strix/strix/skills/scan_modes/deep.md
2026-01-20 12:50:59 -08:00

DEEP SCAN MODE

Exhaustive Security Assessment

This mode is for thorough security reviews where finding vulnerabilities is critical.

PHASE 1: EXHAUSTIVE RECONNAISSANCE AND MAPPING

Spend significant effort understanding the target before exploitation.

For whitebox (source code available):

  • Map EVERY file, module, and code path in the repository
  • Trace all entry points from HTTP handlers to database queries
  • Identify all authentication mechanisms and their implementations
  • Map all authorization checks and understand the access control model
  • Identify all external service integrations and API calls
  • Analyze all configuration files for secrets and misconfigurations
  • Review all database schemas and understand data relationships
  • Map all background jobs, cron tasks, and async processing
  • Identify all serialization/deserialization points
  • Review all file handling operations (upload, download, processing)
  • Understand the deployment model and infrastructure assumptions
  • Check all dependency versions against known CVE databases

For blackbox (no source code):

  • Exhaustive subdomain enumeration using multiple sources and tools
  • Full port scanning to identify all services
  • Complete content discovery with multiple wordlists
  • Technology fingerprinting on all discovered assets
  • API endpoint discovery through documentation, JavaScript analysis, and fuzzing
  • Identify all parameters including hidden and rarely-used ones
  • Map all user roles by testing with different account types
  • Understand rate limiting, WAF rules, and security controls in place
  • Document the complete application architecture as understood from outside

EXECUTION STRATEGY - HIERARCHICAL AGENT SWARM:

After Phase 1 (Recon & Mapping) is complete:

  1. Divide the application into major components/parts (e.g., Auth System, Payment Gateway, User Profile, Admin Panel)
  2. Spawn a specialized subagent for EACH major component
  3. Each component agent must then:
    • Further subdivide its scope into subparts (e.g., Login Form, Registration API, Password Reset)
    • Spawn sub-subagents for each distinct subpart
  4. At the lowest level (specific functionality), spawn specialized agents for EACH potential vulnerability type:
    • "Auth System" → "Login Form" → "SQLi Agent", "XSS Agent", "Auth Bypass Agent"
    • This creates a massive parallel swarm covering every angle
    • Do NOT overload a single agent with multiple vulnerability types
    • Scale horizontally to maximum capacity

PHASE 2: DEEP BUSINESS LOGIC ANALYSIS

Understand the application deeply enough to find logic flaws:

  • CREATE A FULL STORYBOARD of all user flows and state transitions
  • Document every step of the business logic in a structured flow diagram
  • Use the application extensively as every type of user to map the full lifecycle of data
  • Document all state machines and workflows (e.g. Order Created -> Paid -> Shipped)
  • Identify trust boundaries between components
  • Map all integrations with third-party services
  • Understand what invariants the application tries to maintain
  • Identify all points where roles, privileges, or sensitive data changes hands
  • Look for implicit assumptions in the business logic
  • Consider multi-step attacks that abuse normal functionality
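Added example (not part of the original skill file): one way to record a documented workflow as an explicit transition table and check an audit log against it, so that a skipped or repeated step shows up as an invariant violation. The states beyond Created/Paid/Shipped, the actor roles, and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Assumed workflow, extending the "Order Created -> Paid -> Shipped" example.
# Key = current state (None = order does not exist yet), value = legal next states.
ALLOWED = {
    None: {"created"},
    "created": {"paid", "cancelled"},
    "paid": {"shipped", "refunded"},
    "shipped": {"delivered"},
    "delivered": set(),
    "cancelled": set(),
    "refunded": set(),
}

# Invariant: these states are only valid for an order that has been paid.
REQUIRES_PAID = {"shipped", "delivered", "refunded"}


def audit_transitions(events):
    """Return (order_id, problem) for every event that breaks the model.

    events: iterable of (order_id, new_state, actor_role) in log order.
    """
    current = {}              # order_id -> last observed state
    seen = defaultdict(set)   # order_id -> every state reached so far
    findings = []
    for order_id, new_state, role in events:
        prev = current.get(order_id)
        # Unknown previous states have no legal successors, so they are flagged too.
        if new_state not in ALLOWED.get(prev, set()):
            findings.append(
                (order_id, f"illegal transition {prev} -> {new_state} by {role}"))
        if new_state in REQUIRES_PAID and "paid" not in seen[order_id]:
            findings.append((order_id, f"{new_state} reached without payment"))
        seen[order_id].add(new_state)
        current[order_id] = new_state
    return findings


# Constructed sample audit log (not real data).
SAMPLE_EVENTS = [
    ("A1", "created", "customer"),
    ("A1", "paid", "payment-webhook"),
    ("A1", "shipped", "warehouse"),
    ("B2", "created", "customer"),
    ("B2", "shipped", "customer"),        # workflow step skipped
    ("C3", "created", "customer"),
    ("C3", "paid", "payment-webhook"),
    ("C3", "paid", "payment-webhook"),    # same state change applied twice
]
```

Each finding names the actor role, which ties the violation back to the trust boundary where the state change was accepted.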

PHASE 3: COMPREHENSIVE ATTACK SURFACE TESTING

Test EVERY input vector with EVERY applicable technique.

Input Handling - Test all parameters, headers, cookies with:

  • Multiple injection payloads (SQL, NoSQL, LDAP, XPath, Command, Template)
  • Various encodings and bypass techniques (double encoding, unicode, null bytes)
  • Boundary conditions and type confusion
  • Large payloads and buffer-related issues

Authentication and Session:

  • Exhaustive brute force protection testing
  • Session fixation, hijacking, and prediction attacks
  • JWT/token manipulation if applicable
  • OAuth flow abuse scenarios
  • Password reset flow vulnerabilities (token leakage, reuse, timing)
  • Multi-factor authentication bypass techniques
  • Account enumeration through all possible channels

Access Control:

  • Test EVERY endpoint for horizontal and vertical access control
  • Parameter tampering on all object references
  • Forced browsing to all discovered resources
  • HTTP method tampering
  • Test access control after session changes (logout, role change)

File Operations:

  • Exhaustive file upload bypass testing (extension, content-type, magic bytes)
  • Path traversal on all file parameters
  • Server-side request forgery through file inclusion
  • XXE through all XML parsing points

Business Logic:

  • Race conditions on all state-changing operations
  • Workflow bypass attempts on every multi-step process
  • Price/quantity manipulation in all transactions
  • Parallel execution attacks
  • Time-of-check to time-of-use vulnerabilities

Advanced Attacks:

  • HTTP request smuggling if multiple proxies/servers
  • Cache poisoning and cache deception
  • Subdomain takeover on all subdomains
  • Prototype pollution in JavaScript applications
  • CORS misconfiguration exploitation
  • WebSocket security testing
  • GraphQL specific attacks if applicable

PHASE 4: VULNERABILITY CHAINING

Don't just find individual bugs - chain them:

  • Combine information disclosure with access control bypass
  • Chain SSRF to access internal services
  • Use low-severity findings to enable high-impact attacks
  • Look for multi-step attack paths that automated tools miss
  • Consider attacks that span multiple application components

CHAINING PRINCIPLES (MAX IMPACT):

  • Treat every finding as a pivot: ask "What does this unlock next?" until you reach maximum privilege / maximum data exposure / maximum control
  • Prefer end-to-end exploit paths over isolated bugs: initial foothold → pivot → privilege gain → sensitive action/data
  • Cross boundaries deliberately: user → admin, external → internal, unauthenticated → authenticated, read → write, single-tenant → cross-tenant
  • Validate chains by executing the full sequence using the available tools (proxy + browser for workflows, python for automation, terminal for supporting commands)
  • When a component agent finds a potential pivot, it must message/spawn the next focused agent to continue the chain in the next component/subpart

PHASE 5: PERSISTENT TESTING

If initial attempts fail, don't give up:

  • Research specific technologies for known bypasses
  • Try alternative exploitation techniques
  • Look for edge cases and unusual functionality
  • Test with different client contexts
  • Revisit previously tested areas with new information
  • Consider timing-based and blind exploitation techniques

PHASE 6: THOROUGH REPORTING

  • Document EVERY confirmed vulnerability with full details
  • Include all severity levels - even low findings may enable chains
  • Provide complete reproduction steps and PoC
  • Document remediation recommendations
  • Note areas requiring additional review beyond current scope

MINDSET:

  • Relentless - this is about finding what others miss
  • Creative - think of unconventional attack vectors
  • Patient - real vulnerabilities often require deep investigation
  • Thorough - test every parameter, every endpoint, every edge case
  • Persistent - if one approach fails, try ten more
  • Holistic - understand how components interact to find systemic issues