security-mcp 1.1.4 → 1.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +116 -264
- package/defaults/checklists/ai.json +20 -1
- package/defaults/checklists/api.json +35 -1
- package/defaults/checklists/infra.json +34 -1
- package/defaults/checklists/mobile.json +23 -1
- package/defaults/checklists/payments.json +15 -1
- package/defaults/checklists/web.json +11 -1
- package/defaults/security-policy.json +2 -2
- package/dist/cli/index.js +0 -0
- package/dist/gate/baseline.js +82 -7
- package/dist/gate/catalog.js +10 -2
- package/dist/gate/checks/ai.js +757 -39
- package/dist/gate/checks/auth-deep.js +920 -216
- package/dist/gate/checks/business-logic.js +751 -0
- package/dist/gate/checks/ci-pipeline.js +399 -4
- package/dist/gate/checks/crypto.js +423 -2
- package/dist/gate/checks/dependencies.js +571 -15
- package/dist/gate/checks/graphql.js +201 -19
- package/dist/gate/checks/infra.js +246 -1
- package/dist/gate/checks/injection-deep.js +827 -184
- package/dist/gate/checks/k8s.js +114 -1
- package/dist/gate/checks/mobile-android.js +917 -3
- package/dist/gate/checks/mobile-ios.js +797 -5
- package/dist/gate/checks/required-artifacts.js +194 -0
- package/dist/gate/checks/runtime.js +178 -0
- package/dist/gate/checks/secrets.js +244 -13
- package/dist/gate/checks/supply-chain-deep.js +787 -0
- package/dist/gate/checks/web-nextjs.js +572 -48
- package/dist/gate/diff.js +17 -5
- package/dist/gate/evidence.js +8 -1
- package/dist/gate/exceptions.js +131 -9
- package/dist/gate/policy.js +280 -131
- package/dist/mcp/audit-chain.js +122 -28
- package/dist/mcp/auth.js +169 -0
- package/dist/mcp/learning.js +129 -4
- package/dist/mcp/model-router.js +158 -21
- package/dist/mcp/orchestration.js +186 -51
- package/dist/mcp/server.js +337 -53
- package/dist/repo/fs.js +24 -1
- package/dist/repo/search.js +31 -6
- package/dist/review/store.js +52 -1
- package/package.json +7 -7
- package/skills/_TEMPLATE/SKILL.md +99 -0
- package/skills/advanced-dos-tester/SKILL.md +109 -0
- package/skills/agentic-loop-exploiter/SKILL.md +368 -0
- package/skills/ai-llm-redteam/SKILL.md +104 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
- package/skills/android-penetration-tester/SKILL.md +455 -46
- package/skills/anti-replay-tester/SKILL.md +106 -0
- package/skills/appsec-code-auditor/SKILL.md +85 -0
- package/skills/artifact-integrity-analyst/SKILL.md +441 -0
- package/skills/attack-navigator/SKILL.md +467 -8
- package/skills/auth-session-hacker/SKILL.md +102 -0
- package/skills/aws-penetration-tester/SKILL.md +456 -0
- package/skills/azure-penetration-tester/SKILL.md +490 -3
- package/skills/binary-auth-validator/SKILL.md +111 -0
- package/skills/bot-detection-specialist/SKILL.md +109 -0
- package/skills/business-logic-attacker/SKILL.md +231 -0
- package/skills/capec-code-mapper/SKILL.md +84 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
- package/skills/ciso-orchestrator/SKILL.md +454 -43
- package/skills/cloud-infra-specialist/SKILL.md +118 -0
- package/skills/compliance-gap-analyst/SKILL.md +422 -0
- package/skills/compliance-grc/SKILL.md +85 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
- package/skills/credential-stuffing-specialist/SKILL.md +102 -0
- package/skills/crypto-pki-specialist/SKILL.md +87 -0
- package/skills/csa-ccm-mapper/SKILL.md +84 -0
- package/skills/csf2-governance-mapper/SKILL.md +84 -0
- package/skills/deep-link-fuzzer/SKILL.md +109 -0
- package/skills/dependency-confusion-attacker/SKILL.md +415 -0
- package/skills/device-integrity-aggregator/SKILL.md +108 -0
- package/skills/dos-resilience-tester/SKILL.md +97 -0
- package/skills/dread-scorer/SKILL.md +84 -0
- package/skills/egress-policy-enforcer/SKILL.md +99 -0
- package/skills/evidence-collector/SKILL.md +98 -0
- package/skills/file-upload-attacker/SKILL.md +109 -0
- package/skills/gcp-penetration-tester/SKILL.md +459 -2
- package/skills/git-history-secret-scanner/SKILL.md +106 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
- package/skills/incident-responder/SKILL.md +111 -0
- package/skills/injection-specialist/SKILL.md +102 -0
- package/skills/ios-security-auditor/SKILL.md +282 -0
- package/skills/json-ambiguity-tester/SKILL.md +0 -0
- package/skills/k8s-container-escaper/SKILL.md +384 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
- package/skills/kill-switch-engineer/SKILL.md +102 -0
- package/skills/linddun-privacy-analyst/SKILL.md +102 -0
- package/skills/logic-race-fuzzer/SKILL.md +443 -0
- package/skills/mobile-api-network-attacker/SKILL.md +421 -0
- package/skills/mobile-binary-hardener/SKILL.md +102 -0
- package/skills/mobile-security-specialist/SKILL.md +85 -0
- package/skills/mobile-webview-auditor/SKILL.md +96 -0
- package/skills/model-extraction-attacker/SKILL.md +219 -0
- package/skills/multipart-abuse-tester/SKILL.md +84 -0
- package/skills/oauth-pkce-specialist/SKILL.md +104 -0
- package/skills/parser-exhaustion-tester/SKILL.md +142 -0
- package/skills/pentest-infra/SKILL.md +98 -0
- package/skills/pentest-social/SKILL.md +201 -0
- package/skills/pentest-team/SKILL.md +87 -0
- package/skills/pentest-web-api/SKILL.md +98 -0
- package/skills/privacy-flow-analyst/SKILL.md +234 -0
- package/skills/prompt-injection-specialist/SKILL.md +394 -0
- package/skills/quantum-migration-planner/SKILL.md +96 -0
- package/skills/rag-poisoning-specialist/SKILL.md +358 -0
- package/skills/registry-mirror-enforcer/SKILL.md +84 -0
- package/skills/rotation-validation-agent/SKILL.md +112 -0
- package/skills/samm-assessor/SKILL.md +85 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
- package/skills/senior-security-engineer/SKILL.md +167 -0
- package/skills/serialization-memory-attacker/SKILL.md +332 -0
- package/skills/session-timeout-tester/SKILL.md +161 -0
- package/skills/slsa-level3-enforcer/SKILL.md +112 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
- package/skills/ssrf-detection-validator/SKILL.md +108 -0
- package/skills/step-up-auth-enforcer/SKILL.md +84 -0
- package/skills/stride-pasta-analyst/SKILL.md +420 -0
- package/skills/supply-chain-devsecops/SKILL.md +98 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
- package/skills/threat-modeler/SKILL.md +85 -0
- package/skills/tls-certificate-auditor/SKILL.md +573 -18
- package/skills/token-reuse-detector/SKILL.md +95 -0
- package/skills/trike-risk-modeler/SKILL.md +84 -0
- package/skills/unicode-homograph-tester/SKILL.md +84 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
- package/skills/webhook-security-tester/SKILL.md +102 -0
- package/skills/zero-trust-architect/SKILL.md +109 -0
@@ -194,3 +194,105 @@ If internet permitted:
|
|
|
194
194
|
- `requiredActions`: ordered action list
|
|
195
195
|
- `complianceImpact`: framework mappings
|
|
196
196
|
- `beyondSkillMd`: true — this agent is entirely beyond-policy
|
|
197
|
+
|
|
198
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
199
|
+
```json
|
|
200
|
+
{
|
|
201
|
+
"intelligenceForOtherAgents": {
|
|
202
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "PII-rich endpoint or data store identified during LINDDUN analysis", "exploitHint": "Exfiltration via IDOR, mass-assignment, or analytics SDK misconfiguration" }],
|
|
203
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "SHA-256 email hash used as pseudonym (reversible via rainbow table)", "location": "src/models/user.ts" }],
|
|
204
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "Third-party analytics SDK with unconstrained webhook callback URL", "escalationPath": "SSRF to instance metadata → IAM token → S3 PII bucket" }],
|
|
205
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["GDPR Art. 35", "CCPA §1798.150", "HIPAA §164.514"], "releaseBlock": true }]
|
|
206
|
+
}
|
|
207
|
+
}
|
|
208
|
+
```
|
|
209
|
+
|
|
210
|
+
---
|
|
211
|
+
|
|
212
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
213
|
+
|
|
214
|
+
- **LLM-Assisted Re-identification of "Anonymised" Datasets (CWE-359 / ATT&CK T1530 / Sweeney 2002 k-anonymity paper):** Adversaries feed quasi-identifier fields (ZIP code, DOB, gender, device type) into an LLM alongside public data sources (voter rolls, LinkedIn, breach dumps) to collapse k-anonymity at scale — a re-identification attack that statistical models underestimate. Modern LLMs reduce the data-point threshold for re-identification from 5+ fields to as few as 2–3 correlated attributes. Test by: extract all non-PII attributes from each data model; prompt GPT-4o with the combination and a public dataset (e.g., US Census) and ask it to identify a specific individual; flag any schema where the LLM produces a confident match with < 5 quasi-identifiers. Finding threshold: any entity record with k < 5 under LLM-assisted adversary model.
|
|
215
|
+
|
|
216
|
+
- **Harvest-Now-Decrypt-Later Attack on Pseudonymised Tokens (NIST IR 8413 / PQC Migration / FIPS 203 ML-KEM):** Nation-state actors archive TLS-captured traffic today containing pseudonymised identifiers encrypted with RSA-2048 or ECDH P-256. When cryptographically relevant quantum computers (CRQCs) arrive (~2030 per NIST), these tokens become fully reversible. Any PII pseudonymised with RSA-based key exchange that must remain private beyond a 5-year horizon is already compromised. Test by: inventory all pseudonymisation key exchange mechanisms (`grep -r "RSA\|ECDH\|P-256\|rs256\|ES256" src/`); check data retention policies — flag any PII-bearing token stored beyond 5 years without post-quantum migration plan. Finding threshold: any long-lived pseudonymous identifier using pre-quantum cryptography with retention > 5 years.
|
|
217
|
+
|
|
218
|
+
- **Consent State Stale Cache Exploitation via Async Worker Race (CVE-2023-28432 class / ATT&CK T1499.003):** Background workers (email queues, retargeting exporters, recommendation engines) read consent state from a Redis or in-memory cache seeded at job-enqueue time. A user withdraws consent and the DB record updates, but the already-enqueued jobs carry a stale consent snapshot and complete the processing — violating GDPR Art. 7(3) right to withdraw consent. This was observed in real-world GDPR enforcement actions (e.g., Meta's 2023 €390M fine for consent bypass via "legitimate interest" fallback). Test by: withdraw consent for a test user via the API; immediately inspect the job queue for enqueued tasks referencing that userId; confirm each job re-reads live consent state (`grep -r "consent" src/workers/ src/queues/`); measure delay between consent revocation and job suppression. Finding threshold: any job that completes PII processing > 5 seconds after consent revocation.
|
|
219
|
+
|
|
220
|
+
- **Analytics SDK PII Leakage via Auto-Captured URL Parameters (Real Incident: Meta Pixel HIPAA breach 2022 / ATT&CK T1567.002):** Third-party analytics pixels (Meta Pixel, Google Analytics, Segment auto-track) capture `window.location.href` and `document.referrer` before any application-layer sanitisation runs, exfiltrating PII embedded in query parameters (e.g., `?email=user@example.com`, `?userId=123`, `?token=abc`). The 2022 Meta Pixel healthcare breach affected 3M+ patient records across 33 hospital systems. PII-in-URL is invisible to server-side log analysis. Test by: use Playwright to load every authenticated page with a synthetic PII-laden URL (`?email=test%40evil.com`); intercept all outbound HTTP requests via `page.on('request', ...)`; flag any request to a third-party domain that contains the injected PII value. Finding threshold: any third-party beacon containing PII present in the page URL.
|
|
221
|
+
|
|
222
|
+
- **Right-to-Erasure Gap in ML Training Snapshots and Cold Storage (GDPR Art. 17 / ATT&CK T1530 / EU AI Act Art. 10):** GDPR Art. 17 erasure requests are satisfied for the live database but PII persists in: S3/Glacier data lake snapshots, BigQuery export tables, Elasticsearch document indexes, ML model training datasets, and CDN-edge-cached profile pages. The EU AI Act (enforcement 2026) additionally requires that high-risk AI systems support data subject rights in training data — i.e., the right to have one's data removed from a training set. Regulatory audits now enumerate all downstream stores. Test by: build an erasure verification job that queries each registered downstream system for a deleted userId 72 hours post-deletion (`SELECT * FROM bq_export WHERE user_id = ?`; Elasticsearch `GET /users/_doc/{id}`; `aws s3 ls s3://snapshots/ | grep {userId}`); flag any non-zero result. Finding threshold: PII present in any downstream store 72 hours after erasure request.
|
|
223
|
+
|
|
224
|
+
- **Timing and Response-Size Side-Channel for User Presence Inference (LINDDUN Detecting / CWE-203 / ATT&CK T1592.002):** Authentication and account-lookup endpoints that return differential response latency or content-length for "user exists" vs "user not found" allow an adversary to enumerate valid user accounts — violating the LINDDUN Detecting threat category — without any PII being returned in the response body. This class of oracle was exploited in the 2016 LinkedIn scraping campaign and is present in most OAuth 2.0 password-reset flows. Content-scanning and SAST tools pass because no PII appears in the response. Test by: send 1,000 requests each to a known-valid and known-invalid identifier against `/auth/login`, `/auth/forgot-password`, and `/api/users/{id}`; compute p50/p99 latency delta and Content-Length delta; flag if latency delta > 5 ms or content-length delta > 50 bytes across the distribution. Finding threshold: statistically significant delta (t-test p < 0.05) between hit and miss response timing or size.
|
|
225
|
+
|
|
226
|
+
---
|
|
227
|
+
|
|
228
|
+
## §EDGE-CASE-MATRIX
|
|
229
|
+
|
|
230
|
+
The 5 privacy attack cases in the LINDDUN domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
231
|
+
|
|
232
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
233
|
+
|---|-----------|----------------------|---------------|
|
|
234
|
+
| 1 | Quasi-identifier linkage attack | Scanner flags explicit PII fields (email, SSN) but ignores indirect combinations: ZIP + DOB + gender re-identifies 87% of Americans (Sweeney). No single field triggers an alert. | Extract the set of non-PII attributes per data model; run k-anonymity check — flag any combination with k < 5 across realistic user population |
|
|
235
|
+
| 2 | Analytics SDK silently forwarding PII via URL or referrer | Third-party pixels and analytics snippets capture the full page URL including query params (e.g. `?email=user@example.com`) before any sanitization runs. Scanner tests API responses, not browser-sent requests. | Audit every analytics integration for auto-capture scope; search for `window.location.href`, `document.referrer`, `utm_*` patterns logged alongside user sessions; replay with a synthetic PII-laden URL |
|
|
236
|
+
| 3 | Right-to-erasure gap via derived data stores | User record deleted from primary DB but PII persists in: search indexes (Elasticsearch/Algolia), ML training snapshots, cold-storage analytics exports, CDN-cached profile pages. Scanner only checks the primary DELETE code path. | Enumerate every downstream system in the data flow diagram; for each, verify a deletion propagation mechanism exists and is tested with a real erasure call |
|
|
237
|
+
| 4 | Consent state not propagated to asynchronous workers | Consent withdrawn on the frontend; the revocation event is written to the DB. However, background jobs (email queues, recommendation engines, retargeting exports) read a stale consent cache and continue processing. Scanner audits synchronous code paths only. | Trace consent-check logic into every async consumer (queues, crons, webhooks); confirm each re-reads live consent state rather than a cached snapshot |
|
|
238
|
+
| 5 | Fingerprinting via timing or response-size side-channels (Detecting threat) | No PII is returned in the response body, so content-scanning tools pass. But differential response latency or byte-length for "user exists" vs "user not found" allows presence inference — violating the LINDDUN Detecting category. | Measure p50/p99 response time for existing vs non-existing identifiers across 1000 samples; flag if delta > 5 ms; similarly diff response Content-Length |
|
|
239
|
+
|
|
240
|
+
---
|
|
241
|
+
|
|
242
|
+
## §TEMPORAL-THREATS
|
|
243
|
+
|
|
244
|
+
Privacy threats materialising in the 2025–2030 window that LINDDUN-informed defences designed today must account for.
|
|
245
|
+
|
|
246
|
+
| Threat | Est. Timeline | Relevance to Privacy Domain | Prepare Now By |
|
|
247
|
+
|--------|--------------|------------------------------|----------------|
|
|
248
|
+
| Harvest-now-decrypt-later attacks on pseudonymised data | 2025 (active) | Adversaries archive encrypted PII today to decrypt once CRQCs arrive; pseudonymisation via RSA-based tokens provides no long-term protection | Migrate pseudonymisation tokens and encryption of long-lived PII to ML-KEM (FIPS 203) / AES-256-GCM; audit data retention — delete what doesn't need to outlive the quantum threat window |
|
|
249
|
+
| LLM-assisted re-identification of "anonymised" datasets | 2025–2026 (active) | LLMs correlate quasi-identifiers across public datasets at scale, collapsing k-anonymity protections that were adequate against manual analysis | Apply differential privacy (ε-DP) to any published aggregate or ML training data; validate anonymisation against LLM-assisted adversary, not just statistical models |
|
|
250
|
+
| EU AI Act risk classification of profiling systems | 2026 (enforcement) | Systems that perform behavioural profiling or automated decision-making on individuals are classified high-risk and require DPIA + conformity assessment | Audit all recommendation, scoring, and targeting features against AI Act Annex III; pre-register DPIAs for any feature that scores, ranks, or filters individuals |
|
|
251
|
+
| Data broker regulation and cross-context tracking bans | 2026–2027 | US state privacy laws (CPRA, VCDPA, CPA) increasingly ban cross-context behavioural advertising without explicit consent; violations now carry per-record fines | Audit all third-party SDK data flows; implement server-side tagging to eliminate client-side PII leakage to ad networks |
|
|
252
|
+
| Mandatory data minimisation in generative AI training (EU AI Act / GDPR joint guidance) | 2026–2027 | Any fine-tuning on user data without explicit consent for that purpose will constitute unlawful processing; current fine-tune pipelines rarely validate consent scope | Implement consent-scope checks in every data pipeline that feeds model training; purge user data from training sets upon erasure request |
|
|
253
|
+
|
|
254
|
+
---
|
|
255
|
+
|
|
256
|
+
## §DETECTION-GAP
|
|
257
|
+
|
|
258
|
+
What current privacy monitoring CANNOT detect in the LINDDUN domain, and what to build to close each gap.
|
|
259
|
+
|
|
260
|
+
- **Quasi-identifier linkage across data stores**: No SIEM rule fires because no single PII field is accessed. Need: data-access graph that correlates queries touching ZIP, DOB, gender, and device ID within the same user session — alert when 3+ quasi-identifiers are joined without a documented legitimate purpose.
|
|
261
|
+
- **Analytics SDK PII leakage via browser-collected URLs**: Server-side logs show clean API requests; the exfiltration happens in the browser before the request is sent. Need: CSP `connect-src` inventory + periodic synthetic test that loads key pages with PII in query params and inspects outbound network calls via a proxy (Playwright + Burp).
|
|
262
|
+
- **Stale consent propagated to async workers**: The consent DB record is updated; the background worker reads from a Redis cache with a 24-hour TTL. Need: consent-change events must invalidate all downstream caches synchronously; add a canary test that withdraws consent and verifies the next queued job for that user is suppressed within < 5 seconds.
|
|
263
|
+
- **Right-to-erasure incompleteness in cold storage**: Primary DB erasure looks correct in application logs. Glacier, BigQuery export tables, and Elasticsearch indexes are never checked. Need: erasure verification job that queries all registered downstream systems for the deleted user ID 72 hours post-deletion and alerts on any non-zero result.
|
|
264
|
+
- **Timing/size side-channel presence inference (Detecting)**: No application log records "user existence leaked." Need: p99 latency and Content-Length monitoring per authentication/lookup endpoint; statistical alert if the delta between hit and miss paths exceeds 5 ms or 50 bytes across a rolling 1-hour window.
|
|
265
|
+
|
|
266
|
+
---
|
|
267
|
+
|
|
268
|
+
## §ZERO-MISS-MANDATE
|
|
269
|
+
|
|
270
|
+
This agent CANNOT declare any LINDDUN threat category clean without explicit evidence of checking. For each category, output one of:
|
|
271
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
272
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
273
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
274
|
+
|
|
275
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
276
|
+
|
|
277
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
278
|
+
```json
|
|
279
|
+
{
|
|
280
|
+
"coverageManifest": {
|
|
281
|
+
"attackClassesCovered": [
|
|
282
|
+
{ "class": "LINDDUN:Linking", "filesReviewed": 34, "patterns": ["userId in analytics events", "cross-context correlation"], "result": "CLEAN" },
|
|
283
|
+
{ "class": "LINDDUN:Identifying", "filesReviewed": 34, "patterns": ["email hash", "IP+UA fingerprint"], "result": "2 findings, both remediated" },
|
|
284
|
+
{ "class": "LINDDUN:NonRepudiation", "filesReviewed": 18, "patterns": ["audit log granularity", "action attribution"], "result": "CLEAN" },
|
|
285
|
+
{ "class": "LINDDUN:Detecting", "filesReviewed": 22, "patterns": ["last-seen APIs", "read receipts", "timing side-channel"], "result": "CLEAN" },
|
|
286
|
+
{ "class": "LINDDUN:DataDisclosure", "filesReviewed": 29, "patterns": ["PII in error messages", "third-party SDK scope"], "result": "1 finding, remediated" },
|
|
287
|
+
{ "class": "LINDDUN:Unawareness", "filesReviewed": 8, "patterns": ["privacy notice presence", "consent UI"], "result": "CLEAN" },
|
|
288
|
+
{ "class": "LINDDUN:NonCompliance", "filesReviewed": 15, "patterns": ["retention policy", "DPIA existence", "erasure completeness"], "result": "CLEAN" }
|
|
289
|
+
],
|
|
290
|
+
"filesReviewed": 47,
|
|
291
|
+
"negativeAssertions": [
|
|
292
|
+
"Linking: cross-context userId correlation searched across 34 files — 0 unmitigated paths",
|
|
293
|
+
"DataDisclosure: PII in error messages searched across 29 files — 1 finding fixed inline"
|
|
294
|
+
],
|
|
295
|
+
"uncoveredReason": {}
|
|
296
|
+
}
|
|
297
|
+
}
|
|
298
|
+
```
|
|
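Review bot: the presence-inference item under BEYOND SKILL.MD gives two conflicting finding criteria: the test step flags a fixed latency delta > 5 ms or Content-Length delta > 50 bytes, while the "Finding threshold" sentence that follows requires a t-test with p < 0.05 (row 5 of §EDGE-CASE-MATRIX and the §DETECTION-GAP bullet repeat only the fixed deltas). State one rule, for example the fixed deltas trigger the check and the t-test confirms it, so that the LINDDUN:Detecting entry in `coverageManifest` is reproducible. In the harvest-now-decrypt-later item, `grep -r "RSA\|ECDH\|P-256\|rs256\|ES256" src/` is case-sensitive, so `RS256` spelled the way JWT configuration usually spells it is not matched; use `grep -ri` or list both spellings. Finally, the `intelligenceForOtherAgents` example in this hunk carries concrete values (`src/models/user.ts`, a complete SSRF-to-S3 escalation path) where the other skill's hunk uses `"..."` placeholders; using placeholders here too avoids an agent echoing the sample as a real finding.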
@@ -65,3 +65,446 @@ Find race conditions, business logic flaws, and arithmetic vulnerabilities.
|
|
|
65
65
|
- Concurrent request sequence that reproduces the issue
|
|
66
66
|
- Database/cache state before and after the race
|
|
67
67
|
- Fixed code using atomic operations or distributed locks written inline
|
|
68
|
+
|
|
69
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
70
|
+
```json
|
|
71
|
+
{
|
|
72
|
+
"intelligenceForOtherAgents": {
|
|
73
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
|
|
74
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
|
|
75
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
|
|
76
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
---
|
|
82
|
+
|
|
83
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
84
|
+
|
|
85
|
+
### 1. Double-Spend via Async Await Gap (CVE-2023-23916 class)
|
|
86
|
+
|
|
87
|
+
**Attack technique:** In any async handler where a balance read precedes a deduction, a second
|
|
88
|
+
concurrent request can observe the pre-deduction balance. Both transactions succeed, debiting
|
|
89
|
+
only once from the account. This pattern is rampant in Node.js microservices using Prisma
|
|
90
|
+
without explicit row-level locking.
|
|
91
|
+
|
|
92
|
+
**Concrete detection method:**
|
|
93
|
+
```bash
|
|
94
|
+
# Grep for balance read followed by update without transaction or locking
|
|
95
|
+
grep -rn "findUnique\|findFirst" src/ | grep -i "balance\|credit\|wallet\|fund" | \
|
|
96
|
+
while read line; do
|
|
97
|
+
file=$(echo $line | cut -d: -f1)
|
|
98
|
+
# Check if file uses $transaction() or SELECT FOR UPDATE
|
|
99
|
+
grep -l "\$transaction\|SELECT.*FOR UPDATE\|selectForUpdate" "$file" || echo "MISSING_LOCK: $file"
|
|
100
|
+
done
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
**Finding criterion:** Any balance-affecting endpoint where the read and write are not wrapped
|
|
104
|
+
in a serializable transaction or SELECT FOR UPDATE. Reproduce with:
|
|
105
|
+
```bash
|
|
106
|
+
ab -n 200 -c 50 -p payload.json -T application/json http://target/api/transfer
|
|
107
|
+
# Verify: final balance < expected minimum (funds created from nothing)
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
---
|
|
111
|
+
|
|
112
|
+
### 2. Redis INCR/EXPIRE Non-Atomic Rate Limit Bypass
|
|
113
|
+
|
|
114
|
+
**Attack technique:** A rate limiter that calls INCR then EXPIRE as two separate commands has a
|
|
115
|
+
TOCTOU window. If the process crashes or a network partition occurs between INCR and EXPIRE,
|
|
116
|
+
the counter persists forever — permanently locking the key. Conversely, a fast concurrent
|
|
117
|
+
burst can exhaust the window before EXPIRE fires, allowing unlimited requests.
|
|
118
|
+
|
|
119
|
+
**Concrete detection method:**
|
|
120
|
+
```bash
|
|
121
|
+
grep -rn "redis.*incr\|client\.incr\|\.incr(" src/ | grep -v "lua\|eval\|multi\|pipeline"
|
|
122
|
+
# Any INCR not followed immediately by an atomic EXPIRE in the same Lua script is vulnerable
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
**Fix template:** Replace with atomic Lua:
|
|
126
|
+
```lua
|
|
127
|
+
local current = redis.call('INCR', KEYS[1])
|
|
128
|
+
if current == 1 then redis.call('EXPIRE', KEYS[1], ARGV[1]) end
|
|
129
|
+
return current
|
|
130
|
+
```
|
|
131
|
+
|
|
132
|
+
---
|
|
133
|
+
|
|
134
|
+
### 3. Mass Assignment Privilege Escalation (OWASP API6:2023)
|
|
135
|
+
|
|
136
|
+
**Attack technique:** When ORM models accept arbitrary JSON from `req.body` without an explicit
|
|
137
|
+
allowlist, an attacker can set fields like `role`, `isAdmin`, `tier`, `verified`, or `balance`
|
|
138
|
+
directly. This is distinct from parameter pollution — the payload looks structurally valid.
|
|
139
|
+
|
|
140
|
+
**Concrete detection method:**
|
|
141
|
+
```bash
|
|
142
|
+
# Express/Fastify: find raw body spreads into ORM create/update calls
|
|
143
|
+
grep -rn "\.create(\|\.update(\|\.upsert(" src/ | grep -v "allowlist\|pick(\|omit("
|
|
144
|
+
# Then check if req.body is passed directly
|
|
145
|
+
grep -rn "req\.body" src/ | grep -v "zod\|joi\|validate\|schema"
|
|
146
|
+
```
|
|
147
|
+
|
|
148
|
+
**Finding criterion:** Any ORM mutation accepting `req.body` without a Zod/Joi allowlist schema
|
|
149
|
+
applied at the route boundary. Fields to verify are excluded: `role`, `isAdmin`, `plan`,
|
|
150
|
+
`balance`, `credits`, `verified`, `stripeCustomerId`.
|
|
151
|
+
|
|
152
|
+
---
|
|
153
|
+
|
|
154
|
+
### 4. AI-Assisted Race Condition Discovery (Emerging Threat, 2025)
|
|
155
|
+
|
|
156
|
+
**Attack technique:** LLM-powered fuzzing tools (e.g., Mayhem, CodaMOSA, and custom GPT-4-based
|
|
157
|
+
harnesses) can automatically generate concurrent request sequences from OpenAPI specs and
|
|
158
|
+
exhaustively model state interleavings. An adversary with access to a public API spec and an
|
|
159
|
+
LLM harness can discover race windows in hours that would take a human days. This means any
|
|
160
|
+
publicly documented API endpoint with shared-state side effects is now a viable automated
|
|
161
|
+
target.
|
|
162
|
+
|
|
163
|
+
**Concrete detection method (defensive):**
|
|
164
|
+
- Export all route definitions and run `race-the-web` or a custom ab/wrk2 harness against
|
|
165
|
+
every state-mutating endpoint with concurrency ≥ 50.
|
|
166
|
+
- For AI-assisted attack simulation: feed the OpenAPI spec to a locally-hosted LLM and ask it
|
|
167
|
+
to enumerate all async await gaps and concurrent state mutation paths.
|
|
168
|
+
|
|
169
|
+
```bash
|
|
170
|
+
# Run concurrent hammering against every POST/PUT/PATCH endpoint
|
|
171
|
+
npx race-the-web --config race-config.yaml --concurrency 100 --requests 500
|
|
172
|
+
```
|
|
173
|
+
|
|
174
|
+
**Finding criterion:** Any endpoint where a concurrent load test produces a final system state
|
|
175
|
+
that differs from the sum of all successful response payloads.
|
|
176
|
+
|
|
177
|
+
---
|
|
178
|
+
|
|
179
|
+
### 5. Integer Overflow in Quantity × Price Multiplication (CWE-190)
|
|
180
|
+
|
|
181
|
+
**Attack technique:** When quantity and unit price are stored as 32-bit integers and multiplied
|
|
182
|
+
server-side without overflow guards, an attacker supplying `quantity=2147483648` can cause the
|
|
183
|
+
total to wrap to a negative number (or zero), resulting in a free or negative-cost order. This
|
|
184
|
+
was exploited in multiple e-commerce platforms in 2022–2024.
|
|
185
|
+
|
|
186
|
+
**Concrete detection method:**
|
|
187
|
+
```bash
|
|
188
|
+
# Find multiplication of user-controlled numeric fields
|
|
189
|
+
grep -rn "quantity.*price\|price.*quantity\|qty.*amount\|amount.*qty" src/ | \
|
|
190
|
+
grep -v "BigInt\|bigint\|Decimal\|decimal\|Math\.imul"
|
|
191
|
+
# Also check for lack of upper-bound validation on quantity inputs
|
|
192
|
+
grep -rn "z\.number()\|Joi\.number()" src/ | grep -v "\.max(\|\.positive(\|\.int("
|
|
193
|
+
```
|
|
194
|
+
|
|
195
|
+
**Finding criterion:** Any money calculation using native JavaScript `number` type (IEEE 754
|
|
196
|
+
float, 53-bit mantissa) or uncapped integer multiplication. All monetary arithmetic MUST use
|
|
197
|
+
`BigInt` or a decimal library (`decimal.js`, `dinero.js`). All quantity inputs must have an
|
|
198
|
+
explicit `.max()` bound in validation schemas.
|
|
199
|
+
|
|
200
|
+
---
|
|
201
|
+
|
|
202
|
+
### 6. Supply Chain: Malicious npm Package Injecting Timing Attacks (Post-2024)
|
|
203
|
+
|
|
204
|
+
**Attack technique:** Compromised npm packages (e.g., the `event-stream` pattern) can inject
|
|
205
|
+
code that introduces intentional timing side channels. A malicious `parseAmount()` patch in a
|
|
206
|
+
transitive dependency can leak whether a given account balance is above or below a threshold
|
|
207
|
+
by varying response time by ~2ms per bit — invisible to functional tests but detectable by
|
|
208
|
+
statistical timing analysis after ~10,000 samples.
|
|
209
|
+
|
|
210
|
+
**Concrete detection method:**
|
|
211
|
+
```bash
|
|
212
|
+
# Audit all transitive dependencies for recently published/updated packages
|
|
213
|
+
npm audit --json | jq '.vulnerabilities | keys[]'
|
|
214
|
+
npx better-npm-audit --level critical
|
|
215
|
+
# Check for suspicious timing patterns in hot paths
|
|
216
|
+
grep -rn "setTimeout\|setInterval\|Date\.now()\|performance\.now()" node_modules/.pnp* 2>/dev/null || \
|
|
217
|
+
find node_modules -name "*.js" -newer package-lock.json -not -path "*/test/*" | head -20
|
|
218
|
+
```
|
|
219
|
+
|
|
220
|
+
**Finding criterion:** Any recently-modified transitive dependency touching arithmetic or
|
|
221
|
+
comparison functions in payment or authentication hot paths. Cross-reference with OSV.dev
|
|
222
|
+
and the Socket.dev supply chain scanner.
|
|
223
|
+
|
|
224
|
+
---
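Review bot: none of the commands in the supply-chain detection block perform the check their comments describe. `npm audit --json | jq '.vulnerabilities | keys[]'` lists packages that already have a published advisory, not recently published or updated packages; a freshly compromised release has no advisory yet, which is the premise of the section. On the next line, `find` only runs when the `grep` fails, and `node_modules/.pnp*` matches nothing in any layout (Yarn Plug'n'Play writes `.pnp.cjs` at the project root and creates no `node_modules`), so in practice only the `find` branch ever executes; `-newer package-lock.json` then compares file mtimes against a lockfile that is rewritten on every install, so the output reflects install order, not publish date. Grepping `node_modules` for `Date.now()`/`performance.now()` will also match almost every package with logging or benchmarking code. Suggest replacing the block with a lockfile diff (compare resolved versions and integrity hashes between the previous and current lockfile) plus the OSV.dev / Socket.dev lookup the finding criterion already names, and leave timing detection to the per-endpoint p99 tracking described under §DETECTION-GAP. The "~2ms per bit" and "~10,000 samples" figures have no source and should be marked as illustrative.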
|
|
225
|
+
|
|
226
|
+
### 7. Post-Quantum Threat to Idempotency Key HMAC Signing
|
|
227
|
+
|
|
228
|
+
**Attack technique:** Many idempotency key schemes use HMAC-SHA256 to sign the key + timestamp
|
|
229
|
+
to prevent replay. With a Cryptographically Relevant Quantum Computer (CRQC), Grover's algorithm
|
|
230
|
+
reduces HMAC-SHA256 brute-force from 2^256 to 2^128 — still safe for symmetric keys. However,
|
|
231
|
+
if idempotency keys are also bound to RSA or ECDSA signatures (e.g., signed JWTs), those
|
|
232
|
+
signatures will be fully broken. An attacker who harvests signed idempotency tokens today can
|
|
233
|
+
replay them after CRQC deployment.
|
|
234
|
+
|
|
235
|
+
**Concrete detection method:**
|
|
236
|
+
```bash
|
|
237
|
+
# Find idempotency key validation that relies on RSA/ECDSA-signed tokens
|
|
238
|
+
grep -rn "idempotency\|Idempotency" src/ | grep -v "HMAC\|sha256\|sha512"
|
|
239
|
+
grep -rn "jwt\.verify\|RS256\|ES256\|RS384" src/ | grep -i "idempot\|replay\|dedup"
|
|
240
|
+
```
|
|
241
|
+
|
|
242
|
+
**Finding criterion:** Any idempotency scheme relying on asymmetric cryptography for token
|
|
243
|
+
integrity. Migrate to HMAC-SHA256 or ML-KEM-based MACs for long-lived tokens. Flag for the
|
|
244
|
+
CryptoSpecialist agent.
|
|
245
|
+
|
|
246
|
+
---
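Review bot: the finding criterion tells agents to migrate to "ML-KEM-based MACs", but ML-KEM (FIPS 203) is a key-encapsulation mechanism and defines no MAC; the post-quantum replacement for RSA/ECDSA signatures is ML-DSA (FIPS 204). The section's own reasoning already establishes that HMAC-SHA256 remains safe against a CRQC, so the remediation should read: keep HMAC-SHA256 (with a key of at least 256 bits) for idempotency-token integrity, and where an asymmetric signature is genuinely required, move to ML-DSA or a hybrid scheme. The harvest-now-replay-later risk also only applies to tokens still inside their validity window when a CRQC exists; a scheme with short expiry and server-side replay state is unaffected, and the criterion should say so before routing every RS256/ES256 hit to the CryptoSpecialist agent. Note that the first grep (`grep -v "HMAC\|sha256\|sha512"`) reports every idempotency line whose signing call is not on the same line, so expect high noise from it.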
|
|
247
|
+
|
|
248
|
+
### 8. TOCTOU in File-Based Job Lock Files
|
|
249
|
+
|
|
250
|
+
**Attack technique:** Job processors that use filesystem lock files (`.lock`, `.pid`) to prevent
|
|
251
|
+
duplicate execution have a TOCTOU window between `fs.existsSync()` and `fs.writeFileSync()`.
|
|
252
|
+
On NFS-mounted volumes or containerized environments with shared storage, two workers can
|
|
253
|
+
simultaneously observe the lock as absent and both proceed — causing duplicate job execution.
|
|
254
|
+
This is a common pattern in legacy cron-to-container migrations.
|
|
255
|
+
|
|
256
|
+
**Concrete detection method:**
|
|
257
|
+
```bash
|
|
258
|
+
# Find lock file patterns that are not using O_EXCL or atomic file creation
|
|
259
|
+
grep -rn "existsSync\|statSync\|accessSync" src/ | grep -i "lock\|pid\|mutex"
|
|
260
|
+
grep -rn "writeFileSync\|openSync" src/ | grep -i "lock\|pid"
|
|
261
|
+
# O_EXCL flag check — this is the only safe pattern:
|
|
262
|
+
grep -rn "O_EXCL\|wx'" src/ | grep -i "lock\|pid" # must have results
|
|
263
|
+
```
|
|
264
|
+
|
|
265
|
+
**Finding criterion:** Any lock file mechanism not using `fs.openSync(path, 'wx')` (O_EXCL
|
|
266
|
+
mode) or a database-level advisory lock. The `'wx'` flag fails atomically if the file exists.
|
|
267
|
+
Replace all `existsSync + writeFileSync` lock patterns with atomic `openSync(..., 'wx')`.
|
|
268
|
+
|
|
269
|
+
---
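Review bot: the "must have results" grep on the O_EXCL line searches for `wx'`, which only matches single-quoted flags; `openSync(path, "wx")` or `{ flag: "wx" }` in double-quoted code returns nothing and the check then reports a false failure. A pattern such as `['\"]wx['\"]` covers both quote styles. The comment "this is the only safe pattern" also overstates the case for the NFS scenario described in this section: O_EXCL creation is only atomic when the NFS server and protocol version support exclusive create, and a lock file created with `'wx'` is never released if the worker crashes, leaving the job permanently blocked. The finding criterion's own alternative, a database-level advisory lock (or a lease with a TTL), is the more robust choice for shared storage and should be listed first.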
|
|
270
|
+
|
|
271
|
+
## §LOGIC_RACE_FUZZER-CHECKLIST
|
|
272
|
+
|
|
273
|
+
1. **Double-spend via concurrent balance deduction** — Mechanism: two simultaneous POST
|
|
274
|
+
/transfer requests read the same balance before either write commits. Grep for
|
|
275
|
+
`balance`, `wallet`, `credit` reads not inside `$transaction()` or `SELECT FOR UPDATE`.
|
|
276
|
+
Finding: final balance lower than both transactions combined, or negative.
|
|
277
|
+
|
|
278
|
+
2. **Negative quantity acceptance in order creation** — Mechanism: attacker submits
|
|
279
|
+
`quantity: -100` to refund endpoint, receiving credits without spending. Grep Zod/Joi
|
|
280
|
+
schemas for quantity fields missing `.positive()` or `.min(1)`. Finding: API accepts
|
|
281
|
+
negative quantities and adjusts balance accordingly.
|
|
282
|
+
|
|
283
|
+
3. **Redis rate limit bypass via non-atomic INCR/EXPIRE** — Mechanism: burst 100 requests
|
|
284
|
+
in <1ms before EXPIRE fires; counter never gets TTL. Grep for `redis.incr` not followed
|
|
285
|
+
by Lua eval. Finding: rate limit counter persists beyond window or burst succeeds past limit.
|
|
286
|
+
|
|
287
|
+
4. **Mass assignment role escalation** — Mechanism: POST body includes `"role":"admin"` or
|
|
288
|
+
`"isAdmin":true`; ORM applies it without allowlist. Grep for `.create(req.body)` or
|
|
289
|
+
`Object.assign(model, req.body)`. Finding: user gains elevated role via crafted payload.
|
|
290
|
+
|
|
291
|
+
5. **Float arithmetic precision loss in money** — Mechanism: `0.1 + 0.2 !== 0.3` in
|
|
292
|
+
JavaScript causes rounding errors in accumulated transactions. Grep for `parseFloat`,
|
|
293
|
+
`toFixed`, or arithmetic on price/amount/balance fields. Finding: total differs from
|
|
294
|
+
expected by >0 cents over multiple operations.
|
|
295
|
+
|
|
296
|
+
6. **Idempotency key replay across users** — Mechanism: idempotency key namespace is not
|
|
297
|
+
scoped per user; attacker reuses another user's key to replay their transaction. Grep for
|
|
298
|
+
idempotency key lookup without user ID scoping. Finding: key from user A accepted for
|
|
299
|
+
user B's request, returning user A's cached response.
|
|
300
|
+
|
|
301
|
+
7. **Bull/BullMQ duplicate job on worker restart** — Mechanism: job marked active but
|
|
302
|
+
worker crashes before marking complete; re-queued on restart; processed twice. Grep for
|
|
303
|
+
`queue.add()` without `jobId` deduplication option. Finding: job processing count >1 for
|
|
304
|
+
the same logical event in logs.
|
|
305
|
+
|
|
306
|
+
8. **TOCTOU on inventory deduction** — Mechanism: two concurrent purchase requests both
|
|
307
|
+
check `stock > 0`, both pass, both decrement — final stock goes negative. Grep for
|
|
308
|
+
inventory/stock reads without `SELECT FOR UPDATE` or optimistic locking version field.
|
|
309
|
+
Finding: `stock` column < 0 after concurrent purchase load test.
|
|
310
|
+
|
|
311
|
+
9. **Integer overflow in total price calculation** — Mechanism: `quantity * unitPrice` with
|
|
312
|
+
uncapped integer input overflows signed 32-bit, wrapping to negative. Grep for price
|
|
313
|
+
multiplication not using `BigInt` or `Decimal`. Finding: order total is negative or zero
|
|
314
|
+
for extreme quantity inputs.
|
|
315
|
+
|
|
316
|
+
10. **Webhook duplicate delivery without deduplication** — Mechanism: provider retries
|
|
317
|
+
webhook on timeout; handler processes event twice; payment credited twice. Grep for
|
|
318
|
+
webhook handlers without idempotency key storage in DB. Finding: duplicate credit/order
|
|
319
|
+
row created for single webhook event ID.
|
|
320
|
+
|
|
321
|
+
11. **Async await gap in multi-step state machine** — Mechanism: handler reads state,
|
|
322
|
+
`await`s external call, another request mutates state during await, handler resumes
|
|
323
|
+
with stale state and overwrites it. Grep for state reads followed by `await` and
|
|
324
|
+
subsequent state writes without re-read or optimistic lock. Finding: state machine
|
|
325
|
+
transitions to invalid state under concurrent load.
|
|
326
|
+
|
|
327
|
+
12. **Quota bypass via concurrent quota check and consumption** — Mechanism: concurrent
|
|
328
|
+
API calls all pass quota check simultaneously; each consumes quota; total exceeds limit.
|
|
329
|
+
Grep for quota/limit checks using two-step read+decrement outside a transaction.
|
|
330
|
+
Finding: usage counter exceeds configured maximum after concurrent burst test.
|
|
331
|
+
|
|
332
|
+
---
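Review bot: three checklist items need correction. Item 1's finding statement, "final balance lower than both transactions combined, or negative", reads inverted for a lost-update race: when two concurrent deductions both read the same starting balance, only one deduction survives, so the stored balance ends up higher than the ledger implies while the recipients are credited twice. Suggest "final balance does not equal starting balance minus the sum of accepted transfers, or total credited exceeds total debited". Item 9 states that `quantity * unitPrice` "overflows signed 32-bit, wrapping to negative" in JavaScript; a native `number` product does not wrap, it loses integer precision above 2^53 and becomes `Infinity`, so the wrap only occurs under explicit 32-bit coercion (`|0`, `Math.imul`, `Int32Array`) or in a non-JavaScript backend, and the grep hint should target those forms. Item 3's hint ("`redis.incr` not followed by Lua eval") will flag the safe `MULTI`/`EXEC` and `SET NX EX` forms as findings; list them as acceptable alongside a Lua script.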
|
|
333
|
+
|
|
334
|
+
## §POC-REQUIREMENT
|
|
335
|
+
|
|
336
|
+
For every CRITICAL or HIGH finding in this domain:
|
|
337
|
+
|
|
338
|
+
1. **Write the working PoC FIRST** (exact payload, exact request, observed impact)
|
|
339
|
+
2. **Confirm the PoC reproduces the issue** — show actual vs. expected state
|
|
340
|
+
3. **THEN write the fix**
|
|
341
|
+
4. **THEN verify the PoC fails against the fix** — rerun and confirm fix holds
|
|
342
|
+
5. **Record the PoC in findings JSON under `exploitPoC`**
|
|
343
|
+
|
|
344
|
+
**PoC skipping = finding severity downgraded to MEDIUM automatically.**
|
|
345
|
+
|
|
346
|
+
### PoC Template for Race Conditions:
|
|
347
|
+
|
|
348
|
+
```bash
|
|
349
|
+
# Step 1: Establish baseline state
|
|
350
|
+
BEFORE=$(curl -s -H "Authorization: Bearer $TOKEN" http://target/api/balance | jq .balance)
|
|
351
|
+
echo "Balance before: $BEFORE"
|
|
352
|
+
|
|
353
|
+
# Step 2: Fire concurrent requests
|
|
354
|
+
for i in {1..50}; do
|
|
355
|
+
curl -s -X POST http://target/api/transfer \
|
|
356
|
+
-H "Authorization: Bearer $TOKEN" \
|
|
357
|
+
-H "Content-Type: application/json" \
|
|
358
|
+
-d '{"amount": 100, "to": "attacker"}' &
|
|
359
|
+
done
|
|
360
|
+
wait
|
|
361
|
+
|
|
362
|
+
# Step 3: Observe post-race state
|
|
363
|
+
AFTER=$(curl -s -H "Authorization: Bearer $TOKEN" http://target/api/balance | jq .balance)
|
|
364
|
+
ATTACKER=$(curl -s -H "Authorization: Bearer $ATTACKER_TOKEN" http://target/api/balance | jq .balance)
|
|
365
|
+
echo "Balance after: $AFTER (expected: $((BEFORE - 100)))"
|
|
366
|
+
echo "Attacker received: $ATTACKER (expected: 100)"
|
|
367
|
+
# FINDING: if ATTACKER > 100 — double spend confirmed
|
|
368
|
+
```
|
|
369
|
+
|
|
370
|
+
### PoC findings JSON entry:
|
|
371
|
+
```json
|
|
372
|
+
{
|
|
373
|
+
"findingId": "RACE-001",
|
|
374
|
+
"severity": "CRITICAL",
|
|
375
|
+
"title": "Double-spend via concurrent balance deduction",
|
|
376
|
+
"exploitPoC": {
|
|
377
|
+
"command": "ab -n 200 -c 50 -p transfer.json -T application/json http://target/api/transfer",
|
|
378
|
+
"payload": "{\"amount\": 100, \"to\": \"attacker\"}",
|
|
379
|
+
"observedImpact": "Attacker balance increased by 800 from a single 100-unit source",
|
|
380
|
+
"reproduced": true,
|
|
381
|
+
"fixVerified": true
|
|
382
|
+
}
|
|
383
|
+
}
|
|
384
|
+
```
|
|
385
|
+
|
|
386
|
+
---
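Review bot: the race PoC template and the findings JSON entry do not describe the same test, which undermines the reproducibility this section demands. The bash template fires 50 `curl` requests of 100 units each, while `exploitPoC.command` records `ab -n 200 -c 50`; the expected values printed in step 3 (`BEFORE - 100` and `100`) only hold if the source account held exactly 100 units and the receiving account held zero before the run, and the template neither states nor records either precondition (`$((BEFORE - 100))` also fails outright if the API returns a decimal balance). Suggest capturing the receiving account's balance in step 1 next to `BEFORE`, stating the starting-balance precondition, and making the JSON `command`/`payload` match what was actually run. Step 4 ("verify the PoC fails against the fix") has no field beyond the boolean `fixVerified`; record the post-fix observed state (for example the unchanged `AFTER` value) as evidence. Finally, since this PoC moves funds and §PROJECT-ESCALATION below treats a confirmed double-spend as a P0 incident on a live service, the requirement should state that race PoCs run only against a staging environment or dedicated test accounts.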
|
|
387
|
+
|
|
388
|
+
## §PROJECT-ESCALATION
|
|
389
|
+
|
|
390
|
+
Immediately call `orchestration.update_agent_status` with `"CRITICAL_ESCALATION"` and halt
|
|
391
|
+
normal execution flow when ANY of the following conditions are detected:
|
|
392
|
+
|
|
393
|
+
1. **Confirmed double-spend with monetary impact** — Any race condition where a concurrent
|
|
394
|
+
PoC produces more funds/credits than were legitimately input. Escalate immediately; do not
|
|
395
|
+
wait for full scan completion. This is a P0 production incident if the service is live.
|
|
396
|
+
|
|
397
|
+
2. **Mass assignment grants admin/root privileges** — A PoC payload that promotes a regular
|
|
398
|
+
user to admin, superuser, or bypasses billing tier restrictions via body injection. The
|
|
399
|
+
entire authorization model must be reassessed by the full orchestrator.
|
|
400
|
+
|
|
401
|
+
3. **Idempotency key namespace collision enabling cross-user replay** — If user A's
|
|
402
|
+
idempotency token can be replayed as user B, this is a fundamental authentication flaw
|
|
403
|
+
that affects every transaction in the system. Escalate before continuing.
|
|
404
|
+
|
|
405
|
+
4. **Integer overflow to negative total enabling free or paid-refund order** — A PoC that
|
|
406
|
+
places an order with negative total, triggering a real payment refund or free fulfillment.
|
|
407
|
+
Escalate to compliance GRC agent simultaneously — this may constitute fraud facilitation.
|
|
408
|
+
|
|
409
|
+
5. **Duplicate webhook processing confirmed with external payment provider** — If Stripe,
|
|
410
|
+
PayPal, or any payment webhook fires credits twice and the system accepts both, escalate
|
|
411
|
+
immediately. Financial reconciliation is now broken; every transaction must be audited.
|
|
412
|
+
|
|
413
|
+
6. **Supply chain package found injecting timing code into payment hot path** — A transitive
|
|
414
|
+
npm dependency modified within the last 30 days that touches arithmetic in payment or
|
|
415
|
+
balance calculation code. Escalate to CISO orchestrator for supply chain incident response.
|
|
416
|
+
|
|
417
|
+
7. **TOCTOU on authentication token validation** — If a race between token validation and
|
|
418
|
+
token revocation allows a revoked token to be used, escalate. This is an authentication
|
|
419
|
+
bypass affecting all session security.
|
|
420
|
+
|
|
421
|
+
8. **Quota bypass enabling resource exhaustion or billing fraud** — If concurrent API calls
|
|
422
|
+
can exceed hard resource limits (e.g., API call quotas, storage limits, seat licenses),
|
|
423
|
+
escalate to compliance GRC. Billing integrity is compromised.
|
|
424
|
+
|
|
425
|
+
---
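Review bot: escalation item 6 triggers on a transitive dependency "modified within the last 30 days", but nothing in section 6's detection block computes a publish or modification date (the `find -newer` test compares against the lockfile mtime), so agents have no way to evaluate this threshold; either add the registry-time lookup to section 6 or drop the 30-day figure here. Item 7 (TOCTOU between token validation and revocation) has no corresponding entry in the §LOGIC_RACE_FUZZER-CHECKLIST above, so an agent following the checklist will never test the condition it is told to escalate on; add a checklist item with the grep hint and finding statement in the same format as items 1 to 12.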
|
|
426
|
+
|
|
427
|
+
## §EDGE-CASE-MATRIX
|
|
428
|
+
|
|
429
|
+
The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
430
|
+
|
|
431
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
432
|
+
|---|-----------|----------------------|---------------|
|
|
433
|
+
| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
|
|
434
|
+
| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
|
|
435
|
+
| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
|
|
436
|
+
| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
|
|
437
|
+
| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
|
|
438
|
+
|
|
439
|
+
---
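Review bot: rows 1 to 4 of the edge-case matrix (second-order payloads, Unicode normalisation, polyglot injection, out-of-band exfiltration) are injection-class cases, not logic or race cases, so the claim that these are "the 5 attack cases in this domain" is not met; only row 5 belongs to logic-race-fuzzer. The table reads as the generic template carried over unchanged. Suggest replacing rows 1 to 4 with the race-specific cases this file already describes elsewhere: the `await`-gap stale write (checklist item 11), the slow double-spend spaced over hours (§DETECTION-GAP), duplicate webhook delivery (checklist item 10) and lock-file TOCTOU (section 8). Row 2 also shows a plain ASCII `<` while labelling it U+FF1C; the fullwidth character has been normalised away in the text, so the concrete test as written does not exercise the bypass it names.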
|
|
440
|
+
|
|
441
|
+
## §TEMPORAL-THREATS
|
|
442
|
+
|
|
443
|
+
Threats materialising in the 2025–2030 window that defences designed today must account for.
|
|
444
|
+
|
|
445
|
+
| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
|
|
446
|
+
|--------|--------------|--------------------------|----------------|
|
|
447
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
|
|
448
|
+
| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
|
|
449
|
+
| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
|
|
450
|
+
| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
|
|
451
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
|
|
452
|
+
|
|
453
|
+
---
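Review bot: the CRQC row's "Prepare Now By" cell says to migrate RSA/ECDSA usage to ML-KEM (FIPS 203), but ML-KEM replaces key exchange, not signatures; RSA/ECDSA signing inventoried in the same cell migrates to ML-DSA (FIPS 204) or SLH-DSA (FIPS 205), and ML-KEM is the target for the TLS hybrid key exchange mentioned in the post-quantum TLS row. Several cells also state estimates as facts with no source: "browser vendors will drop classical-only TLS connections" by 2028–2030, "LLM-powered fuzzing finds 10× more edge cases", and the SBOM row marking US EO 14028 / EU CRA as "active" even though the CRA's reporting obligations begin in September 2026 and its main obligations apply from December 2027. Since downstream agents will repeat this table verbatim, either cite sources or label the timelines as estimates.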
|
|
454
|
+
|
|
455
|
+
## §DETECTION-GAP
|
|
456
|
+
|
|
457
|
+
What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
458
|
+
|
|
459
|
+
**Standard gaps that MUST be checked:**
|
|
460
|
+
|
|
461
|
+
- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
|
|
462
|
+
- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
|
|
463
|
+
- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
|
|
464
|
+
- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
|
|
465
|
+
- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
|
|
466
|
+
|
|
467
|
+
**Domain-specific detection gaps for logic-race-fuzzer:**
|
|
468
|
+
|
|
469
|
+
- **Race condition in production traffic**: Standard APM shows elevated p99 but no log entry for the race event itself. Need: distributed tracing with concurrent request correlation — flag any two request spans that overlap in time and mutate the same resource ID.
|
|
470
|
+
- **Slow double-spend over days**: Attacker spaces concurrent requests hours apart to avoid rate limiting. Need: balance integrity check — periodic reconciliation job that computes expected balance from transaction ledger and alerts on discrepancy.
|
|
471
|
+
- **Negative balance after float rounding**: Rounding errors accumulate over thousands of transactions but individual transaction logs appear correct. Need: end-of-day balance reconciliation comparing ledger sum to stored balance with zero tolerance.
|
|
472
|
+
|
|
473
|
+
---
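Review bot: the "Standard gaps" list is the generic block shared with other agents (credential stuffing and insider exfiltration are outside this file's domain), so only the three domain-specific bullets add coverage here. Of those, the distributed-tracing rule ("flag any two request spans that overlap in time and mutate the same resource ID") is only actionable if spans carry the mutated resource ID as an attribute; name the attribute the instrumentation must emit, otherwise the detection cannot be built. The "zero tolerance" reconciliation bullet should also say which side is authoritative (the ledger sum), since a stored float balance will drift from it by design and the alert needs a defined correction action.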
|
|
474
|
+
|
|
475
|
+
## §ZERO-MISS-MANDATE
|
|
476
|
+
|
|
477
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
|
|
478
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
479
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
480
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
481
|
+
|
|
482
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
483
|
+
|
|
484
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
485
|
+
```json
|
|
486
|
+
{
|
|
487
|
+
"coverageManifest": {
|
|
488
|
+
"attackClassesCovered": [{ "class": "Double-Spend Race Condition", "filesReviewed": 47, "patterns": ["findUnique", "balance", "$transaction"], "result": "CLEAN" }],
|
|
489
|
+
"filesReviewed": 47,
|
|
490
|
+
"negativeAssertions": ["Race condition: balance mutation patterns searched across 47 files — all wrapped in $transaction()"],
|
|
491
|
+
"uncoveredReason": {}
|
|
492
|
+
}
|
|
493
|
+
}
|
|
494
|
+
```
|
|
495
|
+
|
|
496
|
+
---
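Review bot: the `coverageManifest` example carries `filesReviewed` both per attack class and at the top level without stating the relationship (sum, maximum or distinct count), and `uncoveredReason` is shown as an empty object while the SKIPPED line format above it is a string with a mandatory "not applicable: [evidence]" prefix. Specify the schema: key `uncoveredReason` by attack class with the SKIPPED string as value, and define the top-level `filesReviewed` as the distinct file count, so the orchestrator's "Silent skip = FAILED COVERAGE" check can be evaluated mechanically rather than by reading free text.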
|
|
497
|
+
|
|
498
|
+
## LEARNING SIGNAL
|
|
499
|
+
|
|
500
|
+
On every finding resolved, emit:
|
|
501
|
+
```json
|
|
502
|
+
{
|
|
503
|
+
"findingId": "FINDING_ID",
|
|
504
|
+
"agentName": "logic-race-fuzzer",
|
|
505
|
+
"resolved": true,
|
|
506
|
+
"remediationTemplate": "one-line description of what was done",
|
|
507
|
+
"falsePositive": false
|
|
508
|
+
}
|
|
509
|
+
```
|
|
510
|
+
Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
|