en un clic
mona-sast-skills
mona-sast-skills contient 50 skills collectées depuis KaanBicaklar, avec une couverture métier par dépôt et des pages de détail sur le site.
Skills dans ce dépôt
SAST detection methodology for authentication failures (CWE-287/640/307/620), including insecure password reset (predictable/non-expiring tokens, host-header poisoning, token in referer), user enumeration, missing rate-limiting/account lockout, MFA bypass, auth race conditions, insecure "remember me", non-constant-time credential comparison, and default/weak credentials. Use when reviewing login, registration, password-reset, and MFA flows. Writes confirmed findings to findings/21-authentication-flaws.md.
SAST detection methodology for broken access control (CWE-284/862) and insecure direct object references / BOLA (CWE-639), including function-level authorization gaps (BFLA), horizontal/vertical privilege escalation, missing ownership checks, "UUID is not access control", and inconsistent auth middleware. Use when reviewing routes/controllers/resolvers that read or mutate a resource identified by a request-supplied id. Writes confirmed findings to findings/19-broken-access-control-idor.md.
SAST detection methodology for business-logic flaws (CWE-840, CWE-841), including negative/overflow quantities, price/discount manipulation, trusting client-computed totals, workflow step-skipping, coupon/referral abuse, and replay of one-time actions. Use when reviewing server-side handling of business values and invariants. Writes confirmed findings to findings/34-business-logic-flaws.md.
SAST detection methodology for CI/CD and pipeline injection (CWE-94, CWE-78), covering GitHub Actions script injection via ${{ github.event.* }} in run: steps, pull_request_target checkout of untrusted PR head with secrets, self-hosted runner and cache poisoning, over-privileged GITHUB_TOKEN, unpinned third-party actions, forked-PR secret exfiltration, GitLab CI / Jenkinsfile injection, and insecure OIDC trust policies. Use when reviewing .github/workflows/*.yml, .gitlab-ci.yml, or Jenkinsfile. Writes confirmed findings to findings/35-cicd-and-pipeline-injection.md.
SAST detection methodology for code injection / dynamic evaluation (CWE-94, CWE-95), including eval/exec/Function(), Python compile/__import__, Node vm/vm2 sandbox escape, PHP preg_replace /e, assert/create_function, dynamic require/import, and expression-engine evaluation. Use when reviewing code that evaluates strings as code. Writes confirmed findings to findings/04-code-injection.md.
SAST detection methodology for OS command injection (CWE-78), including shell metacharacter injection, argument/flag injection into git/curl/tar, wildcard injection, shell=True, and indirect injection via env vars and filenames. Use when reviewing code that spawns OS processes. Writes confirmed findings to findings/03-command-injection.md.
SAST detection methodology for CORS misconfiguration (CWE-942, CWE-346), including reflected Origin with Access-Control-Allow-Credentials:true, null origin acceptance, weak origin regex (unescaped dot, prefix/suffix match, trailing-domain confusion), trusting all subdomains, and wildcard-with- credentials pitfalls. Use when reviewing server code or config that emits Access-Control-Allow-* headers or configures a CORS middleware. Writes confirmed findings to findings/17-cors-misconfiguration.md.
SAST detection methodology for CRLF and header injection (CWE-93, CWE-113, CWE-117), including HTTP response splitting, Location/Set-Cookie header injection, log forging, SMTP/email (BCC) header injection, and Host header injection. Use when reviewing code that writes user input into HTTP headers, redirects, log lines, or email envelopes. Writes confirmed findings to findings/08-crlf-and-header-injection.md.
SAST detection methodology for cross-site scripting (CWE-79), including reflected, stored, and DOM-based XSS, mutation XSS (mXSS), framework sink gadgets (dangerouslySetInnerHTML, v-html, bypassSecurityTrust), template auto-escape bypasses, and HTML/attribute/JS/URL/CSS context confusion. Use when reviewing code that emits user data into HTML, the DOM, or a template. Writes confirmed findings to findings/13-cross-site-scripting.md.
SAST detection methodology for cross-site request forgery (CWE-352), including missing/unverified anti-CSRF tokens, tokens not tied to session, SameSite gaps (Lax bypass via top-level GET state change, SameSite=None), JSON CSRF via simple content-types, login/logout CSRF, HTTP method override, CORS-enabled state-changing endpoints, and GET requests that change state. Use when reviewing state-changing endpoints and their CSRF defenses. Writes confirmed findings to findings/18-csrf.md.
SAST detection methodology for dependency and supply-chain risk (CWE-1104, CWE-1357, CWE-829, CWE-427), covering known-vulnerable components, dependency confusion, typosquatting, malicious install/lifecycle scripts, missing or ignored lockfiles and integrity hashes, unpinned/latest versions, direct git/URL/tarball deps, private-registry fallback to public, base-image and GitHub-Action supply chain, and unsafe module search order. Use when reviewing package.json/lockfiles, requirements.txt/poetry.lock, pom.xml, .npmrc, or pip.conf. Writes confirmed findings to findings/37-dependency-and-supply-chain.md.
SAST detection methodology for DOM clobbering and insecure cross-window messaging (CWE-79, CWE-451). Covers id/name attributes overwriting JS globals and document properties, postMessage receivers with missing/weak origin checks, wildcard targetOrigin data leaks, window.name / location.hash / document.referrer as DOM sources, and document.domain relaxation. Use when reviewing client-side JS that reads DOM-derived globals or handles postMessage. Writes confirmed findings to findings/15-dom-clobbering-and-postmessage.md.
SAST detection methodology for GraphQL injection and abuse (CWE-400, CWE-285), covering introspection in production, batching/aliasing/deep-nesting DoS, missing depth/complexity/cost limits, object- and field-level authorization gaps in resolvers (BOLA/BFLA), injection propagating through resolvers into SQL/NoSQL/OS sinks, mutation IDOR, and verbose schema-leaking errors. Use when reviewing GraphQL schemas, resolvers, or server config (Apollo, graphql-js, graphene, graphql-java). Writes confirmed findings to findings/09-graphql-injection-and-abuse.md.
SAST detection methodology for hardcoded / embedded secrets (CWE-798, CWE-259, CWE-321), including API keys, passwords, private keys, tokens and cloud credentials in source, git history, committed .env, CI config, and shipped mobile/front-end bundles, plus high-entropy and default-credential detection. Use when reviewing source, config, or build artifacts for embedded secrets. Writes confirmed findings to findings/28-hardcoded-secrets.md.
SAST detection methodology for HTTP request smuggling / desync (CWE-444), including CL.TE, TE.CL, TE.TE obfuscation, HTTP/2 downgrade smuggling (h2c, H2.CL/H2.TE), and client-side desync. Use when reviewing custom HTTP parsing/forwarding code or reverse-proxy/gateway configuration. Writes confirmed findings to findings/30-http-request-smuggling.md.
SAST detection methodology for Infrastructure-as-Code misconfiguration (CWE-1188, CWE-732, CWE-16), covering public buckets, 0.0.0.0/0 security groups, wildcard IAM, unencrypted storage/RDS, IMDSv1, publicly exposed databases, disabled logging, and Kubernetes/Helm/Dockerfile issues (privileged containers, hostPath/hostNetwork, runAsRoot, missing NetworkPolicy, broad RBAC, plaintext secrets, root/latest images, baked secrets, ADD remote URLs). Use when reviewing *.tf, CloudFormation/k8s YAML, Dockerfile, or Helm charts. Writes confirmed findings to findings/36-iac-misconfiguration.md.
SAST detection methodology for information disclosure (CWE-200), including verbose errors/stack traces (CWE-209), debug mode (Flask/Werkzeug console, Django DEBUG=True, Rails detailed errors, ASP.NET custom errors off), exposed .git/.svn/.env/backup/swap/.DS_Store files, source-map (.map) exposure, directory listing (CWE-548), framework actuator/diagnostic endpoints (Spring Boot /actuator/heapdump, /env, phpinfo), sensitive data in responses/JS bundles/HTML comments (CWE-540), and XSSI/JSONP data leakage. Use when reviewing error handling, debug config, deployed artifacts, and response bodies. Writes confirmed findings to findings/40-information-disclosure.md.
SAST detection methodology for insecure deserialization (CWE-502) across Java (ObjectInputStream/ysoserial/Commons-Collections/Spring/JNDI), .NET (BinaryFormatter, LosFormatter/ViewState, Json.NET TypeNameHandling, ObjectStateFormatter), Python (pickle, unsafe PyYAML), PHP (unserialize + POP chains, phar://), Ruby (Marshal/YAML), and Node (node-serialize, funcster, unserialize). Covers magic-method gadget chains and how untrusted bytes reach a deserializer. Use when reviewing code that deserializes data. Writes confirmed findings to findings/10-insecure-deserialization.md.
SAST detection methodology for insecure randomness (CWE-330, CWE-338, CWE-331), where security-sensitive values (session IDs, password-reset/OTP/CSRF tokens, API keys, coupon codes) are generated with a non-CSPRNG (Math.random, java.util.Random, rand, mt_rand, Python random), a predictable seed, UUIDv1, or insufficient entropy. Use when reviewing code that generates tokens, IDs, keys, or nonces. Writes confirmed findings to findings/29-insecure-randomness.md.
SAST detection methodology for JWT/JWS verification flaws (CWE-347, CWE-345), including alg:none acceptance, HS/RS algorithm confusion, weak HMAC secrets, attacker-supplied keys via jwk/jku/x5u, kid header injection (path traversal / SQLi / command injection), missing exp/nbf/aud/iss validation, decode-without- verify, unpinned algorithms, and sensitive data in the payload. Use when reviewing code that issues or validates JSON Web Tokens. Writes confirmed findings to findings/22-jwt-vulnerabilities.md.
SAST detection methodology for LDAP injection (CWE-90), including search-filter injection, authentication-bypass filters, blind LDAP injection, and DN injection. Use when reviewing code that builds LDAP search filters or distinguished names from user input (JNDI/DirContext, ldap3, python-ldap, PHP ldap_search, .NET DirectorySearcher). Writes confirmed findings to findings/06-ldap-injection.md.
SAST detection methodology for LLM and AI application security (CWE-77, CWE-20, CWE-94), covering direct and indirect prompt injection (untrusted RAG/tool/web/ email content reaching the model), insecure output handling (LLM output flowing unsanitized into eval/exec/SQL/shell/innerHTML/file-path sinks), excessive agency and over-permissioned tools, SSRF/RCE via tool calls, system-prompt and secret leakage, and over-trusting model output for authz/safety. Use when reviewing LLM app code, agent/tool definitions, or RAG pipelines. Writes confirmed findings to findings/38-llm-and-ai-application-security.md.
SAST detection methodology for mass assignment / auto-binding (CWE-915), including whole-request-body binding to models (Rails strong-params gaps, Spring @ModelAttribute data-binder, Django ModelForm fields='__all__', Sequelize/Mongoose req.body spread), privilege escalation via isAdmin/role/ is_verified/balance, nested/related-object over-posting, and GraphQL input over-binding. Use when reviewing create/update handlers that persist objects built from request data. Writes confirmed findings to findings/20-mass-assignment.md.
SAST detection methodology for native memory-safety flaws (CWE-119) in C/C++, unsafe Rust, cgo, and JNI — stack/heap buffer overflow, out-of-bounds read/ write, use-after-free, double-free, integer overflow leading to undersized allocation, format-string, off-by-one, uninitialized memory, and type confusion. Use when reviewing native code or FFI boundaries. Writes confirmed findings to findings/46-memory-safety.md.
SAST detection methodology for Android app security flaws (CWE-926) — exported components & intent hijacking, insecure WebView/JS-bridge, insecure data storage, deep-link/App-Link hijacking, exported ContentProvider, cleartext traffic, missing certificate pinning, mutable PendingIntent, and allowBackup. Use when reviewing an APK, decompiled smali/Java/Kotlin, or an AndroidManifest. Writes confirmed findings to findings/44-mobile-android-security.md.
SAST detection methodology for iOS app security flaws (CWE-312) — insecure local storage (NSUserDefaults/plist/Core Data, Keychain misuse), pasteboard leakage, custom-URL-scheme & universal-link hijacking, WKWebView/UIWebView JS bridge & file access, ATS disabled, pinning bypass, weak jailbreak detection, screenshot caching, and secrets in Info.plist/binary. Use when reviewing an iOS app, Info.plist, or decompiled binary. Writes confirmed findings to findings/45-mobile-ios-security.md.
SAST detection methodology for NoSQL injection (CWE-943), including MongoDB operator injection ($ne/$gt/$regex type-confusion), $where JavaScript execution, aggregation-pipeline abuse, and GraphQL→Mongo flows. Use when reviewing code that queries MongoDB, Redis, CouchDB, or similar document stores. Writes confirmed findings to findings/02-nosql-injection.md.
SAST detection methodology for federated-auth flaws in OAuth 2.0, OpenID Connect, and SAML (CWE-347/352/601), including missing/replayable state (login CSRF), missing PKCE, weak redirect_uri validation, implicit-flow token leakage, SAML signature wrapping (XSW) and unsigned/comment-injection assertions, unvalidated audience/issuer/nonce on ID tokens, confused-deputy across IdPs, and client_secret exposure. Use when reviewing OAuth/OIDC/SAML login and callback code. Writes confirmed findings to findings/23-oauth-oidc-saml-flaws.md.
SAST detection methodology for open redirect (CWE-601), including filter bypasses (//evil.com, backslash tricks, @ userinfo, substring/suffix whitelist flaws, CRLF), redirect_uri / RelayState / next / returnUrl parameter abuse in OAuth/SSO flows, and header/meta-refresh/JS location sinks. Emphasizes its role as a chaining primitive for token theft, phishing, and SSRF filter bypass. Use when reviewing code that redirects a browser to a URL derived from input. Writes confirmed findings to findings/16-open-redirect.md.
SAST detection methodology for path traversal and file inclusion (CWE-22, CWE-98, CWE-73), including ../ traversal, absolute-path override, encoded/ double-encoded/Unicode/null-byte bypasses, LFI→RCE via PHP wrappers and log poisoning, RFI, zip slip, symlink following, and unconfined sendFile. Use when reviewing code that opens, serves, includes, or extracts a file whose path is influenced by input. Writes findings to findings/25-path-traversal-and-file-inclusion.md.
SAST detection methodology for JavaScript/Node prototype pollution (CWE-1321), including client-side PP feeding DOM XSS gadgets and server-side PP escalating to RCE via child_process and template-engine option gadgets. Covers vulnerable recursive merge/extend/clone/set utilities, __proto__/constructor.prototype keys, and nested-object parsers. Use when reviewing JS that merges, clones, or deep-sets objects from untrusted input. Writes confirmed findings to findings/14-prototype-pollution.md.
SAST detection methodology for race conditions and TOCTOU flaws (CWE-362, CWE-367, CWE-366), including limit-overrun / double-spend, non-atomic check-then-act, TOCTOU file races, and missing DB transactions/row locks. Use when reviewing check-then-act logic on shared state (balances, inventory, files, one-time actions). Writes confirmed findings to findings/33-race-conditions-and-toctou.md.
SAST detection methodology for Regular Expression Denial of Service (CWE-1333, CWE-400), including catastrophic backtracking (nested quantifiers, overlapping alternation, backreferences), user-supplied regex compiled at runtime, and known-vulnerable library patterns. Use when reviewing regex used against untrusted input on a backtracking engine. Writes confirmed findings to findings/32-redos.md.
Run LAST, after all per-class SAST detection skills have produced their findings/*.md files. Aggregates every finding, de-duplicates, scores severity, and — the core purpose — reasons about attack chaining: which individual weaknesses combine into full kill chains. Writes SECURITY-ASSESSMENT-REPORT.md.
Dynamically validate SAST findings against a running target to separate real issues from false positives. Use AFTER the detection skills have produced findings/*.md and you have a reachable, IN-SCOPE, authorized environment. Gathers the credentials/scope needed, runs access-control checks FIRST, then tests each finding in priority order using its Burp-pasteable request, and finally validates the ATTACK CHAINS end-to-end (each primitive handoff). Default posture: PROVE EXISTENCE / FEASIBILITY with a benign PoC — do NOT weaponize or exploit.
Orchestrator for a source-to-sink static application security testing (SAST) engagement. Use this FIRST when asked to security-review, audit, or SAST a codebase. Defines scope, recon, the taint model, run order for the per-class detection skills, and how findings are written to per-vulnerability files before the final aggregated attack-chaining report.
SAST detection methodology for security logging and monitoring failures (CWE-778), including missing logging of security events (auth success/failure, access-control denials, high-value transactions, input-validation failures), logging of secrets/PII/tokens (CWE-532), insufficient log context for forensics (CWE-223), absent alerting/monitoring, and non-tamper-resistant/uncentralized logs. Use when reviewing logging configuration, security-event handlers, and what data is written to logs. Largely a code/config-review class. Writes confirmed findings to findings/42-security-logging-and-monitoring-failures.md.
SAST detection methodology for security misconfiguration and missing/weak security headers (CWE-16), including absent CSP/HSTS/X-Content-Type-Options, clickjacking via missing X-Frame-Options / CSP frame-ancestors (CWE-1021), insecure cookie attributes (Secure/HttpOnly/SameSite, cookie scope, __Host-/ __Secure- prefixes), cleartext/mixed content (CWE-319), verbose banners, default pages/credentials, directory listing, and dangerous HTTP methods. Use when reviewing server/framework config, response headers, cookie setup, and web-server hardening. Writes confirmed findings to findings/39-security-misconfiguration-and-headers.md.
SAST detection methodology for server-side template injection (CWE-1336, CWE-94), including Jinja2/Twig/Freemarker/Velocity/ERB SSTI→RCE, Spring SpEL/OGNL, sandbox escapes, and client-side template injection. Use when reviewing code that renders templates, especially where user input becomes part of the template itself. Writes confirmed findings to findings/05-server-side-template-injection.md.
SAST detection methodology for session management flaws (CWE-384 session fixation), including session id not rotated after login/privilege change, no invalidation on logout / password change / role change (CWE-613 absent expiry, CWE-565 cookie-trust), predictable or exposed session identifiers, session id in URL, weak cookie scope/flags (CWE-614), remember-me tokens not rotated, and CSRF-token-vs-session binding. Use when reviewing login/logout, session lifecycle, and session-cookie configuration. Writes confirmed findings to findings/43-session-management.md.