Security Scanner

Automatically scan code for security vulnerabilities.

When to Use This Skill

Activate this skill when the user:

• Asks "is this secure?"
• Shows code handling user input
• Mentions "security vulnerability", "exploit", or "hack"
• References XSS, SQL injection, CSRF, or authentication
• Shows database queries or file operations
• Asks "could this be exploited?"

Quick Security Checks

1. SQL Injection

Vulnerable Pattern:

// ❌ DANGEROUS
$query = "SELECT * FROM users WHERE id = " . $_GET['id'];
db_query($query);

Secure Pattern:

// ✅ SECURE
$query = db_select('users', 'u')
  ->condition('id', $id, '=')
  ->execute();

// Or with placeholders
$query = "SELECT * FROM users WHERE id = :id";
db_query($query, [':id' => $id]);

2. Cross-Site Scripting (XSS)

Vulnerable Pattern:

// ❌ DANGEROUS
echo "<div>" . $_POST['name'] . "</div>";

Secure Pattern:

// ✅ SECURE (Drupal)
echo "<div>" . Html::escape($_POST['name']) . "</div>";

// ✅ SECURE (WordPress)
echo "<div>" . esc_html( $_POST['name'] ) . "</div>";

3. CSRF (Cross-Site Request Forgery)

Vulnerable Pattern:

// ❌ DANGEROUS - No CSRF protection
if ($_POST['action'] === 'delete') {
  delete_user($_POST['user_id']);
}

Secure Pattern:

// ✅ SECURE (Drupal) - CSRF token validation
if ($_POST['form_token'] && \Drupal::csrfToken()->validate($_POST['form_token'])) {
  delete_user($_POST['user_id']);
}

// ✅ SECURE (WordPress) - Nonce validation
if (wp_verify_nonce($_POST['_wpnonce'], 'delete_user')) {
  delete_user($_POST['user_id']);
}

4. Authentication Bypass

Check for:

• Missing permission checks
• Hardcoded credentials
• Weak password requirements
• Session fixation vulnerabilities

5. File Upload Vulnerabilities

Vulnerable Pattern:

// ❌ DANGEROUS - No validation
move_uploaded_file($_FILES['file']['tmp_name'], 'uploads/' . $_FILES['file']['name']);

Secure Pattern:

// ✅ SECURE
$allowed_types = ['jpg', 'png', 'pdf'];
$extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);

if (in_array(strtolower($extension), $allowed_types)) {
  $safe_name = preg_replace('/[^a-zA-Z0-9_-]/', '', basename($_FILES['file']['name']));
  move_uploaded_file($_FILES['file']['tmp_name'], 'uploads/' . $safe_name);
}

Response Format

## Security Scan Results

### 🔴 Critical Issues (Fix Immediately)

**1. SQL Injection Vulnerability**
- **Location**: `src/Controller/UserController.php:45`
- **Risk**: Critical - Allows database manipulation
- **Code**:
  ```php
  $query = "SELECT * FROM users WHERE id = " . $_GET['id'];

• Fix:

  $query = $connection->select('users', 'u')
    ->condition('id', $id, '=')
    ->execute();
  

• OWASP: A03:2021 – Injection

🟠 High Priority

2. Missing CSRF Protection

• Location: src/Form/DeleteForm.php:67
• Risk: High - Allows unauthorized actions
• Fix: Add CSRF token validation

🟡 Medium Priority

3. Weak Password Policy

• Current: Minimum 6 characters
• Recommended: Minimum 12 characters + complexity rules

✅ Secure Patterns Found

• ✅ Output properly escaped (XSS protection)
• ✅ Access checks on admin routes
• ✅ File upload validation present

## OWASP Top 10 Quick Check

1. **Injection** - SQL, command, LDAP injection
2. **Broken Authentication** - Weak passwords, session management
3. **Sensitive Data Exposure** - Unencrypted data, weak crypto
4. **XML External Entities (XXE)** - XML parsing vulnerabilities
5. **Broken Access Control** - Missing permission checks
6. **Security Misconfiguration** - Default configs, verbose errors
7. **XSS** - Unescaped user input
8. **Insecure Deserialization** - Unsafe object deserialization
9. **Known Vulnerabilities** - Outdated dependencies
10. **Insufficient Logging** - No audit trail

## Platform-Specific Security

### Drupal Security

**Use**:
- `\Drupal\Component\Utility\Html::escape()` for output
- `\Drupal::database()->select()` for queries
- `\Drupal::csrfToken()->validate()` for forms
- `$this->currentUser()->hasPermission()` for access checks

### WordPress Security

**Use**:
- `esc_html()`, `esc_attr()`, `esc_url()` for output
- `$wpdb->prepare()` for queries
- `wp_verify_nonce()` for forms
- `current_user_can()` for permissions

## Integration with /audit-security Command

- **This Skill**: Focused code-level security checks
  - "Is this query secure?"
  - "Check this form for vulnerabilities"
  - Single function/file analysis

- **`/audit-security` Command**: Comprehensive security audit
  - Full OWASP Top 10 scan
  - Dependency vulnerability check
  - File permission analysis
  - Secrets detection

## Common Vulnerabilities

### Input Validation
```php
// ❌ No validation
$age = $_POST['age'];

// ✅ Validated
$age = filter_var($_POST['age'], FILTER_VALIDATE_INT, [
  'options' => ['min_range' => 1, 'max_range' => 120]
]);

Output Escaping

// ❌ Unescaped
echo $user_input;

// ✅ Escaped (context-appropriate)
echo Html::escape($user_input);           // HTML context
echo Html::escape($user_input, ENT_QUOTES); // Attribute context
echo json_encode($user_input);            // JSON context

Access Control

// ❌ No permission check
function deleteUser($uid) {
  User::load($uid)->delete();
}

// ✅ Permission checked
function deleteUser($uid) {
  if (!\Drupal::currentUser()->hasPermission('delete users')) {
    throw new AccessDeniedHttpException();
  }
  User::load($uid)->delete();
}

Resources

• OWASP Top 10
• Drupal Security Best Practices
• WordPress Security