first commit
This commit is contained in:
@@ -0,0 +1,34 @@
|
||||
---
|
||||
title: "Browser"
|
||||
description: "Playwright-powered Chrome for web application testing"
|
||||
---
|
||||
|
||||
Strix uses a headless Chrome browser via Playwright to interact with web applications exactly like a real user would.
|
||||
|
||||
## How It Works
|
||||
|
||||
All browser traffic is automatically routed through the Caido proxy, giving Strix full visibility into every request and response. This enables:
|
||||
|
||||
- Testing client-side vulnerabilities (XSS, DOM manipulation)
|
||||
- Navigating authenticated flows (login, OAuth, MFA)
|
||||
- Triggering JavaScript-heavy functionality
|
||||
- Capturing dynamically generated requests
|
||||
|
||||
## Capabilities
|
||||
|
||||
| Action | Description |
|
||||
| ---------- | ------------------------------------------- |
|
||||
| Navigate | Go to URLs, follow links, handle redirects |
|
||||
| Click | Interact with buttons, links, form elements |
|
||||
| Type | Fill in forms, search boxes, input fields |
|
||||
| Execute JS | Run custom JavaScript in the page context |
|
||||
| Screenshot | Capture visual state for reports |
|
||||
| Multi-tab | Test across multiple browser tabs |
|
||||
|
||||
## Example Flow
|
||||
|
||||
1. Agent launches browser and navigates to login page
|
||||
2. Fills in credentials and submits form
|
||||
3. Proxy captures the authentication request
|
||||
4. Agent navigates to protected areas
|
||||
5. Tests for IDOR by replaying requests with modified IDs
|
||||
@@ -0,0 +1,33 @@
|
||||
---
|
||||
title: "Agent Tools"
|
||||
description: "How Strix agents interact with targets"
|
||||
---
|
||||
|
||||
Strix agents use specialized tools to test your applications like a real penetration tester would.
|
||||
|
||||
## Core Tools
|
||||
|
||||
<CardGroup cols={2}>
|
||||
<Card title="Browser" icon="globe" href="/tools/browser">
|
||||
Playwright-powered Chrome for interacting with web UIs.
|
||||
</Card>
|
||||
<Card title="HTTP Proxy" icon="network-wired" href="/tools/proxy">
|
||||
Caido-powered proxy for intercepting and replaying requests.
|
||||
</Card>
|
||||
<Card title="Terminal" icon="terminal" href="/tools/terminal">
|
||||
Bash shell for running commands and security tools.
|
||||
</Card>
|
||||
<Card title="Sandbox Tools" icon="toolbox" href="/tools/sandbox">
|
||||
Pre-installed security tools: Nuclei, ffuf, and more.
|
||||
</Card>
|
||||
</CardGroup>
|
||||
|
||||
## Additional Tools
|
||||
|
||||
| Tool | Purpose |
|
||||
| -------------- | ---------------------------------------- |
|
||||
| Python Runtime | Write and execute custom exploit scripts |
|
||||
| File Editor | Read and modify source code |
|
||||
| Web Search | Real-time OSINT via Perplexity |
|
||||
| Notes | Document findings during the scan |
|
||||
| Reporting | Generate vulnerability reports with PoCs |
|
||||
@@ -0,0 +1,135 @@
|
||||
---
|
||||
title: "HTTP Proxy"
|
||||
description: "Caido-powered proxy for request interception and replay"
|
||||
---
|
||||
|
||||
Strix includes [Caido](https://caido.io), a modern HTTP proxy built for security testing. All browser traffic flows through Caido, giving the agent full control over requests and responses.
|
||||
|
||||
## Capabilities
|
||||
|
||||
| Feature | Description |
|
||||
| ---------------- | -------------------------------------------- |
|
||||
| Request Capture | Log all HTTP/HTTPS traffic automatically |
|
||||
| Request Replay | Repeat any request with modifications |
|
||||
| HTTPQL | Query captured traffic with powerful filters |
|
||||
| Scope Management | Focus on specific domains or paths |
|
||||
| Sitemap | Visualize the discovered attack surface |
|
||||
|
||||
## HTTPQL Filtering
|
||||
|
||||
Query captured requests using Caido's HTTPQL syntax
|
||||
|
||||
## Request Replay
|
||||
|
||||
The agent can take any captured request and replay it with modifications:
|
||||
|
||||
- Change path parameters (test for IDOR)
|
||||
- Modify request body (test for injection)
|
||||
- Add/remove headers (test for auth bypass)
|
||||
- Alter cookies (test for session issues)
|
||||
|
||||
## Python Integration
|
||||
|
||||
Proxy helpers are available to sandbox Python scripts through the image-baked `caido_api` module. This enables powerful scripted security testing:
|
||||
|
||||
```python
|
||||
import asyncio
|
||||
|
||||
from caido_api import list_requests, repeat_request, view_request
|
||||
|
||||
|
||||
async def main():
|
||||
# List recent POST requests
|
||||
post_requests = await list_requests(
|
||||
httpql_filter='req.method.eq:"POST"',
|
||||
first=20,
|
||||
)
|
||||
|
||||
# View a specific request
|
||||
request_details = await view_request("req_123", part="request")
|
||||
|
||||
# Replay with modified payload
|
||||
response = await repeat_request(
|
||||
"req_123",
|
||||
modifications={"body": '{"user_id": "admin"}'},
|
||||
)
|
||||
print(response["status"], request_details is not None, len(post_requests.edges))
|
||||
|
||||
|
||||
asyncio.run(main())
|
||||
```
|
||||
|
||||
### Available Functions
|
||||
|
||||
| Function | Description |
|
||||
| ---------------------- | ------------------------------------------ |
|
||||
| `list_requests()` | Query captured traffic with HTTPQL filters |
|
||||
| `view_request()` | Get full request/response details |
|
||||
| `repeat_request()` | Replay a request with modifications |
|
||||
| `list_sitemap()` | Browse the request-tree view of discovered surface |
|
||||
| `view_sitemap_entry()` | Inspect one sitemap entry + its related requests |
|
||||
| `scope_rules()` | Manage proxy scope (allowlist/denylist) |
|
||||
|
||||
For one-off arbitrary requests, use shell tooling like `curl` — the
|
||||
sandbox's `HTTP_PROXY` env routes the traffic through Caido
|
||||
automatically, so it lands in `list_requests` and can be replayed via
|
||||
`repeat_request`.
|
||||
|
||||
### Example: Automated IDOR Testing
|
||||
|
||||
```python
|
||||
import asyncio
|
||||
|
||||
# Get all requests to user endpoints
|
||||
from caido_api import list_requests, repeat_request
|
||||
|
||||
|
||||
async def main():
|
||||
user_requests = await list_requests(httpql_filter='req.path.cont:"/users/"')
|
||||
|
||||
for edge in user_requests.edges:
|
||||
req = edge.node.request
|
||||
scheme = "https" if req.is_tls else "http"
|
||||
for test_id in ["1", "2", "admin", "../admin"]:
|
||||
url = f"{scheme}://{req.host}{req.path.replace('/users/1', f'/users/{test_id}')}"
|
||||
response = await repeat_request(
|
||||
req.id,
|
||||
modifications={"url": url},
|
||||
)
|
||||
print(req.id, test_id, response["status"])
|
||||
if response["status"] == "DONE":
|
||||
print(f"Replay completed for candidate {test_id}")
|
||||
|
||||
|
||||
asyncio.run(main())
|
||||
```
|
||||
|
||||
## Human-in-the-Loop
|
||||
|
||||
Strix exposes the Caido proxy to your host machine, so you can interact with it alongside the automated scan. When the sandbox starts, the Caido URL is displayed in the TUI sidebar — click it to copy, then open it in Caido Desktop.
|
||||
|
||||
### Accessing Caido
|
||||
|
||||
1. Start a scan as usual
|
||||
2. Look for the **Caido** URL in the sidebar stats panel (e.g. `localhost:52341`)
|
||||
3. Open the URL in Caido Desktop
|
||||
4. Click **Continue as guest** to access the instance
|
||||
|
||||
### What You Can Do
|
||||
|
||||
- **Inspect traffic** — Browse all HTTP/HTTPS requests the agent is making in real time
|
||||
- **Replay requests** — Take any captured request and resend it with your own modifications
|
||||
- **Intercept and modify** — Pause requests mid-flight, edit them, then forward
|
||||
- **Explore the sitemap** — See the full attack surface the agent has discovered
|
||||
- **Manual testing** — Use Caido's tools to test findings the agent reports, or explore areas it hasn't reached
|
||||
|
||||
This turns Strix from a fully automated scanner into a collaborative tool — the agent handles the heavy lifting while you focus on the interesting parts.
|
||||
|
||||
## Scope
|
||||
|
||||
Create scopes to filter traffic to relevant domains:
|
||||
|
||||
```
|
||||
Allowlist: ["api.example.com", "*.example.com"]
|
||||
Denylist: ["*.gif", "*.jpg", "*.png", "*.css", "*.js"]
|
||||
```
|
||||
@@ -0,0 +1,91 @@
|
||||
---
|
||||
title: "Sandbox Tools"
|
||||
description: "Pre-installed security tools in the Strix container"
|
||||
---
|
||||
|
||||
Strix runs inside a Kali Linux-based Docker container with a comprehensive set of security tools pre-installed. The agent can use any of these tools through the [terminal](/tools/terminal).
|
||||
|
||||
## Reconnaissance
|
||||
|
||||
| Tool | Description |
|
||||
| ---------------------------------------------------------- | -------------------------------------- |
|
||||
| [Subfinder](https://github.com/projectdiscovery/subfinder) | Subdomain discovery |
|
||||
| [Naabu](https://github.com/projectdiscovery/naabu) | Fast port scanner |
|
||||
| [httpx](https://github.com/projectdiscovery/httpx) | HTTP probing and analysis |
|
||||
| [Katana](https://github.com/projectdiscovery/katana) | Web crawling and spidering |
|
||||
| [ffuf](https://github.com/ffuf/ffuf) | Fast web fuzzer |
|
||||
| [Nmap](https://nmap.org) | Network scanning and service detection |
|
||||
|
||||
## Web Testing
|
||||
|
||||
| Tool | Description |
|
||||
| ------------------------------------------------------ | -------------------------------- |
|
||||
| [Arjun](https://github.com/s0md3v/Arjun) | HTTP parameter discovery |
|
||||
| [Dirsearch](https://github.com/maurosoria/dirsearch) | Directory and file brute-forcing |
|
||||
| [wafw00f](https://github.com/EnableSecurity/wafw00f) | WAF fingerprinting |
|
||||
| [GoSpider](https://github.com/jaeles-project/gospider) | Web spider for link extraction |
|
||||
|
||||
## Automated Scanners
|
||||
|
||||
| Tool | Description |
|
||||
| ---------------------------------------------------- | -------------------------------------------------- |
|
||||
| [Nuclei](https://github.com/projectdiscovery/nuclei) | Template-based vulnerability scanner |
|
||||
| [SQLMap](https://sqlmap.org) | Automatic SQL injection detection and exploitation |
|
||||
| [Wapiti](https://wapiti-scanner.github.io) | Web application vulnerability scanner |
|
||||
| [ZAP](https://zaproxy.org) | OWASP Zed Attack Proxy |
|
||||
|
||||
## JavaScript Analysis
|
||||
|
||||
| Tool | Description |
|
||||
| -------------------------------------------------------- | ------------------------------ |
|
||||
| [JS-Snooper](https://github.com/aravind0x7/JS-Snooper) | JavaScript reconnaissance |
|
||||
| [jsniper](https://github.com/xchopath/jsniper.sh) | JavaScript file analysis |
|
||||
| [Retire.js](https://retirejs.github.io/retire.js) | Detect vulnerable JS libraries |
|
||||
| [ESLint](https://eslint.org) | JavaScript static analysis |
|
||||
| [js-beautify](https://github.com/beautifier/js-beautify) | JavaScript deobfuscation |
|
||||
| [JSHint](https://jshint.com) | JavaScript code quality tool |
|
||||
|
||||
## Source-Aware Analysis
|
||||
|
||||
| Tool | Description |
|
||||
| ------------------------------------------------------- | --------------------------------------------- |
|
||||
| [Semgrep](https://github.com/semgrep/semgrep) | Fast SAST and custom rule matching |
|
||||
| [ast-grep](https://ast-grep.github.io) | Structural AST/CST-aware code search (`sg`) |
|
||||
| [Tree-sitter](https://tree-sitter.github.io/tree-sitter/) | Syntax tree parsing and symbol extraction (Java/JS/TS/Python/Go/Bash/JSON/YAML grammars pre-configured) |
|
||||
| [Bandit](https://bandit.readthedocs.io) | Python security linter |
|
||||
|
||||
## Secret Detection
|
||||
|
||||
| Tool | Description |
|
||||
| ----------------------------------------------------------- | ------------------------------------- |
|
||||
| [TruffleHog](https://github.com/trufflesecurity/trufflehog) | Find secrets in code and history |
|
||||
| [Gitleaks](https://github.com/gitleaks/gitleaks) | Detect hardcoded secrets in repositories |
|
||||
|
||||
## Authentication Testing
|
||||
|
||||
| Tool | Description |
|
||||
| ------------------------------------------------------------ | ---------------------------------- |
|
||||
| [jwt_tool](https://github.com/ticarpi/jwt_tool) | JWT token testing and exploitation |
|
||||
| [Interactsh](https://github.com/projectdiscovery/interactsh) | Out-of-band interaction detection |
|
||||
|
||||
## Container & Supply Chain
|
||||
|
||||
| Tool | Description |
|
||||
| -------------------------- | ---------------------------------------------- |
|
||||
| [Trivy](https://trivy.dev) | Filesystem/container scanning for vulns, misconfigurations, secrets, and licenses |
|
||||
|
||||
## HTTP Proxy
|
||||
|
||||
| Tool | Description |
|
||||
| ------------------------- | --------------------------------------------- |
|
||||
| [Caido](https://caido.io) | Modern HTTP proxy for interception and replay |
|
||||
|
||||
## Browser
|
||||
|
||||
| Tool | Description |
|
||||
| ------------------------------------ | --------------------------- |
|
||||
| [Playwright](https://playwright.dev) | Headless browser automation |
|
||||
|
||||
<Note>
|
||||
All tools are pre-configured and ready to use. The agent selects the appropriate tool based on the vulnerability being tested.
|
||||
</Note>
|
||||
@@ -0,0 +1,65 @@
|
||||
---
|
||||
title: "Terminal"
|
||||
description: "Bash shell for running commands and security tools"
|
||||
---
|
||||
|
||||
Strix has access to a persistent bash terminal running inside the Docker sandbox. This gives the agent access to all [pre-installed security tools](/tools/sandbox).
|
||||
|
||||
## Capabilities
|
||||
|
||||
| Feature | Description |
|
||||
| ----------------- | ---------------------------------------------------------- |
|
||||
| Persistent state | Working directory and environment persist between commands |
|
||||
| Multiple sessions | Run parallel terminals for concurrent operations |
|
||||
| Background jobs | Start long-running processes without blocking |
|
||||
| Interactive | Respond to prompts and control running processes |
|
||||
|
||||
## Common Uses
|
||||
|
||||
### Running Security Tools
|
||||
|
||||
```bash
|
||||
# Subdomain enumeration
|
||||
subfinder -d example.com
|
||||
|
||||
# Vulnerability scanning
|
||||
nuclei -u https://example.com
|
||||
|
||||
# SQL injection testing
|
||||
sqlmap -u "https://example.com/page?id=1"
|
||||
```
|
||||
|
||||
### Code Analysis
|
||||
|
||||
```bash
|
||||
# Fast SAST triage
|
||||
semgrep --config auto ./src
|
||||
|
||||
# Structural AST search
|
||||
sg scan ./src
|
||||
|
||||
# Secret detection
|
||||
gitleaks detect --source ./
|
||||
trufflehog filesystem ./
|
||||
|
||||
# Supply-chain and misconfiguration checks
|
||||
trivy fs ./
|
||||
```
|
||||
|
||||
### Custom Scripts
|
||||
|
||||
```bash
|
||||
# Run Python exploits
|
||||
python3 exploit.py
|
||||
|
||||
# Execute shell scripts
|
||||
./test_auth_bypass.sh
|
||||
```
|
||||
|
||||
## Session Management
|
||||
|
||||
The agent can run multiple terminal sessions concurrently, for example:
|
||||
|
||||
- Main session for primary testing
|
||||
- Secondary session for monitoring
|
||||
- Background processes for servers or watchers
|
||||
Reference in New Issue
Block a user