Vulnerability Patterns
This skill should be used when the user asks about "vulnerability patterns", "how to find SQL injection", "XSS patterns", "command injection techniques", "OWASP vulnerabilities", "common web vulnerabilities", "exploitation patterns", or needs to understand how specific vulnerability classes work during whitebox security review.
Best use case
Vulnerability Patterns is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
This skill should be used when the user asks about "vulnerability patterns", "how to find SQL injection", "XSS patterns", "command injection techniques", "OWASP vulnerabilities", "common web vulnerabilities", "exploitation patterns", or needs to understand how specific vulnerability classes work during whitebox security review.
Teams using Vulnerability Patterns should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/vuln-patterns/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Vulnerability Patterns Compares
| Feature / Agent | Vulnerability Patterns | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
This skill should be used when the user asks about "vulnerability patterns", "how to find SQL injection", "XSS patterns", "command injection techniques", "OWASP vulnerabilities", "common web vulnerabilities", "exploitation patterns", or needs to understand how specific vulnerability classes work during whitebox security review.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Vulnerability Patterns Reference ## Purpose Provide comprehensive knowledge of common web vulnerability patterns for whitebox penetration testing. Understanding these patterns enables identification of security flaws during code review and guides exploitation techniques. ## When to Use Activate this skill when: - Analyzing potential vulnerabilities found during sink search - Understanding how specific vulnerability classes work - Determining exploitability of identified code patterns - Learning attack techniques for specific vulnerability types ## OWASP Top 10 Overview | Rank | Category | Code Indicators | Related Skill | |------|----------|-----------------|---------------| | A01 | Broken Access Control | Missing auth checks, IDOR patterns | `business-logic` | | A02 | Cryptographic Failures | Weak algorithms, hardcoded keys | `cryptographic-failures` | | A03 | Injection | User input in queries/commands | `vuln-patterns` (this skill) | | A04 | Insecure Design | Logic flaws, missing controls | `business-logic` | | A05 | Security Misconfiguration | Debug enabled, default creds | `security-misconfiguration` | | A06 | Vulnerable and Outdated Components | Dependency vulns, build pipeline | *(out of scope)* | | A07 | Identification and Authentication Failures | Weak session, credential issues | `vuln-patterns` (this skill) | | A08 | Software and Data Integrity Failures | Deserialization, CI/CD issues | `vuln-patterns` (this skill) | | A09 | Security Logging and Monitoring Failures | Missing logs, log injection | `logging-failures` | | A10 | Server-Side Request Forgery | Attacker-controlled outbound fetches | `vulnerability-chains`, `framework-patterns` | See `owasp-2025` skill for complete mapping with CWE references. ## Core Vulnerability Categories ### SQL Injection (SQLi) **Pattern**: User input concatenated into SQL queries **Indicators**: - String concatenation in query construction - Template literals/f-strings in SQL - Missing parameterized queries - Raw/native query methods **Exploitation Flow**: 1. Identify injection point 2. Determine database type 3. Test with basic payloads 4. Extract data or escalate **Risk Impact**: Data breach, authentication bypass, RCE (in some cases) ### Command Injection **Pattern**: User input passed to system command functions **Indicators**: - Command execution functions with user data - Shell metacharacters not filtered - Insufficient input validation **Exploitation Flow**: 1. Identify command execution sink 2. Trace user input to sink 3. Test command separators 4. Chain commands for exploitation **Risk Impact**: Remote Code Execution, full system compromise ### Cross-Site Scripting (XSS) **Types**: - Reflected: Input reflected in response - Stored: Input persisted and displayed - DOM-based: Client-side JavaScript manipulation **Indicators**: - User input in HTML output without encoding - Dynamic HTML insertion with user data - Missing output encoding **Risk Impact**: Session hijacking, credential theft, malware distribution ### Path Traversal / LFI **Pattern**: User input in file path operations **Indicators**: - File inclusion with user-controlled path - File read/write with user input - Missing path validation **Exploitation Flow**: 1. Identify file operation with user input 2. Test traversal sequences 3. Target sensitive files 4. Chain with other vulnerabilities **Risk Impact**: Information disclosure, source code leak, potential RCE ### Deserialization **Pattern**: Untrusted data passed to deserialization functions **Indicators**: - Deserialization functions with user data - User-controlled serialized data - Missing type validation **Exploitation Flow**: 1. Identify deserialization sink 2. Find gadget chains 3. Craft malicious payload 4. Achieve code execution **Risk Impact**: Remote Code Execution ### Server-Side Request Forgery (SSRF) **Pattern**: User-controlled URLs in server-side requests **Indicators**: - HTTP client with user-provided URL - URL validation bypass possibilities - Internal network access **Exploitation Flow**: 1. Identify HTTP request with user URL 2. Test internal endpoints 3. Bypass URL validation 4. Access internal services **Risk Impact**: Internal network access, cloud metadata exposure #### SSRF Exfiltration Vectors When SSRF response is not directly returned to the attacker, consider these exfiltration methods: | Vector | How It Works | Detection | |--------|--------------|-----------| | **External Callback** | SSRF visits attacker-controlled URL with data | Check if outbound requests are allowed | | **DNS Exfiltration** | Data encoded in subdomain (e.g., `secret.evil.com`) | Works even with firewall restrictions | | **Cache Poisoning** | Response cached, retrieved later by attacker | Check proxy cache config for static extensions | | **Error-Based** | Error messages leak response data | Check error handling and logging | | **Timing/Blind** | Response time reveals information | Measure response latency variations | | **File Write** | Write response to accessible location | Check for file write primitives | **Cache-Based Exfiltration Pattern** (commonly missed): ``` 1. SSRF makes request to /sensitive-endpoint.png 2. Proxy caches response (thinks it's static file) 3. Attacker requests /sensitive-endpoint.png 4. Gets cached sensitive data ``` See `cache-poisoning` skill for detailed detection patterns. ### Template Injection (SSTI) **Pattern**: User input rendered in server-side templates **Indicators**: - Template rendering with user-controlled template - Template syntax in user input **Exploitation Flow**: 1. Identify template rendering point 2. Test template syntax 3. Determine template engine 4. Escalate to RCE **Risk Impact**: Remote Code Execution ## Vulnerability Identification Framework ### Step 1: Sink Identification Use the dangerous-functions skill to find security-sensitive functions. ### Step 2: Source Tracing Use the data-flow-tracing skill to trace user input to sinks. ### Step 3: Pattern Matching Match code patterns against known vulnerability types. ### Step 4: Exploitability Assessment Consider filters, authentication, impact, and bypass potential. ## Additional Resources ### Reference Files For detailed exploitation techniques: - **`references/injection-attacks.md`** - SQLi, Command Injection, LDAP Injection - **`references/deserialization-attacks.md`** - PHP, Java, Python, .NET gadgets - **`references/access-control.md`** - IDOR, privilege escalation, authorization bypass - **`references/auth-bypass.md`** - Authentication bypass, session attacks, JWT flaws - **`references/race-conditions.md`** - TOCTOU, double-spend, concurrency vulnerabilities ### Integration with Other Skills - Use **dangerous-functions** to identify sinks - Use **data-flow-tracing** to trace sources to sinks - Use **exploit-techniques** to develop working PoC
Related Skills
vulnerability-chains
This skill should be used when the user asks about "vulnerability chains", "chained exploits", "multi-step attacks", "SSRF to RCE", "pivot attacks", or needs to identify how vulnerabilities in different components can be combined during whitebox security review.
Mobile Payment Tokenization Patterns
Use this skill when reviewing mobile code that handles card data, payment tokenization, or third-party payment SDK integrations (Braintree, Stripe, Adyen, Google Pay, Apple Pay, FirstData-style iframe encryptors). The skill catalogues the high-signal attack patterns vuln-scout detects in mobile payment flows — server-controlled tokenization URLs, JavaScript-injection-into-WebView card-data exfiltration, JS-bridge token construction, and payment scope mismatches — and maps each to the detector that fires.
framework-patterns
This skill should be used when the user asks about "framework vulnerabilities", "Next.js security", "Flask security", "Django security", "Rails security", "Spring security", "GraphQL security", "Server Actions", "render_template_string", "SSTI patterns", "redirect SSRF", "mass assignment", "actuator exposure", "SpEL injection", "introspection", or needs to identify framework-specific vulnerability patterns during whitebox security review.
Workspace Discovery
This skill should be used when the user asks to "detect workspaces", "find packages", "list monorepo packages", "workspace structure", "monorepo analysis", or needs to identify workspace/package boundaries in a codebase for focused security analysis.
Threat Modeling
This skill should be used when the user asks about "threat model", "STRIDE", "data flow diagram", "attack surface", "threat analysis", "security architecture", "component threats", "trust boundaries", "technology decomposition", or needs systematic threat identification during whitebox security review.
verify-finding
Drive a single finding through CPG verification and false-positive triage.
start-audit
Guided first-run security audit: doctor, scope, threats, scan, verify, report.
scope-repo
Decide audit boundaries for large or monorepo targets and write audit-plan.md.
review-pr
Diff-aware PR security review with verified findings and PR comment payload.
package-evidence
Bundle findings, reports, audit plan, and ledger into one evidence zip.
Sensitive Data Leakage
Detect ANY credential/secret flowing to ANY output sink. Use when asked about "credential leakage", "secret logging", "sensitive data exposure", "CWE-532", "password in logs", "token exposure", or security logging issues.
Security Misconfiguration
This skill should be used when the user asks about "security misconfiguration", "default credentials", "debug mode", "security headers", "exposed endpoints", "TLS configuration", or needs to find configuration-related vulnerabilities during whitebox security review.