From 6d5a3f331b0295537c332a90d6aebcf60bbd1afa Mon Sep 17 00:00:00 2001 From: Ahmed Allam Date: Mon, 13 Oct 2025 17:24:04 -0700 Subject: [PATCH] feat: Adding prompt modules for broken function level authorization, insecure file uploads, mass assignment, and path traversal, LFI, and RFI --- .../broken_function_level_authorization.jinja | 146 ++++++++++++++ .../insecure_file_uploads.jinja | 188 ++++++++++++++++++ .../vulnerabilities/mass_assignment.jinja | 141 +++++++++++++ .../path_traversal_lfi_rfi.jinja | 142 +++++++++++++ 4 files changed, 617 insertions(+) create mode 100644 strix/prompts/vulnerabilities/broken_function_level_authorization.jinja create mode 100644 strix/prompts/vulnerabilities/insecure_file_uploads.jinja create mode 100644 strix/prompts/vulnerabilities/mass_assignment.jinja create mode 100644 strix/prompts/vulnerabilities/path_traversal_lfi_rfi.jinja diff --git a/strix/prompts/vulnerabilities/broken_function_level_authorization.jinja b/strix/prompts/vulnerabilities/broken_function_level_authorization.jinja new file mode 100644 index 0000000..0041dff --- /dev/null +++ b/strix/prompts/vulnerabilities/broken_function_level_authorization.jinja @@ -0,0 +1,146 @@ + +BROKEN FUNCTION LEVEL AUTHORIZATION (BFLA) + +BFLA is action-level authorization failure: callers invoke functions (endpoints, mutations, admin tools) they are not entitled to. It appears when enforcement differs across transports, gateways, roles, or when services trust client hints. Bind subject × action at the service that performs the action. + + +- Vertical authz: privileged/admin/staff-only actions reachable by basic users +- Feature gates: toggles enforced at edge/UI, not at core services +- Transport drift: REST vs GraphQL vs gRPC vs WebSocket with inconsistent checks +- Gateway trust: backends trust X-User-Id/X-Role injected by proxies/edges +- Background workers/jobs performing actions without re-checking authz + + + +1. Build an Actor × Action matrix with at least: unauth, basic, premium, staff/admin. Enumerate actions (create/update/delete, approve/cancel, impersonate, export, invite, role-change, credit/refund). +2. Obtain tokens/sessions for each role. Exercise every action across all transports and encodings (JSON, form, multipart), including method overrides. +3. Vary headers and contextual selectors (org/tenant/project) and test behavior behind gateway vs direct-to-service. +4. Include background flows: job creation/finalization, webhooks, queues. Confirm re-validation of authz in consumers. + + + + +- Admin/staff consoles and APIs, support tools, internal-only endpoints exposed via gateway +- Hidden buttons and disabled UI paths (feature-flagged) mapped to still-live endpoints +- GraphQL schemas: mutations and admin-only fields/types; gRPC service descriptors (reflection) +- Mobile clients often reveal extra endpoints/roles in app bundles or network logs + + + +- 401/403 on UI but 200 via direct API call; differing status codes across transports +- Actions succeed via background jobs when direct call is denied +- Changing only headers (role/org) alters access without token change + + + +- Role/permission changes, impersonation/sudo, invite/accept into orgs +- Approve/void/refund/credit issuance, price/plan overrides +- Export/report generation, data deletion, account suspension/reactivation +- Feature flag toggles, quota/grant adjustments, license/seat changes +- Security settings: 2FA reset, email/phone verification overrides + + + + +- Alternate methods: GET performing state change; POST vs PUT vs PATCH differences; X-HTTP-Method-Override/_method +- Alternate endpoints performing the same action with weaker checks (legacy vs v2, mobile vs web) + + + +- Edge blocks an action but core service RPC accepts it directly; call internal service via exposed API route or SSRF +- Gateway-injected identity headers override token claims; supply conflicting headers to test precedence + + + +- Client-checked feature gates; call backend endpoints directly +- Admin-only mutations exposed but hidden in UI; invoke via GraphQL or gRPC tools + + + +- Create export/import jobs where creation is allowed but finalize/approve lacks authz; finalize others' jobs +- Replay webhooks/background tasks endpoints that perform privileged actions without verifying caller + + + +- JSON vs form vs multipart handlers using different middleware: send the action via the most permissive parser + + + + + +- Resolver-level checks per mutation/field; do not assume top-level auth covers nested mutations or admin fields +- Abuse aliases/batching to sneak privileged fields; persisted queries sometimes bypass auth transforms +- Example: +{% raw %} +mutation Promote($id:ID!){ + a: updateUser(id:$id, role: ADMIN){ id role } +} +{% endraw %} + + + +- Method-level auth via interceptors must enforce audience/roles; probe direct gRPC with tokens of lower role +- Reflection lists services/methods; call admin methods that the gateway hid + + + +- Handshake-only auth: ensure per-message authorization on privileged events (e.g., admin:impersonate) +- Try emitting privileged actions after joining standard channels + + + +- Actions requiring tenant admin enforced only by header/subdomain; attempt cross-tenant admin actions by switching selectors with same token + + + +- Internal RPCs trust upstream checks; reach them through exposed endpoints or SSRF; verify each service re-enforces authz + + + + +- Supply X-User-Id/X-Role/X-Organization headers; remove or contradict token claims; observe which source wins + + + +- Legacy/alternate routes (e.g., /admin/v1 vs /v2/admin) that skip new middleware chains + + + +- Retry or replay finalize/approve endpoints that apply state without checking actor on each call + + + +- Cached authorization decisions at edge leading to cross-user reuse; test with Vary and session swaps + + + + +1. Show a lower-privileged principal successfully invokes a restricted action (same inputs) while the proper role succeeds and another lower role fails. +2. Provide evidence across at least two transports or encodings demonstrating inconsistent enforcement. +3. Demonstrate that removing/altering client-side gates (buttons/flags) does not affect backend success. +4. Include durable state change proof: before/after snapshots, audit logs, and authoritative sources. + + + +- Read-only endpoints mislabeled as admin but publicly documented +- Feature toggles intentionally open to all roles for preview/beta with clear policy +- Simulated environments where admin endpoints are stubbed with no side effects + + + +- Privilege escalation to admin/staff actions +- Monetary/state impact: refunds/credits/approvals without authorization +- Tenant-wide configuration changes, impersonation, or data deletion +- Compliance and audit violations due to bypassed approval workflows + + + +1. Start from the role matrix; test every action with basic vs admin tokens across REST/GraphQL/gRPC. +2. Diff middleware stacks between routes; weak chains often exist on legacy or alternate encodings. +3. Inspect gateways for identity header injection; never trust client-provided identity. +4. Treat jobs/webhooks as first-class: finalize/approve must re-check the actor. +5. Prefer minimal PoCs: one request that flips a privileged field or invokes an admin method with a basic token. + + +Authorization must bind the actor to the specific action at the service boundary on every request and message. UI gates, gateways, or prior steps do not substitute for function-level checks. + diff --git a/strix/prompts/vulnerabilities/insecure_file_uploads.jinja b/strix/prompts/vulnerabilities/insecure_file_uploads.jinja new file mode 100644 index 0000000..c0321da --- /dev/null +++ b/strix/prompts/vulnerabilities/insecure_file_uploads.jinja @@ -0,0 +1,188 @@ + +INSECURE FILE UPLOADS + +Upload surfaces are high risk: server-side execution (RCE), stored XSS, malware distribution, storage takeover, and DoS. Modern stacks mix direct-to-cloud uploads, background processors, and CDNs—authorization and validation must hold across every step. + + +- Web/mobile/API uploads, direct-to-cloud (S3/GCS/Azure) presigned flows, resumable/multipart protocols (tus, S3 MPU) +- Image/document/media pipelines (ImageMagick/GraphicsMagick, Ghostscript, ExifTool, PDF engines, office converters) +- Admin/bulk importers, archive uploads (zip/tar), report/template uploads, rich text with attachments +- Serving paths: app directly, object storage, CDN, email attachments, previews/thumbnails + + + +1. Map the pipeline: client → ingress (edge/app/gateway) → storage → processors (thumb, OCR, AV, CDR) → serving (app/storage/CDN). Note where validation and auth occur. +2. Identify allowed types, size limits, filename rules, storage keys, and who serves the content. Collect baseline uploads per type and capture resulting URLs and headers. +3. Exercise bypass families systematically: extension games, MIME/content-type, magic bytes, polyglots, metadata payloads, archive structure, chunk/finalize differentials. +4. Validate execution and rendering: can uploaded content execute on server or client? Confirm with minimal PoCs and headers analysis. + + + + +- Endpoints/fields: upload, file, avatar, image, attachment, import, media, document, template +- Direct-to-cloud params: key, bucket, acl, Content-Type, Content-Disposition, x-amz-meta-*, cache-control +- Resumable APIs: create/init → upload/chunk → complete/finalize; check if metadata/headers can be altered late +- Background processors: thumbnails, PDF→image, virus scan queues; identify timing and status transitions + + + +- Small probe files of each claimed type; diff resulting Content-Type, Content-Disposition, and X-Content-Type-Options on download +- Magic bytes vs extension: JPEG/GIF/PNG headers; mismatches reveal reliance on extension or MIME sniffing +- SVG/HTML probe: do they render inline (text/html or image/svg+xml) or download (attachment)? +- Archive probe: simple zip with nested path traversal entries and symlinks to detect extraction rules + + + + + +- Web shell execution (language dependent), config/handler uploads (.htaccess, .user.ini, web.config) enabling execution +- Interpreter-side template/script evaluation during conversion (ImageMagick/Ghostscript/ExifTool) + + + +- Stored XSS via SVG/HTML/JS if served inline without correct headers; PDF JavaScript; office macros in previewers + + + +- Missing X-Content-Type-Options: nosniff enabling browser sniff to script +- Content-Type reflection from upload vs server-set; Content-Disposition: inline vs attachment + + + +- AV/CDR race or absence; background job status allows access before scan completes; password-protected archives bypass scanning + + + + + +- PHP: GIF polyglot (starts with GIF89a) followed by ; place where PHP is executed +- .htaccess to map extensions to code (AddType/AddHandler); .user.ini (auto_prepend/append_file) for PHP-FPM +- ASP/JSP equivalents where supported; IIS web.config to enable script execution + + + +- SVG with onload/onerror handlers served as image/svg+xml or text/html +- HTML file with script when served as text/html or sniffed due to missing nosniff + + + +- Double extensions: avatar.jpg.php, report.pdf.html; mixed casing: .pHp, .PhAr +- Magic-byte spoofing: valid JPEG header then embedded script; verify server uses content inspection, not extensions alone + + + +- Zip Slip: entries with ../../ to escape extraction dir; symlink-in-zip pointing outside target; nested zips +- Zip bomb: extreme compression ratios (e.g., 42.zip) to exhaust resources in processors + + + +- ImageMagick/GraphicsMagick legacy vectors (policy.xml may mitigate): crafted SVG/PS/EPS invoking external commands or reading files +- Ghostscript in PDF/PS with file operators (%pipe%) +- ExifTool metadata parsing bugs; overly large or crafted EXIF/IPTC/XMP fields + + + +- S3/GCS presigned uploads: attacker controls Content-Type/Disposition; set text/html or image/svg+xml and inline rendering +- Public-read ACL or permissive bucket policies expose uploads broadly; object key injection via user-controlled path prefixes +- Signed URL reuse and stale URLs; serving directly from bucket without attachment + nosniff headers + + + + + +- Change metadata between init and complete (e.g., swap Content-Type/Disposition at finalize) +- Upload benign chunks, then swap last chunk or complete with different source if server trusts client-side digests only + + + +- Unicode homoglyphs, trailing dots/spaces, device names, reserved characters to bypass validators and filesystem rules +- Null-byte truncation on legacy stacks; overlong paths; case-insensitive collisions overwriting existing files + + + +- Request file immediately after upload but before AV/CDR completes; or during derivative creation to get unprocessed content +- Trigger heavy conversions (large images, deep PDFs) to widen race windows + + + +- Oversized EXIF/XMP/IPTC blocks to trigger parser flaws; payloads in document properties of Office/PDF rendered by previewers + + + +- Force inline rendering with Content-Type + inline Content-Disposition; test browsers with and without nosniff +- Cache poisoning via CDN with keys missing Vary on Content-Type/Disposition + + + + + +- Client-side only checks; relying on JS/MIME provided by browser; trusting multipart boundary part headers blindly +- Extension allowlists without server-side content inspection; magic-bytes only without full parsing + + + +- Double extensions, mixed case, hidden dotfiles, extra dots (file..png), long paths with allowed suffix +- Multipart name vs filename vs path discrepancies; duplicate parameters and late parameter precedence + + + + + +- RTEs allow image/attachment uploads and embed links; verify sanitization and serving headers for embedded content + + + +- Mobile SDKs may send nonstandard MIME or metadata; servers sometimes trust client-side transformations or EXIF orientation + + + +- Direct-to-bucket uploads with Lambda/Workers post-processing; verify that security decisions are not delegated to frontends +- CDN caching of uploaded content; ensure correct cache keys and headers (attachment, nosniff) + + + + +- Validate on server: strict allowlist by true type (parse enough to confirm), size caps, and structural checks (dimensions, page count) +- Strip active content: convert SVG→PNG; remove scripts/JS from PDF; disable macros; normalize EXIF; consider CDR for risky types +- Store outside web root; serve via application or signed, time-limited URLs with Content-Disposition: attachment and X-Content-Type-Options: nosniff +- For cloud: private buckets, per-request signed GET, enforce Content-Type/Disposition on GET responses from your app/gateway +- Disable execution in upload paths; ignore .htaccess/.user.ini; sanitize keys to prevent path injections; randomize filenames +- AV + CDR: scan synchronously when possible; quarantine until verdict; block password-protected archives or process in sandbox + + + +1. Demonstrate execution or rendering of active content: web shell reachable, or SVG/HTML executing JS when viewed. +2. Show filter bypass: upload accepted despite restrictions (extension/MIME/magic mismatch) with evidence on retrieval. +3. Prove header weaknesses: inline rendering without nosniff or missing attachment; present exact response headers. +4. Show race or pipeline gap: access before AV/CDR; extraction outside intended directory; derivative creation from malicious input. +5. Provide reproducible steps: request/response for upload and subsequent access, with minimal PoCs. + + + +- Upload stored but never served back; or always served as attachment with strict nosniff +- Converters run in locked-down sandboxes with no external IO and no script engines; no path traversal on archive extraction +- AV/CDR blocks the payload and quarantines; access before scan is impossible by design + + + +- Remote code execution on application stack or media toolchain host +- Persistent cross-site scripting and session/token exfiltration via served uploads +- Malware distribution via public storage/CDN; brand/reputation damage +- Data loss or corruption via overwrite/zip slip; service degradation via zip bombs or oversized assets + + + +1. Keep PoCs minimal: tiny SVG/HTML for XSS, a single-line PHP/ASP where relevant, and benign magic-byte polyglots. +2. Always capture download response headers and final MIME from the server/CDN; that decides browser behavior. +3. Prefer transforming risky formats to safe renderings (SVG→PNG) rather than attempting complex sanitization. +4. In presigned flows, constrain all headers and object keys server-side; ignore client-supplied ACL and metadata. +5. For archives, extract in a chroot/jail with explicit allowlist; drop symlinks and reject traversal. +6. Test finalize/complete steps in resumable flows; many validations only run on init, not at completion. +7. Verify background processors with EICAR and tiny polyglots; ensure quarantine gates access until safe. +8. When you cannot get execution, aim for stored XSS or header-driven script execution; both are impactful. +9. Validate that CDNs honor attachment/nosniff and do not override Content-Type/Disposition. +10. Document full pipeline behavior per asset type; defenses must match actual processors and serving paths. + + +Secure uploads are a pipeline property. Enforce strict type, size, and header controls; transform or strip active content; never execute or inline-render untrusted uploads; and keep storage private with controlled, signed access. + diff --git a/strix/prompts/vulnerabilities/mass_assignment.jinja b/strix/prompts/vulnerabilities/mass_assignment.jinja new file mode 100644 index 0000000..7b9c044 --- /dev/null +++ b/strix/prompts/vulnerabilities/mass_assignment.jinja @@ -0,0 +1,141 @@ + +MASS ASSIGNMENT + +Mass assignment binds client-supplied fields directly into models/DTOs without field-level allowlists. It commonly leads to privilege escalation, ownership changes, and unauthorized state transitions in modern APIs and GraphQL. + + +- REST/JSON, GraphQL inputs, form-encoded and multipart bodies +- Model binding in controllers/resolvers; ORM create/update helpers +- Writable nested relations, sparse/patch updates, bulk endpoints + + + +1. Identify create/update endpoints and GraphQL mutations. Capture full server responses to observe returned fields. +2. Build a candidate list of sensitive attributes per resource: role/isAdmin/permissions, ownerId/accountId/tenantId, status/state, plan/price, limits/quotas, feature flags, verification flags, balance/credits. +3. Inject candidates alongside legitimate updates across transports and encodings; compare before/after state and diffs across roles. +4. Repeat with nested objects, arrays, and alternative shapes (dot/bracket notation, duplicate keys) and in batch operations. + + + + +- Controllers with automatic binding (e.g., request.json → model); GraphQL input types mirroring models; admin/staff tools exposed via API +- OpenAPI/GraphQL schemas: uncover hidden fields or enums; SDKs often reveal writable fields +- Client bundles and mobile apps: inspect forms and mutation payloads for field names + + + +- Flat fields: isAdmin, role, roles[], permissions[], status, plan, tier, premium, verified, emailVerified +- Ownership/tenancy: userId, ownerId, accountId, organizationId, tenantId, workspaceId +- Limits/quotas: usageLimit, seatCount, maxProjects, creditBalance +- Feature flags/gates: features, flags, betaAccess, allowImpersonation +- Billing: price, amount, currency, prorate, nextInvoice, trialEnd + + + +- Alternate shapes: arrays vs scalars; nested JSON; objects under unexpected keys +- Dot/bracket paths: profile.role, profile[role], settings[roles][] +- Duplicate keys and precedence: {"role":"user","role":"admin"} +- Sparse/patch formats: JSON Patch/JSON Merge Patch; try adding forbidden paths or replacing protected fields + + + +- Content-types: application/json, application/x-www-form-urlencoded, multipart/form-data, text/plain (JSON via server coercion) +- GraphQL: add suspicious fields to input objects; overfetch response to detect changes +- Batch/bulk: arrays of objects; verify per-item allowlists not skipped + + + + +- Set role/isAdmin/permissions during signup/profile update; toggle admin/staff flags where exposed + + + +- Change ownerId/accountId/tenantId to seize resources; move objects across users/tenants + + + +- Enable premium/beta/feature flags via flags/features fields; raise limits/seatCount/quotas + + + +- Modify plan/price/prorate/trialEnd or creditBalance; bypass server recomputation + + + +- Writable nested serializers or ORM relations allow creating or linking related objects beyond caller’s scope (e.g., attach to another user’s org) + + + + +- Field-level authz missing on input types: attempt forbidden fields in mutation inputs; combine with aliasing/batching to compare effects +- Use fragments to overfetch changed fields immediately after mutation + + + +- Rails: strong parameters misconfig or deep nesting via accepts_nested_attributes_for +- Laravel: $fillable/$guarded misuses; guarded=[] opens all; casts mutating hidden fields +- Django REST Framework: writable nested serializer, read_only/extra_kwargs gaps, partial updates +- Mongoose/Prisma: schema paths not filtered; select:false doesn’t prevent writes; upsert defaults + + + +- Validators run post-bind and do not cover extra fields; unknown fields silently dropped in response but persisted underneath +- Inconsistent allowlists between mobile/web/gateway; alt encodings bypass validation pipeline + + + + +- Switch JSON ↔ form-encoded ↔ multipart ↔ text/plain; some code paths only validate one + + + +- Dot/bracket/object re-shaping to reach nested fields through different binders + + + +- Per-item checks skipped in bulk operations; insert a single malicious object within a large batch + + + +- Race two updates: first sets forbidden field, second normalizes; final state may retain forbidden change + + + +1. Show a minimal request where adding a sensitive field changes persisted state for a non-privileged caller. +2. Provide before/after evidence (response body, subsequent GET, or GraphQL query) proving the forbidden attribute value. +3. Demonstrate consistency across at least two encodings or channels. +4. For nested/bulk, show that protected fields are written within child objects or array elements. +5. Quantify impact (e.g., role flip, cross-tenant move, quota increase) and reproducibility. + + + +- Server recomputes derived fields (plan/price/role) ignoring client input +- Fields marked read-only and enforced consistently across encodings +- Only UI-side changes with no persisted effect + + + +- Privilege escalation and admin feature access +- Cross-tenant or cross-account resource takeover +- Financial/billing manipulation and quota abuse +- Policy/approval bypass by toggling verification or status flags + + + +1. Build a sensitive-field dictionary per resource and fuzz systematically. +2. Always try alternate shapes and encodings; many validators are shape/CT-specific. +3. For GraphQL, diff the resource immediately after mutation; effects are often visible even if the mutation returns filtered fields. +4. Inspect SDKs/mobile apps for hidden field names and nested write examples. +5. Prefer minimal PoCs that prove durable state changes; avoid UI-only effects. + + + +- Enforce server-side allowlists per operation and role; deny unknown fields by default +- Separate input DTOs from domain models; map explicitly +- Recompute derived fields (role/plan/owner) from trusted context; ignore client values +- Lock nested writes to owned resources; validate foreign keys against caller scope +- For GraphQL, use input types that expose only permitted fields and enforce resolver-level checks + + +Mass assignment is eliminated by explicit mapping and per-field authorization. Treat every client-supplied attribute—especially nested or batch inputs—as untrusted until validated against an allowlist and caller scope. + diff --git a/strix/prompts/vulnerabilities/path_traversal_lfi_rfi.jinja b/strix/prompts/vulnerabilities/path_traversal_lfi_rfi.jinja new file mode 100644 index 0000000..377f4de --- /dev/null +++ b/strix/prompts/vulnerabilities/path_traversal_lfi_rfi.jinja @@ -0,0 +1,142 @@ + +PATH TRAVERSAL, LFI, AND RFI + +Improper file path handling and dynamic inclusion enable sensitive file disclosure, config/source leakage, SSRF pivots, and code execution. Treat all user-influenced paths, names, and schemes as untrusted; normalize and bind them to an allowlist or eliminate user control entirely. + + +- Path traversal: read files outside intended roots via ../, encoding, normalization gaps +- Local File Inclusion (LFI): include server-side files into interpreters/templates +- Remote File Inclusion (RFI): include remote resources (HTTP/FTP/wrappers) for code execution +- Archive extraction traversal (Zip Slip): write outside target directory upon unzip/untar +- Server/proxy normalization mismatches (nginx alias/root, upstream decoders) +- OS-specific paths: Windows separators, device names, UNC, NT paths, alternate data streams + + + +1. Inventory all file operations: downloads, previews, templates, logs, exports/imports, report engines, uploads, archive extractors. +2. Identify input joins: path joins (base + user), include/require/template loads, resource fetchers, archive extract destinations. +3. Probe normalization and resolution: separators, encodings, double-decodes, case, trailing dots/slashes; compare web server vs application behavior. +4. Escalate from disclosure (read) to influence (write/extract/include), then to execution (wrapper/engine chains). + + + + +- HTTP params: file, path, template, include, page, view, download, export, report, log, dir, theme, lang +- Upload and conversion pipelines: image/PDF renderers, thumbnailers, office converters +- Archive extract endpoints and background jobs; imports with ZIP/TAR/GZ/7z +- Server-side template rendering (PHP/Smarty/Twig/Blade), email templates, CMS themes/plugins +- Reverse proxies and static file servers (nginx, CDN) in front of app handlers + + + +- Path traversal baseline: ../../etc/hosts and C:\\Windows\\win.ini +- Encodings: %2e%2e%2f, %252e%252e%252f, ..%2f, ..%5c, mixed UTF-8 (%c0%2e), Unicode dots and slashes +- Normalization tests: ....//, ..\\, ././, trailing dot/double dot segments; repeated decoding +- Absolute path acceptance: /etc/passwd, C:\\Windows\\System32\\drivers\\etc\\hosts +- Server mismatch: /static/..;/../etc/passwd ("..;"), encoded slashes (%2F), double-decoding via upstream + + + + + +- Response body discloses file content (text, binary, base64); error pages echo real paths + + + +- Exception messages expose canonicalized paths or include() warnings with real filesystem locations + + + +- RFI/LFI with wrappers that trigger outbound fetches (HTTP/DNS) to confirm inclusion/execution + + + +- Archive extraction writes files unexpectedly outside target; verify with directory listings or follow-up reads + + + + + +- Encodings: single/double URL-encoding, mixed case, overlong UTF-8, UTF-16, path normalization oddities +- Mixed separators: / and \\ on Windows; // and \\\\ collapse differences across frameworks +- Dot tricks: ....// (double dot folding), trailing dots (Windows), trailing slashes, appended valid extension +- Absolute path injection: bypass joins by supplying a rooted path +- Alias/root mismatch (nginx): alias without trailing slash with nested location allows ../ to escape; try /static/../etc/passwd and ";" variants (..;) +- Upstream vs backend decoding: proxies/CDNs decoding %2f differently; test double-decoding and encoded dots + + + +- /etc/passwd, /etc/hosts, application .env/config.yaml, SSH/keys, cloud creds, service configs/logs +- Windows: C:\\Windows\\win.ini, IIS/web.config, programdata configs, application logs +- Source code templates and server-side includes; secrets in env dumps + + + + + +- PHP wrappers: php://filter/convert.base64-encode/resource=index.php (read source), zip://archive.zip#file.txt, data://text/plain;base64, expect:// (if enabled) +- Log/session poisoning: inject PHP/templating payloads into access/error logs or session files then include them (paths vary by stack) +- Upload temp names: include temporary upload files before relocation; race with scanners +- /proc/self/environ and framework-specific caches for readable secrets +- Null-byte (legacy): %00 truncation in older stacks; path length truncation tricks + + + +- PHP include/require; Smarty/Twig/Blade with dynamic template names +- Java/JSP/FreeMarker/Velocity; Node.js ejs/handlebars/pug engines +- Seek dynamic template resolution from user input (theme/lang/template) + + + + + +- Remote includes (allow_url_include/allow_url_fopen in PHP), custom fetchers that eval/execute retrieved content, SSRF-to-exec bridges +- Protocol handlers: http, https, ftp; language-specific stream handlers + + + +- Host a minimal payload that proves code execution; prefer OAST beacons or deterministic output over heavy shells +- Chain with upload or log poisoning when remote includes are disabled to reach local payloads + + + + + +- Files within archives containing ../ or absolute paths escape target extract directory +- Test multiple formats: zip/tar/tgz/7z; verify symlink handling and path canonicalization prior to write +- Impact: overwrite config/templates or drop webshells into served directories + + + + +1. Show a minimal traversal read proving out-of-root access (e.g., /etc/hosts) with a same-endpoint in-root control. +2. For LFI, demonstrate inclusion of a benign local file or harmless wrapper output (php://filter base64 of index.php); avoid active code when not permitted. +3. For RFI, prove remote fetch by OAST or controlled output; avoid destructive payloads. +4. For Zip Slip, create an archive with ../ entries and show write outside target (e.g., marker file read back). +5. Provide before/after file paths, exact requests, and content hashes/lengths for reproducibility. + + + +- In-app virtual paths that do not map to filesystem; content comes from safe stores (DB/object storage) +- Canonicalized paths constrained to an allowlist/root after normalization +- Wrappers disabled and includes using constant templates only +- Archive extractors that sanitize paths and enforce destination directories + + + +- Sensitive configuration/source disclosure → credential and key compromise +- Code execution via inclusion of attacker-controlled content or overwritten templates +- Persistence via dropped files in served directories; lateral movement via revealed secrets +- Supply-chain impact when report/template engines execute attacker-influenced files + + + +1. Compare content-length/ETag when content is masked; read small canonical files (hosts) to avoid noise. +2. Test proxy/CDN and app separately; decoding/normalization order differs, especially for %2f and %2e encodings. +3. For LFI, prefer php://filter base64 probes over destructive payloads; enumerate readable logs and sessions. +4. Validate extraction code with synthetic archives; include symlinks and deep ../ chains. +5. Use minimal PoCs and hard evidence (hashes, paths). Avoid noisy DoS against filesystems. + + +Eliminate user-controlled paths where possible. Otherwise, resolve to canonical paths and enforce allowlists, forbid remote schemes, and lock down interpreters and extractors. Normalize consistently at the boundary closest to IO. +