mirror of
https://github.com/elicpeter/nyx.git
synced 2026-07-03 20:41:00 +02:00
[pitboss/grind] deferred session-0027 (20260521T201327Z-3848)
This commit is contained in:
parent
0e1365455f
commit
824859008e
9 changed files with 478 additions and 2 deletions
|
|
@ -9,6 +9,14 @@
|
|||
//! Benign control: same shape but redirects to the same-origin path
|
||||
//! `/dashboard`, so the captured `location` has no authority
|
||||
//! component and the predicate stays clear.
|
||||
//!
|
||||
//! OOB-nonce variant (added 2026-05-22): when the runner attaches an
|
||||
//! [`crate::dynamic::oob::OobListener`] the harness follows the
|
||||
//! captured `Location:` URL via a real `http.get` against the loopback
|
||||
//! nonce URL so the listener records the per-finding callback. Ordered
|
||||
//! first so the runner exercises the OOB observation path before the
|
||||
//! absolute-URL vuln below triggers and short-circuits iteration; runs
|
||||
//! without a listener skip cleanly (runner `oob_nonce_slot` branch).
|
||||
|
||||
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
|
||||
use crate::dynamic::oracle::ProbePredicate;
|
||||
|
|
@ -16,6 +24,26 @@ use crate::dynamic::oracle::ProbePredicate;
|
|||
const ALLOWLIST: &[&str] = &["example.com"];
|
||||
|
||||
pub const PAYLOADS: &[CuratedPayload] = &[
|
||||
CuratedPayload {
|
||||
// `bytes` is unused when `oob_nonce_slot = true`; the runner
|
||||
// substitutes a per-finding loopback URL (see runner.rs:405-413).
|
||||
bytes: b"",
|
||||
label: "open-redirect-js-oob-nonce",
|
||||
oracle: Oracle::OobCallback { host: "127.0.0.1" },
|
||||
is_benign: false,
|
||||
provenance: PayloadProvenance::Curated,
|
||||
since_corpus_version: 15,
|
||||
deprecated_at_corpus_version: None,
|
||||
fixture_paths: &["tests/dynamic_fixtures/open_redirect/js/vuln.js"],
|
||||
oob_nonce_slot: true,
|
||||
probe_predicates: &[],
|
||||
benign_control: None,
|
||||
no_benign_control_rationale: Some(
|
||||
"OOB-nonce open-redirect payload self-confirms via the per-finding listener \
|
||||
callback when the harness follows the captured Location URL with http.get; \
|
||||
no benign URL can hit the nonce path.",
|
||||
),
|
||||
},
|
||||
CuratedPayload {
|
||||
bytes: b"https://attacker.test/",
|
||||
label: "open-redirect-js-absolute",
|
||||
|
|
|
|||
|
|
@ -11,6 +11,16 @@
|
|||
//! Benign control: same shape but redirects to the same-origin path
|
||||
//! `/dashboard`, so the captured `location` has no authority
|
||||
//! component and the predicate stays clear.
|
||||
//!
|
||||
//! OOB-nonce variant (added 2026-05-22): when the runner attaches an
|
||||
//! [`crate::dynamic::oob::OobListener`] the harness follows the
|
||||
//! captured `Location:` URL via a real
|
||||
//! `file_get_contents($location, stream_context_create(...))` against
|
||||
//! the loopback nonce URL so the listener records the per-finding
|
||||
//! callback. Ordered first so the runner exercises the OOB observation
|
||||
//! path before the absolute-URL vuln below triggers and short-circuits
|
||||
//! iteration; runs without a listener skip cleanly (runner
|
||||
//! `oob_nonce_slot` branch).
|
||||
|
||||
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
|
||||
use crate::dynamic::oracle::ProbePredicate;
|
||||
|
|
@ -18,6 +28,27 @@ use crate::dynamic::oracle::ProbePredicate;
|
|||
const ALLOWLIST: &[&str] = &["example.com"];
|
||||
|
||||
pub const PAYLOADS: &[CuratedPayload] = &[
|
||||
CuratedPayload {
|
||||
// `bytes` is unused when `oob_nonce_slot = true`; the runner
|
||||
// substitutes a per-finding loopback URL (see runner.rs:405-413).
|
||||
bytes: b"",
|
||||
label: "open-redirect-php-oob-nonce",
|
||||
oracle: Oracle::OobCallback { host: "127.0.0.1" },
|
||||
is_benign: false,
|
||||
provenance: PayloadProvenance::Curated,
|
||||
since_corpus_version: 15,
|
||||
deprecated_at_corpus_version: None,
|
||||
fixture_paths: &["tests/dynamic_fixtures/open_redirect/php/vuln.php"],
|
||||
oob_nonce_slot: true,
|
||||
probe_predicates: &[],
|
||||
benign_control: None,
|
||||
no_benign_control_rationale: Some(
|
||||
"OOB-nonce open-redirect payload self-confirms via the per-finding listener \
|
||||
callback when the harness follows the captured Location URL with \
|
||||
file_get_contents under a stream context timeout; no benign URL can hit \
|
||||
the nonce path.",
|
||||
),
|
||||
},
|
||||
CuratedPayload {
|
||||
bytes: b"https://attacker.test/",
|
||||
label: "open-redirect-php-absolute",
|
||||
|
|
|
|||
|
|
@ -10,6 +10,15 @@
|
|||
//! Benign control: same shape but redirects to the relative path
|
||||
//! `/dashboard`, so the captured location has no authority component
|
||||
//! and the predicate stays clear.
|
||||
//!
|
||||
//! OOB-nonce variant (added 2026-05-22): when the runner attaches an
|
||||
//! [`crate::dynamic::oob::OobListener`] the harness follows the
|
||||
//! captured `Location:` URL via a real `urllib.request.urlopen`
|
||||
//! against the loopback nonce URL so the listener records the per-finding
|
||||
//! callback. Ordered first so the runner exercises the OOB observation
|
||||
//! path before the absolute-URL vuln below triggers and short-circuits
|
||||
//! iteration; runs without a listener skip cleanly (runner
|
||||
//! `oob_nonce_slot` branch).
|
||||
|
||||
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
|
||||
use crate::dynamic::oracle::ProbePredicate;
|
||||
|
|
@ -17,6 +26,26 @@ use crate::dynamic::oracle::ProbePredicate;
|
|||
const ALLOWLIST: &[&str] = &["example.com"];
|
||||
|
||||
pub const PAYLOADS: &[CuratedPayload] = &[
|
||||
CuratedPayload {
|
||||
// `bytes` is unused when `oob_nonce_slot = true`; the runner
|
||||
// substitutes a per-finding loopback URL (see runner.rs:405-413).
|
||||
bytes: b"",
|
||||
label: "open-redirect-python-oob-nonce",
|
||||
oracle: Oracle::OobCallback { host: "127.0.0.1" },
|
||||
is_benign: false,
|
||||
provenance: PayloadProvenance::Curated,
|
||||
since_corpus_version: 15,
|
||||
deprecated_at_corpus_version: None,
|
||||
fixture_paths: &["tests/dynamic_fixtures/open_redirect/python/vuln.py"],
|
||||
oob_nonce_slot: true,
|
||||
probe_predicates: &[],
|
||||
benign_control: None,
|
||||
no_benign_control_rationale: Some(
|
||||
"OOB-nonce open-redirect payload self-confirms via the per-finding listener \
|
||||
callback when the harness follows the captured Location URL with \
|
||||
urllib.request.urlopen; no benign URL can hit the nonce path.",
|
||||
),
|
||||
},
|
||||
CuratedPayload {
|
||||
bytes: b"https://attacker.test/",
|
||||
label: "open-redirect-python-absolute",
|
||||
|
|
|
|||
|
|
@ -9,6 +9,15 @@
|
|||
//! Benign control: same shape but redirects to the same-origin path
|
||||
//! `/dashboard`, so the captured `location` has no authority
|
||||
//! component and the predicate stays clear.
|
||||
//!
|
||||
//! OOB-nonce variant (added 2026-05-22): when the runner attaches an
|
||||
//! [`crate::dynamic::oob::OobListener`] the harness follows the
|
||||
//! captured `Location:` URL via a real `Net::HTTP.get_response` against
|
||||
//! the loopback nonce URL so the listener records the per-finding
|
||||
//! callback. Ordered first so the runner exercises the OOB observation
|
||||
//! path before the absolute-URL vuln below triggers and short-circuits
|
||||
//! iteration; runs without a listener skip cleanly (runner
|
||||
//! `oob_nonce_slot` branch).
|
||||
|
||||
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
|
||||
use crate::dynamic::oracle::ProbePredicate;
|
||||
|
|
@ -16,6 +25,26 @@ use crate::dynamic::oracle::ProbePredicate;
|
|||
const ALLOWLIST: &[&str] = &["example.com"];
|
||||
|
||||
pub const PAYLOADS: &[CuratedPayload] = &[
|
||||
CuratedPayload {
|
||||
// `bytes` is unused when `oob_nonce_slot = true`; the runner
|
||||
// substitutes a per-finding loopback URL (see runner.rs:405-413).
|
||||
bytes: b"",
|
||||
label: "open-redirect-ruby-oob-nonce",
|
||||
oracle: Oracle::OobCallback { host: "127.0.0.1" },
|
||||
is_benign: false,
|
||||
provenance: PayloadProvenance::Curated,
|
||||
since_corpus_version: 15,
|
||||
deprecated_at_corpus_version: None,
|
||||
fixture_paths: &["tests/dynamic_fixtures/open_redirect/ruby/vuln.rb"],
|
||||
oob_nonce_slot: true,
|
||||
probe_predicates: &[],
|
||||
benign_control: None,
|
||||
no_benign_control_rationale: Some(
|
||||
"OOB-nonce open-redirect payload self-confirms via the per-finding listener \
|
||||
callback when the harness follows the captured Location URL with \
|
||||
Net::HTTP.get_response; no benign URL can hit the nonce path.",
|
||||
),
|
||||
},
|
||||
CuratedPayload {
|
||||
bytes: b"https://attacker.test/",
|
||||
label: "open-redirect-ruby-absolute",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue