Paste any source → SKILL.md (/distill-skill); log run outcomes (/observe-skill); inspect failure history and propose amendments (/amend-skill).
npx claudepluginhub securityfortech/hacking-skills --plugin meta
CI/CD pipeline security auditor. Activate when tasked with reviewing GitHub Actions workflows, CI/CD pipelines, supply chain security, or DevOps infrastructure. Covers script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
Mobile application penetration tester for Android and iOS. Activate when tasked with testing mobile apps, APKs, IPAs, or mobile APIs. Covers insecure storage, weak crypto, authentication bypass, network security, platform interaction, code quality, and anti-reversing resilience.
Web application penetration tester. Activate when tasked with testing, auditing, or bug hunting on a web application or API. Covers the full attack surface: recon, authentication, authorization, session, injection, client-side, and business logic.
Use when hunting CI/CD bot comment command vulnerabilities where issue_comment or pull_request_review_comment triggers invoke privileged workflows without verifying the commenter's identity or authorization. Trigger on: "bot command injection", "issue_comment trigger", "@github-actions", "slash command CI", "CI bot command", "comment triggered workflow", "unauthenticated bot", "github-actions publish", "comment dispatch", no authorization check on workflow_dispatch from comment, chatops CI/CD, supply chain via PR comment.
Use when hunting GitHub Actions cache poisoning vulnerabilities where an attacker can inject malicious content into the CI/CD cache and have it restored by a privileged downstream workflow. Trigger on: "cache poisoning", "actions/cache", "actions/setup-node", "node_modules cache", "GitHub Actions cache", "pnpm cache", "LRU eviction", "10GB limit", "Cacheract", "poisoned cache", "workflow cache attack", supply chain via CI cache, "ng-renovate", "cache stuffing", scheduled workflow cache restore, shared cache key, "hashFiles package.json", cross-workflow cache, PR workflow release workflow same key, "npm install prefer-offline", Cacheract, Gato-X, supply chain npm token.
Use when auditing GitHub Actions workflows for script injection vulnerabilities via unsanitized context expressions. Trigger on: "github actions injection", "workflow injection", "head_ref injection", "github context injection", "pwn request", "github.head_ref", "github.event.pull_request.title", "github.event.issue.body", pull_request_target workflows, run: steps interpolating GitHub context variables, CI/CD script injection, GitHub Actions security audit.
Use when hunting Pwn Request vulnerabilities where pull_request_target workflows checkout attacker-controlled PR code and execute it in a privileged context with access to repository secrets. Trigger on: "pwn request", "pull_request_target", "checkout PR head", "npm install in CI", "lifecycle scripts in CI", "preinstall script", "postinstall script", "package.json scripts CI", "npm ci ignore-scripts false", "actions/checkout ref pull request head sha", privileged workflow running PR code, "Gato-X", supply chain via PR lifecycle scripts.
Use when hunting self-hosted GitHub Actions runner vulnerabilities where fork pull requests can execute on privileged non-ephemeral runners. Trigger on: "self-hosted runner", "runs-on self-hosted", "fork PR workflow", "non-ephemeral runner", "first-time contributor approval", "runner images", "azure-builds runner", "outside collaborator approval", "runs-on matrix", "persistent runner", "Gato GitHub Attack Toolkit", "runner agent", self-hosted CI/CD runner abuse, "git config token", "workflow log deletion", runner C2.
Inspects a skill's SKILL.md and its observations/runs.md log, identifies failure patterns, and proposes a targeted amendment to improve the skill. Trigger on: "improve this skill", "fix this skill", "update this skill", "why does X keep failing", "this skill is wrong", "add this to the skill", or automatically when observations/<skill-name>/runs.md contains 3 or more failure entries. Outputs the amendment as a diff the user can review before applying. Records the amendment rationale in observations/<skill-name>/runs.md after user confirmation.
Use when the user wants to extract reusable offensive security knowledge from any source and generate a SKILL.md file. Trigger on: "distill this", "extract skill from", "turn this into a skill", "generate skill from", "convert this report/blog/book/walkthrough into a skill", or when the user pastes raw security content (bug report, pentest report, CTF writeup, blog post, ezine, book chapter) and wants it transformed into structured hunting methodology.
Logs the outcome of a skill execution to observations/<skill-name>/runs.md. Trigger on: "log this run", "skill worked", "skill failed", "this didn't work", "log the outcome", "record this", "note that", or after any skill completes with a clear success, partial, or failure outcome. Creates the observations file if it does not exist, then appends an entry with date, task description, skill used, outcome, what worked, what failed, and any error messages observed.
Detects authentication and biometric bypass vulnerabilities in mobile apps (Android/iOS). Trigger on: BiometricPrompt, LocalAuthentication, LAContext, evaluatePolicy, CryptoObject, Android Keystore, Secure Enclave, kSecAccessControlBiometryCurrentSet, userAuthenticationValidityDurationSeconds, confirmCredentials, biometric fallback, PIN bypass, passive authentication, enrolled biometrics detection, Frida hook auth, jailbreak bypass, TouchID, FaceID, fingerprint. Covers MASVS-AUTH-1/2/3.
Detects code quality vulnerabilities in mobile apps (Android/iOS). Trigger on: SQL injection in SQLite, JavaScript injection in WebViews, intent injection, unsafe deserialization, NSKeyedUnarchiver, NSCoding, Java serialization, Parcelable, buffer overflow, JNI native code, PIE disabled, NX disabled, stack canary absent, RELRO, ARC disabled, third-party library CVE, vulnerable dependency, outdated SDK, targetSdkVersion, update enforcement missing, implicit Intent, URL loading in WebView, object persistence, memory corruption, OWASP dependency check. Covers MASVS-CODE-1/2/3/4.
Detects weak or misconfigured cryptography in mobile apps (Android/iOS). Trigger on: hardcoded keys, ECB mode, DES, 3DES, RC4, MD5, SHA-1, SecureRandom misuse, static IV, reused IV, Math.random, arc4random, CommonCrypto, CryptoKit, Android Keystore, SecKey, AES-ECB, RSA without OAEP, insufficient key size, predictable seed, insecure key storage, broken hash, PBKDF2 iteration count. Covers MASVS-CRYPTO-1 (algorithm choice) and MASVS-CRYPTO-2 (key management).
Detects insecure network communication in mobile apps (Android/iOS). Trigger on: cleartext HTTP, TLS misconfiguration, certificate pinning bypass, hostname verification disabled, allowCleartextTraffic, NSAllowsArbitraryLoads, ATS exceptions, custom TrustManager, ALLOW_ALL_HOSTNAME_VERIFIER, TLS 1.0/1.1, weak cipher suites, certificate pinning absent, Network Security Configuration, onReceivedSslError, SSLSocket, OkHttp, NSURL, URLSession, certificate transparency, HSTS, MITM. Covers MASVS-NETWORK-1 (TLS required) and MASVS-NETWORK-2 (certificate validation).
Detects insecure platform interaction in mobile apps (Android/iOS). Trigger on: exported Activity, exported Service, exported BroadcastReceiver, Content Provider, Intent injection, deep link hijacking, WebView JavaScript enabled, JavascriptInterface, addJavascriptInterface, setJavaScriptEnabled, intent:// scheme, file:// scheme, WKWebView, WKScriptMessageHandler, UIPasteboard, URL scheme hijacking, Universal Links, PendingIntent, FLAG_IMMUTABLE, overlay attack, tapjacking, screenshot prevention, FLAG_SECURE, Broadcast sniffing, IPC data exposure. Covers MASVS-PLATFORM-1/2/3.
Detects weak reverse engineering and tampering protections in mobile apps (Android/iOS). Trigger on: root detection bypass, jailbreak detection bypass, Frida detection, debugger detection, anti-debugging, ptrace, sysctl, emulator detection, code obfuscation absent, debug symbols present, get-task-allow, ProGuard disabled, R8 disabled, string encryption, integrity check, file tampering, repackaging, dynamic instrumentation, runtime hook, Magisk hide, Magisk, frida-server, objection bypass, signing verification, apk resign. Covers MASVS-RESILIENCE-1/2/3/4.
Detects sensitive data stored insecurely on mobile devices (Android/iOS). Trigger on: SharedPreferences, NSUserDefaults, SQLite, Room DB, DataStore, Core Data, Keychain misconfiguration, external storage, backup exposure, plaintext files, unencrypted databases, adb backup, iCloud backup, NSFileProtection, EncryptedSharedPreferences, SQLCipher, allowBackup, FLAG_SECURE, keyboard cache, sensitive logs. Covers MASVS-STORAGE-1 (local storage) and MASVS-STORAGE-2 (exposure to unauthorized actors).
Bypass authentication via forced browsing to protected URLs, parameter tampering (authenticated=yes, debug=true, fromtrustIP=true), session ID prediction from linear/incremental cookies, SQL injection on login forms, PHP unserialize() boolean type juggling (b:1 payload), and credential transport over HTTP. Detectable with Burp Suite, OWASP ZAP, WebGoat.
Identify and exploit default or weak credentials on web application login forms, admin panels, CMS backends (WordPress wp-admin, Joomla, Drupal), and embedded device management interfaces. Signals include framework fingerprinting (WhatWeb, Wappalyzer, Nikto), exposed admin paths from robots.txt/dirbusting, and weak password policy acceptance of "Password1" or "123456". Tools: Burp Suite Intruder, Hydra, Medusa, OWASP ZAP.
Use when testing JWT-based authentication for algorithm confusion, alg:none bypass, weak HMAC secrets, missing expiration, kid parameter injection, and token storage in localStorage. Trigger on: Authorization: Bearer tokens, JWTs in cookies, any base64url-encoded header.payload.signature pattern, OAuth2 access tokens, API authentication tokens, SSO tokens, JWKS endpoints. Detects RS256→HS256 confusion, public key as HMAC secret, unverified kid values used in file reads or SQL queries, and JWT cracking with short secrets.
Exploit weak password reset and change flows via CSRF on reset forms, cross-user password modification by swapping username parameters, token predictability in reset links, reset displaying old password in plaintext (revealing weak storage), missing current-password verification on change forms, and session hijacker lockout via passwordless change. Test with Burp Suite, OWASP ZAP following OWASP Forgot Password Cheat Sheet.
Test horizontal and vertical authorization bypass via session ID swapping between accounts, IDOR through parameter manipulation (invoice=, user=, menuitem=, EventID=), and special header injection (X-Original-URL, X-Rewrite-URL, X-Forwarded-For, X-Remote-IP, X-Client-IP with 127.0.0.1/localhost/RFC1918 values). Tools: Burp Suite with Autorize/AuthMatrix extensions, OWASP ZAP Access Control Testing add-on.
Use when hunting Broken Object Level Authorization (BOLA) or Insecure Direct Object Reference (IDOR) vulnerabilities in APIs or web applications. Trigger on: "BOLA", "IDOR", "broken object level", "access other users", "object reference", numeric or UUID IDs in URLs or request bodies, user-scoped resources, horizontal privilege escalation, "change the ID in the request", second-order IDOR, blind IDOR, indirect reference, encoded ID, deprecated API version, JSON globbing.
Use when testing APIs and web frameworks for mass assignment vulnerabilities where user-controlled request body fields are bound directly to model attributes without a field allowlist. Trigger on: ORM update/create endpoints, REST APIs accepting JSON body, Rails strong parameters, Django model forms, Laravel fillable/guarded, Node.js Mongoose/Sequelize, PUT/PATCH requests, registration endpoints, profile update endpoints, GraphQL mutations. Detects privilege escalation via role/admin/isAdmin fields, plan upgrades via subscription fields, and horizontal access via ownerId/userId injection.
Exploit path traversal and local/remote file inclusion (LFI/RFI) via URL parameters, cookies, and hidden fields using ../ sequences, URL encoding (%2e%2e%2f), double encoding (%252e%252e%255c), Unicode bypasses (..%c0%af), and Windows UNC paths. PHP include/require with $_GET/$_POST/$_COOKIE pattern. Target /etc/passwd, boot.ini, web.config. Tools: DotDotPwn, WFuzz, Burp Suite, ZAP.
Clickjacking overlays a target page in a transparent or hidden iframe, tricking victims into clicking UI elements they cannot see. Detect by attempting to load the target in an iframe and checking for `X-Frame-Options` (DENY/SAMEORIGIN) or `Content-Security-Policy: frame-ancestors` headers. Frame-busting JavaScript can be bypassed via double-framing, `sandbox` attribute, `onBeforeUnload` exploitation, and IE `location` variable redefinition. Tools: Burp Suite (Clickjacking PoC generation).
CORS misconfiguration allows attacker-controlled origins to read sensitive cross-origin responses when servers echo the `Origin` header in `Access-Control-Allow-Origin` or set it to `*` with `Access-Control-Allow-Credentials: true`. Detect via `Origin: https://attacker.com` reflection in `Access-Control-Allow-Origin` response header, wildcard `*` on credentialed endpoints, and null origin acceptance. Tools: OWASP ZAP, Burp Suite, manual `fetch()` with `credentials: include`.
Use when hunting Client-Side Path Traversal (CSPT) vulnerabilities where attacker-controlled input is unsafely concatenated into the path component of a JavaScript fetch() or XHR request. Trigger on: "CSPT", "client-side path traversal", "fetch path traversal", "XHR path injection", "fetch concatenation", "../ in fetch", "user input in fetch URL", "path component injection", fetch redirect chaining, CSPT to XSS, open redirect fetch, "JavaScript fetch user input", DOM fetch injection.
Cross-Site Request Forgery (CSRF) tricks authenticated users into submitting forged requests to a target application by exploiting browser automatic cookie attachment. Detect via missing or predictable CSRF tokens in state-changing requests (POST/PUT/DELETE), absent `SameSite` cookie attributes, and JSON endpoints accepting `text/plain` Content-Type. Test using HTML auto-submitting forms, XHR requests, and CORS-enabled fetch. Tools: Burp Suite (Generate CSRF PoC), OWASP ZAP.
DOM-based XSS occurs when JavaScript reads attacker-controlled sources (`location.hash`, `document.referrer`, `window.name`, `location.search`) and passes them to dangerous sinks (`document.write`, `innerHTML`, `eval`, `location.href`, `setTimeout`, `jQuery.html()`) without sanitization. Unlike reflected/stored XSS, payloads never reach the server. Detect by auditing JavaScript for tainted data flow from DOM sources to sinks. Tools: Burp Suite DOM Invader, Chrome DevTools, DOMPurify (fix).
Use when testing redirect or return-URL parameters for open redirect vulnerabilities. Trigger on: ?redirect=, ?url=, ?next=, ?return_to=, ?continue=, ?dest=, ?destination=, ?return=, ?go= parameters; post-login/logout redirect flows; OAuth callback ?state=; any endpoint that reads a URL from input and issues a 301/302/307. Detects filter bypass via @-symbol, subdomain abuse, backslash normalization, double URL encoding, unicode homographs, null bytes, protocol-relative URLs, data:/javascript: schemes, fragment confusion, and DNS rebinding tricks.
OS command injection occurs when user input is passed unsanitized to a system shell via dangerous APIs: Java `Runtime.exec()`, Python `os.system/subprocess`, PHP `system/shell_exec/exec/proc_open`, C `system/exec`. Detect via pipe `|`, semicolon `;`, `&&`, `||`, backtick, `$()` operators, and time-delay payloads (`sleep 5`). Tools: Commix, Burp Suite, OWASP WebGoat.
HTTP request smuggling exploits disagreements between a front-end proxy and back-end server on where one HTTP request ends and the next begins, using conflicting `Content-Length` and `Transfer-Encoding: chunked` headers (CL.TE, TE.CL, TE.TE variants). Enables bypassing access controls, cache poisoning, session hijacking, and capturing other users' requests. Detect via timing attacks, differential responses, and tools like Burp's HTTP Request Smuggler extension.
SQL injection occurs when untrusted user input is interpolated directly into database queries, allowing attackers to alter query logic. Detect via single-quote errors, boolean-based blind responses (AND 1=1 vs AND 1=2), time-delay payloads (SLEEP, WAITFOR), UNION column enumeration, and error messages from MySQL, Oracle, MSSQL, PostgreSQL. Tools: sqlmap, sqlbftools, Burp Suite, wfuzz with SQLi fuzz strings.
Server-Side Request Forgery (SSRF) occurs when user-controlled input is used to construct URLs that the server fetches, enabling access to internal services, cloud metadata endpoints (169.254.169.254), and local files via `file://` scheme. Detect via parameters accepting URLs or hostnames, PDF/report generators rendering `<iframe>/<img>/<script>`, and blind SSRF via out-of-band DNS callbacks. Bypass filters using IP decimal/octal/hex encoding, URL-userinfo tricks, and URL fragments. Tools: Burp Collaborator, curl.
Server-Side Template Injection (SSTI) occurs when user input is embedded directly into a template engine (Jinja2, Twig, Freemarker, Pebble, Velocity, Smarty, Mako) and evaluated, enabling remote code execution. Detect via math expressions `{{7*7}}` returning `49`, or `${7*7}`, `<%= 7*7 %>`. Leads to full RCE via template sandbox escape, Python `__class__.__mro__` traversal, and Java reflection chains. Tools: tplmap, Burp Suite.
Reflected XSS occurs when user-supplied input is echoed in an HTTP response without sanitization, allowing script execution in the victim's browser. Detect via injecting `<script>alert(1)</script>`, event handlers like `onfocus`, HTML entity bypass, and encoding variants. Tools: Burp Suite, OWASP ZAP, PHP Charset Encoder (PCE), Hackvertor, XSS-Proxy, ratproxy.
Stored XSS (persistent XSS) occurs when attacker-supplied input is saved server-side and later rendered unencoded to other users. Common injection points include profile fields, comments, forum posts, file upload filenames, and application logs. Detect via PHP `$_GET/$_POST/$_REQUEST/$_FILES`, ASP `Request.Form`, JSP `request.getParameter`, and BeEF hook injection. Tools: Burp Suite, OWASP ZAP, BeEF, PHP Charset Encoder, Hackvertor.
XML External Entity (XXE) injection exploits XML parsers that process DTD external entity declarations, enabling local file disclosure (`file:///etc/passwd`), SSRF via `http://` entities, and DoS via Billion Laughs. Vulnerable Java APIs include `DocumentBuilder`, `SAXParser`, `dom4j`, `TransformerFactory`, `SAXReader`, `XMLInputFactory`, Xerces. Detect by injecting `<!DOCTYPE>` DTD with `SYSTEM` entity references. Tools: Burp Suite, wfuzz XML fuzz strings.
Business logic flaws are application vulnerabilities where valid functions are abused in unintended ways: price manipulation via hidden field tampering, workflow step-skipping, function call limit bypass (coupon reuse), process timing exploitation (race conditions on balance updates), and request forging via guessable/predictable parameters. Detect using Burp Suite proxy interception, HTTP POST/GET parameter analysis, and misuse-case testing against multi-step workflows. Tools: Burp Suite, OWASP ZAP.
Covers object-level authorization bypass in GraphQL APIs where introspection reveals hidden fields or mutations that accept arbitrary user/resource IDs without ownership checks. Trigger on keywords like "GraphQL", "query", "mutation", "introspection", "resolver", "node ID", "relay", "object type", "schema", "batching", or "alias". Applies to dual-stack REST+GraphQL apps, Relay-style global IDs, and unauthenticated resolvers.
Use when testing file upload endpoints for unrestricted file upload, MIME type bypass, magic byte spoofing, polyglot files, SVG XSS, XXE via Office documents, ZIP slip, and path traversal in filenames. Trigger on: multipart/form-data endpoints, avatar/document upload flows, import-from-file features, profile image, CSV/Excel import, DOCX/XLSX parsing, image resizing pipelines, archive extraction, and any endpoint that stores or serves user-supplied files. Detects extension bypass (shell.php.jpg), null byte injection, double extension, ImageMagick exploits, and content-type confusion.
Identify web server type/version, framework, and application entry points via banner grabbing, HTTP header analysis (Server, X-Powered-By, X-Generator), cookie names (CAKEPHP, laravel_session, wp-settings), HTML meta generators, robots.txt, source map files (.map), JS hardcoded secrets, and Google dorking (site:, inurl:, filetype:, intitle:) with tools Nikto, WhatWeb, Wappalyzer, Nmap, Shodan, Burp Suite, OWASP ZAP, Waybackurls.
Audit and attack session cookies via missing Secure/HttpOnly/SameSite attributes, overly broad Domain/Path scope, non-expiring persistent cookies, absent __Host- and __Secure- prefixes, browser cache leakage (Cache-Control: no-store missing), session token predictability via Burp Sequencer analysis, server-side session not invalidated on logout, and SSO single-logout bypass. Tools: Burp Suite Repeater/Sequencer, OWASP ZAP, EditThisCookie, Tamper Data, Cookiebro.
Detect and exploit session fixation (WSTG-SESS-01, WSTG-SESS-03) and session exposure (WSTG-SESS-04) by testing whether the server issues a new session token post-authentication, whether pre-login tokens remain valid after login, and whether session IDs are transmitted over HTTP or included in GET parameters. Analyze token randomness via Burp Sequencer. Test JSESSIONID, ASP.NET Forms Auth cookies. Tools: OWASP ZAP, Burp Suite Repeater/Sequencer, JHijack.