salvacybersec/strix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f10ae40d76f4786cd3aa476afc9111eff5c213d
strix/strix/skills/scan_modes/deep.md
bearsyankees 4f10ae40d7 whitebox follow up: better wiki
2026-03-31 16:44:48 -04:00

7.2 KiB
Raw Blame History

name, description
name description
deep Exhaustive security assessment with maximum coverage, depth, and vulnerability chaining

Deep Testing Mode

Exhaustive security assessment. Maximum coverage, maximum depth. Finding what others miss is the goal.

Approach

Thorough understanding before exploitation. Test every parameter, every endpoint, every edge case. Chain findings for maximum impact.

Phase 1: Exhaustive Reconnaissance

Whitebox (source available)

  • Map every file, module, and code path in the repository
  • Load and maintain shared wiki notes from the start (list_notes(category="wiki"), then get_note(note_id=...) for wiki:overview and wiki:security), then continuously update wiki:security
  • Start with broad source-aware triage (semgrep, ast-grep, gitleaks, trufflehog, trivy fs) and use outputs to drive deep review
  • Execute at least one structural AST pass (sg and/or Tree-sitter) per repository and store artifacts for reuse
  • Keep AST artifacts bounded and query-driven (target relevant paths/sinks first; avoid whole-repo generic function dumps)
  • Use syntax-aware parsing (Tree-sitter tooling) to improve symbol, route, and sink extraction quality
  • Trace all entry points from HTTP handlers to database queries
  • Document all authentication mechanisms and implementations
  • Map authorization checks and access control model
  • Identify all external service integrations and API calls
  • Analyze configuration for secrets and misconfigurations
  • Review database schemas and data relationships
  • Map background jobs, cron tasks, async processing
  • Identify all serialization/deserialization points
  • Review file handling: upload, download, processing
  • Understand the deployment model and infrastructure assumptions
  • Check all dependency versions and repository risks against CVE/misconfiguration data
  • Before final completion, update wiki:security with scanner summary + dynamic follow-ups

Blackbox (no source)

  • Exhaustive subdomain enumeration with multiple sources and tools
  • Full port scanning across all services
  • Complete content discovery with multiple wordlists
  • Technology fingerprinting on all assets
  • API discovery via docs, JavaScript analysis, fuzzing
  • Identify all parameters including hidden and rarely-used ones
  • Map all user roles with different account types
  • Document rate limiting, WAF rules, security controls
  • Document complete application architecture as understood from outside

Phase 2: Business Logic Deep Dive

Create a complete storyboard of the application:

  • User flows - document every step of every workflow
  • State machines - map all transitions (Created → Paid → Shipped → Delivered)
  • Trust boundaries - identify where privilege changes hands
  • Invariants - what rules should the application always enforce
  • Implicit assumptions - what does the code assume that might be violated
  • Multi-step attack surfaces - where can normal functionality be abused
  • Third-party integrations - map all external service dependencies

Use the application extensively as every user type to understand the full data lifecycle.

Phase 3: Comprehensive Attack Surface Testing

Test every input vector with every applicable technique.

Input Handling

  • Multiple injection types: SQL, NoSQL, LDAP, XPath, command, template
  • Encoding bypasses: double encoding, unicode, null bytes
  • Boundary conditions and type confusion
  • Large payloads and buffer-related issues

Authentication & Session

  • Exhaustive brute force protection testing
  • Session fixation, hijacking, prediction
  • JWT/token manipulation
  • OAuth flow abuse scenarios
  • Password reset vulnerabilities: token leakage, reuse, timing
  • MFA bypass techniques
  • Account enumeration through all channels

Access Control

  • Test every endpoint for horizontal and vertical access control
  • Parameter tampering on all object references
  • Forced browsing to all discovered resources
  • HTTP method tampering (GET vs POST vs PUT vs DELETE)
  • Access control after session state changes (logout, role change)

File Operations

  • Exhaustive file upload bypass: extension, content-type, magic bytes
  • Path traversal on all file parameters
  • SSRF through file inclusion
  • XXE through all XML parsing points

Business Logic

  • Race conditions on all state-changing operations
  • Workflow bypass on every multi-step process
  • Price/quantity manipulation in transactions
  • Parallel execution attacks
  • TOCTOU (time-of-check to time-of-use) vulnerabilities

Advanced Techniques

  • HTTP request smuggling (multiple proxies/servers)
  • Cache poisoning and cache deception
  • Subdomain takeover
  • Prototype pollution (JavaScript applications)
  • CORS misconfiguration exploitation
  • WebSocket security testing
  • GraphQL-specific attacks (introspection, batching, nested queries)

Phase 4: Vulnerability Chaining

Individual bugs are starting points. Chain them for maximum impact:

  • Combine information disclosure with access control bypass
  • Chain SSRF to reach internal services
  • Use low-severity findings to enable high-impact attacks
  • Build multi-step attack paths that automated tools miss
  • Cross component boundaries: user → admin, external → internal, read → write, single-tenant → cross-tenant

Chaining Principles

  • Treat every finding as a pivot point: ask "what does this unlock next?"
  • Continue until reaching maximum privilege / maximum data exposure / maximum control
  • Prefer end-to-end exploit paths over isolated bugs: initial foothold → pivot → privilege gain → sensitive action/data
  • Validate chains by executing the full sequence (proxy + browser for workflows, python for automation)
  • When a pivot is found, spawn focused agents to continue the chain in the next component

Phase 5: Persistent Testing

When initial attempts fail:

  • Research technology-specific bypasses
  • Try alternative exploitation techniques
  • Test edge cases and unusual functionality
  • Test with different client contexts
  • Revisit areas with new information from other findings
  • Consider timing-based and blind exploitation
  • Look for logic flaws that require deep application understanding

Phase 6: Comprehensive Reporting

  • Document every confirmed vulnerability with full details
  • Include all severity levels—low findings may enable chains
  • Complete reproduction steps and working PoC
  • Remediation recommendations with specific guidance
  • Note areas requiring additional review beyond current scope

Agent Strategy

After reconnaissance, decompose the application hierarchically:

  1. Component level - Auth System, Payment Gateway, User Profile, Admin Panel
  2. Feature level - Login Form, Registration API, Password Reset
  3. Vulnerability level - SQLi Agent, XSS Agent, Auth Bypass Agent

Spawn specialized agents at each level. Scale horizontally to maximum parallelization:

  • Do NOT overload a single agent with multiple vulnerability types
  • Each agent focuses on one specific area or vulnerability type
  • Creates a massive parallel swarm covering every angle

Mindset

Relentless. Creative. Patient. Thorough. Persistent.

This is about finding what others miss. Test every parameter, every endpoint, every edge case. If one approach fails, try ten more. Understand how components interact to find systemic issues.