一键在 Manus 中运行任何 Skill

$pwd:

sast-authorization-testing

Name: Sast Authorization Testing
Author: anshumanbh

// Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns.

在 Manus 中运行

$ git log --oneline --stat

stars:17

forks:6

updated:2025年12月18日 18:46

SKILL.md

readonly

name	sast-authorization-testing
description	Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns.
allowed-tools	Read, Grep, Glob

SAST Authorization Testing Skill

Purpose

Investigate authorization failures in source code by tracing:

User identity checks (horizontal privilege escalation / IDOR)
Role/privilege verification (vertical privilege escalation)
Resource ownership validation rules
Function-level access controls

Vulnerability Types Covered

1. Insecure Direct Object Reference - IDOR (CWE-639)

User can access other users' resources by manipulating object IDs.

Code Patterns to Find:

Direct use of user-supplied IDs without ownership checks
Missing user_id == current_user.id comparisons
API endpoints accepting resource IDs without authorization

Example Vulnerable Code:

@app.route('/api/user/<int:user_id>')
def get_user(user_id):
    return User.query.get(user_id).to_dict()  # No check if current user can access

2. Vertical Privilege Escalation (CWE-269)

User performs actions requiring higher privileges.

Code Patterns to Find:

Admin endpoints without role checks
Missing @admin_required or @role_required decorators
Role modification endpoints accessible to regular users

Example Vulnerable Code:

@app.route('/admin/delete_user', methods=['POST'])
def delete_user():  # No @admin_required
    User.query.filter_by(id=request.json['id']).delete()

3. Missing Authorization (CWE-862)

Actions execute without ANY authorization check.

Code Patterns to Find:

API endpoints with no authentication decorator
Direct database operations without auth context
Sensitive operations in unauthenticated routes

4. Incorrect Authorization (CWE-863)

Wrong authorization logic applied.

Code Patterns to Find:

Flawed ownership checks (checking wrong field)
OR instead of AND in permission checks
Race conditions in authorization

Investigation Methodology

Step 1: Identify Entry Points

Search for affected routes/endpoints from PR changes:

Grep for: @app.route, @router, def handle_, async def

Step 2: Trace Authorization Decorators

Look for authorization decorators/middleware:

Patterns: @require_auth, @login_required, @admin_only
          @permission_required, @role_required
          authorize!, can?, has_permission

Step 3: Check Ownership Validation

Search for ownership checks in handlers:

Patterns: current_user.id ==, request.user.id
          .filter(user_id=, owner_id=
          belongs_to?, owned_by

Step 4: Cross-Reference with Org

Use github_org_code_search to find:

How other endpoints implement authz
Shared auth middleware/decorators
Common security patterns in the org

Step 5: Verify Data Flow

Trace from user input → database query:

Is the resource ID validated against user context?
Can a user access resources they don't own?

Classification Criteria

TRUE_POSITIVE:

No authorization check exists for sensitive operation
Ownership check is missing or bypassable
Role check uses wrong comparison logic

FALSE_POSITIVE:

Proper authorization decorator exists
Ownership validation is implemented correctly
Access is intentionally public

UNVALIDATED:

Authorization logic is in middleware not visible in PR
Complex dynamic authorization that can't be statically analyzed

Output Format

### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL

### Evidence
- **Location**: file:line
- **Issue**: Description of the authorization gap
- **Code**: Relevant code snippet

### Attack Scenario
How an attacker could exploit this:
1. [Steps to reproduce]

### Recommendations
- [Specific fix with code example]

CWE Mapping

CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)
CWE-269: Improper Privilege Management
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization
CWE-284: Improper Access Control

Safety Rules

Only analyze code in the repository provided
Do not attempt to exploit or test against live systems
Redact any sensitive data (API keys, secrets) from evidence

related-skills.json

同仓库

sast-authentication-testing.md

from "anshumanbh/vulnvibes"

Investigate authentication vulnerabilities in source code including missing authentication, weak authentication, and session management issues. Use when threat model identifies CWE-287 (Improper Authentication), CWE-384 (Session Fixation), CWE-306 (Missing Authentication), or authentication concerns.

2025-12-1817

sast-browser-security-testing.md

from "anshumanbh/vulnvibes"

Investigate browser security vulnerabilities including CORS misconfiguration, CSRF, clickjacking, and cookie security. Use when threat model identifies CWE-346 (Origin Validation), CWE-942 (Permissive CORS), CWE-352 (CSRF), CWE-1021 (Clickjacking), or browser security concerns.

2025-12-1817

sast-cryptography-testing.md

from "anshumanbh/vulnvibes"

Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.

2025-12-1817

sast-data-exposure-testing.md

from "anshumanbh/vulnvibes"

Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns.

2025-12-1817

sast-deserialization-testing.md

from "anshumanbh/vulnvibes"

Investigate insecure deserialization vulnerabilities that can lead to RCE or data manipulation. Use when threat model identifies CWE-502 (Deserialization of Untrusted Data), CWE-915 (Mass Assignment), or object deserialization concerns.

2025-12-1817

sast-file-security-testing.md

from "anshumanbh/vulnvibes"

Investigate file operation vulnerabilities including unrestricted file upload, path traversal in file operations, and insecure file handling. Use when threat model identifies CWE-434 (Unrestricted Upload), CWE-73 (External Control of File Path), CWE-427 (Uncontrolled Search Path), or file security concerns.

2025-12-1817

package.json

"author": "anshumanbh"

"repository": "anshumanbh/vulnvibes"

打开 GitHub 仓库查看创作者相关仓库

$ install --global

$ download --local

在 Manus 中运行

$ useful --forSOC

信息安全分析师计算机与数学类职业15-1212L4

name	sast-authorization-testing
description	Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns.
allowed-tools	Read, Grep, Glob

SAST Authorization Testing Skill

Purpose

Investigate authorization failures in source code by tracing:

User identity checks (horizontal privilege escalation / IDOR)
Role/privilege verification (vertical privilege escalation)
Resource ownership validation rules
Function-level access controls

Vulnerability Types Covered

1. Insecure Direct Object Reference - IDOR (CWE-639)

User can access other users' resources by manipulating object IDs.

Code Patterns to Find:

Direct use of user-supplied IDs without ownership checks
Missing user_id == current_user.id comparisons
API endpoints accepting resource IDs without authorization

Example Vulnerable Code:

@app.route('/api/user/<int:user_id>')
def get_user(user_id):
    return User.query.get(user_id).to_dict()  # No check if current user can access

2. Vertical Privilege Escalation (CWE-269)

User performs actions requiring higher privileges.

Code Patterns to Find:

Admin endpoints without role checks
Missing @admin_required or @role_required decorators
Role modification endpoints accessible to regular users

Example Vulnerable Code:

@app.route('/admin/delete_user', methods=['POST'])
def delete_user():  # No @admin_required
    User.query.filter_by(id=request.json['id']).delete()

3. Missing Authorization (CWE-862)

Actions execute without ANY authorization check.

Code Patterns to Find:

API endpoints with no authentication decorator
Direct database operations without auth context
Sensitive operations in unauthenticated routes

4. Incorrect Authorization (CWE-863)

Wrong authorization logic applied.

Code Patterns to Find:

Flawed ownership checks (checking wrong field)
OR instead of AND in permission checks
Race conditions in authorization

Investigation Methodology

Step 1: Identify Entry Points

Search for affected routes/endpoints from PR changes:

Grep for: @app.route, @router, def handle_, async def

Step 2: Trace Authorization Decorators

Look for authorization decorators/middleware:

Patterns: @require_auth, @login_required, @admin_only
          @permission_required, @role_required
          authorize!, can?, has_permission

Step 3: Check Ownership Validation

Search for ownership checks in handlers:

Patterns: current_user.id ==, request.user.id
          .filter(user_id=, owner_id=
          belongs_to?, owned_by

Step 4: Cross-Reference with Org

Use github_org_code_search to find:

How other endpoints implement authz
Shared auth middleware/decorators
Common security patterns in the org

Step 5: Verify Data Flow

Trace from user input → database query:

Is the resource ID validated against user context?
Can a user access resources they don't own?

Classification Criteria

TRUE_POSITIVE:

No authorization check exists for sensitive operation
Ownership check is missing or bypassable
Role check uses wrong comparison logic

FALSE_POSITIVE:

Proper authorization decorator exists
Ownership validation is implemented correctly
Access is intentionally public

UNVALIDATED:

Authorization logic is in middleware not visible in PR
Complex dynamic authorization that can't be statically analyzed

Output Format

### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL

### Evidence
- **Location**: file:line
- **Issue**: Description of the authorization gap
- **Code**: Relevant code snippet

### Attack Scenario
How an attacker could exploit this:
1. [Steps to reproduce]

### Recommendations
- [Specific fix with code example]

CWE Mapping

CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)
CWE-269: Improper Privilege Management
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization
CWE-284: Improper Access Control

Safety Rules

Only analyze code in the repository provided
Do not attempt to exploit or test against live systems
Redact any sensitive data (API keys, secrets) from evidence

sast-authorization-testing

SAST Authorization Testing Skill

Purpose

Vulnerability Types Covered

1. Insecure Direct Object Reference - IDOR (CWE-639)

2. Vertical Privilege Escalation (CWE-269)

3. Missing Authorization (CWE-862)

4. Incorrect Authorization (CWE-863)

Investigation Methodology

Step 1: Identify Entry Points

Step 2: Trace Authorization Decorators

Step 3: Check Ownership Validation

Step 4: Cross-Reference with Org

Step 5: Verify Data Flow

Classification Criteria

Output Format

CWE Mapping

Safety Rules

同仓库更多 Skills

同仓库更多 Skills

SAST Authorization Testing Skill

Purpose

Vulnerability Types Covered

1. Insecure Direct Object Reference - IDOR (CWE-639)

2. Vertical Privilege Escalation (CWE-269)

3. Missing Authorization (CWE-862)

4. Incorrect Authorization (CWE-863)

Investigation Methodology

Step 1: Identify Entry Points

Step 2: Trace Authorization Decorators

Step 3: Check Ownership Validation

Step 4: Cross-Reference with Org

Step 5: Verify Data Flow

Classification Criteria

Output Format

CWE Mapping

Safety Rules