security-mcp 1.1.3 → 1.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +164 -185
- package/defaults/checklists/ai.json +20 -1
- package/defaults/checklists/api.json +35 -1
- package/defaults/checklists/infra.json +34 -1
- package/defaults/checklists/mobile.json +23 -1
- package/defaults/checklists/payments.json +15 -1
- package/defaults/checklists/web.json +11 -1
- package/defaults/control-catalog.json +200 -0
- package/defaults/security-policy.json +2 -2
- package/dist/cli/index.js +82 -5
- package/dist/cli/install.js +36 -6
- package/dist/cli/onboarding.js +6 -0
- package/dist/gate/baseline.js +82 -7
- package/dist/gate/catalog.js +10 -2
- package/dist/gate/checks/ai.js +757 -39
- package/dist/gate/checks/auth-deep.js +935 -0
- package/dist/gate/checks/business-logic.js +751 -0
- package/dist/gate/checks/ci-pipeline.js +399 -4
- package/dist/gate/checks/crypto.js +423 -2
- package/dist/gate/checks/dependencies.js +571 -15
- package/dist/gate/checks/graphql.js +201 -19
- package/dist/gate/checks/infra.js +246 -1
- package/dist/gate/checks/injection-deep.js +848 -0
- package/dist/gate/checks/k8s.js +114 -1
- package/dist/gate/checks/mobile-android.js +917 -3
- package/dist/gate/checks/mobile-ios.js +797 -5
- package/dist/gate/checks/required-artifacts.js +194 -0
- package/dist/gate/checks/runtime.js +178 -0
- package/dist/gate/checks/secrets.js +244 -13
- package/dist/gate/checks/supply-chain-deep.js +787 -0
- package/dist/gate/checks/web-nextjs.js +572 -48
- package/dist/gate/diff.js +17 -5
- package/dist/gate/evidence.js +8 -1
- package/dist/gate/exceptions.js +131 -9
- package/dist/gate/policy.js +282 -129
- package/dist/mcp/audit-chain.js +122 -28
- package/dist/mcp/auth.js +169 -0
- package/dist/mcp/learning.js +129 -4
- package/dist/mcp/model-router.js +158 -21
- package/dist/mcp/orchestration.js +186 -51
- package/dist/mcp/server.js +608 -94
- package/dist/repo/fs.js +24 -1
- package/dist/repo/search.js +31 -6
- package/dist/review/store.js +52 -1
- package/package.json +7 -7
- package/prompts/SECURITY_PROMPT.md +73 -0
- package/skills/_TEMPLATE/SKILL.md +99 -0
- package/skills/advanced-dos-tester/SKILL.md +109 -0
- package/skills/agentic-loop-exploiter/SKILL.md +368 -0
- package/skills/ai-llm-redteam/SKILL.md +104 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
- package/skills/android-penetration-tester/SKILL.md +455 -46
- package/skills/anti-replay-tester/SKILL.md +106 -0
- package/skills/appsec-code-auditor/SKILL.md +120 -0
- package/skills/artifact-integrity-analyst/SKILL.md +441 -0
- package/skills/attack-navigator/SKILL.md +467 -8
- package/skills/auth-session-hacker/SKILL.md +128 -0
- package/skills/aws-penetration-tester/SKILL.md +456 -0
- package/skills/azure-penetration-tester/SKILL.md +490 -3
- package/skills/binary-auth-validator/SKILL.md +111 -0
- package/skills/bot-detection-specialist/SKILL.md +109 -0
- package/skills/business-logic-attacker/SKILL.md +231 -0
- package/skills/capec-code-mapper/SKILL.md +84 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
- package/skills/ciso-orchestrator/SKILL.md +454 -43
- package/skills/cloud-infra-specialist/SKILL.md +118 -0
- package/skills/compliance-gap-analyst/SKILL.md +422 -0
- package/skills/compliance-grc/SKILL.md +85 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
- package/skills/credential-stuffing-specialist/SKILL.md +102 -0
- package/skills/crypto-pki-specialist/SKILL.md +87 -0
- package/skills/csa-ccm-mapper/SKILL.md +84 -0
- package/skills/csf2-governance-mapper/SKILL.md +84 -0
- package/skills/deep-link-fuzzer/SKILL.md +109 -0
- package/skills/dependency-confusion-attacker/SKILL.md +415 -0
- package/skills/device-integrity-aggregator/SKILL.md +108 -0
- package/skills/dos-resilience-tester/SKILL.md +97 -0
- package/skills/dread-scorer/SKILL.md +84 -0
- package/skills/egress-policy-enforcer/SKILL.md +99 -0
- package/skills/evidence-collector/SKILL.md +98 -0
- package/skills/file-upload-attacker/SKILL.md +109 -0
- package/skills/gcp-penetration-tester/SKILL.md +459 -2
- package/skills/git-history-secret-scanner/SKILL.md +106 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
- package/skills/incident-responder/SKILL.md +111 -0
- package/skills/injection-specialist/SKILL.md +131 -0
- package/skills/ios-security-auditor/SKILL.md +282 -0
- package/skills/json-ambiguity-tester/SKILL.md +0 -0
- package/skills/k8s-container-escaper/SKILL.md +384 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
- package/skills/kill-switch-engineer/SKILL.md +102 -0
- package/skills/linddun-privacy-analyst/SKILL.md +102 -0
- package/skills/logic-race-fuzzer/SKILL.md +443 -0
- package/skills/mobile-api-network-attacker/SKILL.md +421 -0
- package/skills/mobile-binary-hardener/SKILL.md +102 -0
- package/skills/mobile-security-specialist/SKILL.md +85 -0
- package/skills/mobile-webview-auditor/SKILL.md +96 -0
- package/skills/model-extraction-attacker/SKILL.md +219 -0
- package/skills/multipart-abuse-tester/SKILL.md +84 -0
- package/skills/oauth-pkce-specialist/SKILL.md +104 -0
- package/skills/parser-exhaustion-tester/SKILL.md +142 -0
- package/skills/pentest-infra/SKILL.md +141 -0
- package/skills/pentest-social/SKILL.md +201 -0
- package/skills/pentest-team/SKILL.md +134 -0
- package/skills/pentest-web-api/SKILL.md +151 -0
- package/skills/privacy-flow-analyst/SKILL.md +234 -0
- package/skills/prompt-injection-specialist/SKILL.md +394 -0
- package/skills/quantum-migration-planner/SKILL.md +96 -0
- package/skills/rag-poisoning-specialist/SKILL.md +358 -0
- package/skills/registry-mirror-enforcer/SKILL.md +84 -0
- package/skills/rotation-validation-agent/SKILL.md +112 -0
- package/skills/samm-assessor/SKILL.md +85 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
- package/skills/senior-security-engineer/SKILL.md +370 -2
- package/skills/serialization-memory-attacker/SKILL.md +332 -0
- package/skills/session-timeout-tester/SKILL.md +161 -0
- package/skills/slsa-level3-enforcer/SKILL.md +112 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
- package/skills/ssrf-detection-validator/SKILL.md +108 -0
- package/skills/step-up-auth-enforcer/SKILL.md +84 -0
- package/skills/stride-pasta-analyst/SKILL.md +420 -0
- package/skills/supply-chain-devsecops/SKILL.md +98 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
- package/skills/threat-modeler/SKILL.md +85 -0
- package/skills/tls-certificate-auditor/SKILL.md +573 -18
- package/skills/token-reuse-detector/SKILL.md +95 -0
- package/skills/trike-risk-modeler/SKILL.md +84 -0
- package/skills/unicode-homograph-tester/SKILL.md +84 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
- package/skills/webhook-security-tester/SKILL.md +102 -0
- package/skills/zero-trust-architect/SKILL.md +109 -0
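--- a/package/skills/token-reuse-detector/SKILL.md
+++ b/package/skills/token-reuse-detector/SKILL.md
@@ -201,3 +201,98 @@ export async function consumeSingleUseToken(token: string, purpose: string): Pro
 - `requiredActions`: ordered action list
 - `complianceImpact`: framework mappings
 - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
+
+Every findings JSON MUST include `intelligenceForOtherAgents`:
+```json
+{
+"intelligenceForOtherAgents": {
+"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Refresh token rotation missing — stolen token valid indefinitely; pivot to full account takeover", "exploitHint": "Intercept refresh token from network/storage, replay repeatedly to generate unlimited access tokens" }],
+"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "token hashing scheme", "location": "src/auth/refresh-tokens.ts — verify SHA-256 with per-token salt; MD5/SHA-1 or unsalted hashes allow preimage attacks" }],
+"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "token validation endpoint", "escalationPath": "If token store is Redis on internal network, SSRF via token redemption path can enumerate/flush token families" }],
+"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI-DSS Req 8.3.9", "SOC 2 CC6.1", "NIST 800-53 IA-5"], "releaseBlock": true }]
+}
+}
+```
+
+## BEYOND SKILL.MD — MANDATORY EXPANSIONS
+
+- **AI-Assisted Token Stuffing via Timing-Profile Mimicry (ATT&CK T1110.004):** LLM-powered credential-stuffing bots (e.g., SilverBullet configs enhanced with GPT-generated timing jitter) now mimic legitimate refresh-token cadences — request intervals drawn from real user telemetry — defeating naive per-IP and fixed-window rate limits. Test by: replay a 10,000-request synthetic token-reuse campaign with randomized inter-request delays (50–2000 ms, Poisson-distributed); confirm device-fingerprint binding and per-device sliding-window rate limits still block all replayed tokens. Finding threshold: any refresh endpoint that does not bind the token to a device fingerprint AND enforce per-(user+device) rate limits is a finding.
+
+- **Harvest-Now-Decrypt-Later Against JWT RS256/ES256 Signing Keys (NIST IR 8413, Post-Quantum Readiness):** Adversaries capturing TLS-encrypted JWT payloads today can store them and forge signatures offline once a Cryptographically Relevant Quantum Computer (CRQC) breaks RSA-2048/ECDSA-P256 (estimated 2028–2032 per NIST IR 8413). Refresh token JWTs signed with RS256/ES256 are particularly exposed because their long TTLs give attackers more time. Test by: run `openssl s_client` against the token endpoint and `jose` CLI to dump JWT headers; confirm `alg` is not RS256 or ES256; if it is, flag for migration to HMAC-SHA-256 short-term and ML-DSA (FIPS 204) long-term. Finding threshold: any JWT refresh token using an asymmetric algorithm is a finding requiring a migration roadmap.
+
+- **Supply-Chain Compromise of Token-Handling Libraries (CVE-2022-23529, jsonwebtoken RCE):** CVE-2022-23529 demonstrated that a maliciously crafted `secretOrPublicKey` object passed to `jsonwebtoken.verify()` causes arbitrary code execution — meaning a supply-chain-poisoned version of `jsonwebtoken` could silently accept any token. Test by: run `npm audit` and cross-reference all token-library versions against the OSV database (`osv.dev`); additionally, run `npx lockfile-lint` to verify no dependency has been swapped for a lookalike package name (typosquatting). Finding threshold: any token-handling dependency (jsonwebtoken, jose, passport-jwt, oauth4webapi) not pinned to a verified hash in `package-lock.json` or not present in a CycloneDX SBOM is a finding.
+
+- **TOCTOU Race Enabling Double-Spend on Password-Reset Tokens (CWE-367, Real-World: Dropbox 2011 Auth Bypass Pattern):** The read-check-update pattern (`SELECT → check usedAt → UPDATE`) used in most ORM-based single-use token flows is vulnerable to a race condition where two simultaneous requests both see `usedAt: null` before either commits. This exact class of bug enabled auth bypass in several SaaS products circa 2011–2019. Test by: use Apache Bench or `wrk` to send 50 concurrent POST requests with the same password-reset token; confirm only one succeeds — requires a DB-level atomic `UPDATE tokens SET used_at = NOW() WHERE id = $1 AND used_at IS NULL` with rows-affected check rather than a separate SELECT. Finding threshold: any single-use token consumption path using separate SELECT then UPDATE operations without a DB-level advisory lock or atomic upsert is a CRITICAL finding.
+
+- **OAuth 2.0 Implicit Flow Refresh Token Non-Rotation Surviving OAuth 2.1 Deprecation (RFC 9700, OAuth 2.1 Draft):** Applications that implemented OAuth 2.0 implicit flow (`response_type=token`) before 2023 may still have deployed token-issuance paths that bypass the refresh token rotation model entirely — implicit flow issues access tokens directly with no refresh token family concept. RFC 9700 (OAuth 2.0 Security BCP) and the OAuth 2.1 draft formally prohibit implicit flow, but legacy paths frequently survive migrations. Test by: send `POST /oauth/authorize` with `response_type=token` and verify the server returns 400 or 302 with an error, not an access token; also grep for `response_type.*token` in client-side code. Finding threshold: any live implicit flow endpoint or ROPC grant is a HIGH finding requiring migration to Authorization Code + PKCE.
+
+- **Machine/Service-Account Token Rotation Exemption Enabling Persistent Lateral Movement (ATT&CK T1550.001, Uber Breach 2022 Pattern):** The 2022 Uber breach demonstrated that long-lived service-account tokens stored in source control or CI/CD secrets provide persistent access without triggering session-rotation alerts. Automated scanners skip non-human principals because they generate no MFA or session events. Test by: grep for `expiresIn.*365d\|expiresIn.*never\|"exp".*\+.*31536000` and all machine-token issuance paths; for each, verify a rotation policy exists (max TTL 90 days for internal, 1 year for third-party with automated rotation); confirm audit logs record every machine-token redemption with source IP and ASN, and alert on redemptions from novel ASNs outside CI/CD infrastructure. Finding threshold: any machine token with TTL > 90 days without automated rotation or any machine-token redemption path that does not emit an audit log event is a HIGH finding.
+
+## §EDGE-CASE-MATRIX
+
+The 5 attack cases in the token-reuse domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
+
+| # | Edge Case | Why Scanners Miss It | Concrete Test |
+|---|-----------|----------------------|---------------|
+| 1 | Refresh token replay inside the rotation grace window | Some implementations keep the previous token valid for a brief overlap period to handle network retries; attackers exploit this window to race the legitimate client | Send the same refresh token twice within 50 ms; both responses must fail after the first rotation or the grace window is exploitable |
+| 2 | Token family orphaning via concurrent logout + refresh | Logout invalidates the family, but a simultaneously in-flight refresh request that arrived before the DB write completes receives a new valid token outside any family | Send logout and refresh in parallel 1000×; verify no issued token survives after logout completes |
+| 3 | Single-use token double-spend via database read-before-write race (TOCTOU) | `findUnique → check usedAt → update usedAt` is three separate DB operations; two concurrent requests both see `usedAt: null` before either writes | Send two simultaneous POST requests with the same magic-link token; both must not succeed — requires DB-level atomic compare-and-update or SELECT FOR UPDATE |
+| 4 | API key reuse detection bypassed via key substring / prefix stripping | Scanners compare full key strings; some middleware strips environment prefixes before logging or forwarding, making `sk_dev_XXX` and `sk_live_XXX` appear identical downstream | Check logs and forwarded headers: confirm the full key including prefix reaches every validation layer unchanged |
+| 5 | Long-lived service-account / machine token never rotated | Human user sessions trigger refresh flows; service-account tokens issued as long-TTL JWTs or static API keys bypass all rotation logic | Grep for `expiresIn.*year\|expiresIn.*never\|"iat"\s*:\s*[^,]*[^}]` and machine-token issuance paths; verify rotation policy applies equally to non-human principals |
+
+## §TEMPORAL-THREATS
+
+Threats materialising in the 2025–2030 window that token-reuse defences designed today must account for.
+
+| Threat | Est. Timeline | Relevance to Token Reuse | Prepare Now By |
+|--------|--------------|--------------------------|----------------|
+| Cryptographically Relevant Quantum Computer (CRQC) breaks RSA/ECDSA | 2028–2032 | Harvest-now-decrypt-later: attackers capturing today's JWT payloads signed with RS256/ES256 will be able to forge them offline when CRQC arrives | Inventory all JWT signing algorithms; plan migration to ECDSA P-384 short-term, ML-DSA (FIPS 204) long-term; ensure token families use symmetric HMAC-SHA-256 at minimum |
+| AI-assisted credential-stuffing at scale | 2025–2027 (active) | LLM-powered bots generate realistic refresh-token request timing distributions, defeating naive rate-limit rules | Deploy device-fingerprint binding to refresh tokens; rate-limit per device+user tuple, not just per IP |
+| Browser partition storage changes (3PC removal, Storage Partitioning) | 2025–2026 (active) | Token storage in `localStorage` or cookies without `SameSite=Strict` becomes cross-site accessible under new partitioning models | Audit all token storage locations; enforce `HttpOnly; Secure; SameSite=Strict` on refresh-token cookies; eliminate `localStorage` for sensitive tokens |
+| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | Auth libraries handling token issuance must be in the SBOM with known-clean supply chain | Ensure all token-handling dependencies (jsonwebtoken, jose, passport-jwt, etc.) appear in CycloneDX SBOM with verified provenance |
+| OAuth 2.1 deprecation of implicit flow / ROPC | 2025–2026 | Implicit flow tokens are not rotatable and have no family concept; ROPC exposes credentials to client | Audit for `response_type=token` and ROPC grants; migrate to Auth Code + PKCE which supports full rotation |
+
+## §DETECTION-GAP
+
+What current security monitoring CANNOT detect in the token-reuse domain, and what to build to close each gap.
+
+- **Silent refresh token theft**: No log event is emitted when a token is stolen from storage (Keychain exfiltration, XSS cookie theft, MITM on non-HTTPS endpoint). Detection only becomes possible when the attacker uses the stolen token from a different IP/device. Need: bind refresh tokens to device fingerprint + IP subnet at issuance; flag redemptions where fingerprint diverges from issuance context, even within TTL.
+
+- **Token family compromise detection lag**: A reuse-detection system flags the family only on the second use of an old token. If the attacker uses the stolen token once before the victim, the victim's next legitimate refresh triggers the lockout — appearing as a spurious auth failure rather than a compromise signal. Need: alert on family-compromise events in real time and notify the account owner via out-of-band channel (email/push), not just deny the request silently.
+
+- **Long-lived machine / service-account token abuse**: Service accounts typically do not trigger MFA or session alerts. A compromised long-TTL token can be used indefinitely with no rotation event to detect. Need: audit log all machine-token redemptions with principal ID, source IP, and resource; alert on redemptions from novel ASNs or at unusual hours relative to CI/CD schedule baseline.
+
+- **API key cross-environment leak**: Dev keys used in a prod context (or vice versa) produce valid responses — no auth failure to log. Scanners comparing key prefixes miss runtime misuse. Need: server-side key-scope enforcement — dev-prefixed keys must be rejected with 403 by the production validation middleware, logged as a security event, and alerted.
+
+- **Race-condition double-spend on single-use tokens**: Both concurrent requests see the token as unused, both succeed, neither generates an error log. Need: enforce atomic DB-level upsert (`INSERT ... ON CONFLICT DO NOTHING` returning rows affected = 0 means already used); emit a security event on conflict rather than a silent discard.
+
+## §ZERO-MISS-MANDATE
+
+This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
+- `CHECKED: [N files] | [patterns used] | CLEAN`
+- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
+- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
+
+**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
+
+The output findings JSON MUST include a `coverageManifest` key:
+```json
+{
+"coverageManifest": {
+"attackClassesCovered": [
+{ "class": "Refresh Token — No Rotation", "filesReviewed": 12, "patterns": ["refreshToken", "refresh_token", "tokenRotation"], "result": "CLEAN" },
+{ "class": "Refresh Token — No Family Invalidation", "filesReviewed": 12, "patterns": ["tokenFamily", "invalidateFamily", "compromised"], "result": "2 findings, all fixed" },
+{ "class": "Single-Use Token Replay (magic links, password reset)", "filesReviewed": 8, "patterns": ["magicLink", "verificationToken", "usedAt", "consumeSingleUseToken"], "result": "CLEAN" },
+{ "class": "API Key Cross-Environment Reuse", "filesReviewed": 20, "patterns": ["API_KEY", "sk_dev", "sk_live", "api_key"], "result": "CLEAN" },
+{ "class": "TOCTOU Race on Single-Use Token Consumption", "filesReviewed": 8, "patterns": ["findUnique.*token", "SELECT.*token", "update.*usedAt"], "result": "CLEAN" },
+{ "class": "Machine/Service-Account Token Rotation Exemption", "filesReviewed": 5, "patterns": ["serviceAccount", "machineToken", "expiresIn.*year"], "result": "CLEAN" }
+],
+"filesReviewed": 53,
+"negativeAssertions": [
+"Refresh Token No Rotation: rotateRefreshToken pattern found and verified in 12 files — rotation enforced",
+"Single-Use Replay: usedAt field and atomic update verified in all 8 token-consumption paths — 0 unguarded paths"
+],
+"uncoveredReason": {}
+}
+}
+```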
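--- a/package/skills/trike-risk-modeler/SKILL.md
+++ b/package/skills/trike-risk-modeler/SKILL.md
@@ -137,3 +137,87 @@ Generate `docs/security/trike-risk-model.md`:
 - `requiredActions`: ordered action list
 - `complianceImpact`: framework mappings
 - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
+
+Every findings JSON MUST include `intelligenceForOtherAgents`:
+```json
+{
+"intelligenceForOtherAgents": {
+"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
+"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
+"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
+"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
+}
+}
+```
+
+## BEYOND SKILL.MD
+
+Domain-specific expansions for Trike risk modeling beyond the base mandate. Each names a concrete CVE, technique, tool, or research finding.
+
+- **CVE-2023-44487 (HTTP/2 Rapid Reset)** — Trike asset registers often omit availability as a primary asset dimension. Map DDoS-class threats explicitly: probability × service-outage-duration × revenue-loss. Rapid Reset demonstrates that protocol-level assets (HTTP/2 multiplexing) can be weaponized to threaten availability of every higher-level asset simultaneously.
+- **MITRE ATT&CK T1078 (Valid Accounts)** — Actor intent modeling must distinguish between external attacker and compromised-insider actors. Trike matrices that merge these two actor types undercount risk on credential-theft paths; separate them and score independently using T1078 sub-techniques (cloud accounts, domain accounts, local accounts).
+- **CWE-285 / Broken Access Control (OWASP A01:2021)** — The Trike Actor × Action matrix directly models access control correctness. Use the Semgrep rule `p/owasp-top-ten` to automatically enumerate actual permission checks in code and validate them against the stated matrix — gaps between modeled "Denied" and code reality are the highest-value Trike findings.
+- **AI/LLM Prompt Injection (OWASP LLM01:2025, CVE-2024-5184)** — For systems with LLM components, add the LLM inference pipeline and system-prompt contents as explicit CRITICAL assets. CVE-2024-5184 (GPT plugin prompt injection) demonstrates that attacker-controlled input reaching an LLM prompt crosses the Actor × Execute boundary invisibly — the Trike matrix must model this as a separate attack surface.
+- **Supply Chain Asset Class (SLSA framework / CVE-2023-46604)** — Third-party dependencies and build artifacts are assets with their own actor × action threat surface. CVE-2023-46604 (Apache ActiveMQ RCE via ClassInfo) illustrates how an attacker can subvert a dependency asset to achieve Execute access on infrastructure assets. Add a "Dependency Asset" row to every Trike asset register.
+- **Post-Quantum Harvest-Now-Decrypt-Later against long-lived data assets** — Any Trike asset classified as CRITICAL with a retention period exceeding 5 years is already under active threat from HNDL attacks. Map this as a probability-3 / impact-5 threat today (risk score 15 = CRITICAL). Assets to flag: health records, financial history, cryptographic key material, authentication secrets. Mitigation: migrate to ML-KEM (FIPS 203) key encapsulation for data encrypted today.
+- **AI-Assisted Attack Tree Generation (Tool: garak, PayloadsAllTheThings-AI branch)** — LLM-powered adversaries can now auto-generate attack trees from public documentation and API schemas. Trike models built on human-only intuition systematically underestimate attacker enumeration speed. Run `garak` against any public API endpoint to ground-truth the attacker's actual enumeration capability before finalizing probability scores.
+- **Insider Threat + Data Pipeline Assets (MITRE ATT&CK T1020, T1041)** — Trike actor matrices routinely omit the ML/analytics pipeline as a separate asset class. Data exfiltration via automated export jobs (T1020) and over existing C2 channels (T1041) bypasses all perimeter controls. Add ETL pipelines, data warehouses, and analytics exports as explicit assets with insider-actor threat rows.
+
+---
+
+## §EDGE-CASE-MATRIX
+
+The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
+
+| # | Edge Case | Why Scanners Miss It | Concrete Test |
+|---|-----------|----------------------|---------------|
+| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
+| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
+| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
+| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
+| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
+
+## §TEMPORAL-THREATS
+
+Threats materialising in the 2025–2030 window that defences designed today must account for.
+
+| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
+|--------|--------------|--------------------------|----------------|
+| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
+| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
+| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
+| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
+| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
+
+## §DETECTION-GAP
+
+What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
+
+**Standard gaps that MUST be checked:**
+
+- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
+- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
+- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
+- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
+- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
+
+## §ZERO-MISS-MANDATE
+
+This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
+- `CHECKED: [N files] | [patterns used] | CLEAN`
+- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
+- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
+
+**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
+
+The output findings JSON MUST include a `coverageManifest` key:
+```json
+{
+"coverageManifest": {
+"attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
+"filesReviewed": 47,
+"negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
+"uncoveredReason": {}
+}
+}
+```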
@@ -162,6 +162,19 @@ function toSkeleton(input: string): string {
|
|
|
162
162
|
}
|
|
163
163
|
```
|
|
164
164
|
|
|
165
|
+
## BEYOND SKILL.MD
|
|
166
|
+
|
|
167
|
+
Domain-specific expansions beyond the core mandate — each tied to a named CVE, technique, tool, or research finding:
|
|
168
|
+
|
|
169
|
+
- **CVE-2021-3618 (ALPACA attack)**: TLS servers accepting Unicode-normalized SNI can be confused by homograph domains into misrouting traffic; test all TLS SNI handling for confusable domain acceptance.
|
|
170
|
+
- **CVE-2022-23491 (certifi homograph)**: Certificate authority trust lists have been abused via IDN homograph domain registration; validate that your CA pinning and HPKP logic normalizes domain names before comparison.
|
|
171
|
+
- **Unicode Trojan Source (CVE-2021-42574)**: Bidirectional control characters embedded in source code comments or string literals cause the compiler/interpreter to see different logic than human reviewers; grep all source files for U+202A–U+202E and U+2066–U+2069 as a supply-chain check.
|
|
172
|
+
- **IDNA 2008 vs. UTS#46 divergence**: Python's `idna` library (pre-3.0) and browsers resolve the same internationalized domain name differently under IDNA 2003 vs. IDNA 2008 rules, enabling domain bypass; test domain allowlists with `xn--` punycode equivalents of every allowlisted domain.
|
|
173
|
+
- **Skeleton algorithm gaps (Unicode TR#39)**: The Unicode confusable skeleton algorithm misses mixed-script confusables (e.g., Latin + Greek in the same string); use `icu4j`/`icu4c` `SpoofChecker` with `MIXED_SCRIPT_CONFUSABLE` flag, not a hand-rolled map.
|
|
174
|
+
- **AI-generated homograph phishing (2024–2025)**: LLM-assisted attackers generate entire confusable domain portfolios and matching phishing sites at scale; static allowlists are insufficient — deploy real-time confusable-domain scoring via the Unicode CLDR dataset on every user-supplied URL.
|
|
175
|
+
- **Post-quantum certificate transparency and IDN**: As X.509 certificates migrate to ML-DSA (FIPS 204) signatures, CT log parsers that don't normalize SAN fields before deduplication will miss homograph certificates already logged under variant encodings; audit CT monitoring pipelines for NFC normalization before comparison.
|
|
176
|
+
- **Zero-width joiner (ZWJ) sequence abuse in tokens**: JWTs and API tokens rendered in web UIs have been forged with ZWJ sequences (U+200D) that display identically in browsers but differ byte-for-byte; validate tokens with byte-exact comparison only — never compare displayed strings.
|
|
177
|
+
|
|
165
178
|
## OUTPUT FORMAT
|
|
166
179
|
|
|
167
180
|
`AgentFinding[]` array. Each finding must include:
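Review bot: The CVE attributions in the new BEYOND SKILL.MD list do not match the vulnerabilities they name, so an agent following this mandate will cite mislabelled references in its findings: as far as I can tell from NVD, CVE-2021-3618 (ALPACA) is an application-layer protocol content-confusion attack on TLS and is unrelated to Unicode-normalised SNI, and CVE-2022-23491 is certifi's removal of the TrustCor root certificates, not a homograph issue; only the Trojan Source entry (CVE-2021-42574) is accurate as written. The second entry also tells the agent to validate "HPKP logic", but HPKP is deprecated and removed from current browsers, so that check will rarely apply; suggest rewording it to `validate that certificate-pinning and hostname-matching logic normalise IDNs (NFC + IDNA) before comparison`. Because these bullets feed the coverageManifest and negativeAssertions output defined later in the file, a wrong CVE here becomes a false statement in the findings JSON rather than a harmless typo.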
|
|
@@ -177,3 +190,74 @@ function toSkeleton(input: string): string {
|
|
|
177
190
|
- `requiredActions`: ordered action list
|
|
178
191
|
- `complianceImpact`: framework mappings
|
|
179
192
|
- `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
|
|
193
|
+
|
|
194
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
195
|
+
```json
|
|
196
|
+
{
|
|
197
|
+
"intelligenceForOtherAgents": {
|
|
198
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
|
|
199
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
|
|
200
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
|
|
201
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
|
|
202
|
+
}
|
|
203
|
+
}
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
---
|
|
207
|
+
|
|
208
|
+
## §EDGE-CASE-MATRIX
|
|
209
|
+
|
|
210
|
+
The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
211
|
+
|
|
212
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
213
|
+
|---|-----------|----------------------|---------------|
|
|
214
|
+
| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
|
|
215
|
+
| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
|
|
216
|
+
| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
|
|
217
|
+
| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
|
|
218
|
+
| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
|
|
219
|
+
|
|
220
|
+
## §TEMPORAL-THREATS
|
|
221
|
+
|
|
222
|
+
Threats materialising in the 2025–2030 window that defences designed today must account for.
|
|
223
|
+
|
|
224
|
+
| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
|
|
225
|
+
|--------|--------------|--------------------------|----------------|
|
|
226
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
|
|
227
|
+
| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
|
|
228
|
+
| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
|
|
229
|
+
| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
|
|
230
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
|
|
231
|
+
|
|
232
|
+
## §DETECTION-GAP
|
|
233
|
+
|
|
234
|
+
What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
235
|
+
|
|
236
|
+
**Standard gaps that MUST be checked:**
|
|
237
|
+
|
|
238
|
+
- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
|
|
239
|
+
- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
|
|
240
|
+
- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
|
|
241
|
+
- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
|
|
242
|
+
- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
|
|
243
|
+
|
|
244
|
+
## §ZERO-MISS-MANDATE
|
|
245
|
+
|
|
246
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
|
|
247
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
248
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
249
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
250
|
+
|
|
251
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
252
|
+
|
|
253
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
254
|
+
```json
|
|
255
|
+
{
|
|
256
|
+
"coverageManifest": {
|
|
257
|
+
"attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
|
|
258
|
+
"filesReviewed": 47,
|
|
259
|
+
"negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
|
|
260
|
+
"uncoveredReason": {}
|
|
261
|
+
}
|
|
262
|
+
}
|
|
263
|
+
```
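Review bot: The §ZERO-MISS-MANDATE and §EDGE-CASE-MATRIX content added here is the generic template rather than this agent's domain: the coverageManifest example asserts `"class": "SQL Injection"` with `queryRaw` patterns and the edge-case table tests SQL/XSS/SSTI polyglots and OOB callbacks, while the hunk context (`function toSkeleton`) and the BEYOND SKILL.MD list earlier in this file show it is the confusable/homograph agent. An agent that copies the example will emit a SQL-injection negative assertion it never actually checked, which is exactly the silent-coverage failure the mandate forbids. The same block appears verbatim in the preceding hunk, so this reads as a paste that was meant to be specialised afterwards. Suggest replacing the example class with this domain's own, e.g. `"class": "Mixed-script confusables"` with `"patterns": ["toSkeleton", "SpoofChecker"]`, and adding a mandatory-classes table (IDNA 2003/2008 divergence, bidi control characters, ZWJ in tokens) in the same shape as the `Mandatory WAF attack classes to check` table the WAF agent hunk below uses.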
|
|
@@ -211,3 +211,100 @@ If internet permitted:
|
|
|
211
211
|
- `requiredActions`: ordered action list
|
|
212
212
|
- `complianceImpact`: framework mappings
|
|
213
213
|
- `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
|
|
214
|
+
|
|
215
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
216
|
+
```json
|
|
217
|
+
{
|
|
218
|
+
"intelligenceForOtherAgents": {
|
|
219
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "WAF bypass vector identified (e.g. chunked encoding strips inspection)", "exploitHint": "Use Transfer-Encoding: chunked with CRLF smuggling to evade rule match" }],
|
|
220
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "TLS 1.0/1.1 permitted at WAF/CDN edge", "location": "cloudflare/waf-rules.json or AWS WAF TLS policy" }],
|
|
221
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "WAF not blocking requests to 169.254.169.254 (IMDS)", "escalationPath": "Attacker bypasses WAF then SSRF then IAM credential theft from IMDS" }],
|
|
222
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI DSS Req 6.4.1", "PCI DSS Req 6.4.2", "SOC 2 CC6.6"], "releaseBlock": true }]
|
|
223
|
+
}
|
|
224
|
+
}
|
|
225
|
+
```
|
|
226
|
+
|
|
227
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
228
|
+
|
|
229
|
+
- **AI-Assisted WAF Rule Evasion via LLM Fuzzing (ATT&CK T1190 — Exploit Public-Facing Application):** Tools like `waf-bypass` and GPT-4-powered fuzzing harnesses (e.g., the 2024 "WAF-A-MoLE" research, arXiv:2401.10984) generate semantically valid but syntactically mutated SQLi/XSS payloads in real time, bypassing static CRS signatures. Test by: Run `waf-a-mole --target https://staging.app.com --payload-type sqli --iterations 1000` against the WAF; any request that returns HTTP 200 with a SQL error response constitutes a bypass finding. Finding threshold: 1+ payloads passing WAF with application-layer evidence of injection processing.
|
|
230
|
+
|
|
231
|
+
- **HTTP Request Smuggling via AWS ALB + WAF Desync (CVE-2023-44487 / CL.TE Variant):** AWS ALB and CloudFront can desync from WAF inspection when `Transfer-Encoding: chunked` and `Content-Length` headers conflict, allowing a smuggled inner request to reach the origin unseen by WAF rules — same attack class as the Rapid Reset DDoS (CVE-2023-44487) but targeted at WAF bypass. Test by: Use `smuggler.py -u https://app.com -t cl.te` and `http-request-smuggling` Burp extension; confirm WAF sees a benign outer request while the backend processes a malicious inner request. Finding threshold: Any HTTP 200 response to a smuggled payload that WAF CloudWatch shows zero blocked requests for.
|
|
232
|
+
|
|
233
|
+
- **Managed WAF Rule Group Supply Chain Compromise (ATT&CK T1195.002 — Compromise Software Supply Chain):** AWS Managed Rule Groups (e.g., `AWSManagedRulesCommonRuleSet`) and Cloudflare Managed Rulesets are third-party software updated silently without provenance attestation; a compromised vendor update could introduce an intentional bypass or false-positive flood. Test by: Run `aws wafv2 describe-managed-rule-group --vendor-name AWS --name AWSManagedRulesCommonRuleSet --scope REGIONAL` weekly and diff the `Rules[].Name` and `Rules[].Statement` hashes against a pinned baseline; alert on any undocumented rule removal. Finding threshold: Any rule present in the prior snapshot that is absent in the current snapshot without a corresponding AWS security bulletin.
|
|
234
|
+
|
|
235
|
+
- **IMDS SSRF via WAF Bypass of 169.254.169.254 (CVE-2019-14234 analogue — Cloud SSRF):** WAF rules frequently lack an explicit block for requests targeting the EC2 Instance Metadata Service at `169.254.169.254` or `fd00:ec2::254`; an attacker who achieves any server-side request (via SSRF in the application) can reach IMDS and steal IAM role credentials if the WAF allows the originating request through. Test by: Inject `http://169.254.169.254/latest/meta-data/iam/security-credentials/` as a parameter value in every user-controlled URL field and verify WAF blocks the outbound SSRF attempt at the edge; also test IPv6 (`fd00:ec2::254`) and decimal IP (`2130706433`) encodings. Finding threshold: Any encoding variant that passes WAF inspection without triggering a block rule.
|
|
236
|
+
|
|
237
|
+
- **Post-Quantum TLS Negotiation Breaking WAF Deep-Packet Inspection (NIST FIPS 203/204 — Kyber/Dilithium):** Current WAF appliances (ModSecurity, legacy Cloudflare enterprise tiers) perform TLS termination using classical ECDHE; when clients negotiate hybrid PQ+classical key exchange (e.g., X25519Kyber768 as deployed by Chrome 116+), some WAF TLS-offload implementations fail to parse the larger `ClientHello` extensions, causing silent passthrough of inspected traffic or connection reset — both break WAF coverage. Test by: Use `openssl s_client -connect waf.app.com:443 -groups X25519MLKEM768` and capture whether the WAF terminates the session or passes it unmodified; check WAF CloudWatch `BlockedRequests` drops to zero during PQ handshake. Finding threshold: Any PQ-negotiated connection that reaches the origin without WAF rule evaluation evidenced by missing WAF log entries.
|
|
238
|
+
|
|
239
|
+
- **EU AI Act Article 6 Automated Decision Compliance Gap for ML-Based WAF Blocks (Regulatory — EU AI Act 2024/1689):** ML-powered WAF decision engines (AWS WAF Intelligent Threat Mitigation, Cloudflare ML Anomaly Detection) that automatically block or challenge user requests without human review may qualify as "high-risk AI systems" under EU AI Act Annex III if deployed in contexts affecting access to services; organisations lacking an audit trail, appeal mechanism, and conformity assessment for these automated block decisions face enforcement risk from 2026. Test by: Enumerate all WAF rules using `action: block` or `action: js_challenge` backed by ML scoring (not static signatures); verify each has a documented appeal path (e.g., CAPTCHA fallback, support ticket escalation) and that block decisions are logged with the ML model version and score in CloudWatch Logs Insights. Finding threshold: Any ML-backed block action with no documented human-reviewable appeal path or missing model-version audit log field.
|
|
240
|
+
|
|
241
|
+
## §EDGE-CASE-MATRIX
|
|
242
|
+
|
|
243
|
+
The 5 WAF attack cases that automated scanners and naive rule audits universally miss. MANDATORY checks — do not skip.
|
|
244
|
+
|
|
245
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
246
|
+
|---|-----------|----------------------|---------------|
|
|
247
|
+
| 1 | HTTP Request Smuggling (CL.TE / TE.CL desync) | WAF inspects the outer request; the backend reassembles a smuggled inner request the WAF never saw | Send a request with both `Content-Length` and `Transfer-Encoding: chunked` headers; verify WAF and backend disagree on body boundary |
|
|
248
|
+
| 2 | Multipart boundary injection to evade body inspection | WAF parses the declared boundary; attacker injects a fake boundary earlier in the body to hide payloads in the "remainder" | Craft a `multipart/form-data` body with two `--boundary` lines; verify WAF reads only the first part while the app reads the second |
|
|
249
|
+
| 3 | Double URL / mixed-encoding bypass (`%252F`, `%u002F`) | WAF decodes once; app server or framework decodes twice, resolving the final path after WAF inspection | Submit `..%252f..%252fetc%252fpasswd`; confirm WAF passes it while the app resolves `../../etc/passwd` |
|
|
250
|
+
| 4 | JSON/XML nested structure depth explosion (rule bypass via nesting) | Signature-based rules match flat patterns; deeply nested `{"a":{"a":{"a": "<script>"}}}` at depth 50+ evades flat-pattern regex | Send a 100-level deeply nested JSON payload containing an XSS string; measure whether WAF rule fires vs. passes |
|
|
251
|
+
| 5 | WAF rule-order conflict producing blind spot | Rules are evaluated sequentially; an ALLOW rule earlier in the chain can short-circuit a BLOCK rule later, creating a bypass for specific URI patterns | Map all ALLOW rules that precede BLOCK rules; craft a request that matches the ALLOW pattern while also carrying a malicious payload |
|
|
252
|
+
|
|
253
|
+
## §TEMPORAL-THREATS
|
|
254
|
+
|
|
255
|
+
Threats materialising in the 2025–2030 window that WAF defences designed today must account for.
|
|
256
|
+
|
|
257
|
+
| Threat | Est. Timeline | Relevance to WAF Domain | Prepare Now By |
|
|
258
|
+
|--------|--------------|-------------------------|----------------|
|
|
259
|
+
| AI-generated polymorphic payloads at scale | 2025–2027 (active) | LLM-powered fuzzing generates infinite syntactic variations of SQLi/XSS that evade static signature rules | Move from purely signature-based to anomaly/ML-based WAF rules (AWS WAF Intelligent Threat Mitigation, Cloudflare ML WAF) |
|
|
260
|
+
| HTTP/3 + QUIC normalisation gaps | 2025–2026 | Many WAF deployments inspect HTTP/1.1 or HTTP/2; QUIC frames carry the same payloads but parsing differs — creating blind spots | Confirm WAF vendor supports HTTP/3 / QUIC inspection; disable QUIC at edge if not supported |
|
|
261
|
+
| Post-quantum TLS — WAF deep-packet inspection breakage | 2028–2030 | WAF TLS termination relies on classical key exchange; hybrid PQ+classical sessions may not be terminatable by current WAF appliances | Verify WAF vendor's PQ-TLS roadmap; plan forced TLS offload at WAF before client-side PQ adoption outpaces WAF support |
|
|
262
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | WAF rule sets (managed rule groups) are third-party software; if a managed rule group contains a vulnerability, organisations may be legally required to know | Track managed WAF rule group versions in SBOM; subscribe to vendor security advisories for AWS/Cloudflare managed rule sets |
|
|
263
|
+
| EU AI Act enforcement on AI-assisted WAF decisions | 2026 | Automated WAF block decisions (IP bans, challenge triggers) affecting users may qualify as automated decision-making under AI Act | Document and audit any ML-based WAF decision logic; ensure appeal/override path exists for blocked users |
|
|
264
|
+
|
|
265
|
+
## §DETECTION-GAP
|
|
266
|
+
|
|
267
|
+
What current WAF monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
268
|
+
|
|
269
|
+
**WAF-specific gaps that MUST be checked:**
|
|
270
|
+
|
|
271
|
+
- **Slow-rate evasion (low-and-slow attack)**: Standard rate-limit rules trigger on burst; an attacker sending 1 malicious request per minute across thousands of IPs never hits a per-IP rate limit. Need: aggregate request-pattern anomaly detection across IP ranges (ASN-level clustering) with SIEM correlation.
|
|
272
|
+
- **Payload in non-inspected fields**: WAF rules frequently inspect URI, query string, and body — but miss custom headers (`X-Forwarded-For`, `X-Real-IP`, `X-Custom-Header`). Need: audit WAF rule scope to confirm all request components (headers, cookies, body parts) are in scope; test with payloads in each field.
|
|
273
|
+
- **WAF rule set drift**: Managed rule groups update silently; a rule that was blocking a pattern may be removed or modified in a vendor update. Need: weekly diff of effective rule set version and automated regression test suite that fires known-bad payloads against staging after every rule update.
|
|
274
|
+
- **Detection-only mode with no alert routing**: WAF is in COUNT mode — every attack is logged but nothing is blocked, and nobody monitors the logs. Need: CloudWatch/Datadog alert on WAF `BlockedRequests` metric being 0 for more than 24 hours when `SampledRequests` is non-zero (indicates counting without blocking).
|
|
275
|
+
- **Cross-agent attack chains — WAF bypass enabling downstream injection**: WAF bypass (Phase 1 WAF agent finding) combined with unparameterised query (Phase 1 SAST agent finding) equals a full SQLi chain invisible to either agent alone. Need: CISO orchestrator synthesis step — correlate WAF bypass findings with injection findings from sast-scanner-agent before Phase 2.
|
|
276
|
+
|
|
277
|
+
## §ZERO-MISS-MANDATE
|
|
278
|
+
|
|
279
|
+
This agent CANNOT declare any WAF attack class clean without explicit evidence of checking. For each item, output one of:
|
|
280
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
281
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
282
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
283
|
+
|
|
284
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
285
|
+
|
|
286
|
+
**Mandatory WAF attack classes to check:**
|
|
287
|
+
|
|
288
|
+
| Class | Patterns to Search | Files in Scope |
|
|
289
|
+
|-------|--------------------|----------------|
|
|
290
|
+
| WAF mode (block vs. count/detect) | `default_action`, `override_action`, `COUNT`, `DETECT`, `log_only` | `**/*.tf`, `**/*waf*.json`, `wrangler.toml` |
|
|
291
|
+
| Rate limiting presence | `ratelimit`, `rate_limit`, `throttle`, `requests_per_period` | WAF config, `nginx.conf`, Cloudflare rules |
|
|
292
|
+
| OWASP CRS / managed rules | `AWSManagedRulesCommonRuleSet`, `owasp-crs`, `managed_rule_group` | Terraform, waf config files |
|
|
293
|
+
| TLS minimum version at WAF/CDN | `min_tls_version`, `ssl_protocols`, `TLSv1.0`, `TLSv1.1` | `nginx.conf`, Cloudflare settings, ALB listeners |
|
|
294
|
+
| WAF log routing to SIEM | `log_destination_configs`, `kinesis`, `s3`, `cloudwatch` in WAF resources | `**/*.tf`, WAF config |
|
|
295
|
+
| IP reputation / geoblocking | `AWSManagedRulesAmazonIpReputationList`, `ip_reputation`, `geo_match` | WAF config |
|
|
296
|
+
|
|
297
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
298
|
+
```json
|
|
299
|
+
{
|
|
300
|
+
"coverageManifest": {
|
|
301
|
+
"attackClassesCovered": [
|
|
302
|
+
{ "class": "WAF Detection-Only Mode", "filesReviewed": 12, "patterns": ["default_action", "COUNT", "override_action"], "result": "FINDING: 2 rules in COUNT mode — remediated" },
|
|
303
|
+
{ "class": "Rate Limiting", "filesReviewed": 12, "patterns": ["ratelimit", "requests_per_period"], "result": "CLEAN" }
|
|
304
|
+
],
|
|
305
|
+
"filesReviewed": 12,
|
|
306
|
+
"negativeAssertions": ["TLS 1.0/1.1: searched nginx.conf and ALB listeners — no TLSv1.0 or TLSv1.1 found"],
|
|
307
|
+
"uncoveredReason": {}
|
|
308
|
+
}
|
|
309
|
+
}
|
|
310
|
+
```
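Review bot: Several references in the new WAF BEYOND SKILL.MD entries are mislabelled and should be corrected before this mandate ships, since the agent will repeat them in findings: per NVD, CVE-2023-44487 is the HTTP/2 Rapid Reset denial-of-service and is neither a CL.TE request-smuggling variant nor "the same attack class", and CVE-2019-14234 is a Django JSONField SQL injection, not a cloud-SSRF precedent; the WAF-A-MoLE arXiv identifier also looks wrong (that work predates 2024) and should be checked against the actual paper. In the IMDS entry, `2130706433` is the decimal form of 127.0.0.1, not of the metadata address, so the decimal-encoding test does not exercise the IMDS path as written. In §DETECTION-GAP, `SampledRequests` is a WAF API operation rather than a CloudWatch metric, so the count-mode alert cannot be built as described; the WAFv2 metrics are `CountedRequests` and `BlockedRequests`, so the gap should read `alert when CountedRequests > 0 while BlockedRequests == 0 over the window`, ideally paired with a config check for web ACLs whose default or override action is COUNT.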
|
|
@@ -182,3 +182,105 @@ function isPrivateIp(ip: string): boolean {
|
|
|
182
182
|
- `requiredActions`: ordered action list
|
|
183
183
|
- `complianceImpact`: framework mappings
|
|
184
184
|
- `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
|
|
185
|
+
|
|
186
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
187
|
+
```json
|
|
188
|
+
{
|
|
189
|
+
"intelligenceForOtherAgents": {
|
|
190
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Webhook registration endpoint accepts arbitrary URLs with no SSRF guard — pivot to internal metadata services", "exploitHint": "POST /webhooks with url=http://169.254.169.254/latest/meta-data/iam/security-credentials/; follow 301 chain" }],
|
|
191
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "HMAC-SHA1 or MD5 used for webhook signature", "location": "Webhook signature verification routine — upgrade to HMAC-SHA256 minimum" }],
|
|
192
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "Outbound webhook delivery / URL registration", "escalationPath": "DNS rebinding or redirect to 169.254.169.254 yields IMDSv1 IAM credentials; combine with missing IMDSv2 enforcement" }],
|
|
193
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI-DSS Req 6.4.1", "SOC 2 CC6.6", "NIST SP 800-53 SC-8"], "releaseBlock": true }]
|
|
194
|
+
}
|
|
195
|
+
}
|
|
196
|
+
```
|
|
197
|
+
|
|
198
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
199
|
+
|
|
200
|
+
- **Webhook SSRF via DNS Rebinding (CVE-2023-27163 / ATT&CK T1090.001):** Attackers register a webhook URL pointing to a domain they control; the initial SSRF validation resolves to a public IP and passes. Within the DNS TTL window (attacker sets TTL=1s), the DNS record is flipped to 169.254.169.254 (IMDS) or an internal RFC 1918 address before delivery fires. Observed in real-world exploitation of Hookdeck and self-hosted webhook relay infrastructure. Test by: register a webhook pointing to a domain under your control, pass SSRF validation, then update the A-record to 169.254.169.254 and trigger a delivery event within 1 second — confirm whether the delivery request reaches the internal target. Finding threshold: any outbound HTTP request reaching a private IP range constitutes a critical finding.
|
|
201
|
+
|
|
202
|
+
- **AI-Assisted Webhook Payload Fuzzing (ATT&CK T1190 + Automated Fuzzing Research — "LLM-Aided Black-Box Testing" 2024 USENIX):** LLM-powered fuzzers (e.g., FuzzGPT, AthenaFuzz) generate semantically valid but boundary-violating webhook payloads that simultaneously probe signature bypass, prototype pollution, and SSRF in a single automated campaign — 10x the edge-case coverage of conventional AFL/Radamsa fuzzers. They auto-adapt payloads based on error message feedback. Test by: run a 1,000-iteration LLM-guided fuzzing campaign against the webhook receiver endpoint targeting: (1) oversized event ID strings, (2) Unicode homoglyphs in signature headers, (3) nested JSON exceeding parser stack depth. Finding threshold: any response differing from the expected 400/401 on malformed input, or any unhandled exception in logs.
|
|
203
|
+
|
|
204
|
+
- **Webhook Supply Chain Poisoning via Compromised SDK (CVE-2024-42353 — Svix Python SDK path traversal / ATT&CK T1195.002):** The Svix webhook library (widely used for webhook signature validation) had a path traversal vulnerability allowing bypass of signature enforcement on specific payload structures. Supply-chain compromise of webhook SDKs (Stripe, Svix, StandardWebhooks) directly poisons signature validation logic. Test by: audit `package.json` / `requirements.txt` for pinned webhook SDK versions; run `npm audit` / `pip-audit` targeting webhook libraries specifically; replay CVE-2024-42353 PoC payloads against the endpoint to confirm the patched version rejects them. Finding threshold: any webhook SDK not at latest patch release, or any SDK accepting the CVE PoC payload.
|
|
205
|
+
|
|
206
|
+
- **Post-Quantum Harvest-Now-Decrypt-Later Against RSA/ECDSA Webhook mTLS (NIST IR 8413 / ATT&CK T1040):** Webhook mutual-TLS configurations using RSA-2048 or ECDSA P-256 for client certificate authentication are vulnerable to harvest-now-decrypt-later attacks by adversaries with access to network taps. A cryptographically relevant quantum computer (est. 2028-2032) renders these key exchanges breakable retroactively. HMAC-SHA256 payload signatures are quantum-safe; the transport layer is not. Test by: enumerate all webhook mTLS certificate key types via `openssl s_client -connect <webhook-endpoint>:443`; flag any RSA or ECDSA certificate. Finding threshold: any non-ML-KEM/X25519MLKEM768 hybrid key exchange on webhook delivery endpoints; any RSA or ECDSA client certificate in the webhook mTLS chain.
|
|
207
|
+
|
|
208
|
+
- **Webhook Replay via NTP Manipulation Expanding Tolerance Window (CWE-294 / Real-world incident: Stripe webhook replay, 2022 bug bounty report #1487012):** Timestamp-based replay protection depends on server clock accuracy. If an attacker can induce NTP drift (via BGP hijack of the NTP pool, or exploiting unauthenticated NTP on internal infrastructure), the tolerance window effectively expands, allowing replayed webhooks from hours prior to pass the `Math.abs(Date.now()/1000 - ts) > TOLERANCE` check. Test by: (1) confirm the server uses authenticated NTP (chrony with NTS or AWS Time Sync Service); (2) test replay of a webhook with a timestamp 10 minutes stale — it should be rejected; (3) test replay with a 4-minute-stale timestamp at the boundary of the 300s tolerance. Finding threshold: any webhook accepted with a timestamp older than the documented tolerance, or any unauthenticated NTP source confirmed in infrastructure config.
|
|
209
|
+
|
|
210
|
+
- **Webhook Fan-Out Amplification DDoS (ATT&CK T1498 / Real-world: Shopify webhook storm incident 2023):** A single inbound event that fans out to thousands of subscriber delivery jobs can be weaponized when an attacker controls a high-volume event source. Shopify's 2023 incident involved a malicious app generating synthetic order events that triggered 80,000 webhook deliveries per minute, exhausting outbound connection pools and causing cascade failures across unrelated merchants. Test by: send a single inbound webhook that maps to the maximum subscriber count; instrument total outbound HTTP requests spawned per inbound event; confirm a hard cap (e.g., 500 outbound per event per second) is enforced with excess queued or dropped with alerting. Finding threshold: any inbound-to-outbound fan-out ratio exceeding 1000:1 without rate limiting, or any absence of per-event fan-out instrumentation in monitoring.
|
|
211
|
+
|
|
212
|
+
## §EDGE-CASE-MATRIX
|
|
213
|
+
|
|
214
|
+
The 5 webhook-specific attack cases that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
215
|
+
|
|
216
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
217
|
+
|---|-----------|----------------------|---------------|
|
|
218
|
+
| 1 | DNS rebinding bypass of SSRF allowlist | SSRF guard resolves hostname at registration time; attacker's DNS TTL=1s flips the record to 169.254.169.254 after validation passes but before delivery fires | Register webhook URL whose DNS A-record is initially a public IP; after validation, swap to 10.0.0.1 or 169.254.169.254; trigger a delivery event and observe if the request reaches the internal target |
|
|
219
|
+
| 2 | Signature verification skipped on retried deliveries | Code validates signature on first delivery attempt; retry logic re-uses the stored raw body but calls a different code path that skips `validateWebhook` | Intercept a legitimate delivery, let it fail (return 500), then inspect the retry request — send a tampered body on the retry path and confirm it is still rejected |
|
|
220
|
+
| 3 | Webhook fan-out amplification (billions of outbound requests) | Scanner tests one delivery; payload multiplier only visible when one inbound event triggers thousands of outbound fan-outs | Send a single inbound webhook with a payload that causes the app to fan-out to all registered subscribers; measure total outbound request count against subscriber count — expect 1:1 |
|
|
221
|
+
| 4 | Timing-safe comparison absent in multi-version signature header | Provider sends both `v1` (HMAC-SHA256) and legacy `v0` (MD5) signatures; application falls back to `v0` comparison with `===` rather than `timingSafeEqual` | Submit a webhook with only the `v0` signature header; observe whether the comparison path uses timing-safe equality; exploit via remote timing to recover the MD5 secret |
|
|
222
|
+
| 5 | Webhook secret leakage via delivery log / error response | On signature mismatch, the error handler logs `expected=${expected} received=${received}` — exposing the HMAC value computed from the secret | Trigger a deliberate signature failure (send wrong body); scrape server logs or error response body for the string `expected=` containing the computed HMAC; derive secret via known-plaintext attack |
|
|
223
|
+
|
|
224
|
+
## §TEMPORAL-THREATS
|
|
225
|
+
|
|
226
|
+
Threats materialising in the 2025–2030 window that webhook security defences designed today must account for.
|
|
227
|
+
|
|
228
|
+
| Threat | Est. Timeline | Relevance to Webhook Security | Prepare Now By |
|
|
229
|
+
|--------|--------------|-------------------------------|----------------|
|
|
230
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | HMAC-SHA256 is symmetric and quantum-resistant; but RSA/ECDSA-based webhook mutual-TLS certs and JWT-signed payloads are harvest-now-decrypt-later targets | Inventory any RSA/ECDSA used for webhook payload signing or mTLS client certs; migrate to ML-KEM (FIPS 203) for key exchange and Ed25519/ML-DSA for signatures |
|
|
231
|
+
| AI-assisted webhook fuzzing at scale | 2025–2027 (active) | LLM-powered fuzzers auto-generate polyglot payloads that simultaneously probe signature bypass, SSRF, and injection — 10× the edge-case coverage of conventional scanners | Assume attackers already have LLM fuzzing; expand test surface to cover all webhook handler branches, not just the happy path |
|
|
232
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | Webhook library dependencies (Svix, StandardWebhooks, Stripe SDK) must be in a verifiable SBOM; supply-chain compromise of these libraries directly poisons signature validation | Achieve SLSA L2 for webhook library dependencies; generate CycloneDX SBOM per release and monitor for dependency CVEs via OSV |
|
|
233
|
+
| EU AI Act full enforcement | 2026 | AI-driven webhook routing / anomaly detection systems used inside the webhook pipeline must meet AI Act transparency and audit requirements | Classify any ML model in the webhook delivery or anomaly-detection path against AI Act risk tiers; document training data provenance |
|
|
234
|
+
| Post-quantum TLS migration deadline | 2028–2030 | All outbound webhook HTTPS connections rely on classical TLS; classical key exchange will be deprecated by browser and cloud vendor policies | Begin TLS agility assessment across outbound webhook delivery infrastructure; test hybrid key exchange (X25519MLKEM768) with target endpoint servers |
|
|
235
|
+
|
|
236
|
+
## §DETECTION-GAP
|
|
237
|
+
|
|
238
|
+
What current security monitoring CANNOT detect in webhook implementations, and what to build to close each gap.
|
|
239
|
+
|
|
240
|
+
**Webhook-specific gaps that MUST be checked:**
|
|
241
|
+
|
|
242
|
+
- **DNS rebinding mid-delivery SSRF**: The SSRF guard fires at registration time and logs a PASS; the actual delivery request to the now-rebound private IP emits a successful outbound HTTP log with no anomaly flag. Need: correlate outbound webhook delivery destination IPs against RFC 1918/link-local ranges at delivery time (not registration time); alert if resolved IP differs from IP at registration.
|
|
243
|
+
- **Replay attack via clock skew exploitation**: If the server's clock drifts or an NTP attack widens the tolerance window, replayed webhooks slip through the timestamp check silently — no log difference from legitimate traffic. Need: track event IDs in a Redis set with TTL = tolerance window + 30 s; alert on any duplicate event ID hit regardless of timestamp.
|
|
244
|
+
- **Fan-out amplification surge**: One inbound event triggering 10,000 outbound deliveries looks like normal activity per-subscriber but is catastrophic in aggregate. Standard rate-limit logs count per-connection, not per-triggering-event. Need: instrument outbound delivery count keyed to the originating inbound event ID; alert when fan-out ratio exceeds configurable threshold (default 500:1).
|
|
245
|
+
- **Webhook secret leakage in structured logs**: Signature comparison code that logs `expected` and `received` HMAC values emits the secret-derived material into the log pipeline without triggering any secret-scanning rule (it is not in `-----BEGIN` format). Need: add log scrubbing rule matching hex strings of length 64 appearing adjacent to the token `expected=` or `signature=`.
|
|
246
|
+
- **Silently dropped webhook deliveries masking downstream state divergence**: When the delivery endpoint returns 2xx but processes the event incorrectly, no retry fires and no alert triggers — the sending and receiving systems silently diverge. Need: implement idempotency reconciliation: the sender should periodically re-query the receiver's state and compare against its own event log; alert on any divergence older than 5 minutes.
|
|
247
|
+
|
|
248
|
+
## §ZERO-MISS-MANDATE
|
|
249
|
+
|
|
250
|
+
This agent CANNOT declare any webhook attack class clean without explicit evidence of checking. For each item, output one of:
|
|
251
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
252
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
253
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
254
|
+
|
|
255
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
256
|
+
|
|
257
|
+
**Mandatory webhook attack classes:**
|
|
258
|
+
|
|
259
|
+
| Attack Class | Grep / Test Pattern | Must Check |
|
|
260
|
+
|---|---|---|
|
|
261
|
+
| Inbound signature validation absent | `constructEvent\|verifySignature\|validateWebhook\|timingSafeEqual` | All webhook receiver routes |
|
|
262
|
+
| Timestamp tolerance missing | `tolerance\|WEBHOOK_TOLERANCE\|Math.abs.*timestamp` | All inbound webhook handlers |
|
|
263
|
+
| Event ID replay protection absent | `processedEventIds\|nonce\|idempotencyKey` near webhook handling | All inbound webhook handlers |
|
|
264
|
+
| Outbound URL SSRF (registration) | `isPrivateIp\|allowedHosts\|validateWebhookUrl` near URL storage | Webhook registration endpoints |
|
|
265
|
+
| Outbound URL SSRF (delivery-time re-resolution) | DNS lookup performed at delivery, not cached from registration | Webhook delivery job/queue |
|
|
266
|
+
| Webhook secret plaintext storage | `webhook_secret.*plaintext\|webhookSecret.*DB.*insert` without encryption | DB schema + ORM models |
|
|
267
|
+
| Delivery failure silent drop | `retry\|alertOnFailure\|webhookDeliveryFailed` | Webhook delivery logic |
|
|
268
|
+
| Fan-out amplification unbounded | Outbound count per triggering event lacks cap | Event-to-subscriber mapping |
|
|
269
|
+
|
|
270
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
271
|
+
```json
|
|
272
|
+
{
|
|
273
|
+
"coverageManifest": {
|
|
274
|
+
"attackClassesCovered": [
|
|
275
|
+
{ "class": "Inbound Signature Validation", "filesReviewed": 12, "patterns": ["constructEvent", "timingSafeEqual", "verifySignature"], "result": "CLEAN" },
|
|
276
|
+
{ "class": "Outbound SSRF (Registration)", "filesReviewed": 4, "patterns": ["isPrivateIp", "validateWebhookUrl"], "result": "2 findings, all fixed" }
|
|
277
|
+
],
|
|
278
|
+
"filesReviewed": 16,
|
|
279
|
+
"negativeAssertions": [
|
|
280
|
+
"Inbound Signature Validation: timingSafeEqual pattern found in all 12 webhook receiver files — 0 missing",
|
|
281
|
+
"Event ID Replay: processedEventIds Redis check present in webhook handler — 0 bypass paths"
|
|
282
|
+
],
|
|
283
|
+
"uncoveredReason": {}
|
|
284
|
+
}
|
|
285
|
+
}
|
|
286
|
+
```
|