mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-24 20:28:06 +02:00
[pitboss/grind] deferred session-0026 (20260521T201327Z-3848)
This commit is contained in:
pitboss
parent
cf65e73f3a
commit
0e1365455f
3 changed files with 231 additions and 6 deletions
|
|
@ -15,6 +15,15 @@
|
|||
//! code path redirects to the relative path `/dashboard` (no host
|
||||
//! component). The captured `location` has no off-origin authority
|
||||
//! and the predicate stays clear.
|
||||
//!
|
||||
//! OOB-nonce variant (added 2026-05-22): when the runner attaches an
|
||||
//! [`crate::dynamic::oob::OobListener`] the harness follows the
|
||||
//! captured `Location:` URL via a real `HttpURLConnection.getInputStream()`
|
||||
//! against the loopback nonce URL so the listener records the per-finding
|
||||
//! callback. Ordered first so the runner exercises the OOB observation
|
||||
//! path before the absolute-URL vuln below triggers and short-circuits
|
||||
//! iteration; runs without a listener skip cleanly (runner
|
||||
//! `oob_nonce_slot` branch).
|
||||
|
||||
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
|
||||
use crate::dynamic::oracle::ProbePredicate;
|
||||
|
|
@ -22,6 +31,26 @@ use crate::dynamic::oracle::ProbePredicate;
|
|||
const ALLOWLIST: &[&str] = &["example.com"];
|
||||
|
||||
pub const PAYLOADS: &[CuratedPayload] = &[
|
||||
CuratedPayload {
|
||||
// `bytes` is unused when `oob_nonce_slot = true`; the runner
|
||||
// substitutes a per-finding loopback URL (see runner.rs:405-413).
|
||||
bytes: b"",
|
||||
label: "open-redirect-java-oob-nonce",
|
||||
oracle: Oracle::OobCallback { host: "127.0.0.1" },
|
||||
is_benign: false,
|
||||
provenance: PayloadProvenance::Curated,
|
||||
since_corpus_version: 15,
|
||||
deprecated_at_corpus_version: None,
|
||||
fixture_paths: &["tests/dynamic_fixtures/open_redirect/java/Vuln.java"],
|
||||
oob_nonce_slot: true,
|
||||
probe_predicates: &[],
|
||||
benign_control: None,
|
||||
no_benign_control_rationale: Some(
|
||||
"OOB-nonce open-redirect payload self-confirms via the per-finding listener \
|
||||
callback when the harness follows the captured Location URL with \
|
||||
HttpURLConnection.getInputStream; no benign URL can hit the nonce path.",
|
||||
),
|
||||
},
|
||||
CuratedPayload {
|
||||
bytes: b"https://attacker.test/",
|
||||
label: "open-redirect-java-absolute",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue