원클릭으로 Manus에서 모든 스킬 실행

$pwd:

sast-data-exposure-testing

Name: Sast Data Exposure Testing
Author: anshumanbh

// Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns.

Manus에서 실행

$ git log --oneline --stat

stars:17

forks:6

updated:2025년 12월 18일 18:46

SKILL.md

readonly

name	sast-data-exposure-testing
description	Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns.
allowed-tools	Read, Grep, Glob

SAST Data Exposure Testing Skill

Purpose

Investigate data exposure vulnerabilities by analyzing:

Logging practices (what gets logged)
API responses (excessive data exposure)
Error handling (information leakage)
Data storage practices

Vulnerability Types Covered

1. Sensitive Data in Logs (CWE-532)

PII or secrets written to log files.

Dangerous Patterns:

# Logging sensitive data
logger.info(f"User login: {username}, password: {password}")
logger.debug(f"API response: {response.json()}")  # May contain PII
print(f"Processing credit card: {card_number}")

Safe Patterns:

logger.info(f"User login: {username}")
logger.debug(f"API response status: {response.status_code}")
logger.info(f"Processing card ending in: {card_number[-4:]}")

2. Excessive Data Exposure (CWE-200)

API returns more data than necessary.

Dangerous Patterns:

@app.route('/api/user/<id>')
def get_user(id):
    user = User.query.get(id)
    return user.to_dict()  # Returns ALL fields including password_hash, SSN, etc.

Safe Patterns:

def get_user(id):
    user = User.query.get(id)
    return {
        'id': user.id,
        'name': user.name,
        'email': user.email
    }  # Only necessary fields

3. Information Disclosure in Errors (CWE-209)

Stack traces or internal details exposed to users.

Dangerous Patterns:

except Exception as e:
    return str(e), 500  # Exposes internal error details
    return traceback.format_exc(), 500  # Full stack trace

Safe Patterns:

except Exception as e:
    logger.error(f"Error: {e}", exc_info=True)
    return {"error": "An internal error occurred"}, 500

4. Privacy Violation (CWE-359)

PII exposed without proper controls.

Dangerous Patterns:

# Exposing PII in URLs
redirect(f"/profile?ssn={user.ssn}")

# Caching sensitive data
cache.set(f"user_{id}", user.to_dict())  # Includes PII

Investigation Methodology

Step 1: Find Logging Points

Search for logging statements:

Patterns: logger., logging., print(, console.log
          log.info, log.debug, log.error
          sentry, bugsnag, rollbar

Step 2: Identify Sensitive Data

Look for PII and sensitive fields:

Patterns: password, ssn, social_security
          credit_card, card_number, cvv
          email, phone, address
          api_key, token, secret

Step 3: Check API Responses

Analyze what data is returned:

Patterns: return user, return .to_dict()
          jsonify(, json.dumps(
          response.json(), render_template

Step 4: Analyze Error Handling

Check exception handling:

Patterns: except Exception, except:
          traceback, exc_info
          return str(e), raise

Step 5: Cross-Reference with Org

Use github_org_code_search to find:

Common logging patterns
Data serialization practices
Error handling standards

Classification Criteria

TRUE_POSITIVE:

Sensitive data (PII, secrets) logged or exposed
Full objects returned without field filtering
Stack traces exposed to end users

FALSE_POSITIVE:

Only non-sensitive data logged
Proper field filtering on API responses
Errors properly sanitized for users

UNVALIDATED:

Logging level configurable (may be disabled in prod)
Data sensitivity depends on context

Output Format

### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL

### Evidence
- **Location**: file:line
- **Exposure Type**: Logging / API Response / Error / Cache
- **Data Exposed**: Type of sensitive data (PII, credentials, etc.)
- **Code**: Relevant code snippet (REDACT actual data)

### Impact
- What data could be exposed
- Who could access it
- Regulatory implications (GDPR, HIPAA, etc.)

### Recommendations
- [Specific fix with code example]

CWE Mapping

CWE-200: Information Exposure
CWE-532: Insertion of Sensitive Information into Log File
CWE-209: Error Message Information Leak
CWE-359: Exposure of Private Personal Information
CWE-615: Sensitive Data in Comments

Safety Rules

ALWAYS redact actual PII/sensitive data in evidence
Replace with [REDACTED] or [PII] placeholder
Only analyze code in the repository provided
Do not extract or store actual sensitive data

related-skills.json

같은 저장소

sast-authentication-testing.md

from "anshumanbh/vulnvibes"

Investigate authentication vulnerabilities in source code including missing authentication, weak authentication, and session management issues. Use when threat model identifies CWE-287 (Improper Authentication), CWE-384 (Session Fixation), CWE-306 (Missing Authentication), or authentication concerns.

2025-12-1817

sast-authorization-testing.md

from "anshumanbh/vulnvibes"

Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns.

2025-12-1817

sast-browser-security-testing.md

from "anshumanbh/vulnvibes"

Investigate browser security vulnerabilities including CORS misconfiguration, CSRF, clickjacking, and cookie security. Use when threat model identifies CWE-346 (Origin Validation), CWE-942 (Permissive CORS), CWE-352 (CSRF), CWE-1021 (Clickjacking), or browser security concerns.

2025-12-1817

sast-cryptography-testing.md

from "anshumanbh/vulnvibes"

Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.

2025-12-1817

sast-deserialization-testing.md

from "anshumanbh/vulnvibes"

Investigate insecure deserialization vulnerabilities that can lead to RCE or data manipulation. Use when threat model identifies CWE-502 (Deserialization of Untrusted Data), CWE-915 (Mass Assignment), or object deserialization concerns.

2025-12-1817

sast-file-security-testing.md

from "anshumanbh/vulnvibes"

Investigate file operation vulnerabilities including unrestricted file upload, path traversal in file operations, and insecure file handling. Use when threat model identifies CWE-434 (Unrestricted Upload), CWE-73 (External Control of File Path), CWE-427 (Uncontrolled Search Path), or file security concerns.

2025-12-1817

package.json

"author": "anshumanbh"

"repository": "anshumanbh/vulnvibes"

GitHub 저장소 열기 Creator 저장소 보기

$ install --global

$ download --local

Manus에서 실행

$ useful --forSOC

정보 보안 분석가컴퓨터 및 수학직15-1212L4

name	sast-data-exposure-testing
description	Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns.
allowed-tools	Read, Grep, Glob

SAST Data Exposure Testing Skill

Purpose

Investigate data exposure vulnerabilities by analyzing:

Logging practices (what gets logged)
API responses (excessive data exposure)
Error handling (information leakage)
Data storage practices

Vulnerability Types Covered

1. Sensitive Data in Logs (CWE-532)

PII or secrets written to log files.

Dangerous Patterns:

# Logging sensitive data
logger.info(f"User login: {username}, password: {password}")
logger.debug(f"API response: {response.json()}")  # May contain PII
print(f"Processing credit card: {card_number}")

Safe Patterns:

logger.info(f"User login: {username}")
logger.debug(f"API response status: {response.status_code}")
logger.info(f"Processing card ending in: {card_number[-4:]}")

2. Excessive Data Exposure (CWE-200)

API returns more data than necessary.

Dangerous Patterns:

@app.route('/api/user/<id>')
def get_user(id):
    user = User.query.get(id)
    return user.to_dict()  # Returns ALL fields including password_hash, SSN, etc.

Safe Patterns:

def get_user(id):
    user = User.query.get(id)
    return {
        'id': user.id,
        'name': user.name,
        'email': user.email
    }  # Only necessary fields

3. Information Disclosure in Errors (CWE-209)

Stack traces or internal details exposed to users.

Dangerous Patterns:

except Exception as e:
    return str(e), 500  # Exposes internal error details
    return traceback.format_exc(), 500  # Full stack trace

Safe Patterns:

except Exception as e:
    logger.error(f"Error: {e}", exc_info=True)
    return {"error": "An internal error occurred"}, 500

4. Privacy Violation (CWE-359)

PII exposed without proper controls.

Dangerous Patterns:

# Exposing PII in URLs
redirect(f"/profile?ssn={user.ssn}")

# Caching sensitive data
cache.set(f"user_{id}", user.to_dict())  # Includes PII

Investigation Methodology

Step 1: Find Logging Points

Search for logging statements:

Patterns: logger., logging., print(, console.log
          log.info, log.debug, log.error
          sentry, bugsnag, rollbar

Step 2: Identify Sensitive Data

Look for PII and sensitive fields:

Patterns: password, ssn, social_security
          credit_card, card_number, cvv
          email, phone, address
          api_key, token, secret

Step 3: Check API Responses

Analyze what data is returned:

Patterns: return user, return .to_dict()
          jsonify(, json.dumps(
          response.json(), render_template

Step 4: Analyze Error Handling

Check exception handling:

Patterns: except Exception, except:
          traceback, exc_info
          return str(e), raise

Step 5: Cross-Reference with Org

Use github_org_code_search to find:

Common logging patterns
Data serialization practices
Error handling standards

Classification Criteria

TRUE_POSITIVE:

Sensitive data (PII, secrets) logged or exposed
Full objects returned without field filtering
Stack traces exposed to end users

FALSE_POSITIVE:

Only non-sensitive data logged
Proper field filtering on API responses
Errors properly sanitized for users

UNVALIDATED:

Logging level configurable (may be disabled in prod)
Data sensitivity depends on context

Output Format

### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL

### Evidence
- **Location**: file:line
- **Exposure Type**: Logging / API Response / Error / Cache
- **Data Exposed**: Type of sensitive data (PII, credentials, etc.)
- **Code**: Relevant code snippet (REDACT actual data)

### Impact
- What data could be exposed
- Who could access it
- Regulatory implications (GDPR, HIPAA, etc.)

### Recommendations
- [Specific fix with code example]

CWE Mapping

CWE-200: Information Exposure
CWE-532: Insertion of Sensitive Information into Log File
CWE-209: Error Message Information Leak
CWE-359: Exposure of Private Personal Information
CWE-615: Sensitive Data in Comments

Safety Rules

ALWAYS redact actual PII/sensitive data in evidence
Replace with [REDACTED] or [PII] placeholder
Only analyze code in the repository provided
Do not extract or store actual sensitive data

sast-data-exposure-testing

SAST Data Exposure Testing Skill

Purpose

Vulnerability Types Covered

1. Sensitive Data in Logs (CWE-532)

2. Excessive Data Exposure (CWE-200)

3. Information Disclosure in Errors (CWE-209)

4. Privacy Violation (CWE-359)

Investigation Methodology

Step 1: Find Logging Points

Step 2: Identify Sensitive Data

Step 3: Check API Responses

Step 4: Analyze Error Handling

Step 5: Cross-Reference with Org

Classification Criteria

Output Format

CWE Mapping

Safety Rules

이 저장소의 다른 Skills

이 저장소의 다른 Skills

SAST Data Exposure Testing Skill

Purpose

Vulnerability Types Covered

1. Sensitive Data in Logs (CWE-532)

2. Excessive Data Exposure (CWE-200)

3. Information Disclosure in Errors (CWE-209)

4. Privacy Violation (CWE-359)

Investigation Methodology

Step 1: Find Logging Points

Step 2: Identify Sensitive Data

Step 3: Check API Responses

Step 4: Analyze Error Handling

Step 5: Cross-Reference with Org

Classification Criteria

Output Format

CWE Mapping

Safety Rules