@intentsolutionsio/penetration-tester 2.0.0 → 3.0.4

package/skills/detecting-command-injection-patterns/scripts/scan_cmdi.py

@@ -0,0 +1,290 @@
+#!/usr/bin/env python3
+"""Static-analysis scan for command-injection patterns.
+
+References:
+    CWE-78 Improper Neutralization of Special Elements used in an OS Command
+    OWASP A03:2021 Injection
+"""
+
+from __future__ import annotations
+
+import argparse
+import re
+import sys
+from pathlib import Path
+
+_PLUGIN_ROOT = Path(__file__).resolve().parents[3]
+if str(_PLUGIN_ROOT) not in sys.path:
+    sys.path.insert(0, str(_PLUGIN_ROOT))
+
+from lib.finding import Finding, Severity  # noqa: E402
+from lib.report import emit, exit_code  # noqa: E402
+
+SKILL_ID = "detecting-command-injection-patterns"
+
+
+PY_PATTERNS = [
+    (
+        "Python subprocess with shell=True + f-string",
+        Severity.CRITICAL,
+        r"subprocess\.(?:run|call|check_output|check_call|Popen)\s*\(\s*f['\"]",
+        "python",
+    ),
+    (
+        "Python subprocess with shell=True + concat",
+        Severity.CRITICAL,
+        r"subprocess\.[a-z_]+\s*\(\s*['\"][^'\"]*['\"]\s*\+\s*\w[^,)]*,[^)]*shell\s*=\s*True",
+        "python",
+    ),
+    (
+        "Python subprocess shell=True (any form, needs review)",
+        Severity.HIGH,
+        r"subprocess\.[a-z_]+\s*\([^)]*shell\s*=\s*True",
+        "python",
+    ),
+    (
+        "Python os.system with f-string / concat",
+        Severity.CRITICAL,
+        r"os\.system\s*\(\s*(?:f['\"]|['\"][^'\"]*['\"]\s*\+)",
+        "python",
+    ),
+    (
+        "Python os.popen with interpolation",
+        Severity.CRITICAL,
+        r"os\.popen\s*\(\s*(?:f['\"]|['\"][^'\"]*['\"]\s*\+)",
+        "python",
+    ),
+    (
+        "Python commands.getoutput / getstatusoutput (legacy)",
+        Severity.HIGH,
+        r"commands\.(?:getoutput|getstatusoutput)\s*\(",
+        "python",
+    ),
+]
+
+JS_PATTERNS = [
+    (
+        "Node child_process.exec with template literal",
+        Severity.CRITICAL,
+        r"(?:child_process|require\(['\"]child_process['\"]\))\.exec(?:Sync)?\s*\(\s*`[^`]*\$\{",
+        "javascript",
+    ),
+    ("Node exec with concat", Severity.CRITICAL, r"\.exec(?:Sync)?\s*\(\s*['\"][^'\"]*['\"]\s*\+\s*\w", "javascript"),
+    (
+        "Node execFile with shell wrapper",
+        Severity.HIGH,
+        r"\.execFile(?:Sync)?\s*\(\s*['\"](?:sh|bash|/bin/sh)['\"]",
+        "javascript",
+    ),
+    (
+        "Node spawn with shell:true option",
+        Severity.HIGH,
+        r"\.spawn(?:Sync)?\s*\([^)]*\{[^}]*shell\s*:\s*true",
+        "javascript",
+    ),
+]
+
+RUBY_PATTERNS = [
+    ("Ruby backticks with interpolation", Severity.CRITICAL, r"`[^`]*#\{[^}]+\}[^`]*`", "ruby"),
+    ("Ruby Kernel#system with interpolation", Severity.CRITICAL, r"\bsystem\s*\(\s*['\"][^'\"]*#\{", "ruby"),
+    ("Ruby Kernel#exec with interpolation", Severity.CRITICAL, r"\bexec\s*\(\s*['\"][^'\"]*#\{", "ruby"),
+    (
+        "Ruby Open3 with shell wrapper interpolation",
+        Severity.HIGH,
+        r"Open3\.(?:popen|capture)[a-z0-9_]*\s*\(\s*['\"][^'\"]*#\{",
+        "ruby",
+    ),
+]
+
+GO_PATTERNS = [
+    (
+        "Go exec.Command with sh -c + concat",
+        Severity.HIGH,
+        r"""exec\.Command\s*\(\s*["'](?:sh|bash|/bin/sh|/bin/bash)["']\s*,\s*["']-c["']\s*,\s*[^,)]*\+""",
+        "go",
+    ),
+    ("Go exec.Command with fmt.Sprintf", Severity.HIGH, r"exec\.Command(?:Context)?\s*\([^)]*fmt\.Sprintf", "go"),
+]
+
+PHP_PATTERNS = [
+    (
+        "PHP system() / exec() with $-interpolation",
+        Severity.CRITICAL,
+        r"\b(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*['\"][^'\"]*\$",
+        "php",
+    ),
+    ("PHP backticks with $-interpolation", Severity.CRITICAL, r"`[^`]*\$[a-z_][^`]*`", "php"),
+    (
+        "PHP escapeshellarg missing on user input",
+        Severity.MEDIUM,
+        r"\b(?:system|exec|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)",
+        "php",
+    ),
+]
+
+JAVA_PATTERNS = [
+    (
+        "Java Runtime.exec(String) with concat",
+        Severity.HIGH,
+        r"Runtime\.getRuntime\(\)\.exec\s*\(\s*['\"][^'\"]*['\"]\s*\+",
+        "java",
+    ),
+    (
+        "Java ProcessBuilder(String) single-string form",
+        Severity.MEDIUM,
+        r"new ProcessBuilder\s*\(\s*[a-z_]+(?:\s*\+\s*[a-z_]+)+\s*\)",
+        "java",
+    ),
+]
+
+
+LANG_EXT_MAP = {
+    "python": {".py"},
+    "javascript": {".js", ".jsx", ".mjs", ".cjs", ".ts", ".tsx"},
+    "ruby": {".rb"},
+    "go": {".go"},
+    "java": {".java", ".kt", ".scala"},
+    "php": {".php"},
+}
+LANG_PATTERNS = {
+    "python": PY_PATTERNS,
+    "javascript": JS_PATTERNS,
+    "ruby": RUBY_PATTERNS,
+    "go": GO_PATTERNS,
+    "java": JAVA_PATTERNS,
+    "php": PHP_PATTERNS,
+}
+SKIP_DIRS = {
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    "target",
+    ".cache",
+    ".pnpm-store",
+    ".venv",
+    "venv",
+    "__pycache__",
+    ".astro",
+    ".next",
+    ".nuxt",
+    "vendor",
+}
+TEST_DIRS = {"tests", "test", "__tests__", "spec", "specs"}
+MAX_FILE_SIZE = 5 * 1024 * 1024
+
+
+def should_skip_path(path: Path, include_tests: bool) -> bool:
+    parts = set(path.parts)
+    if parts & SKIP_DIRS:
+        return True
+    if not include_tests and parts & TEST_DIRS:
+        return True
+    return False
+
+
+def detect_language(path: Path, langs: set[str]) -> str | None:
+    suf = path.suffix.lower()
+    for lang in langs:
+        if suf in LANG_EXT_MAP[lang]:
+            return lang
+    return None
+
+
+def scan_file(file_path: Path, repo_root: Path, langs: set[str]) -> list[Finding]:
+    findings = []
+    lang = detect_language(file_path, langs)
+    if lang is None:
+        return findings
+    try:
+        if file_path.stat().st_size > MAX_FILE_SIZE:
+            return findings
+        text = file_path.read_text(encoding="utf-8", errors="ignore")
+    except (OSError, ValueError):
+        return findings
+    try:
+        rel = str(file_path.relative_to(repo_root))
+    except ValueError:
+        rel = str(file_path)
+
+    for title, sev, pattern, _lang in LANG_PATTERNS[lang]:
+        for m in re.finditer(pattern, text, re.IGNORECASE | re.MULTILINE):
+            line_no = text[: m.start()].count("\n") + 1
+            snippet = text.splitlines()[line_no - 1].strip()[:160]
+            findings.append(
+                Finding(
+                    skill_id=SKILL_ID,
+                    title=f"{title} at {rel}:{line_no}",
+                    severity=sev,
+                    target=f"{rel}:{line_no}",
+                    detail=(
+                        f"File {rel} line {line_no} matches the {title} "
+                        f"pattern: `{snippet}`. If the interpolated value "
+                        "is user-reachable, this is a command-injection vector."
+                    ),
+                    remediation=(
+                        "Replace the shell-string call with the argument-vector "
+                        "form. Python: subprocess.run([cmd, arg], shell=False). "
+                        "Node: spawn(cmd, [arg], {shell: false}). Ruby: "
+                        "Open3.capture3(cmd, arg). Go: exec.Command(cmd, arg). "
+                        "Java: new ProcessBuilder(Arrays.asList(cmd, arg)). "
+                        "See references/PLAYBOOK.md."
+                    ),
+                    cwe_id="CWE-78",
+                    affected_control="OWASP A03:2021",
+                    evidence=(("file", rel), ("line", line_no), ("language", lang), ("snippet", snippet)),
+                )
+            )
+    return findings
+
+
+def walk_repo(root: Path, include_tests: bool, langs: set[str]) -> list[Path]:
+    out = []
+    valid_exts = set()
+    for lang in langs:
+        valid_exts |= LANG_EXT_MAP[lang]
+    for p in root.rglob("*"):
+        if not p.is_file():
+            continue
+        if should_skip_path(p, include_tests):
+            continue
+        if p.suffix.lower() not in valid_exts:
+            continue
+        out.append(p)
+    return out
+
+
+def main(argv: list[str] | None = None) -> int:
+    parser = argparse.ArgumentParser(description="Command-injection pattern scanner")
+    parser.add_argument("path", type=Path)
+    parser.add_argument("--output", default=None)
+    parser.add_argument("--format", choices=("json", "jsonl", "markdown"), default="markdown")
+    parser.add_argument("--min-severity", choices=("critical", "high", "medium", "low", "info"), default="info")
+    parser.add_argument("--include-tests", action="store_true")
+    parser.add_argument("--languages", default="all")
+    args = parser.parse_args(argv)
+
+    if args.languages == "all":
+        langs = set(LANG_PATTERNS.keys())
+    else:
+        langs = {lang.strip() for lang in args.languages.split(",") if lang.strip() in LANG_PATTERNS}
+
+    root = args.path.resolve()
+    if not root.exists():
+        sys.stderr.write(f"ERROR: path does not exist: {root}\n")
+        return 2
+
+    files = walk_repo(root, args.include_tests, langs)
+    findings: list[Finding] = []
+    for f in files:
+        findings.extend(scan_file(f, root, langs))
+
+    floor = Severity(args.min_severity)
+    findings = [f for f in findings if f.severity.numeric >= floor.numeric]
+
+    emit(findings, args.output, args.format, str(root))
+    return exit_code(findings)
+
+
+if __name__ == "__main__":
+    sys.exit(main())

package/skills/detecting-debug-endpoints/SKILL.md

@@ -0,0 +1,207 @@
+---
+name: detecting-debug-endpoints
+description: |
+  Probe a target for accidentally-public admin / debug / introspection
+  endpoints — Spring Boot Actuator, Apache server-status, Prometheus
+  metrics, GraphQL playground, Swagger UI, phpMyAdmin, JMX-over-HTTP
+  (Jolokia), Elasticsearch _cat, Kibana / Grafana / Eureka / Consul
+  panels.
+  Use when: post-deploy verification, security audit before SOC2,
+  inheriting a system you didn't build, or a bug bounty hints at an
+  exposed introspection panel.
+  Threshold: any of the canonical 40+ admin/debug paths returns 200,
+  302 to a login, or framework-specific JSON shape (e.g., Actuator
+  returning a _links object, server-status HTML body containing
+  the Apache Server Status title).
+  Trigger with: "check debug endpoints", "actuator exposure", "admin
+  panel scan", "graphql playground check".
+allowed-tools:
+  - Read
+  - Bash(python3:*)
+  - Bash(curl:*)
+disallowed-tools:
+  - Bash(rm:*)
+  - Edit(/etc/*)
+version: 3.0.0-dev
+author: Jeremy Longshore <jeremy@intentsolutions.io>
+license: MIT
+compatibility: Designed for Claude Code
+tags:
+  - security
+  - information-disclosure
+  - admin-panels
+  - actuator
+  - pentest
+---
+
+# Detecting Debug Endpoints
+
+## Overview
+
+Modern web stacks ship rich introspection by default. Spring Boot
+Actuator exposes `/actuator/env` (every environment variable),
+`/actuator/heapdump` (a live heap snapshot that contains credentials),
+`/actuator/jolokia` (JMX bean invocation = pre-auth RCE in some
+configurations). Apache `mod_status` exposes `/server-status` with
+internal IPs, request counts, and the URL of every active request.
+Prometheus `/metrics` exposes operational telemetry that often
+includes connection-string-bearing labels by accident. phpMyAdmin
+exposes the entire database if unauthenticated.
+
+These are not bugs in the frameworks. They're features that ship
+enabled-by-default for development convenience and stay enabled in
+production because nobody disabled them at install time. The probe
+set covers the canonical 40+ paths and grades each by the response
+fingerprint specific to that framework.
+
+## When the skill produces findings
+
+| Finding | Severity | Threshold | Affected control |
+|---|---|---|---|
+| Spring Boot Actuator `/env` exposed | **CRITICAL** | 200 + body has `"propertySources"` | OWASP A05:2021 |
+| Spring Boot Actuator `/heapdump` exposed | **CRITICAL** | 200 + `Content-Type: application/octet-stream` + multi-MB body | CWE-200 |
+| Spring Boot Actuator `/jolokia` exposed | **CRITICAL** | 200 + body has `"agent":"jolokia"` | CWE-749 |
+| phpMyAdmin reachable | **CRITICAL** | 200 + HTML body contains "phpMyAdmin" + login form | OWASP A07:2021 |
+| Prometheus `/metrics` exposed | **HIGH** | 200 + body has `# HELP` or `# TYPE` lines | CWE-200 |
+| Apache `mod_status` exposed | **HIGH** | 200 + body contains "Apache Server Status" | CWE-200 |
+| Spring Boot Actuator `/actuator` index | **HIGH** | 200 + body has `"_links"` JSON | OWASP A05:2021 |
+| Generic `/admin` returning 200 (not 401/403) | **HIGH** | 200 + HTML body with admin-shaped UI | CWE-285 |
+| Elasticsearch `_cat` exposed | **HIGH** | 200 + body matches `health\s+status\s+index` | CWE-200 |
+| GraphQL Playground on prod | **MEDIUM** | 200 + body contains `"GraphQLPlayground"` | CWE-200 |
+| Swagger UI on prod | **MEDIUM** | 200 + body contains `"swagger-ui"` | CWE-200 |
+| Spring Boot Actuator `/health` exposed | **MEDIUM** | 200 + body has `"status":"UP"` | CWE-200 |
+| `phpinfo` page on prod | **MEDIUM** | 200 + body has `PHP Version` heading | CWE-200 |
+| `/robots.txt` discloses admin paths | **LOW** | 200 + `Disallow:` lines mentioning `/admin` | CWE-200 |
+
+## Prerequisites
+
+- Python 3.9+ with `requests`
+- Authorization for non-local targets
+
+## Instructions
+
+### Step 1 — Confirm Authorization
+
+```text
+"Do you have authorization to perform admin / debug endpoint
+ discovery on this target? I need confirmation before proceeding."
+```
+
+### Step 2 — Run the scanner
+
+```bash
+python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-debug-endpoints/scripts/probe_debug.py \
+    https://target.example.com \
+    --authorized
+```
+
+Options:
+
+```
+Usage: probe_debug.py URL [OPTIONS]
+
+Options:
+  --authorized       Attest authorization (required for non-local)
+  --output FILE      Write findings to FILE
+  --format FMT       json | jsonl | markdown (default: markdown)
+  --min-severity SEV (default: info)
+  --timeout SECS     Per-probe timeout (default: 10)
+  --paths-file FILE  Override the default probe set with a custom list
+  --include-redirects  Treat 302/303 to /login as findings (debug panel
+                       exists but auth gates it — still worth noting)
+```
+
+The scanner sends a GET for each path. For 200 responses, it inspects
+the body for the framework-specific fingerprint to confirm a true
+positive (not the app's SPA index page). For 302 responses to common
+login paths, the panel exists but auth is in front — flagged only
+with `--include-redirects`.
+
+### Step 3 — Interpret findings
+
+CRITICAL = direct compromise vector (env vars / heapdump / Jolokia /
+phpMyAdmin). Ship same-hour fix: take the endpoint behind authn or
+disable it. Audit for prior exploitation.
+
+HIGH = information disclosure substantial enough to drive subsequent
+attacks (server-status reveals request URLs including session tokens
+in query strings; /metrics labels often contain connection strings;
+/admin reachable means brute-force can start).
+
+MEDIUM = posture hardening (health checks, swagger).
+
+### Step 4 — Cross-skill chaining
+
+After this skill, suggest:
+
+- `detecting-exposed-secrets-files` (#6) — same deploy mistake. If
+  `/server-status` is reachable, `.git/` often is too.
+- `auditing-cors-policy` (#3) — if a GraphQL or admin endpoint is
+  reachable AND has open CORS, the attack chain compounds.
+
+## Examples
+
+### Example 1 — Inheriting a system audit
+
+User: "We just acquired example.io. Quick audit of admin surface."
+
+```bash
+python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-debug-endpoints/scripts/probe_debug.py \
+    https://example.io --authorized --min-severity medium
+```
+
+Commonly surfaces forgotten `/server-status` on Apache hosts,
+`/actuator/*` left enabled from Spring Boot defaults, leftover
+`/phpmyadmin` from initial install.
+
+### Example 2 — Spring Boot Actuator paranoia sweep
+
+User: "We use Spring Boot heavily. Show me everywhere Actuator is
+reachable."
+
+```bash
+for ENDPOINT in $(cat spring-services.txt); do
+  python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-debug-endpoints/scripts/probe_debug.py \
+      "$ENDPOINT" --authorized --format jsonl
+done | jq 'select(.title | contains("Actuator"))'
+```
+
+### Example 3 — CI gate against accidental re-enablement
+
+```yaml
+- name: Debug-endpoint guard
+  run: |
+    python3 plugins/security/penetration-tester/skills/detecting-debug-endpoints/scripts/probe_debug.py \
+        "${{ secrets.STAGING_URL }}" \
+        --authorized --min-severity high
+```
+
+Exit 1 fails the deploy if any HIGH or CRITICAL endpoint exposure
+appears. Catches the regression where a debug profile gets enabled
+in a `application-prod.yml` by accident.
+
+## Output
+
+JSON / JSONL / Markdown per `lib/report.py`. Exit codes: 0 clean, 1
+high/critical, 2 error.
+
+## Error Handling
+
+- **SPA catches every URL with 200** → use `--check-only` semantics
+  (default: fingerprint check filters out SPA matches).
+- **WAF / CDN blocks the scanner** → expected for some targets.
+  Coordinate with the target's security team for an allowlist; or
+  run the scanner from inside the target's network if you have
+  authorized internal access.
+- **Connection error** → exit 2 with underlying error.
+
+## Resources
+
+- `references/THEORY.md` — Per-framework reasoning: why Actuator,
+  mod_status, Prometheus, GraphQL Playground, Swagger, phpMyAdmin
+  each matter; canonical fingerprints
+- `references/PLAYBOOK.md` — Per-framework remediation: Spring Boot
+  Actuator authn, Apache mod_status `<Location>` deny, Prometheus
+  Bearer-token, GraphQL introspection toggle, Swagger profile gate
+- `../analyzing-tls-config/references/AUTHORIZATION.md` — Active-scan
+  authorization pattern