ワンクリックで
mona-sast-skills
mona-sast-skills には KaanBicaklar から収集した 50 個の skills があり、リポジトリ単位の職業カバレッジとサイト内 skill 詳細ページを表示します。
このリポジトリの skills
SAST detection methodology for authentication failures (CWE-287/640/307/620), including insecure password reset (predictable/non-expiring tokens, host-header poisoning, token in referer), user enumeration, missing rate-limiting/account lockout, MFA bypass, auth race conditions, insecure "remember me", non-constant-time credential comparison, and default/weak credentials. Use when reviewing login, registration, password-reset, and MFA flows. Writes confirmed findings to findings/21-authentication-flaws.md.
SAST detection methodology for broken access control (CWE-284/862) and insecure direct object references / BOLA (CWE-639), including function-level authorization gaps (BFLA), horizontal/vertical privilege escalation, missing ownership checks, "UUID is not access control", and inconsistent auth middleware. Use when reviewing routes/controllers/resolvers that read or mutate a resource identified by a request-supplied id. Writes confirmed findings to findings/19-broken-access-control-idor.md.
SAST detection methodology for business-logic flaws (CWE-840, CWE-841), including negative/overflow quantities, price/discount manipulation, trusting client-computed totals, workflow step-skipping, coupon/referral abuse, and replay of one-time actions. Use when reviewing server-side handling of business values and invariants. Writes confirmed findings to findings/34-business-logic-flaws.md.
SAST detection methodology for CI/CD and pipeline injection (CWE-94, CWE-78), covering GitHub Actions script injection via ${{ github.event.* }} in run: steps, pull_request_target checkout of untrusted PR head with secrets, self-hosted runner and cache poisoning, over-privileged GITHUB_TOKEN, unpinned third-party actions, forked-PR secret exfiltration, GitLab CI / Jenkinsfile injection, and insecure OIDC trust policies. Use when reviewing .github/workflows/*.yml, .gitlab-ci.yml, or Jenkinsfile. Writes confirmed findings to findings/35-cicd-and-pipeline-injection.md.
SAST detection methodology for code injection / dynamic evaluation (CWE-94, CWE-95), including eval/exec/Function(), Python compile/__import__, Node vm/vm2 sandbox escape, PHP preg_replace /e, assert/create_function, dynamic require/import, and expression-engine evaluation. Use when reviewing code that evaluates strings as code. Writes confirmed findings to findings/04-code-injection.md.
SAST detection methodology for OS command injection (CWE-78), including shell metacharacter injection, argument/flag injection into git/curl/tar, wildcard injection, shell=True, and indirect injection via env vars and filenames. Use when reviewing code that spawns OS processes. Writes confirmed findings to findings/03-command-injection.md.
SAST detection methodology for CORS misconfiguration (CWE-942, CWE-346), including reflected Origin with Access-Control-Allow-Credentials:true, null origin acceptance, weak origin regex (unescaped dot, prefix/suffix match, trailing-domain confusion), trusting all subdomains, and wildcard-with- credentials pitfalls. Use when reviewing server code or config that emits Access-Control-Allow-* headers or configures a CORS middleware. Writes confirmed findings to findings/17-cors-misconfiguration.md.
SAST detection methodology for CRLF and header injection (CWE-93, CWE-113, CWE-117), including HTTP response splitting, Location/Set-Cookie header injection, log forging, SMTP/email (BCC) header injection, and Host header injection. Use when reviewing code that writes user input into HTTP headers, redirects, log lines, or email envelopes. Writes confirmed findings to findings/08-crlf-and-header-injection.md.
SAST detection methodology for cross-site scripting (CWE-79), including reflected, stored, and DOM-based XSS, mutation XSS (mXSS), framework sink gadgets (dangerouslySetInnerHTML, v-html, bypassSecurityTrust), template auto-escape bypasses, and HTML/attribute/JS/URL/CSS context confusion. Use when reviewing code that emits user data into HTML, the DOM, or a template. Writes confirmed findings to findings/13-cross-site-scripting.md.
SAST detection methodology for cross-site request forgery (CWE-352), including missing/unverified anti-CSRF tokens, tokens not tied to session, SameSite gaps (Lax bypass via top-level GET state change, SameSite=None), JSON CSRF via simple content-types, login/logout CSRF, HTTP method override, CORS-enabled state-changing endpoints, and GET requests that change state. Use when reviewing state-changing endpoints and their CSRF defenses. Writes confirmed findings to findings/18-csrf.md.
SAST detection methodology for dependency and supply-chain risk (CWE-1104, CWE-1357, CWE-829, CWE-427), covering known-vulnerable components, dependency confusion, typosquatting, malicious install/lifecycle scripts, missing or ignored lockfiles and integrity hashes, unpinned/latest versions, direct git/URL/tarball deps, private-registry fallback to public, base-image and GitHub-Action supply chain, and unsafe module search order. Use when reviewing package.json/lockfiles, requirements.txt/poetry.lock, pom.xml, .npmrc, or pip.conf. Writes confirmed findings to findings/37-dependency-and-supply-chain.md.
SAST detection methodology for DOM clobbering and insecure cross-window messaging (CWE-79, CWE-451). Covers id/name attributes overwriting JS globals and document properties, postMessage receivers with missing/weak origin checks, wildcard targetOrigin data leaks, window.name / location.hash / document.referrer as DOM sources, and document.domain relaxation. Use when reviewing client-side JS that reads DOM-derived globals or handles postMessage. Writes confirmed findings to findings/15-dom-clobbering-and-postmessage.md.
SAST detection methodology for GraphQL injection and abuse (CWE-400, CWE-285), covering introspection in production, batching/aliasing/deep-nesting DoS, missing depth/complexity/cost limits, object- and field-level authorization gaps in resolvers (BOLA/BFLA), injection propagating through resolvers into SQL/NoSQL/OS sinks, mutation IDOR, and verbose schema-leaking errors. Use when reviewing GraphQL schemas, resolvers, or server config (Apollo, graphql-js, graphene, graphql-java). Writes confirmed findings to findings/09-graphql-injection-and-abuse.md.
SAST detection methodology for hardcoded / embedded secrets (CWE-798, CWE-259, CWE-321), including API keys, passwords, private keys, tokens and cloud credentials in source, git history, committed .env, CI config, and shipped mobile/front-end bundles, plus high-entropy and default-credential detection. Use when reviewing source, config, or build artifacts for embedded secrets. Writes confirmed findings to findings/28-hardcoded-secrets.md.
SAST detection methodology for HTTP request smuggling / desync (CWE-444), including CL.TE, TE.CL, TE.TE obfuscation, HTTP/2 downgrade smuggling (h2c, H2.CL/H2.TE), and client-side desync. Use when reviewing custom HTTP parsing/forwarding code or reverse-proxy/gateway configuration. Writes confirmed findings to findings/30-http-request-smuggling.md.
SAST detection methodology for Infrastructure-as-Code misconfiguration (CWE-1188, CWE-732, CWE-16), covering public buckets, 0.0.0.0/0 security groups, wildcard IAM, unencrypted storage/RDS, IMDSv1, publicly exposed databases, disabled logging, and Kubernetes/Helm/Dockerfile issues (privileged containers, hostPath/hostNetwork, runAsRoot, missing NetworkPolicy, broad RBAC, plaintext secrets, root/latest images, baked secrets, ADD remote URLs). Use when reviewing *.tf, CloudFormation/k8s YAML, Dockerfile, or Helm charts. Writes confirmed findings to findings/36-iac-misconfiguration.md.
SAST detection methodology for information disclosure (CWE-200), including verbose errors/stack traces (CWE-209), debug mode (Flask/Werkzeug console, Django DEBUG=True, Rails detailed errors, ASP.NET custom errors off), exposed .git/.svn/.env/backup/swap/.DS_Store files, source-map (.map) exposure, directory listing (CWE-548), framework actuator/diagnostic endpoints (Spring Boot /actuator/heapdump, /env, phpinfo), sensitive data in responses/JS bundles/HTML comments (CWE-540), and XSSI/JSONP data leakage. Use when reviewing error handling, debug config, deployed artifacts, and response bodies. Writes confirmed findings to findings/40-information-disclosure.md.
SAST detection methodology for insecure deserialization (CWE-502) across Java (ObjectInputStream/ysoserial/Commons-Collections/Spring/JNDI), .NET (BinaryFormatter, LosFormatter/ViewState, Json.NET TypeNameHandling, ObjectStateFormatter), Python (pickle, unsafe PyYAML), PHP (unserialize + POP chains, phar://), Ruby (Marshal/YAML), and Node (node-serialize, funcster, unserialize). Covers magic-method gadget chains and how untrusted bytes reach a deserializer. Use when reviewing code that deserializes data. Writes confirmed findings to findings/10-insecure-deserialization.md.
SAST detection methodology for insecure randomness (CWE-330, CWE-338, CWE-331), where security-sensitive values (session IDs, password-reset/OTP/CSRF tokens, API keys, coupon codes) are generated with a non-CSPRNG (Math.random, java.util.Random, rand, mt_rand, Python random), a predictable seed, UUIDv1, or insufficient entropy. Use when reviewing code that generates tokens, IDs, keys, or nonces. Writes confirmed findings to findings/29-insecure-randomness.md.
SAST detection methodology for JWT/JWS verification flaws (CWE-347, CWE-345), including alg:none acceptance, HS/RS algorithm confusion, weak HMAC secrets, attacker-supplied keys via jwk/jku/x5u, kid header injection (path traversal / SQLi / command injection), missing exp/nbf/aud/iss validation, decode-without- verify, unpinned algorithms, and sensitive data in the payload. Use when reviewing code that issues or validates JSON Web Tokens. Writes confirmed findings to findings/22-jwt-vulnerabilities.md.
SAST detection methodology for LDAP injection (CWE-90), including search-filter injection, authentication-bypass filters, blind LDAP injection, and DN injection. Use when reviewing code that builds LDAP search filters or distinguished names from user input (JNDI/DirContext, ldap3, python-ldap, PHP ldap_search, .NET DirectorySearcher). Writes confirmed findings to findings/06-ldap-injection.md.
SAST detection methodology for LLM and AI application security (CWE-77, CWE-20, CWE-94), covering direct and indirect prompt injection (untrusted RAG/tool/web/ email content reaching the model), insecure output handling (LLM output flowing unsanitized into eval/exec/SQL/shell/innerHTML/file-path sinks), excessive agency and over-permissioned tools, SSRF/RCE via tool calls, system-prompt and secret leakage, and over-trusting model output for authz/safety. Use when reviewing LLM app code, agent/tool definitions, or RAG pipelines. Writes confirmed findings to findings/38-llm-and-ai-application-security.md.
SAST detection methodology for mass assignment / auto-binding (CWE-915), including whole-request-body binding to models (Rails strong-params gaps, Spring @ModelAttribute data-binder, Django ModelForm fields='__all__', Sequelize/Mongoose req.body spread), privilege escalation via isAdmin/role/ is_verified/balance, nested/related-object over-posting, and GraphQL input over-binding. Use when reviewing create/update handlers that persist objects built from request data. Writes confirmed findings to findings/20-mass-assignment.md.
SAST detection methodology for native memory-safety flaws (CWE-119) in C/C++, unsafe Rust, cgo, and JNI — stack/heap buffer overflow, out-of-bounds read/ write, use-after-free, double-free, integer overflow leading to undersized allocation, format-string, off-by-one, uninitialized memory, and type confusion. Use when reviewing native code or FFI boundaries. Writes confirmed findings to findings/46-memory-safety.md.
SAST detection methodology for Android app security flaws (CWE-926) — exported components & intent hijacking, insecure WebView/JS-bridge, insecure data storage, deep-link/App-Link hijacking, exported ContentProvider, cleartext traffic, missing certificate pinning, mutable PendingIntent, and allowBackup. Use when reviewing an APK, decompiled smali/Java/Kotlin, or an AndroidManifest. Writes confirmed findings to findings/44-mobile-android-security.md.
SAST detection methodology for iOS app security flaws (CWE-312) — insecure local storage (NSUserDefaults/plist/Core Data, Keychain misuse), pasteboard leakage, custom-URL-scheme & universal-link hijacking, WKWebView/UIWebView JS bridge & file access, ATS disabled, pinning bypass, weak jailbreak detection, screenshot caching, and secrets in Info.plist/binary. Use when reviewing an iOS app, Info.plist, or decompiled binary. Writes confirmed findings to findings/45-mobile-ios-security.md.
SAST detection methodology for NoSQL injection (CWE-943), including MongoDB operator injection ($ne/$gt/$regex type-confusion), $where JavaScript execution, aggregation-pipeline abuse, and GraphQL→Mongo flows. Use when reviewing code that queries MongoDB, Redis, CouchDB, or similar document stores. Writes confirmed findings to findings/02-nosql-injection.md.
SAST detection methodology for federated-auth flaws in OAuth 2.0, OpenID Connect, and SAML (CWE-347/352/601), including missing/replayable state (login CSRF), missing PKCE, weak redirect_uri validation, implicit-flow token leakage, SAML signature wrapping (XSW) and unsigned/comment-injection assertions, unvalidated audience/issuer/nonce on ID tokens, confused-deputy across IdPs, and client_secret exposure. Use when reviewing OAuth/OIDC/SAML login and callback code. Writes confirmed findings to findings/23-oauth-oidc-saml-flaws.md.
SAST detection methodology for open redirect (CWE-601), including filter bypasses (//evil.com, backslash tricks, @ userinfo, substring/suffix whitelist flaws, CRLF), redirect_uri / RelayState / next / returnUrl parameter abuse in OAuth/SSO flows, and header/meta-refresh/JS location sinks. Emphasizes its role as a chaining primitive for token theft, phishing, and SSRF filter bypass. Use when reviewing code that redirects a browser to a URL derived from input. Writes confirmed findings to findings/16-open-redirect.md.
SAST detection methodology for path traversal and file inclusion (CWE-22, CWE-98, CWE-73), including ../ traversal, absolute-path override, encoded/ double-encoded/Unicode/null-byte bypasses, LFI→RCE via PHP wrappers and log poisoning, RFI, zip slip, symlink following, and unconfined sendFile. Use when reviewing code that opens, serves, includes, or extracts a file whose path is influenced by input. Writes findings to findings/25-path-traversal-and-file-inclusion.md.
SAST detection methodology for JavaScript/Node prototype pollution (CWE-1321), including client-side PP feeding DOM XSS gadgets and server-side PP escalating to RCE via child_process and template-engine option gadgets. Covers vulnerable recursive merge/extend/clone/set utilities, __proto__/constructor.prototype keys, and nested-object parsers. Use when reviewing JS that merges, clones, or deep-sets objects from untrusted input. Writes confirmed findings to findings/14-prototype-pollution.md.
SAST detection methodology for race conditions and TOCTOU flaws (CWE-362, CWE-367, CWE-366), including limit-overrun / double-spend, non-atomic check-then-act, TOCTOU file races, and missing DB transactions/row locks. Use when reviewing check-then-act logic on shared state (balances, inventory, files, one-time actions). Writes confirmed findings to findings/33-race-conditions-and-toctou.md.
SAST detection methodology for Regular Expression Denial of Service (CWE-1333, CWE-400), including catastrophic backtracking (nested quantifiers, overlapping alternation, backreferences), user-supplied regex compiled at runtime, and known-vulnerable library patterns. Use when reviewing regex used against untrusted input on a backtracking engine. Writes confirmed findings to findings/32-redos.md.
Run LAST, after all per-class SAST detection skills have produced their findings/*.md files. Aggregates every finding, de-duplicates, scores severity, and — the core purpose — reasons about attack chaining: which individual weaknesses combine into full kill chains. Writes SECURITY-ASSESSMENT-REPORT.md.
Dynamically validate SAST findings against a running target to separate real issues from false positives. Use AFTER the detection skills have produced findings/*.md and you have a reachable, IN-SCOPE, authorized environment. Gathers the credentials/scope needed, runs access-control checks FIRST, then tests each finding in priority order using its Burp-pasteable request, and finally validates the ATTACK CHAINS end-to-end (each primitive handoff). Default posture: PROVE EXISTENCE / FEASIBILITY with a benign PoC — do NOT weaponize or exploit.
Orchestrator for a source-to-sink static application security testing (SAST) engagement. Use this FIRST when asked to security-review, audit, or SAST a codebase. Defines scope, recon, the taint model, run order for the per-class detection skills, and how findings are written to per-vulnerability files before the final aggregated attack-chaining report.
SAST detection methodology for security logging and monitoring failures (CWE-778), including missing logging of security events (auth success/failure, access-control denials, high-value transactions, input-validation failures), logging of secrets/PII/tokens (CWE-532), insufficient log context for forensics (CWE-223), absent alerting/monitoring, and non-tamper-resistant/uncentralized logs. Use when reviewing logging configuration, security-event handlers, and what data is written to logs. Largely a code/config-review class. Writes confirmed findings to findings/42-security-logging-and-monitoring-failures.md.
SAST detection methodology for security misconfiguration and missing/weak security headers (CWE-16), including absent CSP/HSTS/X-Content-Type-Options, clickjacking via missing X-Frame-Options / CSP frame-ancestors (CWE-1021), insecure cookie attributes (Secure/HttpOnly/SameSite, cookie scope, __Host-/ __Secure- prefixes), cleartext/mixed content (CWE-319), verbose banners, default pages/credentials, directory listing, and dangerous HTTP methods. Use when reviewing server/framework config, response headers, cookie setup, and web-server hardening. Writes confirmed findings to findings/39-security-misconfiguration-and-headers.md.
SAST detection methodology for server-side template injection (CWE-1336, CWE-94), including Jinja2/Twig/Freemarker/Velocity/ERB SSTI→RCE, Spring SpEL/OGNL, sandbox escapes, and client-side template injection. Use when reviewing code that renders templates, especially where user input becomes part of the template itself. Writes confirmed findings to findings/05-server-side-template-injection.md.
SAST detection methodology for session management flaws (CWE-384 session fixation), including session id not rotated after login/privilege change, no invalidation on logout / password change / role change (CWE-613 absent expiry, CWE-565 cookie-trust), predictable or exposed session identifiers, session id in URL, weak cookie scope/flags (CWE-614), remember-me tokens not rotated, and CSRF-token-vs-session binding. Use when reviewing login/logout, session lifecycle, and session-cookie configuration. Writes confirmed findings to findings/43-session-management.md.