Exploit Paths
Library

A curated library for reusable exploit-path structure.

This is the first public slice of the internal library: grounded enough to be useful, small enough to stay legible. It exists to show recurring capability families, path roles, and examples without pretending the whole model is finished.

Read the Thesis Browse Examples
Use this page

Read from capability to role to outcome, then use the examples to make the structure concrete.

Start with capability

Identify what kind of control or exposure the case creates before jumping to severity labels.

Locate the role

Decide whether that capability is acting as foothold, leverage gain, boundary crossing, or a timing-sensitive move.

Compare surviving outcomes

Use grounded examples to see which routes stay at disclosure and which survive toward stronger outcomes.

How To Read This

Primitive family

What kind of capability exists, such as reference control, disclosure, or execution influence.

How To Read This

Path role

What that capability is doing inside the route, such as foothold, leverage gain, boundary crossing, or state-window abuse.

How To Read This

Outcome class

What the route reaches if it survives validation, such as disclosure, privileged action, or execution.

Working structure

The library is a curated projection of the internal model.

The public layer is intentionally smaller than the internal corpus. It shows the currently strongest grounded families and examples without exposing every raw relationship or speculative category.

Working capability families
Disclosure
Reference control
Data influence
State corruption
More capability families
Execution influence
Authorization bypass
Sphere crossing
Sequencing manipulation
Common outcomes
Sensitive data access
Privileged action
Arbitrary code execution
Cross-sphere movement
  • Disclosure
  • Reference control
  • Data influence
  • State corruption
  • Execution or interpretation influence
  • Authorization or identity bypass
  • Sphere crossing
  • Sequencing or timing manipulation
Grounded families

The first slice emphasizes reusable structure, not exhaustive coverage.

Reference control

Control over paths, routes, or resource references that changes what the system can be made to touch next.

Strongest examples

Apache HTTP Server / Apache APISIX / Apache Sling / nginx

Common adjacent families

Disclosure / Sphere crossing / Authorization bypass

Disclosure

Exposure of information or state that materially improves the next transition in a route.

Strongest examples

Apache HTTP Server / Apache Sling

Common adjacent families

Reference control / Execution influence

Authorization bypass

Access-control failure that lets a route reach states or actions outside the current sphere.

Strongest examples

Apache APISIX

Common adjacent families

Sphere crossing / Reference control

Sphere crossing

Exposure of a resource or execution surface to the wrong trust or execution sphere.

Strongest examples

Apache HTTP Server / Apache APISIX / Apache Sling

Common adjacent families

Reference control / Authorization bypass

Execution influence

Attacker-controlled input or generated logic changes what code-like behavior the target executes.

Strongest examples

Apache Struts

Common adjacent families

Data influence / Disclosure

Path roles

The same capability can play different roles depending on where the route is standing.

Foothold

The first meaningful capability that moves the route from theoretical to actionable.

What this role is for

Starts the route from an exposed surface or modest weakness.

Best current fits

Reference control / Execution influence

Leverage gain

A step that materially improves control, reachability, or certainty without being the final outcome.

What this role is for

Turns partial capability into stronger control or better next-step options.

Best current fits

Disclosure / Authorization bypass / Reference control / Sequencing manipulation

Boundary crossing

Movement into a route space, trust zone, or execution sphere that should not have been reachable from the starting position.

What this role is for

Marks the transition where impact starts accelerating.

Best current fits

Sphere crossing / Authorization bypass / Reference control / Execution influence

State-window abuse

Exploitation of a narrow timing or order window where the target checks one state and later acts on another.

What this role is for

Captures timing-sensitive routes that do not fit a static-resource model well.

Best current fits

Sequencing manipulation

Grounded examples

The same structure should recur across very different public cases.

Example Primitive families Path roles Strongest outcome
Apache HTTP Server CVE-2021-41773 / CVE-2021-42013 Reference control, Disclosure, Sphere crossing Foothold, Leverage gain, Boundary crossing Disclosure -> execution under the right environment
Apache APISIX CVE-2021-43557 Reference control, Authorization bypass, Sphere crossing Boundary crossing, Leverage gain Privileged route access and cross-sphere movement
Apache Struts CVE-2017-5638 / S2-045 Execution influence, Data influence Foothold, Leverage gain Remote code execution
Apache Sling CVE-2024-23673 Reference control, Sphere crossing Boundary crossing, Leverage gain Code execution in vulnerable configurations
Dirty COW CVE-2016-5195 Sequencing manipulation Leverage gain, State-window abuse Administrative privilege gain
Boundary

This is curated, not exhaustive.

The internal library is broader and still evolving. The public surface is intentionally selective so the model stays legible and the strongest grounded patterns are easy to compare.

Next steps

Use the library as a route into deeper material.

Read the thesis for the conceptual model, use the reference docs for the source-facing layer, and expect the public library slice to expand only when new records materially improve the structure.

Read the Thesis Open the Walkthrough