514 行
13 KiB
JSON
514 行
13 KiB
JSON
{
|
|
"authz-bypass-generic": {
|
|
"profile_id": "authz-bypass-generic",
|
|
"vuln_family": "authz-bypass",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Protected route or action is evaluated with controlled credentials and logged."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Create low-privilege and admin test users for server-side recheck validation."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Use minimal authorization bypass probes defined by case-specific runner or manual session tooling."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"deserialization-generic": {
|
|
"profile_id": "deserialization-generic",
|
|
"vuln_family": "deserialization",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "high",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "source-or-synthetic"
|
|
},
|
|
"success_criteria": [
|
|
"Deserialization path is confirmed without executing destructive gadget chains."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Use inert serialized payloads and do not execute gadget chains against non-lab targets."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Demonstrate unsafe decode path with inert object graph or marker token."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"file-upload-generic": {
|
|
"profile_id": "file-upload-generic",
|
|
"vuln_family": "file-upload",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Upload acceptance or bypass path is demonstrated with reversible test artifacts."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Use inert marker files and non-executable payloads by default."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Validate extension, storage path, and preview behavior using inert files."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"misconfiguration-generic": {
|
|
"profile_id": "misconfiguration-generic",
|
|
"vuln_family": "misconfiguration",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Misconfiguration indicator is captured with HTTP or server evidence."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Keep checks limited to target-local paths and configured lab endpoints."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "tool",
|
|
"tool": "misconfig-lab",
|
|
"args": [
|
|
"--target",
|
|
"{target_url}",
|
|
"--evidence-dir",
|
|
"{evidence_dir}",
|
|
"--run-id",
|
|
"{run_id}",
|
|
"--case-id",
|
|
"{case_id}"
|
|
]
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"path-traversal-generic": {
|
|
"profile_id": "path-traversal-generic",
|
|
"vuln_family": "path-traversal",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Marker file outside intended root becomes reachable or denial path is confirmed."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Use inert marker files inside isolated volume mounts only."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Validate canonicalization failures with marker files rather than real secrets."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"plugin-extension-generic": {
|
|
"profile_id": "plugin-extension-generic",
|
|
"vuln_family": "plugin-extension",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "ecosystem-package-or-synthetic"
|
|
},
|
|
"success_criteria": [
|
|
"Extension-specific attack path is demonstrated or blocked with artifact evidence."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Prefer historical plugin/module package; fall back to synthetic isolated reproduction when unavailable."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Validate trust-boundary or input-handling weakness using isolated extension package only."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"proxy-boundary-generic": {
|
|
"profile_id": "proxy-boundary-generic",
|
|
"vuln_family": "proxy-boundary",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Header trust discrepancy is captured with upstream/downstream logs."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Log reverse-proxy and application headers before any trust-boundary test."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Perform minimal forwarded-header manipulation only inside isolated lab paths."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"request-smuggling-generic": {
|
|
"profile_id": "request-smuggling-generic",
|
|
"vuln_family": "request-smuggling",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "high",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "synthetic-proxy-pair"
|
|
},
|
|
"success_criteria": [
|
|
"Proxy and backend parse disagreement is captured in evidence."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Stand up isolated proxy/app pair only; do not forward to unrelated targets."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Run minimal ambiguous request probes and capture both proxy and app logs."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"session-token-generic": {
|
|
"profile_id": "session-token-generic",
|
|
"vuln_family": "session-token",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Cookie, storage or fixation issue is captured with browser and header evidence."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed only local demo identities and short-lived cookies/tokens."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "tool",
|
|
"tool": "session-lab",
|
|
"args": [
|
|
"--target",
|
|
"{target_url}",
|
|
"--evidence-dir",
|
|
"{evidence_dir}",
|
|
"--run-id",
|
|
"{run_id}",
|
|
"--case-id",
|
|
"{case_id}"
|
|
]
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"sqli-generic": {
|
|
"profile_id": "sqli-generic",
|
|
"vuln_family": "sqli",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-synthetic"
|
|
},
|
|
"success_criteria": [
|
|
"Time-based or error-based probe lands with non-destructive evidence."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Keep seed data reversible and avoid destructive SQL mutations."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "tool",
|
|
"tool": "sqli-scanner",
|
|
"args": [
|
|
"-u",
|
|
"{target_url}",
|
|
"--evidence-dir",
|
|
"{evidence_dir}",
|
|
"--run-id",
|
|
"{run_id}",
|
|
"--case-id",
|
|
"{case_id}"
|
|
]
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"ssrf-generic": {
|
|
"profile_id": "ssrf-generic",
|
|
"vuln_family": "ssrf",
|
|
"provisioning_mode": "real",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-source"
|
|
},
|
|
"success_criteria": [
|
|
"Request sink receives expected callback without crossing authorization boundaries."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Route callbacks to local sink endpoints only."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Exercise local sink endpoints, not external third-party destinations."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"template-injection-generic": {
|
|
"profile_id": "template-injection-generic",
|
|
"vuln_family": "template-injection",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "medium",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "source-or-synthetic"
|
|
},
|
|
"success_criteria": [
|
|
"Template evaluation path is proven with harmless marker output."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Keep expressions inert and avoid destructive primitives by default."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Validate expression evaluation with benign markers."
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": false
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
},
|
|
"xss-generic": {
|
|
"profile_id": "xss-generic",
|
|
"vuln_family": "xss",
|
|
"provisioning_mode": "synthetic",
|
|
"destructive_risk": "low",
|
|
"cleanup_policy": "destroy",
|
|
"artifact_source": {
|
|
"strategy": "official-image-or-synthetic"
|
|
},
|
|
"success_criteria": [
|
|
"Browser evidence confirms payload reflection or DOM sink execution path."
|
|
],
|
|
"seed_actions": [
|
|
{
|
|
"kind": "note",
|
|
"message": "Seed a low-privilege user and a review page when the target supports stored content."
|
|
}
|
|
],
|
|
"attack_actions": [
|
|
{
|
|
"kind": "tool",
|
|
"tool": "xss-fuzzer",
|
|
"args": [
|
|
"-u",
|
|
"{target_url}",
|
|
"--dom-scan",
|
|
"--check-csp",
|
|
"--evidence-dir",
|
|
"{evidence_dir}",
|
|
"--run-id",
|
|
"{run_id}",
|
|
"--case-id",
|
|
"{case_id}"
|
|
]
|
|
}
|
|
],
|
|
"browser_assertions": {
|
|
"required": true,
|
|
"strategy": "reflect-or-render"
|
|
},
|
|
"allowed_target_types": [
|
|
"lab-local",
|
|
"lab-public",
|
|
"authorized-third-party"
|
|
],
|
|
"required_services": [
|
|
"app"
|
|
]
|
|
}
|
|
}
|