
Feature/fase 2 prompt optimization#183

Merged
0xallam merged 1 commit into usestrix:main from vsh00t:feature/fase-2-prompt-optimization on May 4, 2026

Conversation

@vsh00t vsh00t (Contributor) commented Dec 7, 2025

No description provided.

Copilot AI review requested due to automatic review settings December 7, 2025 22:44


@0xallam 0xallam force-pushed the feature/fase-2-prompt-optimization branch from dc23891 to 9d742a4 on May 4, 2026 01:15

0xallam added a commit to vsh00t/strix that referenced this pull request on May 4, 2026:

Two single-bullet additions to the False Positives sections of two
existing skills:

- idor.md: empty array / null returned for another user's resource
  is silent enforcement (not exposure) — compare against owner's view
  to confirm
- ssrf.md: OAST callback whose source IP matches the tester's machine
  was made client-side (browser / client fetch), not by the server

Both signals surfaced from the false-positive-indicators section of
the deprecated .jinja prompts in usestrix#183 (rest of that PR was scoped down
to its substantive parts; the .jinja content itself is dropped because
the .jinja vulnerability prompt format has been replaced by the .md
skills).

Co-authored-by: Jorge Moya <jorge@MacBook-Pro-de-Jorge.local>

Two single-bullet additions to the False Positives sections of two
existing skills:

- idor.md: empty array / null returned for another user's resource
  is silent enforcement (not exposure) — compare against the owner's
  view to confirm
- ssrf.md: OAST callback whose source IP matches the tester's machine
  was made client-side (browser / client fetch), not by the server

Both signals surfaced from the false-positive-indicators content
originally proposed in this PR; rest of the PR's scope (test scaffolding,
confidence module, system-prompt protocol, deprecated .jinja prompt
format) was dropped because the .jinja vulnerability prompt format has
been replaced by the .md skills and the other parts didn't have
production consumers.
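The two false-positive signals described in the commit messages above (an empty or null cross-user response that is really silent enforcement, and an OAST callback that originated from the tester's own machine) can be turned into a small triage step. The following is an added example written for this page, not code from the Strix project; the dataclasses, function names and the constructed sample responses and addresses are all hypothetical.

```python
"""Triage helpers for two IDOR / SSRF false-positive signals.

Added example, not Strix project code. All names below are hypothetical.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Any, Iterable


@dataclass
class IdorObservation:
    """Responses for the same resource as seen by its owner and by another user."""
    owner_body: str    # body returned when the owner fetches their own resource
    other_body: str    # body returned when a different user requests that resource
    other_status: int  # HTTP status of the other user's request


def _parse(body: str) -> Any:
    """Decode JSON when possible so [] / null / {} compare structurally."""
    try:
        return json.loads(body)
    except ValueError:
        return body


def _is_empty(value: Any) -> bool:
    return value is None or value in ([], {}, "")


def classify_idor(obs: IdorObservation) -> str:
    """Classify a cross-user fetch.

    'exposure'            the other user received the owner's data
    'enforced'            the server rejected the request explicitly
    'silent-enforcement'  empty/null came back while the owner sees data
    'inconclusive'        the owner's own view is empty too, so nothing is proven
    'differs'             non-empty but not the owner's data; review manually
    """
    if obs.other_status in (401, 403, 404):
        return "enforced"
    owner = _parse(obs.owner_body)
    other = _parse(obs.other_body)
    if _is_empty(other) and not _is_empty(owner):
        # The page's signal: an empty array / null is access control, not a leak.
        return "silent-enforcement"
    if _is_empty(other) and _is_empty(owner):
        return "inconclusive"
    if other == owner:
        return "exposure"
    return "differs"


@dataclass
class OastCallback:
    """One out-of-band interaction recorded by the OAST listener."""
    source_ip: str
    payload_id: str


def _in_any(ip: str, networks: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def classify_oast(cb: OastCallback, tester_nets: Iterable[str],
                  server_nets: Iterable[str]) -> str:
    """Attribute a callback to the tester's client, the target server, or neither."""
    if _in_any(cb.source_ip, tester_nets):
        # The page's signal: the tester's own IP means the fetch was client-side.
        return "client-side-fetch"
    if _in_any(cb.source_ip, server_nets):
        return "server-side"
    return "unknown-origin"


def demo() -> dict:
    """Run both classifiers on constructed sample data (documentation-range IPs)."""
    idor = IdorObservation(
        owner_body='{"id": 7, "email": "owner@example.test"}',
        other_body="[]",
        other_status=200,
    )
    cb = OastCallback(source_ip="203.0.113.5", payload_id="probe-1")
    return {
        "idor": classify_idor(idor),
        "oast": classify_oast(cb, tester_nets=["203.0.113.0/24"],
                              server_nets=["198.51.100.0/24"]),
    }


if __name__ == "__main__":
    print(demo())
```

Both helpers deliberately return a label rather than a boolean so that the "inconclusive", "differs" and "unknown-origin" cases are surfaced for manual review instead of being collapsed into a finding.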
@0xallam 0xallam force-pushed the feature/fase-2-prompt-optimization branch from 9d742a4 to 50bbfb6 on May 4, 2026 01:17
@0xallam 0xallam merged commit 6942ecb into usestrix:main May 4, 2026
@vsh00t vsh00t deleted the feature/fase-2-prompt-optimization branch May 4, 2026 02:39

Labels

None yet

3 participants