Chimera Scenario Compatibility Matrix
Generated on 2026-03-11 for backlog task TASK-28. This matrix audits the live Crucible scenario catalog against Chimera’s current API surface.
HIPAA rows were manually refreshed on 2026-05-29 for TASK-74.7 against the current Crucible HIPAA scenarios and Chimera apps/vuln-api OpenAPI/routes. The summary counts below still describe the original generated matrix; use the HIPAA validation section for the first HIPAA evidence slice.
Sources
packages/catalog/scenarios/— 129 scenario JSON files in Crucible.../Chimera/apps/vuln-api/docs/openapi.yaml— 527 current Chimera path entries.docs/development/contracts/chimera-fedramp-openapi-extensions.md— Crucible’s consumer contract for Chimera FedRAMP OpenAPI annotations.../Chimera/docs/endpoints-catalog.md— planning catalog that still describes a smaller 240+ endpoint subset.../Chimera/docs/vulnerability-inventory.md— vulnerability inventory describing 114+ vulnerable endpoints and 200+ flaws.
Methodology
compatible: every unique scenario request URL matches a current Chimera OpenAPI route after stripping query strings and allowing OpenAPI path parameters such as{id}.needs-update: the scenario is explicitly Chimera-branded, already partially matches Chimera, or only needs deterministic path rewrites such as/api/auth/login -> /api/v1/auth/login.no-match: the scenario targets another app family entirely, depends on non-HTTP recon/static assets, or has no direct Chimera route evidence in the current OpenAPI spec.- Coverage counts are
matched-or-rewritten URLs / total unique scenario URLs. Query-string-only differences are ignored because Crucible resolves them at runtime against the same route. - High-confidence family splits come from scenario metadata, not a central registry. In particular,
chimera-*plus mostapi-demo-*files self-identify as Chimera-oriented, whilecrapi-*,vampi-*,vp-demo-*, and the OWASP sample scenarios point at other target labs.
FedRAMP Control-Mapping Drift Checks
FedRAMP compatibility should be evaluated as a second pass over route compatibility. A scenario can match a Chimera route and still have stale compliance metadata.
When Chimera OpenAPI operations include the FedRAMP extensions defined in docs/development/contracts/chimera-fedramp-openapi-extensions.md, the compatibility workflow should also verify:
- every scenario endpoint reference with
framework: fedrampresolves to an OpenAPI method/path operation; - the matched operation has
x-fedramp-controls,x-vulnerability-class,x-expected-defense, andx-evidence-types; - the scenario’s selected
controlIdappears in the matched operation’sx-fedramp-controls[].controlIdvalues; - the scenario’s selected assertion slug appears in the matched operation’s
x-fedramp-controls[].assertionvalues; - the operation control
familymatches thecontrolIdprefix, such asACforAC-3; x-evidence-typesincludes each evidence type the scenario expects to collect from Chimera;- route drift and control-map drift are reported separately so endpoint rewrites do not hide missing or stale FedRAMP mappings.
Suggested additional status labels for future generated matrices:
| Status | Meaning |
|---|---|
control-compatible |
Scenario route, selected assertion, selected control, and expected evidence types all match the OpenAPI operation annotation. |
missing-fedramp-annotation |
Route matches, but the OpenAPI operation does not expose the required FedRAMP extensions. |
stale-control-map |
Route matches, but the scenario references a control ID, assertion, or evidence type that is absent from the operation annotation. |
route-and-control-drift |
The scenario has both route mismatch and FedRAMP metadata mismatch. |
HIPAA Endpoint and Fixture Validation
Validated on 2026-05-29 for TASK-74.7. Route compatibility is good enough for the first HIPAA technical evidence slice, but deterministic evidence quality still depends on Chimera-owned fixture and response behavior updates.
| Scenario | Route coverage | Current Chimera behavior | Required contract for deterministic evidence | Owner / files |
|---|---|---|---|---|
compliance-hipaa-audit-suppression.json |
2/2 | POST /api/v1/healthcare/records/export returns 200 and sets audit_logged: false when X-Skip-Audit: true; POST /api/v1/admin/audit/suspend returns 200 unless the request body enables strict mode. |
Decide whether Crucible expects WAF-blocked evidence or Chimera strict-mode evidence. For Chimera-only deterministic runs, make audit suppression return an auditable denial for the HIPAA fixture path or update the scenario to send the existing strict-mode signal. | Chimera: apps/vuln-api/app/blueprints/healthcare/routes.py, apps/vuln-api/app/blueprints/admin/routes.py, apps/vuln-api/docs/openapi.yaml; validate with cd apps/vuln-api && uv run pytest tests/unit/test_healthcare_routes.py tests/unit/test_admin_routes.py -q. |
compliance-hipaa-emergency-access.json |
1/1 | POST /api/v1/healthcare/records/emergency-access returns 400 without justification and 200 with justification. |
Usable as the first break-glass route. Add an audit event id or audit-log side effect if the evidence export must prove the audit-log evidence type instead of relying on request/response only. |
Chimera: apps/vuln-api/app/blueprints/healthcare/routes.py, apps/vuln-api/docs/openapi.yaml; validate with cd apps/vuln-api && uv run pytest tests/unit/test_healthcare_routes.py -q. |
compliance-hipaa-minimum-necessary.json |
1/1 | GET /api/v1/healthcare/records/{record_id} exists, but P-88210 is not seeded and the route ignores clinical_token / billing_token; the response shape does not include psychotherapy_notes or invoice_id. |
Seed a deterministic P-88210 or rewrite the scenario to a stable Chimera record id, then make the route return full clinical data for clinical_token and a billing-filtered payload containing invoice_id and excluding psychotherapy_notes for billing_token. |
Chimera: apps/vuln-api/app/utils/demo_data.py, apps/vuln-api/app/blueprints/healthcare/routes.py, apps/vuln-api/docs/openapi.yaml; validate with cd apps/vuln-api && uv run pytest tests/unit/test_healthcare_routes.py -q. |
compliance-hipaa-patient-export.json |
1/1 | POST /api/v1/healthcare/records/export accepts patient_ids and returns export metadata, but it does not return patient record contents, redaction decisions, or explicit note-exclusion evidence. |
Usable as a route-level export probe. For stronger redaction evidence, return a deterministic export payload that includes allowed patient data and explicit exclusion/redaction metadata for psychotherapy and internal administrative notes. | Chimera: apps/vuln-api/app/blueprints/healthcare/routes.py, apps/vuln-api/docs/openapi.yaml; validate with cd apps/vuln-api && uv run pytest tests/unit/test_healthcare_routes.py -q. |
Crucible-side scenario metadata can remain unchanged for route discovery. Before implementing Chimera changes, confirm whether the first runnable HIPAA slice should exercise direct Chimera strict-mode behavior or a WAF/proxy block in front of Chimera; that choice determines whether the audit-suppression scenario should change its request body or rely on an external block signal.
Summary
- Compatible: 38
- Needs update: 52
- No match: 39
Family Breakdown
| Family | Total | Compatible | Needs update | No match |
|---|---|---|---|---|
| chimera-first | 33 | 17 | 16 | 0 |
| external-crapi | 5 | 0 | 2 | 3 |
| external-threatx-demo | 2 | 0 | 1 | 1 |
| external-vampi | 2 | 0 | 0 | 2 |
| external-vp-demo | 9 | 0 | 0 | 9 |
| generic | 78 | 21 | 33 | 24 |
Scenario Matrix
| Scenario | File | Family | Target | Status | Coverage | Key update notes |
|---|---|---|---|---|---|---|
| Advanced Persistent Threat (APT) | advanced-persistent-threat.json | generic | (default target) | needs-update | 6/18 | review remaining /robots.txt, /api/directory/public, /api/dependencies/scan |
| Advanced SQL Injection Campaign | advanced-sqli-campaign.json | generic | (default target) | needs-update | 1/5 | rewrite /api/login -> /api/v1/auth/login; review remaining /user/profile, /search, /products |
| Sensitive Data Leaking from LLM Context | ai-llm-data-leak.json | generic | (default target) | compatible | 2/2 | all scenario URLs match current Chimera OpenAPI routes |
| Indirect Prompt Injection via Document | ai-llm-indirect-injection.json | generic | (default target) | compatible | 2/2 | all scenario URLs match current Chimera OpenAPI routes |
| Direct Prompt Injection Attack | ai-llm-prompt-injection.json | generic | (default target) | compatible | 1/1 | all scenario URLs match current Chimera OpenAPI routes |
| Chimera Version & Endpoint Discovery | api-demo-api-versioning.json | chimera-first | (default target) | needs-update | 1/10 | review remaining /api/v1/version, /api/v2/version, /api/v0/admin/users |
| Advanced Persistent Threat Multi-Stage Campaign | api-demo-apt-campaign.json | chimera-first | (default target) | compatible | 15/15 | all scenario URLs match current Chimera OpenAPI routes |
| Chimera Authentication Attack Chain | api-demo-auth-attacks.json | chimera-first | (default target) | compatible | 10/10 | all scenario URLs match current Chimera OpenAPI routes |
| Botnet Console Showcase - Distributed Attack Simulation | api-demo-botnet-showcase.json | external-threatx-demo | (default target) | needs-update | 1/4 | rewrite /api/auth/login -> /api/v1/auth/login; review remaining /api/bot/detection-test, /api/attack/credential-stuffing, /api/attack/account-takeover |
| Chimera Business Logic Exploitation | api-demo-business-logic.json | chimera-first | (default target) | needs-update | 4/7 | review remaining /api/v1/ecommerce/ratings/bulk, /api/v1/ecommerce/vendors/privileges/escalate, /api/v1/ecommerce/vendors/inventory/sabotage |
| Chimera CORS & CSP Bypass Techniques | api-demo-cors-csp-bypass.json | chimera-first | (default target) | needs-update | 3/10 | rewrite /api/users/profile -> /api/v1/users/profile; review remaining /api/v1/auth/session, /api/data/sensitive, /api/jsonp/data?callback=alert |
| Chimera Cryptographic & Advanced Attacks | api-demo-crypto-advanced.json | chimera-first | (default target) | needs-update | 2/12 | rewrite /api/user/profile/nonexistent.css -> /api/v1/users/profile; review remaining /api/secure/data, /api/decrypt, /api/verify-signature |
| Chimera Data Exfiltration Techniques | api-demo-data-exfiltration.json | chimera-first | (default target) | needs-update | 3/12 | rewrite /api/users/profile?expand=&include=hidden,internal,private -> /api/v1/users/profile; review remaining /api/swagger.json, /api/graphql, /api/users/export?limit=999999&fields= |
| API Defender Showcase - Advanced API Protection | api-demo-defender-showcase.json | external-threatx-demo | (default target) | no-match | 0/5 | no direct Chimera route for /api/security/anomaly-detection, /api/admin/api-defender/stats, /api/security/rate-limit-test |
| Chimera E-commerce Browsing Session | api-demo-ecommerce-browsing.json | chimera-first | (default target) | compatible | 8/8 | all scenario URLs match current Chimera OpenAPI routes |
| Banking Account Takeover & Money Movement | api-demo-financial-fraud.json | chimera-first | (default target) | compatible | 11/11 | all scenario URLs match current Chimera OpenAPI routes |
| Healthcare PHI Data Breach Campaign | api-demo-healthcare-breach.json | chimera-first | (default target) | compatible | 10/10 | all scenario URLs match current Chimera OpenAPI routes |
| Industrial Control System Sabotage Campaign | api-demo-ics-ot-sabotage.json | chimera-first | (default target) | compatible | 10/10 | all scenario URLs match current Chimera OpenAPI routes |
| Chimera IDOR & Access Control Bypass | api-demo-idor-access-control.json | chimera-first | (default target) | needs-update | 4/10 | rewrite /api/users/profile/1 -> /api/v1/users/profile; rewrite /api/users/profile/ -> /api/v1/users/profile; rewrite /api/users/profile/update -> /api/v1/users/profile; review remaining /api/vendors/VENDOR-002/financial, /api/admin/users, /api/orders/550e8400-e29b-41d4-a716-446655440000 |
| Chimera Injection Attacks | api-demo-injection-attacks.json | chimera-first | (default target) | needs-update | 3/12 | review remaining /api/users/check?username=admin’ AND SLEEP(5)–, /api/network/ping, /api/users/search |
| Insurance Fraud & Claims Manipulation | api-demo-insurance-fraud.json | chimera-first | (default target) | needs-update | 9/10 | review remaining /api/v1/insurance/providers/billing |
| Chimera Legitimate User Flow | api-demo-legitimate-user-flow.json | chimera-first | (default target) | compatible | 8/8 | all scenario URLs match current Chimera OpenAPI routes |
| Chimera Mixed Behavior Pattern | api-demo-mixed-behavior.json | chimera-first | (default target) | compatible | 10/10 | all scenario URLs match current Chimera OpenAPI routes |
| Chimera OWASP Top 10 Comprehensive Chain | api-demo-owasp-top10.json | chimera-first | (default target) | needs-update | 4/12 | rewrite /api/users/profile?include_sensitive=true&fields=* -> /api/v1/users/profile; rewrite /api/users/profile -> /api/v1/users/profile; review remaining /api/orders/ORD-2024-9999, /api/export/all?limit=999999999, /api/admin/users/all |
| Payment Gateway & Merchant Fraud Campaign | api-demo-payment-exploitation.json | chimera-first | (default target) | compatible | 12/12 | all scenario URLs match current Chimera OpenAPI routes |
| Chimera Rate Limiting & DoS Attacks | api-demo-rate-limiting-dos.json | chimera-first | (default target) | needs-update | 3/11 | review remaining /API/Products/SEARCH?q=test, /api/../api/products/search?q=test, /api/upload |
| Chimera Realistic Traffic Pattern | api-demo-realistic-traffic.json | chimera-first | (default target) | compatible | 12/12 | all scenario URLs match current Chimera OpenAPI routes |
| Chimera Session Hijacking & Fixation | api-demo-session-hijacking.json | chimera-first | (default target) | needs-update | 8/9 | review remaining /api/v1/auth/transfer |
| Chimera SSRF & Open Redirect Chains | api-demo-ssrf-redirect.json | chimera-first | (default target) | needs-update | 0/11 | review remaining /api/fetch/url, /api/webhook/register, /api/import/feed |
| Supply Chain Vendor Compromise Campaign | api-demo-supply-chain-attack.json | chimera-first | (default target) | needs-update | 9/12 | review remaining /api/vendors/customers/data?include_pii=true, /api/vendors/relationships/exploit, /api/vendors/software/update |
| API Endpoint Discovery | api-endpoint-discovery.json | generic | (default target) | needs-update | 1/23 | rewrite /api/login -> /api/v1/auth/login; review remaining /api, /api/v1, /api/v2 |
| API Gateway Exploitation | api-gateway-exploitation.json | generic | (default target) | needs-update | 8/15 | review remaining /api/gateway/health, /api/gateway/../../../admin/config, /api/mesh/certificates |
| GraphQL Depth & Complexity DoS | api-logic-graphql-dos.json | generic | (default target) | no-match | 0/1 | no direct Chimera route for /api/v1/genai/graphql |
| HTTP Parameter Pollution (HPP) Bypass | api-logic-hpp-bypass.json | generic | (default target) | needs-update | 2/3 | rewrite /api/user/profile?id=123 -> /api/v1/users/profile; rewrite /api/user/profile?id=123&id=456 -> /api/v1/users/profile; review remaining /api/admin/settings |
| Unicode Normalization Bypass | api-logic-unicode-normalization.json | generic | (default target) | needs-update | 1/2 | rewrite /api/auth/login -> /api/v1/auth/login; review remaining /api/files/download?path=%ef%bc%8e%ef%bc%8e%ef%bc%8fetc/passwd |
| API Rate Limiting Bypass | api-rate-limit-bypass.json | generic | (default target) | needs-update | 2/3 | rewrite /api/login -> /api/v1/auth/login; rewrite /api/auth/login -> /api/v1/auth/login; review remaining /api/users |
| API Security Audit | api-security-audit.json | generic | (default target) | no-match | 0/6 | no direct Chimera route for /api/v1/swagger.json, /graphql, /api/v1/users/me |
| API10:2023 - Unsafe Consumption of APIs | api10-unsafe-api-consumption.json | external-crapi | http://localhost:8888 | no-match | 0/7 | no direct Chimera route for /identity/api/v2/user/videos, /webhook/callback, /identity/api/v2/user/videos/convert_video |
| API4:2023 - Rate Limit Bypass & Resource Exhaustion | api4-rate-limit-bypass.json | external-vp-demo | http://localhost:5000 | no-match | 0/4 | no direct Chimera route for /createUser, /login, /users/v1?limit=${LIMIT} |
| API5:2023 - Broken Function Level Authorization | api5-function-level-authz-bypass.json | external-vp-demo | http://localhost:5000 | no-match | 0/8 | no direct Chimera route for /createUser, /login, /users/v1/_debug |
| API7:2023 - Server-Side Request Forgery (SSRF) | api7-ssrf-cloud-metadata.json | external-crapi | http://localhost:8888 | no-match | 0/1 | no direct Chimera route for /identity/api/v2/user/videos/convert_video |
| API9:2023 - Improper Inventory Management | api9-improper-inventory-management.json | external-vp-demo | http://localhost:5000 | no-match | 0/10 | no direct Chimera route for ${VERSION_PATH}, ${DOC_PATH}, /users/${VERSION} |
| APT-Style Multi-Vector Persistent Campaign | apt-multi-vector-campaign.json | generic | (default target) | needs-update | 9/10 | review remaining /api/v1/integrations/discovery |
| Basic Authentication Bypass Probes | auth-bypass-basic.json | generic | (default target) | compatible | 2/2 | all scenario URLs match current Chimera OpenAPI routes |
| Banking Account Takeover Campaign | banking-account-takeover-campaign.json | generic | (default target) | compatible | 3/3 | all scenario URLs match current Chimera OpenAPI routes |
| Basic XSS Discovery Probes | basic-xss-discovery.json | generic | (default target) | compatible | 2/2 | all scenario URLs match current Chimera OpenAPI routes |
| Complex Multi-Level BOLA Chain | bola-multi-level-chain.json | generic | (default target) | compatible | 3/3 | all scenario URLs match current Chimera OpenAPI routes |
| Business Logic Manipulation Campaign | business-logic-manipulation.json | generic | (default target) | needs-update | 4/9 | rewrite /api/user/profile/1 -> /api/v1/users/profile; rewrite /api/user/profile -> /api/v1/users/profile; review remaining /api/checkout/steps, /api/transfer/initiate, /api/order/12345/status |
| Business Logic Race Condition | business-logic-race-condition.json | generic | (default target) | compatible | 2/2 | all scenario URLs match current Chimera OpenAPI routes |
| Chimera Banking IDOR Access | chimera-banking-idor.json | chimera-first | (default target) | compatible | 3/3 | all scenario URLs match current Chimera OpenAPI routes |
| Healthcare Record IDOR Access | chimera-healthcare-record-idor.json | chimera-first | (default target) | compatible | 4/4 | all scenario URLs match current Chimera OpenAPI routes |
| Chimera JWT Token Forgery | chimera-jwt-token-forgery.json | chimera-first | (default target) | compatible | 3/3 | all scenario URLs match current Chimera OpenAPI routes |
| Negative Quantity Cart Manipulation | chimera-negative-quantity-cart.json | chimera-first | (default target) | compatible | 1/1 | all scenario URLs match current Chimera OpenAPI routes |
| Chimera Password Reset Token Prediction | chimera-password-reset-prediction.json | chimera-first | (default target) | needs-update | 2/2 | rewrite /api/v1/auth/reset-password -> /api/v1/auth/reset |
| Payment Capture Overcharge Attack | chimera-payment-capture-overcharge.json | chimera-first | (default target) | compatible | 3/3 | all scenario URLs match current Chimera OpenAPI routes |
| Privilege Escalation via Role Elevation | chimera-privilege-escalation.json | chimera-first | (default target) | needs-update | 4/5 | review remaining /api/v1/admin/audit/suspend |
| Chimera SQL Injection Authentication Bypass | chimera-sqli-auth-bypass.json | chimera-first | (default target) | compatible | 1/1 | all scenario URLs match current Chimera OpenAPI routes |
| Chimera SQL Injection Data Extraction | chimera-sqli-data-extraction.json | chimera-first | (default target) | compatible | 1/1 | all scenario URLs match current Chimera OpenAPI routes |
| SSRF Cloud Metadata and Internal Service Access | chimera-ssrf-cloud-metadata.json | chimera-first | (default target) | needs-update | 1/2 | review remaining /api/integrations/webhook/register |
| Serverless Function Environment Hijacking | cloud-native-lambda-hijack.json | generic | (default target) | no-match | 0/1 | no direct Chimera route for /api/v1/infrastructure/compute/process-image |
| Object Storage Pre-signed URL Abuse | cloud-native-s3-presigned-abuse.json | generic | (default target) | no-match | 0/1 | no direct Chimera route for /api/v1/infrastructure/storage/presign |
| IMDSv1/v2 SSRF Attack | cloud-native-ssrf-imds.json | generic | (default target) | compatible | 2/2 | all scenario URLs match current Chimera OpenAPI routes |
| Sophisticated OS Command Injection | command-injection-sophisticated.json | generic | (default target) | compatible | 1/1 | all scenario URLs match current Chimera OpenAPI routes |
| FedRAMP Non-FIPS Cipher Negotiation Probe | compliance-fedramp-cipher-negotiation.json | generic | (default target) | needs-update | 1/1 | rewrite /api/v1/health -> /api/v1/auth/status |
| FedRAMP Cross-Tenant Data Leakage Probe | compliance-fedramp-cross-tenant.json | generic | (default target) | compatible | 2/2 | all scenario URLs match current Chimera OpenAPI routes |
| GDPR Consent Preference Conflict Probe | compliance-gdpr-consent-conflict.json | generic | (default target) | no-match | 0/2 | no direct Chimera route for /api/v1/user/consent, /api/v1/marketing/send-promotion |
| HIPAA Audit Log Suppression Attempt | compliance-hipaa-audit-suppression.json | generic | (default target) | compatible | 2/2 | routes now match current Chimera OpenAPI; behavior still needs strict/WAF blocking decision for deterministic audit-suppression evidence |
| HIPAA Emergency Access (Break Glass) Abuse | compliance-hipaa-emergency-access.json | generic | (default target) | compatible | 1/1 | all scenario URLs match current Chimera OpenAPI routes |
| HIPAA Minimum Necessary Access Control Check | compliance-hipaa-minimum-necessary.json | generic | (default target) | compatible | 1/1 | route matches current Chimera OpenAPI; deterministic fixture and role-filtered response behavior are still needed |
| HIPAA Patient Right to Access Disclosure Check | compliance-hipaa-patient-export.json | generic | (default target) | compatible | 1/1 | all scenario URLs match current Chimera OpenAPI routes |
| PCI DSS Payment Page Integrity Probe | compliance-pci-page-integrity.json | generic | (default target) | no-match | 0/2 | no direct Chimera route for /api/v1/checkout/session, /api/v1/checkout/ui-state |
| PCI DSS Insecure PAN Logging Probe | compliance-pci-pan-logging.json | generic | (default target) | compatible | 2/2 | all scenario URLs match current Chimera OpenAPI routes |
| PCI DSS CDE Segmentation Probe | compliance-pci-segmentation.json | generic | (default target) | compatible | 2/2 | all scenario URLs match current Chimera OpenAPI routes |
| SOC 2 Access Review & Credential Lifecycle Probe | compliance-soc2-access-review.json | generic | (default target) | needs-update | 1/1 | rewrite /api/v1/system/status -> /api/v1/auth/status |
| SOC 2 Unauthorized Configuration Change | compliance-soc2-config-change.json | generic | (default target) | compatible | 1/1 | all scenario URLs match current Chimera OpenAPI routes |
| SOC 2 Availability & DoS Resilience Probe | compliance-soc2-dos-resilience.json | generic | (default target) | needs-update | 1/1 | rewrite /api/v1/status -> /api/v1/auth/status |
| crAPI - Vehicle Data Enumeration (BOLA) | crapi-bola-vehicle-enumeration.json | external-crapi | http://localhost:8888 | needs-update | 1/4 | rewrite /identity/api/auth/login -> /api/v1/auth/login; review remaining /identity/api/v2/vehicle/vehicles, /identity/api/v2/vehicle/${VEHICLE_ID}, /identity/api/v2/vehicle/${VEHICLE_ID}/location |
| crAPI - JWT Secret Leak & Token Forgery | crapi-jwt-secret-leak.json | external-crapi | http://localhost:8888 | needs-update | 2/7 | rewrite /identity/api/auth/signup -> /api/v1/auth/register; rewrite /identity/api/auth/login -> /api/v1/auth/login; review remaining /identity/api/v2/user/videos, /identity/api/v2/user/videos/1, /identity/api/v2/admin/users |
| Cryptographic Weakness Exploitation Campaign | cryptographic-weakness-exploitation.json | generic | (default target) | needs-update | 1/11 | rewrite /api/auth/reset-password -> /api/v1/auth/reset; review remaining /, /api/secure-endpoint, /api/file/verify |
| CSRF Token Bypass Campaign | csrf-token-bypass.json | generic | (default target) | no-match | 0/5 | no direct Chimera route for /account/settings, /api/csrf-token, /account/change-email |
| Directory Enumeration (Python/Flask API) | directory-enumeration-python-api.json | generic | (default target) | needs-update | 1/40 | review remaining /robots.txt, /sitemap.xml, /.well-known/security.txt |
| Directory Enumeration | directory-enumeration-slow.json | generic | (default target) | no-match | 0/30 | no direct Chimera route for /robots.txt, /sitemap.xml, /.well-known/security.txt |
| Advanced Directory Traversal | directory-traversal-advanced.json | generic | (default target) | compatible | 2/2 | all scenario URLs match current Chimera OpenAPI routes |
| Distributed API Reconnaissance Swarm | distributed-api-reconnaissance-swarm.json | generic | (default target) | no-match | 0/12 | no direct Chimera route for /favicon.ico, /robots.txt, /sitemap.xml |
| Advanced DOM-Based XSS Campaign | dom-xss-advanced.json | generic | (default target) | no-match | 0/9 | no direct Chimera route for /app, /dashboard, /api/frame/message |
| Advanced E-commerce Cart Manipulation Campaign | ecommerce-advanced-cart-manipulation.json | generic | (default target) | needs-update | 12/15 | review remaining /api/pricing/rules, /api/pricing/calculate, /api/payment/methods/add |
| Checkout Process Exploitation Campaign | ecommerce-checkout-exploitation.json | generic | (default target) | needs-update | 5/15 | review remaining /api/checkout/steps, /api/checkout/payment-methods, /api/taxes/rates |
| E-commerce Loyalty Program Exploitation Campaign | ecommerce-loyalty-program-exploitation.json | generic | (default target) | compatible | 14/14 | all scenario URLs match current Chimera OpenAPI routes |
| Malicious File Upload Bypass | file-upload-bypass.json | generic | (default target) | no-match | 0/2 | no direct Chimera route for /upload, /api/upload |
| GraphQL Injection and DoS | graphql-injection.json | generic | (default target) | no-match | 0/1 | no direct Chimera route for /graphql |
| Healthcare Data Breach Campaign | healthcare-data-breach.json | generic | (default target) | needs-update | 8/14 | review remaining /api/providers/network/search, /api/providers/auth/login, /api/hipaa/records/patient |
| HTTP Request Smuggling Attack Chain | http-request-smuggling.json | generic | (default target) | needs-update | 1/8 | rewrite /api/user/profile -> /api/v1/users/profile; review remaining /, /api/data, /api/submit |
| OAuth2 PKCE Enforcement Bypass Probe | identity-oauth2-pkce-bypass.json | generic | (default target) | needs-update | 2/2 | rewrite /api/v1/oauth/authorize?client_id=public-spa&response_type=code&redirect_uri=https://app.example.com/callback&scope=openid profile -> /api/v1/auth/oauth/authorize; rewrite /api/v1/oauth/token -> /api/v1/auth/oauth/token |
| OIDC Claim Injection & Privilege Escalation | identity-oidc-claim-injection.json | generic | (default target) | needs-update | 1/2 | rewrite /api/v1/auth/callback -> /api/v1/auth/oauth/callback; review remaining /api/v1/auth/userinfo |
| Session Fixation via Refresh Tokens | identity-session-fixation.json | generic | (default target) | needs-update | 2/3 | rewrite /api/v1/auth/token/refresh -> /api/v1/auth/refresh; review remaining /api/v1/auth/session/fixate |
| Insurance Claims Processing Fraud Campaign | insurance-claims-processing-fraud.json | generic | (default target) | needs-update | 10/15 | rewrite /api/users/profile -> /api/v1/users/profile; review remaining /api/claims/endpoints, /api/medical/records/update, /api/providers/register |
| Insurance Underwriting Data Manipulation | insurance-underwriting-manipulation.json | generic | (default target) | no-match | 0/14 | no direct Chimera route for /api/underwriting/system/info, /api/underwriting/risk-models/list, /api/actuarial/data/query-test |
| Advanced JWT Cryptographic Attacks | jwt-advanced-attacks.json | generic | (default target) | compatible | 3/3 | all scenario URLs match current Chimera OpenAPI routes |
| JWT Token Manipulation | jwt-token-manipulation.json | generic | (default target) | needs-update | 2/8 | rewrite /api/auth/login -> /api/v1/auth/login; rewrite /api/user/profile -> /api/v1/users/profile; review remaining /api/admin/users, /api/admin/settings, /api/admin/delete |
| Advanced LDAP Injection Campaign | ldap-injection-advanced.json | generic | (default target) | needs-update | 1/5 | rewrite /api/auth/login -> /api/v1/auth/login; review remaining /api/directory/search, /api/users, /api/auth/validate |
| Marketplace Vendor Impersonation Campaign | marketplace-vendor-impersonation.json | generic | (default target) | needs-update | 4/14 | review remaining /api/vendors/registration-info, /api/vendors/profile-template, /api/vendors/password-reset |
| Mobile Application Penetration Test | mobile-app-pentest.json | generic | (default target) | no-match | 0/4 | no direct Chimera route for /mobile/api/config, /mobile/deeplink, /mobile/api/auth |
| Mobile Banking API Exploitation | mobile-banking-api-exploitation.json | generic | (default target) | compatible | 15/15 | all scenario URLs match current Chimera OpenAPI routes |
| NoSQL Injection - MongoDB | nosql-injection-mongodb.json | generic | (default target) | needs-update | 2/7 | rewrite /api/auth/login -> /api/v1/auth/login; review remaining /api/users, /api/users/search, /api/orders/filter |
| OWASP API Security Top 10 (2023) - Complete Test Campaign | owasp-api-top10-comprehensive-campaign.json | external-crapi | http://localhost:8888 | no-match | 0/0 | scenario uses variable-driven endpoints only; manual review required |
| Payment Processing Fraud Campaign | payment-processing-fraud.json | generic | (default target) | needs-update | 1/11 | review remaining /api/payments/config, /api/payments/methods, /api/merchant/info |
| Network Port Scanning | port-scan-reconnaissance.json | generic | (default target) | no-match | 0/25 | no direct Chimera route for /:22, /:21, /:23 |
| Right-to-be-Forgotten Residual Data Probe | privacy-forget-me-bypass.json | generic | (default target) | needs-update | 1/3 | review remaining /api/v1/auth/delete, /api/v1/integrations/analytics/data |
| PII Harvesting via User Enumeration | privacy-pii-harvesting.json | generic | (default target) | compatible | 2/2 | all scenario URLs match current Chimera OpenAPI routes |
| Regulatory Compliance Evasion | regulatory-compliance-evasion.json | generic | (default target) | no-match | 0/15 | no direct Chimera route for /api/compliance/infrastructure/status, /api/compliance/aml/.well-known/endpoints, /api/kyc/verify/test-mode |
| Security Monitoring Blind Spot Exploitation | security-monitoring-evasion.json | generic | (default target) | needs-update | 1/12 | rewrite /api/user/profile -> /api/v1/users/profile; review remaining /.well-known/security.txt, /api/health, /api/feedback |
| SSRF Cloud Metadata Exploitation | ssrf-cloud-metadata.json | generic | (default target) | no-match | 0/5 | no direct Chimera route for /api/fetch, /webhook/test, /proxy/request |
| Server-Side Template Injection Multi-Engine | ssti-template-engines.json | generic | (default target) | no-match | 0/9 | no direct Chimera route for /search, /api/render, /api/template/compile |
| Subdomain Discovery | subdomain-reconnaissance.json | generic | (default target) | no-match | 0/1 | no direct Chimera route for / |
| Dependency Confusion Reconnaissance | supply-chain-dependency-confusion.json | generic | (default target) | no-match | 0/3 | no direct Chimera route for /static/js/main.chunk.js, /api/v1/system/version, /api/v1/debug/dependencies |
| Supply Chain Poisoning Campaign | supply-chain-poisoning-campaign.json | generic | (default target) | no-match | 0/12 | no direct Chimera route for /package.json, /.well-known/npm-package-listing, /assets/lib/jquery-3.6.0.min.js |
| CI/CD Webhook Poisoning Attack | supply-chain-webhook-poisoning.json | generic | (default target) | no-match | 0/1 | no direct Chimera route for /api/v1/webhooks/github |
| Technology Fingerprinting (Python/Flask API) | tech-fingerprinting-python-api.json | generic | (default target) | needs-update | 1/27 | review remaining /robots.txt, /version.txt, /.well-known/security.txt |
| Technology Fingerprinting | tech-fingerprinting.json | generic | (default target) | needs-update | 1/18 | review remaining /robots.txt, /version.txt, /.well-known/security.txt |
| Third-Party Integration Attacks | third-party-integration-attacks.json | generic | (default target) | needs-update | 7/14 | review remaining /.well-known/openid_configuration, /api/oauth/callback, /api/auth/social/google |
| VAmPI - BOLA Books Database Enumeration | vampi-bola-books-enumeration.json | external-vampi | http://localhost:5000 | no-match | 0/5 | no direct Chimera route for /createUser, /login, /books/v1 |
| VAmPI - Mass Assignment Privilege Escalation | vampi-mass-assignment-privilege-escalation.json | external-vampi | http://localhost:5000 | no-match | 0/5 | no direct Chimera route for /, /createUser, /login |
| 01 - Single SQLi Probe | vp-demo-01-single-sqli-probe.json | external-vp-demo | (default target) | no-match | 0/1 | no direct Chimera route for https://localhost:6190/ |
| 02 - XSS Attempt | vp-demo-02-xss-attempt.json | external-vp-demo | (default target) | no-match | 0/1 | no direct Chimera route for https://localhost:6190/search |
| 03 - Behavioral Trigger | vp-demo-03-behavioral-trigger.json | external-vp-demo | (default target) | no-match | 0/4 | no direct Chimera route for https://localhost:6190/api/users, https://localhost:6190/search, https://localhost:6190/api/files |
| 04 - Clean Request After Ban | vp-demo-04-clean-request-after-ban.json | external-vp-demo | (default target) | no-match | 0/1 | no direct Chimera route for https://localhost:6190/api/health |
| 05 - Schema Violation | vp-demo-05-schema-violation.json | external-vp-demo | (default target) | no-match | 0/1 | no direct Chimera route for https://localhost:6190/api/users |
| 06 - Trap Endpoint | vp-demo-06-trap-endpoint.json | external-vp-demo | (default target) | no-match | 0/1 | no direct Chimera route for https://localhost:6190/wp-login.php |
| WebSocket Logic & Security Manipulation | websocket-logic-manipulation.json | generic | (default target) | no-match | 0/1 | no direct Chimera route for /api/v1/integrations/ws/simulate-frame |
| XML External Entity (XXE) Injection | xxe-injection-xml.json | generic | (default target) | no-match | 0/7 | no direct Chimera route for /api/xml/upload, /api/xml/parse, /api/xml/process |
Recommended Follow-up
- Prioritize the
chimera-firstscenarios markedneeds-update; they are the fastest wins because they already target current Chimera domains but have route drift. - For FedRAMP scenario work, prioritize routes in the seed endpoint-control map before expanding broader Chimera coverage.
- Add a generated control-map drift section after Chimera OpenAPI annotations land so compliance metadata can be audited independently of path compatibility.
- Treat
external-crapi,external-vampi,external-vp-demo, andexternal-threatx-demorows markedno-matchas candidates for replacement scenarios instead of path-only rewrites. - If TASK-29 expands Chimera-native coverage further, re-run this audit against the updated
openapi.yamlbefore editing scenario JSON files.