Skip to content

dmbs335/the-map

BranchesTags

Repository files navigation

The Map

Web Security Vulnerability Knowledge Base — Mutation Taxonomy & Attack Surface Reference

A structured, comprehensive vulnerability mutation taxonomy collection for security researchers, penetration testers, bug bounty hunters, and AI security agents — built with Claude Code.

Keywords: web security knowledge base, vulnerability taxonomy, attack surface mapping, mutation catalog, penetration testing reference, bug bounty methodology, security research database, exploit variation matrix, web hacking cheatsheet, OWASP vulnerability classification, offensive security reference

What is this?

The Map is a security knowledge base that systematically classifies 108+ web vulnerability classes across 12 categories (plus 7 researcher profiles). Unlike conventional cheatsheets or CVE lists, each topic is organized by structural mutation criteria — what is mutated, what discrepancy it creates, and where it is weaponized.

Each topic is a deeply structured Markdown reference document covering the full attack surface of a vulnerability class through a three-axis taxonomy (Mutation Target, Discrepancy/Bypass Type, Attack Scenario).

Topics

01. Injection

Category Description
SQL Injection SQL injection mutation vectors and filter bypass taxonomy
NoSQL Injection NoSQL injection operators, syntax variations, and blind extraction
Command Injection OS command injection chaining, filter evasion, and shell-specific mutations
XSS Cross-Site Scripting context-dependent payloads and filter bypass
SSTI Server-Side Template Injection across template engines
EL Injection Expression Language injection in Java EE / Spring ecosystems
XXE XML External Entity injection, OOB exfiltration, and parser differentials
LDAP / XPath Injection LDAP and XPath query injection mutation taxonomy
Prototype Pollution JavaScript prototype chain pollution vectors and gadget chains
GraphQL GraphQL introspection abuse, batching attacks, and injection vectors
LaTeX Injection LaTeX injection mutation vectors and document processing exploitation
Protocol-Level Injection Protocol-level injection across SMTP, LDAP, and other wire protocols
SSI / ESI / XSLT Injection Server-Side Includes, Edge Side Includes, and XSLT injection for RCE
ORM Misuse → SQL Injection ORM query function misuse leading to SQL injection
CSV Formula Injection Spreadsheet formula injection via CSV/Excel export functionality
CSS Injection CSS-based data exfiltration and style injection attacks

02. Authentication & Authorization

Category Description
Authentication Bypass & SSO Single Sign-On and authentication bypass patterns
OAuth OAuth 2.0 flow exploitation and token theft patterns
JWT JSON Web Token algorithm confusion, key injection, and claim abuse
SAML SAML assertion forgery, signature wrapping, and parser differentials
CORS Misconfiguration Cross-Origin Resource Sharing misconfig exploitation patterns
IDOR / BOLA Broken Object Level Authorization and reference manipulation
Account Takeover Authentication bypass chains and account recovery exploitation
Mass Assignment Parameter binding abuse and hidden field injection
Cryptographic Implementation Vulnerabilities Web-context cryptographic implementation flaws and bypass patterns

03. HTTP & Protocol Layer

Category Description
HTTP Request Smuggling HTTP parsing discrepancies, desync attacks, and CL/TE mutations
HTTP Header HTTP header injection, smuggling, and semantic abuse
HTTP Parameter Pollution Parameter parsing discrepancy across backends and frameworks
WebSocket WebSocket handshake abuse, hijacking, and cross-site attacks
gRPC / tRPC gRPC and tRPC protocol exploitation and security patterns
Reverse Proxy Misrouting Reverse proxy path normalization discrepancies and access control bypass
Protocol-Level WAF Bypass Protocol-level WAF evasion via HTTP parsing differentials
HTTP Censorship Bypass HTTP-based censorship circumvention techniques
HTTP/3 QUIC Protocol Smuggling HTTP/3 and QUIC protocol-level smuggling and parsing differentials
TLS/SSL Security TLS/SSL mutation taxonomy, downgrade attacks, and certificate validation bypass

04. Server-Side Attacks

Category Description
SSRF Server-Side Request Forgery bypass taxonomy and cloud metadata exploitation
Path Traversal Directory traversal, path normalization bypass, and file access attacks
File Upload File upload restriction bypass mutations and content-type confusion
Deserialization Deserialization gadget chains, format-specific attacks, and bypass taxonomy
JNDI Injection JNDI lookup exploitation (Log4Shell class) and remote class loading
JDBC Attack JDBC connection string injection and driver-specific exploitation
JAAS Attack Java Authentication & Authorization Service bypass patterns
Email Smuggling Email header injection, SMTP smuggling, and parser abuse
File Download Arbitrary file download, forced download, and file access control bypass
Arbitrary File Write → RCE Cross-platform arbitrary file write to RCE chain taxonomy
Document & Media Processing RCE Document/media processing library exploitation (ImageMagick, Ghostscript, etc.)
Arbitrary Object Instantiation Arbitrary object instantiation and class loading exploitation

05. Client-Side & UI

Category Description
Cookie Security Cookie security bypass, scope confusion, and injection techniques
CSRF Cross-Site Request Forgery token bypass and SameSite evasion
UI Redressing Clickjacking, drag-and-drop hijacking, and UI deception techniques
Open Redirect URL redirect bypass techniques and chaining with other vulns
Browser Security Model Browser security model bypass and same-origin policy violations
Browser Extension Security Browser extension vulnerabilities and attack surface
DOM Clobbering DOM Clobbering attacks via named access and prototype chain pollution
Service Worker Service Worker security issues and exploitation techniques
XS-Leak Cross-site leak attacks and timing side-channels
Mutation XSS (mXSS) DOM mutation-based XSS via sanitizer/parser differentials
Universal XSS (uXSS) Browser-level universal XSS vulnerabilities
Desktop & Hybrid App Security Electron, CEF, and desktop/hybrid application security

06. Encoding & Parser Differential

Category Description
URL Confusion URL parser inconsistency attacks and normalization differentials
Unicode Unicode normalization, case mapping, encoding attacks, and visual spoofing
Type Confusion & Coercion Type confusion, coercion abuse, and implicit conversion vulnerabilities
ZIP Archive Archive parsing differentials, path traversal, and Zip Slip exploitation

07. Application Logic

Category Description
Business Logic Vulnerabilities Application logic flaw patterns and state manipulation
State Machine Violation Workflow state bypass and process order manipulation
Web Race Condition Concurrency exploitation, TOCTOU attacks, and limit-overrun
Web Timing Attack Timing side-channels for enumeration and state inference
Implicit Trust Boundary Undocumented trust relationships and boundary crossing attacks
Numeric & Boundary Logic Integer overflow, boundary value abuse, and numeric logic flaws

08. Infrastructure & Supply Chain

Category Description
Dependency Confusion Package manager namespace attacks and supply chain injection
Web Cache Poisoning & Deception Cache key manipulation, unkeyed input abuse, and cache deception
WAF Bypass (Payload-Level) Payload-level WAF evasion — encoding, chunking, and format tricks
CI/CD Pipeline Security CI/CD pipeline vulnerabilities and supply chain attacks
API Inventory Management API discovery, shadow APIs, and inventory management security
Container & Orchestration RCE Container escape, Kubernetes exploitation, and orchestration infrastructure RCE
Developer Toolchain & Build System RCE Build tool, IDE plugin, and developer toolchain exploitation for RCE
Secondary Context Attack Cross-context injection and inter-component trust abuse
Insecure Management Interface Exposed admin panels, management interface exploitation, and default credential abuse

09. Frameworks & Languages

Category Description
Spring Spring Framework-specific attack surface and misconfiguration
ASP.NET ASP.NET specific vulnerabilities and exploitation patterns
PHP PHP-specific vulnerabilities, type juggling, and deserialization
Ruby on Rails Rails-specific vulnerabilities, mass assignment, and ERB injection
Django Django-specific vulnerabilities and ORM exploitation
Symfony Symfony framework-specific vulnerabilities and exploitation
Next.js Next.js SSR/SSG security patterns and middleware bypass
Modern JS Frameworks React, Angular, Vue security patterns and SSR vulnerabilities
ORM Leak ORM information leakage and query manipulation patterns
Java Java standard library security — JDK core package attack surfaces and language-level design flaws
Node.js Node.js runtime security — event loop, native module, and runtime-specific vulnerabilities

10. Recon & Methodology

Category Description
Web Fingerprinting Server and application fingerprinting techniques
Web Fuzzing Web fuzzing strategies, wordlist generation, and parameter discovery
Web Crawling Security-focused web crawling methodology and reconnaissance automation
Reconnaissance Undocumented parameter and endpoint enumeration

11. Security Researchers

Researcher Focus Areas
Sam Curry Real-world business logic and API misconfig case studies
Orange Tsai Advanced web exploitation and novel attack chains
Frans Rosén Browser security and innovative client-side attacks
Soroush Dalili IIS exploitation and web application security research
Ben Sadeghipour Bug bounty methodology, recon techniques, and live hacking
Harsh Jaiswal & Rahul Maini Pre-auth RCE, server-side exploitation chains, and Electron security
Ron Chan Bug bounty research techniques and web vulnerability discovery

12. Product Security

Category Description
SAP SAP-specific web vulnerabilities and exploitation patterns
Adobe Experience Manager (AEM) AEM-specific attack surface, dispatcher bypass, and OSGi exploitation
Salesforce Lightning Platform Salesforce Lightning security, Aura/LWC exploitation, and SOQL injection
SharePoint SharePoint deserialization, auth bypass, and infrastructure exploitation
WordPress WordPress-specific vulnerabilities, plugin exploitation, and misconfigurations
Nginx Nginx-specific misconfigurations, alias traversal, and off-by-slash attacks
Jetty Eclipse Jetty-specific vulnerabilities and exploitation patterns
DOMPurify DOMPurify bypass and sanitizer evasion mutation taxonomy
MongoDB MongoDB injection, operator abuse, and exploitation patterns

13. Miscellaneous

Category Description
AI/LLM Security AI/LLM prompt injection, jailbreak, agent exploitation, and model security
Web Application DoS Application-layer denial of service via ReDoS, hash collision, resource exhaustion
DNS Web Security DNS rebinding, subdomain takeover, and resolver abuse
Dynamic Rendering Engine Exploitation Headless browser and dynamic rendering engine exploitation
CTF Exotic Tricks Unconventional exploitation techniques from CTF competitions
Web Memory Disclosure Web application memory disclosure via buffer over-read, uninitialized memory, and heap spraying

99. Deprecated

Category Description
RMI Java Remote Method Invocation attack surface and registry abuse
JMX Attack Java Management Extensions attack surface and MBean abuse
HTTP Pipelining Attack HTTP pipelining abuse, response queue poisoning, and desync attacks
Cross-Site Script Inclusion (XSSI) Cross-site script inclusion and JSONP data theft
Relative Path Overwrite (RPO) Relative path overwrite for stylesheet injection and content hijacking
NAT Slipstreaming NAT slipstreaming via browser-based protocol confusion

Artifact Examples

Category Description
Artifact Examples Generated security tooling examples and proof-of-concepts (directory index)

Purpose — An Intermediate Representation for Security Knowledge

In a compiler, source code is transformed into an Intermediate Representation (IR) before being compiled into machine code for any target architecture. The Map serves the same role for security knowledge:

Security Research (papers, CVEs, writeups, conference talks)
        |
        v
    The Map (IR) — structured mutation taxonomy
        |
        v
  Burp Suite plugin / Nuclei template / WAF rule / bchecks / DAST scanner / AI agent

Raw security research — scattered across academic papers, blog posts, conference talks, and bug bounty reports — is valuable but not directly actionable. The Map compiles this knowledge into a structured, machine-readable intermediate form where every mutation variant is classified by what is mutated, why it works, and where it applies. From this IR, any number of output formats can be generated:

Input (IR) Output
jwt/jwt.md § Algorithm Confusion Burp Scanner check for alg header manipulation
cookie/cookie.md § Cookie Sandwich Nuclei template detecting RFC 2109 parsing quirks
xss/xss.md § Encoding Differentials WAF rule set covering context-specific bypass variants
ssrf/ssrf.md § IP Representation bchecks collection for SSRF filter bypass mutations
smuggling/... § CL.TE / TE.CL DAST scanner test cases for HTTP desync
Any taxonomy document AI agent context for automated penetration testing

Each row in each taxonomy table is simultaneously a test case (offensive), a detection signature (defensive), and a fuzzer seed (discovery). Structure the knowledge once, compile it to any target.

What this enables

  • AI Security Agents — LLM-based agents consume these taxonomies as structured domain knowledge to reason about vulnerability classes, generate test cases, and guide penetration testing workflows — replacing ad-hoc prompting with systematic mutation coverage.
  • Security Tooling Pipeline — Feed a taxonomy document into Claude Code and generate Burp Suite extensions, Nuclei templates, Semgrep rules, WAF configurations, or bchecks — each mutation variant maps directly to a concrete check.
  • Taxonomy & Classification — A unified structural framework for organizing vulnerability research that goes beyond surface-level categorization (e.g., OWASP Top 10) into mutation-level granularity.
  • Fuzzer Seed Generation — Mutation catalogs provide systematic seed corpora for fuzzers. Instead of random mutations, fuzzers can target specific structural variations documented in each taxonomy.
  • Security Research — A reference framework for researchers to identify gaps in existing coverage, discover unexplored mutation combinations, and build on prior work systematically.
  • Novel Variant Discovery — Because the taxonomy is organized by mutation axes rather than known payloads, it enables reasoning about unexplored combinations — mutations that should theoretically work but haven't been documented yet.

How it was built

Every document in this repository was researched and synthesized using Claude Code (Anthropic's AI coding agent). The process involved systematic multi-source research — academic papers, conference talks (BlackHat, DEF CON), CVE databases, bug bounty reports, and tooling documentation — then synthesized into unified taxonomy documents organized by generalized structural criteria.

Structure

the-map/
  ├── 01-injection/              # Injection attacks (16 topics)
  ├── 02-auth/                   # Authentication & Authorization (9 topics)
  ├── 03-http-protocol/          # HTTP & Protocol Layer attacks (10 topics)
  │   └── http-parsing-discrepancy/  # HTTP parsing differential sub-category
  ├── 04-server-side/            # Server-side vulnerabilities (12 topics)
  ├── 05-client-side/            # Client-side & Browser attacks (12 topics)
  ├── 06-encoding-parser/        # Encoding & Parser differentials (4 topics)
  ├── 07-application-logic/      # Business logic vulnerabilities (6 topics)
  ├── 08-infrastructure/         # Infrastructure & Supply Chain (9 topics)
  ├── 09-frameworks-and-languages/  # Framework & Language-specific (11 topics)
  ├── 10-recon-methodology/      # Reconnaissance & Methodology (4 topics)
  ├── 11-researchers/            # Security researcher case studies (7 topics)
  ├── 12-product-security/       # Product-specific security (9 topics)
  ├── 13-misc/                   # Miscellaneous (6 topics)
  ├── 99-deprecated/             # Deprecated topics (6 topics)
  ├── skills/                    # Claude Code skill definitions (10 skills)
  ├── artifact-examples/         # Generated tooling examples & visualizations
  └── README.md

Each category contains related vulnerability classes, with each .md file following a consistent three-axis classification:

  1. Axis 1 — Mutation Target: What structural component is manipulated
  2. Axis 2 — Discrepancy Type: What mismatch or bypass the mutation creates
  3. Axis 3 — Attack Scenario: Real-world exploitation context mapping

License

This is a security research reference. Use responsibly for authorized testing, defensive security, and education.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

11 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 2

Languages