Library

A curated library for reusable exploit-path structure.

This is the first public slice of the internal library: grounded enough to be useful, small enough to stay legible. It exists to show recurring capability families, path roles, and examples without pretending the whole model is finished.

Read the reference

Read from capability to role to outcome, then use the examples to make the structure concrete.

Start with capability

Identify what kind of control or exposure the case creates before jumping to severity labels.

Locate the role

Decide whether that capability is acting as foothold, leverage gain, boundary crossing, or a timing-sensitive move.

Compare surviving outcomes

Use grounded examples to see which routes stay at disclosure and which survive toward stronger outcomes.

How To Read This

Primitive family

What kind of capability exists, such as reference control, disclosure, or execution influence.

Path role

What that capability is doing inside the route, such as foothold, leverage gain, boundary crossing, or state-window abuse.

Outcome class

What the route reaches if it survives validation, such as disclosure, privileged action, or execution.

Working structure

How the model is organized.

This public slice stays focused on the strongest grounded families and examples, so the structure is easy to compare without dragging every internal relationship onto the page.

Working capability families

  • Disclosure
  • Reference control
  • Data influence
  • State corruption

More capability families

  • Execution influence
  • Authorization bypass
  • Sphere crossing
  • Sequencing manipulation

Common outcomes

  • Sensitive data access
  • Privileged action
  • Arbitrary code execution
  • Cross-sphere movement

  • Disclosure
  • Reference control
  • Data influence
  • State corruption
  • Execution or interpretation influence
  • Authorization or identity bypass
  • Sphere crossing
  • Sequencing or timing manipulation

This slice favors

  • grounded families that already recur across public cases
  • path roles that help cold readers interpret examples quickly
  • comparison surfaces that show the model repeating across cases

This slice keeps internal

  • raw record identifiers and full source adjacency webs
  • speculative families and weakly grounded relationships
  • internal-only modeling notes that do not improve public legibility yet

Grounded families

The strongest families recur across multiple public cases.

Reference control

Control over paths, routes, or resource references that changes what the system can be made to touch next.

Strongest examples

Apache HTTP Server / Apache APISIX / Apache Sling / nginx

Common adjacent families

Disclosure / Sphere crossing / Authorization bypass

Disclosure

Exposure of information or state that materially improves the next transition in a route.

Strongest examples

Apache HTTP Server / Apache Sling

Common adjacent families

Reference control / Execution influence

Authorization bypass

Access-control failure that lets a route reach states or actions outside the current sphere.

Strongest examples

Apache APISIX

Common adjacent families

Sphere crossing / Reference control

Sphere crossing

Exposure of a resource or execution surface to the wrong trust or execution sphere.

Strongest examples

Apache HTTP Server / Apache APISIX / Apache Sling

Common adjacent families

Reference control / Authorization bypass

Execution influence

Attacker-controlled input or generated logic changes what code-like behavior the target executes.

Strongest examples

Apache Struts

Common adjacent families

Data influence / Disclosure

Path roles

Roles explain what a capability is doing inside the path.

Foothold

The first meaningful capability that moves the route from theoretical to actionable.

What this role is for

Starts the route from an exposed surface or modest weakness.

Best current fits

Reference control / Execution influence

Leverage gain

A step that materially improves control, reachability, or certainty without being the final outcome.

What this role is for

Turns partial capability into stronger control or better next-step options.

Best current fits

Disclosure / Authorization bypass / Reference control / Sequencing manipulation

Boundary crossing

Movement into a route space, trust zone, or execution sphere that should not have been reachable from the starting position.

What this role is for

Marks the transition where impact starts accelerating.

Best current fits

Sphere crossing / Authorization bypass / Reference control / Execution influence

State-window abuse

Exploitation of a narrow timing or order window where the target checks one state and later acts on another.

What this role is for

Captures timing-sensitive routes that do not fit a static-resource model well.

Best current fits

Sequencing manipulation

Grounded examples

The same model can produce very different visible outcomes.

| Example | Primitive families | Path roles | Strongest outcome |
|---|---|---|---|
| Apache HTTP Server CVE-2021-41773 / CVE-2021-42013 | Reference control, Disclosure, Sphere crossing | Foothold, Leverage gain, Boundary crossing | Disclosure -> execution under the right environment |
| Apache APISIX CVE-2021-43557 | Reference control, Authorization bypass, Sphere crossing | Boundary crossing, Leverage gain | Privileged route access and cross-sphere movement |
| Apache Struts CVE-2017-5638 / S2-045 | Execution influence, Data influence | Foothold, Leverage gain | Remote code execution |
| Apache Sling CVE-2024-23673 | Reference control, Sphere crossing | Boundary crossing, Leverage gain | Code execution in vulnerable configurations |
| Dirty COW CVE-2016-5195 | Sequencing manipulation | Leverage gain, State-window abuse | Administrative privilege gain |

Why this stays selective

This page stays focused so the core structures are easy to compare.

The underlying library is broader and still evolving. This public slice stays smaller so the model remains legible and the strongest grounded patterns are easy to compare without noise.

Next steps

Use the library as a route into deeper material.

Read the thesis for the conceptual model, use the reference docs for the source-facing layer, and expect the public library slice to expand only when new records materially improve the structure.