{ "authz-bypass-generic": { "profile_id": "authz-bypass-generic", "vuln_family": "authz-bypass", "provisioning_mode": "real", "destructive_risk": "medium", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-source" }, "success_criteria": [ "Protected route or action is evaluated with controlled credentials and logged." ], "seed_actions": [ { "kind": "note", "message": "Create low-privilege and admin test users to validate the server-side recheck." } ], "attack_actions": [ { "kind": "note", "message": "Use minimal authorization bypass probes defined by the case-specific runner or manual session tooling." } ], "browser_assertions": { "required": false }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "deserialization-generic": { "profile_id": "deserialization-generic", "vuln_family": "deserialization", "provisioning_mode": "synthetic", "destructive_risk": "high", "cleanup_policy": "destroy", "artifact_source": { "strategy": "source-or-synthetic" }, "success_criteria": [ "Deserialization path is confirmed without executing destructive gadget chains." ], "seed_actions": [ { "kind": "note", "message": "Use inert serialized payloads and do not execute gadget chains against non-lab targets." } ], "attack_actions": [ { "kind": "note", "message": "Demonstrate unsafe decode path with inert object graph or marker token." } ], "browser_assertions": { "required": false }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "file-upload-generic": { "profile_id": "file-upload-generic", "vuln_family": "file-upload", "provisioning_mode": "real", "destructive_risk": "medium", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-source" }, "success_criteria": [ "Upload acceptance or bypass path is demonstrated with reversible test artifacts."
], "seed_actions": [ { "kind": "note", "message": "Use inert marker files and non-executable payloads by default." } ], "attack_actions": [ { "kind": "note", "message": "Validate extension, storage path, and preview behavior using inert files." } ], "browser_assertions": { "required": true }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "misconfiguration-generic": { "profile_id": "misconfiguration-generic", "vuln_family": "misconfiguration", "provisioning_mode": "real", "destructive_risk": "low", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-source" }, "success_criteria": [ "Misconfiguration indicator is captured with HTTP or server evidence." ], "seed_actions": [ { "kind": "note", "message": "Keep checks limited to target-local paths and configured lab endpoints." } ], "attack_actions": [ { "kind": "tool", "tool": "misconfig-lab", "args": [ "--target", "{target_url}", "--evidence-dir", "{evidence_dir}", "--run-id", "{run_id}", "--case-id", "{case_id}" ] } ], "browser_assertions": { "required": false }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "path-traversal-generic": { "profile_id": "path-traversal-generic", "vuln_family": "path-traversal", "provisioning_mode": "real", "destructive_risk": "medium", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-source" }, "success_criteria": [ "Marker file outside the intended root becomes reachable, or the denial path is confirmed." ], "seed_actions": [ { "kind": "note", "message": "Use inert marker files inside isolated volume mounts only." } ], "attack_actions": [ { "kind": "note", "message": "Validate canonicalization failures with marker files rather than real secrets."
} ], "browser_assertions": { "required": false }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "plugin-extension-generic": { "profile_id": "plugin-extension-generic", "vuln_family": "plugin-extension", "provisioning_mode": "synthetic", "destructive_risk": "medium", "cleanup_policy": "destroy", "artifact_source": { "strategy": "ecosystem-package-or-synthetic" }, "success_criteria": [ "Extension-specific attack path is demonstrated or blocked with artifact evidence." ], "seed_actions": [ { "kind": "note", "message": "Prefer historical plugin/module package; fall back to synthetic isolated reproduction when unavailable." } ], "attack_actions": [ { "kind": "note", "message": "Validate trust-boundary or input-handling weakness using isolated extension package only." } ], "browser_assertions": { "required": true }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "proxy-boundary-generic": { "profile_id": "proxy-boundary-generic", "vuln_family": "proxy-boundary", "provisioning_mode": "real", "destructive_risk": "medium", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-source" }, "success_criteria": [ "Header trust discrepancy is captured with upstream/downstream logs." ], "seed_actions": [ { "kind": "note", "message": "Log reverse-proxy and application headers before any trust-boundary test." } ], "attack_actions": [ { "kind": "note", "message": "Perform minimal forwarded-header manipulation only inside isolated lab paths." 
} ], "browser_assertions": { "required": false }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "request-smuggling-generic": { "profile_id": "request-smuggling-generic", "vuln_family": "request-smuggling", "provisioning_mode": "synthetic", "destructive_risk": "high", "cleanup_policy": "destroy", "artifact_source": { "strategy": "synthetic-proxy-pair" }, "success_criteria": [ "Proxy and backend parse disagreement is captured in evidence." ], "seed_actions": [ { "kind": "note", "message": "Stand up isolated proxy/app pair only; do not forward to unrelated targets." } ], "attack_actions": [ { "kind": "note", "message": "Run minimal ambiguous request probes and capture both proxy and app logs." } ], "browser_assertions": { "required": false }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "session-token-generic": { "profile_id": "session-token-generic", "vuln_family": "session-token", "provisioning_mode": "real", "destructive_risk": "low", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-source" }, "success_criteria": [ "Cookie, storage or fixation issue is captured with browser and header evidence." ], "seed_actions": [ { "kind": "note", "message": "Seed only local demo identities and short-lived cookies/tokens." 
} ], "attack_actions": [ { "kind": "tool", "tool": "session-lab", "args": [ "--target", "{target_url}", "--evidence-dir", "{evidence_dir}", "--run-id", "{run_id}", "--case-id", "{case_id}" ] } ], "browser_assertions": { "required": true }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "sqli-generic": { "profile_id": "sqli-generic", "vuln_family": "sqli", "provisioning_mode": "synthetic", "destructive_risk": "medium", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-synthetic" }, "success_criteria": [ "Time-based or error-based probe lands with non-destructive evidence." ], "seed_actions": [ { "kind": "note", "message": "Keep seed data reversible and avoid destructive SQL mutations." } ], "attack_actions": [ { "kind": "tool", "tool": "sqli-scanner", "args": [ "-u", "{target_url}", "--evidence-dir", "{evidence_dir}", "--run-id", "{run_id}", "--case-id", "{case_id}" ] } ], "browser_assertions": { "required": false }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "ssrf-generic": { "profile_id": "ssrf-generic", "vuln_family": "ssrf", "provisioning_mode": "real", "destructive_risk": "medium", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-source" }, "success_criteria": [ "Request sink receives expected callback without crossing authorization boundaries." ], "seed_actions": [ { "kind": "note", "message": "Route callbacks to local sink endpoints only." } ], "attack_actions": [ { "kind": "note", "message": "Exercise local sink endpoints, not external third-party destinations." 
} ], "browser_assertions": { "required": false }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "template-injection-generic": { "profile_id": "template-injection-generic", "vuln_family": "template-injection", "provisioning_mode": "synthetic", "destructive_risk": "medium", "cleanup_policy": "destroy", "artifact_source": { "strategy": "source-or-synthetic" }, "success_criteria": [ "Template evaluation path is proven with harmless marker output." ], "seed_actions": [ { "kind": "note", "message": "Keep expressions inert and avoid destructive primitives by default." } ], "attack_actions": [ { "kind": "note", "message": "Validate expression evaluation with benign markers." } ], "browser_assertions": { "required": false }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] }, "xss-generic": { "profile_id": "xss-generic", "vuln_family": "xss", "provisioning_mode": "synthetic", "destructive_risk": "low", "cleanup_policy": "destroy", "artifact_source": { "strategy": "official-image-or-synthetic" }, "success_criteria": [ "Browser evidence confirms payload reflection or DOM sink execution path." ], "seed_actions": [ { "kind": "note", "message": "Seed a low-privilege user and a review page when the target supports stored content." } ], "attack_actions": [ { "kind": "tool", "tool": "xss-fuzzer", "args": [ "-u", "{target_url}", "--dom-scan", "--check-csp", "--evidence-dir", "{evidence_dir}", "--run-id", "{run_id}", "--case-id", "{case_id}" ] } ], "browser_assertions": { "required": true, "strategy": "reflect-or-render" }, "allowed_target_types": [ "lab-local", "lab-public", "authorized-third-party" ], "required_services": [ "app" ] } }