vulnerability-patterns

Code vulnerability pattern database. An extension skill for security-analyst that provides language-specific (Python/JS/Java/Go) vulnerable code patterns, CWE classification, safe alternative code, and severity assessment criteria. Use when performing security reviews involving 'vulnerability patterns', 'CWE', 'SQL Injection', 'XSS', 'security vulnerabilities', 'secure coding', 'vulnerable code', etc. Note: penetration testing execution and WAF configuration are outside the scope of this skill.

495 stars

byrevfactory

View on GitHub Installation ↓

Best use case

vulnerability-patterns is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using vulnerability-patterns should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/vulnerability-patterns/SKILL.md --create-dirs "https://raw.githubusercontent.com/revfactory/harness-100/main/en/21-code-reviewer/.claude/skills/vulnerability-patterns/skill.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/vulnerability-patterns/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How vulnerability-patterns Compares

Feature / Agent	vulnerability-patterns	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

AI Agents for Coding

Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.

Cursor vs Codex for AI Workflows

Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.

SKILL.md Source

# Vulnerability Patterns — Code Vulnerability Pattern Database

A reference of vulnerable code patterns, CWE classification, and safe alternatives used by the security-analyst agent during security reviews.

## Target Agent

`security-analyst` — Directly applies the vulnerability patterns from this skill to code security analysis.

## Vulnerability Classification System (CWE Top 25)

### Priority Detection Targets

| CWE | Name | Severity | Frequency |
|-----|------|----------|-----------|
| CWE-79 | XSS (Cross-Site Scripting) | High | Very high |
| CWE-89 | SQL Injection | Critical | High |
| CWE-78 | OS Command Injection | Critical | Medium |
| CWE-22 | Path Traversal | High | Medium |
| CWE-352 | CSRF | High | High |
| CWE-798 | Hardcoded Credentials | Critical | High |
| CWE-862 | Missing Authorization | Critical | High |
| CWE-306 | Missing Authentication | Critical | Medium |
| CWE-502 | Deserialization | Critical | Medium |
| CWE-918 | SSRF | High | Medium |

## Language-Specific Vulnerable Code Patterns

### Python

#### SQL Injection (CWE-89)
```python
# Vulnerable
query = f"SELECT * FROM users WHERE name = '{user_input}'"
cursor.execute(query)

# Safe
cursor.execute("SELECT * FROM users WHERE name = %s", (user_input,))
# Or use ORM (SQLAlchemy, Django ORM)
```

#### Command Injection (CWE-78)
```python
# Vulnerable
os.system(f"ping {user_input}")
subprocess.call(f"ls {user_input}", shell=True)

# Safe
subprocess.run(["ping", user_input], shell=False)
# shlex.quote() for escaping (if unavoidable)
```

#### Path Traversal (CWE-22)
```python
# Vulnerable
file_path = os.path.join(BASE_DIR, user_input)
open(file_path).read()

# Safe
file_path = os.path.realpath(os.path.join(BASE_DIR, user_input))
if not file_path.startswith(os.path.realpath(BASE_DIR)):
    raise ValueError("Invalid path")
```

#### YAML Deserialization (CWE-502)
```python
# Vulnerable
data = yaml.load(user_input)  # Arbitrary code execution possible

# Safe
data = yaml.safe_load(user_input)
```

### JavaScript/TypeScript

#### XSS (CWE-79)
```javascript
// Vulnerable (React)
<div dangerouslySetInnerHTML={{__html: userInput}} />

// Safe
<div>{userInput}</div>  // React auto-escapes
// When needed, use DOMPurify
import DOMPurify from 'dompurify';
<div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(userInput)}} />
```

#### Prototype Pollution (CWE-1321)
```javascript
// Vulnerable
function merge(target, source) {
  for (let key in source) {
    target[key] = source[key];  // __proto__ pollution possible
  }
}

// Safe
function merge(target, source) {
  for (let key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor') continue;
    target[key] = source[key];
  }
}
// Or use Object.create(null)
```

#### ReDoS (CWE-1333)
```javascript
// Vulnerable (Catastrophic Backtracking)
const regex = /^(a+)+$/;
regex.test("aaaaaaaaaaaaaaaaaaaaaaaaaaaaab");  // Exponential time

// Safe: Use non-backtracking patterns
const regex = /^a+$/;  // Remove nested repetition
```

#### eval/Function Execution (CWE-95)
```javascript
// Vulnerable
eval(userInput);
new Function(userInput)();
setTimeout(userInput, 1000);

// Safe: Never use eval; use alternative logic
```

### Java

#### SQL Injection (CWE-89)
```java
// Vulnerable
String query = "SELECT * FROM users WHERE id = " + userId;
Statement stmt = conn.createStatement();
stmt.executeQuery(query);

// Safe
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
ps.setInt(1, userId);
ps.executeQuery();
```

#### XXE (CWE-611)
```java
// Vulnerable
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
db.parse(userInput);

// Safe
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
```

#### Deserialization (CWE-502)
```java
// Vulnerable
ObjectInputStream ois = new ObjectInputStream(userInputStream);
Object obj = ois.readObject();  // Arbitrary code execution possible

// Safe: Use JSON/XML serialization (Jackson, Gson)
// Use ObjectInputFilter (Java 9+)
```

### Go

#### SQL Injection (CWE-89)
```go
// Vulnerable
query := fmt.Sprintf("SELECT * FROM users WHERE name = '%s'", userInput)
db.Query(query)

// Safe
db.Query("SELECT * FROM users WHERE name = $1", userInput)
```

#### Path Traversal (CWE-22)
```go
// Vulnerable
http.ServeFile(w, r, filepath.Join(baseDir, r.URL.Path))

// Safe
cleanPath := filepath.Clean(r.URL.Path)
fullPath := filepath.Join(baseDir, cleanPath)
if !strings.HasPrefix(fullPath, baseDir) {
    http.Error(w, "Forbidden", 403)
    return
}
```

## Severity Assessment Criteria

### CVSS v3.1-Based Assessment

| Factor | Weight | Criteria |
|--------|--------|----------|
| Attack Vector | High | Network (remote) > Local |
| Attack Complexity | High | Low complexity > High complexity |
| Privileges Required | Medium | None > Low > High |
| User Interaction | Medium | None > Required |
| Impact (CIA) | High | Each confidentiality/integrity/availability |

### Practical Exploitability Assessment

| Factor | High Risk | Low Risk |
|--------|----------|---------|
| Input source | External user input | Internal config |
| Data sensitivity | PII, credentials | Public data |
| Authentication | Unauthenticated | Admin only |
| Exploit complexity | Simple string injection | Multi-step chain |
| Existing defenses | None | WAF, input validation present |

Related Skills

risk-response-patterns

495

from revfactory/harness-100

risk response strategy pattern library. response-strategist and monitoring-planner agent risk response plan establishto do when reference. 'risk response', 'mitigation strategy', 'response plan' request when usage. However, insurance design legal risk specialistdocument scope outside.

rhetoric-patterns

495

from revfactory/harness-100

numbercompany pattern library. speech-writer and debate-preparer agent persuasioncapability speech and buildingto do when reference. 'numbercompany', ' structure', 'persuasion technique' request when usage. However, actual presentation nature training scope outside.

kpi-dashboard-patterns

495

from revfactory/harness-100

KPI dashboard design pattern. analyst agent core indicator analysisand executive-summarizer management reporting dashboard compositionto do when reference. 'KPI analysis', 'dashboard design', ' indicator' request when usage. However, actualtime BI whensystem building scope outside.

diagram-patterns

495

from revfactory/harness-100

Mermaid diagram pattern library. diagram-maker agent technical document diagram writingto do when reference verifydone pattern . 'diagram pattern', 'Mermaid template', ' diagram pattern' request when usage. However, actual un-degree specialistperson tool work scope outside.

code-example-patterns

495

from revfactory/harness-100

technical document code example pattern library. doc-writer agent code example, writingto do when reference. 'code example pattern', ' code writing' request when usage. However, actual code file test execution scope outside.

claim-drafting-patterns

495

from revfactory/harness-100

Strategic drafting patterns and claim scope design guide for patent claims. The 'claim-drafter' and 'patent-reviewer' agents must use this skill's drafting patterns, terminology rules, and dependent claim strategies when writing or verifying claims. Used for 'claim drafting', 'claim scope design', 'dependent claim strategy', etc. Note: Overall patent orchestration or prior art search is outside the scope of this skill.

sdk-design-patterns

495

from revfactory/harness-100

SDK/API client design patterns: builder pattern, interceptor chain, retry strategy, type-safe design, error handling, and pagination wrapper guide. Use this skill for requests involving 'SDK design', 'client patterns', 'retry strategy', 'interceptor', 'builder pattern', 'SDK error handling', 'type safety', 'SDK architecture', etc. Enhances sdk-developer's SDK design capabilities. Note: API spec parsing, test authoring, and documentation are outside the scope of this skill.

openapi-spec-patterns

495

from revfactory/harness-100

OpenAPI 3.x spec analysis patterns, schema normalization, authentication method mapping, pagination/error pattern extraction, and GraphQL/gRPC spec interpretation guide. Use this skill for requests involving 'OpenAPI', 'Swagger', 'spec analysis', 'schema normalization', 'API authentication', 'pagination patterns', 'GraphQL schema', 'gRPC proto', etc. Enhances spec-parser's spec analysis capabilities. Note: SDK code generation and test authoring are outside the scope of this skill.

data-validation-patterns

495

from revfactory/harness-100

Migration data validation patterns: row count comparison, checksums, sampling validation, FK integrity, and business rule validation query design guide. Use this skill for requests involving 'data validation', 'migration validation', 'checksum', 'row count comparison', 'integrity validation', 'regression testing', 'Go/No-Go checklist', etc. Enhances validation-engineer's validation design capabilities. Note: schema mapping and rollback planning are outside the scope of this skill.

query-optimization-patterns

495

from revfactory/harness-100

SQL/NoSQL query optimization pattern, execution plan analysis, index strategy, N+1 resolution etc. database performance optimization guide. 'query optimization', 'execution plan', 'EXPLAIN', 'index ', 'N+1 ', 'slow query', 'slow query', 'DB performance' etc. database query performance improvement this for. bottleneck-analystand optimization-engineerof DB performance analysis -ize. , before system profilingthis benchmark execution this of scope .

test-design-patterns

495

from revfactory/harness-100

Patterns for effective test design, including boundary value analysis, equivalence partitioning, state transition testing, and other systematic test case derivation methodologies. Use this skill for 'test design', 'test case derivation', 'boundary value analysis', 'equivalence partitioning', 'state transition testing', 'pairwise', 'test matrix', and other test design tasks. Enhances the test design capabilities of test-strategist and unit-tester. Note: test infrastructure setup and CI/CD configuration are outside the scope of this skill.

distributed-patterns

495

from revfactory/harness-100

Implementation guide and selection matrix for core distributed system patterns (Saga, CQRS, Circuit Breaker, Event Sourcing, etc.). Use this skill for 'distributed transactions', 'Saga pattern', 'CQRS', 'circuit breaker', 'event sourcing', 'distributed patterns', 'compensating transactions', 'eventual consistency', and other distributed system pattern applications. Enhances the distributed system design capabilities of communication-designer and service-architect. Note: infrastructure setup and monitoring configuration are outside the scope of this skill.