Skill

Vulnerability Patterns

This skill should be used when the user asks about "vulnerability patterns", "how to find SQL injection", "XSS patterns", "command injection techniques", "OWASP vulnerabilities", "common web vulnerabilities", "exploitation patterns", or needs to understand how specific vulnerability classes work during whitebox pentesting.

From vuln-scout

Install

Run in your terminal

npx claudepluginhub allsmog/vuln-scout --plugin vuln-scout

Tool Access

This skill uses the workspace's default tool permissions.

Supporting Assets

View in Repository

references/access-control.md

references/auth-bypass.md

references/deserialization-attacks.md

references/injection-attacks.md

references/race-conditions.md

references/reentrancy-solidity.md

references/state-before-validation.md

Skill Content

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

everything-claude-code

139.9k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

everything-claude-code

139.9k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

139.9k

Stats

Parent Repo Stars12

Parent Repo Forks1

Last CommitMar 24, 2026

Actions

View Source View Plugin View on GitHub View README

Vulnerability Patterns Reference

Purpose

Provide comprehensive knowledge of common web vulnerability patterns for whitebox penetration testing. Understanding these patterns enables identification of security flaws during code review and guides exploitation techniques.

When to Use

Activate this skill when:

Analyzing potential vulnerabilities found during sink search
Understanding how specific vulnerability classes work
Determining exploitability of identified code patterns
Learning attack techniques for specific vulnerability types

OWASP Top 10 Overview

Rank	Category	Code Indicators	Related Skill
A01	Broken Access Control	Missing auth checks, IDOR patterns	`business-logic`
A02	Cryptographic Failures	Weak algorithms, hardcoded keys	`cryptographic-failures`
A03	Injection	User input in queries/commands	`vuln-patterns` (this skill)
A04	Insecure Design	Logic flaws, missing controls	`business-logic`
A05	Security Misconfiguration	Debug enabled, default creds	`security-misconfiguration`
A06	Vulnerable and Outdated Components	Dependency vulns, build pipeline	(out of scope)
A07	Identification and Authentication Failures	Weak session, credential issues	`vuln-patterns` (this skill)
A08	Software and Data Integrity Failures	Deserialization, CI/CD issues	`vuln-patterns` (this skill)
A09	Security Logging and Monitoring Failures	Missing logs, log injection	`logging-failures`
A10	Server-Side Request Forgery	Attacker-controlled outbound fetches	`vulnerability-chains`, `framework-patterns`

See owasp-2025 skill for complete mapping with CWE references.

Core Vulnerability Categories

SQL Injection (SQLi)

Pattern: User input concatenated into SQL queries

Indicators:

String concatenation in query construction
Template literals/f-strings in SQL
Missing parameterized queries
Raw/native query methods

Exploitation Flow:

Identify injection point
Determine database type
Test with basic payloads
Extract data or escalate

Risk Impact: Data breach, authentication bypass, RCE (in some cases)

Command Injection

Pattern: User input passed to system command functions

Indicators:

Command execution functions with user data
Shell metacharacters not filtered
Insufficient input validation

Exploitation Flow:

Identify command execution sink
Trace user input to sink
Test command separators
Chain commands for exploitation

Risk Impact: Remote Code Execution, full system compromise

Cross-Site Scripting (XSS)

Types:

Reflected: Input reflected in response
Stored: Input persisted and displayed
DOM-based: Client-side JavaScript manipulation

Indicators:

User input in HTML output without encoding
Dynamic HTML insertion with user data
Missing output encoding

Risk Impact: Session hijacking, credential theft, malware distribution

Path Traversal / LFI

Pattern: User input in file path operations

Indicators:

File inclusion with user-controlled path
File read/write with user input
Missing path validation

Exploitation Flow:

Identify file operation with user input
Test traversal sequences
Target sensitive files
Chain with other vulnerabilities

Risk Impact: Information disclosure, source code leak, potential RCE

Deserialization

Pattern: Untrusted data passed to deserialization functions

Indicators:

Deserialization functions with user data
User-controlled serialized data
Missing type validation

Exploitation Flow:

Identify deserialization sink
Find gadget chains
Craft malicious payload
Achieve code execution

Risk Impact: Remote Code Execution

Server-Side Request Forgery (SSRF)

Pattern: User-controlled URLs in server-side requests

Indicators:

HTTP client with user-provided URL
URL validation bypass possibilities
Internal network access

Exploitation Flow:

Identify HTTP request with user URL
Test internal endpoints
Bypass URL validation
Access internal services

Risk Impact: Internal network access, cloud metadata exposure

SSRF Exfiltration Vectors

When SSRF response is not directly returned to the attacker, consider these exfiltration methods:

Vector	How It Works	Detection
External Callback	SSRF visits attacker-controlled URL with data	Check if outbound requests are allowed
DNS Exfiltration	Data encoded in subdomain (e.g., `secret.evil.com`)	Works even with firewall restrictions
Cache Poisoning	Response cached, retrieved later by attacker	Check proxy cache config for static extensions
Error-Based	Error messages leak response data	Check error handling and logging
Timing/Blind	Response time reveals information	Measure response latency variations
File Write	Write response to accessible location	Check for file write primitives

Cache-Based Exfiltration Pattern (commonly missed):

1. SSRF makes request to /sensitive-endpoint.png
2. Proxy caches response (thinks it's static file)
3. Attacker requests /sensitive-endpoint.png
4. Gets cached sensitive data

See cache-poisoning skill for detailed detection patterns.

Template Injection (SSTI)

Pattern: User input rendered in server-side templates

Indicators:

Template rendering with user-controlled template
Template syntax in user input

Exploitation Flow:

Identify template rendering point
Test template syntax
Determine template engine
Escalate to RCE

Risk Impact: Remote Code Execution

Vulnerability Identification Framework

Step 1: Sink Identification

Use the dangerous-functions skill to find security-sensitive functions.

Step 2: Source Tracing

Use the data-flow-tracing skill to trace user input to sinks.

Step 3: Pattern Matching

Match code patterns against known vulnerability types.

Step 4: Exploitability Assessment

Consider filters, authentication, impact, and bypass potential.

Additional Resources

Reference Files

For detailed exploitation techniques:

references/injection-attacks.md - SQLi, Command Injection, LDAP Injection
references/deserialization-attacks.md - PHP, Java, Python, .NET gadgets
references/access-control.md - IDOR, privilege escalation, authorization bypass
references/auth-bypass.md - Authentication bypass, session attacks, JWT flaws
references/race-conditions.md - TOCTOU, double-spend, concurrency vulnerabilities

Integration with Other Skills

Use dangerous-functions to identify sinks
Use data-flow-tracing to trace sources to sinks
Use exploit-techniques to develop working PoC