بنقرة واحدة
strix
Strix 开放重定向测试手册,覆盖钓鱼跳转、OAuth 令牌窃取与白名单绕过;触发名:strix-open-redirect
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Strix 开放重定向测试手册,覆盖钓鱼跳转、OAuth 令牌窃取与白名单绕过;触发名:strix-open-redirect
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
| name | Strix•开放重定向 |
| description | Strix 开放重定向测试手册,覆盖钓鱼跳转、OAuth 令牌窃取与白名单绕过;触发名:strix-open-redirect |
Open redirects enable phishing, OAuth/OIDC code and token theft, and allowlist bypass in server-side fetchers that follow redirects. Treat every redirect target as untrusted: canonicalize and enforce exact allowlists per scheme, host, and path.
Server-Driven Redirects
Client-Driven Redirects
window.location, meta refresh, SPA routersOAuth/OIDC/SAML Flows
redirect_uri, post_logout_redirect_uri, RelayState, returnTo/continue/nextMulti-Hop Chains
/out or /r redirectorsredirect, url, next, return_to, returnUrl, continue, goto, target, callback, out, dest, back, to, r, uredirect_uri, post_logout_redirect_uri, RelayState, staterouter.push/replace, location.assign/href, meta refresh, window.openHost, X-Forwarded-Host/Proto, Referer; server-side Location echoUserinfo
https://trusted.com@evil.com → validators parse host as trusted.com, browser navigates to evil.comtrusted.com%40evil.com, a%40evil.com%40trusted.comBackslash and Slashes
https://trusted.com\evil.com, https://trusted.com\@evil.com, ///evil.com, /\evil.comWhitespace and Control
http%09://evil.com, http%0A://evil.com, trusted.com%09evil.comFragment and Query
trusted.com#@evil.com, trusted.com?//@evil.com, ?next=//evil.com#@trusted.comUnicode and IDNA
truѕted.com (Cyrillic), trusted.com。evil.com (full-width dot), trailing dot%2f%2fevil.com, %252f%252fevil.comhTtPs://evil.com, http:evil.com[::ffff:127.0.0.1]/out?url=/\evil.comCommon Mistakes
trusted.com.evil.com*.trusted.com also matches attacker.trusted.com.evil.netdata:, javascript:, file:, gopher: acceptedRobust Validation
// and unknown schemesRedirect URI Abuse
https://trusted.com → https://trusted.com.evil.com/oauth/../../@evil.compost_logout_redirect_uri often less strictly validatedJavaScript Redirects
location.href/assign/replace using user inputcontent=0;url=USER_INPUTrouter.push(searchParams.get('next'))https://trusted.example/out?url=https://attacker.tld/cb/login?next=https://attacker.tld/fakehttps://trusted.example/out?u=http://169.254.169.254/latest/meta-datapost_logout_redirect_uri and less-discussed flows; they're often looserRedirection is safe only when the final destination is constrained after canonicalization. Enforce exact origins, verify per hop, and treat client-provided destinations as untrusted across every stack.
面向中文用户和新手的统一入口,保持原有两种模式:1) 自动分流,2) 先头脑风暴再分流。分流目标既可以是 ctf-*,也可以在 Web/接口/漏洞验证阶段增强到 strix-*;适合不知道该用哪个 skill、想先理清题意、又不想自己先判断何时该切到工具链或漏洞专项的场景;触发名:ctf-beginner-hub
面向 CTF 新手与综合题的统一总控 skill。保持原有两种主模式:1) 自动分流,2) 先头脑风暴再分流。分流目标既可以是 ctf-*,也可以在 Web/接口/漏洞验证阶段增强到 strix-*;适合不知道该用哪个 skill、想边做边学、又不想自己先判断何时切换到工具链或漏洞专项的场景;触发名:ctf-super-hub
Strix JWT 与 OIDC 安全测试手册,覆盖令牌伪造、算法混淆与声明篡改;触发名:strix-authentication-jwt
给中文用户和新手用的 Strix Lite 统一入口:先判断该用哪一个 strix-* 工具或漏洞测试 skill,再给最小化起手步骤;适合在 Web 安全测试、工具链使用、漏洞验证时不知道先用哪个 Strix skill 的场景;触发名:strix-beginner-hub
Strix 功能级授权缺陷测试手册,覆盖操作级权限失效、管理功能越权与 API 操作绕过;触发名:strix-broken-function-level-authorization
Strix 业务逻辑漏洞测试手册,覆盖流程绕过、状态操控与领域约束破坏;触发名:strix-business-logic