disable macros; normalize EXIF; consider CDR for risky types
- Store outside web root; serve via application or signed, time-limited URLs with Content-Disposition: attachment and X-Content-Type-Options: nosniff
- For cloud: private buckets, per-request signed GET, enforce Content-Type/Disposition on GET responses from your app/gateway
- Disable execution in upload paths; ignore .htaccess/.user.ini; sanitize keys to prevent path injections; randomize filenames
- AV + CDR: scan synchronously when possible; quarantine until verdict; block password-protected archives or process in sandbox
</parser_hardening>
<validation>
1. Demonstrate execution or rendering of active content: web shell reachable, or SVG/HTML executing JS when viewed.
2. Show filter bypass: upload accepted despite restrictions (extension/MIME/magic mismatch) with evidence on retrieval.
3. Prove header weaknesses: inline rendering without nosniff or missing attachment; present exact response headers.
4. Show race or pipeline gap: access before AV/CDR; extraction outside intended directory; derivative creation from malicious input.
5. Provide reproducible steps: request/response for upload and subsequent access, with minimal PoCs.
</validation>
<false_positives>
- Upload stored but never served back; or always served as attachment with strict nosniff
- Converters run in locked-down sandboxes with no external IO and no script engines; no path traversal on archive extraction
- AV/CDR blocks the payload and quarantines; access before scan is impossible by design
</false_positives>
<impact>
- Remote code execution on application stack or media toolchain host
- Persistent cross-site scripting and session/token exfiltration via served uploads
- Malware distribution via public storage/CDN; brand/reputation damage
- Data loss or corruption via overwrite/zip slip; service degradation via zip bombs or oversized assets
</impact>
<pro_tips>
1. Keep PoCs minimal: tiny SVG/HTML for XSS, a single-line PHP/ASP where relevant, and benign magic-byte polyglots.
2. Always capture download response headers and final MIME from the server/CDN; that decides browser behavior.
3. Prefer transforming risky formats to safe renderings (SVG→PNG) rather than attempting complex sanitization.
4. In presigned flows, constrain all headers and object keys server-side; ignore client-supplied ACL and metadata.
5. For archives, extract in a chroot/jail with explicit allowlist; drop symlinks and reject traversal.
6. Test finalize/complete steps in resumable flows; many validations only run on init, not at completion.
7. Verify background processors with EICAR and tiny polyglots; ensure quarantine gates access until safe.
8. When you cannot get execution, aim for stored XSS or header-driven script execution; both are impactful.
9. Validate that CDNs honor attachment/nosniff and do not override Content-Type/Disposition.
10. Document full pipeline behavior per asset type; defenses must match actual processors and serving paths.
</pro_tips>
<remember>Secure uploads are a pipeline property. Enforce strict type, size, and header controls; transform or strip active content; never execute or inline-render untrusted uploads; and keep storage private with controlled, signed access.</remember>
</insecure_file_uploads_guide>

141
strix/prompts/vulnerabilities/mass_assignment.jinja Normal file
View File

@@ -0,0 +1,141 @@
<mass_assignment_guide>
<title>MASS ASSIGNMENT</title>
<critical>Mass assignment binds client-supplied fields directly into models/DTOs without field-level allowlists. It commonly leads to privilege escalation, ownership changes, and unauthorized state transitions in modern APIs and GraphQL.</critical>
<scope>
- REST/JSON, GraphQL inputs, form-encoded and multipart bodies
- Model binding in controllers/resolvers; ORM create/update helpers
- Writable nested relations, sparse/patch updates, bulk endpoints
</scope>
<methodology>
1. Identify create/update endpoints and GraphQL mutations. Capture full server responses to observe returned fields.
2. Build a candidate list of sensitive attributes per resource: role/isAdmin/permissions, ownerId/accountId/tenantId, status/state, plan/price, limits/quotas, feature flags, verification flags, balance/credits.
3. Inject candidates alongside legitimate updates across transports and encodings; compare before/after state and diffs across roles.
4. Repeat with nested objects, arrays, and alternative shapes (dot/bracket notation, duplicate keys) and in batch operations.
</methodology>
<discovery_techniques>
<surface_map>
- Controllers with automatic binding (e.g., request.json → model); GraphQL input types mirroring models; admin/staff tools exposed via API
- OpenAPI/GraphQL schemas: uncover hidden fields or enums; SDKs often reveal writable fields
- Client bundles and mobile apps: inspect forms and mutation payloads for field names
</surface_map>
<parameter_strategies>
- Flat fields: isAdmin, role, roles[], permissions[], status, plan, tier, premium, verified, emailVerified
- Ownership/tenancy: userId, ownerId, accountId, organizationId, tenantId, workspaceId
- Limits/quotas: usageLimit, seatCount, maxProjects, creditBalance
- Feature flags/gates: features, flags, betaAccess, allowImpersonation
- Billing: price, amount, currency, prorate, nextInvoice, trialEnd
</parameter_strategies>
<shape_variants>
- Alternate shapes: arrays vs scalars; nested JSON; objects under unexpected keys
- Dot/bracket paths: profile.role, profile[role], settings[roles][]
- Duplicate keys and precedence: {"role":"user","role":"admin"}
- Sparse/patch formats: JSON Patch/JSON Merge Patch; try adding forbidden paths or replacing protected fields
</shape_variants>
<encodings_and_channels>
- Content-types: application/json, application/x-www-form-urlencoded, multipart/form-data, text/plain (JSON via server coercion)
- GraphQL: add suspicious fields to input objects; overfetch response to detect changes
- Batch/bulk: arrays of objects; verify per-item allowlists not skipped
</encodings_and_channels>
<exploitation_techniques>
<privilege_escalation>
- Set role/isAdmin/permissions during signup/profile update; toggle admin/staff flags where exposed
</privilege_escalation>
<ownership_takeover>
- Change ownerId/accountId/tenantId to seize resources; move objects across users/tenants
</ownership_takeover>
<feature_gate_bypass>
- Enable premium/beta/feature flags via flags/features fields; raise limits/seatCount/quotas
</feature_gate_bypass>
<billing_and_entitlements>
- Modify plan/price/prorate/trialEnd or creditBalance; bypass server recomputation
</billing_and_entitlements>
<nested_and_relation_writes>
- Writable nested serializers or ORM relations allow creating or linking related objects beyond callers scope (e.g., attach to another users org)
</nested_and_relation_writes>
<advanced_techniques>
<graphQL_specific>
- Field-level authz missing on input types: attempt forbidden fields in mutation inputs; combine with aliasing/batching to compare effects
- Use fragments to overfetch changed fields immediately after mutation
</graphQL_specific>
<orm_framework_edges>
- Rails: strong parameters misconfig or deep nesting via accepts_nested_attributes_for
- Laravel: $fillable/$guarded misuses; guarded=[] opens all; casts mutating hidden fields
- Django REST Framework: writable nested serializer, read_only/extra_kwargs gaps, partial updates
- Mongoose/Prisma: schema paths not filtered; select:false doesnt prevent writes; upsert defaults
</orm_framework_edges>
<parser_and_validator_gaps>
- Validators run post-bind and do not cover extra fields; unknown fields silently dropped in response but persisted underneath
- Inconsistent allowlists between mobile/web/gateway; alt encodings bypass validation pipeline
</parser_and_validator_gaps>
<bypass_techniques>
<content_type_switching>
- Switch JSON ↔ form-encoded ↔ multipart ↔ text/plain; some code paths only validate one
</content_type_switching>
<key_path_variants>
- Dot/bracket/object re-shaping to reach nested fields through different binders
</key_path_variants>
<batch_paths>
- Per-item checks skipped in bulk operations; insert a single malicious object within a large batch
</batch_paths>
<race_and_reorder>
- Race two updates: first sets forbidden field, second normalizes; final state may retain forbidden change
</race_and_reorder>
<validation>
1. Show a minimal request where adding a sensitive field changes persisted state for a non-privileged caller.
2. Provide before/after evidence (response body, subsequent GET, or GraphQL query) proving the forbidden attribute value.
3. Demonstrate consistency across at least two encodings or channels.
4. For nested/bulk, show that protected fields are written within child objects or array elements.
5. Quantify impact (e.g., role flip, cross-tenant move, quota increase) and reproducibility.
</validation>
<false_positives>
- Server recomputes derived fields (plan/price/role) ignoring client input
- Fields marked read-only and enforced consistently across encodings
- Only UI-side changes with no persisted effect
</false_positives>
<impact>
- Privilege escalation and admin feature access
- Cross-tenant or cross-account resource takeover
- Financial/billing manipulation and quota abuse
- Policy/approval bypass by toggling verification or status flags
</impact>
<pro_tips>
1. Build a sensitive-field dictionary per resource and fuzz systematically.
2. Always try alternate shapes and encodings; many validators are shape/CT-specific.
3. For GraphQL, diff the resource immediately after mutation; effects are often visible even if the mutation returns filtered fields.
4. Inspect SDKs/mobile apps for hidden field names and nested write examples.
5. Prefer minimal PoCs that prove durable state changes; avoid UI-only effects.
</pro_tips>
<mitigations>
- Enforce server-side allowlists per operation and role; deny unknown fields by default
- Separate input DTOs from domain models; map explicitly
- Recompute derived fields (role/plan/owner) from trusted context; ignore client values
- Lock nested writes to owned resources; validate foreign keys against caller scope
- For GraphQL, use input types that expose only permitted fields and enforce resolver-level checks
</mitigations>
<remember>Mass assignment is eliminated by explicit mapping and per-field authorization. Treat every client-supplied attribute—especially nested or batch inputs—as untrusted until validated against an allowlist and caller scope.</remember>
</mass_assignment_guide>

142
strix/prompts/vulnerabilities/path_traversal_lfi_rfi.jinja Normal file
View File

@@ -0,0 +1,142 @@
<path_traversal_lfi_rfi_guide>
<title>PATH TRAVERSAL, LFI, AND RFI</title>
<critical>Improper file path handling and dynamic inclusion enable sensitive file disclosure, config/source leakage, SSRF pivots, and code execution. Treat all user-influenced paths, names, and schemes as untrusted; normalize and bind them to an allowlist or eliminate user control entirely.</critical>
<scope>
- Path traversal: read files outside intended roots via ../, encoding, normalization gaps
- Local File Inclusion (LFI): include server-side files into interpreters/templates
- Remote File Inclusion (RFI): include remote resources (HTTP/FTP/wrappers) for code execution
- Archive extraction traversal (Zip Slip): write outside target directory upon unzip/untar
- Server/proxy normalization mismatches (nginx alias/root, upstream decoders)
- OS-specific paths: Windows separators, device names, UNC, NT paths, alternate data streams
</scope>
<methodology>
1. Inventory all file operations: downloads, previews, templates, logs, exports/imports, report engines, uploads, archive extractors.
2. Identify input joins: path joins (base + user), include/require/template loads, resource fetchers, archive extract destinations.
3. Probe normalization and resolution: separators, encodings, double-decodes, case, trailing dots/slashes; compare web server vs application behavior.
4. Escalate from disclosure (read) to influence (write/extract/include), then to execution (wrapper/engine chains).
</methodology>
<discovery_techniques>
<surface_map>
- HTTP params: file, path, template, include, page, view, download, export, report, log, dir, theme, lang
- Upload and conversion pipelines: image/PDF renderers, thumbnailers, office converters
- Archive extract endpoints and background jobs; imports with ZIP/TAR/GZ/7z
- Server-side template rendering (PHP/Smarty/Twig/Blade), email templates, CMS themes/plugins
- Reverse proxies and static file servers (nginx, CDN) in front of app handlers
</surface_map>
<capability_probes>
- Path traversal baseline: ../../etc/hosts and C:\\Windows\\win.ini
- Encodings: %2e%2e%2f, %252e%252e%252f, ..%2f, ..%5c, mixed UTF-8 (%c0%2e), Unicode dots and slashes
- Normalization tests: ....//, ..\\, ././, trailing dot/double dot segments; repeated decoding
- Absolute path acceptance: /etc/passwd, C:\\Windows\\System32\\drivers\\etc\\hosts
- Server mismatch: /static/..;/../etc/passwd ("..;"), encoded slashes (%2F), double-decoding via upstream
</capability_probes>
</discovery_techniques>
<detection_channels>
<direct>
- Response body discloses file content (text, binary, base64); error pages echo real paths
</direct>
<error_based>
- Exception messages expose canonicalized paths or include() warnings with real filesystem locations
</error_based>
<oast>
- RFI/LFI with wrappers that trigger outbound fetches (HTTP/DNS) to confirm inclusion/execution
</oast>
<side_effects>
- Archive extraction writes files unexpectedly outside target; verify with directory listings or follow-up reads
</side_effects>
</detection_channels>
<path_traversal>
<bypasses_and_variants>
- Encodings: single/double URL-encoding, mixed case, overlong UTF-8, UTF-16, path normalization oddities
- Mixed separators: / and \\ on Windows; // and \\\\ collapse differences across frameworks
- Dot tricks: ....// (double dot folding), trailing dots (Windows), trailing slashes, appended valid extension
- Absolute path injection: bypass joins by supplying a rooted path
- Alias/root mismatch (nginx): alias without trailing slash with nested location allows ../ to escape; try /static/../etc/passwd and ";" variants (..;)
- Upstream vs backend decoding: proxies/CDNs decoding %2f differently; test double-decoding and encoded dots
</bypasses_and_variants>
<high_value_targets>
- /etc/passwd, /etc/hosts, application .env/config.yaml, SSH/keys, cloud creds, service configs/logs
- Windows: C:\\Windows\\win.ini, IIS/web.config, programdata configs, application logs
- Source code templates and server-side includes; secrets in env dumps
</high_value_targets>
</path_traversal>
<lfi>
<wrappers_and_techniques>
- PHP wrappers: php://filter/convert.base64-encode/resource=index.php (read source), zip://archive.zip#file.txt, data://text/plain;base64, expect:// (if enabled)
- Log/session poisoning: inject PHP/templating payloads into access/error logs or session files then include them (paths vary by stack)
- Upload temp names: include temporary upload files before relocation; race with scanners
- /proc/self/environ and framework-specific caches for readable secrets
- Null-byte (legacy): %00 truncation in older stacks; path length truncation tricks
</wrappers_and_techniques>
<template_engines>
- PHP include/require; Smarty/Twig/Blade with dynamic template names
- Java/JSP/FreeMarker/Velocity; Node.js ejs/handlebars/pug engines
- Seek dynamic template resolution from user input (theme/lang/template)
</template_engines>
</lfi>
<rfi>
<conditions>
- Remote includes (allow_url_include/allow_url_fopen in PHP), custom fetchers that eval/execute retrieved content, SSRF-to-exec bridges
- Protocol handlers: http, https, ftp; language-specific stream handlers
</conditions>
<exploitation>
- Host a minimal payload that proves code execution; prefer OAST beacons or deterministic output over heavy shells
- Chain with upload or log poisoning when remote includes are disabled to reach local payloads
</exploitation>
</rfi>
<archive_extraction>
<zip_slip>
- Files within archives containing ../ or absolute paths escape target extract directory
- Test multiple formats: zip/tar/tgz/7z; verify symlink handling and path canonicalization prior to write
- Impact: overwrite config/templates or drop webshells into served directories
</zip_slip>
</archive_extraction>
<validation>
1. Show a minimal traversal read proving out-of-root access (e.g., /etc/hosts) with a same-endpoint in-root control.
2. For LFI, demonstrate inclusion of a benign local file or harmless wrapper output (php://filter base64 of index.php); avoid active code when not permitted.
3. For RFI, prove remote fetch by OAST or controlled output; avoid destructive payloads.
4. For Zip Slip, create an archive with ../ entries and show write outside target (e.g., marker file read back).
5. Provide before/after file paths, exact requests, and content hashes/lengths for reproducibility.
</validation>
<false_positives>
- In-app virtual paths that do not map to filesystem; content comes from safe stores (DB/object storage)
- Canonicalized paths constrained to an allowlist/root after normalization
- Wrappers disabled and includes using constant templates only
- Archive extractors that sanitize paths and enforce destination directories
</false_positives>
<impact>
- Sensitive configuration/source disclosure → credential and key compromise
- Code execution via inclusion of attacker-controlled content or overwritten templates
- Persistence via dropped files in served directories; lateral movement via revealed secrets
- Supply-chain impact when report/template engines execute attacker-influenced files
</impact>
<pro_tips>
1. Compare content-length/ETag when content is masked; read small canonical files (hosts) to avoid noise.
2. Test proxy/CDN and app separately; decoding/normalization order differs, especially for %2f and %2e encodings.
3. For LFI, prefer php://filter base64 probes over destructive payloads; enumerate readable logs and sessions.
4. Validate extraction code with synthetic archives; include symlinks and deep ../ chains.
5. Use minimal PoCs and hard evidence (hashes, paths). Avoid noisy DoS against filesystems.
</pro_tips>
<remember>Eliminate user-controlled paths where possible. Otherwise, resolve to canonical paths and enforce allowlists, forbid remote schemes, and lock down interpreters and extractors. Normalize consistently at the boundary closest to IO.</remember>
</path_traversal_lfi_rfi_guide>