更新: 421 个文件 - 2026-03-17 18:30:02

hao
2026-03-17 18:30:02 -07:00
父节点 29c3faaa28
当前提交 a3edc88834
修改 421 个文件,包含 12474 行新增5845 行删除


@@ -509,5 +509,481 @@
"required_services": [
"app"
]
},
"gitea-authz-bypass": {
"profile_id": "gitea-authz-bypass",
"vuln_family": "authz-bypass",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Controlled guest request reaches the protected admin route inside the fixture."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed low-privilege and admin boundary fixture state."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner verifies guest-to-admin bypass only inside fixture route."
}
],
"browser_assertions": {
"required": false
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"gitea-file-upload": {
"profile_id": "gitea-file-upload",
"vuln_family": "file-upload",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Inert upload marker is accepted and listed on the proof page."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed empty attachment list for upload proof."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner uploads inert text marker only."
}
],
"browser_assertions": {
"required": true
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"gitea-proxy-boundary": {
"profile_id": "gitea-proxy-boundary",
"vuln_family": "proxy-boundary",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Local fixture proves trusted proxy headers cross the admin boundary."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed forwarded-header boundary fixture with clean state."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner performs local forwarded-header trust proof only inside the fixture."
}
],
"browser_assertions": {
"required": true
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"gitea-ssrf": {
"profile_id": "gitea-ssrf",
"vuln_family": "ssrf",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Server-side callback reaches the local sink and is recorded in proof output."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed local sink counters only."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner triggers callback strictly to local sink endpoint."
}
],
"browser_assertions": {
"required": false
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"gitea-xss": {
"profile_id": "gitea-xss",
"vuln_family": "xss",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Browser proof page renders the stored XSS marker after the controlled payload."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed stored content page before browser proof capture."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner stores inert script payload and captures proof page."
}
],
"browser_assertions": {
"required": true
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"nextjs-authz-bypass": {
"profile_id": "nextjs-authz-bypass",
"vuln_family": "authz-bypass",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Protected route is reachable only after the controlled bypass proof step."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed guest/admin route fixture for server-side recheck."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner performs local authz bypass proof only."
}
],
"browser_assertions": {
"required": false
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"nextjs-deserialization": {
"profile_id": "nextjs-deserialization",
"vuln_family": "deserialization",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Inert decoded object marker is present without executing a gadget chain."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed inert decode path before proof request."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner demonstrates unsafe decode path without gadget execution."
}
],
"browser_assertions": {
"required": false
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"nextjs-proxy-boundary": {
"profile_id": "nextjs-proxy-boundary",
"vuln_family": "proxy-boundary",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Middleware trust-boundary proof is visible on the browser proof page."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed middleware boundary fixture with clean proxy state."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner performs forwarded-header proof against local fixture only."
}
],
"browser_assertions": {
"required": true
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"nextjs-ssrf": {
"profile_id": "nextjs-ssrf",
"vuln_family": "ssrf",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Local sink callback is observed from the server-side fetch path."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed local callback fixture state."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner validates sink callback without leaving local network."
}
],
"browser_assertions": {
"required": false
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"nextjs-xss": {
"profile_id": "nextjs-xss",
"vuln_family": "xss",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Browser proof page shows the XSS execution marker after the controlled payload."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed client-rendering page for XSS proof capture."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner injects inert payload and captures browser proof."
}
],
"browser_assertions": {
"required": true
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"undici-ssrf": {
"profile_id": "undici-ssrf",
"vuln_family": "ssrf",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"SSRF proof endpoint confirms only local sink callbacks were performed."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed local sink-only request path."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner validates local callback using undici-style request fixture."
}
],
"browser_assertions": {
"required": false
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"vite-file-upload": {
"profile_id": "vite-file-upload",
"vuln_family": "file-upload",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Uploaded inert marker is shown on the browser proof page."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed empty upload list for dev-server proof page."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner uploads inert text marker only."
}
],
"browser_assertions": {
"required": true
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"vite-proxy-boundary": {
"profile_id": "vite-proxy-boundary",
"vuln_family": "proxy-boundary",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Proxy boundary proof banner is visible in the captured browser evidence."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed proxy boundary fixture with baseline banner."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner proves forwarded proxy boundary state change locally."
}
],
"browser_assertions": {
"required": true
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
},
"vite-xss": {
"profile_id": "vite-xss",
"vuln_family": "xss",
"provisioning_mode": "real",
"destructive_risk": "low",
"cleanup_policy": "destroy",
"artifact_source": {
"strategy": "local-minimal-fixture"
},
"success_criteria": [
"Browser proof page shows the controlled XSS marker after attack."
],
"seed_actions": [
{
"kind": "note",
"message": "Seed client render page before XSS proof capture."
}
],
"attack_actions": [
{
"kind": "note",
"message": "Runner stores inert payload and validates browser proof only locally."
}
],
"browser_assertions": {
"required": true
},
"allowed_target_types": [
"lab-local"
],
"required_services": [
"app"
]
}
}
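Review bot: The containment promises in these fourteen new profiles exist only as free text, because every `seed_actions` and `attack_actions` entry is `"kind": "note"`; phrases such as "strictly to local sink endpoint" (gitea-ssrf) and "without leaving local network" (nextjs-ssrf) are not something a runner can check, and the only machine-readable guard visible here is `"allowed_target_types": ["lab-local"]`. The runner is not part of this hunk, so it should be confirmed that it refuses to provision or run any profile whose resolved target type is not in that list, and that the fixture network for the three SSRF profiles blocks outbound egress rather than relying on the note text. Those SSRF profiles also name a local sink in `success_criteria` while `required_services` lists only `"app"`; if the sink runs as its own service, declare it, e.g. `"required_services": ["app", "<sink-service-name>"]` (placeholder, the real name is not on this page). Each entry also repeats its map key in `profile_id`, so a load-time check that the two are equal would catch copy-paste drift across these near-identical blocks. The hunk begins inside the preceding profile, and the file path is not visible on this page.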