Missing vulnerability skills: MFA bypass and edge cases (caching races, partial failures) #335

@fresh3nough

Problem

Strix's current skill set has strong coverage for common vulnerability classes (SQLi, XSS, SSRF, IDOR, etc.) and even has thorough playbooks for race conditions, business logic, and JWT authentication. However, two important areas have no dedicated coverage:

1. MFA Bypass (no existing skill)

MFA is now a baseline security control across most production applications, yet there is no skill that teaches agents how to test MFA implementations. Real-world MFA bypasses are common and include:

  • Pre-MFA session access -- the gap between password verification and MFA completion often leaves sessions partially authenticated with API access
  • OTP code reuse and brute force -- missing rate limits or single-use enforcement on 6-digit codes
  • Fallback/recovery abuse -- method downgrade (TOTP to SMS), backup code weaknesses, account recovery flows that skip MFA entirely
  • Enrollment flow weaknesses -- adding or removing MFA methods without verifying the existing factor
  • Client-side MFA gates -- MFA status stored in JWTs or cookies that can be tampered with

Without this skill, agents have no structured approach for testing one of the most critical authentication controls. CWE-308 (Use of Single-factor Authentication) is consistently present in bug bounty findings and penetration test reports.

2. Edge Cases: Caching Races, Partial Failures, Boundary Conditions (no existing skill)

The existing race_conditions skill covers concurrency bugs well, but there is no coverage for the broader class of edge case vulnerabilities that arise at system boundaries:

  • Cache poisoning races -- TOCTOU on CDNs, Vary header omission serving authenticated content cross-user, web cache deception, cache key confusion between proxy and origin
  • Partial failure exploitation -- half-committed multi-service transactions (payment captured but order not created), orphaned resources, retry amplification causing duplicate side effects
  • Eventual consistency windows -- stale reads after permission revocation due to replication lag, search index lag exposing deleted/revoked resources, distributed counter drift
  • Boundary condition abuse -- integer overflow in quantity/price fields, pagination cursor manipulation crossing authorization boundaries, time-boundary quota resets at midnight/month-end/DST
  • Graceful degradation weaknesses -- fallback paths that skip auth when a dependency is unavailable, circuit breaker open states routing around security controls

These bugs are high-impact (cross-user data exposure, financial loss, authorization bypass) but rarely surface in standard testing because they require adversarial timing, failure injection, or boundary-value analysis. Modern distributed architectures (microservices, CDN-backed APIs, multi-region deployments) make these issues increasingly common.

Proposed Solution

Add two new skill files:

  • strix/skills/vulnerabilities/mfa_bypass.md (CWE-308)
  • strix/skills/vulnerabilities/edge_cases.md (CWE-362)

Both follow the existing skill template with full Attack Surface, Reconnaissance, Key Vulnerabilities, Bypass Techniques, Testing Methodology, Validation, and Pro Tips sections.

Addressed in #334.
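The MFA weaknesses listed under "MFA Bypass" above (pre-MFA session access, OTP reuse and missing rate limits, client-side MFA gates), worked through as an added example that is not code from the issue author or from the Strix project. It models a login flow in memory: a vulnerable app beside a hardened one, plus probe functions of the kind an mfa_bypass playbook would drive. The user account, password, the fixed HOTP secret and the class and function names are all constructed for this example; the harness plays the legitimate authenticator, so it knows the HOTP counter, which a real attacker would not.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed test account; the OTP secret is fixed so the example is reproducible.
USERS = {"alice": {"password": "correct-horse", "otp_secret": b"\x01" * 20}}
MAX_OTP_ATTEMPTS = 5


def make_otp(secret: bytes, counter: int) -> str:
    """HOTP-style 6-digit code (RFC 4226 dynamic truncation), as the issuer mints it."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(int.from_bytes(mac[off:off + 4], 'big') & 0x7FFFFFFF) % 1_000_000:06d}"


class VulnerableApp:
    """Password alone creates a usable session; the MFA gate lives in a client cookie."""
    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        if USERS.get(user, {}).get("password") != password:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "mfa": False}
        return sid

    def verify_otp(self, sid, code):
        s = self.sessions.get(sid)
        if s is None:
            return False
        # Always counter 0 and no attempt limit: the code is reusable and brute-forceable.
        if code == make_otp(USERS[s["user"]]["otp_secret"], 0):
            s["mfa"] = True
            return True
        return False

    def api_profile(self, sid, cookie_mfa="0"):
        return 200 if sid in self.sessions else 401          # served before the second factor

    def api_sensitive(self, sid, cookie_mfa="0"):
        s = self.sessions.get(sid)
        if s is None:
            return 401
        return 200 if (s["mfa"] or cookie_mfa == "1") else 403   # trusts a client-side flag


class HardenedApp(VulnerableApp):
    """Server-side MFA state, single-use counter-based codes, attempt lockout."""
    def __init__(self):
        super().__init__()
        self.counters = {u: 0 for u in USERS}   # per-user HOTP counter

    def login(self, user, password):
        sid = super().login(user, password)
        if sid:
            self.sessions[sid]["attempts"] = 0
        return sid

    def verify_otp(self, sid, code):
        s = self.sessions.get(sid)
        if s is None or s["mfa"] or s["attempts"] >= MAX_OTP_ATTEMPTS:
            return False
        s["attempts"] += 1
        user = s["user"]
        expected = make_otp(USERS[user]["otp_secret"], self.counters[user])
        if hmac.compare_digest(code.encode(), expected.encode()):
            self.counters[user] += 1    # burn the code: a replayed one no longer matches
            s["mfa"] = True
            return True
        return False

    def api_profile(self, sid, cookie_mfa="0"):
        s = self.sessions.get(sid)
        return 200 if s and s["mfa"] else 401   # nothing is served pre-MFA; cookie ignored

    api_sensitive = api_profile


def current_code(app, user="alice"):
    """Harness-side helper playing the legitimate authenticator (it knows the counter)."""
    return make_otp(USERS[user]["otp_secret"], getattr(app, "counters", {}).get(user, 0))


def run_probes(app):
    """Return the names of the MFA weaknesses the app exhibits."""
    findings = []
    pw = USERS["alice"]["password"]

    sid = app.login("alice", pw)                    # password only, no OTP submitted
    if app.api_profile(sid) == 200:
        findings.append("pre-mfa-session-access")
    if app.api_sensitive(sid, cookie_mfa="1") == 200:
        findings.append("client-side-mfa-gate")

    code = current_code(app)                        # replay: same code on two sessions
    if app.verify_otp(app.login("alice", pw), code) and app.verify_otp(app.login("alice", pw), code):
        findings.append("otp-reuse")

    sid = app.login("alice", pw)                    # 20 wrong guesses, then the real code
    wrong = f"{(int(current_code(app)) + 1) % 1_000_000:06d}"
    for _ in range(20):
        app.verify_otp(sid, wrong)
    if app.verify_otp(sid, current_code(app)):
        findings.append("no-otp-rate-limit")
    return findings
```

`run_probes(VulnerableApp())` reports all four weaknesses and `run_probes(HardenedApp())` reports none. Against a real target the same four probes translate to: call an authenticated endpoint with the post-password session before submitting the code, replay a captured code on a second session, tamper with whatever cookie or token claim carries the MFA state, and submit a burst of wrong codes followed by the right one.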
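The "partial failure exploitation" item above (payment captured but order not created, retry amplification causing duplicate side effects), worked through as an added example that is not code from the issue author or from the Strix project. A two-step checkout captures payment and then writes the order; fault injection makes the order write fail, and a retrying client shows how the naive version multiplies charges while an idempotency-keyed version converges. The payment gateway, order store, cart id and function names are constructed for this example.

```python
import uuid


class Gateway:
    """Constructed stand-in for a payment processor; it records every capture it honours."""
    def __init__(self):
        self.captures = []     # (capture_id, amount) in the order they were taken
        self.voided = set()
        self.seen_keys = {}    # idempotency key -> capture id already issued for it

    def capture(self, amount, idempotency_key=None):
        if idempotency_key is not None and idempotency_key in self.seen_keys:
            return self.seen_keys[idempotency_key]   # replayed request: no second charge
        cid = uuid.uuid4().hex
        self.captures.append((cid, amount))
        if idempotency_key is not None:
            self.seen_keys[idempotency_key] = cid
        return cid

    def void(self, capture_id):
        self.voided.add(capture_id)

    def charged(self):
        """Money actually taken from the customer: captures that were never voided."""
        return sum(amount for cid, amount in self.captures if cid not in self.voided)


class OrderStore:
    """Constructed order service with fault injection: the first n writes fail."""
    def __init__(self, fail_first_n=0):
        self.orders = {}
        self.fail_remaining = fail_first_n

    def create(self, order_id, capture_id, amount):
        if self.fail_remaining > 0:
            self.fail_remaining -= 1
            raise RuntimeError("order service unavailable")
        self.orders[order_id] = {"capture": capture_id, "amount": amount}


def checkout_naive(gateway, store, cart_id, amount):
    """Capture, then write the order. If the write fails, the capture is already done."""
    cid = gateway.capture(amount)
    store.create(uuid.uuid4().hex, cid, amount)   # fresh id each try: retries duplicate both
    return cid


def checkout_idempotent(gateway, store, cart_id, amount):
    """Same two steps, but every side effect is keyed by the cart so a retry converges."""
    cid = gateway.capture(amount, idempotency_key=f"capture:{cart_id}")
    store.create(f"order:{cart_id}", cid, amount)
    return cid


def retry(fn, attempts):
    """Client that retries on any error, as a mobile app or API proxy typically does."""
    last = None
    for _ in range(attempts):
        try:
            return fn()
        except RuntimeError as exc:
            last = exc
    raise last


def reconcile(gateway, store):
    """Compensation sweep: void every capture that no stored order references."""
    referenced = {o["capture"] for o in store.orders.values()}
    for cid, _ in gateway.captures:
        if cid not in referenced:
            gateway.void(cid)


def simulate(checkout, fail_first_n, attempts, amount=100, reconcile_after=False):
    """Run one checkout under fault injection and report what the customer ends up with."""
    gateway, store = Gateway(), OrderStore(fail_first_n)
    try:
        retry(lambda: checkout(gateway, store, "cart-42", amount), attempts)
    except RuntimeError:
        pass   # client gave up; whatever was captured so far stays captured
    if reconcile_after:
        reconcile(gateway, store)
    return {"captures": len(gateway.captures), "charged": gateway.charged(),
            "orders": len(store.orders)}
```

With two injected failures and three client attempts, `simulate(checkout_naive, 2, 3)` ends with three captures (300 charged) behind one order, while `simulate(checkout_idempotent, 2, 3)` ends with one capture and one order. When the client gives up entirely (`fail_first_n=5`), the idempotent path still leaves one orphaned capture, which is why the compensation sweep is needed as well: idempotency keys stop amplification, reconciliation cleans up the half-committed remainder. The testing angle is the mirror image: inject the failure between the two steps (or just retry a request whose first response timed out) and check whether the side effects multiply.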
