@intentsolutionsio/penetration-tester 2.0.0 → 3.0.4

package/skills/detecting-sql-injection-patterns/scripts/scan_sqli.py

@@ -0,0 +1,354 @@
+#!/usr/bin/env python3
+"""Static-analysis scan for SQL-injection vulnerable patterns.
+
+References:
+    CWE-89 Improper Neutralization of Special Elements used in an SQL Command
+    OWASP A03:2021 Injection
+"""
+
+from __future__ import annotations
+
+import argparse
+import re
+import sys
+from pathlib import Path
+
+_PLUGIN_ROOT = Path(__file__).resolve().parents[3]
+if str(_PLUGIN_ROOT) not in sys.path:
+    sys.path.insert(0, str(_PLUGIN_ROOT))
+
+from lib.finding import Finding, Severity  # noqa: E402
+from lib.report import emit, exit_code  # noqa: E402
+
+SKILL_ID = "detecting-sql-injection-patterns"
+
+# Build the SQL-keyword detector once
+SQL_KEYWORDS = r"(?:SELECT|INSERT\s+INTO|UPDATE\s+\w|DELETE\s+FROM|REPLACE\s+INTO|MERGE\s+INTO|UPSERT|DROP\s+\w|TRUNCATE|ALTER\s+\w|CREATE\s+\w|FROM\s+\w|WHERE|JOIN|GROUP\s+BY|ORDER\s+BY)"
+
+
+def py_patterns():
+    """Python SQL-injection patterns."""
+    return [
+        (
+            "Python f-string with SQL keywords",
+            Severity.CRITICAL,
+            rf"""f["']\s*{SQL_KEYWORDS}\s+[^"']*\{{[^}}]+\}}""",
+            "python",
+        ),
+        (
+            "Python cursor.execute with f-string argument",
+            Severity.CRITICAL,
+            r"""\b(?:cursor|conn|db)\s*\.\s*execute(?:many)?\s*\(\s*f["']""",
+            "python",
+        ),
+        (
+            "Python string concat into SQL keyword string",
+            Severity.CRITICAL,
+            rf"""["']\s*{SQL_KEYWORDS}[^"']*["']\s*\+\s*\w""",
+            "python",
+        ),
+        (
+            "Python %-format on SQL string",
+            Severity.HIGH,
+            rf"""["']\s*{SQL_KEYWORDS}[^"']*%\s*[sdif]?["']\s*%\s*""",
+            "python",
+        ),
+        (
+            "Python .format() on SQL string",
+            Severity.HIGH,
+            rf"""["']\s*{SQL_KEYWORDS}[^"']*\{{[^}}]*\}}[^"']*["']\s*\.\s*format\b""",
+            "python",
+        ),
+        ("Django .extra() with raw SQL", Severity.MEDIUM, r"\.\s*extra\s*\(\s*(?:where|select|tables)\s*=", "python"),
+    ]
+
+
+def js_patterns():
+    """JavaScript / TypeScript SQL-injection patterns."""
+    return [
+        (
+            "JS template literal with SQL keywords + interpolation",
+            Severity.CRITICAL,
+            rf"""`\s*{SQL_KEYWORDS}[^`]*\$\{{[^}}]+\}}""",
+            "javascript",
+        ),
+        (
+            "JS sequelize.query with template literal interpolation",
+            Severity.HIGH,
+            r"""sequelize\s*\.\s*query\s*\(\s*`[^`]*\$\{""",
+            "javascript",
+        ),
+        (
+            "JS knex.raw with template literal interpolation",
+            Severity.HIGH,
+            r"""(?:knex|db)\s*\.\s*raw\s*\(\s*`[^`]*\$\{""",
+            "javascript",
+        ),
+        (
+            "JS knex.raw with string concat",
+            Severity.HIGH,
+            r"""(?:knex|db)\s*\.\s*raw\s*\(\s*['"][^'"]*['"]\s*\+\s*\w""",
+            "javascript",
+        ),
+        (
+            "JS mysql/pg .query with concat",
+            Severity.HIGH,
+            rf"""\.\s*query\s*\(\s*["']\s*{SQL_KEYWORDS}[^"']*["']\s*\+\s*\w""",
+            "javascript",
+        ),
+    ]
+
+
+def ruby_patterns():
+    """Ruby SQL-injection patterns."""
+    return [
+        ("Rails .where with string interpolation", Severity.HIGH, r"""\.\s*where\s*\(\s*["'][^"']*\#\{""", "ruby"),
+        (
+            "Rails find_by_sql with string interpolation",
+            Severity.HIGH,
+            r"""\.\s*find_by_sql\s*\(\s*["'][^"']*\#\{""",
+            "ruby",
+        ),
+        (
+            "Rails connection.execute with interpolation",
+            Severity.CRITICAL,
+            r"""ActiveRecord::Base\.connection\s*\.\s*execute\s*\(\s*["'][^"']*\#\{""",
+            "ruby",
+        ),
+    ]
+
+
+def go_patterns():
+    """Go SQL-injection patterns."""
+    return [
+        (
+            "Go fmt.Sprintf into db.Query/QueryRow/Exec",
+            Severity.HIGH,
+            r"""(?:Query|QueryRow|Exec)(?:Context)?\s*\(\s*fmt\.Sprintf\s*\(""",
+            "go",
+        ),
+        (
+            "Go string concat into db.Query",
+            Severity.CRITICAL,
+            rf"""(?:Query|QueryRow|Exec)(?:Context)?\s*\(\s*"[^"]*{SQL_KEYWORDS}[^"]*"\s*\+""",
+            "go",
+        ),
+    ]
+
+
+def java_patterns():
+    """Java SQL-injection patterns."""
+    return [
+        (
+            "Java Statement.execute with concat",
+            Severity.HIGH,
+            rf"""(?:Statement|stmt)\.\s*execute(?:Query|Update)?\s*\(\s*"[^"]*{SQL_KEYWORDS}[^"]*"\s*\+""",
+            "java",
+        ),
+        (
+            "Java String.format on SQL string",
+            Severity.HIGH,
+            rf"""String\.format\s*\(\s*"[^"]*{SQL_KEYWORDS}[^"]*%[sd]""",
+            "java",
+        ),
+    ]
+
+
+def php_patterns():
+    """PHP SQL-injection patterns."""
+    return [
+        (
+            "PHP mysqli_query with interpolated string",
+            Severity.CRITICAL,
+            rf"""mysqli_query\s*\(\s*\$[a-z_]+\s*,\s*"[^"]*{SQL_KEYWORDS}[^"]*\$""",
+            "php",
+        ),
+        (
+            "PHP mysql_query with concat",
+            Severity.CRITICAL,
+            rf"""mysql_query\s*\(\s*"[^"]*{SQL_KEYWORDS}[^"]*"\s*\.\s*\$""",
+            "php",
+        ),
+        (
+            "PHP PDO->query with concat (should be prepare)",
+            Severity.HIGH,
+            rf"""->query\s*\(\s*"[^"]*{SQL_KEYWORDS}[^"]*"\s*\.\s*\$""",
+            "php",
+        ),
+    ]
+
+
+def csharp_patterns():
+    """C# SQL-injection patterns."""
+    return [
+        (
+            "C# SqlCommand with string interpolation",
+            Severity.CRITICAL,
+            rf"""new SqlCommand\s*\(\s*\$"[^"]*{SQL_KEYWORDS}[^"]*\{{""",
+            "csharp",
+        ),
+        (
+            "C# SqlCommand with string concat",
+            Severity.CRITICAL,
+            rf"""new SqlCommand\s*\(\s*"[^"]*{SQL_KEYWORDS}[^"]*"\s*\+""",
+            "csharp",
+        ),
+    ]
+
+
+LANG_EXT_MAP = {
+    "python": {".py"},
+    "javascript": {".js", ".jsx", ".mjs", ".cjs", ".ts", ".tsx"},
+    "ruby": {".rb"},
+    "go": {".go"},
+    "java": {".java", ".kt", ".scala"},
+    "php": {".php"},
+    "csharp": {".cs"},
+}
+LANG_PATTERNS = {
+    "python": py_patterns,
+    "javascript": js_patterns,
+    "ruby": ruby_patterns,
+    "go": go_patterns,
+    "java": java_patterns,
+    "php": php_patterns,
+    "csharp": csharp_patterns,
+}
+SKIP_DIRS = {
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    "target",
+    ".cache",
+    ".pnpm-store",
+    ".venv",
+    "venv",
+    "__pycache__",
+    ".astro",
+    ".next",
+    ".nuxt",
+    "vendor",
+}
+TEST_DIRS = {"tests", "test", "__tests__", "spec", "specs"}
+MAX_FILE_SIZE = 5 * 1024 * 1024
+
+
+def should_skip_path(path: Path, include_tests: bool) -> bool:
+    parts = set(path.parts)
+    if parts & SKIP_DIRS:
+        return True
+    if not include_tests and parts & TEST_DIRS:
+        return True
+    return False
+
+
+def detect_language(path: Path, langs: set[str]) -> str | None:
+    suf = path.suffix.lower()
+    for lang in langs:
+        if suf in LANG_EXT_MAP[lang]:
+            return lang
+    return None
+
+
+def scan_file(file_path: Path, repo_root: Path, langs: set[str]) -> list[Finding]:
+    findings = []
+    lang = detect_language(file_path, langs)
+    if lang is None:
+        return findings
+    try:
+        if file_path.stat().st_size > MAX_FILE_SIZE:
+            return findings
+        text = file_path.read_text(encoding="utf-8", errors="ignore")
+    except (OSError, ValueError):
+        return findings
+    try:
+        rel = str(file_path.relative_to(repo_root))
+    except ValueError:
+        rel = str(file_path)
+
+    for title, sev, pattern, _lang in LANG_PATTERNS[lang]():
+        for m in re.finditer(pattern, text, re.IGNORECASE | re.MULTILINE):
+            line_no = text[: m.start()].count("\n") + 1
+            snippet = text.splitlines()[line_no - 1].strip()[:160]
+            findings.append(
+                Finding(
+                    skill_id=SKILL_ID,
+                    title=f"{title} at {rel}:{line_no}",
+                    severity=sev,
+                    target=f"{rel}:{line_no}",
+                    detail=(
+                        f"File {rel} line {line_no} matches the {title} "
+                        f"pattern: `{snippet}`. If the interpolated value can "
+                        "be influenced by external input, this is a "
+                        "SQL-injection vector."
+                    ),
+                    remediation=(
+                        "Replace the string-built query with a parameterized "
+                        "query API. Per language: Python sqlite3/psycopg uses "
+                        "`?` or `%s` placeholders; Node mysql2/pg uses `?` or "
+                        "`$1`; Ruby uses `where(...)` with hash args; Go uses "
+                        '`db.Query("SELECT ... WHERE x = ?", arg)`; Java '
+                        "PreparedStatement with `setString(1, val)`. See "
+                        "references/PLAYBOOK.md for per-language patterns."
+                    ),
+                    cwe_id="CWE-89",
+                    affected_control="OWASP A03:2021",
+                    evidence=(("file", rel), ("line", line_no), ("language", lang), ("snippet", snippet)),
+                )
+            )
+    return findings
+
+
+def walk_repo(root: Path, include_tests: bool, langs: set[str]) -> list[Path]:
+    out = []
+    valid_exts = set()
+    for lang in langs:
+        valid_exts |= LANG_EXT_MAP[lang]
+    for p in root.rglob("*"):
+        if not p.is_file():
+            continue
+        if should_skip_path(p, include_tests):
+            continue
+        if p.suffix.lower() not in valid_exts:
+            continue
+        out.append(p)
+    return out
+
+
+def main(argv: list[str] | None = None) -> int:
+    parser = argparse.ArgumentParser(description="SQL-injection pattern scanner")
+    parser.add_argument("path", type=Path)
+    parser.add_argument("--output", default=None)
+    parser.add_argument("--format", choices=("json", "jsonl", "markdown"), default="markdown")
+    parser.add_argument("--min-severity", choices=("critical", "high", "medium", "low", "info"), default="info")
+    parser.add_argument("--include-tests", action="store_true")
+    parser.add_argument(
+        "--languages", default="all", help="Comma-separated: python,javascript,ruby,go,java,php,csharp (default: all)"
+    )
+    args = parser.parse_args(argv)
+
+    if args.languages == "all":
+        langs = set(LANG_PATTERNS.keys())
+    else:
+        langs = {lang.strip() for lang in args.languages.split(",") if lang.strip() in LANG_PATTERNS}
+
+    root = args.path.resolve()
+    if not root.exists():
+        sys.stderr.write(f"ERROR: path does not exist: {root}\n")
+        return 2
+
+    files = walk_repo(root, args.include_tests, langs)
+    findings: list[Finding] = []
+    for f in files:
+        findings.extend(scan_file(f, root, langs))
+
+    floor = Severity(args.min_severity)
+    findings = [f for f in findings if f.severity.numeric >= floor.numeric]
+
+    emit(findings, args.output, args.format, str(root))
+    return exit_code(findings)
+
+
+if __name__ == "__main__":
+    sys.exit(main())

package/skills/detecting-ssl-cert-issues/SKILL.md

@@ -0,0 +1,182 @@
+---
+name: detecting-ssl-cert-issues
+description: |
+  Audit a target's TLS certificate beyond protocol/expiry — chain ordering,
+  OCSP stapling, revocation status, Certificate Transparency presence,
+  key-usage flags, and over-broad wildcards.
+  Use when: TLS handshake already passes (skill #1 analyzing-tls-config
+  cleared) but you suspect the cert posture is fragile. Auditors flag this
+  during SOC2 readiness when a renewal slipped or an intermediate was
+  rotated.
+  Threshold: missing OCSP stapling on production, fewer than 2 SCTs in
+  the cert, intermediate served out of order, key usage missing
+  digitalSignature/keyEncipherment, revoked cert presented, or wildcard
+  scope of 2-level (e.g., *.com is rejection; *.api.example.com is fine).
+  Trigger with: "check cert revocation", "audit ocsp", "ct log check",
+  "cert chain audit".
+allowed-tools:
+  - Read
+  - Bash(python3:*)
+  - Bash(openssl:*)
+disallowed-tools:
+  - Bash(rm:*)
+  - Edit(/etc/*)
+  - Write(/etc/*)
+version: 3.0.0-dev
+author: Jeremy Longshore <jeremy@intentsolutions.io>
+license: MIT
+compatibility: Designed for Claude Code
+tags:
+  - security
+  - tls
+  - ocsp
+  - certificate-transparency
+  - pentest
+---
+
+# Detecting SSL Certificate Issues
+
+## Overview
+
+This skill is the second-level cert audit, run after `analyzing-tls-config`
+clears the protocol+cipher+expiry+hostname basics. It surfaces issues
+that don't break the handshake today but make the cert fragile or open
+to soft-bypass attacks: missing OCSP stapling forces clients to phone
+home to the CA (privacy + latency hit), missing Certificate Transparency
+SCTs are rejected by Chrome since 2018, an out-of-order chain confuses
+older clients, and over-broad wildcards expand the blast radius of any
+future key compromise.
+
+## When the skill produces findings
+
+| Finding | Severity | Threshold | Affected control |
+|---|---|---|---|
+| Revoked certificate presented | **CRITICAL** | OCSP responder says "revoked" | RFC 6960 |
+| Missing or invalid OCSP staple | **HIGH** | No status_request response on production | RFC 6066, CA/B BR |
+| Fewer than 2 SCTs embedded | **HIGH** | CT-policy violation (Chrome enforces) | RFC 6962, CA/B Baseline Reqs |
+| Intermediate served out of RFC 5246 order | **MEDIUM** | Server sends root before leaf | RFC 5246 §7.4.2 |
+| AIA extension missing | **MEDIUM** | No CA Issuers / OCSP URL in cert | RFC 5280 §4.2.2.1 |
+| Over-broad wildcard | **HIGH** | Scope of 2-level or wider (e.g., *.com) | CA/B Baseline Reqs §3.2.2 |
+| Wildcard at apex SAN | **LOW** | *.example.com without example.com | RFC 6125 §6.4.3 |
+| Key Usage missing digitalSignature | **MEDIUM** | KU bit absent for TLS server cert | RFC 5280 §4.2.1.3 |
+| Cert chain longer than 4 | **LOW** | Performance + trust expansion | CA/B Baseline Reqs |
+
+## Prerequisites
+
+- Python 3.9+ with `cryptography` library
+- `openssl` CLI 1.1.1+ (for OCSP query + chain enumeration)
+- Authorization for non-local targets (see `references/AUTHORIZATION.md`
+  in skill #1 `analyzing-tls-config` for the canonical pattern)
+
+## Instructions
+
+### Step 1 — Confirm Authorization
+
+Active scan; ask the user verbatim:
+
+> "Do you have authorization to perform TLS testing on this target?
+> I need confirmation before proceeding."
+
+### Step 2 — Run the scanner
+
+```bash
+python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-ssl-cert-issues/scripts/check_cert_chain.py \
+    https://target.example.com \
+    --authorized
+```
+
+Options:
+
+```
+Usage: check_cert_chain.py URL [OPTIONS]
+
+Options:
+  --authorized       Attest authorization for non-local targets (required)
+  --port PORT        Target port (default: 443)
+  --output FILE      Write findings to FILE (default: stdout)
+  --format FMT       json | jsonl | markdown (default: markdown)
+  --min-severity SEV critical|high|medium|low|info (default: info)
+  --timeout SECS     Per-probe timeout (default: 10)
+  --skip-ocsp        Skip OCSP responder query (offline mode)
+```
+
+### Step 3 — Interpret findings
+
+CRITICAL/HIGH map to immediate action items; MEDIUM/LOW to backlog
+hardening. Cross-reference `references/PLAYBOOK.md` for OCSP stapling
+config snippets per server type.
+
+### Step 4 — Cross-skill chaining
+
+- After this skill, suggest `checking-http-security-headers` (#4) to
+  verify HSTS preload status — HSTS preload depends on a clean cert
+  chain to be effective.
+- For CI integration patterns, see `references/PLAYBOOK.md` § CI
+  posture-monitoring.
+
+## Examples
+
+### Example 1 — OCSP stapling audit before adopting must-staple
+
+User: "We're considering Must-Staple — what's our OCSP stapling posture
+look like across endpoints?"
+
+```bash
+for ENDPOINT in https://api.example.com https://app.example.com https://admin.example.com; do
+  python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-ssl-cert-issues/scripts/check_cert_chain.py \
+      "$ENDPOINT" --authorized --min-severity medium
+done
+```
+
+If any endpoint reports "Missing OCSP staple" HIGH, adopting Must-Staple
+on that cert breaks it on next renewal until OCSP-stapling config
+lands. Pair with `references/PLAYBOOK.md` § OCSP stapling for nginx /
+Caddy / Apache config.
+
+### Example 2 — CT-log compliance check before public launch
+
+User: "Pre-launch — does our cert have enough SCTs for Chrome to trust it?"
+
+```bash
+python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-ssl-cert-issues/scripts/check_cert_chain.py \
+    https://new-site.example.com --authorized
+```
+
+The scanner extracts embedded SCTs from the cert's CT extension. <2
+SCTs → HIGH finding; Chrome's CT enforcement policy rejects the
+connection silently in HTTPS, leaving users with a generic error.
+
+### Example 3 — Wildcard scope audit
+
+User: "An auditor flagged our wildcard cert as too broad."
+
+```bash
+python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-ssl-cert-issues/scripts/check_cert_chain.py \
+    https://example.com --authorized --format json | jq '.[] | select(.title | contains("wildcard"))'
+```
+
+The JSON output captures the wildcard scope; pair with the auditor's
+request to either narrow the SAN list or move to per-service certs.
+
+## Output
+
+JSON / JSONL / Markdown per `lib/report.py`. Exit codes: 0 clean, 1
+high/critical, 2 error.
+
+## Error Handling
+
+- **OCSP responder timeout** → emitted as MEDIUM finding (not an error
+  exit) with note to investigate responder availability.
+- **CT log lookup unavailable** → falls back to embedded-SCT parsing
+  only; emits INFO note.
+- **Untrusted cert** → out of scope (skill #1 handles); this skill assumes
+  the chain validates and looks at deeper posture.
+
+## Resources
+
+- `references/THEORY.md` — OCSP, CT, AIA, chain ordering, wildcard
+  scope reasoning with RFC anchors
+- `references/PLAYBOOK.md` — OCSP stapling config per server type +
+  CT-log compliance + AIA extension correctness
+- `../analyzing-tls-config/references/AUTHORIZATION.md` — canonical ROE
+  template + 2-step gate (shared across all active-scan skills)