{
|
|
"authz-bypass-generic": {
|
|
"profile_id": "authz-bypass-generic",
|
|
"vuln_family": "authz-bypass",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Protected route or action is evaluated with controlled credentials and logged."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Create low-privilege and admin test users for server-side recheck validation."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Use minimal authorization bypass probes defined by case-specific runner or manual session tooling."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"deserialization-generic": {
|
|
"profile_id": "deserialization-generic",
|
|
"vuln_family": "deserialization",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "high",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "source-or-synthetic"
|
|
},
|
|
"success_criteria": [
|
|
"Deserialization path is confirmed without executing destructive gadget chains."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Use inert serialized payloads and do not execute gadget chains against non-lab targets."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Demonstrate unsafe decode path with inert object graph or marker token."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"file-upload-generic": {
|
|
"profile_id": "file-upload-generic",
|
|
"vuln_family": "file-upload",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Upload acceptance or bypass path is demonstrated with reversible test artifacts."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Use inert marker files and non-executable payloads by default."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Validate extension, storage path, and preview behavior using inert files."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"misconfiguration-generic": {
|
|
"profile_id": "misconfiguration-generic",
|
|
"vuln_family": "misconfiguration",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Misconfiguration indicator is captured with HTTP or server evidence."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Keep checks limited to target-local paths and configured lab endpoints."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "tool",
|
|
"tool": "misconfig-lab",
|
|
"args": [
|
|
"--target",
|
|
"{target_url}",
|
|
"--evidence-dir",
|
|
"{evidence_dir}",
|
|
"--run-id",
|
|
"{run_id}",
|
|
"--case-id",
|
|
"{case_id}"
|
|
]
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"path-traversal-generic": {
|
|
"profile_id": "path-traversal-generic",
|
|
"vuln_family": "path-traversal",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Marker file outside the intended root becomes reachable, or the denial path is confirmed."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Use inert marker files inside isolated volume mounts only."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Validate canonicalization failures with marker files rather than real secrets."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"plugin-extension-generic": {
|
|
"profile_id": "plugin-extension-generic",
|
|
"vuln_family": "plugin-extension",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "ecosystem-package-or-synthetic"
|
|
},
|
|
"success_criteria": [
|
|
"Extension-specific attack path is demonstrated or blocked with artifact evidence."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Prefer historical plugin/module package; fall back to synthetic isolated reproduction when unavailable."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Validate trust-boundary or input-handling weakness using isolated extension package only."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"proxy-boundary-generic": {
|
|
"profile_id": "proxy-boundary-generic",
|
|
"vuln_family": "proxy-boundary",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Header trust discrepancy is captured with upstream/downstream logs."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Log reverse-proxy and application headers before any trust-boundary test."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Perform minimal forwarded-header manipulation only inside isolated lab paths."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"request-smuggling-generic": {
|
|
"profile_id": "request-smuggling-generic",
|
|
"vuln_family": "request-smuggling",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "high",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "synthetic-proxy-pair"
|
|
},
|
|
"success_criteria": [
|
|
"Proxy and backend parse disagreement is captured in evidence."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Stand up isolated proxy/app pair only; do not forward to unrelated targets."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Run minimal ambiguous request probes and capture both proxy and app logs."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"session-token-generic": {
|
|
"profile_id": "session-token-generic",
|
|
"vuln_family": "session-token",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Cookie, storage or fixation issue is captured with browser and header evidence."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed only local demo identities and short-lived cookies/tokens."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "tool",
|
|
"tool": "session-lab",
|
|
"args": [
|
|
"--target",
|
|
"{target_url}",
|
|
"--evidence-dir",
|
|
"{evidence_dir}",
|
|
"--run-id",
|
|
"{run_id}",
|
|
"--case-id",
|
|
"{case_id}"
|
|
]
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"sqli-generic": {
|
|
"profile_id": "sqli-generic",
|
|
"vuln_family": "sqli",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-synthetic"
|
|
},
|
|
"success_criteria": [
|
|
"Time-based or error-based probe lands with non-destructive evidence."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Keep seed data reversible and avoid destructive SQL mutations."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "tool",
|
|
"tool": "sqli-scanner",
|
|
"args": [
|
|
"-u",
|
|
"{target_url}",
|
|
"--evidence-dir",
|
|
"{evidence_dir}",
|
|
"--run-id",
|
|
"{run_id}",
|
|
"--case-id",
|
|
"{case_id}"
|
|
]
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"ssrf-generic": {
|
|
"profile_id": "ssrf-generic",
|
|
"vuln_family": "ssrf",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Request sink receives expected callback without crossing authorization boundaries."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Route callbacks to local sink endpoints only."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Exercise local sink endpoints, not external third-party destinations."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"template-injection-generic": {
|
|
"profile_id": "template-injection-generic",
|
|
"vuln_family": "template-injection",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "source-or-synthetic"
|
|
},
|
|
"success_criteria": [
|
|
"Template evaluation path is proven with harmless marker output."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Keep expressions inert and avoid destructive primitives by default."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Validate expression evaluation with benign markers."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"xss-generic": {
|
|
"profile_id": "xss-generic",
|
|
"vuln_family": "xss",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-synthetic"
|
|
},
|
|
"success_criteria": [
|
|
"Browser evidence confirms payload reflection or DOM sink execution path."
|
|
],
|
|
"success_assertions": [],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed a low-privilege user and a review page when the target supports stored content."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "tool",
|
|
"tool": "xss-fuzzer",
|
|
"args": [
|
|
"-u",
|
|
"{target_url}",
|
|
"--dom-scan",
|
|
"--check-csp",
|
|
"--evidence-dir",
|
|
"{evidence_dir}",
|
|
"--run-id",
|
|
"{run_id}",
|
|
"--case-id",
|
|
"{case_id}"
|
|
]
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true,
|
|
"strategy": "reflect-or-render"
|
|
},
|
|
"runner_id": null,
|
|
"fixture_path": null,
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"gitea-authz-bypass": {
|
|
"profile_id": "gitea-authz-bypass",
|
|
"vuln_family": "authz-bypass",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Controlled guest request reaches the protected admin route inside the fixture."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed low-privilege and admin boundary fixture state."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner verifies guest-to-admin bypass only inside fixture route."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": "gitea.authz-bypass",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/gitea/authz-bypass",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"gitea-file-upload": {
|
|
"profile_id": "gitea-file-upload",
|
|
"vuln_family": "file-upload",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Inert upload marker is accepted and listed on the proof page."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
},
|
|
{
|
|
"name": "browser-present",
|
|
"type": "browser-present"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed empty attachment list for upload proof."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner uploads inert text marker only."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"runner_id": "gitea.file-upload",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/gitea/file-upload",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"gitea-proxy-boundary": {
|
|
"profile_id": "gitea-proxy-boundary",
|
|
"vuln_family": "proxy-boundary",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Local fixture proves that forwarded proxy headers are trusted across the admin boundary."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
},
|
|
{
|
|
"name": "browser-present",
|
|
"type": "browser-present"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed forwarded-header boundary fixture with clean state."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner performs local forwarded-header trust proof only inside the fixture."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"runner_id": "gitea.proxy-boundary",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/gitea/proxy-boundary",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"gitea-ssrf": {
|
|
"profile_id": "gitea-ssrf",
|
|
"vuln_family": "ssrf",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Server-side callback reaches the local sink and is recorded in proof output."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed local sink counters only."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner triggers callback strictly to local sink endpoint."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": "gitea.ssrf",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/gitea/ssrf",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"gitea-xss": {
|
|
"profile_id": "gitea-xss",
|
|
"vuln_family": "xss",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Browser proof page renders the stored XSS marker after the controlled payload."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
},
|
|
{
|
|
"name": "browser-present",
|
|
"type": "browser-present"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed stored content page before browser proof capture."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner stores inert script payload and captures proof page."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"runner_id": "gitea.xss",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/gitea/xss",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"nextjs-authz-bypass": {
|
|
"profile_id": "nextjs-authz-bypass",
|
|
"vuln_family": "authz-bypass",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Protected route is reachable only after the controlled bypass proof step."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed guest/admin route fixture for server-side recheck."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner performs local authz bypass proof only."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": "nextjs.authz-bypass",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/nextjs/authz-bypass",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"nextjs-deserialization": {
|
|
"profile_id": "nextjs-deserialization",
|
|
"vuln_family": "deserialization",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Inert decoded object marker is present without executing a gadget chain."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed inert decode path before proof request."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner demonstrates unsafe decode path without gadget execution."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": "nextjs.deserialization",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/nextjs/deserialization",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"nextjs-proxy-boundary": {
|
|
"profile_id": "nextjs-proxy-boundary",
|
|
"vuln_family": "proxy-boundary",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Middleware trust-boundary proof is visible on the browser proof page."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
},
|
|
{
|
|
"name": "browser-present",
|
|
"type": "browser-present"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed middleware boundary fixture with clean proxy state."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner performs forwarded-header proof against local fixture only."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"runner_id": "nextjs.proxy-boundary",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/nextjs/proxy-boundary",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"nextjs-ssrf": {
|
|
"profile_id": "nextjs-ssrf",
|
|
"vuln_family": "ssrf",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Local sink callback is observed from the server-side fetch path."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed local callback fixture state."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner validates sink callback without leaving local network."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": "nextjs.ssrf",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/nextjs/ssrf",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"nextjs-xss": {
|
|
"profile_id": "nextjs-xss",
|
|
"vuln_family": "xss",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Browser proof page shows the XSS execution marker after the controlled payload."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
},
|
|
{
|
|
"name": "browser-present",
|
|
"type": "browser-present"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed client-rendering page for XSS proof capture."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner injects inert payload and captures browser proof."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"runner_id": "nextjs.xss",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/nextjs/xss",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"undici-ssrf": {
|
|
"profile_id": "undici-ssrf",
|
|
"vuln_family": "ssrf",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"SSRF proof endpoint confirms only local sink callbacks were performed."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed local sink-only request path."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner validates local callback using undici-style request fixture."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"runner_id": "undici.ssrf",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/undici/ssrf",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"vite-file-upload": {
|
|
"profile_id": "vite-file-upload",
|
|
"vuln_family": "file-upload",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Uploaded inert marker is shown on the browser proof page."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
},
|
|
{
|
|
"name": "browser-present",
|
|
"type": "browser-present"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed empty upload list for dev-server proof page."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner uploads inert text marker only."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"runner_id": "vite.file-upload",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/vite/file-upload",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"vite-proxy-boundary": {
|
|
"profile_id": "vite-proxy-boundary",
|
|
"vuln_family": "proxy-boundary",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Proxy boundary proof banner is visible in the captured browser evidence."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
},
|
|
{
|
|
"name": "browser-present",
|
|
"type": "browser-present"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed proxy boundary fixture with baseline banner."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner proves forwarded proxy boundary state change locally."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"runner_id": "vite.proxy-boundary",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/vite/proxy-boundary",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"vite-xss": {
|
|
"profile_id": "vite-xss",
|
|
"vuln_family": "xss",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "local-minimal-fixture"
|
|
},
|
|
"success_criteria": [
|
|
"Browser proof page shows the controlled XSS marker after attack."
|
|
],
|
|
"success_assertions": [
|
|
{
|
|
"name": "baseline-ok",
|
|
"type": "baseline-ok"
|
|
},
|
|
{
|
|
"name": "runner-success",
|
|
"type": "runner-success"
|
|
},
|
|
{
|
|
"name": "browser-present",
|
|
"type": "browser-present"
|
|
}
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed client render page before XSS proof capture."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Runner stores inert payload and validates browser proof only locally."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"runner_id": "vite.xss",
|
|
"fixture_path": "/Users/x/websafe/00-environments/templates/fixtures/vite/xss",
|
|
"allowed_target_types": [
|
|
"lab-local"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
}
|
|
}
|