Maps application attack surface by inventorying and ranking entry points like HTTP routes, APIs, forms, WebSockets, CLI parsers, and external interfaces by exposure level.
Install: npx claudepluginhub florianbuetow/claude-code --plugin appsec
Slash command: /appsec:attack-surface
Discover and inventory every entry point where external data enters the application. Produces a ranked catalog of all routes, APIs, input handlers, and external interfaces organized by exposure level and trust boundary.
Read ../../shared/schemas/flags.md for the full flag specification.
| Flag | Attack Surface Behavior |
|---|---|
| --scope | Default full. Attack surface mapping benefits from whole-codebase visibility. Narrow scopes produce partial inventories with a warning. |
| --depth quick | Framework route extraction only (Grep for route decorators and definitions). |
| --depth standard | Route extraction + read handlers to classify input types and auth requirements. |
| --depth deep | Standard + trace each entry point to internal sinks, map trust boundary crossings. |
| --depth expert | Deep + rank by exploitability, identify shadow/undocumented endpoints, DREAD scoring. |
| --severity | Not directly applicable. Used to filter the exposure ranking in output. |
| --format | Default text. Use json for machine-readable inventory, md for wiki export. |
Apply the --scope flag. Default to full for this skill (attack surface requires broad visibility).

Identify the application framework(s) to determine route registration patterns:
| Framework | Route Pattern |
|---|---|
| Express/Koa/Fastify | app.get(), router.post(), fastify.route() |
| Django | urlpatterns, path(), re_path(), @api_view |
| Flask | @app.route(), @blueprint.route() |
| Spring | @GetMapping, @PostMapping, @RequestMapping |
| Rails | routes.rb, resources :, get '/' |
| Next.js/Nuxt | pages/ and app/ directory conventions, route.ts |
| ASP.NET | [HttpGet], [Route], MapGet(), MapPost() |
| Go net/http | http.HandleFunc(), mux.Handle(), gorilla/chi patterns |
| FastAPI | @app.get(), @router.post() |
| gRPC | .proto service definitions, generated server stubs |
| GraphQL | Schema definitions, resolver registrations |
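The route-registration patterns in the table above are what a --depth quick pass greps for. The following is an added example, not code from the skill or the plugin: a small extractor that runs regexes for the Flask, Express, Spring and Go net/http patterns over a set of constructed source snippets and turns every match into a (framework, method, path) route record. The sample files, the `Route` dataclass and the `SHADOW_PATH_HINTS` list (taken from the /debug, /admin, /metrics, /health paths the skill names under --depth expert) are assumptions for the demonstration; the regexes cover only the common forms of each pattern, not every way a framework can register a route.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample sources, one per framework. These are not taken from any real project.
SAMPLE_FILES = {
    "app.py": '''
from flask import Flask
app = Flask(__name__)

@app.route("/health")
def health(): ...

@app.route("/api/v1/users", methods=["POST"])
def create_user(): ...
''',
    "server.js": '''
const router = require("express").Router();
router.get("/api/v1/users/:id", auth, getUser);
app.post("/debug/eval", evalHandler);
''',
    "UserController.java": '''
@RestController
public class UserController {
    @GetMapping("/api/v1/users")
    public List<User> list() { ... }
    @PostMapping("/admin/reset")
    public void reset() { ... }
}
''',
    "main.go": '''
package main
import "net/http"
func main() {
    http.HandleFunc("/metrics", metricsHandler)
}
''',
}


@dataclass(frozen=True)
class Route:
    framework: str
    method: str   # HTTP verb, or ANY when the registration does not fix one
    path: str
    file: str


# One regex per framework. Named groups: "path" always; "method" or "methods" when the
# registration carries the verb(s). The Flask "methods=" lookahead is confined to the
# decorator's own line so it cannot run into the next decorator.
ROUTE_PATTERNS = {
    "flask": re.compile(
        r'@\w+\.route\(\s*["\'](?P<path>[^"\']+)["\']'
        r'(?:[^)\n]*?methods\s*=\s*\[(?P<methods>[^\]]*)\])?'
    ),
    "express": re.compile(
        r'\b(?:app|router)\.(?P<method>get|post|put|patch|delete|all)\('
        r'\s*["\'](?P<path>[^"\']+)["\']'
    ),
    "spring": re.compile(
        r'@(?P<method>Get|Post|Put|Patch|Delete|Request)Mapping\('
        r'\s*(?:value\s*=\s*)?["\'](?P<path>[^"\']+)["\']'
    ),
    "go-net/http": re.compile(r'http\.HandleFunc\(\s*"(?P<path>[^"]+)"'),
}

# Path prefixes the skill lists as typical shadow/debug endpoints under --depth expert.
SHADOW_PATH_HINTS = ("/debug", "/admin", "/metrics", "/health")


def _methods(framework: str, groups: dict) -> list[str]:
    """Normalise whatever the regex captured into a list of HTTP verbs."""
    if groups.get("methods"):  # Flask: methods=["GET", "POST"]
        return [m.strip().strip("\"'").upper() for m in groups["methods"].split(",") if m.strip()]
    if groups.get("method"):   # Express verb call or Spring @XxxMapping annotation
        verb = groups["method"].upper()
        return ["ANY"] if verb in ("ALL", "REQUEST") else [verb]
    # Flask defaults to GET when methods= is absent; Go's HandleFunc accepts any verb.
    return ["GET"] if framework == "flask" else ["ANY"]


def extract_routes(files: dict[str, str]) -> list[Route]:
    """Run every framework pattern over every file and collect the routes found."""
    routes: list[Route] = []
    for name, source in files.items():
        for framework, pattern in ROUTE_PATTERNS.items():
            for match in pattern.finditer(source):
                groups = match.groupdict()
                for method in _methods(framework, groups):
                    routes.append(Route(framework, method, groups["path"], name))
    return routes


def routes_per_framework(routes: list[Route]) -> dict[str, int]:
    """Summary line for the inventory: how many routes each framework registers."""
    return dict(Counter(r.framework for r in routes))


def shadow_candidates(routes: list[Route]) -> list[Route]:
    """Routes whose path starts with one of the debug/admin/metrics/health prefixes."""
    return [r for r in routes if any(r.path.startswith(h) for h in SHADOW_PATH_HINTS)]


if __name__ == "__main__":
    found = extract_routes(SAMPLE_FILES)
    for r in found:
        print(f"{r.framework:12} {r.method:5} {r.path:22} ({r.file})")
    print("per framework:", routes_per_framework(found))
    print("shadow candidates:", [r.path for r in shadow_candidates(found)])
```

Each regex is deliberately anchored to its own framework's syntax, so a Flask decorator never shows up as an Express route and vice versa; in a real codebase you would gate each pattern on the framework detected in the previous step rather than running all of them everywhere.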
For each framework detected, systematically extract all entry points:
- CLI parsers (argparse, commander, cobra, clap).

For every discovered entry point, determine:
Assign an exposure level to each entry point:
| Level | Criteria |
|---|---|
| CRITICAL | Internet-facing, no authentication, accepts user input, interacts with sensitive data or system resources |
| HIGH | Internet-facing with authentication but handling sensitive data, or unauthenticated endpoints with limited input validation |
| MEDIUM | Authenticated endpoints with proper validation, or internal endpoints with no authentication |
| LOW | Internal endpoints with authentication, limited input surface, or read-only operations on non-sensitive data |
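To show how the exposure criteria above turn into a ranking, and how the inventory and the SURF findings described later in this skill can be produced from it, here is an added example that is not part of the skill itself. The `EntryPoint` fields (internet-facing, auth scheme, accepts input, sensitive, validation, rate limit) are the attributes the standard-depth pass is meant to determine per entry point; the sample entries are constructed. The finding dictionary's shape is an assumption, since ../../shared/schemas/findings.md is not reproduced here; it carries only the metadata.tool, metadata.framework and references.cwe values the skill specifies. The health-check carve-out implements the skill's note that unauthenticated /health and /ready probes are normal unless they expose sensitive state.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

LEVELS = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
# Probe paths the skill treats as normal without auth; extend per deployment (assumption).
HEALTH_PATHS = {"/health", "/ready"}


@dataclass(frozen=True)
class EntryPoint:
    method: str
    path: str
    internet_facing: bool
    auth: Optional[str]        # "JWT", "session", "mTLS", ... or None when unauthenticated
    accepts_input: bool        # body, query or path parameters reach handler code
    sensitive: bool            # touches PII, secrets, files, commands or other system resources
    input_types: str = "-"
    validation: str = "None"   # "None", "Partial" or "Full"
    rate_limited: bool = False


def exposure_level(ep: EntryPoint) -> str:
    """Map an entry point onto the CRITICAL/HIGH/MEDIUM/LOW criteria."""
    unauth = ep.auth is None
    # Orchestrator probes without auth are expected; only sensitive state makes them a concern.
    if ep.path in HEALTH_PATHS and not ep.sensitive:
        return "LOW"
    if ep.internet_facing:
        if unauth and ep.accepts_input and ep.sensitive:
            return "CRITICAL"
        if ep.sensitive or (unauth and ep.validation != "Full"):
            return "HIGH"   # authenticated but sensitive, or unauthenticated with limited validation
        return "MEDIUM"     # authenticated, non-sensitive
    # Internal: unauthenticated is MEDIUM unless it is a read-only, input-free, non-sensitive
    # operation; authenticated internal endpoints are LOW.
    if unauth:
        read_only = ep.method.upper() in ("GET", "HEAD") and not ep.accepts_input and not ep.sensitive
        return "LOW" if read_only else "MEDIUM"
    return "LOW"


def rank(entries: list[EntryPoint]) -> list[EntryPoint]:
    """Order by exposure (CRITICAL first), then by path for a stable table."""
    return sorted(entries, key=lambda e: (LEVELS.index(exposure_level(e)), e.path))


def missing_auth_findings(entries: list[EntryPoint], framework: Optional[str] = None) -> list[dict]:
    """SURF-NNN findings for sensitive entry points that have no authentication at all."""
    findings: list[dict] = []
    for ep in rank(entries):
        if ep.auth is not None or not ep.sensitive:
            continue
        findings.append({
            "id": f"SURF-{len(findings) + 1:03d}",
            "title": f"Missing authentication on {ep.method} {ep.path}",
            "severity": exposure_level(ep),
            "location": f"{ep.method} {ep.path}",
            "metadata": {"tool": "attack-surface", "framework": framework},
            "references": {"cwe": ["CWE-306"]},
        })
    return findings


def render_inventory(entries: list[EntryPoint]) -> str:
    """Render the Summary and Entry Points by Exposure sections as markdown."""
    ranked = rank(entries)
    counts = {lvl: sum(1 for e in ranked if exposure_level(e) == lvl) for lvl in LEVELS}
    lines = [
        "## Attack Surface Inventory",
        "### Summary",
        f"- Total entry points: {len(ranked)}",
        f"- Internet-facing: {sum(e.internet_facing for e in ranked)} "
        f"({sum(e.internet_facing and e.auth is None for e in ranked)} unauthenticated)",
        f"- Internal: {sum(not e.internet_facing for e in ranked)}",
        "- Exposure: " + ", ".join(f"{counts[lvl]} {lvl}" for lvl in LEVELS),
        "### Entry Points by Exposure",
        "| # | Method | Path | Auth | Input Types | Validation | Rate Limit | Exposure |",
        "|---|--------|------|------|-------------|------------|------------|----------|",
    ]
    for i, e in enumerate(ranked, 1):
        lines.append(
            f"| {i} | {e.method} | {e.path} | {e.auth or 'None'} | {e.input_types} | "
            f"{e.validation} | {'Yes' if e.rate_limited else 'No'} | {exposure_level(e)} |"
        )
    return "\n".join(lines)


# Constructed sample inventory (not from any real application).
SAMPLE_ENTRY_POINTS = [
    EntryPoint("POST", "/api/v1/users", internet_facing=True, auth=None, accepts_input=True,
               sensitive=True, input_types="JSON body"),
    EntryPoint("GET", "/api/v1/users/:id", internet_facing=True, auth="JWT", accepts_input=True,
               sensitive=False, input_types="Path param", validation="Partial", rate_limited=True),
    EntryPoint("GET", "/health", internet_facing=True, auth=None, accepts_input=False, sensitive=False),
    EntryPoint("POST", "/admin/reset", internet_facing=True, auth=None, accepts_input=False, sensitive=True),
    EntryPoint("GET", "/internal/metrics", internet_facing=False, auth=None, accepts_input=False, sensitive=False),
    EntryPoint("POST", "/internal/jobs", internet_facing=False, auth="mTLS", accepts_input=True,
               sensitive=True, input_types="JSON body", validation="Full"),
]

if __name__ == "__main__":
    print(render_inventory(SAMPLE_ENTRY_POINTS))
    for finding in missing_auth_findings(SAMPLE_ENTRY_POINTS):
        print(finding)
```

Note that /admin/reset lands at HIGH rather than CRITICAL because the criteria require the endpoint to accept user input for CRITICAL; it still yields a SURF finding because it is sensitive and unauthenticated, which is the "clearly missing security control" case the skill reports.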
At --depth deep and --depth expert, trace each HIGH/CRITICAL entry point
inward to identify what sinks they reach (databases, file system, external
services, system commands).
At --depth expert, look for:
- Undocumented or debug endpoints (/debug, /admin, /metrics, /health exposing internals).

Output the attack surface inventory.
This skill produces an inventory, not vulnerability findings. However, when
entry points have clearly missing security controls (no auth on sensitive
endpoints), emit findings using the standard schema from ../../shared/schemas/findings.md.
Finding ID prefix: SURF (e.g., SURF-001).
## Attack Surface Inventory
### Summary
- Total entry points: N
- Internet-facing: N (N unauthenticated)
- Internal: N
- Exposure: N CRITICAL, N HIGH, N MEDIUM, N LOW
### Entry Points by Exposure
| # | Method | Path | Auth | Input Types | Validation | Rate Limit | Exposure |
|---|--------|------|------|-------------|------------|------------|----------|
| 1 | POST | /api/v1/users | None | JSON body | None | No | CRITICAL |
| 2 | GET | /api/v1/users/:id | JWT | Path param | Partial | Yes | MEDIUM |
| ... |
### Trust Boundary Map (--depth deep)
[Mermaid diagram showing entry points grouped by trust boundary]
### Shadow Endpoints (--depth expert)
[Undocumented or debug endpoints discovered]
### Findings
[Standard findings for missing security controls on entry points]
Findings follow ../../shared/schemas/findings.md with:
- metadata.tool: "attack-surface"
- metadata.framework: depends on invoking context (or null if standalone)
- references.cwe: CWE-16 (Configuration), CWE-306 (Missing Authentication)

Health check endpoints (/health, /ready) without auth are normal in container orchestration.
Only flag if they expose sensitive internal state.