hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动

更新: 359 个文件 - 2026-03-16 23:30:01

浏览代码
这个提交包含在:
hao
2026-03-16 23:30:01 -07:00
父节点 527990f535
当前提交 2974cd9ad9
修改 359 个文件,包含 6332 行新增673 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

31
08-threat-intel/repro-profiles/family-generic/authz-bypass-generic.yaml 普通文件
查看文件

@@ -0,0 +1,31 @@
profile_id: authz-bypass-generic
match_rules:
keywords:
- authorization bypass
- auth bypass
- access control
vuln_family: authz-bypass
provisioning_mode: real
artifact_source:
strategy: official-image-or-source
required_services:
- app
seed_actions:
- kind: note
message: Create low-privilege and admin test users for server-side recheck validation.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Use minimal authorization bypass probes defined by case-specific runner or manual session tooling.
browser_assertions:
required: false
success_criteria:
- Protected route or action is evaluated with controlled credentials and logged.
cleanup_policy: destroy
destructive_risk: medium
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

30
08-threat-intel/repro-profiles/family-generic/deserialization-generic.yaml 普通文件
查看文件

@@ -0,0 +1,30 @@
profile_id: deserialization-generic
match_rules:
keywords:
- deserialization
- serialization
vuln_family: deserialization
provisioning_mode: synthetic
artifact_source:
strategy: source-or-synthetic
required_services:
- app
seed_actions:
- kind: note
message: Use inert serialized payloads and do not execute gadget chains against non-lab targets.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Demonstrate unsafe decode path with inert object graph or marker token.
browser_assertions:
required: false
success_criteria:
- Deserialization path is confirmed without executing destructive gadget chains.
cleanup_policy: destroy
destructive_risk: high
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

31
08-threat-intel/repro-profiles/family-generic/file-upload-generic.yaml 普通文件
查看文件

@@ -0,0 +1,31 @@
profile_id: file-upload-generic
match_rules:
keywords:
- file upload
- attachment
- upload
vuln_family: file-upload
provisioning_mode: real
artifact_source:
strategy: official-image-or-source
required_services:
- app
seed_actions:
- kind: note
message: Use inert marker files and non-executable payloads by default.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Validate extension, storage path, and preview behavior using inert files.
browser_assertions:
required: true
success_criteria:
- Upload acceptance or bypass path is demonstrated with reversible test artifacts.
cleanup_policy: destroy
destructive_risk: medium
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

41
08-threat-intel/repro-profiles/family-generic/misconfiguration-generic.yaml 普通文件
查看文件

@@ -0,0 +1,41 @@
profile_id: misconfiguration-generic
match_rules:
keywords:
- misconfiguration
- debug
- default config
- default credentials
vuln_family: misconfiguration
provisioning_mode: real
artifact_source:
strategy: official-image-or-source
required_services:
- app
seed_actions:
- kind: note
message: Keep checks limited to target-local paths and configured lab endpoints.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: tool
tool: misconfig-lab
args:
- "--target"
- "{target_url}"
- "--evidence-dir"
- "{evidence_dir}"
- "--run-id"
- "{run_id}"
- "--case-id"
- "{case_id}"
browser_assertions:
required: false
success_criteria:
- Misconfiguration indicator is captured with HTTP or server evidence.
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

30
08-threat-intel/repro-profiles/family-generic/path-traversal-generic.yaml 普通文件
查看文件

@@ -0,0 +1,30 @@
profile_id: path-traversal-generic
match_rules:
keywords:
- path traversal
- directory traversal
vuln_family: path-traversal
provisioning_mode: real
artifact_source:
strategy: official-image-or-source
required_services:
- app
seed_actions:
- kind: note
message: Use inert marker files inside isolated volume mounts only.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Validate canonicalization failures with marker files rather than real secrets.
browser_assertions:
required: false
success_criteria:
- Marker file outside intended root becomes reachable or denial path is confirmed.
cleanup_policy: destroy
destructive_risk: medium
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

32
08-threat-intel/repro-profiles/family-generic/plugin-extension-generic.yaml 普通文件
查看文件

@@ -0,0 +1,32 @@
profile_id: plugin-extension-generic
match_rules:
keywords:
- plugin
- module
- extension
- theme
vuln_family: plugin-extension
provisioning_mode: synthetic
artifact_source:
strategy: ecosystem-package-or-synthetic
required_services:
- app
seed_actions:
- kind: note
message: Prefer historical plugin/module package; fall back to synthetic isolated reproduction when unavailable.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Validate trust-boundary or input-handling weakness using isolated extension package only.
browser_assertions:
required: true
success_criteria:
- Extension-specific attack path is demonstrated or blocked with artifact evidence.
cleanup_policy: destroy
destructive_risk: medium
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

40
08-threat-intel/repro-profiles/family-generic/proxy-boundary-generic.yaml 普通文件
查看文件

@@ -0,0 +1,40 @@
profile_id: proxy-boundary-generic
match_rules:
keywords:
- proxy
- middleware
- header trust
vuln_family: proxy-boundary
provisioning_mode: real
artifact_source:
strategy: official-image-or-source
required_services:
- app
seed_actions:
- kind: note
message: Log reverse-proxy and application headers before any trust-boundary test.
baseline_actions:
- kind: tool
tool: site-scope-mapper
args:
- "--target"
- "127.0.0.1"
- "--evidence-dir"
- "{evidence_dir}"
- "--run-id"
- "{run_id}"
- "--case-id"
- "{case_id}"
attack_actions:
- kind: note
message: Perform minimal forwarded-header manipulation only inside isolated lab paths.
browser_assertions:
required: false
success_criteria:
- Header trust discrepancy is captured with upstream/downstream logs.
cleanup_policy: destroy
destructive_risk: medium
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

30
08-threat-intel/repro-profiles/family-generic/request-smuggling-generic.yaml 普通文件
查看文件

@@ -0,0 +1,30 @@
profile_id: request-smuggling-generic
match_rules:
keywords:
- request smuggling
- http desync
vuln_family: request-smuggling
provisioning_mode: synthetic
artifact_source:
strategy: synthetic-proxy-pair
required_services:
- app
seed_actions:
- kind: note
message: Stand up isolated proxy/app pair only; do not forward to unrelated targets.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Run minimal ambiguous request probes and capture both proxy and app logs.
browser_assertions:
required: false
success_criteria:
- Proxy and backend parse disagreement is captured in evidence.
cleanup_policy: destroy
destructive_risk: high
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

42
08-threat-intel/repro-profiles/family-generic/session-token-generic.yaml 普通文件
查看文件

@@ -0,0 +1,42 @@
profile_id: session-token-generic
match_rules:
keywords:
- token
- cookie
- session
- jwt
- localstorage
vuln_family: session-token
provisioning_mode: real
artifact_source:
strategy: official-image-or-source
required_services:
- app
seed_actions:
- kind: note
message: Seed only local demo identities and short-lived cookies/tokens.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: tool
tool: session-lab
args:
- "--target"
- "{target_url}"
- "--evidence-dir"
- "{evidence_dir}"
- "--run-id"
- "{run_id}"
- "--case-id"
- "{case_id}"
browser_assertions:
required: true
success_criteria:
- Cookie, storage or fixation issue is captured with browser and header evidence.
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

39
08-threat-intel/repro-profiles/family-generic/sqli-generic.yaml 普通文件
查看文件

@@ -0,0 +1,39 @@
profile_id: sqli-generic
match_rules:
keywords:
- sql injection
- sqli
vuln_family: sqli
provisioning_mode: synthetic
artifact_source:
strategy: official-image-or-synthetic
required_services:
- app
seed_actions:
- kind: note
message: Keep seed data reversible and avoid destructive SQL mutations.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: tool
tool: sqli-scanner
args:
- "-u"
- "{target_url}"
- "--evidence-dir"
- "{evidence_dir}"
- "--run-id"
- "{run_id}"
- "--case-id"
- "{case_id}"
browser_assertions:
required: false
success_criteria:
- Time-based or error-based probe lands with non-destructive evidence.
cleanup_policy: destroy
destructive_risk: medium
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

30
08-threat-intel/repro-profiles/family-generic/ssrf-generic.yaml 普通文件
查看文件

@@ -0,0 +1,30 @@
profile_id: ssrf-generic
match_rules:
keywords:
- ssrf
- server-side request forgery
vuln_family: ssrf
provisioning_mode: real
artifact_source:
strategy: official-image-or-source
required_services:
- app
seed_actions:
- kind: note
message: Route callbacks to local sink endpoints only.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Exercise local sink endpoints, not external third-party destinations.
browser_assertions:
required: false
success_criteria:
- Request sink receives expected callback without crossing authorization boundaries.
cleanup_policy: destroy
destructive_risk: medium
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

30
08-threat-intel/repro-profiles/family-generic/template-injection-generic.yaml 普通文件
查看文件

@@ -0,0 +1,30 @@
profile_id: template-injection-generic
match_rules:
keywords:
- template injection
- ssti
vuln_family: template-injection
provisioning_mode: synthetic
artifact_source:
strategy: source-or-synthetic
required_services:
- app
seed_actions:
- kind: note
message: Keep expressions inert and avoid destructive primitives by default.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Validate expression evaluation with benign markers.
browser_assertions:
required: false
success_criteria:
- Template evaluation path is proven with harmless marker output.
cleanup_policy: destroy
destructive_risk: medium
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party

44
08-threat-intel/repro-profiles/family-generic/xss-generic.yaml 普通文件
查看文件

@@ -0,0 +1,44 @@
profile_id: xss-generic
match_rules:
keywords:
- xss
- cross-site scripting
- dom xss
- trusted types
vuln_family: xss
provisioning_mode: synthetic
artifact_source:
strategy: official-image-or-synthetic
required_services:
- app
seed_actions:
- kind: note
message: Seed a low-privilege user and a review page when the target supports stored content.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: tool
tool: xss-fuzzer
args:
- "-u"
- "{target_url}"
- "--dom-scan"
- "--check-csp"
- "--evidence-dir"
- "{evidence_dir}"
- "--run-id"
- "{run_id}"
- "--case-id"
- "{case_id}"
browser_assertions:
required: true
strategy: reflect-or-render
success_criteria:
- Browser evidence confirms payload reflection or DOM sink execution path.
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local
- lab-public
- authorized-third-party