Exploit for Grimoire

Name: Exploit for Grimoire
Rating: 5 (7 reviews)
2026-06-16 | CVSS 5.5
## https://sploitus.com/exploit?id=C3D0F122-BC3F-5AAC-9F18-FA8CB3F96BF4
書 — The Pentesterʼs Spellbook
  Answer the questions. Unleash the test cases.


---

## What is Grimoire?

A grimoire is a spellbook — a compendium of knowledge passed down by those who came before. **This Grimoire** is no different. Itʼs a wizard-style expert system that asks pentesters the right questions about their target, then reveals every relevant test case, methodology, exploit technique, payload, and tool from its vast library.

Born from the idea that **no test case should ever be missed**, Grimoire adapts to your target — web, mobile, thick client, API, or IoT — and dynamically routes you through the questions that matter, building a precise profile that matches against **192 test cases** across **13 categories**.

## How It Casts

```
┌─────────────┐     ┌──────────────┐     ┌──────────────────┐
│  Answer the  │ ──▶ │  Dynamic     │ ──▶ │  Tag-based       │
│  Questions   │     │  Routing     │     │  Matching Engine │
└─────────────┘     └──────────────┘     └────────┬─────────┘
                                                   │
┌─────────────┐     ┌──────────────┐     ┌────────▼─────────┐
│  Export     │ ◀── │  Severity    │ ◀── │  192 Test Cases  │
│  JSON/CSV   │     │  Weighted    │     │  Scored & Ranked │
└─────────────┘     └──────────────┘     └──────────────────┘
```

1. **Ask** — 71 questions across 7 phases: App Profile, Tech Stack, Auth, Features, Data Patterns, Infrastructure, Third-party
2. **Route** — Questions adapt dynamically. Choose PHP? Get PHP-specific follow-ups. Choose Mobile? Get biometric, 2FA, debuggable questions.
3. **Match** — Every answer adds tags. The engine scores all 192 test cases against your tag profile.
4. **Reveal** — Results ranked by relevance × severity. Filter by category, severity, or search keywords.
5. **Export** — Download as JSON, CSV, or print-ready report.

## Quick Start

```bash
git clone https://github.com/ShubhamDubeyy/grimoire.git
cd grimoire
python3 -m http.server 8000
# Open http://localhost:8000
```

> **Important:** Must be served from a web server (not `file://`). The knowledge base loads via `fetch()`.

## Project Structure

```
grimoire/
├── index.html                     # Entry point
├── logo.svg                       # Grimoire brandmark
├── version.json                   # Version check (GitHub Pages ready)
├── css/
│   └── style.css                  # Dark professional theme
├── js/
│   ├── engine.js                  # Tag scoring, routing, matching engine
│   └── app.js                     # Wizard UI, results grid, filter, export
├── data/
│   ├── knowledge-base.json        # 7 phases, 71 questions, category index
│   └── test-cases/
│       ├── generic-baseline.json  # 10: Universal tests every pentester starts with
│       ├── authentication.json    # 19: JWT, OAuth, SAML, MFA, session attacks
│       ├── authorization.json     #  8: IDOR, privilege escalation, CORS, HPP
│       ├── injection.json         # 29: SQLi, NoSQLi, XSS, SSTI, SSRF, XXE, Command
│       ├── file-handling.json     # 16: Upload, path traversal, LFI/RFI, zip slip
│       ├── business-logic.json    # 18: Race conditions, price, coupons, workflow
│       ├── infrastructure.json    # 16: Smuggling, cache poison, CSP, TLS
│       ├── llm-ai.json            # 12: Prompt injection, jailbreak, RAG poison
│       ├── mobile.json            # 16: Storage, cert pinning, WebView, biometric, memory
│       ├── thick-client.json      # 10: DLL hijack, named pipes, decompilation
│       ├── php-specific.json      # 16: Type juggling, deserialization, filter chains
│       ├── api-specific.json      # 12: BOLA, JWT, rate limit, GraphQL, webhooks
│       └── cms-specific.json      # 10: WordPress, Drupal, Magento, Laravel, Django
└── README.md
```

## The Spells (Test Case Categories)

| Category | Count | What It Covers |
|----------|:-----:|---------------|
| **Generic / Baseline** | 10 | TLS, security headers, cookies, info disclosure, default creds, input validation, CORS, rate limiting — every assessment starts here |
| **Authentication** | 19 | JWT/OAuth/SAML/MFA/session fixation/password reset/remember-me/credential brute-force |
| **Authorization** | 8 | IDOR (horizontal/vertical), privilege escalation, forced browsing, CORS, HPP, mass assignment |
| **Injection** | 29 | SQLi (5 types), NoSQLi (2), XSS (5 types), SSTI, SSRF (2), XXE (2), CRLF, Command, LDAP, GraphQL, Email, XPATH, SMTP |
| **File Handling** | 16 | Upload (8 vectors), .htaccess/.user.ini attacks, SVG XXE/XSS, LFI/RFI, path traversal, zip slip, ImageMagick |
| **Business Logic** | 18 | Race conditions, TOCTOU, price/quantity manipulation, payment callback, coupons, workflow bypass, subscription abuse |
| **Infrastructure** | 16 | Request smuggling (CL.TE/TE.CL/TE.TE), cache poison/deception, WebSocket, DNS rebinding, prototype pollution, hop-by-hop |
| **LLM/AI** | 12 | Direct/indirect prompt injection, jailbreak, system extraction, excessive agency, RAG poison, multimodal, DoS |
| **Mobile** | 16 | Storage, cert pinning bypass, deep link hijacking, WebView, biometric bypass, backup extraction, network analysis, reverse engineering, broadcast intent, memory analysis, debuggable exploitation |
| **Thick Client** | 10 | DLL hijacking, named pipes, decompilation, memory dumping, traffic interception, registry secrets, update hijacking, Electron attacks |
| **PHP-Specific** | 16 | Type juggling, unserialize RCE, LFI/RFI wrappers, mail() RCE, PHP-FPM, filter chains, disable_functions, Phar, OPcache |
| **API** | 12 | BOLA, JWT suite, rate limiting, mass assignment, versioning, SOAP, GraphQL, webhooks, WebSocket |
| **CMS** | 10 | WordPress, Drupal, Joomla, Magento, Laravel, Symfony, Django, Node.js, .NET, Strapi |

## Features

- **Dynamic routing** — Follow-up questions appear based on your answers. No two assessments are the same.
- **Tech-aware payloads** — PHP backend? PHP-specific payloads prioritized. Node.js? Node-specific vectors shown.
- **Severity-weighted** — Critical/High/Medium/Low/Info badges with color coding
- **Collapsible sections** — Methodology steps, payloads, references, and tools — expand what you need
- **Search & filter** — Narrow by category, severity, or keyword in real-time
- **Export** — JSON (full structured data), CSV (spreadsheet-friendly), or print to PDF
- **Keyboard navigation** — Enter to advance, click to select
- **192 test cases** — And growing. Each with methodology, payloads, references, and tool recommendations

## Adding New Spells

Each test case file in `data/test-cases/` is a JSON array. To contribute a new test case:

```json
{
  "id": "unique_id_here",
  "name": "Test Case Name",
  "category": "Category",
  "severity": "critical|high|medium|low|info",
  "owasp": "A01:2021",
  "cwe": "CWE-XXX",
  "description": "What this test case checks for",
  "methodology": ["Step 1", "Step 2", "Step 3"],
  "payloads": {
    "generic": ["generic payload"],
    "php": ["PHP-specific payload"]
  },
  "trigger": {
    "require_any_tags": ["tag1", "tag2"],
    "require_all_tags": [],
    "exclude_tags": []
  },
  "references": ["OWASP Ref", "CVE-XXXX-XXXXX"],
  "tools": ["Tool1", "Tool2"]
}
```

## Deploy to GitHub Pages

1. Push to GitHub: `git push origin main`
2. Go to **Settings → Pages → Source → Deploy from branch**
3. Select `main` branch, root (`/`) directory
4. Your Grimoire is live at `https://shubhamdubeyy.github.io/grimoire/`

## License

MIT — use, modify, and distribute freely. Attribution appreciated.

---


  「知識は力なり」— Knowledge is power. Every vulnerability has a test case. Every test case is in the Grimoire.