server side

Skill

Server-side vulnerability testing - SSRF, HTTP Request Smuggling, Path Traversal, File Upload, Insecure Deserialization, and Host Header injection.

Files50
  • @skills/server-side/SKILL.md
  • @skills/server-side/reference/INDEX.md
  • @skills/server-side/reference/file-upload-resources.md
  • @skills/server-side/reference/http-host-header-resources.md
  • @skills/server-side/reference/http-request-smuggling-resources.md
  • @skills/server-side/reference/insecure-deserialization-resources.md
  • @skills/server-side/reference/protocol-coercion.md
  • @skills/server-side/reference/scenarios/deserialization/dotnet-deserialization.md
  • @skills/server-side/reference/scenarios/deserialization/java-deserialization.md
  • @skills/server-side/reference/scenarios/deserialization/nodejs-deserialization.md
  • @skills/server-side/reference/scenarios/deserialization/php-deserialization.md
  • @skills/server-side/reference/scenarios/deserialization/python-and-ruby.md
  • @skills/server-side/reference/scenarios/deserialization/react-server-components-flight.md
  • @skills/server-side/reference/scenarios/deserialization/tools/aspnet_viewstate_build.py
  • @skills/server-side/reference/scenarios/file-upload/content-type-and-magic-bytes.md
  • @skills/server-side/reference/scenarios/file-upload/defense-evasion-and-yara.md
  • @skills/server-side/reference/scenarios/file-upload/extension-bypass.md
  • @skills/server-side/reference/scenarios/file-upload/ntfs-junction-write-redirect.md
  • @skills/server-side/reference/scenarios/file-upload/ntlm-hash-leak-via-media-upload.md
  • @skills/server-side/reference/scenarios/file-upload/path-traversal-and-htaccess.md
  • @skills/server-side/reference/scenarios/file-upload/polyglot-and-metadata-injection.md
  • @skills/server-side/reference/scenarios/file-upload/python-module-shadowing-via-so.md
  • @skills/server-side/reference/scenarios/file-upload/race-conditions.md
  • @skills/server-side/reference/scenarios/file-upload/web-shell-payloads.md
  • @skills/server-side/reference/scenarios/host-header/auth-bypass-localhost.md
  • @skills/server-side/reference/scenarios/host-header/cache-poisoning-via-host.md
  • @skills/server-side/reference/scenarios/host-header/password-reset-poisoning.md
  • @skills/server-side/reference/scenarios/host-header/routing-ssrf-and-flawed-parsing.md
  • @skills/server-side/reference/scenarios/http-smuggling/cl-te.md
  • @skills/server-side/reference/scenarios/http-smuggling/cl-zero-and-pause-based.md
  • @skills/server-side/reference/scenarios/http-smuggling/exploitation-patterns.md
  • @skills/server-side/reference/scenarios/http-smuggling/h2-downgrade.md
  • @skills/server-side/reference/scenarios/http-smuggling/te-cl.md
  • @skills/server-side/reference/scenarios/http-smuggling/te-te-obfuscation.md
  • @skills/server-side/reference/scenarios/path-traversal/basic-payloads-and-encoding.md
  • @skills/server-side/reference/scenarios/path-traversal/filter-bypass-techniques.md
  • @skills/server-side/reference/scenarios/path-traversal/lfi-to-rce.md
  • @skills/server-side/reference/scenarios/path-traversal/nbconvert-jupyter-notebook.md
  • @skills/server-side/reference/scenarios/path-traversal/platform-specific.md
  • @skills/server-side/reference/scenarios/path-traversal/target-files.md
  • @skills/server-side/reference/scenarios/ssrf/blind-detection-and-portscan.md
  • @skills/server-side/reference/scenarios/ssrf/cloud-metadata.md
  • @skills/server-side/reference/scenarios/ssrf/localhost-and-ip-bypass.md
  • @skills/server-side/reference/scenarios/ssrf/protocol-exploitation-gopher.md
  • @skills/server-side/reference/scenarios/ssrf/proxy-path-traversal.md
  • @skills/server-side/reference/scenarios/ssrf/redis-inline-via-header-name.md
  • @skills/server-side/reference/scenarios/ssrf/stored-connector-url-ssrf.md
  • @skills/server-side/reference/scenarios/ssrf/url-parser-and-allowlist-bypass.md
  • @skills/server-side/reference/scenarios/ssrf/utf8-binary-loss-limit.md
  • @skills/server-side/reference/server-side-principles.md

Server-Side

Test for server-side vulnerabilities that allow unauthorized access, RCE, or data exfiltration.

Techniques

TypeKey Vectors
SSRFInternal service access, cloud metadata, protocol smuggling
HTTP SmugglingCL.TE, TE.CL, TE.TE, CL.0, H2.CL, h2c, multi-layer proxy chains, connection pooling desync
Path TraversalDirectory traversal, null bytes, encoding bypass
File UploadExtension bypass, content-type manipulation, polyglot files
DeserializationJava, PHP, Python, .NET gadget chains
Host HeaderPassword reset poisoning, cache poisoning, routing-based SSRF
CUPS / cups-browsedCVE-2024-47076/47175/47176/47177 — UDP browse → IPP injection → PPD injection → foomatic-rip RCE (see skills/infrastructure/reference/scenarios/network-recon/cups-browsed-rce.md)

Workflow

  1. Identify server-side processing points
  2. Test for vulnerability class indicators
  3. Bypass protections (WAF, allowlists, encoding filters)
  4. Demonstrate impact (file read, RCE, internal access)
  5. Capture evidence with PoC

Reference

  • reference/scenarios/ssrf/*.md - SSRF techniques and labs
  • reference/http-request-smuggling*.md - Smuggling techniques
  • reference/scenarios/path-traversal/*.md - Path traversal bypass methods
  • reference/file-upload*.md - File upload exploitation
  • reference/insecure-deserialization*.md - Deserialization attacks
  • reference/http-host-header*.md - Host header injection
  • skills/infrastructure/reference/scenarios/network-recon/cups-browsed-rce.md - CUPS RCE chain (CVE-2024-47076/175/176/177); ipptool false positives vs libcups runtime parser; ippserver Python lib version-1.1 hardcode bug
server-side — Kortix Marketplace | Kortix