From vuln-scout
Identifies common web vulnerability patterns like SQL injection, command injection, XSS, and OWASP Top 10 during whitebox pentesting and code reviews.
npx claudepluginhub allsmog/vuln-scout --plugin whitebox-pentest
How this skill is triggered — by the user, by Claude, or both
Slash command
/vuln-scout:vuln-patterns
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Provide comprehensive knowledge of common web vulnerability patterns for whitebox penetration testing. Understanding these patterns enables identification of security flaws during code review and guides exploitation techniques.
Activate this skill when:
| Rank | Category | Code Indicators | Related Skill |
|---|---|---|---|
| A01 | Broken Access Control | Missing auth checks, IDOR patterns | business-logic |
| A02 | Cryptographic Failures | Weak algorithms, hardcoded keys | cryptographic-failures |
| A03 | Injection | User input in queries/commands | vuln-patterns (this skill) |
| A04 | Insecure Design | Logic flaws, missing controls | business-logic |
| A05 | Security Misconfiguration | Debug enabled, default creds | security-misconfiguration |
| A06 | Vulnerable and Outdated Components | Dependency vulns, build pipeline | (out of scope) |
| A07 | Identification and Authentication Failures | Weak session, credential issues | vuln-patterns (this skill) |
| A08 | Software and Data Integrity Failures | Deserialization, CI/CD issues | vuln-patterns (this skill) |
| A09 | Security Logging and Monitoring Failures | Missing logs, log injection | logging-failures |
| A10 | Server-Side Request Forgery | Attacker-controlled outbound fetches | vulnerability-chains, framework-patterns |
See owasp-2025 skill for complete mapping with CWE references.
Pattern: User input concatenated into SQL queries
Indicators:
Exploitation Flow:
Risk Impact: Data breach, authentication bypass, RCE (in some cases)
Pattern: User input passed to system command functions
Indicators:
Exploitation Flow:
Risk Impact: Remote Code Execution, full system compromise
Types:
Indicators:
Risk Impact: Session hijacking, credential theft, malware distribution
Pattern: User input in file path operations
Indicators:
Exploitation Flow:
Risk Impact: Information disclosure, source code leak, potential RCE
Pattern: Untrusted data passed to deserialization functions
Indicators:
Exploitation Flow:
Risk Impact: Remote Code Execution
Pattern: User-controlled URLs in server-side requests
Indicators:
Exploitation Flow:
Risk Impact: Internal network access, cloud metadata exposure
When SSRF response is not directly returned to the attacker, consider these exfiltration methods:
| Vector | How It Works | Detection |
|---|---|---|
| External Callback | SSRF visits attacker-controlled URL with data | Check if outbound requests are allowed |
| DNS Exfiltration | Data encoded in subdomain (e.g., secret.evil.com) | Works even with firewall restrictions |
| Cache Poisoning | Response cached, retrieved later by attacker | Check proxy cache config for static extensions |
| Error-Based | Error messages leak response data | Check error handling and logging |
| Timing/Blind | Response time reveals information | Measure response latency variations |
| File Write | Write response to accessible location | Check for file write primitives |
Cache-Based Exfiltration Pattern (commonly missed):
1. SSRF makes request to /sensitive-endpoint.png
2. Proxy caches response (thinks it's static file)
3. Attacker requests /sensitive-endpoint.png
4. Gets cached sensitive data
See cache-poisoning skill for detailed detection patterns.
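The "check proxy cache config for static extensions" step, as an added example (not part of the vuln-scout plugin): it models an extension-only cache rule next to a hardened rule and reports responses that only the weak rule would store. The extension list, header policy and sample responses are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

STATIC_EXT = {".png", ".jpg", ".css", ".js"}            # assumed proxy rule
STATIC_TYPES = ("image/", "text/css", "text/javascript", "application/javascript")

def ext_of(url):
    """Lower-cased file extension of the URL path, ignoring the query string."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()

def weak_should_cache(url, headers):
    """Extension-only decision: any path ending in .png etc. is stored."""
    return ext_of(url) in STATIC_EXT

def hardened_should_cache(url, headers):
    """Store only when the origin also marks the response static and shareable."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if ext_of(url) not in STATIC_EXT:
        return False
    if not h.get("content-type", "").startswith(STATIC_TYPES):
        return False
    directives = {d.strip().split("=")[0] for d in h.get("cache-control", "").split(",")}
    if directives & {"private", "no-store", "no-cache"}:
        return False
    return "set-cookie" not in h

def audit(responses):
    """URLs the weak rule would cache although the hardened rule refuses."""
    return [url for url, hdrs in responses
            if weak_should_cache(url, hdrs) and not hardened_should_cache(url, hdrs)]

# Constructed sample: (URL, response headers) pairs as seen at the proxy.
SAMPLE = [
    ("/static/logo.png", {"Content-Type": "image/png",
                          "Cache-Control": "public, max-age=3600"}),
    ("/sensitive-endpoint.png", {"Content-Type": "application/json",
                                 "Cache-Control": "private"}),
    ("/api/profile", {"Content-Type": "application/json"}),
    ("/account/avatar.png", {"Content-Type": "image/png", "Set-Cookie": "sid=abc"}),
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("cached by extension only:", url)
```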
Pattern: User input rendered in server-side templates
Indicators:
Exploitation Flow:
Risk Impact: Remote Code Execution
Use the dangerous-functions skill to find security-sensitive functions.
Use the data-flow-tracing skill to trace user input to sinks.
Match code patterns against known vulnerability types.
Consider filters, authentication, impact, and bypass potential.
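The four review steps above, sketched as an added example (not part of the vuln-scout plugin): a small Python AST pass that finds calls to security-sensitive functions and reports whether the first argument is built inline or needs its source traced. The sink table and the sample handler are constructed assumptions.

```python
import ast

# Sink table is an assumption for this example, not the plugin's own list.
SINKS = {
    "cursor.execute": "SQL injection",
    "os.system": "Command injection",
    "subprocess.run": "Command injection",
    "pickle.loads": "Insecure deserialization",
}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def classify(arg):
    """Describe how the first argument is built; None means a plain literal."""
    if isinstance(arg, ast.Constant):
        return None
    if isinstance(arg, (ast.BinOp, ast.JoinedStr)):
        return "built inline"
    if isinstance(arg, ast.Call) and getattr(arg.func, "attr", "") == "format":
        return "built inline"
    return "non-literal: trace its source"

def find_sinks(source):
    """Return sorted (line, call, category, reason) for suspicious sink calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and node.args:
            name, reason = dotted(node.func), classify(node.args[0])
            if name in SINKS and reason:
                findings.append((node.lineno, name, SINKS[name], reason))
    return sorted(findings)

# Constructed sample input: one concatenated query, one parameterised query.
SAMPLE = '''
def handler(cursor, req):
    cursor.execute("SELECT * FROM users WHERE id = " + req.args["id"])
    cursor.execute("SELECT * FROM users WHERE id = %s", (req.args["id"],))
    os.system(f"ping -c 1 {req.args['host']}")
    data = req.body
    pickle.loads(data)
'''
```

The parameterised `cursor.execute` call on line 4 of the sample is not reported, because its query text is a literal and the user value travels as a bound parameter.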
For detailed exploitation techniques:
references/injection-attacks.md - SQLi, Command Injection, LDAP Injection
references/deserialization-attacks.md - PHP, Java, Python, .NET gadgets
references/access-control.md - IDOR, privilege escalation, authorization bypass
references/auth-bypass.md - Authentication bypass, session attacks, JWT flaws
references/race-conditions.md - TOCTOU, double-spend, concurrency vulnerabilities